Tag: 安全
All the articles with the tag "安全".
-
GLM 5.2 Beats Claude on a Cyber Benchmark: Is China's 'Scenario-Specific Superiority' the New Inflection Point?
Updated:Zhipu's GLM 5.2 hit 39% F1 on Semgrep's IDOR vulnerability detection benchmark, beating every Claude Code Opus version at roughly 1/6 the per-finding cost — while still trailing about 2 points on aggregate benchmarks. Kimi and Qwen reproduce the same pattern. Is "scenario-specific superiority" the 2026 inflection point for Chinese models?
-
How Electron Desktop Wallets Should Store Private Keys: safeStorage Isn't Enough — Learn from MetaMask and Phantom
A few days ago I wrote a teardown of safeStorage — the conclusion was that it's fine for ordinary API keys. But what if you need to store a wallet private key worth tens of thousands of dollars? safeStorage falls short. This post looks at how real desktop wallets like MetaMask and Phantom do it, and why the trio of "encryption + master password + short-lived unlock" is unavoidable.
-
Letting Claude Code Touch My Real-Money Trading Code: The Lines I Refused to Cross
I've spent 10 months using Claude Code on a real-money futures trading project. This is an honest retrospective: the AI never touched the money directly (I'm not that bold), but it did write code on the critical order/stop-loss/close-position paths. Here are the boundaries I held, where AI genuinely helped, and the moments I had to take over.
-
Cracking Open the Electron safeStorage Black Box: AES-128-CBC, a Hardcoded IV, and the Things Nobody Tells You
safeStorage is Electron's recommended API for storing secrets, but its implementation details are rarely discussed. This post cracks open the source: roughly 100 lines of C++ wrapping Chromium's OSCrypt, AES-128-CBC, an IV hardcoded to 16 spaces, and PBKDF2 with a single iteration. Paired with real cases — VS Code credentials read directly by extensions, VoidStealer grabbing the master key with a hardware breakpoint — it ends with a threat-model-based storage decision table.
-
AI Tooling Supply Chain Security Checklist: 8 Defense Principles Distilled from the Vercel and Nx Console Incidents
Neither the Vercel breach nor the Nx Console incident was a protocol vulnerability—both were credential governance failures. This post distills these two AI tooling supply chain attacks into 8 defense principles plus a 1-hour audit checklist, covering OAuth least privilege, secret tiering, managed device isolation, and IDE extension credential isolation—a security playbook indie developers and small teams can act on immediately.
-
AI Toolchain Supply Chain Security: A Full Post-Mortem of the Vercel Breach
A post-mortem of the April 2026 Vercel breach and its full attack chain: Roblox cheat script → Lumma Stealer → over-permissive OAuth → SSO lateral movement → leaked environment variables. We break down the security blind spot behind each link and the defenses developers should put in place.
-
Inside the Axios Poisoning: How a North Korean APT Infected Millions of Developer Environments in 3 Hours
In March 2026, the axios npm package was hijacked by a North Korean state-level APT, planting a RAT into millions of developer environments within 3 hours. This post breaks down two separate but related incidents: the full supply-chain poisoning attack chain, and the technical mechanics and real-world exploitability debate around CVE-2026-40175 (CVSS 10.0).
-
The AI Agent Security Landscape: From the ClawHavoc Poisoning to Cisco DefenseClaw and Microsoft's Governance Toolkit
A ClawHavoc-style supply chain attack poisons 1,184 agent skills and hits 300,000 users; within two weeks, Cisco and Microsoft ship agent security tooling. This post breaks down the threat model, compares the two defense architectures, and walks through real integration code.