| Website | https://trailofbits.com |
| Podcast | https://trailofbits.audio |
| GitHub | https://github.com/trailofbits |
| Blog | https://blog.trailofbits.com |
"Failed to compile: missing dependency" sound familiar?
Whether you're building open-source software or running mystery binaries, our new tool, Deptective automatically discovers the packages you need for successful execution.
Read the blog: https://blog.trailofbits.com/2025/07/08/investigate-your-dependencies-with-deptective/
Another tool in our software supply chain security arsenal. Try Deptective: https://github.com/trailofbits/deptective
DARPA's AI Cyber Challenge finals are underway. Seven autonomous AI systems are competing to find and patch vulnerabilities in critical open-source programs like the Linux kernel, SQLite, and cURL that power our digital infrastructure.
Learn more: https://blog.trailofbits.com/2025/07/02/buckle-up-buttercup-aixccs-scored-round-is-underway/
Did you know the biggest cause of crypto hacks in 2024 goes entirely unnoticed by most security audits? This attack vector was responsible for 43% of the crypto stolen in 2024, and isn't eligible as a finding in audit contests or most audit engagements
Answer: Private key compromise.
In this post, you'll learn how to make protocols resilient to private key leaks using our 4-level framework: https://blog.trailofbits.com/2025/06/25/maturing-your-smart-contracts-beyond-private-key-risk/
As a Go developer, do you fully understand Go's JSON/XML/YAML parsers? They are surprisingly prone to attacks with simple misconfigurations:
Three unexpected attack scenarios:
1. Marshaling private data with misconfigured tags
2. Parser differentials in a microservices architecture
3. Cross-format confusion attacks (JSON→XML)
https://blog.trailofbits.com/2025/06/17/unexpected-security-footguns-in-gos-parsers/
File parsers in Go contain unexpected behaviors that can lead to serious security vulnerabilities. This post examines how JSON, XML, and YAML parsers in Go handle edge cases in ways that have repeatedly resulted in high-impact security issues in production systems. We explore three real-world attack scenarios: marshaling/unmarshaling unexpected data, exploiting parser differentials, and leveraging data format confusion. Through examples, we demonstrate how attackers can bypass authentication, circumvent authorization controls, and exfiltrate sensitive data by exploiting these parser behaviors.
In October 2023, we audited Silence Laboratories’ DKLs23 threshold signature scheme (TSS) library—one of the first production implementations of this then-novel protocol that uses oblivious transfer (OT) instead of traditional Paillier cryptography. Our review uncovered serious flaws that could enable key destruction attacks, which Silence Laboratories promptly fixed.
$5B in revenue, millions of mobile players, one question: are the dice rolls fair?
When Monopoly GO! players questioned their dice roll outcomes, the game's developers hired us to conduct an independent cryptographic design assessment of their PRNG architecture.
Our cryptographic design assessment evaluated two core concerns:
✅ If the random number generator produces unbiased outcomes for all players
✅ Do the countermeasures effectively prevent malicious actors from predicting or manipulating results through client-side attacks
Read the case study: https://trailofbits.info/monopolygo-casestudy
We released new Pwndbg: https://github.com/pwndbg/pwndbg/releases/tag/2025.05.30 !
Among others it brings:
- New & improved kernel debugging commands (buddydump, msr, slab) and more x64 regs in context
- New command for dealing with armcm exceptions: dump-register-frame
- Disasm now shows an ✘ marker for emulated branches we know won't be taken
- Improved disasm for ARM, MIPS and LoongArch64 architectures
- Initial support for the IBM s390x architecture
- IDA sync integration fixes
And also cool portable one-liner installers:
$ curl -qsL 'https://install.pwndbg.re' | sh -s -- -t pwndbg-gdb
$ curl -qsL 'https://install.pwndbg.re' | sh -s -- -t pwndbg-lldb
Want to support us? Sponsor us at https://github.com/sponsors/pwndbg !
🔒 Member Spotlight: Trail of Bits
From PEP 740 to OpenSSF Scorecard dashboards, they’re shaping the future of #OpenSourceSecurity with standards, prototypes, & policy leadership.
In 2023, we audited Axiom's Halo2 circuits and found 35 security issues, including 4 high-severity soundness bugs that could break the ZK system entirely.
The Axiom team engaged us early in development. They fixed all issues, and we helped them build comprehensive test suites to strengthen their security posture.
Over two audits in 2023, we reviewed a blockchain system developed by Axiom that allows computing over the entire history of Ethereum, all verified by zero-knowledge proofs (ZKPs) on-chain using ZK-verified elliptic curve and SNARK recursion operations. This system is built using the Halo2 framework—a complex, emerging technology that presents many challenges when building a secure application, including potential under-constrained issues resulting from its low-level API.
We released new Pwndbg: https://github.com/pwndbg/pwndbg/releases/tag/2025.05.30 !
Among others it brings:
- New & improved kernel debugging commands (buddydump, msr, slab) and more x64 regs in context
- New command for dealing with armcm exceptions: dump-register-frame
- Disasm now shows an ✘ marker for emulated branches we know won't be taken
- Improved disasm for ARM, MIPS and LoongArch64 architectures
- Initial support for the IBM s390x architecture
- IDA sync integration fixes
And also cool portable one-liner installers:
$ curl -qsL 'https://install.pwndbg.re' | sh -s -- -t pwndbg-gdb
$ curl -qsL 'https://install.pwndbg.re' | sh -s -- -t pwndbg-lldb
Want to support us? Sponsor us at https://github.com/sponsors/pwndbg !
Disconnect3d
OpenSSF