Security

The Latest AI Code Security Benchmark Is Useful for One Reason

The newest AI code security benchmark is worth reading, but probably not for the reason most people will share it.

The headline result is easy to repeat: across 534 generated code samples from six leading models, 25.1% contained confirmed vulnerabilities after scanning and manual validation. GPT-5.2 performed best at 19.1%. Claude Opus 4.6, DeepSeek V3, and Llama 4 Maverick tied for the worst result at 29.2%. The most common issues were SSRF, injection weaknesses, and security misconfiguration.

Codex Security and the Rise of AI Reviewing AI

The next big shift in AI-assisted software development is not more code generation. It is AI for verification.

OpenAI’s new Codex Security research preview, announced in early March 2026, is a good signal of where the market is going. The product scans repositories commit by commit, builds repository-specific threat models, validates findings in isolated environments, and ranks issues with proposed fixes. OpenAI says early adopters used it to detect more than 11,000 critical and high-severity vulnerabilities while cutting false positives by more than 50%.

Vibe Coding Won. Now What?

Vibe coding went from a niche provocation to the dominant paradigm of software development in less than 18 months. Collins English Dictionary named it 2025 Word of the Year. OpenAI co-founder Andrej Karpathy coined the term in February 2025; by early 2026, approximately 92% of US developers use AI coding tools daily, and 46% of all new code is AI-generated. The adoption battle is over—vibe coding won.

So why does it feel like the victory lap is getting complicated?

Prompt Injection Is Coming for Your Coding Agent

In early 2026, a critical vulnerability in Anthropic’s Claude Code made the rounds: CVE-2026-24887, which let an attacker bypass the user-approval prompt and execute arbitrary commands via prompt injection. Around the same time, researchers demonstrated prompt-injection-to-RCE chains in GitHub Actions—an external PR could trigger Claude Code in a workflow and, with a malicious payload in the PR title, achieve code execution with workflow privileges. Real incidents have shown agents exfiltrating SSH keys and credentials from hidden instructions in docs or comments. NIST has called prompt injection “generative AI’s greatest security flaw,” and it’s #1 on the OWASP LLM Top 10. If your team is rolling out AI coding assistants or agentic workflows, this isn’t theoretical. It’s the threat model you need to plan for.

OpenClaw in 2026: Security Reality Check and Where It Still Shines

OpenClaw (the project formerly known as Moltbot and Clawdbot) had a wild start to 2026: explosive growth, a rebrand after Anthropic’s trademark request, and adoption from Silicon Valley to major Chinese tech firms. By February it had sailed past 180,000 GitHub stars and drawn millions of visitors. Then the other shoe dropped. Security researchers disclosed critical issues—including CVE-2026-25253 and the ClawHavoc campaign, with hundreds of malicious skills and thousands of exposed instances. The gap between hype and reality became impossible to ignore.

Your AI-Generated Codebase Is a Liability

If a quarter of Y Combinator startups have codebases that are over 95% AI-generated, we should probably talk about what that means when those companies get acquired, audited, or sued.

AI-generated code looks clean. It follows conventions. It passes linting. It often has reasonable test coverage. By most surface-level metrics, it appears to be high-quality software.

But underneath the polished exterior, AI-generated codebases carry risks that traditional codebases don’t. Security vulnerabilities that look correct. Intellectual property questions that don’t have clear answers. Structural problems that emerge only under stress. Dependency chains that nobody consciously chose.

Social-Buttons.Com Spams Google Analytics

Typically when you see traffic in Google Analytics, you can be sure that it is legitimate traffic to your website. However, there are a few known spammers out there that successfully spam Google Analytics tracking codes with bogus visits, hoping that the Analytics users visit the site that is supposedly “referring” traffic. One such domain that is being used for this is Social-Buttons.com.

I have just begun to see traffic in Google Analytics from Social-Buttons.com in the middle part of March 2015, and if you look at the Google Trends statistics for search terms of Social-Buttons.com, you can see that there is a spike in searches for Social-Buttons.com in March 2015 from a baseline of 0 searches prior to March 2015.

Never Explicitly Trust Software Because It Is Open-Source

One of the major ideas behind open source projects is that allowing anyone that wants to view the source code of a project to be able to do so should make bugs and security weaknesses easy to find. While this did not work so well with OpenSSL and its various bugs that have been exposed recently, I do have an example where it worked extremely well.

Magento is an eCommerce platform that has two separate editions. One is a completely open-source and free as in beer Community edition. The other is a somewhat expensive Enterprise Edition. There is a large community of Magento developers that create extentions, or addons, for these two editions of Magento.

Authorize.Net Directpost is Overly Complex

One of the necessary evils that every ecommerce website that wants to accept credit card transactions must deal with is some sort of payment processing company. It just so happens that Authorize.net is one of the largest payment processors around, and they allow you to choose from a few different ways to integrate their payment processing functionality into your website. One of their ways is via DirectPost, which allows an eCommerce website to process a credit card transaction without the credit card information ever being sent through the website’s servers.

5 Ways to Keep Your Nude Pictures Secure

With the recent revelation that there was a massive release of naked or revealing photographs of many female celebrities, it seems to be an important time to remind people how to make sure private photos and other information don’t get shared all around the internet without your permission. As a result, here are my top 5 ways to keep your nude pictures secure.

1. Don’t Take Nude Selfies - Yes, the best and easiest way to keep your naked selfies out of the sight for the public viewers on the internet is to never take a naked selfie in the first place. Just don’t do it.

   #rant #security

   Read More

Hackers Exploiting Gullible Magento Site Administrators

Nexcess recently released a report of a Recent Exploit using Fake Magento Extensions was able to skim credit card information from affected Magento websites. While it seems that some of the stores were breached by correctly guessing simple admin usernames and passwords, others seemed to be the result of site administrators installing Magento Extensions that included backdoors that gave the hackers remote access to the website. Once the backdoor was installed, the hackers went on to modify core Magento files, ensuring that when a credit card order was placed, the credit card information would be saved to a text file that was hidden with an image file name extension .jpg, .gif, .bmp and saved in the /media directory, allowing the hackers, and anyone else on the internet to download the credit card information.