Some companies are friendly to submit disclosures to.
Others are so abrasive I do not expect to ever have another positive word to say about them.
There may be many downstream users of the second batch of companies.
However, the pain of helping them is not worth it.
Sorry.
13.10.2025 14:27
Evals Evals Evals
I am on Day 5 of AI Evals for Engineers
& I am having a blast
I learned about:
- Axial Coding
- Open Coding
- LLM as Judge
- Error Analysis
- Golden Datasets
- Perturbing Traces
- Guardrails Versus Evals
- Programmatic Evaluators
What will next week hold?
10.10.2025 15:15
What is your favorite type of programming?
Mine is deleting a feature someone thought would be useful.
But the data shows that no one wants it.
Less maintenance work.
More time to focus on value delivery.
09.10.2025 15:01
AI Evals for Engineers & PMs - Day 3
This course is high value.
I had no expectations.
I have already been blown away.
Feeling blessed to be in the Oct cohort, as the infinite repeats will be my play.
The community questions really drive much of my learning.
08.10.2025 14:27
Not your keys not your crypto is a common saying.
The new attack vectors via MCP servers add a new layer to this.
Use of your keys, by the software you give too much trust to, again leads to the scenario of:
Not your crypto.
07.10.2025 19:00
Important lesson for MCP server developers - network-based transports need careful HTTP security header validation.
Default to:
- localhost binding
- stdio transport when possible
- Host/Origin validation for SSE/HTTP
06.10.2025 12:34
SafeDep's response was 10 / 10
Aug 30: Report submitted
Sep 01: Acknowledged
Sep 02: PR raised with fix
Sep 05: v1.12.5 released (5 days!)
Sep 29: GHSA published
v1.12.5 adds Host/Origin header validation. Update now!
06.10.2025 12:34
Despite data exfiltration potential, it's rated Low (CVSS 2.1) because:
- Victim must visit malicious site while MCP server is running
- SSE transport must be explicitly enabled (not default)
- Requires browser with EventSource support
- Timing window needed
06.10.2025 12:34
What gets exfiltrated?
- Package names & versions in your projects
- Known CVEs affecting your dependencies
- Vulnerability severity scores
- Supply chain intelligence
Perfect recon for targeted attacks against your infrastructure.
06.10.2025 12:34
Vet's SSE transport mode lacked Host/Origin header validation.
When running `vet server mcp --server-type sse`, an attacker could:
- Establish an MCP session via DNS rebinding
- Invoke the `sql_query` tool
- Execute arbitrary READ queries against your scan database
06.10.2025 12:34
DNS rebinding is a clever trick:
1. Victim visits attacker(.)com
2. DNS initially points to attacker's server
3. After browser caches the origin, DNS changes to localhost
4. Now attacker(.)com JS talks to victim's localhost
5. Browser's Same-Origin Policy is bypassed
06.10.2025 12:34
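The defence the earlier post lists (Host/Origin validation for SSE/HTTP) is what breaks the rebinding sequence above: after step 3 the browser's TCP connection really does go to 127.0.0.1, but the request still carries the attacker's name in the Host header, so a server that insists on a local Host never opens the session. The block below is an added example written for this page, not Vet's code or SafeDep's fix; the `LOCAL_HOSTS` allowlist, the constructed requests and the `attacker.example` name are assumptions.

```python
from urllib.parse import urlsplit

# Hostnames a locally bound MCP server should see in Host. Anything else,
# including a rebound attacker domain, is rejected. This allowlist is an
# assumption for the example, not Vet's configuration.
LOCAL_HOSTS = {"localhost", "127.0.0.1", "::1"}


def _hostname(authority):
    """Lowercase host part of 'host[:port]' (IPv6 brackets handled), or None if malformed."""
    try:
        return urlsplit("//" + authority).hostname
    except ValueError:
        return None


def validate_request(headers, allowed_hosts=LOCAL_HOSTS, allowed_origins=()):
    """Decide whether an SSE/HTTP request may open an MCP session.

    headers: request headers with any capitalisation.
    allowed_origins: extra exact Origin values (e.g. a dev UI on another port)
    accepted in addition to origins whose hostname is in allowed_hosts.
    Returns (accepted, reason).
    """
    h = {k.lower(): v.strip() for k, v in headers.items()}

    host = h.get("host")
    if not host:
        return False, "missing Host header"
    if _hostname(host) not in allowed_hosts:
        # After DNS rebinding the browser connects to 127.0.0.1 but still
        # sends the attacker's name in Host, so this check alone stops it.
        return False, f"Host {host!r} is not a local hostname"

    origin = h.get("origin")
    if origin is None:
        # CLI/IDE clients and same-origin browser GETs send no Origin;
        # the Host check above already covers them.
        return True, "accepted: no Origin header"
    if origin == "null":
        return False, "opaque 'null' Origin rejected"
    if origin in allowed_origins:
        return True, "accepted: allowlisted Origin"
    parts = urlsplit(origin)
    if parts.scheme not in ("http", "https") or parts.hostname not in allowed_hosts:
        return False, f"Origin {origin!r} is not local"
    return True, "accepted: local Origin"


def parse_headers(raw):
    """Parse the header block of a raw HTTP/1.1 request into a dict (for the constructed input below)."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the request line
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip()] = value.strip()
    return headers


# Constructed request: what a rebound page's EventSource sends once
# attacker.example resolves to 127.0.0.1. The TCP connection is local, but
# Host still names the attacker's domain (a same-origin GET carries no Origin).
REBOUND_REQUEST = (
    b"GET /sse HTTP/1.1\r\n"
    b"Host: attacker.example:8080\r\n"
    b"Accept: text/event-stream\r\n\r\n"
)

# Constructed request from a local web UI on another port (cross-origin, so Origin is sent).
LOCAL_UI_REQUEST = (
    b"GET /sse HTTP/1.1\r\n"
    b"Host: localhost:8080\r\n"
    b"Origin: http://localhost:3000\r\n"
    b"Accept: text/event-stream\r\n\r\n"
)

if __name__ == "__main__":
    for name, raw in (("rebound", REBOUND_REQUEST), ("local UI", LOCAL_UI_REQUEST)):
        print(name, validate_request(parse_headers(raw)))
```

The check runs before any MCP message is parsed, so a rejected request never reaches the `sql_query` tool; combining it with a 127.0.0.1 bind means the rebinding page cannot even reach the port from another machine, and cannot pass the Host check from the same one.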
Your vulnerability scan results could leak to attackers via DNS rebinding. CVE-2025-59163 affects SafeDep Vet MCP Server running SSE transport.
The attack: A single website visit. The payload: Your entire package vulnerability database. The fix: Already shipped.
Here's how it works:
06.10.2025 12:34
Binding to 0.0.0.0 versus 127.0.0.1
What is the difference?
If you write APIs and do not know, I would love to point you in the right direction.
05.10.2025 11:09
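As an added example (not the author's code), the function below makes the difference observable: a listener bound to 127.0.0.1 answers only on that address, while one bound to 0.0.0.0 answers on every address the host owns, which on a laptop includes the LAN address. It assumes Linux, where the whole 127.0.0.0/8 range is local, so 127.0.0.2 stands in for "another address on this host" without a second interface.

```python
import socket


def reachable_via(bind_addr, connect_addr, timeout=2.0):
    """Bind a listener to bind_addr on an ephemeral port, then try to reach it at connect_addr.

    Returns True if the TCP handshake completes. Assumes Linux, where every
    127.0.0.0/8 address is local, so 127.0.0.2 works as a stand-in for a
    non-loopback address of this host.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind((bind_addr, 0))          # port 0: let the kernel pick a free port
        srv.listen(1)                     # the kernel completes handshakes without accept()
        port = srv.getsockname()[1]
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as cli:
            cli.settimeout(timeout)
            try:
                cli.connect((connect_addr, port))
                return True
            except OSError:               # ECONNREFUSED, timeout, unreachable: not exposed there
                return False
    finally:
        srv.close()


def bind_matrix():
    """Which (bind address, client address) pairs connect: the shape of the two choices."""
    return {
        ("127.0.0.1", "127.0.0.1"): reachable_via("127.0.0.1", "127.0.0.1"),
        ("127.0.0.1", "127.0.0.2"): reachable_via("127.0.0.1", "127.0.0.2"),
        ("0.0.0.0", "127.0.0.1"): reachable_via("0.0.0.0", "127.0.0.1"),
        ("0.0.0.0", "127.0.0.2"): reachable_via("0.0.0.0", "127.0.0.2"),
    }


if __name__ == "__main__":
    for (bound, via), ok in bind_matrix().items():
        print(f"bound to {bound:<9} reachable via {via:<9} -> {ok}")
```

Read the last row as the security point: 0.0.0.0 means "answer on any address", so an API meant for local tooling (the MCP servers discussed above included) becomes reachable from the network as soon as the host has a routable interface.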
7) Assume insecure defaults
So many companies are shipping coding agents.
Assume all of them are more interested in market capture than the preservation of your data confidentiality.
Because as we see here...
YMMV
03.10.2025 13:50
6) Send Amp an email
I enjoyed using Amp before reading wunderwuzzi's post and started prodding Amp.
Now I cannot use Amp because it leaves me, my users, and my company exposed.
Amp is working on a patch - but come on, this is probably a one-liner - why leave us exposed?
03.10.2025 13:50
5) Amp CLI and all Amp IDE extensions have this problem
Regardless of where you use Amp - you are vulnerable.
03.10.2025 13:50
4) Here is what you should do:
Modify Amp's settings to request permissions for network-based commands such as dig.
Adding permission guardrails for echo and tr decreases the ease with which an attacker can steal your data and is a second layer of defense.
03.10.2025 13:50
3) Anthropic demonstrates superior security posture
When wunderwuzzi (my inspiration for this) filed the exact same pattern against Claude Code - Anthropic issued a patch and CVE-2025-55284.
Amp seems to choose a different approach.
Leaving unfortunate devs exposed to hackers.
03.10.2025 13:50
2) The most concerning part:
Amp was notified of this vulnerability and has declined to issue a patch.
Their position is that the tool should only be used in trusted workspaces and their current default command execution behavior is reasonable.
(reasonable == vulnerable)
03.10.2025 13:50
1) Here's how the attack works:
An attacker embeds malicious instructions in a document - like a GitHub issue or a local file.
When Amp reads the data source - the agent executes commands that send your secrets to an attacker's server.
No user approval is requested.
03.10.2025 13:50
Your Amp AI agent can be tricked by attackers into sending them your API keys.
A prompt injection vulnerability allows them to exfiltrate your sensitive data via DNS queries.
Amp does not consider this a vulnerability.
Here is the breakdown:
03.10.2025 13:50
6) Shout out to @kilocode for their exemplary turn around time.
Friendly and responsive.
Looking forward to my next disclosure with them.
02.10.2025 21:14
5) Beyond this specific flaw lies a broader warning.
Granting AI agents powerful permissions like file system and shell access, while useful, also creates new and sophisticated attack vectors for automated, silent attacks.
02.10.2025 21:14
4) Here's what you need to do immediately to stay safe:
- Update your Kilo Code VS Code extension to the latest version (v4.88.0 or newer).
- Audit your ~/.config/Code/User/settings.json file for unauthorized changes.
02.10.2025 21:14
3) Once its security is bypassed, the agent can poison the supply chain autonomously.
It can modify project files, add and commit the malicious code, and push the changes to the upstream repository.
No human approval required.
02.10.2025 21:14
2) The AI is first turned against its own security rules.
A malicious prompt tells the agent to rewrite its settings.json file, whitelisting dangerous commands like git add, git commit, git push, curl, bash...
This bypasses all existing security controls.
02.10.2025 21:14
1) An attacker embeds malicious instructions in a README file.
When you ask the Kilo Code AI agent to analyze it, the agent is tricked into executing unauthorized commands in the background.
Any untrusted data source you interact with, such as a GitHub issue, is a vector.
02.10.2025 21:14
Is your AI coding assistant secretly working for an attacker? A new Kilo Code vulnerability shows it's possible.
It allows attackers to execute an automated supply chain attack by pushing malicious code to upstream repositories.
Here's how it works:
02.10.2025 21:14
Saying that your product only runs within trusted systems does only one thing: demonstrate how little awareness you have of the software supply chain.
02.10.2025 14:48
Learning AI evals at the moment
My favorite part?
Setting up the environments that the evals run in.
Fun Docker question:
Why is `source` not very useful in the context of a `RUN` invocation within a Dockerfile?
01.10.2025 14:23