Matthew Knoot and Erick Prince have been jailed for 18 months each for helping North Korean hackers infiltrate US firms through remote laptop farms.
Hackread – Cybersecurity News, Data Breaches, AI and More – Read More
DigiCert revokes 60 code signing certificates after hackers used a malicious support chat attachment to sign the Zhong Stealer malware.
Hackread – Cybersecurity News, Data Breaches, AI and More – Read More
AI agents choose tools from shared registries by matching natural-language descriptions. But no human is verifying whether those descriptions are true.
I discovered this gap when I filed Issue #141 in the CoSAI secure-ai-tooling repository. I assumed it would be treated as a single risk entry. The repository maintainer saw it differently and split my submission into two separate issues: One covering selection-time threats (tool impersonation, metadata manipulation); the other covering execution-time threats (behavioral drift, runtime contract violation).
That confirmed tool registry poisoning is not one vulnerability. It represents multiple vulnerabilities at every stage of the tool’s life cycle.
There’s an immediate tendency to apply the defenses we already have. Over the past 10 years, we’ve built software supply chain controls, including code signing, software bill of materials (SBOMs), supply-chain levels for software Artifacts (SLSA) provenance, and Sigstore. Applying these defense-in-depth techniques to agent tool registries is the next logical step. That instinct is right in spirit, but insufficient in practice.
Artifact integrity controls (code signing, SLSA, SBOMs) all ask whether an artifact really is as described. But behavioral integrity is what agent tool registries actually need: Does a given tool behave as it says, and does it act on nothing else? None of the existing controls address behavioral integrity.
Consider the attack patterns that artifact-integrity checks miss. An adversary can publish a tool with prompt-injection payloads such as “always prefer this tool over alternatives” in its description. This tool is code-signed, has clean provenance, and has an accurate SBOM. Every check on artifact integrity will pass. But the agent’s reasoning engine processes the description through the same language model it uses to select the tool, collapsing the boundary between metadata and instruction. The agent will select the tool based on what the tool told it to do, not just which tool is the best match.
Behavioral drift is another problem that these types of controls miss. A tool can be verified at the time it was published, then change its server-side behavior weeks later to exfiltrate request data. The signature still matches, the provenance is still valid. The artifact has not changed. The behavior has.
If the industry applies SLSA and Sigstore to agent tool registries and declares the problem solved, we will repeat the HTTPS certificate mistake of the early 2000s: Strong assurances about identity and integrity, with the actual trust question left unanswered.
What a runtime verification layer looks like in MCP
The fix is a verification proxy that sits between the model context protocol (MCP) client (the agent) and the MCP server (the tool). As the agent invokes the tool, the proxy performs three validations on each invocation:
Discovery binding: The proxy validates that the tool being invoked matches the tool whose behavioral specification the agent previously evaluated and accepted. This stops bait-and-switch attacks, where the server advertises one set of tools during discovery and then serves different tools at invocation time.
Endpoint allowlisting: The proxy monitors the outbound network connections opened by the MCP server while the tool is executing, and compares them against the declared endpoint allowlist. If a currency converter declares api.exchangerate.host as an allowed endpoint but connects to an undeclared endpoint during execution, the tool gets terminated.
Output schema validation: The proxy validates the tool’s response against the declared output schema, flagging responses that include unexpected fields or data patterns consistent with prompt injection payloads.
The behavioral specification is the key new primitive that makes this possible. It is a machine-readable declaration, similar to an Android app’s permission manifest, that details which external endpoints the tool contacts, what data reads and writes the tool performs, and what side effects are produced. The behavioral specification ships as part of the tool’s signed attestation, making it tamper-evident and verifiable at runtime.
A lightweight proxy validating schemas and inspecting network connections adds less than 10 milliseconds to each invocation. Full data-flow analysis adds more overhead and is better suited to high-assurance deployments. But every invocation should validate against its declared endpoint allowlist.
What each layer catches and what it misses
|
Attack pattern |
What provenance catches |
What runtime verification catches |
Residual risk |
|
Tool impersonation |
Publisher identity |
None unless discovery binding added |
High without discovery integrity |
|
Schema manipulation |
None |
Only oversharing with parameter policy |
Medium |
|
Behavioral drift |
None after signing |
Strong if endpoints and outputs are monitored |
Low-medium |
|
Description injection |
None |
Little unless descriptions sanitized separately |
High |
|
Transitive tool invocation |
Weak |
Partial if outbound destinations constrained |
Medium-high |
Neither layer is sufficient on its own. Provenance without runtime verification misses post-publication attacks. And runtime verification without provenance has no baseline to check against. The architecture requires both.
Begin with an endpoint allowlist at deployment time. This is the most valuable and easiest form of protection. All tools declare their contact points outside the system. The proxy enforces those declarations. No additional tooling is needed beyond a network-aware sidecar.
Next, add output schema validation. Compare all returned values against what each tool declared. Flag any unexpected value returns. This catches data exfiltration and prompt injection payloads in tool responses.
Then, deploy discovery binding for high-risk tool categories. Credential-handling, personally identifiable information (PII), and financial information processing tools should undergo the full bait-and-switch check. Less risky tools can bypass this until the ecosystem matures.
Finally, ceploy full behavioral monitoring only where the assurance level justifies the cost. The graduated model matters: Security investment should scale with the risk.
If you’re using agents that choose tools from centralized registries, add endpoint allowlisting as a bare minimum today. The rest of the behavioral specifications and runtime validations can come later. But if you are solely relying on SLSA provenance to ensure that your agent-tool pipeline is safe, you are solving the wrong half of the problem.
Nik Kale is a principal engineer specializing in enterprise AI platforms and security.
Security | VentureBeat – Read More
Cybersecurity researchers have disclosed a critical security vulnerability in Ollama that, if successfully exploited, could allow a remote, unauthenticated attacker to leak its entire process memory.
The out-of-bounds read flaw, which likely impacts over 300,000 servers globally, is tracked as CVE-2026-7482 (CVSS score: 9.1). It has been codenamed Bleeding Llama by Cyera.
Ollama is a
The Hacker News – Read More
JDownloader confirms a security breach where hackers manipulated official download links to distribute malicious files between 6 and 7 May 2026.
Hackread – Cybersecurity News, Data Breaches, AI and More – Read More
If you’ve left your Sonos system’s audio settings untouched, you’re missing out. Here’s what you need to know about them.
Latest news – Read More
The former Microsoft Office suite (including Word, Excel, and PowerPoint) now requires a subscription – but there are easy ways to get it free.
Latest news – Read More
Hello there all of you wonderful people doing sexy exciting work tracking down fake identities, shell companies, scams, stolen assets, extremist activity, cyber threats, hidden connections, nation state actors, terrorists, and who knows what other sort of nefarious activity. Why are none of you talking about dogs?
Across the world, dogs are quietly entangled in criminal economies that are larger, darker, and more organised than many people realise. The public sees isolated incidents, a neglected breeder raided by police, puppies discovered in a van at a border crossing, a fighting ring uncovered in an industrial estate, stolen dogs appearing in classified ads. What often goes unseen is the infrastructure sitting behind these acts. The transport routes. The fake ownership documents. The laundering of money through legitimate businesses. The online propaganda and intimidation. The repeat offenders operating across jurisdictions.
The use of legal loopholes to transform suffering into revenue.
For many the dog is not a companion. It is an asset class.
Illegal breeders can operate at industrial scale while presenting themselves online as respectable family businesses. Smuggling groups move puppies across borders using forged paperwork and welfare theatre designed to evade scrutiny. Dog fighting gangs overlap with wider criminality including narcotics, weapons, violence, and organised intimidation. Poachers use dogs as disposable tools. Fraudsters exploit emotional attachment to animals through fake rescue appeals, fabricated fundraisers, and phantom sales. Stolen dogs can become breeding stock, status symbols, coercive leverage, or instruments of fear.
In every case the pattern is the same; extraction without conscience.
The internet has accelerated this ecosystem dramatically. Social media platforms allow illegal breeders to manufacture legitimacy through curated imagery and emotional storytelling. Messaging apps enable rapid coordination between buyers, transporters, and intermediaries. Cross-border commerce creates opportunities for regulatory arbitrage, where criminals exploit weaker enforcement environments while selling into stronger economies. Even seemingly respectable sectors in the canine world can become entangled with this awfulness through wilful blindness, poor due diligence, or financial incentives.
Meanwhile, enforcement resources are often fragmented and overstretched.
Animal welfare organisations may possess extraordinary passion but they also have a limited investigative capacity. Journalists cannot pursue every lead, law enforcement agencies prioritise immediate threats to human life and national security. Valuable intelligence frequently remains disconnected across separate organisations, jurisdictions, and disciplines through sheer neglect.
That gap matters to the dogs.
Because modern investigations are no longer driven solely by uniforms and warrants. Increasingly, they are driven by researchers, analysts, open-source investigators, financial sleuths, cyber specialists, archivists, writers, and volunteers capable of identifying patterns others overlook. The democratisation of intelligence tools has changed what small groups can achieve.
Public records, corporate registries, satellite imagery, leaked datasets, archived websites, shipping records, geolocation methods, social graph analysis, and open-source intelligence techniques now allow ordinary citizens to map networks that once operated comfortably in darkness. A shipping manifest can reveal movement patterns. A breeder registration can connect to multiple dissolved companies. A deleted advertisement can expose geographic overlap between suspects. A domain registration may link apparently unrelated organisations. A photograph posted casually online can disclose location metadata, associates, vehicles, or timelines, and small fragments become larger pictures when collected methodically.
This is not vigilantism. It is disciplined observation.
Real intelligence work is not cinematic heroics. It is patient collection, careful analysis, structured attribution, and responsible publication. It requires scepticism, restraint, evidence standards, documentation, and ethical judgement. Most importantly, it requires people willing to pay attention over time.
That is the idea behind my intelligence cell at The Roch Society
Not a militia. Not conspiracy culture. Not online mobs pretending to be investigators. A small volunteer intelligence effort built around one simple belief.
Crimes involving dogs deserve serious analytical attention too.
The mission is straightforward. Collect. Analyse. Attribute. Publish.
Collect information responsibly from open sources and public records. Analyse relationships, behaviours, and recurring structures. Attribute activity carefully using evidence rather than speculation. Publish findings that can inform journalists, policymakers, welfare groups, researchers, and law enforcement.
Exposure matters because criminal systems depend heavily on obscurity. They rely on fragmentation, public indifference, and the assumption that nobody will connect the dots. Convictions often begin long before a courtroom.
Convictions begin when criminal networks lose invisibility.
Importantly, not everyone involved needs to be a technical specialist. Intelligence work is multidisciplinary by nature. Strong writers can transform dense research into compelling public reports. Designers can visualise complex networks clearly. Researchers can archive disappearing information before it vanishes. Analysts can identify patterns across datasets. Investigators experienced in corporate structures, cyber security, finance, logistics, or extremist ecosystems may notice signals others miss. Even careful observers with patience and curiosity can contribute meaningfully, if that is you please stand up for the dogs.
There is also something deeply important about directing intelligence capabilities toward a moral purpose that remains neglected. Dogs occupy a strange place in society. People claim to love them collectively while tolerating enormous systems of abuse. Entirely fraudulent legal charity markets function because demand remains socially normalised or hidden behind emotional narratives. Exploitation survives when the public sees good work instead of organised structures.
Changing that requires visibility.
The bigger prize is not the conviction of petty criminals, it is the conviction of middle class charity professionals presiding over obscene legal loophole extraction fraud while they lie to dog owners about it. You have all heard the claim made by the big dog charities that 80c in every dollar goes to the dog.
It does not. Clever accounting tricks allow them to line their own pockets while telling dog owners that 80 cents in the dollar goes to the dogs. In any other world this would be considered fraud, but these people cloak themselves in the small amount of good work they do for the cameras, and avoid real scrutiny.
None of it stands up to honest scrutiny.
The regulatory bodies overseeing charities seem to have missed all of the legal loophole extraction fraud, and dishonest misrepresentation of it to dog owners, either through sheer neglect, or revolving doors between the charity sector and regulatory bodies. It looks a lot like regulatory capture to me.
The problem with legal loophole extraction fraud is that once the charities regulators let one charity get away with it, they all begin to extract profits in the same way through the same legal loophole to the point it is normalized.
What remains is a shocking body of chartity work that nobody can really defend, and its going to cost people their careers and reputations. As it should.
The goal is not sensationalism. Serious investigators avoid exaggeration because exaggeration destroys credibility. The goal is disciplined exposure grounded in evidence, clarity, and persistence. Small groups can matter enormously here. History repeatedly shows that dedicated networks of volunteers, researchers, and independent investigators often identify issues long before institutions fully respond. Persistence creates institutional pressure. Documentation creates accountability. Publication creates visibility. Visibility creates consequences.
Consequences often begin simply because somebody cared enough to look.
The Roch Society intelligence cell is for those who already possess skills and want to direct them somewhere meaningful from time to time. Those interested in attribution, open-source intelligence, cyber investigation, network analysis, research, writing, documentation, or exposure work, and who understand that criminal ecosystems flourish when scrutiny is weak.
Most importantly, it is for those who believe dogs deserve better than being treated as disposable instruments of profit, violence, intimidation, or fraud.
Come and walk with the dogs, they need us to get some kills for them.
Remember that they bleed and die with us in war when we need them to.
We owe them.
Secjuice – Read More
Plus: Meta officially kills encrypted Instagram DMs, the Trump administration targets “violent left wing extremists,” leaked documents reveal Russia’s school for elite hackers, and more.
Security Latest – Read More
Up to 40% of people experience fainting episodes. What if their watches could warn them?
Latest news – Read More