Building AI agents that ship.

latest writing

Notes I keep when something in the stack deserves a careful teardown.

• May 14, 20266 min

  How I Used Cursor & Codex Independently to Rediscover CVE-2026-42945 — The Nginx RCE

  One generic security prompt, one vulnerable source file, no fuzzers or static analyzers. Cursor found the nginx bug fast; Codex validated it with a real ASan crash.

  • nginx
  • security
  • cve
  • cursor
  • codex
  • ai-agents
  • vulnerability-research
• May 12, 202612 min

  Mini Shai-Hulud: TanStack supply-chain worm (May 2026)

  Technical deep-dive into the Mini Shai-Hulud worm: GitHub Actions cache poisoning, npm propagation, persistence in Claude Code and VS Code, credential theft, dead-man’s switch, and why AI “vibe coding” widens the attack surface.

  • supply-chain-attack
  • github-actions-security
  • npm-worm
  • ai-coding-agents
  • claude-code
  • post-exploitation
  • shai-hulud
• May 8, 20262 min

  Why BinaryClerk

  Cloud AI assistants are great until you notice where your data lives and what they can actually touch. Here's what I'm building instead.

  • binaryclerk
  • local-first
  • agents

all posts → · rss →

current project

BinaryClerk — local-first desktop AI for people who live in the browser.

One app on your machine that chats with capable models, drives your real Chrome through a companion extension, and keeps projects, chats, and files on disk (SQLite) instead of in someone else's cloud.

what it is

Cursor-style depth, but for the browser and your local data.

how it works

Two halves, one pairing. Everything stays on your machine unless you say otherwise.

preview