AI 资讯
JWT Explained: What's Actually Inside That Token (with a free decoder)
If you've ever worked with auth, you've seen a JWT — a long string like eyJhbGci... split into three parts by dots. It looks cryptic, but it's surprisingly simple once you see inside. A JWT has three parts header.payload.signature Header – tells you the signing algorithm, e.g. {"alg":"HS256","typ":"JWT"} Payload – the claims (the actual data), e.g. {"sub":"123","name":"John","iat":1516239022} Signature – verifies the token wasn't tampered with (needs the secret/key) The header and payload are just Base64url-encoded JSON — not encrypted. That means anyone can read them. So: ⚠️ Never put secrets in a JWT payload. It's signed, not hidden. Decoding one yourself You can decode the payload in the browser console: const [, payload ] = token . split ( " . " ); console . log ( JSON . parse ( atob ( payload ))); Or, if you just want to paste a token and instantly see the header + payload (without sending it to a server), I built a free decoder that runs entirely in your browser: https://forgly.dev/tools/jwt-decoder Decoding ≠ verifying Reading a JWT is trivial. Trusting it is not — you must verify the signature on your server with the secret/public key before relying on any claim. Decoding just lets you inspect what's there. That's the whole mental model: a JWT is a readable, signed envelope — not a locked box.
AI 资讯
The Principle of Least Privilege: Operational Speed's Security Cost
The Principle of Least Privilege: Operational Speed's Security Cost While developing a production ERP, delayed shipment reports were always a headache. One of the main reasons behind incomplete reports was the complexity of privilege layers in the system and, often, excessive permissions granted. In this post, I will delve into the costs we pay when we stretch security boundaries in an effort to gain operational speed. The principle of least privilege is more than just a security concept; it's critically important for operational efficiency and system stability. In this article, I will explain the impact of the principle of least privilege on operational speed, the security risks it entails, and how I've tried to strike this balance with concrete examples from my practical experience. My goal is to move beyond superficial definitions and dive deep into this topic based on my real-world field experiences, providing actionable insights to readers. Why Does the Principle of Least Privilege Seem to Hinder Operational Speed? The general tendency is to provide instant access to all relevant tools and data to speed up a task. This can be appealing, especially in an emergency or before a critical delivery. However, the Principle of Least Privilege (PoLP) advocates the opposite: a user or system component should have the absolute minimum privileges required to perform its task. This might initially seem to slow down operational processes. For example, a development team having unlimited SELECT rights to a production database might facilitate running an urgent query. However, the same developer could accidentally run UPDATE or DELETE commands, causing serious damage to the system. Such an incident, instead of speeding up a query in the short term, could lead to hours of downtime and data loss. This is where the long-term risk posed by operational speed, which PoLP is thought to hinder, becomes apparent. Another example is a system administrator frequently using the sudo su co
AI 资讯
Claude vs Gemini Across 4 Security Domains: A Dead Heat — and the Hardening 63% of AI Code Skips
The interesting result isn't who won. It's that across four security domains, Claude and Gemini missed the same hardening steps — and if you've shipped AI-generated auth middleware this year, your code almost certainly has the same gaps, and your review didn't catch them either. For the record, the scoreboard: one Gemini win, two ties, one split — a statistical dead heat. That's the last time the winner matters in this article. Here's the number that should bother you more than any leaderboard: across 700 AI-generated functions scored by the rules I'm about to use, 63% shipped a vulnerability . So "which model writes more secure code?" is mostly the wrong question — I've run that leaderboard myself and argued it's the wrong frame. But people keep asking it, so I ran it properly — on the ESLint security plugins I wrote specifically to catch these bugs, each mapped to a CWE — to show you what actually matters. The setup Four domains, four of my plugins. For each, the same feature-only prompt (no "make it secure" hint — that's how people actually use these tools), generated once by Gemini 2.5 Flash via the Gemini CLI and once by Claude Sonnet 4.6 via the Claude CLI , then linted with the domain's plugin on recommended . Method honesty: this is Gemini Flash vs Claude Sonnet — the comparable price/latency tier each vendor's CLI defaults to (Pro and Opus are a separate bracket; more on that below). It compares CLI tooling, system prompt included, not raw models under controlled decoding. n=1 per domain — but I re-ran the JWT round, and both models landed on 5 findings again with the same core misses, so treat these as directional with stable failure modes, not ±0 gospel. The scorecard Domain Prompt Plugin Gemini Claude NestJS service users + auth + admin nestjs-security 2 6 JWT auth login + verify middleware jwt 5 5 MongoDB data layer Mongoose model + search mongodb-security 8 8 General API (injection) import + search + reset secure-coding 9 13* One Gemini win, two dead h
AI 资讯
Arm Open-Sources Metis, an AI Security Framework Outperforming Traditional SAST Tools
Arm has open-sourced Metis, an agentic AI security framework designed to autonomously uncover complex software vulnerabilities. Unlike traditional pattern-based tools, Metis applies semantic reasoning to analyze cross-component dependencies and provides clear, natural language explanations for its findings. By Sergio De Simone
AI 资讯
Are Claude skills safe in 2026? What the Snyk ToxicSkills audit actually found
{/* JSON-LD schema is generated server-side in app/blog/[slug]/page.tsx , do not re-add an inline block here, it crashes<br> MDX's Acorn parser on the leading <code>{</code>. */}</p> <h2> <a name="tldr" href="#tldr" class="anchor"> </a> TL;DR </h2> <p>In February 2026, Snyk published the <a href="https://snyk.io/blog/toxicskills-malicious-ai-agent-skills-clawhub/">ToxicSkills audit</a>, the first large-scale security review of the public Claude Code skills ecosystem. It scanned 3,984 skills from ClawHub and skills.sh. Findings:</p> <ul> <li><strong>13.4%</strong> contained critical-level issues</li> <li><strong>36%</strong> carried prompt-injection payloads</li> <li><strong>1,467</strong> distinct malicious payloads</li> <li><strong>91%</strong> of confirmed malware combined natural-language jailbreaks with executable shell payloads</li> </ul> <p>If you install a Claude Code skill today without reading its source, the probability that it can read your env vars, exfiltrate <code>~/.ssh/</code>, or chain a bash pipeline that bypasses your deny rules is real and measurable. This post is the cheat sheet for evaluating a skill before you install it. The CTA at the bottom is <a href="https://dev.to/skillvault">SkillVault</a>, the bundle we ship for teams who want this work already done.</p> <h2> <a name="why-the-question-is-suddenly-loadbearing" href="#why-the-question-is-suddenly-loadbearing" class="anchor"> </a> Why the question is suddenly load-bearing </h2> <p>Claude Code skills shipped as an open spec in December 2025. By March 2026, MCP downloads were tracking at 97 million per month, and the most-installed marketplace skill had passed 564,000 installs. <a href="https://venturebeat.com/security/claude-code-512000-line-source-leak-attack-paths-audit-security-leaders">Anthropic's source leak</a> on March 31, 2026 made the abstract attack surface visceral: the <code>bashSecurity.ts</code> module has 23 numbered security checks, suggesting each was a real incide
开发者
Microsoft is threatening legal action for disclosing exploits
Microsoft is facing criticism for its handling of zero-day exploits. Someone going by the name Nightmare Eclipse has been publicly feuding with the company, posting proof-of-concept exploit code. Some of their posts suggest that they're a disgruntled former employee. But what caught cyber security researcher Kevin Beaumont's eye was how Microsoft has responded. Microsoft suggests […]
AI 资讯
Coding agents should not hold write credentials.
I have been thinking a lot about coding agents lately. Not really about whether they can write good code, because usually they can, sometimes they can't. That part is obvious. But the risk is shifting from wrong answers to wrong outcomes. The part that feels more important to me is this: should the agent actually own the write authority? We already don't trust humans without roles, limits, reviews, and accountability. Developers use PRs, pilots use checklists, bank clerks have transfer limits. Capable agents need the same structure, but machine-readable. Right now a lot of setups still look roughly like this: agent reads the repo agent decides what to change agent has a GitHub token agent creates commits, branches, or PRs I don't think this is the right default. The agent can reason. The agent can inspect files. The agent can propose changes. But the moment it can directly create external impact, the problem changes. It is no longer just: did the agent say something wrong? It becomes: did the agent create the wrong outcome? That is a much more expensive failure mode. Intent is not authority The pattern I like more is simple: agent reads directly agent proposes intent a boundary decides an adapter materializes only admitted work So the agent does not get the write credentials. It submits a structured intent instead, which could look like: { "operation" : "write" , "target" : { "repo" : "example/app" , "branch" : "main" , "path" : "docs/config/agent-policy.md" }, "source_state" : { "blob_sha" : "8f31c2..." }, "requested_effect_hash" : "sha256:..." } This is then not a command anymore, it is a suggestion, or an intent. The system still has to decide whether this proposed outcome should exist. That decision layer can check things like: is this actor allowed? is this repo allowed? is this path in scope? does the source state still match? is this operation allowed? was the same effect already created? should this become a reviewable PR? Only after that should there be an
AI 资讯
Show HN: DCAP — A security analyzer that admits when it fails Most tools lie with false "PASS". DCAP reports "Pattern Vacuum" instead. Zero false positives. Self-verifying (6/6). Forensic reports. 900ms/94 files. Open source. github.com/aim-core/dcap
AI 资讯
CSRF, and the cookie flag
<form action= "https://bank.com/transfer" method= "POST" > <input name= "to" value= "attacker" > <input name= "amount" value= "10000" > </form> <script> document . forms [ 0 ]. submit () </script> Five lines of HTML on a malicious page. When a user who's logged into bank.com in another tab visits this page, the browser auto-submits the form, attaches their session cookie, and ten thousand dollars leave their account. They didn't click anything. The malicious site didn't see their password. There was no XSS, no breach, no leak in the traditional sense. The browser did exactly what it was designed to do. That's CSRF — Cross-Site Request Forgery — and it's been the classic "confused deputy" attack on the web for two decades. Let's walk through what makes it work, why CORS doesn't help, and the one cookie flag that mostly killed it around 2020. Why the browser attaches your cookie to that request Cookies belong to a domain. When you log into bank.com , the bank sets a session cookie in your browser: Set-Cookie: session=abc123; HttpOnly From that point on, every single request your browser sends to bank.com carries that cookie. Every page load. Every API call. Every image fetch. The browser does it automatically, without asking, and regardless of who triggered the request. That last word is the door CSRF walks through. The browser attaches the cookie based on where the request is going , not where it came from . So when evil.com triggers a POST to bank.com/transfer , the browser sees a request destined for bank.com , looks up the cookies for bank.com , and attaches them. As far as the bank's server can tell, the request looks exactly like one the user submitted from inside the bank's own page. This is the "confused deputy" idea. Your browser is the deputy. It has authority on your behalf (your cookies). And it's been tricked into using that authority for someone else's benefit. The server has no way to tell the difference, because from its point of view, there isn't one.
AI 资讯
Cybercrime Crew Claims It Hacked Mike Lindell’s MyPillow
Plus: A ransomware group is now stealing data in person, BusPatrol wants to hand its license plate surveillance data to the cops, and more.
AI 资讯
为什么使用代理总弹出“安全验证”?深度解析 Cloudflare 拦截机制与避坑指南
为什么使用代理总弹出“安全验证”?深度解析 Cloudflare 拦截机制与避坑指南 在互联网开发、跨国办公或日常浏览中,使用代理(如 VPN、机场、Socks5、OpenVPN/WireGuard 协议等)已经是不可或缺的技能。 然而,许多人在开启代理后,访问国外网站(如 Dev.to、GitHub、Medium 等)时,频繁遭遇如下提示: Performing security verification This website uses a security service to protect against malicious bots. This page is displayed while the website verifies you are not a bot. 甚至更让人崩溃的是,有时候点击了验证码,它依然不断刷新,陷入 无限验证死循环 。这并不是你的系统或浏览器损坏了,而是代理网络的特性触发了现代 Web 安全防御机制。本文将从技术原理深入拆解这一现象,并提供切实可行的优化方案。 一、 核心原理:网站安全服务是如何盯上你的? 现代网站大多会部署 Cloudflare(如 Turnstile 验证) 、Akamai、Imperva 等网络安全与防 DDoS 攻击服务。这些服务通过以下几个维度来评估访问者是“真实人类”还是“恶意机器人(Bot)”: 1. IP 信誉度(IP Reputation)与“连坐”机制 这是最核心的技术原因。代理服务商(特别是商业 VPN 或公共机场)所使用的 IP 地址,绝大多数属于 数据中心(Data Center)机房 IP ,而非普通家庭的 住宅(Residential)IP 。 高密度共用: 同一个代理 IP 节点上,可能同时有成百上千个用户在发起请求。 黑名单牵连: 如果该 IP 下的其他匿名用户正在使用自动化脚本抓取数据、进行端口扫描,或者发起恶意网络攻击,安全系统的风控引擎(如 Cloudflare IP Threat Score)就会瞬间拉高该 IP 的风险等级。当你恰好切换到这个“脏 IP”时,就会被系统无差别“连坐”,要求强制验证。 2. 被动指纹识别(Passive Fingerprinting)与几何特征 安全防御系统不仅看你的 IP 归属地,还会通过深层网络和浏览器几何特征来判断你的真实身份: TLS/SSL 握手特征(JA3 指纹): 当你通过一些特定协议或混淆模式(如带有特定加密的 TCP 隧道)连接网站时,浏览器发出的 TLS 握手特征可能会发生形变。 TCP/IP 栈特征: 经过代理服务器的转发,数据包的 TTL(生存时间)、Window Size(TCP 窗口大小)等底层参数可能会与你浏览器宣称的操作系统(如 Windows 11 或 Ubuntu 24.04)的标准特征不匹配。 浏览器画布与几何指纹(Canvas/Geometry): 浏览器的窗口大小、屏幕分辨率以及它们的比例,也是风控系统评估的重要指标。 自动化爬虫脚本(如 Selenium、Puppeteer)在启动时,常常使用死板的默认分辨率(如完美的 1024x768 或 800x600 )。如果你的代理 IP 本身信誉度低,窗口又处于这些“机器人专属分辨率”下,或者网页窗口大小与物理显示器分辨率比例极其诡异(例如伪造环境时穿帮),就会直接触发拦截。 3. 环境与地缘标签冲突(以 Yandex 浏览器为例) 风控系统对你使用的浏览器品牌同样有一套风险权重评估。 如果你使用的是 Yandex 浏览器 或某些小众、经过重度隐私魔改的浏览器,在配合代理时会变得 极其难通过验证 。Yandex 浏览器虽然基于 Chromium 内核,但其内部由俄罗斯团队集成了大量独特的隐私保护技术与 Canvas 渲染机制,计算出的浏览器指纹非常非主流。 更致命的是 地缘标签冲突 :欧美的主流网络安全公司(如 Cloudflare)对特定区域标签的客户端流量天然设置了更低的信任阈值。当你 用着 Yandex 浏览器 ,IP 却 挂着美国或日本的代理 时,这种“指纹与地理位置的剧烈冲突”在风控模型眼里极度反常,系统会判定该请求大概率来自自动化黑客工具,从而直接卡死验证。 4. 地理位置与行为“瞬移” 如果你的代理客户端开启了“负载均衡”或“定时自动切换节点”,可能会导致前一分钟请求来自日本,后一分钟请求来自美国。这种超越物理极限的“空间瞬移”属于高风险异常行为。此外,如果通过代码 瞬间改变 窗口尺寸,而非人类拖拽时产生的连续 resize 事件,也会被风控脚本捕捉到异常。 二、 实战优化:如何彻底摆脱“无限验证”死循环? 要彻底解决或缓解这个问题,可以根据实际的使用场景,从 节点筛选 、 路由分流 以及 浏
AI 资讯
Every tutorial tells you to add .env to .gitignore. That's not enough.
Here's something nobody talks about. .gitignore doesn't encrypt your secrets. It just hides them from git. They're still sitting on your laptop as plaintext. Every tool you install can read them. Every script that runs can read them. One accidental commit and your database password is public on GitHub forever. So I built dotlock — an encrypted .env vault with a terminal UI, written in Go. Before and after Before dotlock DATABASE_URL = postgres://localhost/myapp # plaintext, readable by anything STRIPE_KEY = sk_live_abc123 # one grep away from anyone After dotlock # .dotlock file on disk — looks like this: [ encrypted binary — unreadable without your private key] How it works under 10 seconds cd my-project dotlock set DATABASE_URL # prompts for value, input is masked dotloc # opens the terminal UI Secrets are encrypted with age — X25519 key agreement and ChaCha20-Poly1305 authenticated encryption. The same primitives serious security engineers use. No master password. No cloud. No telemetry. 100% offline. What it looks like Two panels — profiles on the left, secrets on the right. Values are masked by default. Press v to reveal for 30 seconds, then it hides itself automatically. Switch between dev , staging , and prod profiles. Run a diff before deploying to catch missing variables before they break your app. The interesting technical bit The hardest part wasn't the encryption — filippo.io/age makes that straightforward. It was the TUI. BubbleTea uses the Elm architecture — Model, Update, View. Everything is a message. A keypress is a message. A timer firing is a message. Your Update function receives messages and returns a new model. The 30-second auto-hide on secret reveal works like this — no time.Sleep , no goroutines: type secretReveal struct { key string value [] byte expire time . Time // Now() + 30 seconds } On every render, check if time.Now() is past the expiry. If it is, zero the bytes and clear the display. Simple once you understand the model but it took
AI 资讯
It's not too late! Make your AWS Security Agent debut with a code review!
Introduction This article is an English translation of the article at the following URL, which was originally written in Japanese. The screenshots are still in Japanese. Sorry about that. https://qiita.com/amarelo_n24/items/e196b74f718c750a0e18 The penetration testing feature for AWS Security Agent (hereinafter referred to only as "Security Agent"), which was announced at AWS re:Invent 2025, has been generally available (GA). Code review and design review are still in preview as of May 25th, so those who haven't been able to try Security Agent yet can still try these features. I wasn't able to try penetration testing during the preview period , so I decided to at least experience code review and made my Security Agent debut! This article reflects the author's personal views. It is based on personal testing and should be used for reference only. Furthermore, the author has no experience in app development, so the terminology used may not be entirely accurate. Any corrections or errors in the content would be greatly appreciated. This article was written based on information as of May 25, 2026. What is a Security Agent? As mentioned above, this service was announced during AWS re:Invent 2025. It is a frontier agent that proactively protects applications throughout the entire development lifecycle in all environments (quoted from the official AWS page). https://aws.amazon.com/security-agent/ It includes three features that became generally available (GA) in April: penetration testing, design review, and code review (the subject of this article). Function name Feature Overview Status(As of 2026/5/25) Penetration testing Attempting to infiltrate the system from an external source to evaluate security measures. GA Design Review Analyze product specifications, architecture documents, and technical designs from a security risk perspective. Preview Code Review Inspect source code and repositories to detect code-level vulnerabilities. Preview Code security review (hereinafter
AI 资讯
The White House’s Aliens.gov Site Brags That ICE Arrested More Than 700 US Citizens
The website, which compares human beings to extraterrestrials, touts arrest numbers from the Trump administration’s sweeping immigration crackdown. But some of its details are really out there.
开源项目
Botnet of more than 17 million devices dismantled
The botnet was reportedly tied to a Russia-based residential proxy network.
AI 资讯
Your JWT decoder might be leaking your tokens. Here's how to check.
Most developers paste production JWTs into online decoders without thinking. Here's a 10-second DevTools check to see if your token is actually leaving your machine. A coworker was debugging an auth bug last month. Standard workflow: copy the JWT from the failing request, paste it into an online decoder, read the payload. I've done it a thousand times. You probably have too. Except the token he pasted belonged to a real customer. And the decoder he used is owned by an identity company that's had its share of security incidents. Nothing bad happened. Probably. But it made me think about something I'd never actually checked: when you paste a JWT into an online decoder, where does that token go? What a JWT actually contains Quick reminder of why this matters. A JWT isn't encrypted — it's just Base64URL-encoded. Anyone who has the token can read everything in it: header.payload.signature The payload routinely contains: User ID, email, and role Session identifiers Token expiry ( exp ) and issue time ( iat ) Sometimes — against best practice — far more And here's the part people forget: a valid, unexpired JWT is a live credential. If it hasn't expired, whoever holds it can often impersonate the user. Pasting it into a random website is functionally similar to pasting a password. The 10-second check Most online JWT decoders claim to be "secure" and "client-side." Some are. Some aren't. You don't have to trust the claim — you can verify it yourself in 10 seconds: Open the decoder in your browser Open DevTools → Network tab Clear the network log Paste a JWT and decode it Watch the Network tab If any request fires when you decode — your token left your machine. A truly client-side decoder fires zero network requests during decoding. The JavaScript does everything locally; nothing is sent anywhere. Try this on whatever decoder you currently use. You might be surprised. Why most "online" tools send data It's usually not malicious. Building decoding logic on the server is someti
安全
Microsoft under fire for threatening security researcher with criminal investigation
A public spat between Microsoft and an independent security researcher reopens a long-running debate over who is responsible for securing software.
AI 资讯
I built a cryptographic audit receipt for Claude Mythos (and any AI model) — here's how it works
Anthropic's Mythos model can autonomously find zero-day vulnerabilities. Their CVD disclosure process uses manual SHA-3-512 hash commitments to prove findings existed. I built something that automates that in one line of Python. What AetherProof does One function call generates a 128-byte Ed25519-signed receipt that proves: What model ran — FNV-1a hash of provider/model ID What it produced — hash of the output When — cryptographic nanosecond timestamp Tamper-evident — flip any byte anywhere → INVALID python import aetherproof receipt = aetherproof.for_anthropic( "Find vulnerabilities in this binary.", finding_text, model="claude-mythos-preview" ) receipt.save("CVE-2026-001.receipt") print(receipt.verify()) # True Try it in 30 seconds pip install aetherproof python -c " import aetherproof r = aetherproof.for_anthropic('question', 'answer') print(r.verify()) # True print(r.pretty()) " The unusual part — invisible Unicode watermarking Receipts embed invisibly into any text using Unicode Private Use Area codepoints (U+E000–U+E0FF). AI output carries its own audit trail. Works in any language — Arabic, Chinese, Devanagari, Hebrew, Thai, Japanese all tested. signed_output = aetherproof.embed(ai_response, receipt.to_bytes()) # Text looks identical. Receipt is inside. aetherproof.verify_embedded(signed_output) # True Numbers 187 tests, 0 failures 128/128 byte flips all detected 1000/1000 tamper probes pass Cross-language: Python generates, Rust CLI verifies 15,446 receipts/sec (Python) · 5,472/sec (Rust) Why AGPL-3.0 Free for open source. Commercial use needs a license. This is the compliance layer under your AI stack — it should be open, auditable, and not vendor-locked. GitHub https://github.com/pulkit6732/aetherproof Built by Pulkit. Feedback welcome.
AI 资讯
Secure Your Microservices: Meet Halimun, the High-Performance Encrypted Proxy
Meet Halimun Proxy a high-performance, ultra-low latency proxy tunnel system built from the ground up in Rust. Why Rust? By leveraging Rust , Halimun achieves extreme efficiency. Using the Axum web framework and Tokio for non-blocking asynchronous I/O, it manages to maintain a tiny footprint—running on as little as ~15MB of RAM . It’s designed to be fast, memory-safe, and incredibly stable under load. Core Security Features Halimun isn't just a proxy; it’s a security layer. It enforces strict request validation to ensure your internal services are never exposed to malicious actors: AES-256-CBC Encryption: End-to-end payload masking. Even if your traffic is intercepted, the actual API endpoint and data remain indecipherable. HMAC-SHA256 Integrity: Validates that data hasn't been tampered with in transit. Replay Attack Prevention: Uses Nonce and timestamp verification in-memory (via DashMap ) to reject duplicate spoofed requests. SSRF Protection: Built-in mechanisms to prevent attackers from targeting your internal network infrastructure (e.g., 127.0.0.1 ). Camouflage Routing: It hides your actual API structure behind random, dummy URL segments, making traffic profiling by WAFs or human analysts nearly impossible. Quick Start (Docker) Halimun is "Docker-ready," making it easy to drop into any existing infrastructure. 1. Configuration First, generate your encryption keys using the built-in generator: # Generate keys and save to .env docker build -t halimun-proxy . docker run --rm halimun-proxy ./halimun-proxy --keygen --format = env > .env 2. Deployment Configure your config.yaml to map your backend services, then launch your cluster: docker-compose up -d Your production proxy is now live, listening securely on port 80 while your backend services remain completely secluded within a private Docker network. Under the Hood: Request Lifecycle Halimun uses an encrypted tunnel approach. A typical request follows this structure: POST /proxy/1/SEGMENT1/SEGMENT2/SEGMENT3/SEGMEN
AI 资讯
The UK Government Just Merged This Open-Source AI Security Benchmark Into Their National Evaluation Framework
What Happened Last month, the UK Government's AI Safety Institute merged AgentThreatBench into their official inspect_evals framework — the same framework they use to evaluate frontier AI models from OpenAI, Anthropic, and Google DeepMind. AgentThreatBench is an open-source adversarial benchmark I built that contains 200+ attack payloads specifically designed to test whether AI agents can resist memory poisoning attacks. Why This Matters AI agents are increasingly being deployed with persistent memory — they remember past conversations, user preferences, and context across sessions. This creates a new attack surface: memory poisoning . An attacker who can inject malicious content into an agent's memory can: Exfiltrate sensitive data on subsequent sessions Override safety instructions persistently Manipulate agent behavior without the user's knowledge The OWASP Agentic Security Initiative identified this as ASI06 — Agent Memory Poisoning . What AgentThreatBench Tests The benchmark covers 5 attack categories: Category Payloads Description Prompt Injection 40+ Instructions disguised as memory content Protected Key Tampering 40+ Attempts to overwrite system-level keys Sensitive Data Leakage 40+ PII/credential exfiltration via memory Size Anomaly 40+ Memory inflation / resource exhaustion Behavioral Drift 40+ Gradual personality/instruction shifts How to Use It pip install agentthreatbench # Run the full benchmark against your agent atb run --target your_agent_endpoint --output results.json # Or use individual attack categories atb run --category prompt_injection --target your_agent_endpoint The BEIS Validation The UK Government's AI Safety Institute uses inspect_evals to: Evaluate frontier models before deployment decisions Benchmark safety mitigations across providers Track regression in safety properties over time Having AgentThreatBench merged into this framework means it's now part of the official government toolkit for AI safety evaluation. Links GitHub : github.co