The security assumption every AI team gets wrong: "As long as trust_remote_code=False is set, we are safe." ❌
We put that to the test. What we uncovered is a critical RCE vulnerability in @huggingface Transformers (CVE-2026-4372) that completely bypasses this control.
A thread on how a routine model load turns into complete environment compromise 👇
1/3 🔍 The Exploit & Scale
By abusing model configuration fields, an attacker can embed a malicious payload inside a configuration file. It executes arbitrary code even with remote code disabled.
The affected versions were downloaded over 232M times while live.
2/3 🚨 The Risk
Successful exploitation means full environment compromise—exposing cloud credentials, API keys, source code, and proprietary datasets.
Impacts Transformers versions 4.56.0 through 5.2.x.
3/3 🛡️ Remediation
• Upgrade to version 5.3.0 immediately.
• Audit previously downloaded model configurations.
• Move beyond checkbox security—static ecosystem flags aren't enough.
Kudos to the Hugging Face team for the quick patch collaboration.
👇 Full technical breakdown link in the replies!
Last time, we published ClaudeSec - our security-first hub for the Claude ecosystem.
Now, CopilotSec is officially LIVE.
A new community knowledge hub for security of the Microsoft AI ecosystem, powered by Pluto.
Ever wanted a single place to understand what Microsoft AI connectors actually do?
Wondered which ones are high-risk?
Trying to figure out how to securely deploy Copilot Studio, agents, MCP servers, or AI workflows in production?
That’s exactly why we built CopilotSec.
Inside you’ll find:
1,718 Microsoft ecosystem connectors mapped by capability and risk
Security guides for Copilot Studio and Microsoft AI deployments
Curated security updates and findings that actually matter to security teams
Built for practitioners. Open to everyone.
Give it a try and let us know what you think!
Link in the first comment 👇
Someone finally built a security database for the Claude ecosystem.
It's called ClaudeSec, and Pluto Security just launched it for free.
Here's the gap it fills => 53 new Claude connectors shipped in the last 30 days. Your security team reviewed zero of them. Someone on your team authorized at least one.
Most enterprises adopting Claude have no process to evaluate connectors before authorization.
ClaudeSec tracks 384 connectors. 103 flagged high risk. That's around 27% of the ecosystem.
Every entry shows:
→ What capabilities the connector actually has
→ What tools it exposes to the model
→ Why it's rated risky
→ Source-code findings where they did the review
Security guides are live for Claude Managed Agents and Cowork. Real configuration - policies, hooks, permission scopes, allow/deny rules.
The Cowork guide is the one Enterprise teams need to read first.
Cowork runs code, browses with real user sessions, and operates unattended. The architecture is solid, gVisor sandbox, layered network controls. But Cowork activity is excluded from Audit Logs, the Compliance API, and Data Exports. All plan tiers. Including Enterprise.
Your visibility tools don't see what Cowork is doing.
Claude Code and Office Agents guides ship next.
The curated news feed flags CVEs and incidents as they happen. The window between a connector being compromised and detection is roughly 3 hours. The feed is built around that window.
Read here:
ClaudeSec: claudesec.pluto.security
Launch blog: pluto.security/blog/introduci…
Cowork teardown: pluto.security/blog/claude-co…
Thanks to @pluto_security for supporting this post.
@sama @VampireGurlAI Big move. Most enterprises are still figuring out how to govern the AI they already have. Now they need to secure what's securing them too.
@AnthropicAI Opening up bug bounties is the right call. Finding the vulnerability is step one. The harder question is what happens in production before anyone finds it.
ClaudeSec is officially LIVE!
Meet the new security-first hub for the Claude ecosystem, powered by @pluto_security.
❓Always yearned for a unified search of all existing extensions?
❓Ever wondered which ones are flagged as high-risk?
❓Dreaming of knowing how to deploy safely with Claude?
All of this (and more) is now waiting for you on our new planet.
Give it a go and let us know in the comments what you thought!
Link in the first comment.
Our research team disclosed CVE-2026-33032, a critical CVSS 9.8 vulnerability in nginx-ui that exposed over 500K users to full server takeover through a single unauthenticated request. No credentials. No exploit chain. Actively exploited in the wild.
The root cause: MCP endpoints that inherit an application's full capabilities but skip its security controls entirely.
The pattern is clear - and it's only getting more common as agentic workflows connect deeper into enterprise workspace infrastructure.
Most security teams have no visibility into what MCP servers are running in their environment, no inventory of the endpoints they're exposing, and no way to enforce it.
Full breakdown → lnkd.in/dmbkkQAp
As covered by The Hacker News → lnkd.in/gWTZt4e4