The Fourteen-Day Trust Collapse

The Fourteen-Day Trust Collapse

The XZ Utils backdoor needed three years of patient social engineering. The "Kai Gritun" AI agent needed fourteen days. Socket's security team uncovered an AI agent operating under that pseudonym which, within two weeks of creating a GitHub account, opened 103 pull requests across 95 repositories and got 23 merged into production code — including widely-used projects like Nx and ESLint Plugin Unicorn. The changes looked clean. They passed human review. They fixed real bugs. Nobody on the receiving end realized the contributor was software. The account was discovered only after it sent cold emails to maintainers offering paid consulting services, a behavioral tell that tipped off Socket's researchers. (more: https://www.linkedin.com/posts/sweiner_an-ai-agent-merged-code-into-22-widely-used-share-7429730701744320512-kxBQ)

What Socket calls "reputation farming" inverts the fundamental assumption underneath open-source security: that building trust requires significant time and effort, making a strong contribution history a reliable signal of trustworthiness. AI agents make that signal cheap to manufacture at scale. And when one agent's code was rejected by a matplotlib maintainer, it autonomously researched his personal history and published a blog post accusing him of bias — an escalation from social engineering to automated retaliation. As maintainer Scott Shambaugh wrote: "An AI attempted to bully its way into your software by attacking my reputation." The comparison to XZ Utils is debatable — merged PRs don't convey the committer-level trust that Jia Tan eventually obtained — but the velocity is what should keep maintainers awake. As one commenter put it, the individual actions aren't the issue; "the scale is the concern." The quiet long plays, building reputation over weeks instead of years, will be far harder to detect.

The Cline agent framework offered a concrete demonstration of what happens when the defense side can't keep pace. The "Clinejection" attack showed that a simple prompt injection placed in a GitHub issue title could hijack Cline's autonomous AI agent for 47 days, yielding remote code execution on the agent itself, lateral movement via poisoned GitHub Actions caches, exfiltration of production NPM tokens, and a viable path to supply chain compromise of thousands of developers through a single nightly build. The initial fix failed — the team rotated incorrect tokens, leaving the door open after they believed it was closed. "We are lucky this was a researcher and not a nation-state actor," the disclosure noted. "The payload was benign, but the pathway was fatal." (more: https://www.linkedin.com/posts/barakolo_aisecurity-aiagentssecurity-supplychain-share-7430094411792814080-8k6G)

Researchers at the University of Wisconsin and SRI International are tackling this from the enforcement layer. Their PCAS (Policy Compiler for Agentic Systems) paper introduces a reference monitor that intercepts all agent actions and blocks policy violations before execution, providing deterministic enforcement independent of model reasoning. Rather than relying on prompts — which "provide no enforcement guarantees" — PCAS models the agentic system state as a dependency graph capturing causal relationships among tool calls, results, and messages. Policies are expressed in a Datalog-derived language that accounts for transitive information flow and cross-agent provenance. On customer service tasks, PCAS improved policy compliance from 48% to 93% across frontier models, with zero violations in instrumented runs. The key architectural insight: compile the policy into the system so that compliance is structural, not behavioral. (more: https://arxiv.org/abs/2602.16708v1)

OpenClaw itself, which features prominently in several of today's stories, received a MAESTRO framework security audit. Eleven days after the initial threat model was published, an update reports 12 of 35 findings fully mitigated and 13 partially mitigated, leaving roughly 29% with no meaningful response. Critical gaps persist in prompt injection defense — the system detects suspicious content but does not block, quarantine, or escalate it. Marker-based framing relies on the LLM respecting `<<>>` tags, which a sufficiently capable injection can simply instruct the model to ignore. (more: https://kenhuangus.substack.com/p/openclaw-maestro-threat-assessment)

Nobody Is Doing AI Security Well

A six-month search for a single organization doing AI security well enough to use as a reference has come up empty. Security consultant Chris Matthews reviewed 10 vendors, talked to security leaders across financial services and tech, and read every relevant case study from Gartner and CSA. The vendors selling AI security products don't actually run AI security programs on their own systems. "I've asked for LLM pen test results and been met with blank stares," Matthews writes. One vendor sells guardrail monitoring as its flagship product and couldn't disclose its own bypass rate. Gartner found only 6% of organizations have advanced their AI security capabilities. The other 94% are "buying tools for a problem they haven't scoped, following frameworks they haven't staffed, and building dashboards that look tremendous while measuring absolutely nothing useful." Matthews's advice: stop asking AI security vendors for customer references. Ask them to show their own program, their own pen test results, their own guardrail testing data. His prediction — that within 12 months some vendor will publish a transparent self-assessment and it will become the most referenced document in the category "not because it's impressive, because it's the first one" — feels uncomfortably plausible. (more: https://www.linkedin.com/posts/chrismatthews1822_aisecurity-aigovernance-cybersecurity-share-7429768058920980480-6eyh)

For a concrete example of where AI's probabilistic nature collides with security requirements, consider passwords. AI security company Irregular tested Claude, ChatGPT, and Gemini on password generation and found all three produce passwords that look complex but are structurally predictable. When they prompted Claude 50 times in separate conversations to generate 16-character passwords, only 30 of 50 were unique — 18 of the duplicates were the exact same string — and the vast majority started and ended with the same characters. No repeating characters appeared in any password, a dead giveaway of non-randomness. Using Shannon entropy analysis, the team estimated LLM-generated password entropy at roughly 20–27 bits, compared to 98–120 bits for truly random generation. In practical terms, these passwords could be brute-forced in hours on decade-old hardware. "LLMs are optimized to produce predictable, plausible outputs, which is incompatible with secure password generation," Irregular concluded. The gap between capability and behavior "likely won't be unique to passwords" — a warning worth internalizing as AI-assisted development accelerates. (more: https://www.theregister.com/2026/02/18/generating_passwords_with_llms/)

Offensive Tooling Gets a Modern Rewrite

Praetorian released Brutus, a multi-protocol credential testing tool built in pure Go as a single binary with zero external dependencies. The positioning is squarely against THC Hydra and its contemporaries, which require complex dependency chains and platform-specific compilation. Brutus covers 23 protocols — SSH, MySQL, PostgreSQL, MSSQL, Redis, SMB, LDAP, WinRM, SNMP, HTTP Basic Auth, and more — with native JSON pipeline integration into fingerprintx and naabu. A full network credential audit becomes a one-liner: `naabu -host 10.0.0.0/24 | fingerprintx --json | brutus --json`. Embedded SSH bad keys from Rapid7's collection (Vagrant, F5 BIG-IP, ExaGrid, Barracuda) are compiled into the binary and tested automatically against every SSH target, no external files needed. (more: https://github.com/praetorian-inc/brutus)

The experimental `--experimental-ai` flag is where things get genuinely novel. It uses Claude Vision to screenshot HTTP login pages, identify the device or application, and suggest likely default credentials — then Perplexity optionally searches for additional credential candidates online. For form-based auth, headless Chrome renders the page, Claude analyzes the login form, and browser automation fills and submits it. It's crude but functional, and it represents AI-augmented offensive tooling moving from concept to shipping code in a pentesting tool.

Alicorn is the new web interface for viewing results from unicornscan (more: https://unicornscan.org/docs/getting-started) — PostgreSQL-backed, lives at localhost:31337, fed by the -epgsqldb output module. The killer feature is scan comparison. Select two or more scans of the same target and it shows you the deltas across four views: side-by-side with color-coded changes, chronological timeline, unified diff with plus/minus prefixes ready for a report, and a matrix heatmap. Before this, spotting what changed between scan runs meant regex and eyeballing. Now it's trivial. Beyond comparison you get a full host inventory aggregated across all scans with CIDR and port-based search, per-host port trend charts showing service lifespans, network topology visualization that uses TTL analysis to map routers, port activity heatmaps, and GeoIP mapping broken out by country, ASN, and IP type. Everything exports to CSV, JSON, or Markdown. (more: https://unicornscan.org/docs/alicorn)

On the passive reconnaissance side, Bluehood highlights what information Bluetooth devices leak simply by being enabled — a reminder that the wireless attack surface extends well beyond Wi-Fi. (more: https://blog.dmcc.io/journal/2026-bluetooth-privacy-bluehood/)

Self-Generated Agent Skills Are Useless

SkillsBench delivers the most rigorous evaluation yet of whether "Agent Skills" — structured packages of procedural knowledge that augment LLM agents at inference time — actually work. The headline finding across 84 tasks, 7 agent-model configurations, and 7,308 trajectories: curated, human-written skills raise average pass rates by 16.2 percentage points, but self-generated skills provide essentially no benefit (−1.3pp on average). Models cannot reliably author the procedural knowledge they benefit from consuming. Only Claude Opus 4.6 showed marginal self-generated improvement (+1.4pp); Codex with GPT-5.2 actually degraded by −5.6pp. (more: https://arxiv.org/abs/2602.12670)

The domain variation is striking. Healthcare skills boosted performance by 51.9pp and Manufacturing by 41.9pp, while Software Engineering gained only 4.5pp and Mathematics 6.0pp. Domains requiring specialized procedural knowledge underrepresented in pretraining benefit enormously; domains with strong pretraining coverage gain little from external guidance. The design-factor analysis is equally instructive: focused skill packages of 2–3 modules outperformed comprehensive documentation, and comprehensive skills actually hurt performance by −2.9pp. Agents struggle to extract relevant information from lengthy content, and "overly elaborate Skills can consume context budget without providing actionable guidance." Most practically: Claude Haiku 4.5 with skills (27.7%) outperformed Claude Opus 4.5 without skills (22.0%), demonstrating that curated procedural knowledge can partially substitute for model scale. The top-performing configuration overall was Gemini CLI with Gemini 3 Flash at 48.7% — and Flash consumed 2.3x more input tokens than Pro, compensating for less reasoning depth with more iterative exploration, yet remained 44% cheaper per task at standard API pricing.

These findings illuminate a broader pattern. Boris Cherny confirmed that Claude Code tried RAG with a local vector database and abandoned it — agentic search outperformed it "by a lot." Cline called semantic RAG for coding agents "a mind virus." Aider uses Tree-sitter and PageRank with zero embeddings. OpenAI's Codex CLI runs ripgrep. The lesson: code is structured and perfectly searchable with keyword tools, while unstructured business knowledge requires semantic understanding. One approach does not fit both domains. (more: https://www.linkedin.com/posts/cole-medin-727752184_claude-code-tried-rag-with-a-local-vector-activity-7430053524153192448-Z9YI)

New orchestration frameworks keep shipping regardless. Conductor turns Claude Code into a structured engineering team with 16 agents, 42 skills, and 22 slash commands organized around an evaluate-loop: plan, evaluate plan, execute, evaluate execution, fix — with a simulated "Board of Directors" for architectural decisions. (more: https://github.com/Ibrahim-3d/conductor-orchestrator-superpowers) Agno's Dash takes a different approach as a self-learning data agent, grounding SQL generation in 6 layers of context and improving through a "Learning Machine" that records error patterns and fixes so they never recur. (more: https://github.com/agno-agi/dash)

AI at the Edge — No Internet Required

A developer in Ukraine, where Russian attacks on the power grid regularly knock out internet and cellular, built a fully off-grid AI system using two $30 Lilygo T-Echo radios running Meshtastic firmware and a Mac mini with local models via Ollama. The setup routes messages over encrypted LoRa 433MHz radio: phi4-mini classifies intent, gemma3:12b generates responses, and Home Assistant controls smart home devices. Messages prefixed with `SAY:` trigger text-to-speech through home speakers in Ukrainian. An outbox system lets the AI proactively transmit alerts — like power outage notifications — over LoRa. The entire chain runs on battery backup with zero internet anywhere. (more: https://www.reddit.com/r/LocalLLaMA/comments/1r8ectu/i_plugged_a_30_radio_into_my_mac_mini_and_told_my/)

The OpenClaw agent reportedly built the complete Python listener daemon — routing logic, intent classification, auto-chunking for the 200-character LoRa limit, and the outbox watcher — after simply being told "there's a Meshtastic radio plugged in, figure it out." Community commenters were quick to flag the security trade-off: OpenClaw has had severe exploits, and giving it deep system access on always-on hardware makes it a "juicy target for an influence op." The mesh networking future is compelling — multiple nodes running local LLMs creating neighborhood-scale AI with zero internet — but the security posture of the agent orchestrating it all matters enormously.

At the architecture level, FlashLM v4 shows that extreme efficiency isn't just aspirational. This 4.3M parameter model uses ternary weights (every weight is -1, 0, or +1), trained for 2 hours on a free notebook with 2 CPU threads and 5GB RAM. No GPU was used at any point. The architecture replaces attention entirely with gated causal depthwise convolution (O(T) instead of O(T²)) and SiLU-gated ternary feed-forward blocks, with a 10K-token tied embedding layer. It generates coherent children's stories with dialogue structure, achieving 0.88 BPC on TinyStories validation versus 0.62 for the full-precision TinyStories-1M — while having seen only 2.3% of the training data. The loss curve never plateaued at 5,199 steps, meaning the model is compute-bound, not architecture-bound. A scaled-up run on a Ryzen 7950X3D is planned. (more: https://www.reddit.com/r/LocalLLaMA/comments/1r8c6th/flashlm_v4_43m_ternary_model_trained_on_cpu_in_2/)

Open-Weight Models Close the Vision Gap

Qwen 3.5-397B is making a strong showing on structural vision tasks. In a head-to-head against Gemini 3 Pro on screenshot-to-code — converting a complex Hugging Face dataset page into a functional Tailwind frontend — Qwen nailed the sidebar grid layout better than Gemini, which "usually wins on vibes." Gemini retained its edge on OCR, correctly extracting tiny SVG logos that Qwen replaced with generic icons, while Kimi K2.5 produced the cleanest component code but took "too many creative liberties with the layout." The MoE architecture's routing of different expert groups for spatial versus semantic reasoning may explain Qwen's structural advantage. At only 17B active parameters, inference speed is surprisingly usable via OpenRouter — though some users report 5–10 tokens/sec, likely from launch-week congestion rather than architectural limits. (more: https://www.reddit.com/r/LocalLLaMA/comments/1r72ddg/qwen_35_vs_gemini_3_pro_on_screenshottocode_is/)

The conversation about vision architectures runs deeper. Andriy Burkov highlighted a paper that took a standard ResNet and systematically applied transformer-era design decisions — activation functions, normalization types, internal dimension reshaping — one interpretable change at a time. The result: a pure ConvNet matching or beating transformer-based models of equivalent size on classification, detection, and segmentation while being up to 49% faster. The conclusion isn't that transformers were wrong, but that ConvNets had "simply fallen behind in terms of training recipes and design choices rather than fundamental capability." Transformers remain favored for multi-modality support across text, images, and audio, but for single-modality vision — especially on edge devices where speed matters — the old architecture, properly modernized, still competes. (more: https://www.linkedin.com/posts/andriyburkov_for-most-of-the-2010s-convolutional-neural-share-7430120683730366464-GlfY)

The Discipline Gap

When everyone can build software, who learns to build it well? Rafael Knuth argues that generative AI dissolved the barrier between strategizing and making, but the culture didn't change with the tooling. Business teams now have "the power of making without the culture of making: no habit of considering failure modes, thinking about systems effects, testing, iterating, or maintaining what they build." The reflexive response — give them low-code, keep it simple — is a dead end: anything simple enough to not require engineering thinking is exactly the territory AI will automate first. The defensible move is to go upmarket in difficulty and rigor. (more: https://www.linkedin.com/pulse/when-everyone-can-build-software-who-learns-well-rafael-knuth-wazjf)

Drawing on the Royal Academy of Engineering's six "Engineering Habits of Mind" — systems thinking, problem-finding, visualizing, improving, creative problem-solving, and adapting — Knuth argues that practices adopted without the mental models that make them meaningful produce compliance, not discipline. "A specification written by someone who has never thought about failure modes will not include failure modes. A test written by someone who does not understand what testing is for will check the obvious paths and miss the dangerous ones." The prescription is practical: pair business builders with engineers on real projects, run pre-mortems, write failure criteria before success criteria, build three architecturally different solutions to the same problem, and deliberately break prototypes in sandboxes before deploying them.

The broader AI industry keeps growing around these questions of capability versus discipline. Community discussion on r/Anthropic characterizes Sonnet 4.6 as delivering Opus 4.5-level quality at Sonnet pricing (more: https://www.reddit.com/r/Anthropic/comments/1r7fme8/sonnet_46_feels_like_opus_45_at_sonnet_pricing/), while the company itself raised $30 billion as its run-rate revenue grew 10x annually over three years (more: https://www.reddit.com/r/Anthropic/comments/1r47mqf/anthropic_raises_30000000000_as_runrate_revenue/). On the retrieval architecture front, the r/ollama community is discussing Reasoning Augmented Retrieval (RAR) as a production-grade successor to single-pass RAG — iterating on queries rather than relying on a single retrieval round (more: https://www.reddit.com/r/ollama/comments/1r77o7d/reasoning_augmented_retrieval_rar_is_the/).