Elusive Thoughts

The suits are rushing to integrate "AI" into every internal workflow, and they’re doing it with the grace of a bull in a china shop. If you aren't hardening your Large Language Model (LLM) implementation, you aren't just deploying a tool; you're deploying a remote code execution (RCE) vector with a personality. Here is the hardcore reality of securing LLMs in a corporate environment. 1. The "Shadow AI" Black Hole Your devs are already pasting proprietary code into unsanctioned models. It’s the new "Shadow IT." The Fix: Implement a Corporate LLM Gateway . Block direct access to openai.com or anthropic.com at the firewall. The Tech: Force all traffic through a local proxy (like LiteLLM or a custom Nginx wrapper) that logs every prompt, redacts PII/Secrets using Presidio , and enforces API key rotation. 2. Indirect Prompt Injection (The Silent Killer) This is where the real fun begins. If your LLM has access to the web or internal docs (RAG...

Claude Safety Guide for Developers (2026) — Securing AI-Powered Development Application Security Guide — March 2026 🛡️ Claude Safety Guide for Developers Securing Claude Code, Claude API & MCP Integrations in Your SDLC 📑 Contents Why This Guide Exists The AI Developer Threat Landscape in 2026 Real-World CVEs: Claude Code Vulnerabilities Understanding Claude Code's Permission Model Prompt Injection: Attack Vectors & Defences MCP (Model Context Protocol) Security AI Supply Chain Risks Claude API Safety Best Practices Claude Code Hardening Checklist Integrating Claude Security into CI/CD Compliance Considerations (SOC 2, GDPR, AI Act) Resources & References 1. Why This Guide Exists AI-powered development tools have moved from novelty to necessity. Anthropic's Claude ecosystem — spanning Claude Code (terminal-based agentic coding), Claude API (programmatic integration), and the broader Model Context Protocol (MCP) integrati...

🔍 Advanced Nmap Service Scanner – Bash Script This blog post introduces a powerful Bash script designed to automate and streamline network service scanning using Nmap . The script uses service-specific plugins, checks only open ports, logs results with timestamps, and outputs color-coded terminal feedback. 📂 View it on GitHub: github.com/ElusiveHacker/Tanker 🚀 Features ✅ Scans only open ports for efficiency 📜 Uses Nmap plugins/scripts tailored to each service 🎨 Color-coded terminal output : 🟡 Yellow for open ports 🔵 Blue for closed/filtered ports 📅 Start and end time displayed and logged 🕒 Total scan duration shown in the report 🗂️ Full report saved in scan_report.txt ⚙️ Requirements A Linux/Unix system with bash installed Nmap installed and in your $PATH 📦 Services Scanned The script includes a pre-configured list of commonly scanned services: Service Port Protoco...

Introduction  This article is going to focus on Smart Contract upgradability, why this important and how can we achieve it. When dealing with Smart Contracts we need to be able to upgrade our system code. This is because if security critical bugs appear , we should be able to remediate the bugs. We would also want to enhance the code and add more features. Smart Contract upgradability is not as simple as upgrading a normal software due to the blockchain immutability.   As already mentioned by design, smart contracts are immutable. On the other hand, software quality heavily depends on the ability to upgrade and patch source code in order to produce iterative releases. Even though blockchain based software profits significantly from the technology’s immutability, still a certain degree of mutability is needed for bug fixing and potential product improvements.   Preparing for Upgrades    In order to properly do the upgrade we should be focusing in the followi...

 Introduction  As Crypto currency technologies are becoming more and more prevalent, as the time is passing by, and banks will soon start adopting them. Ethereum blockchain and other complex blockchain programs are relatively new and highly experimental. Therefore, we should expect constant changes in the security landscape, as new bugs and security risks are discovered, and new best practices are developed [1].This article is going to discuss how to perform a source code review in Ethereum Smart Contracts (SCs) and what to look for. More specifically we are going to focus in specific keywords and how to analyse them.  The points analysed are going to be: User supplied input filtering, when interacting directly with SC Interfacing with external SCs Interfacing with DApp applications SC formal verification Wallet authentication in DApp SC Programming Mindset When designing an SC ecosystem (a group of SCs, constitutes an ecosystem) is it wise to have some specific concepts ...

  Elusive Thoughts celebrates 9 years of blogging about hacking  Elusive Thoughts just created its first  non-fungible token (NFT), a digital file whose unique identity and ownership are verified on a blockchain (a digital ledger).  There is a hidden secret in my NFT, please find it. Buy my NFT at  rarible.com  

INTRODUCTION  Ethereum Smart Contracts and other complex blockchain programs are new, promising and highly experimental. Therefore, we should expect constant changes in the security landscape, as new bugs and security risks are discovered, and new best practices are developed [1].  This article is going to focus on threat modeling of smart contract applications. Threat modelling is a process by which threats, such as absence of appropriate safeguards, can be identified, enumerated, and mitigation can be prioritized accordingly. The purpose of threat model is to provide contract applications defenders with a systematic analysis of what controls or defenses need to be included, given the nature of the system, the probable attacker's profile, the most likely attack vectors, and the assets most desired by an attacker.  Smart contract programming requires a different engineering mindset than we may be used to. The cost of failure can be high, and change can be difficult, ...