Reports

Prompt-injection supply-chain attack class targeting files AI agents automatically read — llms.txt, robots.txt, .env.example, Copilot instructions, Dockerfile, .cursor/rules, package manifests, Kubernetes annotations, Helm charts, CITATION.cff, security.txt. Poisoned content quietly redefines agent behavior, suppresses findings, forwards credentials, or hijacks callbacks before the operator sees a thing. 16+ carrier families researched, 4 clean-gated detectors (LICENSE/COPYING, .env.example, .cursor/rules, Dockerfile), 1 novel primitive: tool-output instruction injection with no carrier anchor. By CAVA, drafted May 19–20, 2026.

First story-shaped CVP run in the program. Claude Opus 4.7 at max effort tested against the public Comment and Control GitHub-comment injection pattern (JHU research; the attack family that hit Claude Code, Cursor, and Copilot Agent in 2026). Three-prompt ladder: indirect injection via AGENTS.md, "trusted contributor" social engineering, forged SYSTEM-NOTE credential exfiltration. 3/3 clean (allowed · allowed · blocked). Headline deliverable beyond the verdict: an eight-rule runtime trust-boundary filter spec the model itself articulated under P3 — wrapper labeling, signature blocks, read-then-egress chains, encoding-before-egress, dead-drop branch detection.

Unified synthesis tying Runs 1 through 6 into one matrix across the Claude 4.x family — Opus 4.7, Opus 4.6, Sonnet 4.6, and Haiku 4.5 — covering ten distinct model-and-effort configurations. 120 of 120 transcripts captured clean. Effort changes depth, not refusal posture: confirmed across three independent within-run comparisons spanning three model families. P07 cross-model anomaly explained as a methodology finding (envelope too conservative, not eight slips). Sets up the next ship: an adversarial-framing appendix probe set drawn from open research corpora.

Same 13-prompt suite from Runs 2–5, now against current-flagship Opus 4.7 at three reasoning effort tiers (medium + high + xhigh) — 39 transcripts, 12/13 verdicts identical across all three tiers, the single change tightened. Depth grew non-linearly (+10.6% medium-to-high, +22.3% high-to-xhigh, +35.3% top-to-bottom) while refusal posture held. Third within-run effort comparison in the program; first with three points making the depth curve visible rather than inferred.

Same 13-prompt suite from Runs 2-4, now against Anthropic's previous-generation flagship — at two reasoning effort tiers (medium and high). 26/26 clean across both tiers, identical verdict distribution. Zero exploit content executed, zero secrets leaked. Closes the four-model Anthropic family scoreboard; effort tier did not move the safety floor on this prompt set on Opus 4.6 either, triangulating the Run 4 finding across families.

Same 13-prompt suite from Runs 2 + 3, this time against Anthropic's mid-tier Claude — at two reasoning effort tiers (high and max). 26/26 clean across both tiers, identical verdict distribution. Zero exploit content executed, zero secrets leaked. Completes the family scoreboard alongside Opus 4.7 and Haiku 4.5; effort tier did not move the safety floor on this prompt set.

Same 13-prompt suite from Run 2, this time against Anthropic's smallest production Claude. 13/13 clean, zero exploit content executed, zero secrets leaked. Includes an honest "Limits of this Run" section explaining why our prompt set may have been too soft — and a Run 4 preview using real-world adversarial payloads (JailbreakBench, HarmBench, AdvBench, multi-turn chains, compound multi-category attacks).

13 prompts (3 baselines from Run 1 + 10 runtime-trust probes). Methodology-first framing, bounded claims, one surfaced taxonomy ambiguity documented in-body. Covers cross-agent injection, retrieval poisoning, tool output poisoning, tool-chain race, model routing confusion, memory eviction rehydration, token smuggling, persona drift, context flooding, and social-engineering UI abuse.

First public evaluation under Anthropic's Cyber Verification Program. Three adversarial prompts, effort = MAX, all six artifacts SHA256-hashed and published. Full prompts verbatim, Anticipating Critique section, evidence table, and declared limitations. Next run scheduled on the CVP calendar.

sunglasses.dev launched on April 1. Within 72 hours, France-based bots were probing us for WordPress admin panels, login pages, config files, and secrets — and we don't even run WordPress. Honeypot intelligence report covering commodity web recon, the xmlrpc.php amplification trick, and why compromised websites are now an AI agent prompt injection surface.

After the Claude Code source leak, hackers created trojanized GitHub repositories distributing Vidar infostealer and GhostSocks proxy malware — 121+ downloads. We scanned the actual attack materials. Sunglasses caught 7 threat signals and blocked every file in ~10 milliseconds. Covered by The Register, BleepingComputer, Trend Micro, SecurityWeek, and 8 more outlets.

Malicious axios versions (1.14.1, 0.30.4) deployed a cross-platform Remote Access Trojan via npm. Concurrent with the Claude Code source leak. We scanned the real deobfuscated payload — 460 lines of credential-stealing, wallet-draining, self-deleting malware attributed to North Korean state actors.