@logangraham @AnthropicAI We posted our research on this same area last month and came to the same conclusion. Pre-Mythos class models, given adequate tooling, are more than capable of constructing n-day exploits. originhq.com/research/patch…
Do you know where your most expensive tokens are going?
Filter by model and find out. Every session in your org, grouped by the work it was actually doing.
Project plugins and startup hooks make coding agents extensible and quick to set up. We found that in Opencode, just opening the agent inside a hostile repo runs the repo's own code at startup, no command typed, before the model is even in the loop.
originhq.com/research/the-r…
An early look inside MXC, Microsoft's experimental OS-level sandbox for AI agents in recent Windows Preview builds.
New APIs, how folder-sharing grants the whole subtree beneath a path, and the blocklist quirk documented right in the source comments.
originhq.com/research/mxc-e…
Counting tokens is easy. Knowing what they bought is the part nobody had solved.
Origin reads every session across every provider and clusters them by the work itself, so the same task done by 3 engineers or 300 collapses into one topic. Spend attaches to the work, not the prompt.
The answer in the clip wasn't a one-off. Save it as a kernel and it becomes a live query: same chart, recomputed every time you open the board.
Claude Code's background sessions survive terminal close, managed by a new supervisor daemon. We used it to build a persistent C2 agent whose entire payload is natural language in a Markdown file, executed by the signed binary under the user's identity.
originhq.com/research/backg…
N-day exploits from Patch Tuesday used to require dedicated VR teams. @tyholms built the same workflow from off-the-shelf parts for ~$300 per CVE. The skill and resources gating this work are now within reach of any threat actor with a credit card.
originhq.com/blog/patch-dif…
Most security teams are spending the day pulling SBOMs, querying EDR, pinging engineering, and assembling a spreadsheet in response to the #TanStack supply chain compromise that dropped yesterday evening.
Our customers ran one prompt against their fleets in Origin. It swept every IOC across network traffic, files, lockfiles, and all AI agent activity on every endpoint, then returned the exact versions in use, the engineers running them, and any agent activity that touched them. They had answers in seconds, not hours. The screenshot below shows what our own internal query returned.
This is what full endpoint observability looks like on a day like today.
Last month we showed Claude Code's remote-control channel could be redirected to any server with one flag. Anthropic added a hardcoded domain allowlist as a fix. Because the allowlist lives in the client, the redirect still works. It just takes one more hop.
originhq.com/blog/reversing…
LLM agents are taking away our ability to make predictive claims about the behavior of software. The security industry is not ready for a world where "Why did my agent do that?" can only be answered on a system-by-system basis.
New on the blog: @michaelbarclay_ on the hidden supply chain behind every computer use agent. CLAUDE.md, skills, and MCP configs on disk compose its behavior at runtime, and a few lines in one of them can redirect a session in ways file telemetry can't see.
originhq.com/blog/protectin…
The endpoint is the execution environment for AI agents. It's where we trust them with our data and let them do real work on our behalf. Most orgs have no way to see which agents are running there or what they're doing, which is the gap endpoint observability closes.
originhq.com/blog/what-is-e…
Agent features don't need vulnerabilities to become tradecraft. They just need to be useful, installed, and exposed. Codex ships with a documented IPC surface for remote TUI sessions, and one bind flag turns a compromised endpoint into a remotely controlled agent.
originhq.com/blog/codex-on-…
ACP standardizes how editors talk to coding agents. It also standardizes how an adversary on a compromised endpoint talks to those same agents - prompts invisible to command line logging, permissions auto-granted without the flags defenders look for.
originhq.com/blog/acp-adver…
My research from last week on Claude Code's Remote Control protocol has landed in the latest release of Praxis C2 framework - try it out for yourself now!
github.com/originsec/prax…
Process argument spoofing has focused on modifying the PEB before a suspended process resumes. @jdu2600 traces what happens after and finds the initialization timeline has its own injection windows - ones that fire after the allow decision has already been made.
originhq.com/blog/post-star…
axios (100M weekly downloads) just got compromised by North Korean hackers via hidden dependency. LiteLLM backdoored on PyPI. tj-actions leaked secrets from 23K repos.
Same playbook every time: slip malicious code in, rely on nobody diffing v1.14.0 vs v1.14.1.
I built a fix. 🧵
Claude Code's remote control protocol lets developers orchestrate instances programmatically. @tyholms reverse engineered it and found an undocumented flag that redirects any instance to attacker-controlled infrastructure, silently bypassing all permission checks.
originhq.com/blog/reversing…