Trail of Bits used ML-centered threat modeling and adversarial testing to identify four prompt injection techniques that could exploit Perplexity’s Comet browser AI assistant to exfiltrate private Gmail data. The audit demonstrated how fake security mechanisms, system instructions, and user requests could manipulate the AI agent into accessing and transmitting sensitive user information.
Two popular AES libraries (aes-js and pyaes) provide dangerous default IVs that lead to key/IV reuse vulnerabilities affecting thousands of projects. One maintainer dismissed the issue, while strongSwan’s maintainer exemplified proper security response by comprehensively fixing the vulnerability in their VPN management tool.
Trail of Bits engineers contributed over 375 merged pull requests to more than 90 open-source projects in 2025, including significant work on Sigstore rekor-monitor, the Rust compiler and Clippy, pyca/cryptography’s ASN.1 API, hevm performance optimizations, PyPI Warehouse, and pwndbg.
We collaborated with the Sigstore community to build cryptographic agility into the software signing ecosystem, enabling organizations to use different signing algorithms while maintaining security through predefined algorithm suites and out-of-band configuration rather than dangerous in-band signaling.
We exploited a lack of isolation mechanisms in multiple agentic browsers to perform attacks ranging from the dissemination of false information to cross-site data leaks. These attacks resurface decades-old patterns of vulnerabilities that the web security community spent years building effective defenses against.
