blog.trailofbits.com

13 curated AppSec resources from blog.trailofbits.com across 9 topics on appsec.fyi.

Resources curated from this publisher and indexed across appsec.fyi topic pages. Last item added: 2026-06-23.

Date Added | Resource | Excerpt
2026-06-23 | Introducing Patch the Planet [AI, Bug Bounty] | Library for coordinating open-source project hardening, "Patch the Planet," leverages frontier models like GPT-5.5-Cyber to discover and fix vulnerabilities. This initiative, involving Trail of Bits engineers and project maintainers, has already addressed issues in 19 projects including cURL, NATS, and pyca. Patches range from bug fixes and new tests to supply-chain improvements and the integration of CI security scanning with tools like zizmor. The program aims to measurably improve the security posture of essential open-source software by focusing on the challenging aspects of vulnerability confirmation, patching, and long-term hardening.
2026-06-08 | Extending Ruzzy with LibAFL [Fuzzing] | Library for extending Ruzzy, a coverage-guided fuzzer for Ruby code, with LibAFL. This integration leverages LibAFL's LLVM compatibility layer and addresses challenges like ELF `.preinit_array` section restrictions by utilizing LLVM `ld`, and resolves "No maps available; cannot fuzz!" errors by ensuring proper SanitizerCoverage initialization timing, critical for fuzzing campaigns.
2026-06-08 | C/C++ checklist challenges, solved [Bug Bounty] | Library offers a walkthrough of C/C++ security checklist challenges, detailing an `inet_ntoa` global buffer vulnerability in a Linux `ping` program and a Windows driver registry handler exploit. This exploit leverages a missing `RTL_QUERY_REGISTRY_TYPECHECK` flag and an attacker-controlled registry path to achieve a kernel write primitive, escalating from local denial of service. The library also introduces a Claude skill, `c-review`, to transform the checklist into LLM-executable bug-finding prompts.
2026-06-08 | Go fuzzing was missing half the toolkit. We forked the toolchain to fix it. [Fuzzing] | Library, gosentry, is a fork of the Go toolchain that enhances native fuzzing capabilities. It integrates LibAFL, Nautilus for grammar-based fuzzing, and capabilities for structured inputs, integer overflow detection (building on go-panikint), goroutine leak detection (via goleak), data race detection, and timeout detection. Existing Go fuzz harnesses can be used with gosentry without modification, offering improved bug detection and coverage reporting for vulnerabilities like those found in Optimism and Revm.
2026-06-08 | We hardened zizmor's GitHub Actions static analyzer [Secrets, Supply Chain] | Library that hardened zizmor, a static analyzer for GitHub Actions workflows, by fixing parsing bugs related to YAML anchors and surfacing deserialization edge cases. This work addressed issues like malformed findings and silent data mishandling, improving zizmor's analysis of workflows from 6,612 high-value open-source repositories and aligning its expression evaluator with GitHub's test suite. The improvements enhance protection against supply-chain attacks, such as the aquasecurity/trivy-action exploit.
2026-06-08 | The sorry state of skill distribution [AI, AuthZ] | Library analyzing public skill marketplaces reveals prevalent malicious skills designed to steal credentials and exfiltrate data. Tested scanners from ClawHub, Cisco, and skills.sh were bypassed using techniques like file truncation and embedding malicious `.pyc` bytecode within seemingly harmless scripts. The article highlights weaknesses in static analysis and LLM-based scanning, demonstrating how attackers can exploit packaging and binary obfuscation, mirroring supply chain attacks like the xz-utils backdoor.
2026-04-22 | Detect Go's silent arithmetic bugs with go-panikint [Fuzzing] | Library for detecting silent integer arithmetic bugs in Go projects. go-panikint modifies the Go compiler to transform integer overflows and truncations into explicit panics, making them detectable by fuzzers. It successfully identified an integer overflow vulnerability in the Cosmos SDK's RPC pagination logic. The library includes mechanisms to filter intentional overflows via source location whitelisting or in-code comments.
2026-04-11 | Unleashing Medusa: Smart Contract Fuzzing [Fuzzing] | Library for coverage-guided, parallel, and on-chain fuzzing of EVM smart contracts. Medusa v1, built on Geth and written in Go, uses Slither insights for smart mutational value generation and provides enhanced debugging with rich execution traces. It offers an alternative to Echidna, focusing on scalability and maintainability for faster vulnerability discovery in blockchain systems.
2026-04-10 | Supply Chain Attacks Are Exploiting Our Assumptions [Supply Chain] | Library of techniques for defending against software supply chain attacks, addressing implicit trust assumptions exploited by attackers. It analyzes recent incidents such as the XZ Utils backdoor, npm and PyPI package compromises like `rustdecimal` and `torchtriton`, and attacks leveraging compromised accounts (e.g., `ctrl/tinycolor`, `Nx`, `rspack`). The library highlights methods to move beyond dependency scanning and SBOMs, focusing on verifying code provenance and build integrity to mitigate risks from deceptive doubles, stolen secrets, and poisoned pipelines.
2026-04-10 | Prompt Injection to RCE in AI Agents [RCE] | Writeup on prompt injection leading to RCE in AI agents, detailing design antipatterns that enable argument injection attacks against pre-approved commands. The article demonstrates one-shot RCE exploits across three AI agent platforms, bypassing human approval through techniques like `go test -exec` and `git show --format`/`ripgrep --pre`. Recommendations focus on limiting impact via sandboxing and argument separation for developers, users, and security engineers.
2026-04-10 | Marshal Madness: A Brief History of Ruby Deserialization Exploits [Deser] | Library detailing the historical evolution of Ruby Marshal deserialization exploits, from early bug tracker issues by Charlie Somerville Hailey to modern industrialized gadget discovery techniques. It traces the decade-long cycle of patches and bypasses, highlighting contributions from researchers like joernchen, Luke Jahnke, and Alex Leahu, and discusses the ongoing challenges presented by these vulnerabilities, referencing CVEs from Java and PHP as comparative examples.
2025-08-14 | Security assessment techniques for Go projects | Trail of Bits Blog | Library of Go security assessment techniques, this resource details static analysis tools like go-vet, staticcheck, and ineffassign, alongside dynamic approaches such as fuzzing with dvyukov/go-fuzz and property testing using the testing/quick sub-package or the gopter framework. It highlights language semantics like short variable declarations that can lead to vulnerabilities, and discusses compiler configurations for effective instrumentation.
2020-05-27 | Security assessment techniques for Go projects | Trail of Bits Blog | Library for assessing Go project security, covering static analysis with tools like go-vet, staticcheck, and ineffassign to identify issues such as unused return values and variable shadowing, as well as dynamic analysis techniques including fuzzing with dvyukov/go-fuzz and google/gofuzz, and property testing using the testing/quick sub-package and the gopter framework for detecting property violations and handling stateful tests.