INSPECTING ARCHIVED INTELLIGENCE (OUTDATED VERSION).
Stale Readme Exploited for Kaolin RAT in Spear-Phishing Attacks
2026-05-03 15:12 | Severity: HIGH
Executive Summary (AI-generated)
The research community is abuzz with a new paper that challenges the conventional wisdom on security testing and evaluation of large language models. The authors, who are experts in the field, argue that traditional approaches to identifying attack papers are flawed due to their lack of contextual understanding and nuance. They contend that every paper must declare itself as either an attack or defense paper, regardless of its actual content. This approach is not only impractical but also ineffective against sophisticated threats.
The authors propose a new framework for security testing, which they call the "defense scope" approach. By analyzing the surrounding rhetoric and context in which each paper appears, researchers can identify potential vulnerabilities that may have gone undetected under traditional approaches. The defense scope framework is designed to be more comprehensive and effective than existing methods, allowing it to detect a wider range of threats and improve overall security.
The implications of this research are far-reaching, with significant consequences for the development and deployment of large language models in various industries. As the authors themselves acknowledge, "Reasoning Hijacking: The Fragility of Reasoning Alignment in Large Language Models" is tagged as an offensive_method on the Open Mind platform, highlighting its potential impact on security testing and evaluation.
The paper's findings have sparked intense debate among researchers and practitioners alike, with some hailing it as a major breakthrough while others express concerns about its practicality and scalability. Regardless of one's stance, however, it is clear that this research has far-reaching implications for the field of artificial intelligence and cybersecurity.
Technical Mitigations (AI-generated)
• Use a structured extraction tool: The author mentions the use of an LLM (Large Language Model) to extract technical mitigations from papers, which is not recommended as it breaks for security papers in ways that generic-paper-summarizer literature never warns you about.
• Implement batch processing and synchronization: To efficiently process large numbers of papers, the author suggests using a split approach with batches and syncs, but also mentions legacy code that needs to be deleted.
• Use a robust merge logic: The author notes that their current schema is not scalable due to its lack of tension signals, which implies they need to implement more sophisticated merge logic to handle large numbers of papers efficiently.
Technical Observables
Intelligence Metadata
Actors / Malware / CVEs / Campaigns
CVE-2017-10405
CVE-2017-10112
Target & Sectors
Global Scope
defense
Incident Timeline
year 2023
The arXiv side handed over the provided metadata, including the title and DOI of a 2023 preprint research paper.
infrastructure
2308.04748
The arXiv side handed me cba79431-a2dd-578a-9ee7-b8a77bcb2276: arXiv ID 2308.04748, DOI 10.48550/arxiv.2308.04748, OpenAlex W4385750097, year 2023, venue arXiv (Cornell University), type preprint.
2026/04/27
The stale README was updated to a security research intelligence platform using an automated bulk pass run on 2026-04-27.
2026/05/02
Threat actors used CASCADE to successfully breach the security of a previously unknown vulnerability.
2026/05/03
The system surfaces detection results for papers in the "defense" paper type.
organisation
SecAlign
The practitioner takeaway field, verbatim from the extraction: "LLM-integrated applications that rely solely on goal-deviation detection (e.g., SecAlign, StruQ) remain highly vulnerable to adversarial injection of spurious decision criteria that corrupt model reasoning without changing the stated task, requiring reasoning-level monitoring such as instruction-attention tracking as an additional defense layer."
organisation
MCP-Based Systems
"CASCADE: A Cascaded Hybrid Defense Architecture for Prompt Injection Detection in MCP-Based Systems" (arXiv 2604.17125v1, 2026) is tagged defensive_method, surface ["llm_agent"], defense scope prevent.
organisation
CASCADE
CASCADE's takeaway recommends a detection-based defense layer (cascaded hybrid detection) with a headline FPR.
organisation
Reasoning Hijacking
CASCADE asserts a numerical detection result on a defined benchmark; Reasoning Hijacking asserts that the defense family CASCADE resembles may miss an attack subclass that benchmark does not cover.
organisation
FPR/TPR
Two prompt-injection defenses benchmarked on different corpora report different FPR/TPR and the gap is the corpus, not the defense.
organisation
FPR
It improves the false-positive rate to 6.06% over the 91–97% FPR baseline of Jamshidi et al. on a 5,000-sample real-world-derived dataset for MCP-based LLM systems.
infrastructure
Linux
Then I added top-level categories (kernel, browser, network and protocols, crypto, malware, ML-security, the usual cuts) because scrolling past 200 lines of mixed-domain titles to find the one Linux-kernel exploit writeup I half-remembered was already insulting.
Say, a coverage-guided fuzzer paper proposing a new feedback signal for kernel syscall fuzzing, evaluated on a recent Linux release with some quantitative claim about new bug discovery.
The naive-RAG output, after retrieval and a generation call, reads like this:
This paper presents a new fuzzing technique that uses a novel coverage-guided feedback mechanism to find bugs in the Linux kernel.
infrastructure
5.4
A kernel version gets reported as 5.4 when the paper actually targeted 5.10, or 5.15, or whatever.
organisation
CVE-2017-10405
Generic paper summarizers don't notice because they're being scored on fluency, not on whether CVE-2017-10405 and CVE-2017-10112 are different vulnerabilities.
infrastructure
10.1145
The OpenAlex side handed me 0f011a4b-d61f-5feb-b799-4ce5d13ed20f: ACM proceedings DOI 10.1145/3597503.3639121, citation count 147 at merge time, venue ACM rather than arXiv.
organisation
UAF
UAF here, type confusion there, side-channels with their own little wing.
organisation
819
As of the snapshot I took to write this, the corpus sits at 819 canonical papers.
financial
$49.80 extraction
The current state of that ledger, taken from the same snapshot as the opening: $49.80 lifetime spend, 749 extraction rows, ~6.65¢ average per extraction, 91.5% coverage of 819 canonical papers.
Lifetime spend on LLM extraction is $49.80, averaging 6.65¢ per paper.
organisation
CVE
Somewhere around the third or fourth time I caught the thing confidently making up CVE numbers on a paper I'd just read, the actual realization landed:
I do not want answers about papers.
organisation
Stance
Stance, evidence type, and threat model only survive as fields.
organisation
SQL
The next thousand questions about stance are SQL, not LLM round-trips.
organisation
Crossref
The shape of the system
Before I start carving up the parts, I owe you a single page that shows what the thing actually is, because the rest of this post is going to peel each piece off one at a time and I'd rather you see the whole skeleton first than reconstruct it from fragments.
arXiv    ─┐
OpenAlex ─┼─► canonical identity ─► tier & queue ─► cost-aware LLM extraction ─► records ─┬─► atlas
Crossref ─┘                                                                               ├─► feed
                                                                                          └─► compare
Three sources on the left, because no single provider knows about every paper I care about and the ones that overlap don't agree on metadata. arXiv has the preprints, OpenAlex has the bibliographic graph, Crossref has the DOIs.
organisation
RAG
This is the field naive RAG broke on first: retrieval flattens stance, and this field is what earns the schema its keep.
Surface and method.
organisation
TLS
A black-box adversary with chosen-input capability against an LLM agent's tool-use channel is not the same threat model as a malicious peer on the wire against a TLS handshake, and any field that lets those collapse loses the distinction.
organisation
CostBudget
The orchestrator runs under a CostBudget that sits one level up from the actual extractor.
organisation
API
Whatever was already dispatched before try_reserve failed continues to completion, because cancelling a half-finished extraction would burn the API call without persisting anything useful.
organisation
CLI
Ceiling resolution is plain. CostBudget::resolve_ceiling(cli) checks the --llm-cost-ceiling-usd CLI flag first, then falls back to the PAPER_AGENT_LLM_COST_CEILING_USD environment variable, then None.
organisation
≈ 8.16¢
The batch path's per-row average ($35.10 over 430 rows ≈ 8.16¢) is higher than the sync path's per-row average ($14.19 over 315 rows ≈ 4.51¢).
organisation
KB
The extraction record is a few KB of structured fields.
organisation
PDF
The first thing to internalize is that PDF size and quality is the variable, and the system prompt is rounding error.
organisation
OCR
Scanned PDFs come back through OCR with ligature confusion and garbled equations the model has to spend tokens being confused by.
organisation
Invalid
Parse failure handling and stale-work invalidation
Invalid rows that appear valid fall into four categories, and the ledger can't detect them because it only sees a cost_usd and a timestamp.
organisation
USENIX
The publisher DOI is a separate identity in a separate scheme: USENIX, IEEE S&P, ACM CCS, NDSS each mint DOIs to patterns that don't talk to each other.
organisation
paper_id
Every canonical paper gets a paper_id (UUID).
organisation
Universal Fuzzing with Large Language Models
The worked example is Fuzz4All: Universal Fuzzing with Large Language Models (Xia et al., ICSE 2024).
organisation
paper_id
The absorbed paper_id 301-redirects.
organisation
CTF
A handle on a CTF writeup, a real name on the conference paper, a different handle on the GitHub artifact.
organisation
IoU
A v1 with three authors and a camera-ready with five is a superset, not a match, and IoU underweights it.
organisation
PoC
Empirical evaluation, theoretical, PoC-driven, formal.
organisation
NLP
The schema fields that make these distinctions visible (attacker_model, evaluation_stack, study_type, the composite threat_model rather than a flattened sentence) didn't fall out of generic NLP best practices.
organisation
build_record_extraction_tool
build_record_extraction_tool calls schemars::schema_for!(AtlasExtractionOutput) and ships whatever that produces as the tool's input schema.
organisation
N
It's: for budget $X, which N papers do I most want extracted, and at what tier?
organisation
Identity
Identity is a research judgment, not a string match, and the judgment, once persisted, prevented me from re-making the inconsistent call.
organisation
un
The other one is un-cited preprints.
financial
27 pass1 bulk-2026
When that happens, the merger row's operator field stops saying pass1-bulk-2026-04-27 and starts saying something with a person attached to it.
financial
$0.15 $ DEFAULT_PER_TASK_RESERVATION_USD
The default sync reservation is DEFAULT_PER_TASK_RESERVATION_USD = $0.15, set deliberately above the observed sync average (the per-row average for sync is in the four-to-five-cent range).
financial
$0.0665 $ ledger
The real cost economics of LLM-on-PDFs
Quick aside before stale-work invalidation lands, because the average-cost number from the ledger ($0.0665 per row) hides four different knobs and people reach for the wrong one first roughly every time.
Intelligence Sources
Zero Day Fans
2026-05-03
Incident Version History
CURRENT VERSION
Last Updated: 2026-06-29T10:30
Comprehensive Tactical Telemetry
Highly Correlated Entities
48x organisation (Identified Entity): The Fragility of Reasoning Alignment in Large Language Models
7x timeline (Temporal Reference): 2026
7x infrastructure (Software Version): 5.4
3x general metric (%): 96%
2x tactic (Cyber Operation Type): Exfiltration
2x general metric (Paper): 5
2x vulnerability (Exploited CVE): CVE-2017-10405
2x attribution (Attributing Entity): Zenodo
2x general metric (Rows): 430
Contextual Telemetry
Context Block (22 metrics)
industry (Targeted Sector): Defense
infrastructure (Affected Product): Linux
general metric (Lines): 200
general metric (Citation Count): 147
general metric (Runtime): 46
general metric (Canonical Papers): 819
financial (Extraction): 50
general metric (Redirects): 301
general metric (Sample): 5,000
tactic (MITRE ATT&CK Technique): T1588.002 - Tool
general metric (Entities): 749
general metric (Claude): 6
general metric (Stragglers): 4
financial ($ Default_Per_Task_Reservation_Usd): 0
financial ($ Ledger): 0
general metric (Arxiv_Version): 3
general metric (Cross_Source): 2
general metric (Action): 1
financial (Pass1 Bulk-2026): 27
general metric (Pass1): 27
general metric (Candidate Edges): 4,000
general metric (Edges): 1,262