Research
Research and disclosures.
Published work on AI agents, developer tools, infrastructure, and the places where an instruction turns into an action it should never have been allowed to take.
- Ideasagent economy · security operations · 2026

The Agent Economy: Who Commands The Fleet
An argument for understanding modern teams through the agent fleets they direct, and for treating authority and blast radius as the central security questions.
Authors: Eilon Cohen, Ziv Karliner - Researchn8n · sandbox escape · 2026

Zero Click Unauthenticated RCE in n8n: A Contact Form That Executes Shell Commands
A double-evaluation flaw in n8n Form nodes allowed attacker-controlled expressions to cross a public form boundary and reach unauthenticated shell execution.
Authors: Eilon CohenCVE-2026-27493 and CVE-2026-27577; over 50,000 potentially vulnerable forms identified - Threat researchAI coding tools · malvertising · 2026

AI Coding Tools Under Fire: Mapping the Malvertising Campaigns Targeting the Vibe Coding Ecosystem
A cross-ecosystem study mapped how attackers use advertisements, fake extensions, cloned sites, and malicious packages to target users of popular AI development tools.
Authors: Eilon CohenAt least 20 distinct campaigns documented between February 2025 and March 2026 - ResearchLLM supply chain · chat templates · 2026

Inference-Time Backdoors via Chat Templates: From LLM Supply Chains to Agentic System Compromise
Hidden instructions embedded in model chat templates created conditional inference-time backdoors that generalized across model families and inference engines.
Authors: Ariel Fogel, Omer Hofman, Eilon Cohen, Roman VainshteinEvaluated across 18 models, seven model families, and four inference engines - Threat researchLLMjacking · honeypots · 2026

Operation Bizarre Bazaar: First Attributed LLMjacking Campaign with Commercial Marketplace Monetization
Internet-facing honeypots exposed a coordinated supply chain that scanned, validated, and resold unauthorized access to LLM and Model Context Protocol infrastructure.
Authors: Eilon Cohen, Ariel Fogel35,000 attack sessions captured across the investigation - Researchprompt injection · Docker · 2025

Ask Gordon, Meet the Attacker: Prompt Injection in Docker's Built-in AI Assistant
Malicious instructions placed in trusted Docker Hub metadata steered Ask Gordon into invoking internal tools and sending sensitive results to an attacker-controlled service.
Authors: Eilon CohenResolved by Docker with human approval for sensitive and network-egressing tool calls - ResearchJava · denial of service · 2025

Skibidi Java: The Infinite Loop in Java Collections; Edge Case to Java Universal DoS
A language-level edge case in Java collection behavior turned ordinary object operations into infinite recursion and a reusable denial-of-service primitive.
Authors: Eilon Cohen - ResearchLLM security · web browsing · 2023

Hidden Dangers of LLM Web Browsing Technologies
A proof of concept showed how attacker-controlled web content could use encoded URLs to exfiltrate information through browsing-enabled language-model systems.
Authors: Eilon Cohen