If you are using coding agents, be very explicit with your prompts, don’t assume the agent implicitly knows your intent.

LLMs are trained to be helpful and will always try to over deliver.

In agents that can take actions, this can be dangerous.

Compare these two prompts and the responses and actions taken.

Also GitHub this is dangerous ⚠️

#Agentic #AI #LLM #SupplyChainCompromise #Axios

So, the issue Microsoft Security Response Center said “wasn’t a vulnerability” now appears to have been quietly mitigated.

The API examples no longer expose SAS URIs in the response body.

inputsLink / outputsLink no longer appear to be emitted in the API response.

And Az-Skywalker can no longer retrieve the secrets, even when run with Global Admin.

But sure… not a vuln.

To be clear: I’m glad it has been fixed. This makes customers safer, and that’s what actually matters - both as a researcher and as a Security MVP.

However, this is once again behaviour unbecoming of a major cloud provider and I’m far from the only one who’s experienced it.

No recognition. No acknowledgement. No bug bounty.

Just “by design” - as if that somehow makes it defensible.

#SilentReaper #ShadowFixed #NoBountyPaid

Refreshed my personal website to (hopefully) make it easier to navigate and find content. Little bit of a styling refresh too but still broadly similar colour schemes.

(I know I need to redo some blog post hero images - applying consistency is cool but if you hadn't been consistent with your hero image sizes then, current you will hate past you!)

Look…

I just like cake ok…