Research notes from the edge.
Threat analysis, technical deep-dives, and field observations from the honeypot sensors. Confidence-graded, attribution-disciplined, every claim earned.
- 09 · Threat Research · 9 min
Anatomy of an MCP Kill Chain: 22 Minutes, 30 Tool Calls
Twenty-two minutes. Thirty tool calls. One Google Cloud IP walked the full kill chain of our MCP deception, pulling values across responses and combining them into a single privilege-escalation request. The shape looks agentic, not scripted.
- 08 · Threat Research · 5 min
CVE-2026-42208 Goes Live: Same Operator, Seventy-Five Days, Three Kits
LiteLLM is an open-source LLM proxy widely deployed in front of OpenAI, Anthropic, and self-hosted models. On May 14, three IPs sprayed a working time-based SQL injection against it. The IPs share hosting infrastructure with an operator we have been tracking through three earlier exploitation kits since March.
- 07 · Threat Research · 7 min
The Patch Contained Its Own Exploit: Analysis of CVE-2026-40217 in LiteLLM
LiteLLM ships a feature that compiles and runs administrator-supplied Python code inside a sandbox. The sandbox failed. Five days after the fix was disclosed, an attacker submitted the exact Python payload from the patch's own regression test, replaced the test command with a cryptocurrency miner, and started spraying.
- 06 · Field Notes · 13 min
From a honeypot to AWS IAM persistence in 100 minutes
A scanner harvested two AWS access keys from our honeypot in five seconds, validated them against AWS, then waited ninety-seven minutes. The keys came back online from seven different Hong Kong VPS hosts running a textbook IAM persistence chain. One of those seven IPs is the same source that Sysdig had documented exploiting an LLM-inference-server vulnerability eleven days earlier.
- 05 · Field Notes · 10 min
AKIA-only: profiling a Bedrock LLMjacker by what they refused to test
LLMjacking is the practice of stealing cloud credentials in order to use a victim's account to run large-language-model inference for free or for resale. When LLMjackers find a leaked .env file with five credentials in it, the typical move is to test all five. This one tested one and walked away from the other four. The most interesting thing they didn't touch was the credential that fires an alert on a single DNS lookup.
- 04 · Field Notes · 8 min
Forty Minutes With AIRecon
AIRecon is an open-source autonomous pentest agent that drives a local large language model through a recon-analysis-exploit loop. On April 19, an operator in Maharashtra pointed it at an Indian life insurer's wildcard domain and ran it against our Ollama honeypot. Forty minutes later, after twelve retries and zero successful inferences, they walked away.
- 03 · Field Notes · 11 min
Three Identical Strangers, One CMS Plugin Tree
An exposed Redis instance is one of the most reliable ways to lose a Linux server to a cryptocurrency miner. The dropper URL used in the attack we caught is hiding inside a path that looks like a French content-management system. The attacker has been serving the same six-file kill chain from the same Google Cloud VM for eighty days. We never touched their server. urlscan.io's public history made it possible to map the whole thing.
- 02 · Field Notes · 7 min
Your System Prompt Is Not a Secret
A system prompt is the instruction set a developer writes for a language model: 'you are a customer-service bot,' 'never reveal these API keys,' 'do not say you are an AI.' Many production deployments treat it as a secret. It is not. We watched an automated client extract our honeypot's full system prompt — including credentials it was explicitly told to hide — in eighty-seven seconds, using eight techniques in sequence.
- 01 · Field Notes · 4 min
Cloudflare WARP Leaks Your Real IP Through Tor
Cloudflare WARP is a consumer and enterprise VPN-style product that routes traffic through Cloudflare's network. Tor is a separate anonymity system that hides which network you are connecting from. Using both at the same time should give you the strongest possible privacy. It does not. WARP injects identifying HTTP headers — including your real IP — at a layer Tor cannot reach. We watched one visitor's real address arrive at our honeypot through six Tor exits.