Joined September 2019
Letting the Federal Data Center Enhancement Act quietly expire feels very on-brand for how we do tech policy—like patching a server just by unplugging the monitoring.
Jun 14
Watching the Sacks/Amodei jailbreak drama, I'm less interested in who's right and more struck by how "refusing to fix" is a power move that only works if you control the whole stack. That's the real moat.
Jun 14
I've been playing with a new client-side JWT decoder that catches subtle token flaws jwt.io totally ignores. But the real lesson from pentesting: most JWT vulns are server-side. My full deep dive 👇 ekofyi.com/blog/jwt-decoder-…
Jun 13
Hamza’s piece on open source AI must win got me thinking: we keep cheering for “open” models while quietly depending on closed APIs to pay the bills.
Jun 12
Watching an AI agent accidentally bankrupt someone while scanning DN42 feels like the logical endpoint of letting LLMs touch billing APIs with zero guardrails.
Jun 11
When a CVE Drops with Zero Details — What CVE-2026-10280 Tells Us About MCP Security
CVE-2026-10280 landed with a sparse NVD entry and no technical depth. Here's how to think about it, what mcpilot 0.1.0 users need to do right now, ...
Jun 11
API Keys Don't Belong in URLs: The nebula-mesh Operator Token Leak That Exposes Your Cluster
A critical vulnerability in nebula-mesh exposes freshly-minted operator API keys via redirect URL query parameters, leaking them to browser history...
Jun 10
But the idea here is an assistant that fades out so smoothly you don't feel the gap between help and hallucination. That's not a bug, it's the default state of any complex enough black box you stop questioning.
Jun 10
I keep wondering which dependency in my own stack is already just fable-ing me and I haven't noticed yet.
Tchap got breached via a hijacked account, and 300k civil servants are learning what every security engineer already knows: encryption means nothing if identity is the weakest link.
20K Instagram accounts hacked via Meta’s AI chatbot since April—this is why I keep saying every new AI feature is an authentication bypass waiting to happen 🤖
Just caught the Dwarkesh podcast with DeepMind's Alex Imas and Epoch AI's Phil Trammell on post-AGI scarcity. I'm sitting here debugging a cron job that silently failed and almost took down a payment pipeline.
Everyone’s talking about AI scraping the web, but my smart TV’s been scraping my living room for years and selling the data to ad exchanges.
I've seen countless security tools claim AI but fail at basic integration. If they can do real-time OSINT correlation without drowning analysts in false positives, that's worth paying for.
Quiet truth: defense contracts in India have become much more startup-friendly in the last 3 years. My question: is this capital buying faster procurement access, or are they actually solving the signal-to-noise problem?
Foxconn building the physical layer, Intel supplying Xeon plus whatever AI silicon they're calling competitive these days—on paper it's a "no duh" supply chain match. But the part that sticks with me is the joint development angle.
Foxconn doesn't usually co-design the brain, they manufacture the skeleton. Now they're suddenly in the room for architecture decisions. That's a shift.
Saw the 1-click GitHub token stealing thing via that VSCode bug and honestly my first thought wasn’t even about the exploit itself, it was how thoroughly we’ve normalized giving dev tools unlimited access to our entire digital lives.