Threat Intelligence · 8 min read

Weekly Threat Intelligence: SSH Crypto Flaws, ChatGPhish Markdown Poisoning, and Deep-Buffer Binary Inspection

The May 29, 2026 threat cycle surfaced critical Go SSH cryptography vulnerabilities, agentic markdown exfiltration via third-party poisoning, and deep-file memory corruption RCEs buried inside large buffers. Here is what the audit found and what 1-SEC hardened immediately.

Threat Intelligence Team

Tags: threat intelligence, SSH security, Go crypto, prompt injection, markdown poisoning, ChatGPhish, deep buffer inspection, supply chain security, single binary, open source cybersecurity

The Threat Cycle Pushed Down Into Crypto Primitives and Agent Trust Surfaces

This run covered May 22 through May 29, 2026 and processed 234 high and critical vulnerabilities across CISA KEV, NVD, the Go Vulnerability Database, and 10 editorial security sources. The pattern was sharper than usual: two of the most severe issues were not in application code at all, but in the cryptographic libraries underneath it. The remaining pressure came from agent trust surfaces—places where AI agents are expected to fetch, summarize, and render external content without questioning whether that content was designed to harm the user.

That showed up in four concrete ways. First, golang.org/x/crypto at v0.50.0 carries multiple SSH protocol logic flaws—including integer overflow in framing, FIDO/U2F signature bypasses, and key constraint stripping—that allow memory and CPU exhaustion against any Go binary using SSH transport. Second, the "ChatGPhish" pattern is maturing: attackers host malicious markdown on benign-looking third-party sites, then trick AI agents into fetching and rendering remote image and link payloads that perform zero-click credential harvesting. Third, deep-file memory corruption RCEs are burying executable markers tens of megabytes inside seemingly benign uploads, well past the shallow header windows most scanners inspect. Fourth, supply-chain attacks have moved into mid-tier dependencies, bypassing small static blocklists that only cover the most famous package names.

What 1-SEC Hardened From This Cycle

We responded with a focused, architecture-respecting hardening pass. Same single binary. Same 16 modules. No new cloud services, no auxiliary scanners, no extra runtime dependencies. The goal was to close the exact gaps the report surfaced while preserving the operating model customers rely on: deterministic local detection, bounded memory behavior, and a dependency footprint they can audit.

Go Cryptography Dependency Patching

The engine itself was running the vulnerable versions. We bumped golang.org/x/crypto to v0.52.0 and golang.org/x/sys to v0.45.0, the current secure patch releases, and re-ran the full regression matrix. That removes the SSH framing overflow, FIDO bypass, and constraint-stripping surface from the 1-SEC binary itself. For operators, this is a silent win: the engine now protects against the same class of abuse it was previously susceptible to, with no configuration change required.

SSH Protocol Exhaustion Detection in the Rust Sidecar

Network Guardian already tracks flow metadata, but it does not dissect SSH binary framing. The Rust sidecar now performs active port-22 tracking: per-flow payload accumulation and packet-rate heuristics inside a one-second rolling window. If a single SSH flow exceeds 262KB of payload or sends more than 50 packets in one second, the sidecar flags it as ssh_oversized_frame or ssh_channel_exhaustion and signals the Go core to drop the connection. This covers the resource-exhaustion variants of the Go crypto CVEs without requiring full SSH protocol parsing or new crate dependencies.
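
The rolling-window heuristic described above, as an added sketch that is not 1-SEC's sidecar code. The article says the sidecar is Rust; Go is used here so that every added example on this page shares one language. The `FlowTracker` type, the reading of 262KB as 262,144 bytes, and the assignment of each label to a limit are assumptions.

```go
package main

import (
	"fmt"
	"time"
)

// Limits and labels come from the article; the 262,144-byte reading and the
// label-to-limit mapping are assumptions.
const (
	maxWindowBytes   = 262144
	maxWindowPackets = 50
)

type pkt struct {
	at   time.Time
	size int
}

// FlowTracker holds what one port-22 flow sent during the last second.
type FlowTracker struct {
	pkts  []pkt
	bytes int
}

// Observe records one payload and returns a verdict label ("" = within limits).
func (f *FlowTracker) Observe(at time.Time, size int) string {
	cut := 0 // evict packets that have left the one-second rolling window
	for cut < len(f.pkts) && at.Sub(f.pkts[cut].at) >= time.Second {
		f.bytes -= f.pkts[cut].size
		cut++
	}
	f.pkts = append(f.pkts[cut:], pkt{at, size})
	f.bytes += size
	switch {
	case f.bytes > maxWindowBytes:
		return "ssh_oversized_frame"
	case len(f.pkts) > maxWindowPackets:
		return "ssh_channel_exhaustion"
	}
	return ""
}

func main() {
	var f FlowTracker
	for i := 0; i <= 50; i++ { // constructed burst: 51 packets, 1 ms apart
		if v := f.Observe(time.Unix(0, int64(i)*1e6), 64); v != "" {
			fmt.Println("drop flow:", v)
		}
	}
}
```

A real deployment would keep one tracker per flow tuple and discard it when the connection closes or is dropped.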

Contextual Taint Tracking for ChatGPhish Markdown Poisoning

LLM Firewall now subscribes to agent_web_fetch, agent_markdown_ingest, and llms_txt_access events. When an agent fetches external web content, the session is marked with a WebContextFetch taint. If a subsequent llm_output event from the same session contains external markdown image or link syntax pointing to non-localhost URLs, the engine fires an ASI-Markdown-Poisoning alert at CRITICAL severity. This closes the zero-click exfiltration window where an agent blindly renders attacker-controlled markdown into the user's frontend.
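
The taint-then-check flow described above, as an added example that is not 1-SEC's code. The `Event` and `Firewall` types, the regular expression, and the set of hosts treated as local are assumptions; the event names and alert name are the ones given in the article.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
)

// mdTarget matches ![alt](url) and [text](url) and captures the URL.
var mdTarget = regexp.MustCompile(`!?\[[^\]]*\]\(\s*<?([^)\s>]+)`)

// Event types that taint a session, and hosts treated as local.
var (
	tainting = map[string]bool{"agent_web_fetch": true, "agent_markdown_ingest": true, "llms_txt_access": true}
	local    = map[string]bool{"localhost": true, "127.0.0.1": true, "::1": true}
)

// Event is a hypothetical shape for the engine's bus messages.
type Event struct{ Type, Session, Body string }

// Firewall remembers which sessions carry the WebContextFetch taint.
type Firewall struct{ tainted map[string]bool }

func NewFirewall() *Firewall { return &Firewall{tainted: map[string]bool{}} }

// Handle returns the markdown targets that warrant an ASI-Markdown-Poisoning alert.
func (fw *Firewall) Handle(e Event) []string {
	if tainting[e.Type] {
		fw.tainted[e.Session] = true
		return nil
	}
	if e.Type != "llm_output" || !fw.tainted[e.Session] {
		return nil
	}
	var hits []string
	for _, m := range mdTarget.FindAllStringSubmatch(e.Body, -1) {
		u, err := url.Parse(m[1])
		if err == nil && (u.Host == "" || local[u.Hostname()]) {
			continue // no remote host (relative path) or a localhost target
		}
		hits = append(hits, m[1]) // unparseable targets are flagged as well
	}
	return hits
}

func main() {
	fw := NewFirewall()
	fw.Handle(Event{"agent_web_fetch", "s1", ""}) // constructed session "s1"
	fmt.Println(fw.Handle(Event{"llm_output", "s1", "![s](https://tracker.example/p.png?d=abc)"}))
}
```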

16KB Sliding-Chunk Deep-Buffer Inspection

Injection Shield and the Rust sidecar previously capped binary inspection at a 2048-byte header window. That is no longer the only line of defense. The Rust sidecar now scans TCP payloads larger than 2KB in overlapping 16KB chunks, searching for ELF, PE, and 7zXZ executable signatures buried deep inside large files or datastreams. The chunks overlap by 16 bytes so boundary-crossing signatures are not missed. For customers, this means a 50MB upload with shellcode at byte offset 25 million is now inspectable without loading the entire payload into memory.
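
The overlapping-window scan described above, as an added sketch that is not 1-SEC's sidecar code (the sidecar is Rust; Go is used here to match the other added examples). The magic byte values are assumptions, since the article names only the formats, and `ScanStream` is a hypothetical name.

```go
package main

import (
	"bytes"
	"fmt"
	"io"
)

const chunkSize = 16 * 1024 // scan window size from the article
const overlap = 16          // bytes shared by consecutive windows

// Magic values are assumptions; the article names only the formats.
var sigs = map[string]string{"ELF": "\x7fELF", "PE": "MZ\x90\x00", "7zXZ": "\xfd7zXZ\x00"}

// ScanStream scans r through one fixed 16KB buffer and maps each absolute
// offset where a signature starts to that signature's name.
func ScanStream(r io.Reader) (map[int64]string, error) {
	hits := map[int64]string{}
	buf := make([]byte, chunkSize)
	var base int64 // absolute offset of buf[0]
	carried := 0   // bytes at the front of buf kept from the previous window
	for {
		n, err := io.ReadFull(r, buf[carried:])
		win := buf[:carried+n]
		for name, magic := range sigs {
			for i := 0; ; i++ {
				j := bytes.Index(win[i:], []byte(magic))
				if j < 0 {
					break
				}
				i += j
				hits[base+int64(i)] = name // a repeat seen in the overlap lands on the same key
			}
		}
		if err == io.EOF || err == io.ErrUnexpectedEOF {
			return hits, nil // end of stream
		}
		if err != nil {
			return hits, err
		}
		copy(buf, win[chunkSize-overlap:]) // carry the tail so boundary-crossing magic is seen whole
		base += chunkSize - overlap
		carried = overlap
	}
}

func main() {
	data := append(bytes.Repeat([]byte{'A'}, 16382), "\x7fELF"...) // constructed payload
	fmt.Println(ScanStream(bytes.NewReader(data)))
}
```

The overlap only needs to be at least one byte shorter than the longest signature, so 16 bytes covers every pattern used here while memory stays fixed at one window regardless of payload size.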

PDF FlateDecode Stream Hardening

The LLM Firewall multimodal scanner already decompressed PDF FlateDecode streams using Go's standard compress/flate and compress/zlib libraries. We widened the detection window from 512 bytes to 2048 bytes before each stream so the stream dictionary containing /FlateDecode is found more reliably, even in documents with verbose metadata or nested object references. The decompressed plaintext is then fed through the existing hidden-content and prompt-injection regex checks.
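
Why the look-back size matters, shown as an added example that is not 1-SEC's scanner code. `InflateStreams` is a hypothetical function, the 1 MiB output cap is an assumption, and the sample PDF fragment is constructed.

```go
package main

import (
	"bytes"
	"compress/zlib"
	"fmt"
	"io"
)

// InflateStreams inflates each stream whose dictionary, searched in the
// `window` bytes before the "stream" keyword, names /FlateDecode.
func InflateStreams(pdf []byte, window int) [][]byte {
	var out [][]byte
	for pos := 0; ; {
		i := bytes.Index(pdf[pos:], []byte("stream"))
		if i < 0 {
			return out
		}
		start := pos + i
		pos = start + len("stream")
		head := pdf[:start]
		if bytes.HasSuffix(head, []byte("end")) {
			continue // this is the "endstream" keyword
		}
		if len(head) > window {
			head = head[len(head)-window:]
		}
		if !bytes.Contains(head, []byte("/FlateDecode")) {
			continue // filter name lies outside the look-back window
		}
		raw, _, _ := bytes.Cut(bytes.TrimLeft(pdf[pos:], "\r\n"), []byte("endstream"))
		zr, err := zlib.NewReader(bytes.NewReader(raw))
		if err != nil {
			continue
		}
		// The 1 MiB cap (an assumption) bounds memory against inflate bombs.
		plain, _ := io.ReadAll(io.LimitReader(zr, 1<<20))
		out = append(out, plain)
	}
}

func main() {
	var z bytes.Buffer
	w := zlib.NewWriter(&z)
	w.Write([]byte("hidden text")) // constructed stream content
	w.Close()
	pdf := "<< /Filter /FlateDecode >>\nstream\n" + z.String() + "\nendstream"
	fmt.Printf("%q\n", InflateStreams([]byte(pdf), 2048))
}
```

With a dictionary padded by more than 512 bytes of metadata between `/FlateDecode` and `stream`, a call with `window` set to 512 returns nothing while 2048 recovers the plaintext for the downstream regex checks.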

Supply Chain Baseline Expansion and Typosquat Accuracy

Supply Chain Sentinel's static typosquat baseline grew from roughly 70 packages to roughly 300, covering the most popular NPM and PyPI names where mid-tier dependency attacks now concentrate. We also fixed an exact-match bypass bug in the Levenshtein checker: packages that are legitimately present in the baseline are now returned as safe immediately, instead of being falsely flagged against other similar names in the expanded list. The CI/CD install-hook heuristics for preinstall and postinstall abuse via curl, wget, base64, eval, and shell handoff patterns remain active and unchanged.
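
The exact-match fix described above, as an added example that is not Supply Chain Sentinel's code. The five-name baseline is constructed, and the distance threshold of 2 and the pre-fix code path are assumptions made to reproduce the behaviour the article describes.

```go
package main

import "fmt"

// Constructed mini-baseline; the article's real list holds roughly 300 names.
var baseline = []string{"react", "preact", "requests", "lodash", "express"}

// levenshtein returns the byte-wise edit distance between a and b.
func levenshtein(a, b string) int {
	prev, cur := make([]int, len(b)+1), make([]int, len(b)+1)
	for j := range prev {
		prev[j] = j
	}
	for i := 1; i <= len(a); i++ {
		cur[0] = i
		for j := 1; j <= len(b); j++ {
			d := prev[j-1] // substitution, free when the bytes match
			if a[i-1] != b[j-1] {
				d++
			}
			if prev[j]+1 < d {
				d = prev[j] + 1 // deletion
			}
			if cur[j-1]+1 < d {
				d = cur[j-1] + 1 // insertion
			}
			cur[j] = d
		}
		prev, cur = cur, prev
	}
	return prev[len(b)]
}

// Check returns the baseline name that `name` appears to imitate, or "" if safe.
// The threshold of 2 and the exactFirst=false (pre-fix) path are assumptions.
func Check(name string, exactFirst bool) string {
	near := ""
	for _, known := range baseline {
		if exactFirst && name == known {
			return "" // legitimate baseline member: safe immediately
		}
		if d := levenshtein(name, known); near == "" && d > 0 && d <= 2 {
			near = known
		}
	}
	return near
}

func main() { fmt.Printf("before=%q after=%q\n", Check("preact", false), Check("preact", true)) }
```

The larger the baseline grows, the more legitimate names sit within a small edit distance of each other, which is why the exact-match exit matters more at 300 names than it did at 70.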

Architecture Posture After This Drop

The implementation stayed inside the core 1-SEC design: sixteen Go modules, one optional Rust sidecar, deterministic local detection, and no expansion of the runtime dependency footprint. The Go changes used only the standard library and existing project dependencies. The Rust changes used only the existing Tokio, pcap, etherparse, regex, and aho-corasick crates—no new crates were added. The full Go test suite passed across all 18 module suites, and the Rust sidecar passed its no-default-features regression matrix including new tests for large-payload chunking and SSH flow tracking.

Dependency Health and Audit Summary

The report found two matching Go dependency advisories: golang.org/x/crypto at v0.50.0 and golang.org/x/sys at v0.43.0. Both were patched in this cycle. No other engine dependencies carried matching CVEs. The vulnerability intelligence pipeline itself remains available in the main repository: it introspects the Go modules, Rust sidecar, and core engine, scrapes 12 live sources, cross-references them against real detection coverage, and produces both a markdown report and a structured action manifest. This run produced 5 action items, all of which were implemented in the same hardening cycle.

Why This Cycle Matters Right Now

The broader lesson is that attacker tradecraft is converging on two places: the cryptography primitives teams assume are safe because they are "standard," and the agent trust surfaces teams assume are safe because they are "convenient." Both assumptions are becoming expensive. A vulnerable crypto library underneath your security engine is not a theoretical concern—it is a direct compromise path. An AI agent that blindly fetches and renders external markdown is not a usability feature—it is a zero-click exfiltration channel.

Behavioral coverage is the antidote. You do not need a separate kernel module, a cloud AI service, or a fleet of companion scanners to catch these patterns. You need the existing engine to understand what abnormal looks like at each layer—network framing, document compression, agent session taint, deep binary structure, and package installation behavior—and to say no quietly and deterministically. This release pushed 1-SEC further in that direction.
