Trail of Bits

The Latest News and Information from Trail of Bits

The Trail of Bits Blog: recent content on The Trail of Bits Blog

  • Safer cold storage on Ethereum
    on September 5, 2025 at 11:00 am

    By using smart contract programmability, exchanges can build custody solutions that remain secure even when multisig keys are compromised.

  • Subverting code integrity checks to locally backdoor Signal, 1Password, Slack, and more
    on September 4, 2025 at 4:00 am

    A vulnerability in Electron applications allows attackers to bypass code integrity checks by tampering with V8 heap snapshot files, enabling local backdoors in applications like Signal, 1Password, and Slack.

  • Intern projects that outlived the internship
    on August 28, 2025 at 11:00 am

    Our business operations intern at Trail of Bits built two AI-powered tools that became permanent company resources—a podcast workflow that saves 1,250 hours annually and a Slack exporter that enables efficient knowledge retrieval across the organization.

  • Implement EIP-7730 today
    on August 27, 2025 at 11:00 am

    EIP-7730 enables hardware wallets to decode transactions into human-readable formats, eliminating blind signing vulnerabilities with minimal implementation effort for dApp developers.

  • Speedrunning the New York Subway
    on August 25, 2025 at 11:00 am

    We optimized the route for visiting every NYC subway station using algorithms from combinatorial optimization, creating a 20-hour tour that beats the existing world record by 45 minutes.

  • Weaponizing image scaling against production AI systems
    on August 21, 2025 at 11:00 am

    In this blog post, we’ll detail how attackers can exploit image scaling on Gemini CLI, Vertex AI Studio, Gemini’s web and API interfaces, Google Assistant, Genspark, and other production AI systems. We’ll also explain how to mitigate and defend against these attacks, and we’ll introduce Anamorpher, our open-source tool that lets you explore and generate these crafted images.

  • Marshal madness: A brief history of Ruby deserialization exploits
    on August 19, 2025 at 11:00 am

    This post traces the decade-long evolution of Ruby Marshal deserialization exploits, demonstrating how security researchers have repeatedly bypassed patches and why fundamental changes to the Ruby ecosystem are needed rather than continued patch-and-hope approaches.

  • Trail of Bits’ Buttercup wins 2nd place in AIxCC Challenge
    on August 9, 2025 at 2:30 pm

    Our team won the runner-up prize of $3M at DARPA’s AI Cyber Challenge, demonstrating Buttercup’s world-class automated vulnerability discovery and patching capabilities with remarkable cost efficiency.

  • Buttercup is now open-source!
    on August 8, 2025 at 4:00 am

    Now that DARPA’s AI Cyber Challenge (AIxCC) has officially ended, we can finally make Buttercup, our CRS (Cyber Reasoning System), open source!

  • AIxCC finals: Tale of the tape
    on August 7, 2025 at 4:00 am

    While the AIxCC winner has not yet been announced, differences in the finalists’ approaches show that there are multiple viable paths forward to using AI for vulnerability detection.
