https://defensive.works/ Weekly security recon across cloud, agents, and supply chain. One attack, one rule, one defender move. Five minutes, every Tuesday. en-us https://defensive.works/recon/p/005 https://defensive.works/recon/p/005 Tue, 19 May 2026 12:00:00 +0000 A malicious repo can now turn one trust prompt in a coding CLI into native code execution, Dev Tunnels are much closer to remote access software than a harmless forwarder, and the tooling around agent runtime visibility is finally starting to catch up. This issue is about convenience features that quietly became execution surfaces. https://defensive.works/recon/p/004 https://defensive.works/recon/p/004 Tue, 12 May 2026 12:00:00 +0000 LiteLLM went from GitHub Advisory Database index to honeypot exploitation in 36 hours, pnpm 11 added a 24-hour default delay before brand-new packages resolve, and the Context.ai to Vercel chain showed why OAuth grants need the same default friction as package installs. https://defensive.works/recon/p/003 https://defensive.works/recon/p/003 Tue, 05 May 2026 12:00:00 +0000 A one-megabyte padding trick that walks around Docker's last line of defense, the AWS session-policy pattern for forensic artifact collection, and the Kubernetes 1.36 features that quietly change who can impersonate whom. https://defensive.works/recon/p/002 https://defensive.works/recon/p/002 Tue, 28 Apr 2026 12:00:00 +0000 A Claude Code skill riding authenticated Slack sessions, a Dependabot PR auto-merged 5 minutes after malicious publish, and the AWS pattern that scopes an MCP agent per tool call. https://defensive.works/recon/p/001 https://defensive.works/recon/p/001 Tue, 21 Apr 2026 12:00:00 +0000 AWS Bedrock AgentCore, the IAM blast radius its starter toolkit quietly ships, and the 30-minute audit to run this week.