> Your Phone as a Terminal: One Command, One QR Code, No SSH Client
7 posts tagged #security
A code review of TermBeam, a Node CLI that shares a local terminal to your phone over a QR code — no SSH, no port forwarding, no static IP.
An AI-generated eBPF firewall with 8,500 lines of Rust, an LLM honeypot, and a suspicion scoring bug that made its own behavioral engine useless. I read the code, fixed the math, and wrote it up.
A pull request to my MCP server Charlotte led me to uncover a supply chain attack spanning 250+ repos, 64 sockpuppet accounts, and five phases of escalating access — all funneling GitHub OIDC tokens to a single organization.
The Claude Code leak exposed 500,000 lines of source code. The DMCA takedowns that followed may have exposed something worse — that Anthropic can't legally claim copyright over code its own AI wrote.
A look at Concryptor, a Rust CLI that pipelines io_uring and AES-256-GCM to hit GB/s file encryption on commodity NVMe — and the CI cleanup PR that followed.
A code review of greywall, a container-free sandbox that isolates AI coding agents with kernel-level enforcement — no Docker required.
Your AI agent can read your environment variables. It can also commit them. Here's how to make sure it doesn't.