news newest ask show jobs

Made with ♥ by @iamnishanth

Open Source @Github

fp.

Open in hackernews

MCP Breach-to-Fix Labs – 9 Dockerized Agent Exploits (RCE, Injection)

https://github.com/PawelKozy/mcp-breach-to-fix-labs

1•PawelKozy•30m ago

Comments

PawelKozy•29m ago

OP here.

With the release of Anthropic's MCP, I realized we are effectively creating API endpoints that accept natural language as input, but I couldn't find many practical resources on the security implications.

I built this repo to move beyond theory. It contains 9 Dockerized labs covering vulnerabilities I’ve seen in the wild, including:

Indirect Prompt Injection (via GitHub Issues) Tool Output Poisoning (The 'Rug Pull') Filesystem Traversal (CVE-2025–53110)

Each lab has a 'Vulnerable' and 'Secure' implementation so you can diff the code to see the fix.

I wrote a longer breakdown of the philosophy here if interested: https://medium.com/@kozielpawe/when-agents-get-tools-10-mcp-...

Happy to answer questions about agent security.

ServiceNow Acquires Veza's Leading AI-Native Identity Security Platform

https://newsroom.servicenow.com/press-releases/details/2025/ServiceNow-to-Expand-Security-Portfol...

1•bobbiechen•2m ago•0 comments

Face transplants promised hope. Patients were put through the unthinkable

https://www.theguardian.com/science/2025/nov/27/face-transplant-patients-results-outcomes

1•binning•2m ago•0 comments

Pilar galleon artifacts reveal what CHamorus treasured

https://www.postguam.com/lifestyle/local/pilar-galleon-artifacts-reveal-what-chamorus-really-trea...

1•sipofwater•3m ago•1 comments

Statement from the American Economic Association

https://www.aeaweb.org/news/aea-statement-dec-2-2025

1•xqcgrek2•4m ago•0 comments

The three-party identity problem in MCP servers

https://reducibl.com/2025/12/01/the-three-party-identity-problem-in-mcp-servers.html

1•davidcrowe•5m ago•0 comments

Ask HN: What did onboarding training look like in OS kernel teams?

3•markus_zhang•7m ago•1 comments

Bending Spoons Acquires EventBrite

https://www.inc.com/ava-levinson/eventbrite-just-announced-its-acquisition-agreement/91273082

2•fairity•7m ago•0 comments

Beloved soccer coach Dickson loses son to suicide

https://www.postguam.com/sports/local/beloved-soccer-coach-dickson-loses-son-to-suicide/article_9...

2•sipofwater•7m ago•1 comments

Ipproto_ICMP sockets for unprivileged ping on Linux

https://lwn.net/Articles/420800/

1•fanf2•8m ago•0 comments

Apple to resist India order to preload state-run app as political outcry builds

https://www.reuters.com/sustainability/boards-policy-regulation/apple-resist-india-order-preload-...

4•coloneltcb•9m ago•0 comments

Encountering Japanese Ellipses in English Translations

https://legendsoflocalization.com/articles/japanese-ellipsis-usage/

1•tosh•10m ago•0 comments

Monotype accused of overcharging Japanese devs for Japanese language fonts

https://www.gamedeveloper.com/business/american-company-is-overcharging-japanese-devs-for-japanes...

1•AJ007•12m ago•0 comments

Show HN: I built a simple trust portal because the existing ones were too much

https://www.simpletrustportal.com

1•cadence-•13m ago•0 comments

Show HN: The Almanac – Generate Wikipedia-style biographies of anyone

https://www.thealmanac.ai/

2•reveriedev•13m ago•0 comments

Prove It All Night: With no fame or fortune, what keeps a band onstage? (1999)

https://chicagoreader.com/news/prove-it-all-night/

1•NaOH•13m ago•0 comments

What Is a Bomb Cyclone? Why This Winter Storm Doesn't Qualify

https://www.scientificamerican.com/article/what-is-a-bomb-cyclone-why-this-winter-storm-doesnt-qu...

1•quapster•15m ago•0 comments

MillenniumPrizeProblemBench Stress-testing AI on the hardest math we know

https://mppbench.com/

1•kelseyfrog•15m ago•0 comments

Show HN: Docmd v0.3 – Static documentation generator (built-in search, no React)

https://github.com/mgks/docmd

2•enigmazi•16m ago•0 comments

EmacsConf 2025

https://emacsconf.org/2025/

2•birdculture•18m ago•0 comments

Postgres 18: Skip Scan – Breaking Free from the Left-Most Index Limitation

https://www.pgedge.com/blog/postgres-18-skip-scan-breaking-free-from-the-left-most-index-limitation

1•pgedge_postgres•19m ago•0 comments

Snapit: Snapshot Testing for C

https://mattjhall.co.uk/posts/snapit-snapshot-testing-for-c.html

2•mattjhall•19m ago•0 comments

Show HN: Give your customers pricing clarity, especially the enterprise ones

1•phil611•20m ago•0 comments

Annotator.js: library to easily add annotation functionality to any webpage

http://annotatorjs.org

1•klaussilveira•22m ago•0 comments

UK ministers aim to ban cryptocurrency political donations over anonymity risks

https://www.theguardian.com/politics/2025/dec/02/cryptocurrency-political-donations-uk-ban-electi...

5•chrisjj•23m ago•0 comments

Show HN: Davia – A Visual Wiki, Generated by Your Coding Agent (Open-Source)

https://www.npmjs.com/package/davia

4•ruben-davia•25m ago•0 comments

Teaching AI to Spot Fake Xkcd Comics with DSPy and GEPA (Part 1)

https://danprice.ai/blog/xkcd-dspy-gepa

1•halfprice06•25m ago•0 comments

Higher Education and AI: Some Musings

https://bastian.rieck.me/blog/2025/education/

2•speckx•27m ago•0 comments

US Apartment rents drop further, with vacancies at record high

https://www.cnbc.com/2025/12/02/apartment-rents-vacancies-november.html

2•toomuchtodo•27m ago•0 comments

AlphaFold – Interview with dr John Jumper by "two minute papers" [video]

https://www.youtube.com/watch?v=Vhcwjzeukts

1•perakojotgenije•29m ago•0 comments

MCP Breach-to-Fix Labs – 9 Dockerized Agent Exploits (RCE, Injection)

https://github.com/PawelKozy/mcp-breach-to-fix-labs

1•PawelKozy•30m ago•1 comments