Tinker AI
Read reviews

#security

15 items tagged #security.

GUIDE 2026-05-25

Triaging AI-flagged vulnerabilities

A Glasswing-style scan can land hundreds of high-severity findings against your repo in a single run. Anthropic's 90.6% true-positive rate is high — but on a 10,000-finding batch, the 9.4% false-positive remainder is still 940 fires to put out.

Owner · 4 min #security #triage
BLOG 2026-05-25

AI found the bugs faster than we can patch them

Project Glasswing's first month surfaced more than ten thousand high- or critical-severity vulnerabilities. The framing was that AI just closed the security gap. The data, read carefully, is that AI just opened a different one.

Owner · 6 min #opinion #security
NEWS 2026-05-25

Anthropic's Glasswing finds 10,000 critical bugs in a month

Anthropic published the first results from Project Glasswing on May 22. Around fifty partners running Claude Mythos Preview found more than ten thousand high- or critical-severity vulnerabilities in the first month, including 2,000 at Cloudflare and 271 fixed in Firefox 150.

GUIDE 2026-05-22

Running scheduled coding agents safely

Antigravity 2.0 and Anthropic's Routines let agents run unattended on a schedule or a webhook. With no human at the trigger, scope, a review gate, a cost cap, and a kill switch are the only controls that still work.

Owner · 4 min #security #agents
GUIDE 2026-05-20

Auditing your MCP config for leaked secrets

GitGuardian found 24,008 secrets in MCP config files on public GitHub. This is the audit pass: find committed config, detect inline keys, convert to environment variables, rotate what leaked, and stop it recurring.

Owner · 4 min #security #mcp
BLOG 2026-05-20

Your agent config is leaking secrets

GitGuardian found 24,008 secrets sitting in MCP configuration files on public GitHub, 2,117 of them live. The number was published in March. It took this week's CVE wave for me to actually go read it.

Owner · 6 min #opinion #security
GUIDE 2026-05-19

Hardening your agent's supply chain

A concrete checklist for the May 2026 failure modes: pin skills and MCP servers, SBOM the agent's dependencies, require auth on MCP, and review config files as code.

BLOG 2026-05-19

Your agent's config is the attack surface now

I asked the MCP supply-chain question a while ago without numbers. May 2026 supplied the numbers — and they say the breach is mundane, not exotic, and the fix is boring.

Owner · 6 min #opinion #security
NEWS 2026-05-19

A wave of agent-targeting CVEs lands in May 2026

Researchers disclosed a cluster of vulnerabilities in AI coding agents in May 2026: prompt-injection-to-RCE in CrewAI, an unauthenticated Azure SRE Agent endpoint, a poisoned AGENTS.md chain against Codex, and over a thousand malicious skills.

Owner · 2 min #security #agents
GUIDE 2026-05-11

Secrets, sandboxes, and network isolation when using AI coding tools

Three threat axes in AI coding tools—log exfiltration, tool-call leaks, and supply-chain poisoning—and the mitigations that actually reduce risk.

GUIDE 2026-05-11

Codex sandbox mode: what it actually contains and where it leaks

Codex CLI runs every command in a restricted shell by default. Here's what that sandbox actually blocks, how to grant network access when you need it, and what it can't protect you from.

Owner · 7 min #codex #sandbox
GUIDE 2026-05-11

Cursor Privacy mode: what it actually does and what it doesn't

Cursor Privacy mode stops your code from being used for training and stored beyond a request. Here's what that covers, what it doesn't, and where the real gaps are.

Owner · 5 min #cursor #privacy
GUIDE 2026-03-07

Handling secrets safely with Cline: never letting the model see what shouldn't leave your machine

Cline reads files on demand. Without configuration, it'll read your .env file along with everything else. Three patterns prevent secret leakage.

Owner · 4 min #cline #security
BLOG 2026-03-02

The MCP server supply chain question nobody is asking yet

MCP servers are npm packages with deep access to your environment. The supply chain risks aren't being treated as seriously as they should be.

Owner · 5 min #mcp #security
NEWS 2026-02-16

MCP spec 1.1 ships with stronger permissions and authentication

The Model Context Protocol gets a 1.1 spec adding granular permissions, OAuth flows, and signed packages. Addresses real concerns about supply chain risk.

Owner · 3 min #mcp #security