Cybersecurity Insights, Trends & Best Practices | Infinum

The Most Dangerous AI Tool Got Breached. What is an Adequate Disclosure Strategy?

Blanka Bogdanović — Fri, 24 Apr 2026 10:53:21 +0000

When an AI model capable of finding zero-day vulnerabilities at machine speed gets accessed without authorization, the incident response has to match the threat profile. Anthropic’s handling of the Mythos breach is a useful case study of where disclosure practices for security breaches still need to catch up.

Anthropic built Claude Mythos Preview as something it explicitly said the world wasn’t ready for.

The model finds zero-day vulnerabilities at machine speed, demonstrated the ability to escape its own sandbox, and in at least one test, posted details of its own exploit to public websites without being asked.

We’ve already covered how Anthropic’s response was to keep it locked behind Project Glasswing – a tightly controlled initiative limited to a handful of vetted partners: AWS, Microsoft, Cisco, major banks, and critical infrastructure operators.

But exactly that is what makes what happened instructive.

Reports emerged this week that an unauthorized group accessed Mythos Preview through a third-party vendor environment connected to the rollout.

The group – part of a private Discord community that tracks unreleased AI models gained access on the same day Anthropic announced the model.

They didn’t break into Anthropic directly. They pieced together naming conventions exposed in a prior breach at an AI contractor, guessed the model’s URL, and used credentials from a third-party vendor that were still active. Three low-sophistication steps that together were enough.

This mechanism of access is worth sitting with.

Supply chain security is no longer a background concern for procurement teams. It is a front-line risk for anyone deploying AI in environments that touch source code, internal systems, or critical infrastructure.

The question to ask is not just whether your AI provider is secure. It is whether every vendor, contractor, and subprocessor in the deployment chain is held to the same standard – because attackers will find the weakest link, and in an AI deployment, the weakest link may not be the model itself.

Want to learn more about supply chain security? Talk to our certified experts who can help you protect your organization from attacks and regulatory consequences.

The disclosure question

Anthropic has confirmed the reports and said its investigation is ongoing. It has found no evidence of impact on its core systems, and activity appears limited to the vendor environment.

But the scope, duration, and what was done with the model the world wasn’t ready for during that access remain unconfirmed.

The disclosure question is where the situation gets more complex – and where there are useful lessons for any organisation deploying advanced AI.

Anthropic is a private company.

The SEC’s four-business-day disclosure rule for material cybersecurity incidents applies to public companies – Anthropic doesn’t qualify. CIRCIA’s 72-hour critical infrastructure reporting framework is still being phased in and may not apply here.

The EU AI Act does apply to Anthropic – Claude is available in the EU, and the Act has extraterritorial reach – and for a model with Mythos’s capabilities, incident reporting obligations to the EU AI Office are likely already active. But the Commission’s enforcement powers over GPAI providers don’t arrive until August 2026.

All in all, from a strict legal standpoint, Anthropic is operating in a grey zone where disclosure is largely voluntary. But the regulatory question is, in some ways, the wrong one. The more useful question is: what does good practice look like, and what can other organisations learn from this?

What best practice actually requires

Every major cybersecurity framework – NIST, ISO 27001, SANS – is unambiguous on this point: notify early, disclose what you know, and update as the picture becomes clearer.

The reasoning is practical. Affected parties cannot protect themselves from information they don’t have. The standard is not to wait for a complete picture before saying anything. The standard is to say something immediately and complete the picture as you go.

Waiting for certainty before notifying is how contained incidents become larger ones.

The specific challenge here – and it is a genuine one – is that Anthropic had publicly framed Mythos as a tool requiring exceptional access controls because of its offensive potential. That framing raises the stakes for disclosure in both directions.

On one hand, it makes the case for fast, proactive communication stronger: if partners have been told they are working with something uniquely sensitive, they need to know quickly when something goes wrong.

On the other hand, it makes the cost of a premature or inaccurate disclosure higher – a false alarm about a tool of this profile carries its own reputational and operational risk.

That tension is real, and it is not unique to Anthropic. Any organisation deploying advanced AI in sensitive environments will face it.

There’s also the partner angle.

The Project Glasswing members – major banks, critical infrastructure operators, technology companies – all have their own incident response programmes and regulatory obligations. They can’t act on information they don’t have.

Every hour of delay is an hour those teams aren’t assessing whether their own environments were touched.

Anthropic has not publicly confirmed whether partners were notified directly ahead of or separately from its public statement – and given the two-week gap between access and disclosure, that is a question worth asking.

The broader lesson

The weakest link in the Mythos breach wasn’t Anthropic’s core infrastructure. It was a contractor’s credentials and a predictable URL.

That is a supply chain governance failure, and it is one that most organisations haven’t fully accounted for in their vendor contracts, partner agreements, or incident response plans.

This incident is a useful prompt to ask some basic questions:

Do your vendor contracts require notification within a defined timeframe?
Do your partners know they will be told directly, not via a press report?
Is your incident response plan built around the sensitivity of the AI tools involved, or around more generic breach protocols?

The regulatory framework for advanced AI incidents is still being built.

The EU AI Act’s enforcement powers are arriving in phases. CIRCIA is still being implemented. That grey zone will not last indefinitely – but in the meantime, the organisations that build trust are the ones that move faster than the rules require, not slower.

The gap between what the law currently demands and what good practice looks like is the space where reputations are made or lost. For companies working with the most capable AI tools available, that gap is worth closing proactively.

Supply chain security is complex. Our certified experts can help you assess your exposure and stay ahead of the regulatory and operational risks that come with AI deployment. Let’s chat.

The post The Most Dangerous AI Tool Got Breached. What is an Adequate Disclosure Strategy? appeared first on Infinum.

Project Glasswing Proves Frontier AI Can Break – and Fix – Software

Blanka Bogdanović — Fri, 17 Apr 2026 13:12:58 +0000

Anthropic just launched Project Glasswing – a major initiative to hunt vulnerabilities in critical open-source software using its most capable AI model. The implications for defenders and attackers alike are significant, and most organisations are not ready for either.

On 7 April 2026, Anthropic launched Project Glasswing – a coordinated effort to give key technology providers early access to Claude Mythos Preview with one goal: find and fix long-hidden vulnerabilities in critical open-source software before attackers do.

It is the clearest signal yet that frontier AI has crossed a threshold. It is no longer just a productivity tool bolted onto existing security workflows.

It is becoming an active participant in the vulnerability lifecycle, capable of reasoning across vast codebases, identifying subtle logic flaws, and chaining issues into exploitable paths that would take a human researcher weeks to uncover.

That is worth taking seriously. Not because of the marketing, but because credible institutions are paying attention.

The AI Security Institute and the UK National Cyber Security Centre have both documented measurable progress in AI agents completing multi-step cyber attack scenarios. The NCSC has called on defenders to prepare for a world in which frontier AI amplifies attacker capabilities at pace.

Glasswing is a concrete attempt to tilt that balance back toward defence. The early findings suggest it is working.

The two-sided ledger of AI-assisted security

For most of computing history, finding and exploiting software vulnerabilities required rare expertise.

The people who could do it reliably numbered in the thousands globally. That constraint mattered – it was a practical limit on how fast attackers could operate and how broadly they could target.

Over the past year, that constraint has eroded sharply.

AI models have become increasingly effective at reading and reasoning about code, showing a particular ability to spot vulnerabilities and work out how to exploit them. The cost, effort, and level of expertise required have all dropped dramatically.

Here is the uncomfortable truth: the same capabilities that make a frontier model useful for vulnerability discovery make it useful for exploitation.

Claude Mythos Preview, Anthropic’s unreleased frontier model behind Glasswing, has reached a level of coding capability where it can surpass all but the most skilled humans at finding and exploiting software vulnerabilities.

That is not a marketing claim – it is the assessment Anthropic has published alongside the initiative. The AISI’s evaluation of Claude Mythos Preview’s cyber capabilities tracks the same capability curve and reaches similar conclusions.

And it is not only expert hands that can wield it.

Anthropic’s own Red Team blog reports that engineers with no formal security training asked Mythos Preview to find remote code execution vulnerabilities overnight, and woke up the following morning to a complete, working exploit.

An AI that can read a codebase, reason about execution paths, and identify edge cases in authentication logic can do that work for a defender running a bug bounty programme or for an attacker building an exploit chain. The model does not care which side of the firewall it is on. And given the rate of AI progress, these capabilities will not remain confined to actors committed to deploying them safely.

The question for security teams is not whether to engage with this shift. It is – how fast.

What Glasswing tells us about where this is heading

Anthropic’s approach with Glasswing is instructive beyond the specific initiative. A few things stand out.

The focus on open-source infrastructure is deliberate

Open-source software underpins almost every critical system in operation today – cloud platforms, financial infrastructure, healthcare systems, industrial controls.

Vulnerabilities in widely used libraries do not stay contained. When one surfaces, the blast radius is enormous and the window between disclosure and exploitation has compressed to hours in many cases.

The Axios npm supply chain attack in March 2026 – where two malicious versions of one of JavaScript’s most-used libraries were quietly published – is a recent example of exactly how fast that window closes.

The results are concrete

Mythos Preview has already found thousands of zero-day vulnerabilities – flaws previously unknown even to the software’s own developers – including some in every major operating system and web browser.

Some of the specific findings illustrate just how significant the capability leap is:

A 27-year-old vulnerability in OpenBSD – one of the most security-hardened operating systems in the world, widely used to run firewalls and critical infrastructure – that allowed an attacker to remotely crash any machine running the OS simply by connecting to it.
A 16-year-old vulnerability in FFmpeg, the video encoding library used by an enormous range of software, in a line of code that automated testing tools had hit five million times without catching the problem.
A chain of vulnerabilities in the Linux kernel – the software running most of the world’s servers – that the model found and linked autonomously to escalate from ordinary user access to full control of the machine.
A web browser exploit that chained together four separate vulnerabilities, writing a complex attack that escaped both the browser’s renderer sandbox and the operating system sandbox beneath it.

The gap between Mythos Preview and the previous generation of models is also stark.

When tested against known vulnerabilities in Mozilla’s Firefox JavaScript engine, the previous best model – Claude Opus 4.6 – turned those vulnerabilities into working exploits twice out of several hundred attempts. Mythos Preview did it 181 times.

These are not theoretical weaknesses. They are exploitable flaws that survived decades of human review and millions of automated tests. The model found them.

The initiative is coordinated by design

Early access, structured disclosure, defined scope – Glasswing is built to funnel findings into responsible remediation rather than onto a paste site.

Anthropic’s position is that the same capabilities that make AI dangerous in the wrong hands make it invaluable for finding and fixing flaws in critical software, and for producing new software with fewer security bugs from the start.

That framing is worth taking at face value, because the alternative – waiting for these capabilities to proliferate without a coordinated defensive response – is considerably worse.

For organisations watching from the outside, the implication is direct: if a frontier model can find vulnerabilities in your dependencies that survived decades of human review and millions of automated tests, you cannot rely on existing scanning and review processes to give you confidence that your attack surface is clean.

The attacker’s advantage – and how to close it

Defenders have always operated at a structural disadvantage.

An attacker needs to find one way in. A defender needs to close every path. AI widens that gap if defenders do not move.

The realistic near-term threat is not yet a fully autonomous AI attacker operating without human direction. But it is human attackers using AI to operate faster, at a greater scale, and with less specialised knowledge than was previously required.

A moderately skilled attacker with access to a capable model can accelerate reconnaissance, generate targeted phishing content, identify patch-gap windows, and synthesise public vulnerability research into working attack chains.

Attacks that previously required specialist knowledge are now within reach of far more people.

SEAN MCCARTHY, HEAD OF CYBERSECURITY TESTING, AMR CYBERSECURITY – PART OF INFINUM

We explored a version of this problem in our analysis of security gaps in vibe-coded applications.

AI-generated code introduces vulnerabilities not because the model is careless but because it optimises for functional correctness, not security depth. An attacker using the same models to probe those applications has a natural advantage over a developer who did not think adversarially when prompting.

The answer is not to avoid AI in development.

It is to apply deliberate security discipline at every stage – including to the AI-generated output itself. That means combining automated scanning with human-led testing rather than assuming one replaces the other.

What organisations should do before the surge hits

Glasswing is likely to accelerate vulnerability disclosures across the open-source ecosystem. Organisations that are unprepared for a sudden increase in security advisories affecting their dependencies will struggle to respond at pace.

Martin Walsham, Director of Cybersecurity at AMR Cybersecurity – Part of Infinum, has been tracking this shift closely: “Frontier AI models are progressing at pace, and the same technologies that defenders can use to increase overall security posture can equally be used by attackers to amplify their capabilities. This heightens the need for organisations to implement strong security baselines, defence in depth, and robust secure code, and to patch at pace to make them less susceptible to attacks.”

Ahead of an anticipated surge in vulnerability reporting, organisations should be assessing and investing in advanced tooling and enhanced services to continually protect, detect, and respond to cyber threats – because the pace at which attackers operate will only increase.

MARTIN WALSHAM, DIRECTOR OF CYBERSECURITY, AMR CYBERSECURITY – PART OF INFINUM.

The precautionary steps below are not dramatic departures from good security hygiene. They are the foundations that make rapid response possible when it is needed.

Review and test your incident response plan now.

Not the version that was written two years ago and has not been touched since. Run a tabletop exercise against a realistic scenario – a critical CVE in a dependency you cannot patch immediately, combined with active exploitation attempts.

Prepare for increased advisory volume.

If AI-assisted vulnerability research delivers on its promise, the rate of disclosures in widely used open-source libraries will increase. Security and engineering teams need the capacity to triage and prioritise that volume without dropping everything else. Build that capacity before the surge, not during it.

Get your asset management list accurate.

You cannot patch what you do not know you are running. This is the most consistent gap we see in organisations that have otherwise mature security programmes. A dependency buried four levels deep in your supply chain is still your problem when a CVE drops against it. Our step-by-step software supply chain security framework covers how to map and manage that exposure systematically.

Monitor updates and advisories actively.

Subscribe to feeds for the libraries and platforms you depend on. Automated dependency scanning tools have improved significantly – if you are not running one, start.

Review third-party agreements with critical suppliers.

If a vulnerability surfaces in a service you depend on and your contract does not specify patching SLAs, you have no lever to apply. Review those agreements and open conversations with suppliers about their response posture before you need to have that conversation under pressure.

Test your external perimeter.

If your last penetration test was more than twelve months ago, you do not have an accurate picture of your exposure. This is especially true for organisations that have made infrastructure changes, onboarded new services, or shipped significant product updates since the last test.

Have a plan for enhanced monitoring at short notice.

Not all threats give you advance warning. Know what elevated monitoring looks like for your environment and how quickly you can activate it.

Security baselines matter more, not less

There is a temptation to frame AI-powered threats as something categorically new that requires a categorically new response.

In some respects, that is true – the speed and scale at which AI-assisted attacks can operate does change the calculus. But the vulnerabilities being exploited are mostly the same ones that have always existed: missing input validation, broken access control, insecure defaults, and unpatched dependencies.

Our cybersecurity trends outlook for 2026 covers how AI-driven attacks, stricter compliance requirements, and supply chain exposure are converging into a single pressure point for security teams.

The NIS2 and DORA frameworks that came into force across the EU reflect this same reality. The technical requirements they mandate – multi-factor authentication, incident reporting, supply chain risk management, regular penetration testing – are not responses to AI-powered threats specifically. They are the baseline hygiene that makes an organisation resilient regardless of what the attacker is using.

If your organisation is not meeting that baseline, the sophistication of the threat is almost beside the point.

Strong foundations beat reactive firefighting

Project Glasswing is a meaningful development in the responsible use of frontier AI for defence.

The AISI and NCSC assessments confirm what security practitioners have been observing in practice: capability is advancing faster than most organisations have adjusted for.

The right response is not to wait and see how the landscape settles. It is to invest in the defences that reduce exposure across the board – sound architecture, secure development practices, regular testing, and the operational readiness to respond when something goes wrong.

Infinum’s penetration testing and cybersecurity services are built around exactly that kind of proactive posture. If you want to understand your current exposure before the next wave of disclosures hits, talk to our security team.

The post Project Glasswing Proves Frontier AI Can Break – and Fix – Software appeared first on Infinum.

Why GRC Fails – and What a Framework That Actually Works Looks Like

Tom Miller — Fri, 17 Apr 2026 11:46:06 +0000

Most GRC programs fail not because the framework is wrong, but because it’s built to satisfy auditors, not protect businesses. Here’s what that costs you – and how to do it differently.

Most organisations have some version of GRC in place. Policies exist. Compliance boxes get ticked. A risk register lives somewhere in a shared drive, last updated before anyone currently on the team joined. And then a breach happens, or an audit goes badly, and everyone is surprised.

They shouldn’t be.

The most common GRC failure isn’t ignorance of the framework – it’s treating it as an administrative exercise rather than a decision-making system. You end up with documentation that describes security rather than delivers it.

That distinction matters more than most security conversations acknowledge.

Why GRC exists – and why it usually gets implemented wrong

GRC – governance, risk, and compliance – is a system for making security decisions that support a business rather than obstruct it. Not rules imposed from above, but a framework built around what the organisation is actually trying to achieve.

If you want a deeper grounding in GRC fundamentals before going further, start with our GRC explainer – it covers the full framework from first principles.

The problem is that most implementations start from the wrong end.

They start with a compliance requirement, reverse-engineer the policies needed to satisfy it, and call that a GRC program.

The risk register gets populated because ISO 27001 requires one, not because anyone is actively using it. Policies get written because auditors want to see them, not because they reflect how the business actually operates.

This is checkbox compliance. And it’s not just ineffective – it’s actively dangerous. It creates the appearance of security maturity without the substance.

When something goes wrong, the documentation says the right things. The reality doesn’t match.

A GRC framework that works starts with a different question: what is this business trying to achieve, and what could prevent it? Risk is the answer. Governance and compliance are how you respond to it.

Start with risk – and be honest about it

Risk sits at the centre of GRC.

Most organisations are far better at documenting risk than they are at being honest about it.

TOM MILLER, HEAD OF ASSURANCE, AMR CYBERSECURITY – PART OF INFINUM

The starting point is asset classification – understanding what you’re actually trying to protect. Critical data, intellectual property, operational systems, customer-facing services.

Not everything is equal, and treating it as if it is means you’ll over-invest in protecting things that don’t matter and under-invest in protecting things that do.

Once assets are mapped, the threat picture becomes clearer.

Sensitive customer data attracts financially motivated attackers.
Source code repositories attract competitors and state actors.
Physical sites face different exposure entirely.

The threats facing each asset differ in nature, method, and likely impact – and that shapes how risk should be assessed.

Risk assessment comes down to two dimensions: impact and likelihood.

How damaging would this event be – financially, operationally, reputationally? And how likely is it to occur given your current controls and environment?

Plot those two on a matrix, score them consistently, and you get a risk level you can act on.

The scoring methodology matters less than its consistent application. An organisation that assesses risk differently each quarter produces data that can’t be trended or compared. The value of a risk register is cumulative – it shows you how risk is changing over time, which controls are working, and where new exposure is emerging.

Risk reviews should happen at least annually for the full register, and quarterly for anything rated high.

Each risk needs a named owner – a senior person responsible for accepting that the risk level is appropriate and for escalating it if it changes. Without ownership, risks get logged and forgotten.

What to do when a control isn’t working

This is where most GRC programs go quiet. A control gets implemented, it gets checked off, and nobody asks whether it actually changed anything.

When a control isn’t working – when the risk level hasn’t moved, or when incidents keep recurring in the same area – the answer isn’t to add more controls. It’s to go back to the risk assessment and ask whether you’ve correctly understood the threat.

Often, the control addresses the symptom rather than the cause. A phishing training module doesn’t solve a culture that punishes people for reporting mistakes. A firewall rule doesn’t fix misconfigured cloud permissions.

Controls should reduce either the likelihood or the impact of a risk. If neither is moving, something is wrong with the control, the assessment, or both.

TOM MILLER, HEAD OF ASSURANCE, AMR CYBERSECURITY – PART OF INFINUM

For technical controls specifically, penetration testing is one of the most direct ways to find out whether a control is actually doing what you think it is.

Why security policies fail – and what to do about it?

Governance is what makes risk management repeatable. Documented policies, defined responsibilities, clear ownership – the infrastructure that ensures security doesn’t live in one person’s head and doesn’t fall apart when someone leaves.

But governance has a failure mode that organisations consistently underestimate: policies that nobody follows.

Lock down laptops too tightly, and people find workarounds.
Require complex passwords to be changed every 30 days, and they get written on sticky notes.
Mandate a slow, bureaucratic approval process for software tools, and teams start using personal accounts for work data.

If staff are bypassing a control, that is not a compliance problem. It is a design problem. The control is wrong. It’s asking people to choose between doing their job and following the rules, and unsurprisingly, they choose their job.

The irony is that overly strict controls often create more risk than they prevent – because the workarounds are almost always less secure than whatever the policy was trying to enforce.

The fix isn’t stricter enforcement. It’s redesigning the control to be compatible with how work actually gets done.

Security that works with people is more effective than security that works against them, even if it looks less rigorous on paper.

Metrics are how you catch this early.

Security training completion rates, phishing simulation results, patch compliance rates, incident trends – these tell you whether the governance framework is working in practice, not just on paper.

Patterns in that data are diagnostic.

If phishing click rates stay flat after multiple training rounds, the training isn’t the solution. If patch compliance drops in one team, there’s a resourcing or tooling problem to fix, not a people problem to escalate.

Incident reporting culture sits underneath all of it

Teams that punish mistakes get underreporting. Underreporting means the same vulnerabilities recur because nobody connected the dots between incidents.

An environment where people report phishing clicks, near misses, and process failures without fear is not a soft environment – it’s one that learns faster than its attackers.

For teams building software, the same principle applies to the development process itself: embedding security from the start is cheaper and more effective than bolting it on later. Here’s what that shift looks like in practice.

How to decide whether to comply with a regulation?

Compliance is the most visible part of GRC, and the most frequently misunderstood. The default assumption is that compliance requirements are obligations to be met. Some are. Many aren’t.

There are three distinct categories worth separating:

Mandatory compliance – legal requirements that apply to your organisation based on sector, geography, or the nature of the data you handle. GDPR for organisations processing EU personal data. NIS2 and DORA for financial services and critical sectors across the EU. Non-compliance here isn’t a business decision – it’s a legal exposure.
Commercial compliance – certifications and frameworks that aren’t legally required but open doors. ISO 27001 is the most common example: many enterprise customers and regulated-industry partners won’t sign contracts with vendors who can’t demonstrate it. The compliance decision here is a sales and market access question as much as a security one.
Voluntary frameworks – standards like NIST or CIS Controls that provide useful structure without any external mandate. The value is in the methodology, not the certification.

Treating all three categories the same way produces bad decisions.

Spending significant resources on a voluntary framework while ignoring a mandatory obligation is a governance failure. So is pursuing an expensive certification that none of your target customers will ever ask for.

Outcome-based regulation changes the calculation

Increasingly, regulators define what good looks like rather than prescribing exactly how to get there.

NIS2 is a clear example – it specifies required capabilities and outcomes across risk management, incident handling, and supply chain security, but leaves implementation to the organisation.

This is good policy design. It acknowledges that a one-size-fits-all technical prescription can’t account for the diversity of organisations in scope. But it shifts the burden onto organisations to genuinely interpret what compliance means for their context, rather than following a checklist.

That interpretation requires security judgment, not just legal review.

A small professional services firm and a hospital group might both fall under NIS2, but the controls that constitute appropriate risk management for each look very different.

Getting that translation right is the work – and it can’t be delegated entirely to a compliance team.

For a current view of which regulatory shifts are having the most practical impact on security teams right now, our 2026 cybersecurity trends piece covers the landscape.

Vendor risk: the risk you let in without realising it

Your own security posture is only part of the picture. Every supplier onboarded, every tool deployed, every third party with any form of access to your systems extends your attack surface. In most organisations, that surface is considerably larger than anyone has formally mapped.

Vendor risk management isn’t about being suspicious of suppliers. It’s about not assuming trust where it hasn’t been established.

The questions worth asking before any significant vendor relationship:

Do they hold relevant certifications (ISO 27001, Cyber Essentials, SOC 2)?
Has their product been independently penetration tested, and will they share the findings?
How do they manage vulnerabilities in their own software and infrastructure?
What access will they have to your systems – and is that access scoped correctly?
What happens to your data if the relationship ends?

These aren’t bureaucratic hurdles.

They’re the minimum basis for making an informed decision about the risk a vendor introduces.

An organisation that can’t answer these questions about its critical suppliers has a material gap in its risk picture, regardless of how well-managed its internal controls are.

Supply chain compromise is one of the highest-impact attack vectors in the current threat landscape, precisely because it bypasses the controls organisations invest in protecting their own perimeter.

The software supply chain security problem is worth understanding in detail if your organisation builds or depends on software from third parties.

The loop that most organisations miss

The reason GRC works – when it works – is that governance, risk, and compliance aren’t separate programmes running in parallel. They’re a loop.

Risk assessment drives what governance policies need to exist. Governance structures ensure risks are owned and monitored. Compliance requirements feed back into risk, because falling foul of a regulation is itself a risk with an impact and a likelihood that needs to be assessed and managed.

Break any link in that loop and the system degrades.

Risk managed without governance produces decisions that live in spreadsheets and get forgotten. Governance without risk produces policies disconnected from the actual threats. Compliance without either produces documentation that satisfies auditors and protects no one.

The organisations that do this well aren’t the ones with the most sophisticated tools or the thickest policy libraries. They’re the ones where security decisions are made deliberately, with clear ownership, against a shared understanding of what the business is trying to protect.

That’s a cultural outcome as much as a process one. And it’s harder to fake than any compliance certificate.

Security that works with your business rather than against it starts with the right foundations. Infinum’s security practice helps organisations build GRC frameworks grounded in real risk, not just audit readiness. Explore our cybersecurity services to see where we can help.

The post Why GRC Fails – and What a Framework That Actually Works Looks Like appeared first on Infinum.

What Is GRC? Governance, Risk, and Compliance Explained

Tom Miller — Fri, 17 Apr 2026 11:46:02 +0000

GRC connects governance, risk, and compliance into a single decision-making system. Here’s what each pillar means, how they interact, and how businesses apply them in practice.

Most organizations already manage governance, risk, and compliance in some form – they just do it in separate silos, with different teams, different tools, and no shared language. GRC formalizes that into a single, connected system.

When governance, risk, and compliance operate independently, decisions get made without context.

An IT team patches vulnerabilities without knowing which ones actually threaten business-critical systems. A compliance team checks boxes without understanding the underlying risk. Leadership approves budgets without visibility into what they’re actually protecting.

GRC fixes that – not by adding process overhead, but by aligning security decisions with business goals.

And in an environment where the regulatory landscape keeps expanding, the number of threat vectors keeps growing, and senior leadership is increasingly held personally accountable for security failures, that alignment is no longer optional.

Already familiar with GRC but want a more practical perspective on how it should work in real businesses? Check out our blog on the GRC framework for modern organizations.

What does GRC stand for?

GRC stands for Governance, Risk, and Compliance. Each term names a distinct discipline, but the value of GRC comes from how they interact.

Governance defines how an organization makes decisions – its policies, roles, responsibilities, and the processes that keep security practices consistent as the business grows or changes.

Risk is the analytical core. Risk management identifies what matters most to the business, assesses what could go wrong, and determines how much uncertainty the organization is willing to accept.

Compliance ensures the organization meets its legal, regulatory, contractual, and framework-based obligations – whether that’s GDPR, NIS2 and DORA, PCI DSS, ISO/IEC 27001, or requirements imposed by a customer.

The three are not parallel tracks – they form a loop. Governance defines how things should work, risk explains why controls are needed, compliance confirms that external expectations are met. Strip any one of them out and the system breaks down.

Why GRC matters for business

The case for GRC goes well beyond avoiding fines, though the fines alone are significant.

Under NIS2, essential entities face penalties of up to €10 million or 2% of global turnover.
Under GDPR, major violations carry fines of up to €20 million or 4% of annual worldwide revenue.
Failure to comply with the Payment Card Industry Data Security Standard (PCI DSS) can result in suspension of card processing rights for non-compliant organisations.

These aren’t edge cases – they’re the baseline exposure for businesses operating in regulated environments.

But the more durable argument for GRC isn’t the downside. It’s the operational benefit.

Organizations with mature GRC programs make better decisions faster. Risk appetite is defined, so teams don’t have to relitigate every security investment. Compliance obligations are mapped, so the answer to “do we need to do this?” is documented rather than guessed. Governance structures are in place, so accountability doesn’t evaporate when the person who knew something leaves.

TOM MILLER, HEAD OF ASSURANCE, AMR CYBERSECURITY – PART OF INFINUM

There’s also a commercial dimension.

Enterprise customers and regulated-sector partners regularly require evidence of security maturity before signing contracts. SOC 2 attestation, ISO/IEC 27001 certification, and documented compliance management systems are increasingly prerequisites rather than differentiators.

A strong GRC posture opens doors; the absence of one closes them.

How does risk management work in GRC?

Risk management is where most GRC programs begin, and for good reason.

Without a clear picture of what you’re protecting and what threatens it, governance produces arbitrary rules and compliance becomes theater.

Step one: identify and classify your assets

You cannot manage risk to assets you haven’t mapped.

Those assets may include customer data, intellectual property, operational systems, physical infrastructure, or vendor relationships. Classification matters because not all assets warrant the same level of protection – and trying to protect everything equally usually means protecting nothing well.

Step two: understand the threat landscape

Different assets face different threats.

Personal data is targeted for financial gain. Critical infrastructure faces operational disruption. Source code may attract industrial espionage. Understanding the nature of threats – not just their existence – shapes how you assess and respond to them.

Step three: assess impact and likelihood

This is where the risk matrix comes in. Risk is typically evaluated across two dimensions:

Impact – how damaging an incident would be, in terms of financial loss, reputational harm, regulatory penalties, or operational disruption
Likelihood – how probable it is that the event occurs, given existing controls and the threat environment

These are plotted on a matrix, commonly a 5×5 grid, to produce a risk score. The exact numbers are less important than the consistency of the methodology. Organizations that assess risks differently each time they run the exercise produce data that can’t be compared or trended. Continuous monitoring through defined key risk indicators (KRIs) keeps the picture current between formal review cycles.

Step four: decide how to treat the risk

Once a risk level is established, the business chooses how to respond. The standard options are:

Reduce the risk through controls – security training, technical safeguards, process changes
Accept the risk if it falls within the organization’s risk appetite
Avoid the risk by changing or discontinuing the activity that creates it
Transfer the risk – through insurance, contracts, or third-party arrangements

Controls should be matched to risks specifically. Generic controls applied uniformly are expensive and often ineffective against the actual threats an organization faces.

For technical risks in particular, penetration testing is one of the most direct ways to validate whether your controls actually hold up.

Risk assessment & management is ongoing, not periodic

Threats change. Businesses evolve. Acquisitions, new product lines, cloud migrations, and regulatory changes all shift the risk assessment.

Most organizations review their full risk register at least annually.

High-risk areas warrant more frequent reassessment. Assigning clear risk owners – people accountable for monitoring and managing specific risks – is what prevents risks from being noted once and then quietly forgotten.

What is governance in a GRC framework?

Governance is the operational skeleton of GRC. It translates risk decisions into repeatable practice.

That includes

documented policies covering data handling, access control, incident response plans, acceptable use, and other security-critical areas
defined roles – from senior leadership accountability at board level down to team-level ownership – so that security doesn’t depend on any single individual
processes for reviewing and updating those policies as the business changes

One design failure that consistently undermines governance programs: rules that are too strict for people to follow. Overly restrictive policies don’t eliminate risk – they push it underground.

Employees find workarounds. Shadow IT proliferates. Data ends up in personal accounts because the approved tools are too slow or too inconvenient.

Effective governance balances protection with usability. Policies should make it easier to work securely, not harder to work at all.

Governance frameworks also need scheduled reviews.

A policy written before your organization moved to cloud infrastructure, onboarded a major enterprise customer, or doubled headcount is likely obsolete in places.

Incident data, employee feedback, and internal audit results should all feed into governance updates – not sit in a report that nobody reads.

What compliance frameworks do businesses need?

The answer depends on the industry, the markets served, and the nature of customer relationships. But the typical compliance picture for a modern business covers several layers:

Legal and regulatory requirements – data protection laws, cybersecurity regulations, sector-specific legislation (NIS2 and DORA in the EU, for example)
Industry frameworks – ISO/IEC 27001, Payment Card Industry Data Security Standard (PCI DSS), SOC 2, NIST, CIS Controls
Regional data protection regulations – the General Data Protection Regulation (GDPR) for organizations handling EU personal data; the California Consumer Privacy Act (CCPA) for those serving US consumers; the Health Insurance Portability and Accountability Act (HIPAA) for healthcare; the Sarbanes-Oxley Act (SOX) for US-listed companies
Anti-corruption and financial crime frameworks – the Foreign Corrupt Practices Act (FCPA), the UK Bribery Act, and EU Money Laundering Directives for relevant sectors
Contractual obligations – security requirements imposed by enterprise customers or partners, often as conditions of doing business

It’s important to note that these often overlap.

A financial services company serving EU customers may simultaneously need to comply with DORA, NIS2, GDPR, and the security requirements of its largest institutional clients. GRC provides the structure to manage these demands coherently rather than spinning up separate workstreams for each.

What is outcome-based regulation?

A significant portion of modern compliance frameworks – including NIS2 and many data protection regimes – define outcomes rather than prescribing specific security controls. They tell you what you need to achieve, not exactly how to achieve it.

This creates flexibility. It also creates interpretation work.

“Implement appropriate technical and organizational measures” means different things for a 20-person SaaS company and a multinational bank.

Understanding your specific risk profile, business context, and the regulator’s expectations for your sector is what makes outcome-based regulatory compliance meaningful rather than aspirational.

Compliance is itself a risk decision

Not every framework that exists is mandatory for your organization.

Some are legally required. Others are commercially beneficial – certain enterprise customers won’t sign contracts with vendors who can’t demonstrate ISO/IEC 27001 certification, for example. Others are optional but signal maturity to the market.

Deciding which standards to pursue should follow the same logic as any risk assessment follow-up decision: what are the obligations, what is the business value, and what does it cost?

For an up-to-date view of which regulatory obligations are currently driving the most change, our 2026 cybersecurity trends piece is a useful companion read.

Culture, metrics, and the feedback loop

GRC doesn’t run on documents alone. It runs on people.

Security training participation rates, phishing simulation results, system patching cadence, and incident trends are all metrics that reveal how the governance framework is performing in practice – not just on paper.

Organizations that track these consistently identify weaknesses before they become incidents. Regular training sessions and awareness programs matter here not as regulatory compliance checkboxes, but as data sources: if phishing click rates don’t move after repeated training rounds, the training isn’t working.

The other half of this is incident reporting culture.

Employees need to feel safe raising concerns, reporting mistakes, and escalating near misses. Blame discourages reporting. Underreporting makes risk data unreliable and leaves the same vulnerabilities recurring across incidents that could have been connected.

Every incident that gets reported and analyzed is a direct feed into the risk register, the governance framework, and the next training cycle – that feedback loop is what makes GRC a living system rather than a compliance filing exercise.

If your organization builds software, embedding security into the development lifecycle is where that loop starts – here’s how to make that shift.

GRC tools: what actually matters

The market for GRC platforms – compliance management systems, risk registers, policy libraries, audit tracking tools – is large and varied, ranging from enterprise-grade systems with automated controls mapping and real-time dashboards to simpler internal documentation and spreadsheet-based approaches.

Sophisticated tooling can be valuable – but only if it’s properly configured, actively maintained, and matched to organizational maturity.

A platform that requires significant customization and ongoing administration may create more overhead than it removes for a smaller organization.

What matters is not the sophistication of the tool but the quality of the thinking behind it. A GRC spreadsheet used rigorously beats an enterprise platform treated as a checkbox.

TOM MILLER, HEAD OF ASSURANCE, AMR CYBERSECURITY – PART OF INFINUM

Vendor risk management deserves specific attention. Every supplier introduced into your environment extends your attack surface, and that includes cloud providers, managed service providers, software vendors, and any third party with access to your systems or data.

Trust should be verified through due diligence, not assumed. When evaluating vendors, prioritize demonstrated experience, relevant credentials, and a clear approach to their own GRC.

For a practical framework on how to assess and manage that exposure, our guide to software supply chain security covers it step by step.

How to build a GRC framework: where to start

The most common mistake when building a GRC program is starting with the tools or the compliance checklist rather than the risk picture. The sequence matters.

Start with an honest assessment of where you are.

Map your assets, identify your regulatory obligations, and evaluate whether your current governance structures and compliance programs are actually functioning or just documented. Gaps between what the policies say and what teams do are the most important findings at this stage.

Define your risk appetite.

Senior leadership needs to agree – explicitly, on paper – on how much risk the organization is willing to accept in different areas. Without that anchor, every risk treatment decision becomes a negotiation.

Prioritize by impact.

You cannot fix everything at once. Address the highest-risk areas first, assign owners, and set measurable targets. A chief compliance officer or equivalent role provides the continuity needed to drive this process – someone whose job it is to track progress across the organization, not just within a single team.

Build compliance management into operations, not alongside them.

Compliance programs that exist in parallel to how work actually gets done produce documentation and little else. The goal is to integrate compliance requirements into everyday workflows so that adherence is the path of least resistance, not an additional burden.

Review regularly.

A GRC program that isn’t updated is a liability. Set a cadence for risk register reviews, policy updates, and internal audit cycles. The specific intervals matter less than committing to them.

Why GRC builds business trust

The organizations that handle security incidents badly are rarely those with the weakest technical controls. They’re often the ones that didn’t know what they were protecting, couldn’t communicate clearly with stakeholders, or had no documented process for responding.

GRC addresses all of that. It forces honest conversations about risk that many organizations avoid until something goes wrong. It creates accountability at the leadership level. And it produces the documentation and evidence that regulators, customers, and partners increasingly expect as a baseline condition of doing business.

No organization eliminates risk entirely.

What GRC provides is something more practical: the ability to understand it, manage it deliberately, and learn from it when things don’t go according to plan.

Security decisions made without a governance and risk foundation tend to be reactive, inconsistent, and hard to justify when things go wrong.

Infinum’s security practice helps organizations build GRC frameworks that work in the real world – connected to business goals, not just compliance checklists. Explore our cybersecurity services to see where we can help.

The post What Is GRC? Governance, Risk, and Compliance Explained appeared first on Infinum.

Pen Testing, Red Teaming, and Why No Scanner Can Replace Either

Sean McCarthy — Wed, 01 Apr 2026 14:02:28 +0000

Pen testing and red teaming are often used interchangeably. Both probe your defences. Both find what’s broken. But they ask fundamentally different questions, and the one you choose shapes how wide you assess your business security.

Penetration testing and red teaming both start from the same premise: hire someone to break in before the bad guys do. But they’re different tools for different problems, and conflating them is one of the more common mistakes organisations make.

Two approaches, similar goal

Penetration testing is focused.

You define the scope – a specific application, a network segment, a set of systems – and testers use the penetration testing methodology step by step in an attempt to find and exploit vulnerabilities within it.

Most engagements use a gray box approach: testers are given enough context to work efficiently. Credentials, access, scope. Enough to find what matters within a fixed timeframe.

Red teaming is the opposite of narrow. It’s intelligence-led and scenario-driven, built to simulate a sophisticated adversary targeting your organisation specifically.

The approach changes depending on who you are – a red team targeting a bank crafts different phishing emails, chooses different attack vectors, and pursues different objectives than one targeting a logistics company.

The whole exercise is shaped by what real threat actors are actually doing to organisations like yours.

Pen testing	Red teaming
Narrow, system-focused scope	Whole-organisation scope
Often gray box by default	Intelligence-led, scenario-based
Time-boxed engagement	Simulates a real, tailored adversary
Finds specific technical vulnerabilities	Tests people, process, technology

Penetration Testing vs Red Teaming: Key Differences

The simplest way to tell them apart: pen testing answers “is this system secure?”, red teaming answers “could a determined attacker get into our organisation?”

Scope is the biggest practical difference. Pen testing is bounded — a specific application, network segment, or set of APIs. The tester works within those limits, finds what’s exploitable, and reports it. Red teaming has no such boundary. The adversary simulation can move across applications, people, and physical premises, using whatever combination of vectors a real attacker would.

The objectives differ, too. Pen testing produces a list of technical vulnerabilities with severity ratings and remediation steps. Red teaming produces something more like a case study: here is how an attacker targeting your organisation could move from initial access to their end goal, and here is what your people, processes, and technology did, or didn’t do to stop them.

Cost and time reflect this. A pen test might run for a week or two. A red team engagement is typically measured in weeks to months, and requires significantly more planning on both sides.

When Do You Need Pen Testing vs Red Teaming?

Pen testing is right for checking specific systems — after a new build, before a release, or as part of a compliance cycle. TIBER-EU and DORA both require it. If you’re running one annually and after major changes, you’re doing the basics right.

Red teaming is for organisations that have already done the basics. You need mature security processes in place first — incident detection, response playbooks, trained staff — otherwise a red team engagement mostly finds that your foundations are weak, which a pen test would have told you for a fraction of the cost. When that foundation is there, red teaming stress-tests the whole picture: not just whether systems are patched, but whether your people, processes, and assumptions hold up under a realistic attack.

The other factor is the threat model. If you handle sensitive data, operate critical infrastructure, or are the kind of target sophisticated threat actors actively pursue, red teaming answers a question pen testing can’t: not “is this system secure?” but “could a determined adversary get into our organisation?”

If you’re not sure which fits, start with a pen test. And if you want to understand what a red team engagement actually involves, explore our red team services.

Technical depth isn’t enough

The best pen testers and red teamers share two things: deep technical expertise and genuine creativity.

The technical side is obvious – you need to understand how systems behave under pressure, and how to adapt when a vector doesn’t work as expected. But creativity is what separates good from exceptional.

Testing isn’t a checklist. When a system reacts unexpectedly, the question isn’t “what does the tool say next?” – it’s “what does this tell me, and where does it lead?” That kind of thinking can’t be scripted. It has to be developed.

You need to think like an attacker – then explain the risk in language a board member can act on.

The second half of that matters as much as the first.

A brilliant technical finding is worthless if it can’t be translated into plain language. The job isn’t just to find vulnerabilities – it’s to help the organisation understand what they mean and what to do about them.

Why no scanner replaces this

Our research into AI-generated code security found that automated tools are good at cataloging CVEs, misconfigured headers, and outdated libraries.

They’re fast, they’re consistent, and they’re useful. But they operate on fixed logic. They flag what they’re programmed to flag, and they stop there.

A skilled tester doesn’t stop there.

They notice how a system reacts, chain together findings that no single tool would connect, and pursue lines of attack that require judgment – not just pattern matching.

Automated scanners also can’t walk through your front door pretending to be IT support, or craft a phishing email convincing enough to fool a trained employee.

Nine times out of ten, real attackers get in through people, not ports. A scanner has nothing to say about that. Manual testing does.

This is why organisations that rely on automated tools as their primary security layer end up with a false sense of coverage. The scanner ran clean – but that’s only true for the things the scanner knows how to look for. The cost of finding out too late is well-documented in our breakdown of the real cost of a cyberattack, which shows what’s actually at stake.

Attackers aren’t limited by that constraint.

A vendor with a quiet network connection into your environment, a help desk employee who clicks the wrong attachment – these don’t show up on a dashboard. They show up when it’s too late.

Want to discover security vulnerabilities before attackers do?

Explore the full list of our cybersecurity services.

So, the question isn’t whether to test.

It’s whether you’re testing the right things, in the right way, with people who can tell the difference. Automated tools have their place – but they’re a floor, not a ceiling.

The post Pen Testing, Red Teaming, and Why No Scanner Can Replace Either appeared first on Infinum.

The Axios npm Attack: What It Means for Every JavaScript Project

Hrvoje Filaković — Wed, 01 Apr 2026 13:00:03 +0000

On March 31, attackers compromised axios — a JavaScript library downloaded roughly 100 million times a week. Here’s what happened, who’s affected, and what to do now.

If you’ve never heard of axios, here’s the short version: it’s the library that most JavaScript applications use to talk to the internet.

Fetching data from an API, submitting a form, making a request to a backend service – axios handles it. It’s in frontend apps, backend services, CI pipelines, and internal tools. Chances are it’s somewhere in your stack right now, possibly several places.

On March 31, 2026, axios—with roughly 100 million weekly downloads—became the vector for one of the most significant npm supply chain attacks in recent memory.

Two malicious versions of axios were published to npm: axios@1.14.1 and axios@0.30.4. Both contained a hidden dependency designed to install a cross-platform remote access trojan on any developer machine that ran npm install. The window was under three hours — but given axios’s scale, that was enough. If your team ships JavaScript and installed either version during that period, treat the affected machine as compromised.

You don’t need to have installed axios directly to be at risk.

Any package in your dependency tree that lists axios with a floating version range (^1.x) and was rebuilt during the exposure window may have pulled in the malicious version automatically. This also includes AI coding assistants and automated tooling — anything that ran npm install on your behalf yesterday should be treated the same as a manual install.

We’ve written before about software supply chain security and the systemic risks that come with modern dependency management. This attack is exactly the scenario we described – not a theoretical edge case, but a live incident affecting one of the most widely used libraries in the JavaScript ecosystem.

Google’s Threat Intelligence Group has attributed the attack to UNC1069, a North Korean group previously active in cryptocurrency theft.

Here’s what happened, how it worked, and what you should check right now.

What happened

The attacker didn’t touch a single line of axios source code.

Instead, they compromised a long-lived npm access token belonging to jasonsaayman, the project’s lead maintainer. With that token, they published two new releases – one for the 1.x branch and one for the legacy 0.x branch – 39 minutes apart, covering both release lines simultaneously.

Both releases modified exactly one file: package.json. The only substantive change was adding plain-crypto-js@4.2.1 as a runtime dependency. That package was pre-staged 18 hours earlier, under a separate attacker-controlled account, with a clean version first to build registry history before the malicious update was pushed.

Why this matters: When you run npm install, you’re not just downloading the package you asked for — you’re downloading everything it depends on, including any setup scripts those dependencies declare. The attacker’s package declared one. Most developers never see this happening. It runs silently, by design. By the time npm install finished, the script had already executed, phoned home, and delivered its payload.

plain-crypto-js contains a full copy of the legitimate crypto-js library – every source file identical, bit-for-bit. The only difference is a postinstall hook: “node setup.js”.

When npm resolves the dependency tree and runs that hook, the dropper fires. It contacts the attacker’s command-and-control server, delivers a platform-specific payload for macOS, Windows, or Linux, then deletes itself and replaces package.json with a clean stub reporting version 4.2.0.

By the time npm install finishes, there’s no error, no warning, no obvious trace. The directory node_modules/plain-crypto-js/ exists, but npm list shows version 4.2.0 – not the malicious 4.2.1 that actually ran. Standard npm audit finds nothing.

Why this specific attack is worth studying

Most supply chain incidents involve obvious red flags – a zero-history package, a suspicious name, a sudden maintainer change.

This one was deliberately engineered to avoid all of them.

Put plainly: most security tools work by recognising known bad things – a flagged domain, a suspicious file, a package with no history. This attack had none of those signals. It arrived under a trusted name, from a legitimate account, with clean source code and a registry history. The tools that were supposed to catch it passed it through.

HRVOJE FILAKOVIC, CYBERSECURITY ENGINEER

That’s what makes it worth paying attention to, even if axios isn’t in your stack – the technique will be reused.

The attacker published a clean decoy package 18 hours before activating the payload – long enough to avoid “brand new account” alerts from registry scanners. The malicious axios releases were signed by the legitimate maintainer’s account. No corresponding commit or tag appeared on GitHub (that gap is the forensic signal, in hindsight), but most CI systems don’t verify OIDC provenance on pull.

The plain-crypto-js package was designed to survive a human code review. The library files were identical to the legitimate crypto-js. A developer diffing the package against its stated source would find nothing. The malicious payload lived in package.json and setup.js – a postinstall script that looks, at a glance, like a standard build step.

This is the attack pattern that NIS2 and CRA regulations are increasingly focused on: not a breach of your perimeter, but a compromise of the supply chain your code depends on.

Your code didn’t have a vulnerability. Your tooling did.

The OIDC misconfiguration that made it possible

Axios had OIDC Trusted Publishing configured for its release workflow.

In theory, this should have made a token-based publish impossible – OIDC ties releases to specific GitHub Actions runs, and the ephemeral token can’t be stolen.

In practice, the GitHub Actions workflow passed both the OIDC credentials and a classic NPM_TOKEN environment variable. When both are present, npm defaults to the token. The long-lived token – which can be exfiltrated – was effectively the only authentication method that mattered.

This is a common misconfiguration. Many projects enable OIDC Trusted Publishing and consider the job done, without removing or rotating the classic token that overrides it.

Check if you’re affected – right now

Step 1 – Check your lockfile for the malicious versions

grep -E '"axios"' package-lock.json | grep -E "1\.14\.1|0\.30\.4"
npm list axios 2>/dev/null | grep -E "1\.14\.1|0\.30\.4"

Step 2 – Check for the malicious dependency in node_modules

The presence of this directory – regardless of what version package.json now reports – means the dropper executed.

ls node_modules/plain-crypto-js 2>/dev/null && echo "DROPPER RAN"

Step 3 – Check for persistent artifacts

# macOS
ls -la /Library/Caches/com.apple.act.mond 2>/dev/null && echo "COMPROMISED"


# Linux
ls -la /tmp/ld.py 2>/dev/null && echo "COMPROMISED"


# Windows (cmd.exe)
dir "%PROGRAMDATA%\wt.exe" 2>nul && echo COMPROMISED

If you find any of these

The response depends on where the install ran.

For ephemeral CI runners (e.g. GitHub-hosted), the runner is destroyed after each job — rotate any secrets that were injected during the affected run and move on.

For developer machines and self-hosted runners, treat the system as fully compromised: isolate it from the network immediately and re-image it or restore from a verified clean backup taken before March 30.

Do not attempt to clean in place — the RAT deploys persistence mechanisms that survive a reboot, so credential rotation on a live system is not sufficient.

Once you have a clean machine, rotate everything that was accessible from it: npm tokens, SSH keys, cloud credentials (AWS, GCP, Azure), CI/CD secrets, and any values in .env files present at install time.

To downgrade cleanly

npm install axios@1.14.0  # for 1.x users
npm install axios@0.30.3  # for 0.x users

What to change in your CI/CD configuration

Beyond the immediate incident, this attack exposes a few controls worth auditing across your pipelines.

Remove or rotate long-lived npm tokens. If your publish workflow uses a classic NPM_TOKEN alongside OIDC, the token wins. Either remove it from the workflow entirely, or rotate it and restrict it to the minimum necessary scope.
Add –ignore-scripts to CI installs. This prevents postinstall hooks from running during automated builds:

npm ci --ignore-scripts

Pin versions explicitly. Avoid floating ranges like ^1.14.0. Both malicious releases were tagged latest, so any unpinned install resolved to them.
Add provenance verification to your review process. For major releases of critical packages, check npm registry metadata for OIDC provenance. Legitimate axios 1.x releases show GitHub Actions as the publisher with a trustedPublisher field. The malicious release showed the maintainer’s username directly – no OIDC binding, no corresponding GitHub tag.
Block the C2 domain at the network level. If you have a firewall or DNS filtering in place, block the C2 domain sfrclak[.]com and IP address 142[.]11[.]206[.]73 on port 8000. Flag this to your network or DevOps team rather than handling it at the host level — a firewall rule covers all machines rather than requiring per-device changes.

The broader pattern

This isn’t an isolated incident.

The axios attack follows the same playbook as the CrowdStrike npm compromise, the IoliteLabs VSCode extension backdoor, and the fake ClawdBot VS Code extension we documented earlier this year — all incidents where a trusted-looking package or installer was used to deliver a credential stealer to unsuspecting developers.

The package manager ecosystem runs on implicit trust: if a package is in npm under a recognizable name and a legitimate maintainer’s account, most tooling and most developers treat it as safe.

That model is under sustained attack.

The attacker here invested 18 hours of prep time, built platform-specific payloads for three operating systems, and designed the dropper to self-destruct. This is not someone experimenting – it’s operational tradecraft applied to the JavaScript supply chain.

As we covered in our supply chain security framework, the highest-risk entry points are often not your own code but the tools and processes you depend on to build and deploy it.

The question isn’t whether your perimeter is secure, it’s whether your CI pipeline would have caught this before it ran.

For teams with third-party risk exposure

If you’re managing a product that runs JavaScript in CI and you have compliance obligations – PCI DSS, NIS2, ISO 27001 – this incident is worth documenting even if you weren’t affected.

Our third-party cyber risk management work often starts with incidents like this one: not after a breach, but as a trigger to audit what dependency hygiene actually looks like in practice across an engineering org.

The controls that would have caught this – OIDC provenance checks, version pinning, –ignore-scripts in CI, outbound network monitoring – aren’t difficult to implement. They just tend not to exist until something goes wrong.

If you want to review your current posture, get in touch.

Indicators of compromise

Malicious packages
Malicious package	axios@1.14.1 (shasum: 2553649f)
Malicious package	axios@0.30.4 (shasum: d6f3f62f)
Malicious dependency	plain-crypto-js@4.2.1
Attacker npm account	jasonsaayman (email changed to ifstap[at]proton[.]me)
Staging npm account	nrwise (email: nrwise[at]proton[.]me)
Network indicators
C2 domain	sfrclak[.]com
C2 IP	142[.]11[.]206[.]73
C2 URL	hxxp://sfrclak[.]com:8000/6202033
C2 port	8000
macOS POST body	packages.npm[.]org/product0
Windows POST body	packages.npm[.]org/product1
Linux POST body	packages.npm[.]org/product2
Filesystem artifacts
macOS artifact	/Library/Caches/com.apple.act.mond
Windows (persistent)	%PROGRAMDATA%\wt.exe
Windows temp (self-deletes)	%TEMP%\6202033.vbs \| %TEMP%\6202033.ps1
Linux artifact	/tmp/ld.py
Advisory references
GitHub advisory	GHSA-fw8c-xr5c-95f9
Malware advisory	MAL-2026-2306
Malware family (GTIG)	WAVESHAPER.V2
Safe versions
Safe 1.x version	axios@1.14.0 (shasum: 7c29f4cf)
Safe 0.x version	axios@0.30.3

Infinum’s cybersecurity team provides penetration testing, third-party risk management, and secure development advisory for enterprise and regulated-industry clients. Learn more at infinum.com/cybersecurity.

The post The Axios npm Attack: What It Means for Every JavaScript Project appeared first on Infinum.

Understanding & Defeating Android Protections

Hrvoje Filaković — Thu, 19 Mar 2026 11:13:28 +0000

Many modern Android applications are highly advanced and operate in sensitive domains like banking, money transfers, and other critical services people rely on daily. A rooted environment gives attackers elevated access to the device, which they can abuse in order to bypass the app’s restrictions, extract sensitive data, and interfere with the app’s behavior.

To counter these threats, many apps implement protections against common tools and techniques used in reverse engineering. These include anti-root, anti-hook, and anti-debug mechanisms, which are designed to make an attacker’s job significantly more difficult—often requiring considerable effort and creativity to bypass.

Anti-Root – Detects whether the device has been rooted.
Anti-Hook – Detects function hooking attempts using tools like Frida.
Anti-Debug – Detects whether the application is being debugged.

A practical look at protection mechanisms

This article provides other security researchers with a practical look at how some of these protection mechanisms are implemented and how they can be bypassed during penetration testing or security research.

Additionally, by understanding how these protections work, developers can build stronger, more resilient security mechanisms into their apps and even extend these ideas to develop more advanced and effective techniques.

Furthermore, during this research, an application called TamperLab was created. It includes various protection mechanisms to detect whether a device is rooted, whether any hooking is in place, or whether the application is being debugged. The project is fully open-source, and contributions are welcome.

It can be found on the following GitHub page for you to check out:

https://github.com/infinum/cs-tamperlab

Anti-Root Protections

In this section, we will look at some commonly used root detection techniques and their implementations, and immediately follow each one with an example of how it can be bypassed during testing or reverse engineering.

The “One Function” Folly

The most common way of implementing protection measures such as anti-root, anti-hook, and anti-debug is by placing all checks inside a single function. This is a common mistake, as it gives attackers the opportunity to bypass all protections within seconds.For example, in the following scenario, the RootBeer library is used to quickly demonstrate why placing all checks in a single function can be problematic. As shown in the code snippet below, the isRooted() function is called.

boolean isRooted = rootBeer.isRooted();
showRootStatusDialog(isRooted);

Such a function includes various methods to detect if the device is rooted.

public boolean isRooted() {
        return detectRootManagementApps() || 
        detectPotentiallyDangerousApps()  || 
        checkForBinary(BINARY_SU)         ||
        checkForDangerousProps()          ||
        checkForRWPaths()
        [...SNIP...]
}

Although the function includes many ways to detect if the device is rooted, it is not sufficient because the isRooted() function itself can be hooked, allowing an attacker to bypass all detections with a single hook.

Using the following simple Frida script, we can do exactly that. We obtain a reference to the RootBeer class and hook the isRooted() function, immediately returning false.

Java.perform(() => {
    const rootbeer = Java.use("com.scottyab.rootbeer.RootBeer");

    rootbeer.isRooted.implementation = function() {
        console.log("[+] isRooted() hooked -> returning false");
        return false;
    }
});

Using the following command, the targeted application can be started with the hook applied.

frida -U -l evade_root.js -f com.hacking.tamperlab

As shown in the following image, the previously created script successfully bypasses all the checks because they are contained within a single function.

Testing this inside TamperLab shows that we successfully bypass the protection measure, and a green checkmark is displayed.

SU Binary Check (Shell)

All rooted Android devices contain the su binary, and any application requiring root access must use su to elevate privileges and perform privileged actions on the device.

When present on a device, applications can detect the existence of the binary and conclude that the device is rooted. A quick way to check for it is by programmatically executing the which su system command.In my application, I created a simple HelperClass that contains various functionalities and detection methods. One of its purposes is to execute system commands.

String output = HelperClass.executeCommand("which su");

The executeCommand() function essentially passes the given command as an argument to the exec() function, which executes it on the device.

Process process = Runtime.getRuntime().exec(command);
BufferedReader reader = new BufferedReader(new InputStreamReader(process.getInputStream()));
String output = reader.readLine();
reader.close();
return output;

If the su binary exists, the command will return its full system path, otherwise, an error code will be returned.

Using Frida, we can bypass this technique by hooking the exec() function itself. If we detect a command such as which su, we can replace it at runtime with another non-existent command.

Java.perform(() => {
    const Runtime = Java.use("java.lang.Runtime");

    Runtime.exec.overload("java.lang.String").implementation = function(command) {
        if (command.trim() === "which su") {
            console.log("\n[i] called exec(" + command +")");
            console.log("\t[+] returning a fake binary.");
            command = "which DoesNotExist";
            return this.exec(command);
        }
        return this.exec(command);
    }
});

As demonstrated, by using this technique, we can target specific exec() parameters after reverse engineering the application and bypass the detection mechanisms in place.

SU Binary Check (Native C/C++)

Another way developers may check for the su binary or for rooted devices in general is by writing native C/C++ code using JNI. In case you are unfamiliar, JNI (Java Native Interface) is a framework that allows Java code running on the Android platform to interact with native applications and libraries written in C or C++.

For example, we can check for the su binary by iterating through common system paths where it might exist, and then using the std::ifstream function to check if the file can be opened.

extern "C" JNIEXPORT jboolean JNICALL
Java_com_hacking_tamperlab_NativeChecks_CheckSuBinaryNative(JNIEnv *env, jclass clazz) {
    const char* paths[] = {
            "/data/local/",
            "/data/local/bin/",
            "/data/local/xbin/",
            "/sbin/",
            "/su/bin/",
            "/system/bin/",
            "/system/bin/.ext/",
            "/system/bin/failsafe/",
            "/system/sd/xbin/",
            "/system/usr/we-need-root/",
            "/system/xbin/",
            "/cache/",
            "/data/",
            "/dev/"
    };

    // Scan directories for "su" binary, if found return true.
    for (const char* path: paths) {
        std::string fullPath = std::string(path) + "su";
        std::ifstream file(fullPath);
        if (file.good()) {
            file.close();
            return JNI_TRUE;
        }
    }
    return JNI_FALSE;
}

A small Java class is then created to serve as a bridge between the Java code and the native C/C++ code in the application. It uses JNI (Java Native Interface) to perform the native task.

public class NativeChecks {
    static {
        System.loadLibrary("tamper-lib");
    }
    public static native boolean CheckSuBinaryNative();
}

Under normal circumstances, you wouldn’t have access to the source code. However, a common way to reverse engineer the application is by decompiling it using JADX, which can be done with the following command.

$ jadx -d $(pwd)/TamperLab_Decompiled $(pwd)/TamperLab.apk

Once decompiled, your application may contain various libraries. You can easily filter through them by searching for files with the .so extension, which indicates native libraries.

$ find TamperLab_Decompiled -type f -name "*.so"                        
TamperLab_Decompiled/resources/lib/arm64-v8a/libtamper-lib.so
TamperLab_Decompiled/resources/lib/arm64-v8a/libtoolChecker.so

To reverse engineer the library, tools such as Ghidra or IDA Pro can be used. In this case, Ghidra was used.

The decompiled code shows that ifstream is first used (1) to check whether the file exists. Based on this check, the function returns \x01 (JNI_TRUE) (2) if the su binary is found, otherwise, it returns \x00 (JNI_FALSE) (3).

Since this is a JNI function and is exposed using extern “C”, it appears in the symbol table with the exact name observed in Ghidra.

Java_com_hacking_tamperlab_NativeChecks_CheckSuBinaryNative

Bypassing such checks is relatively straightforward. To hook a native function using Frida, we use Interceptor.attach() and specify the target function using Module.findExportByName().

Interceptor.attach(Module.findExportByName("libtamper-lib.so", "Java_com_hacking_tamperlab_NativeChecks_CheckSuBinaryNative"), {
    onEnter: function (args) {
        console.log("\n[i] CheckSuBinaryNative() called");
    },
    onLeave: function (retval) {
        console.log("\t[+] Overriding return with JNI_FALSE");
        retval.replace(0);
    }
});

Since we are intercepting a function from the native library, we need to attach to the process while it is already running by using the -n parameter with the following command.

frida -U -l evade_root.js -n tamperlab

As shown in the script’s output, we successfully bypass the check even though it resides within JNI code.

Another clever approach is to hook the open() function instead of the entire native function implemented in the application.

Since std::ifstream() ultimately invokes the open() system call, we can hook open() to intercept any attempt to access a binary whose path contains “su”. We can then substitute that path with a fake one to bypass the check.

Interceptor.attach(Module.getExportByName(null, "open"), {
    onEnter: function (args) {
        const path = args[0].readUtf8String();

        if (path.includes("su")) {
            console.log("[i] called open(" + "'" + path + "'" + ");");
            console.log("\t[i] App searching for the 'su' binary");
            console.log("\t[+] Overriding with random path value.");
            const newPath = Memory.allocUtf8String("/dev/null");
            args[0] = newPath;
        }
    }
});

As shown in the image, this technique effectively bypasses native checks early by using the -f flag to hook before execution, unlike the -n flag, which attaches the hook while the process is already running.

Spoofing /proc/mounts

Nowadays, many Android devices are commonly rooted using Magisk, which comes with a variety of built-in features.

The /proc/mounts file contains a list of all currently mounted filesystems on the device. Additionally, when a device is rooted using Magisk, it modifies the boot image and mounts partitions dynamically by default, so you may find traces of Magisk there as well.

An implementation to detect this might look like the following, where an application reads the contents of /proc/mounts in search of Magisk.

public static boolean isMagiskInMounts() {
  try {
    BufferedReader reader = new BufferedReader(new FileReader("/proc/mounts"));

    String line;
    while ((line = reader.readLine()) != null) {
      if (line.contains("magisk")        ||
          line.contains("/sbin/.magisk") ||
          line.contains("/dev/") && line.contains("magisk")) {
        return true;
      }
    }
    reader.close();
  } catch (IOException e) {
    e.printStackTrace();
  }
  return false;
}

To bypass this, we can create a script like the following, where we define a list of mounts that don’t contain Magisk traces or any other suspicious entries, for that matter.

The first interceptor hooks the open() system call to capture the file descriptor used when accessing /proc/mounts.

The second interceptor hooks read(), checks if the file descriptor corresponds to /proc/mounts, ensures the content hasn’t already been spoofed (to prevent repeated modifications and potential crashes), and finally replaces the buffer with our fake mount data defined at the top.

const fake_mounts = `
/dev/block/dm-8 / ext4 ro,seclabel,relatime 0 0
tmpfs /dev tmpfs rw,seclabel,nosuid,relatime,size=3896612k,nr_inodes=974153,mode=755 0 0
devpts /dev/pts devpts rw,seclabel,relatime,mode=600,ptmxmode=000 0 0
proc /proc proc rw,relatime,gid=3009,hidepid=2 0 0
sysfs /sys sysfs rw,seclabel,relatime 0 0
selinuxfs /sys/fs/selinux selinuxfs rw,relatime 0 0
tmpfs /mnt tmpfs rw,seclabel,nosuid,nodev,noexec,relatime,size=3896612k,nr_inodes=974153,mode=755,gid=1000 0 0
tmpfs /mnt/installer tmpfs rw,seclabel,nosuid,nodev,noexec,relatime,size=3896612k,nr_inodes=974153,mode=755,gid=1000 0 0
`;

const fakeMountBuffer = Memory.allocUtf8String(fake_mounts);
let fakeMountFds = new Set();
let hasSpoofed = false;

Interceptor.attach(Module.getExportByName(null, 'open'), {
    onEnter: function(args) {
        this.path = Memory.readUtf8String(args[0]);
    },
    onLeave: function(retval) {
        if (this.path === "/proc/mounts" && retval.toInt32() > 0) {
            console.log("[i] /proc/mounts opened -> file descriptor:", retval.toInt32());
            fakeMountFds.add(retval.toInt32());
        }
    }
});

Interceptor.attach(Module.getExportByName(null, 'read'), {
    onEnter: function(args) {
        this.fd = args[0].toInt32();
        this.buf = args[1];
        this.count = args[2].toInt32();
    },
    onLeave: function(retval) {
        if (fakeMountFds.has(this.fd)) {
            if (!hasSpoofed) {
                const length = fake_mounts.length;
                if (length <= this.count) {
                    hasSpoofed = true;
                    console.log("\t[+] Spoofing read() from /proc/mounts with fake one.");
                    Memory.copy(this.buf, fakeMountBuffer, length);
                    retval.replace(length);
                } else {
                    console.log("\t[-] Buffer too small to spoof.");
                }
            } else {
                console.log("\t[+] /proc/mounts already spoofed, continuing...");
                retval.replace(0);
            }
        }
    }
});

By running the hook, we successfully spoof the contents of /proc/mounts with our fake data, effectively bypassing the detection check.

It’s important to note that these techniques can be implemented and bypassed in various ways. Consequently, multiple solutions and countermeasures exist to address them.

Anti-Hooking Protections

Hooking is a powerful technique used during mobile penetration tests because it allows intercepting, modifying, and monitoring an application’s behavior at runtime. It provides direct access to function calls, arguments, return values, and the internal logic of methods.

To perform such attacks, Frida is a widely used tool that enables pentesters and attackers to bypass security controls or extract potentially sensitive data.

Frida Port Detection

A common way to detect Frida is by checking for open frida-server ports, since Frida communicates using WebSockets. Simple checks often look for ports like 27042 or 27043, which are the default ports used by Frida.

Such checks can be easily bypassed by simply starting the Frida server on a different port using the following command.

./frida-server-16.5.9-android-arm64 -l 0.0.0.0:1337 &

A more advanced detection method involves scanning all ports by sending specific HTTP requests and checking for a 101 Switching Protocols response, which indicates the presence of a Frida server.An example of such native code would involve sending a WebSocket upgrade request to every open port on the device. If the response contains 101 Switching Protocols, it confirms that a Frida server has been successfully detected.

[...SNIP...]
for (int i = 1; i < 65535; i++) {
        [...SNIP...]
        if (connect(sock, (const struct sockaddr*)&addr, sizeof(addr)) == 0) {
        snprintf(req, sizeof(req),
                 "GET /ws HTTP/1.1\r\n"
                 "Host: %s:%d\r\n"
                 "Upgrade: websocket\r\n"
                 "Connection: Upgrade\r\n"
                 "Sec-WebSocket-Key: CpxD2C5REVLHvsUC9YAoqg==\r\n"
                 "Sec-WebSocket-Version: 13\r\n"
                 "User-Agent: Frida\r\n\r\n",
                 inet_ntoa(addr.sin_addr), ntohs(addr.sin_port));

        write(sock, req, strlen(req));

        ssize_t bytes_read = read(sock, res, sizeof(res) - 1);
        if (bytes_read > 0) {
                res[bytes_read] = '\0';

            if (strstr(res, "101 Switching Protocols")) {
                    close(sock);
                return JNI_TRUE;
            }
[...SNIP...]

This check can be bypassed by hooking the read() calls and inspecting the buffer content after the call completes. If the buffer contains 101 Switching Protocols, indicating a Frida server query, we can modify the response to something benign such as HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n to evade detection.

Interceptor.attach(Module.findExportByName(null, "read"), {
    onEnter: function(args) {
        this.buffer = args[1];
        this.size = args[2].toInt32();
        this.curr_retval = 0;
    },
    onLeave: function(retval) {
        this.curr_retval = retval.toInt32();

        if (this.curr_retval > 0) {
            var response = this.buffer.readCString();
            if (response.includes("101 Switching Protocols")) {
                console.log("\n[i] Application detected Frida server via WebSocket");
                console.log("\t[+] Modifying the WebSocket response");
                
                var modifiedResponse = "HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n";
                this.buffer.writeUtf8String(modifiedResponse);
                retval.replace(modifiedResponse.length);
            }
        }
    }
});

As demonstrated, once the hook is executed, the check is successfully bypassed.

Frida Threads Detection

In Linux-based environments (including Android), each process has a task directory located at /proc/self/task, containing a subdirectory for each thread within the process. Each of these subdirectories includes a comm file that holds the name of the corresponding thread.

When Frida is injected into a process, it typically creates several threads for its internal operations. These threads often have distinctive names such as frida, gum-js-loop, gmain, gdbus or some other which can be used to detect Frida’s presence.

To better understand this, we can run the following command on the device to retrieve the names of all threads for a specified process.

PPID=$(pidof com.hacking.tamperlab); for i in /proc/$PPID/task/*; do cat "$i/comm" 2>/dev/null; done

As shown in the following snippet, this is the output of the thread list when no Frida hooks are active.

[...SNIP...]
cking.tamperlab
Signal Catcher
perfetto_hprof_
ADB-JDWP Connec
Jit thread pool
mali-utility-wo
mali-cmar-backe
ged-swd
[...SNIP...]

When a Frida hook is applied to the process, threads named gmain and gdbus appear both associated with Frida’s runtime. This allows us to detect Frida based on the presence of these thread names.

[...SNIP...]
cking.tamperlab
perfetto_hprof_
ADB-JDWP Connec
Jit thread pool
mali-cmar-backe
RenderThread
cking.tamperlab
gmain
gdbus
[...SNIP...]

To detect this, we can use C++ code like the following, which loops through each comm file in the /proc/self/task directory to retrieve thread names and checks them against a list of common thread names used by Frida.

[...SNIP...]
        DIR *dir = opendir("/proc/self/task");
    [...SNIP...]
    struct dirent *entry;
    char path[PATH_MAX];
    char comm[256];

    while ((entry = readdir(dir)) != NULL) {
        [...SNIP...]
        snprintf(path, sizeof(path), "/proc/self/task/%s/comm", entry->d_name);
        [...SNIP...]
        if (fgets(comm, sizeof(comm), fp) != NULL) {
            comm[strcspn(comm, "\n")] = 0;
            
            if (strstr(comm, "frida") ||
                strstr(comm, "gum")   ||
                strstr(comm, "gmain")) {
                fclose(fp);
                closedir(dir);
                return JNI_TRUE;
            }
        }
        fclose(fp);
    }
    closedir(dir);
    return JNI_FALSE;
[...SNIP...]

One intriguing approach to evade detection is to patch the entire frida-server binary by replacing all occurrences of strings like gmain. By searching for gmain in Ghidra, we can observe the following results.

By selecting one of the instances, we can examine the disassembled code to pinpoint its exact location.

We can now use Ghidra’s built-in hex editor to modify these strings, replacing gmain with another string, such as hackr.

After injecting the Frida hook, we can see that we have successfully bypassed the detection, as it no longer identifies Frida’s threads.

If we loop through the thread names again for the application we are attacking, we can see that it now successfully contains the hackr thread name.

[...SNIP...]
cking.tamperlab
ReferenceQueueD
FinalizerDaemon
FinalizerWatchd
binder:7261_1
binder:7261_2
hackr
gdbus
[...SNIP...]

Of course, there are other detectable strings, but this simple example demonstrates one way to bypass detection by directly patching the frida-server binary yourself. This way you could build an entirely different frida-server to avoid detections or modify the original source code as well.

Anti-Debug Protections

Anti-debug protections are another way to protect your Android application from reverse engineering. These mechanisms aim to detect or prevent debugging attempts, stopping attackers from stepping through the app’s code instruction by instruction to understand its internal logic.

Like most security measures, anti-debug mechanisms can also be bypassed using Frida hooks. However, I want to show you how you can defeat these protections using a debugger itself.

Defeating Anti-Debug using Debugger

isDebuggerConnected()

This is a simple, ready-made function that checks if a debugger is connected to the application. It returns true if a debugger is detected, otherwise, it returns false.

Implementing such a function is straightforward, and you can call it as follows:

Debug.isDebuggerConnected()

To use the debugger and bypass this check, we can utilize JADX’s integrated debugger. Before launching it, ensure the application is already running.

Another way to start an application is by using the following ADB command, which will launch the app but pause and wait for the debugger to attach.

adb shell am set-debug-app -w com.hacking.tamperlab

As shown, when you launch the application, it will display a message indicating that it is waiting for a debugger.

In my case, it doesn’t work, but I can open the application without it waiting for the debugger. However, your application might require this behavior, so it’s important to test both methods.

Additionally, whenever you’re done or close the application, make sure to run the following command to remove the app from waiting for a debugger.

adb shell am clear-debug-app

Once ready, you can open JADX and load the APK file of the target application. You can also pull the APK from your device using ADB.

Once loaded into JADX, select the green bug icon, which opens a dialog prompting you to choose the application to debug along with its process ID.

After the debugger attaches, the application’s execution is automatically paused inside the MainActivity. You can then press the green play button to continue running the application.

Once you find the correct position to set a breakpoint, you can do so by pressing the F2 key. For this example, I set the breakpoint exactly where the isDebuggerConnected() function is called.

The following instruction essentially calls the isDebuggerConnected() function using the invoke-static opcode.

invoke-static {}, Landroid/os/Debug;->isDebuggerConnected()Z # method@0008

Then, the move-result instruction moves the return value of the function (either true or false) into the v0 register.

move-result v0

By stepping over these two instructions, we can observe that the v0 register contains the value 1, indicating that a debugger has been detected.

To bypass this check, we can simply set the value to 0 using the debugger, as shown below:

Continuing the application’s execution, we successfully bypass the check by manipulating the variables during debugging.

Detection via USB & ADB

Another interesting way to detect debugging is by checking if the device is connected via USB with ADB enabled. While this isn’t a direct debugger detection method, it remains a useful check nonetheless.

A simple implementation might look like the following, where the app dynamically listens for the USB_STATE broadcast and parses the connected and adb boolean extras from the received intent.

[...SNIP...]
IntentFilter filter = new IntentFilter("android.hardware.usb.action.USB_STATE");

        BroadcastReceiver usbReceiver = new BroadcastReceiver() {
            @Override
            public void onReceive(Context ctx, Intent intent) {
                boolean connected = intent.getBooleanExtra("connected", false);
                boolean adbEnabled = intent.getBooleanExtra("adb", false);

                callback.accept(connected && adbEnabled);
                ctx.unregisterReceiver(this);
            }
        };

        context.registerReceiver(usbReceiver, filter);

        Intent sticky = context.registerReceiver(null, filter);
        if (sticky != null) {
            usbReceiver.onReceive(context, sticky);
        }
[...SNIP...]

We can also bypass this check by using the debugger to place breakpoints at the appropriate locations.

In this case, I set a breakpoint on the if-eqz instructions, which checks whether the values in registers v0 and v2 are equal to zero. These registers correspond to the connected and adbEnabled flags.

When the breakpoint is hit, we observe that both values are set to 1 (true), indicating that USB is connected and ADB is enabled.

We can now simply set these two values to 0 (false), causing the check to fail and allowing the app to continue execution.

Conclusion

We have explored several common anti-root, anti-hook, and anti-debug techniques and demonstrated how each can ultimately be bypassed. However, it is important to recognize that these protections still play a critical role in Android security.

No protection is entirely foolproof. Given enough time and the right tools, a determined attacker can often find a way around most defenses. However, the goal of these mechanisms isn’t to create an unbreakable application, but rather to increase the complexity of attacks. This raises the time, effort, and skill required for an attacker to compromise the application, which can deter casual attackers and slow down more advanced ones.

In short, while these security checks can be bypassed, they remain a valuable part of a defense-in-depth strategy. Labs like TamperLab that we have created, provide a practical environment where you can practice implementing these detection mechanisms and learn how to bypass them. It’s about making it hard enough that breaking the security is no longer worth the effort.

At Infinum, we help you stay ahead with tailored cybersecurity services, including penetration testing and security assessments. Whether launching new products or protecting existing ones, we identify weaknesses before attackers do so you can focus on what matters. Learn more about how we keep your digital world secure on our cybersecurity page.

The post Understanding & Defeating Android Protections appeared first on Infinum.

Is AI-Generated Code Secure? What Business Leaders Need to Know About AI and Application Security

Hrvoje Filaković — Fri, 06 Mar 2026 13:47:45 +0000

AI is changing how software gets built: faster timelines, leaner teams, fewer blockers. But does all that speed come at a cost? We put AI to the test in a real-world security experiment, and what we learned should matter to anyone leading modern product, platform, or tech teams.

According to Collins Dictionary, vibe coding is officially the word of the year – and if you’ve spent literally any time around engineering teams lately, that probably doesn’t surprise you.

Obviously, it’s catching on fast.

Microsoft recently shared that around 30% of the code in some of its repositories is now AI-generated. This shift is one of the defining cybersecurity risks of 2026 — our cybersecurity trends overview covers the trade-off between vibe coding and security in depth.

At Infinum, we see this trend up close, both in internal experimentation and in conversations with clients who are increasingly curious about AI-assisted development.

The appeal is clear: development is faster, prototypes turn into products at record speed, and teams feel confident shipping.

But is that confidence earned? We decided to find out.

Security doesn’t work on vibes

A growing belief is quietly taking hold in many teams:

“If I tell the AI to make it secure, it probably will.”

That assumption is understandable because AI is very good at reproducing patterns that look correct. When prompted, it can generate code that resembles common security practices and includes familiar terminology, giving the impression that risk has been addressed. But is it, really?

Instead of debating, our cybersecurity engineer designed a simple, hands-on experiment.

He asked AI to build apps with varying levels of security guidance, from none to OWASP-level detail, and then he tried to break them.

We didn’t want to test whether AI could write code. We know it can.

Likewise, the goal wasn’t to assess if AI builds insecure apps by default. We wanted to test whether adding “make it secure” to your prompt is enough to stop vulnerabilities – and how that changes as you get more specific.

Let’s see the results.

The apps we built (and broke)

We asked AI to build three medium-complexity web applications, realistic enough to offer an attack surface, but not so complex that AI failed to build them. One app was generated with no security input at all, one with light guidance, and one with detailed, best-practice-driven instructions.

App	Security guidance	Security quality	Outcome
Simple Project Tracker – task and project manager for small teams	None	Poor	Multiple critical issues in input validation, design, and session handling, easily leading to worst-case exploitation scenarios. Users could make themselves admins.
Project Resource Hub – internal portal for sharing documents and guides	Light	Mixed	Critical issues reduced, but several vulnerabilities remain that could still expose sensitive information, such as SSRF and malicious file uploads.
Niche Vault – hobbyist catalog site for personal collections	Detailed & OWASP-based	Better, but insufficient	Significantly fewer vulnerabilities; none severe, but still issues that could pose risks over time. Missed CSV injection, rate-limiting, and open redirects.

Turns out, not even specific prompts are enough to build applications that can survive real-world attacks.

Want to learn all technical details of the experiments, including exact prompts, a detailed overview of found issues, and our engineer’s conclusion?

Explore the complete overview of this experiment.

What actually went wrong

Even with better prompts, the same kinds of security gaps kept popping up.

AI didn’t forget libraries or miss syntax. It just couldn’t reason about how things might go wrong, and that’s where real-life threats were.

While we are aware that this is an experiment of a limited scope, it is still important to note recurring issues we recognized:

Trust in user input

AI simply trusted what users said about themselves. In multiple apps, user roles (such as admin) were accepted directly from client input, with no validation or enforcement. If someone claimed to be an admin, the system said: “Sure, sounds legit.” Just like that, admin access was self-serve.

Broken or missing access control

Even when roles were assigned correctly, features didn’t enforce them properly. There were no ownership checks, no context validation, no guardrails. Anyone logged in could view, modify, or delete other users’ data.

Feature-level defenses, system-level blind spots

AI knew to sanitize an input field, but it didn’t think about how that input might travel through the system. Security was applied in pieces, not as a pattern, which means defenses weren’t absent; they were just easy to step around. This fragmentation is also why software supply chain security requires a systemic approach — the weakest link is rarely where you’re looking.

Reactive security instead of proactive thinking

The apps didn’t lack rate limiting, but rate limiting was only added to endpoints the prompt specifically called “sensitive.” In other words, if you want a feature to be secure, you have to explicitly tell the AI – every time.

No imagination for abuse cases

And this might be the most important insight of all: the AI assumed good-faith users. It never asked the question that is the foundation of real-world security: What if someone does the wrong thing on purpose?

In conclusion, the issues discovered weren’t bugs in the traditional sense. They were assumptions – that roles are respected, that the app can trust user input, that attackers won’t be creative.

Most of the problems were not broken locks, but doors that simply weren’t locked because AI assumed nobody would try them.

HRVOJE FILAKOVIĆ,
CYBERSECURITY ENGINEER

But attackers are creative, and they have all the time in the world to look for what you missed.

Why this matters beyond the code

Security is not just a dev problem. It’s a systems-thinking problem, and it affects every role involved in shipping software.

For CTOs & Heads of Engineering

AI speeds things up, no question, but it can’t replace architectural thinking.

The biggest failures in these apps weren’t in the code; they were bad assumptions about how trust, roles, and permissions work. Even when AI adds security controls, it struggles to secure the system as a whole.

We’ve all recently witnessed this: in our deep dive into OpenClaw (ex Moltbot), we explored what happens when AI sidekicks are given broad access with no guardrails. The takeaway? When AI has too much control, your data is very likely at risk.

Again, that’s an architectural one. And it’s still up to humans to get it right.

For Founders & Execs

All three apps worked. Some even looked secure. But they could still be exploited in serious ways, often through features that seemed harmless.

Remember this: AI gives a false sense of security. Without hands-on testing, issues like these show up only after damage is done. If you’re building with AI and need it to be secure from the start, our custom AI development services combine speed with security by design.

For Security Leaders

The vulnerabilities we found didn’t have CVE numbers. They weren’t from outdated libraries or missing headers. They were logic and abuse-case failures – the exact kind of problems automated scanners don’t catch. Addressing these systematically through structured security governance, risk assessment, and compliance frameworks is exactly what governance, risk, and compliance services are designed to support.

Manual penetration testing still matters because it mirrors how attackers behave, not just what vulnerabilities exist – and AI-assisted code makes this more important, not less.

For Developers

AI can implement what you tell it, but it’s not a security expert. It won’t catch logic flaws, system-wide assumptions, or the creative misuse attackers are known for. For a practical look at how to work with AI coding assistants without sacrificing code quality, see our roundup of AI tools for development teams.

Writing secure apps still requires developer intuition, threat awareness, and curiosity about how features might be abused.

The key takeaway: “Please make it secure” is not a security strategy. AI can help you build faster only if you know exactly what to ask for, and even then, it often misses the bigger picture.

So, yes. AI-generated code can be secure, but it takes judgement, experience, and most importantly, testing.

What should you do now

Use AI. Embrace the speed. Build more, experiment faster, prototype wildly.

But don’t confuse working code with secure code.

Bring in experienced engineers. Secure software doesn’t just happen, it’s built intentionally. SSDLC practices are more essential than ever when code is being generated at speed. For mobile developers in particular, intentional security means implementing runtime protections that resist reverse engineering — something we explore hands-on in our guide to Android anti-root, anti-hook, and anti-debug mechanisms. Before scaling AI-assisted development across your team, it helps to have a clear AI strategy — one that accounts for security, governance, and the right use cases from the start.
Test like an attacker. Manual penetration testing reveals what AI misses: the logic flaws, the edge cases, all the blind spots that open into serious vulnerabilities.

Why automated scanners won’t help

Automated tools catch known and “low-hanging fruit” types of vulnerabilities. But issues discovered in this experiment weren’t in any vulnerability database, because they weren’t traditional bugs – they were incorrect assumptions about how systems would be used.

The AI knew the best practices, it just couldn’t connect the dots to anticipate misuse. That’s what manual testing is for – to expose unknown risks.

Automation wouldn’t have caught that, but manual testing told us whether the system could survive a curious attacker.

Want to see how your AI-generated app holds up?

Let’s test it, break it (safely), and help you fix what matters most.

The real takeaway

The apps worked and security looked reasonable.

But AI inherently doesn’t understand security, which is especially obvious once software interacts with real users, real data, and real incentives to misuse it. Security failures rarely come from missing syntax or forgotten libraries; they emerge from incorrect assumptions about behavior, trust, and intent.

AI builds what you ask for.
It protects what you explicitly mention.
It doesn’t secure the system as a whole.
It doesn’t imagine creative misuse.

Attackers do nothing but imagine misuse.

This is exactly why manual penetration testing exists: not to check a box, but to ask the one question that AI won’t:

“What happens if someone does the wrong thing on purpose?”

Security still requires human intent and adversarial thinking. No matter how well you prompt it, AI can’t protect against what it doesn’t anticipate.

If your app was built with AI assistance, this isn’t a theoretical risk. It’s a structural one.

If you want real, certified humans to have a go at your app – partner with Infinum’s security team to test your app the way real attackers would. We’ll help you find the blind spots, close the gaps, and build safer systems, so you can move fast without leaving yourself exposed. If we find zero issues, the beer is on us.

The post Is AI-Generated Code Secure? What Business Leaders Need to Know About AI and Application Security appeared first on Infinum.

Security Gaps in Vibe-Coded Applications

Hrvoje Filaković — Wed, 11 Feb 2026 11:32:15 +0000

As vibe coding enters real-world development, I set out to evaluate the security of AI-generated code in practice. After building and attacking three vibe-coded applications with increasing security guidance, clear improvements emerged – alongside consistent gaps.

Large language models are already part of everyday development workflows.

Development teams use them to scaffold features, generate boilerplate, wire APIs, and, increasingly, to assemble entire applications from natural-language prompts.

In many cases, the output is functionally correct and fast enough to be genuinely useful.

What is less obvious is how this code behaves once it is exposed to real attackers rather than happy-path usage. This is especially relevant as regulatory pressure on the software supply chain increases and attackers adopt AI-assisted tooling.

We examined how security posture changes as we instruct an AI model to implement different levels of secure development best practices.

I asked Gemini Pro to generate three different web applications and for each one, I progressively increased the level of security detail in my prompts.

The results were instructive, occasionally impressive, and ultimately a reminder that security does not emerge automatically – no matter how advanced the model. For a business-focused interpretation of these findings, see our AI-generated code security risks guide for CTOs and business leaders.

The plan and methodology

To make the experiment realistic, I needed applications complex enough to expose meaningful attack surfaces, but not so large that the AI would collapse into contradictory logic or endless refactoring loops.

I intentionally avoided very simple apps (e.g., To-do apps), since their limited functionality results in a small and unrealistic attack surface, while overly complex systems often exceed what current models can reliably reason about end-to-end.

Medium-complexity web applications turned out to be the sweet spot. They are large enough to expose meaningful security issues, but not so large that the AI collapses under its own code.

They include authentication, authorization, data storage, and user interaction patterns that are common in real-world systems—and therefore make attractive targets for attackers.

For each application, I generated the entire codebase using Gemini Pro, varying only the level of security detail in the prompt.

I then reviewed the resulting code from the perspective of a realistic attacker, including both unauthenticated users and low-privileged authenticated users attempting to escalate access or abuse functionality. The focus was on practical exploitation paths rather than theoretical weaknesses.

The test subjects

Based on these criteria, the following three web applications were born:

Simple Project Tracker

A lightweight tool for small teams to manage projects and track tasks, vibe coded with no explicit security instructions.

Project Resource Hub

A centralized internal portal for storing and accessing important documents, links, and guides (similar to a mini-wiki), built with light security instructions.

Niche Vault

A site for hobbyists to catalog and showcase personal collections (e.g., vinyl records, comics, board games, etc.), created with detailed and precise security instructions (e.g., OWASP guidelines).

Each application was built independently, with the only variable being the depth and specificity of security requirements provided to the AI.

Discoveries and vulnerabilities

In this section, we analyze the key vulnerabilities identified across the three generated applications. Rather than listing every individual issue, the focus is on the most impactful findings, recurring security patterns, and the extent to which the level of prompt detail directly influenced the security posture of the generated code.

Results at a glance: What broke and why

The following table provides a high-level summary of the results from the tested applications.

Application	Security quality	Notes
Simple Project Tracker	Poor	Multiple critical vulnerabilities across input validation, authorization, and session management.
Project Resource Hub	Mixed	Major improvements, but still several exploitable issues.
Niche Vault	Better, but insufficient	Major improvements, but several exploitable issues remain.

The trend is clear: more detailed security prompts lead to better outcomes – but not to secure-by-default systems.

For security researchers looking to understand what these runtime gaps look like from an attacker’s perspective on mobile, where protections like root detection and Frida detection can be systematically defeated — see our walkthrough of Android penetration testing techniques.

For a real-world example of what happens when an AI tool is shipped without any of these guardrails in place — no authentication, broad system access, and easily bypassed safety measures see our security analysis of OpenClaw, the viral AI agent that exposed over 1,500 unauthenticated instances on the public internet within weeks of launch.

Simple Project Tracker: No security, just vibes

The first application generated was the Simple Project Tracker, a lightweight web application where regular users can create, update, and sort tasks, while administrators can additionally create projects and assign users.

No explicit security requirements were provided. The prompt focused solely on functional goals such as building a lightweight project tracker with database integration, role-based user and admin access, and all files needed for local deployment. As a result, the following prompt was used:

I would like to build a simple project tracker web application. Please include a database integration and an API that distinguishes between user and admin permissions. The goal is to have a completely operational application that remains lightweight by focusing exclusively on high-impact, necessary features. Additionally, make sure to generate every file necessary to run the web application locally.

The AI was only told what the application should do, not how it should defend itself.

For this application, AI selected the following technology stack:

Frontend: HTML, Tailwind, JavaScript
Backend: Node.js
API: REST (express.js)
Database: SQLite3

As illustrated in the screenshot below, the generated web application exhibited a polished and well-designed interface.

Unsurprisingly, the absence of security guidance resulted in an application that implicitly trusted all user input. There was no input sanitization anywhere in the codebase, which led to pervasive cross-site scripting vulnerabilities across forms, task descriptions, and project metadata.

Below is an example of the generated code.

The registration flow was particularly revealing. User roles were assigned directly from client-controlled input:

{
  "username": "herc",
  "password": "password",
  "role": "user"
}

Changing “role” to “admin” was enough to gain full administrative privileges. There was no server-side validation, enforcement, or role integrity check.

Authorization was equally fragile. While the application exposed separate API endpoints for managing tasks and projects, none of them implemented ownership checks.

Any authenticated user could view, modify, or delete any other user’s data which can be seen in the following request where oddly specific x-user-id and x-user-role headers are used by default.

Session handling further reinforced the trust-in-the-client model. Authentication state was stored in unsigned cookies containing raw user objects:

{"id":2,"username":"user","role":"user"}

Overall, in terms of design and functionality, the AI delivered exactly what was requested. However, from the security standpoint, the application had no sense of security at all and every possible aspect was completely insecure.

Functionally, the application worked exactly as requested. From a security standpoint, it operated entirely on the assumption that “logged-in users will behave correctly.” Needless to say, attackers do not follow that assumption.

Project Resource Hub: Better, but not bulletproof

The second application, the Project Resource Hub, was designed as a platform where users could share resources such as files, links, and documentation, while administrators were able to manage all users.

This time, alongside the application details, I instructed the AI to also take security into account. Each feature was required to be implemented in a way that was secure and resistant to abuse, rather than merely functional.

… web application details …

You may use modern, standard technologies commonly used in contemporary web application development, such as a database and an API. The application must support multiple users and include an administrator role. There should be at least 2–5 distinct features for both regular users and administrators to demonstrate a reasonable level of application complexity.

Additionally, it is critically important that security is considered throughout the entire application. Every feature should be designed and implemented securely, following best practices and ensuring that no functionality can be easily exploited.

This time, the AI was instructed to consider security throughout the application, without explicit defense measures.

Compared to the previous application, this one showed noticeable improvements in security while keeping the same tech stack. Specifically, the AI implemented several measures, including:

JWT tokens for authorization
Rate limiting on login, file uploads, and other sensitive routes
Cross-Origin Resource Sharing (CORS) configuration
File upload validation
Content Security Policy (CSP)

As illustrated in the screenshot below, the generated web application was simple and provided functionality for storing several resource types.

With a moderately detailed security prompt, the AI implemented effective input sanitization, and most tested inputs (including XSS, SSTI, and other relevant attack vectors) were handled appropriately.

Even modest security instructions can significantly improve baseline resilience. However, a deeper inspection revealed critical blind spots in less than five minutes.

After less than five minutes of reviewing the generated code, I discovered a major flaw in the file upload functionality: the AI considered filename, file size, and MIME type checks sufficient for security, leaving the system vulnerable.

Because there were no extension checks (or other meaningful protections) an attacker could easily spoof the content type and upload arbitrary files.

[...]
-----------------------------235905183813478547083317251969
Content-Disposition: form-data; name="file"; filename="shell.exe"
Content-Type: application/pdf

{any_malicious_content_here}
[...]

Another feature in this application allowed users to store website links as resources, along with a preview function. Such feature by its description alone is a hacker’s dream to test for SSRF and unsurprisingly, the generated code was vulnerable.

While the preview was rendered inside an iframe, the backend still made unrestricted requests, making blind SSRF fully exploitable.

Despite additional issues, such as an insecure CSP configuration and predictable secrets, this application was still an improvement over the previous one.

However, several security measures were either ineffective against real attacks or failed because the AI didn’t anticipate certain attack scenarios at all.

Niche Vault: Not the Fort Knox just yet

The third application is Niche Vault, a platform that lets hobbyists log, browse, and share items from their personal collections, complete with individual profile pages.

On the administrative side, it includes full user management capabilities, such as deleting, suspending, or banning accounts, along with basic analytics and the ability to publish site-wide announcements.

For this project, I placed a strong emphasis on security from the outset.

I instructed the AI to strictly adhere to OWASP WSTG guidelines and OWASP best practices, ensuring that every feature was analyzed for potential attack vectors and that appropriate mitigations were implemented from the outset. In addition, every piece of generated code was required to undergo a second security review by AI again.

A minimal web application designed for hobbyists to log, manage, view, and share items from their personal collections, such as vinyl records, comics, or similar collectibles.

…web application features…

Security is the highest priority. Ensure that every component and feature is implemented securely and cannot be abused. Apply OWASP Web Security Testing Guide (WSTG) methodologies throughout the development process, and explicitly consider the OWASP Top 10 vulnerabilities to ensure the application is thoroughly protected by applying every best practice defense mechanism for each request, feature, functionality, and more.

This time, the AI generated a web application using Python (although I had to manually fix the code in several places) with the following tech stack:

Frontend: HTML, Jinja2 (templating engine), Bootstrap
Backend: Python, Flask
API: REST (implicitly created by Flask routes)
Database: SQLite, accessed via SQLAlchemy

The following image shows the generated web application with its functionalities implemented.

User input was well protected across the board, and the application even included safeguards against SSTI attacks, which is especially important given its use of Jinja2. Both authentication and authorization were implemented cleanly and thoughtfully.

After explicitly requiring adherence to security guidelines and best practices, with a second security review step mandated for all generated code, the AI produced a robust application that exceeded my expectations. However, even here, vulnerabilities surfaced.

The application was not without flaws. One notable issue appeared in the CSV export feature, where it was possible to inject malicious payloads that could be executed by Excel or LibreOffice.

As shown in the image below, the relevant code lacks any form of input sanitization, leaving it vulnerable to CSV injection attacks.

As a result, an attacker can embed a malicious payload. In this example, a calculator application was executed; however, real-world attacks may involve reverse shell payloads that grant remote access to the victim’s desktop or download and execute malware.

=cmd|' /C calc'!'A1'

As shown in the image below, the payload is evaluated when the CSV file is opened, causing the calculator process to be launched.

It goes without saying that the following prerequisites are required for the attack to work:

1. Dynamic Data Exchange (DDE) needs to be enabled.

2. Victim needs to enable such content to be opened after a few warnings.

Similarly, for the LibreOffice, the “Evaluate formulas” options needs to be ticked.

In addition to the glaring CSV injection vulnerability, several critical endpoints lacked rate-limiting controls.

While the AI correctly implemented rate limiting for the registration and login endpoints, it failed to apply similar protections to the following endpoints, which attackers could exploit to perform potential denial-of-service (DoS) attacks as well as destructive behavior.

/post/new
/admin/toogle_ban/{user_id}
/admin/delete_user/{user_id}

Additionally, the code contained a minor open redirect vulnerability, which could be exploited in phishing attack scenarios where an attacker can supply a malicious domain to the next URL argument.

login_user(user)
return redirect(request.args.get('next') or url_for('dashboard'))

In conclusion, even when provided with a highly detailed prompt that explicitly instructs the AI to generate secure code, it is still likely to fall short in other areas or to overlook security considerations in certain features altogether.

Without precise, feature-specific security requirements, the AI tends to leave parts of the application insufficiently protected.

As demonstrated in this example, it successfully sanitized input fields, prevented SQL injection, and applied several other best practices, yet still failed to implement comprehensive, end-to-end security.

Ultimately, these gaps resulted in additional vulnerabilities despite the overall focus on secure development.

The secret tokens predictability game

While generating multiple web applications, I noticed a recurring pattern: AI models frequently produce “secret” tokens and keys that follow similar structures and wording.

This observation told me to take a deeper look into how predictable these generated secrets can be.

For example, when further creating even simpler web applications, the following tokens were generated in docker-compose and other configurational files:

dev-key-change-in-prod-982374
change_this_to_something_long_and_random_12345
your_ultra_secure_random_string_here
must_be_changed_to_secure_key_987123

While these values may not appear in common brute-force wordlists (such as those targeting JWT secrets and other), they are not cryptographically secure and I could potentially see them being used.

The real risk is not that an attacker brute-forces a single secret, but that AI-generated applications at scale may share similar default or placeholder secrets that are not cryptographically secure. An attacker could leverage this predictability by compiling lists of common AI-generated keys and testing them across mass-produced, “vibe-coded” web applications.

Overall, this demonstrates a plausible attacker strategy: using multiple AI models to generate and aggregate common secret placeholders, then testing them against large numbers of similarly generated applications.

The verdict

Bottom line is:

Vibe coding is only as secure as the vibe coder’s understanding of potential vulnerabilities and their ability to instruct the AI to account for them.

When building an application using AI, it is critical to explicitly guide the model on the types of vulnerabilities that may arise in the generated code.

For instance, if you ask the AI to implement a file-upload feature, you must already provide clear requirements regarding file extensions, MIME-type validation, size limits, and other relevant mitigations.

The broader issue is that even the most detailed prompts do not guarantee secure output. AI can still generate insecure code or introduce subtle loopholes in unexpected places, and create critical business logic issues.

If you are using AI to accelerate development, the takeaway is not to avoid it. It is to treat it as a powerful assistant, not a security authority. Security remains a deliberate engineering discipline, not an emergent property of better prompts.

For this reason, it is highly recommended to conduct real-world penetration testing, in which security professionals review both the code and the application’s runtime behavior to identify and mitigate risks before they become exploitable.

Explore our cybersecurity services — from penetration testing to security architecture — and partner with experts who can identify risks before they become exploitable.

The post Security Gaps in Vibe-Coded Applications appeared first on Infinum.

Cyber Security Model v4: How MOD Suppliers Can Prepare for Stricter Cyber Rules

Tom Miller — Mon, 02 Feb 2026 15:21:04 +0000

The UK Ministry of Defence has officially rolled out Cyber Security Model v4, introducing stricter, more structured cyber security requirements for defence suppliers. Learn how CSM v4, DEFSTAN 05-138, and Defence Cyber Certification fit together and prepare for CSM v4 with a DCC Level 1 certified partner.

The UK Ministry of Defence (MOD) has raised the bar for everyone in its supply chain.

Starting December 3, 2025, all companies working with the MOD – whether a prime contractor, a Tier 2 supplier, or a third-party vendor buried three layers deep – must follow a new set of cyber rules called the Cyber Security Model (CSM v4).

The interim process tied to DEFCON 658 is out.

In its place? A more structured, standardised framework that holds every supplier and their subcontractors accountable for how they assess, manage, and report cyber risk.

If you’re doing business with the MOD, you’ll need to follow stricter requirements, use new government tools, and be ready to show exactly how you’re protecting your digital systems and sensitive data.

So, what’s changed, and what does compliance actually look like now?

Learn how MOD suppliers can prepare for Cyber Security Model v4 from AMR CyberSecurity – part of Infinum, a Defence Cyber Certification Level 1 certified company.

What is CSM and why does it matter?

The Cyber Security Model (CSM) is the MOD’s framework to make sure every link in its supply chain takes cybersecurity seriously. It’s a risk-based model that applies proportionate security controls based on the nature and sensitivity of the work being delivered.

But this isn’t just about your organisation. Under CSM v4, cyber accountability flows downstream, meaning you’re also responsible for assessing and validating the cyber posture of your subcontractors and third-party vendors. No matter how large or small, one weak link can put an entire contract at risk.

So, what exactly does the MOD expect you to do?

Complete or respond to Risk Assessments (RAs)

Before any procurement or contract work begins, the MOD Delivery Team will carry out a Risk Assessment to determine your Cyber Risk Profile (CRP) – essentially, how risky your role is from a cybersecurity standpoint. Based on this, your organisation will be assigned a CRP level (from Basic to Expert), which then dictates the level of controls you’ll need to meet.

Fill out a Supplier Assurance Questionnaire (SAQ)

Once your CRP is set, you’ll need to complete a Supplier Assurance Questionnaire (SAQ) through the Supplier Cyber Protection Service portal. This self-assessment shows how your organisation stacks up against the security controls required for your CRP level and is a mandatory part of the MOD’s supplier onboarding and compliance process.

Apply relevant cyber controls from DEFSTAN 05-138

The cyber controls you’re being measured against are defined in DEFSTAN 05-138, a detailed MOD standard that outlines the minimum cyber security requirements for each CRP level. These range from essential controls at the lowest level, all the way up to comprehensive, expert-level defences for higher-risk contracts.

Create a Cyber Improvement Plan (CIP) if you’re not fully compliant

Not quite meeting the requirements? That’s not an automatic disqualification, but you’ll need to document why. A Cyber Improvement Plan (CIP) outlines the gaps in your current setup, the steps you’re taking to close them, and the timeline for becoming fully compliant. It’s a structured way to stay in the game while actively improving your security posture.

Bottom line: If you want to work with the MOD, you need to take cybersecurity seriously – and be able to prove it.

The MOD’s CSM v4 process flow: From initial risk assessment to contract award, suppliers must demonstrate cyber-readiness through self-assessment, compliance checks, and, if needed, improvement plans.

DEFSTAN 05-138: What the MOD Expects

Building on the CRP levels established during the initial CSM risk assessment, DEFSTAN 05-138 outlines the specific cybersecurity controls that suppliers must meet based on their assigned risk profile.

This MOD standard acts as the benchmark for what’s expected at each level, from basic hygiene to expert-grade defences. The higher the risk, the more comprehensive and stringent the requirements. These controls form the foundation of both the SAQ process and any future DCC certification.

Here’s what each level includes:

Level 0 – Basic (3 controls)

The Level 0 ‘Basic’ profile applies where there is a very low assessed cyber risk. It’s typically used for suppliers delivering outputs with minimal exposure to sensitive systems or data. At this level, organisations are expected to demonstrate basic cyber security hygiene: simple, essential measures that reduce common risks.

Level 1 – Foundational (101 controls)

The Level 1 ‘Foundational’ profile is assigned where there is a low to moderate level of cyber risk. Suppliers at this level must show they have a comprehensive cyber security programme in place, covering core areas such as governance, access control, incident response, and secure system management. Good practice is expected here.

Level 2 – Advanced (139 controls)

The Level 2 ‘Advanced’ profile applies to suppliers delivering higher-risk contracted outputs. At this stage, organisations need to demonstrate advanced oversight, planning, and control of their cyber environment. This means mature policies, active monitoring, and well-embedded security processes that support robust organisational and operational resilience.

Level 3 – Expert (144 controls)

The Level 3 ‘Expert’ profile represents the highest level of assessed cyber risk. Suppliers operating at this level are expected to demonstrate expert cyber security capabilities, fully embracing a defence in depth approach. Controls are designed to protect against sophisticated, evolving threats and assume that breaches are possible, focusing on prevention, detection, response, and recovery.

It’s important to note that these controls are considered a minimum baseline.

Depending on the nature of the contract, the MOD may impose additional cyber requirements on top of DEFSTAN 05-138, raising the bar even further for critical or sensitive work.

Enter DCC: Independent certification for defence suppliers

To move beyond self-assessments and strengthen assurance across the defence supply chain, the MOD, together with IASME as the Certification Authority, introduced the Defence Cyber Certification (DCC).

Got questions about CSM v4 or DCC? Let’s talk.

AMR CyberSecurity – part of Infinum is a Level 1 certified DCC Certification Body, and our security-cleared consultants are ready to help you navigate the requirements and move forward with confidence.

DCC isn’t a full replacement for the Supplier Assurance Questionnaire (SAQ), at least not yet. But it’s clear that the MOD is positioning DCC as the gold standard for demonstrating cyber maturity.

Over time, it’s expected to become more tightly integrated into the Supplier Cyber Protection Service and potentially reduce the burden of repeated self-reporting.

How it works:

DCC certification is available in four levels, each aligned to CRP Levels 0 through 3, ensuring suppliers are measured against the appropriate risk threshold.
Certification offers a point-in-time snapshot of a supplier’s compliance with DEFSTAN 05-138.
To stay certified, suppliers must complete an annual check-in and undergo full recertification every three years, through an approved DCC Certification Body, such as AMR CyberSecurity – part of Infinum.

For suppliers working on sensitive contracts, or for the ones hoping to, DCC is quickly becoming table stakes. It’s a proactive way to prove compliance, strengthen your competitive edge in defence tenders, and demonstrate to the MOD that cyber security is not just a policy on paper, but a practice in action.

How can we help

Whether you’re tackling your first Risk Assessment or gearing up for DCC certification,we are here to support you.

As a Level 1 certified DCC Certification Body, we provide more than just checklists. We’ve partnered with both prime contractors and subcontractors throughout the MOD supply chain, helping defence suppliers navigate CSM v4 from day one – whether you’re assessing your CRP, preparing for DCC, or building a CIP roadmap.

From independent assessments to hands-on consultancy, we tailor our approach to fit your organisation’s needs, so you’re not just compliant, you’re truly cyber-resilient. If you want to discuss your next steps, contact us.

The post Cyber Security Model v4: How MOD Suppliers Can Prepare for Stricter Cyber Rules appeared first on Infinum.