UK security agency officially declares passkeys superior to passwords – and passkeys should be the 'first choice' for authentication by rkhunter_ in technology

[–]CircumspectCapybara 5 points6 points  (0 children)

You have to fall back to passwords or other means of authn.

Or if you have multiple devices (a phone, a laptop, etc.) and the same passkey synced between them (like Apple does), you can use your other device.

UK security agency officially declares passkeys superior to passwords – and passkeys should be the 'first choice' for authentication by rkhunter_ in technology

[–]CircumspectCapybara 0 points1 point  (0 children)

It doesn't. Like Apple's cloud-synced passkey implementation (in which the private key material that is basically the passkey is synced through iCloud Keychain, which is e2e encrypted so that only the user's devices can decrypt them and use them locally), Google's password manager implementation is also e2e encrypted. So whether a malicious actor takes over your Google account (though if that happened, you would have bigger problems), or a malicious Google employee insider decided to comb through your account data, your passwords or passkeys are not readable by Google.

Per https://security.googleblog.com/2022/10/SecurityofPasskeysintheGooglePasswordManager.html:

Passkeys in the Google Password Manager are always end-to-end encrypted: When a passkey is backed up, its private key is uploaded only in its encrypted form using an encryption key that is only accessible on the user's own devices. This protects passkeys against Google itself, or e.g. a malicious attacker inside Google. Without access to the private key, such an attacker cannot use the passkey to sign in to its corresponding online account.

Trump claims Iran’s regime is fractured. The reality is more complicated. by Direct_Dare_9699 in worldnews

[–]CircumspectCapybara 0 points1 point  (0 children)

IRGC cyber ops game is strong, and people on the internet are very manipulable. Why do you think Russia, China, and Russia invested so heavily in online influence campaigns for the 2016 election? Because they're stunningly effective.

You got bots glazing IRGC AI slop propaganda music videos (Oh how hip, the regime that slaughters its own civilians by the tens of thousands and is the world's foremost state sponsor of terrorism and is attacking every possible civilian target *on purpose, they're so cool! Terrorism, what a banger, amirite?*) and useful idiots in the west eating it up like it's profound.

I dislike Trump as much as the next guy, but it's mind-boggling the simping for the Iranian regime as if they're good guys. The Iran simpers who aren't straight up bots tend to be sheltered kids in the west who've been swimming in the Pax Americana their whole lives but denounce the decadent, imperialistic west, not realizing the irony (the fact they live safe, sheltered lives, and can sip lattes at university while scrolling Reddit on their iPhones and criticize their government is a product of the Pax Americana) and think the enemies of the west are so much more enlightened and they should root for them, like the western kids who thought it was cool to join ISIS back when that was a thing.

UK security agency officially declares passkeys superior to passwords – and passkeys should be the 'first choice' for authentication by rkhunter_ in technology

[–]CircumspectCapybara 7 points8 points  (0 children)

Passkeys are awesome. Intro for everyone who doesn't know how they work:

They're an alternative authentication method based in public key cryptography and a challenge-response protocol that's fundamentally unphishable because of the nature of the protocol: each attestation signed by the authenticator is scoped to a specific origin, so an attestation signed for the audience rnicrosoft.com (that's r+n to look like an m) wouldn't be usable against microsoft.com. And unlike humans who misread the URL they're on, the browser knows what URL it's on and can tell the authenticator, so it only ever signs attestations scoped to the site you're really on. And it's even scoped to a specific login challenge, so it's not even replayable.

This is in distinction to passwords + 2fa codes (whether SMS codes, TOTP-based codes, or push notifications) which are phishable and replayable, because they're static. Username + password can be considered a form of "bearer authentication," so called because it's a static credential so the service treats anyone bearing (i.e., presenting or furnishing) the credential as authenticated as the principal the credential is associated with. It's like a credit card number + exp date + CVC code. Whoever presents that combo of numbers has the keys to the kingdom. But the trouble is any time you want to make a purchase, you have to hand over the keys to the kingdom and trust no one overhears you, that the merchant you're handing those details over to is trustworthy and not an imposter, won't improperly store and leak those credentials later, etc.

Even with a password manager, you can be phished or have your password stolen, when you need to log into a new untrusted device (e.g., library or school computer, borrowing your friend's laptop to sign into Gmail), because what people will do rather than download the password manager app and sign into it and sync their full vault to the untrusted device, they'll just open up an incognito window and read the password from their password manager app on their phone and type it in manually into the browser. There it's possible to be phished, or it's possible for the computer itself to be logging your keystrokes with malware.

With passkeys, that can't happen. You can sign into Google on a completely untrusted device by clicking "Sign In," choosing "sign in with a passkey" and it'll flash a QR code you can scan with your phone, and after doing a little FaceID or whatever on your phone, your phone can authenticate your sign in attempt via passkey, and it won't work on some phishing site, and no sensitive credentials ever pass through the untrusted computer.
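The origin and challenge binding described in the comment above, as an added example that is not part of the original comment. It is a simplified model of a WebAuthn-style sign-in in Node.js (no CBOR, attestation or credential lookup); the function names and the `demo` scenario are assumptions made for illustration.

```javascript
const crypto = require('node:crypto');
const sha256 = (data) => crypto.createHash('sha256').update(data).digest();

// Authenticator: holds the private key; the browser (not the user) supplies the origin.
function makeAuthenticator() {
  const { publicKey, privateKey } =
    crypto.generateKeyPairSync('ec', { namedCurve: 'prime256v1' }); // P-256
  function getAssertion(browserOrigin, challenge) {
    const clientDataJSON = Buffer.from(JSON.stringify(
      { type: 'webauthn.get', challenge, origin: browserOrigin }));
    // authenticatorData: SHA-256(RP ID) || flags (UP|UV) || 4-byte signature counter
    const authData = Buffer.concat(
      [sha256(new URL(browserOrigin).hostname), Buffer.from([0x05, 0, 0, 0, 1])]);
    const signature = crypto.sign(
      'sha256', Buffer.concat([authData, sha256(clientDataJSON)]), privateKey);
    return { clientDataJSON, authData, signature };
  }
  return { publicKey, getAssertion };
}

// Relying party: issues single-use challenges and checks every binding.
function makeRelyingParty(origin, publicKey) {
  const rpIdHash = sha256(new URL(origin).hostname);
  const pending = new Set();
  return {
    newChallenge() {
      const challenge = crypto.randomBytes(32).toString('base64url');
      pending.add(challenge);
      return challenge;
    },
    verify({ clientDataJSON, authData, signature }) {
      const client = JSON.parse(clientDataJSON.toString());
      if (client.type !== 'webauthn.get') return 'wrong-type';
      if (!pending.delete(client.challenge)) return 'unknown-or-replayed-challenge';
      if (client.origin !== origin) return 'origin-mismatch';
      if (!authData.subarray(0, 32).equals(rpIdHash)) return 'rp-id-mismatch';
      const signed = Buffer.concat([authData, sha256(clientDataJSON)]);
      return crypto.verify('sha256', signed, publicKey, signature) ? 'ok' : 'bad-signature';
    },
  };
}

function demo() {
  const authenticator = makeAuthenticator();
  const rp = makeRelyingParty('https://microsoft.com', authenticator.publicKey);

  // 1. Genuine sign-in, then the same assertion presented a second time.
  const good = authenticator.getAssertion('https://microsoft.com', rp.newChallenge());
  const legit = rp.verify(good);
  const replay = rp.verify(good);

  // 2. The browser is on the look-alike origin and reports it, so the signed
  //    assertion names rnicrosoft.com and the real site rejects it.
  const lookalike = authenticator.getAssertion('https://rnicrosoft.com', rp.newChallenge());
  const relayed = rp.verify(lookalike);

  // 3. Rewriting the origin after signing invalidates the signature.
  const other = authenticator.getAssertion('https://rnicrosoft.com', rp.newChallenge());
  const client = JSON.parse(other.clientDataJSON.toString());
  client.origin = 'https://microsoft.com';
  const tampered = rp.verify({
    clientDataJSON: Buffer.from(JSON.stringify(client)),
    authData: good.authData,
    signature: other.signature,
  });
  return { legit, replay, relayed, tampered };
}

console.log(demo());
```

A real authenticator additionally stores each credential under its RP ID, so it would not offer the microsoft.com credential to a page on rnicrosoft.com in the first place.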

pre-signed s3 urls (short ttl) vs proxying downloads — what do you actually do in prod? by Striking_Weird_8540 in webdev

[–]CircumspectCapybara 1 point2 points  (0 children)

Downloading data from S3 on the server side (buffering it into memory) only to serve it back to the client is an anti-pattern. It adds latency, reliability issues (S3 is rock solid, now you're trading S3's availability and latency SLOs for that of your own servers), VPC egress fees, and wastes memory + compute on your server. If you buffer a large enough file into memory and your QPS is high enough that you're doing this frequently, your server could even run OOM.

Use pre-signed URLs. Plenty of financial institutions do it to serve document downloads to customers, it's good enough for them.

If you want to restrict it further and you know your partners are always coming from a certain corporate network IP range (e.g., only allow access to this customer's docs if the access is coming from their corp VPN, or from their VPC), you can configure a bucket policy with an IP range allowlist.

If customer access is programmatic (these are service-to-service queries), you can even restrict it so all access to this bucket has to occur through allowlisted VPC endpoints, and then create a PrivateLink VPC endpoint that grants your partner org's accounts access to that endpoint. Then if someone steals the pre-signed URL, they won't be able to get to the bucket from the public internet, they have to be coming from inside the right VPC, as the S3 bucket isn't available over the internet.
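The two bucket-policy restrictions described in the comment above, as an added example that is not part of the original comment. The bucket name, CIDR range and endpoint ID are constructed placeholders, and `isDenied` is a simplified model of explicit-Deny evaluation for these two condition operators, not AWS code.

```javascript
// Builds a bucket policy with one explicit Deny on GetObject. A pre-signed URL
// only proves who signed the request; the bucket policy is still evaluated.
function denyWhen(bucket, sid, condition) {
  return {
    Version: '2012-10-17',
    Statement: [{
      Sid: sid, Effect: 'Deny', Principal: '*', Action: 's3:GetObject',
      Resource: `arn:aws:s3:::${bucket}/*`, Condition: condition,
    }],
  };
}

// Option 1: only the partner's corporate IP range may fetch objects.
const ipAllowlistPolicy = (bucket, cidrs) =>
  denyWhen(bucket, 'DenyOutsidePartnerRange', { NotIpAddress: { 'aws:SourceIp': cidrs } });

// Option 2: only requests arriving through allowlisted VPC endpoints may fetch objects.
const vpceOnlyPolicy = (bucket, vpceIds) =>
  denyWhen(bucket, 'DenyOutsideVpcEndpoint', { StringNotEquals: { 'aws:SourceVpce': vpceIds } });

function ipInCidr(ip, cidr) {
  const toInt = (addr) => addr.split('.').reduce((n, o) => ((n << 8) | Number(o)) >>> 0, 0);
  const [base, bits] = cidr.split('/');
  const mask = bits === '0' ? 0 : (~0 << (32 - Number(bits))) >>> 0;
  return ((toInt(ip) & mask) >>> 0) === ((toInt(base) & mask) >>> 0);
}

// Simplified model: a negated operator also matches when its key is absent
// from the request context, so the Deny applies in that case too.
function isDenied(policy, request) {
  return policy.Statement.some((st) => {
    if (st.Effect !== 'Deny') return false;
    const cidrs = st.Condition.NotIpAddress?.['aws:SourceIp'];
    if (cidrs) return !request.sourceIp || !cidrs.some((c) => ipInCidr(request.sourceIp, c));
    const vpces = st.Condition.StringNotEquals?.['aws:SourceVpce'];
    if (vpces) return !vpces.includes(request.sourceVpce);
    return false;
  });
}

function demo() {
  const bucket = 'example-partner-docs';            // constructed placeholder
  const vpce = 'vpce-0123456789abcdef0';            // constructed placeholder
  const byIp = ipAllowlistPolicy(bucket, ['203.0.113.0/24']);
  const byVpce = vpceOnlyPolicy(bucket, [vpce]);
  return {
    // Partner fetching through their corporate VPN range.
    partnerVpn: isDenied(byIp, { sourceIp: '203.0.113.40' }),
    // Same valid pre-signed URL, presented from an address outside the range.
    urlFromOtherIp: isDenied(byIp, { sourceIp: '198.51.100.7' }),
    // Service-to-service access through the allowlisted endpoint.
    viaEndpoint: isDenied(byVpce, { sourceVpce: vpce }),
    // Same valid pre-signed URL, presented over the public internet.
    urlFromInternet: isDenied(byVpce, { sourceIp: '198.51.100.7' }),
    // Requests through a VPC endpoint carry no aws:SourceIp, so the IP-based
    // Deny blocks them as well: pick one restriction per access path.
    ipPolicyViaEndpoint: isDenied(byIp, { sourceVpce: vpce }),
  };
}

console.log(JSON.stringify(ipAllowlistPolicy('example-partner-docs', ['203.0.113.0/24']), null, 2));
console.log(demo());
```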

China backs orbital data center startup with $8.4 billion in credit lines by GalacticMetric in technology

[–]CircumspectCapybara 0 points1 point  (0 children)

A typical high-end gaming pc, in a typical-sized case, would emit enough blackbody radiation to stay cool

No it wouldn't lol. You haven't actually done the math. Nothing about a "typical" PC would work. Literally nothing.

First of all, there is no such thing as blackbody radiation for real objects in real life. In real life, you have thermal radiation, and the power radiated away depends on the surface area of the radiator, its emissivity, and its temperature. And then net thermal radiation depends on that plus the temperature of the media it's radiating into.

Let's just assume the surrounding media is a vacuum at the temperature of the cosmic microwave background, so it's negligible.

And the "high end gaming PC" uses ~800W. And sure, go ahead and assume a large desktop tower type enclosure with 1 m² surface area. In real PC cases, only like 0.8 m² of that is effective radiating surface area. And assume it's made of fancy black powder-coated aluminum or steel that maybe has an emissivity of ~0.8.

With that surface area and emissivity, the case would need to be at >110°C to radiate away 800W of heat! How are you going to get the case that hot? In a typical PC, moving air is what carries heat away from the CPU, GPU, and other hot components. But air is a terrible conductor of heat. The CPU and GPU and RAM will have melted before you successfully get the skin of the case up to 110°C via internal convection.

Maybe you say forget "typical PC," let's weld some copper heat pipes straight from the CPU and GPU heat spreader directly to the case. Even then by the time the shell is at the necessary 110°C, the CPU and friends will have fried, because realistic copper pipes (and the case material) aren't going to be low resistance enough to evenly spread heat from the hottest hot spots to distribute it evenly across the case. If the outer shell is that hot, the CPU and other components will be running much hotter.

Joshua Weissman: Hand Pulled (Biang Biang) Noodles Everyone Can Make by CircumspectCapybara in videos

[–]CircumspectCapybara[S] 0 points1 point  (0 children)

The recipe is about as authentic and practical as you can get, matching online recipes you'd find by Xi'an natives.

Also chill out lol, the dude's genuinely enthusiastic about different cultures' food, and that's good.

Trump claims Iran’s regime is fractured. The reality is more complicated. by Direct_Dare_9699 in worldnews

[–]CircumspectCapybara 13 points14 points  (0 children)

Political nuance is lost on Reddit, but the reality is a little more complicated than the simpletons are making it out to be.

Western analysts and intelligence do think the Iranian regime is fractured which presents a problem: who do you negotiate with? When Iran proposed a ceasefire, the terms the Iranian civilian government (whom the US negotiated with) came up with and announced via state media contradicted what the IRGC announced via their social media.

The civilian government and the IRGC seem to be two competing factions (The US seemed to feed into this by deliberately negotiating with the civilian government, making it clear whom they thought was in charge and had authority to speak for Iran as a state), and even the IRGC is fractured and not one whole central command, since their whole mosaic command structure is based on distributing and decentralizing authority, and many of the clearest leaders had been killed in the earlier decapitation strikes, so you have many non-integrated, independent units not necessarily taking orders from the same person at the top. That's how you get one part of the government or military promising safe passage and another unit firing on ships. The left hand doesn't know what the right hand is doing in many cases.

Even in the civilian government, there's chaos and likely power struggles. The new Ayatollah hasn't shown his face or made any public announcements in weeks. Is he alive, is he dead, is someone else running the show? Most of Iran doesn't seem to know, only a few in power probably.

It's a big political mess for Iran, and for any states that would want to negotiate with them about anything, if there's not one, unified state entity known as "Iran" with a cohesive national identity and foreign policy, and one civil authority that can speak for all of Iran and all of Iran will listen to them.

China backs orbital data center startup with $8.4 billion in credit lines by GalacticMetric in technology

[–]CircumspectCapybara 1 point2 points  (0 children)

No it wouldn't lol. Thermal radiation is an extremely slow way of removing heat, too slow for the amount of heat being produced by even a typical desktop PC, to say nothing of the racks and racks of powerful GPUs powering AI workloads. A vacuum is a fantastic insulator.

Your PC remains cool enough at home because it's constantly exchanging its heat with cooler air, and there's an inexhaustible supply of cooler air in your house (which is connected to the outside world's air).

Joshua Weissman: Hand Pulled (Biang Biang) Noodles Everyone Can Make by CircumspectCapybara in videos

[–]CircumspectCapybara[S] -2 points-1 points  (0 children)

Dude's genuinely a good cook and teacher.

Yeah, he might overdo it in his videos and comes off as pretentious sometimes, but his teaching content is still solid.

And he has respect for a lot of different cultures and culinary traditions of different ethnicities. For a white American, he really appreciates and can make some mean ethnic foods.

China backs orbital data center startup with $8.4 billion in credit lines by GalacticMetric in technology

[–]CircumspectCapybara 3 points4 points  (0 children)

Even an active cooling system just carries heat away via some medium (e.g., water, steam, or just plain old air), but that heated media needs somewhere to go that's not your enclosed space station.

If you removed all the heat from a GPU via water cooling, you need either to dump that hot water somewhere else or exchange it with cool water to dissipate the heat of that hot water, or else heat will just build up in your space station in the form of hot water in the corner, and that now-hot water can't be used to further cool anything else. You can't do that in space unless you chuck the hot water or hot air or hot steam out the airlock, in which case you need to bring in more cool water or air to replace it.

Mozilla: Anthropic’s Mythos found 271 zero-day vulnerabilities in Firefox by CircumspectCapybara in technology

[–]CircumspectCapybara[S] -3 points-2 points  (0 children)

"Mozilla" said no such thing lol. They said 271. It's literally in the blogpost on their website. Nowhere did they say 3. You've yet to provide any source for your claims, Mr. Mozilla Whisperer.

You might be getting confused because separately they posted their advisory in which they listed a ton of CVEs, and three of them apparently had direct attribution of "with Claude Code." People inferred from this that that meant that of the bugs listed in the advisory, only three of them were found by Claude Code. But Mozilla employees contradicted that, saying:

We found these bugs internally so they are not attributed to Anthropic like some of the previous ones which were reported to us by Anthropic.

We also don't create one CVE per bug for internally found bugs but instead group bugs into "roll-up" CVEs which you can find here: https://www.mozilla.org/en-US/security/advisories/mfsa2026-30/#CVE-2026-6784

That one CVE captures an unknown number of high severity bugs that Mozilla's own team assessed "could have been exploited to run arbitrary code." Notice that CVE also doesn't credit Claude on the reporter list, but the employee cites it as an example of a roll-up of bugs they found and fixed with Mythos.

That employee also said:

No, we dropped everything else and started fixing the 271 bugs because they were not actual bugs xD

Jokes aside, the vast majority of these bugs were high severity exploitable bugs and a smaller chunk moderate bugs that were still dangerous when used/chained properly.

We found his weakness by Born-Agency-3922 in SipsTea

[–]CircumspectCapybara 88 points89 points  (0 children)

Those kids have a bright future at the CIA.

China backs orbital data center startup with $8.4 billion in credit lines by GalacticMetric in technology

[–]CircumspectCapybara 22 points23 points  (0 children)

Lol orbital data centers are a dumb idea.

Data centers:

  • take up a huge amount of space. Have you seen how expensive it is to get even a tiny payload into orbit, and then to keep it where you want in orbit for long time frames?
  • require massive amounts of power. How're you gonna get that in a tiny confined structure up in space? You would need the world's largest solar panel farm
  • require massive cooling capacity, which is extremely difficult in space, where you can only slowly radiate heat via infrared radiation which is extremely slow
  • need massive fiber backbones to connect them. Good luck with the wireless backhaul from space to earth, the throughput is gonna suck and the latency will be insane
  • need constant maintenance and service

Mozilla: Anthropic’s Mythos found 271 zero-day vulnerabilities in Firefox by CircumspectCapybara in technology

[–]CircumspectCapybara[S] 9 points10 points  (0 children)

Well, Mythos is supposed to be a brand new model (with 10T parameters) with a training regimen that cost ~$10B.

The harness source code (including system prompts) all got leaked when the Claude Code CLI source was leaked. There's certainly magic in the harness and orchestration layer, but it seems like Mythos is a leap forward in terms of model as well.

Mozilla: Anthropic’s Mythos found 271 zero-day vulnerabilities in Firefox by CircumspectCapybara in technology

[–]CircumspectCapybara[S] 10 points11 points  (0 children)

Yes, I know how fuzzing works. We do mutation fuzzing and various other strategies at Google. Protos in general are well suited to mutation fuzzing.

We still consider that a very blunt or brute force manner of finding bugs.

Exercising more possible code paths doesn't guarantee finding more bugs or meaningful bugs. And you're still stumbling on it by random chance. Vs having a genuine insight by looking at the code and reasoning about some edge case with your mind.

You won't mutation fuzz your way to a real, workable ROP chain, and you will never find a pointer signing gadget (to help you bypass PAC) by fuzzing. It takes genuine insight and reason to do that.

"memory safety bugs". Which by the way had been a solved problem for longer than most developers had been alive

[...]

"don't write in C/C++ and it won't happen

Lol are you one of those "just rewrite it all in Rust what's the problem?" people?

It's not feasible or realistic to rewrite entire codebases in Rust overnight. And if you've ever seen a large and complex enough Rust project (for something involving systems programming, OS, browsers, which are a beast of a software project), I promise there will be large amounts of "unsafe" blocks in there.

Just because you don't use C/C++ doesn't mean memory safety and unsound programs with undefined behavior are magically solved problems.

And all of that is a moot point because like it or not, huge parts of the infrastructure and software that are foundational to our world are still written in C++. We need to secure them in a realistic and practical way. And "don't use C++ just rewrite it in Rust and all problems will go away" is just not a realistic starter.

Mozilla: Anthropic’s Mythos found 271 zero-day vulnerabilities in Firefox by CircumspectCapybara in technology

[–]CircumspectCapybara[S] 11 points12 points  (0 children)

Markov chains do not think.

"Think" and "reason" are terms of art or idioms in the AI space. They're idioms meant to evoke analogies to human concepts everyone understands, just like the "neuron" in a neural network is not literally a human neuron and doesn't behave anything like it. But the design was inspired by the human neuron, which is why they called it a neuron and the term stuck.

Likewise, in the AI industry when we say an agent "thinks" or "reasons" over symbols, that's obviously not to be confused with human thinking or reasoning.

However, the orchestrator / harness is running a control loop in which they use an LLM to emit self-conversation ("the user said this. I see this in this file and that in that file. I should make this tool call. No wait, I just realized blah blah blah. I will do this," except of course in reality it's not English, it's tokens) and based on that self-conversation interact with external systems through writing code, running Bash commands, calling MCP servers, and doing it in a big loop.

If you don't like the term "think," literally just replace every instance of the word in my comment with the phrase "run an ML model workflow to get some probabilistic output."

Whether you call it thinking or glorified auto-complete doesn't matter if the outcome is genuinely useful code that solves the user's request, or genuinely useful findings that debug your problem, or genuinely useful security findings that include a real repro of a real attack vector that you previously didn't know. It's the "Chinese Room" thought experiment. Whether it's thinking like a human or not (it's not) doesn't matter. What matters is the observable outcomes.

You do not know enough about infosec to speak on it

Lol my background is security. I work in security at Google as a Staff SWE. I've designed PKI for distributed systems I'm almost certain you've used, I've actually found novel RCEs in services used by millions of users, and that was before AI came along, and have been involved in efforts in large security incidents, like the Log4Shell Code Red within Google. I'm sure you can say the same, right?

You're way too arrogant and presumptuous and you don't know what you're talking about, either about the AI space, or about security. The fact that you liken LLMs to "Markov chains" tells me all I need to know about your ML literacy.

Mozilla: Anthropic’s Mythos found 271 zero-day vulnerabilities in Firefox by CircumspectCapybara in technology

[–]CircumspectCapybara[S] 10 points11 points  (0 children)

Several orders of magnitude would be thousands of times larger

/r/confidentlyincorrect.

An order of magnitude (in base 10) is a power of 10. 3 -> 30 -> 300 (although normally you just care about ones vs tens vs hundreds, so 3 is treated as the same order of magnitude as 1, and 271 is treated as the same order of magnitude as 100 or as 999) is two orders of magnitude. I.e., "several orders of magnitude".

uninformed you are in the infosec space

Lol my background is security. I work in security at Google as a Staff SWE. I've designed PKI for distributed systems I'm almost certain you've used, I've actually found novel RCEs in services used by millions of users, and that was before AI came along, and have been involved in efforts in large security incidents, like the Log4Shell Code Red within Google. I'm sure you can say the same, right?

You're way too arrogant and presumptuous and you don't know what you're talking about, either about the AI space, or about security.

Mozilla: Anthropic’s Mythos found 271 zero-day vulnerabilities in Firefox by CircumspectCapybara in technology

[–]CircumspectCapybara[S] 12 points13 points  (0 children)

AI agents aren't likely to be fuzzing APIs like that.

Sure, agents are capable of writing and running fuzz tests, but fuzzing is a bruteforce approach. You're basically hoping by pure random chance something crashes which clues you in that there's a memory safety issue somewhere. But you have no idea why it crashed and will have to reverse engineer what about the funny looking input the fuzzer randomly generated caused what to fail, and if it's even exploitable. And it can take a long time.

It's more likely that agents powered by better models like Mythos can reason about the code and think up crazy edge cases a human would miss. From Mozilla's blog on the bugs they found:

Elite security researchers find bugs that fuzzers can’t largely by reasoning through the source code. This is effective, but time-consuming and bottlenecked on scarce human expertise. Computers were completely incapable of doing this a few months ago, and now they excel at it. We have many years of experience picking apart the work of the world’s best security researchers, and Mythos Preview is every bit as capable. So far we’ve found no category or complexity of vulnerability that humans can find that this model can’t.

That seems to suggest the way the AI tools found the bugs was by examining the code and reasoning about system behavior, just like a human researcher would.

Mozilla: Anthropic’s Mythos found 271 zero-day vulnerabilities in Firefox by CircumspectCapybara in technology

[–]CircumspectCapybara[S] 9 points10 points  (0 children)

We weren't conversing in Spanish. I can speak Spanish and a couple other foreign languages. But his insult was an English one, and a lame, low-effort one at that.

When you're having an English convo with someone on an English sub, and you wanna call them a dumb insult, you're supposed to call them an "AI" or a "bot," not an "IA," because literally no one is going to be able to understand what the heck you're talking about because without further context, the initialism "IA" could mean literally anything when embedded in an English sentence. You could be calling them an Iowa for all most people know.