Trail of Bits

1.7K Followers
5 Following
406 Posts
We help secure the world’s most targeted organizations and products. We combine security research with an attacker mentality to reduce risk and fortify code.
Website: https://trailofbits.com
Podcast: https://trailofbits.audio
GitHub: https://github.com/trailofbits
Blog: https://blog.trailofbits.com

A single bug in an ERC-4337 smart account can be as catastrophic as leaking a private key.

We've audited dozens of smart accounts and found six vulnerability patterns that consistently reappear across codebases.

If you're working with smart accounts, each pattern includes safe code examples so you can reference them for your own implementation: https://blog.trailofbits.com/2026/03/11/six-mistakes-in-erc-4337-smart-accounts/

We open-sourced 10 new Claude Code skills from our internal repository.

Including:
agentic-actions-auditor finds security vulnerabilities in GitHub Actions workflows where attacker-controlled input reaches AI agents running with elevated CI permissions.

let-fate-decide draws Tarot cards using cryptographic randomness when your prompt is too vague for a real plan.

git-cleanup categorizes your accumulated branches and worktrees and walks you through safe deletion with gated confirmation.

https://github.com/trailofbits/skills/

We're sponsoring RE//verse in Orlando this week. Sam Sharps, Kyle Elliott, and Julius Alexandre will be there. Come find them if you want to talk reverse engineering or binary analysis. https://re-verse.io/
How do you rebuild a security consultancy around AI without breaking what works? Our CEO, Dan Guido, talks systems, feedback loops, and what it actually takes to go AI-native at [un]prompted on March 4th at 9:10 AM https://unpromptedcon.org/
What if the compiler itself flagged your bugs? Blockchain engineer Kevin Valerio is in Tokyo for SECCON 14 to show how Go's IR can be modified to catch deterministic bug classes.
If you're attending, Kevin presents from 14:20-14:40 (GMT+9): https://www.seccon.jp/14/ep260228.html
SECCON14 電脳会議 (Cyber Conference), 2026.2.28 (Sat) - 3.1 (Sun)

SECCON is an information security contest that hosts a variety of competitions on the theme of information security. This is the information page for "SECCON14 電脳会議", held over two days, February 28 (Sat) to March 1 (Sun), 2026.

New tool release! Linux memory forensics requires external debug symbols that precisely match your kernel version; those symbols are rarely installed on production systems and are often missing after updates. mquire eliminates this dependency entirely by extracting BTF type information and kallsyms symbol addresses directly from the memory dump. Works on kernel 4.18+ with BTF enabled.
https://blog.trailofbits.com/2026/02/25/mquire-linux-memory-forensics-without-external-dependencies/
mquire: Linux memory forensics without external dependencies

We’re open-sourcing mquire, a tool that analyzes Linux memory dumps without requiring any external debug information.

Before launch, Perplexity hired us to test the security of Comet, their AI browser assistant. We demonstrated how four prompt injection techniques could extract users' private information from Gmail. https://blog.trailofbits.com/2026/02/20/using-threat-modeling-and-prompt-injection-to-audit-comet/
Using threat modeling and prompt injection to audit Comet

Trail of Bits used ML-centered threat modeling and adversarial testing to identify four prompt injection techniques that could exploit Perplexity’s Comet browser AI assistant to exfiltrate private Gmail data. The audit demonstrated how fake security mechanisms, system instructions, and user requests could manipulate the AI agent into accessing and transmitting sensitive user information.

Today at 12:55 PM MT on the Future Llama stage at ETH Denver, our CEO, Dan Guido, opens the hood on how he made Trail of Bits AI-native.
Carelessness versus craftsmanship in cryptography
Two popular AES libraries (aes-js and pyaes) provide dangerous default IVs that lead to key/IV reuse vulnerabilities affecting thousands of projects. One maintainer dismissed the issue, while strongSwan's maintainer exemplified proper security response by comprehensively fixing the vulnerability in their VPN management tool.
https://blog.trailofbits.com/2026/02/18/carelessness-versus-craftsmanship-in-cryptography/
We're hiring a senior technical recruiter who can own the full hiring lifecycle and build a talent pipeline. You thrive on personal connections and have a knack for evaluating technical candidates across engineering and non-engineering roles.