toxsec.hashnode.dev

One Magic String from Anthropic Silences Claude (RAG DoS Exposed)
Feb 21 · 9 min read

Watch Me Poison Your MCP
TL;DR: I demo three MCP hacks. The first poisons an MCP tool description and gets the model to spill API keys. The second wraps a blocked payload in conversation JSON and watches the model comply. The screenshots are real. The fix isn't smarter model...
Feb 18 · 6 min read

F*ck Your Guardrails: Live Fire Prompt Injection
Four attack chains to hit system prompt theft, remote code execution, SSRF through agent tools, and weapons content bypass. Step by step with the exact payloads bug bounty hunters use. TL;DR: Four prompt injection chains that worked on flagship mode...
Feb 10 · 13 min read

PSA: Moltbot Is Wildly Insecure
TL;DR: Moltbot went viral last week. So did its attack surface. Hundreds of instances are sitting on Shodan with zero auth, leaking API keys, OAuth tokens, and full chat histories. One researcher extracted a private key via prompt injection in five m...
Jan 29 · 7 min read