Jashid Sany
Security researcher and red teamer. I work at the intersection of Windows internals, malware development, and the emerging attack surface of AI coding tools.
Background
I build offensive tooling and publish original security research. My work covers the full stack: low-level PE parsing and DLL hijacking in C, command injection RCEs in production web services, and the trust boundary failures and prompt injection primitives that show up in agentic developer tools like Claude Code and Windsurf.
I grounded myself in the fundamentals first: rooting HackTheBox machines, writing Python enumeration tooling for Windows and Linux, and parsing PE binaries from scratch in C. That grounding shapes how I approach the rest. I treat modern AI agents the same way I would treat any under-audited target. Read the source, map the trust boundaries, find where they break, and write up the finding end to end with reproducible PoCs.
When a finding has broader ecosystem implications, I turn it into a research paper.
Alongside the research, I run Advent Cybersecurity, a Virginia-based consultancy offering penetration testing, red team engagements, and security architecture review.
Currently Researching
Mapping the attack surface of agentic AI coding tools: Claude Code, Windsurf Cascade, and Claude Desktop. Focus areas: MCP trust models, indirect prompt injection, permission-bypass chains, and enterprise risk posture for regulated environments.
Seven published findings so far across Claude Code and Windsurf, plus two research papers.
Disclosed Vulnerabilities
- DLL Hijacking in CactusViewer v2.3.0 (CWE-427). Arbitrary code execution via insecure DLL load order.
- OS Command Injection RCE in iOS-remote (CWE-78). Unsanitized subprocess call in a Flask app yields remote code execution.
- Unauthenticated RCE as Root in docker-wkhtmltopdf-aas (CWE-78). A single HTTP request to root inside the container.
AI Coding Tool Security Research
- Claude Code Findings 1 to 5. MCP silent command execution, blanket trust escalation, confirmation prompt misrepresentation, remote session hijacking, and permission deny bypass via script write and execute.
- Windsurf Findings 1 and 2. Overly permissive Cascade agent bypassing auto execution controls, and indirect prompt injection with credential exfiltration via GitHub Gists.
Papers
- Trust Boundary Failures in AI Coding Agents. Empirical analysis of MCP configuration attacks in Claude Code, with enterprise defensive architecture recommendations.
- Enterprise Risk Assessment: Claude Desktop and Cowork. Risk model for deploying AI-assisted tooling in regulated environments. DOI: 10.5281/zenodo.19024890.
Open-Source Tools
- Windows PE file parser. Parses DOS and NT headers and sections, displays entry point, image base, and architecture.
- Windows and Active Directory enumeration tool built for pentest operations and OSCP-style engagements.
- Automated Linux system enumeration for offensive security assessments.
- PNG-based steganography tool for embedding and extracting binary payloads using LSB techniques.
- Proof-of-concept for the DLL hijacking vulnerability in CactusViewer v2.3.0.
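The header walk a PE parser like the one listed above performs, as an added example written for this page (my own code, not the author's tool): it reads the DOS header, follows e_lfanew to the NT signature, COFF header and optional header, and reports machine type, entry point RVA and image base for both PE32 and PE32+ layouts. Every offset is bounds-checked before use, which is the part that matters when the input is an untrusted sample. The input is a constructed minimal PE32+ header buffer built by `build_sample_pe32plus`, not a real binary; the struct and function names are my own.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Well-known constants from the PE/COFF specification. */
#define IMAGE_FILE_MACHINE_I386  0x014c
#define IMAGE_FILE_MACHINE_AMD64 0x8664
#define IMAGE_FILE_MACHINE_ARM64 0xAA64
#define OPT_MAGIC_PE32  0x10b
#define OPT_MAGIC_PE32P 0x20b

typedef struct {
    uint16_t machine;
    uint16_t num_sections;
    uint16_t opt_magic;
    uint32_t entry_point;   /* AddressOfEntryPoint, an RVA */
    uint64_t image_base;
    const char *arch;
} pe_info_t;

/* Little-endian readers: PE fields are LE regardless of host byte order. */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) { return (uint32_t)rd16(p) | ((uint32_t)rd16(p + 2) << 16); }
static uint64_t rd64(const uint8_t *p) { return (uint64_t)rd32(p) | ((uint64_t)rd32(p + 4) << 32); }

/* Returns 0 on success, a negative code on malformed or truncated input.
 * Hostile samples routinely carry e_lfanew or SizeOfOptionalHeader values
 * that point past the end of the file, so nothing is dereferenced unchecked. */
int pe_parse(const uint8_t *buf, size_t len, pe_info_t *out)
{
    if (len < 0x40 || buf[0] != 'M' || buf[1] != 'Z') return -1;   /* no DOS header */
    uint32_t e_lfanew = rd32(buf + 0x3C);
    if (e_lfanew > len || len - e_lfanew < 4 + 20) return -2;       /* NT headers out of range */
    const uint8_t *nt = buf + e_lfanew;
    if (memcmp(nt, "PE\0\0", 4) != 0) return -3;                     /* bad PE signature */
    const uint8_t *coff = nt + 4;
    out->machine      = rd16(coff + 0);
    out->num_sections = rd16(coff + 2);
    uint16_t opt_size = rd16(coff + 16);                             /* SizeOfOptionalHeader */
    const uint8_t *opt = coff + 20;
    size_t remaining = len - (size_t)(opt - buf);
    if (opt_size > remaining || opt_size < 32) return -4;            /* optional header truncated */
    out->opt_magic = rd16(opt);
    if (out->opt_magic == OPT_MAGIC_PE32P) {
        out->entry_point = rd32(opt + 16);
        out->image_base  = rd64(opt + 24);      /* 64-bit ImageBase directly after BaseOfCode */
    } else if (out->opt_magic == OPT_MAGIC_PE32) {
        out->entry_point = rd32(opt + 16);
        out->image_base  = rd32(opt + 28);      /* BaseOfData sits at +24, ImageBase at +28 */
    } else {
        return -5;                               /* unknown optional header magic */
    }
    switch (out->machine) {
    case IMAGE_FILE_MACHINE_I386:  out->arch = "x86";     break;
    case IMAGE_FILE_MACHINE_AMD64: out->arch = "x64";     break;
    case IMAGE_FILE_MACHINE_ARM64: out->arch = "arm64";   break;
    default:                       out->arch = "unknown"; break;
    }
    return 0;
}

/* Little-endian writers used only to construct the sample input. */
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v & 0xff); p[1] = (uint8_t)(v >> 8); }
static void wr32(uint8_t *p, uint32_t v) { wr16(p, (uint16_t)(v & 0xffff)); wr16(p + 2, (uint16_t)(v >> 16)); }
static void wr64(uint8_t *p, uint64_t v) { wr32(p, (uint32_t)v); wr32(p + 4, (uint32_t)(v >> 32)); }

/* Constructed minimal PE32+ header (not a real executable): DOS header with
 * e_lfanew = 0x40, PE signature, COFF header, 240-byte optional header.
 * Returns bytes written, or 0 if the buffer is too small. */
size_t build_sample_pe32plus(uint8_t *buf, size_t cap)
{
    const size_t total = 0x40 + 4 + 20 + 240;
    if (cap < total) return 0;
    memset(buf, 0, total);
    buf[0] = 'M'; buf[1] = 'Z';
    wr32(buf + 0x3C, 0x40);                       /* e_lfanew */
    memcpy(buf + 0x40, "PE\0\0", 4);
    uint8_t *coff = buf + 0x44;
    wr16(coff + 0, IMAGE_FILE_MACHINE_AMD64);
    wr16(coff + 2, 3);                            /* NumberOfSections */
    wr16(coff + 16, 240);                         /* SizeOfOptionalHeader */
    uint8_t *opt = coff + 20;
    wr16(opt, OPT_MAGIC_PE32P);
    wr32(opt + 16, 0x1400);                       /* AddressOfEntryPoint (constructed value) */
    wr64(opt + 24, 0x140000000ULL);               /* ImageBase (constructed value) */
    return total;
}

int main(void)
{
    uint8_t buf[512];
    pe_info_t info;
    size_t n = build_sample_pe32plus(buf, sizeof buf);
    int rc = pe_parse(buf, n, &info);
    if (rc != 0) { printf("parse failed: %d\n", rc); return 1; }
    printf("arch=%s sections=%u entry=0x%x base=0x%llx\n",
           info.arch, info.num_sections, info.entry_point,
           (unsigned long long)info.image_base);
    return 0;
}
```

The same walk works on a file read into memory; the bounds checks are what keep a corrupted e_lfanew or oversized SizeOfOptionalHeader from turning a triage tool into an out-of-bounds read.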
Field Manuals
I maintain two reference works alongside the blog.
- The Offensive Security Field Manual. Commands, decision trees, and variable glossaries for time-pressured red team engagements.
- AI Security Reference. Research-backed reference on AI coding tool vulnerabilities, prompt injection primitives, and defensive architecture.
Contact
Open to research collaborations, responsible-disclosure coordination, and red team and offensive security engagements.
- GitHub: github.com/jashidsany
- LinkedIn: linkedin.com/in/jashidsany