~/blog

Blog

What I learn building agents — short, no fluff.

tags →rss feed →

May 14, 20266 min
How I Used Cursor & Codex Independently to Rediscover CVE-2026-42945 — The Nginx RCE
One generic security prompt, one vulnerable source file, no fuzzers or static analyzers. Cursor found the nginx bug fast; Codex validated it with a real ASan crash.
May 12, 202612 min
Mini Shai-Hulud: TanStack supply-chain worm (May 2026)
Technical deep-dive into the Mini Shai-Hulud worm: GitHub Actions cache poisoning, npm propagation, persistence in Claude Code and VS Code, credential theft, dead-man’s switch, and why AI “vibe coding” widens the attack surface.
May 8, 20262 min
Why BinaryClerk
Cloud AI assistants are great until you notice where your data lives and what they can actually touch. Here's what I'm building instead.
May 1, 20261 min
What this blog is
A short note on why I'm posting again, what I'll cover, and how to follow along.
- meta

follow

New posts are infrequent but dense — X, LinkedIn, and GitHub are where I ship in public.

followX LinkedIn GitHub