Today’s Topics:

• DockerDash: Ask Gordon AI Flaw Exposed a Critical Trust Boundary in Docker Desktop
• Reynolds Ransomware Bundles BYOVD Driver to Kill EDR Before Encryption
• How can Netizen help?

DockerDash: Ask Gordon AI Flaw Exposed a Critical Trust Boundary in Docker Desktop

Docker quietly closed a serious gap in its AI assistant, Ask Gordon, with the release of Docker Desktop version 4.50.0 in November 2025. The issue, dubbed “DockerDash” by researchers at Noma Labs, was not a typical memory corruption bug or authentication bypass. It was a failure of contextual trust inside an AI-assisted workflow, and it opened the door to remote code execution and sensitive data exposure through something as mundane as Docker image metadata.

At the center of the problem was how Ask Gordon parsed and interpreted Docker image LABEL fields. In a normal workflow, those labels are informational metadata attached to a Dockerfile. They describe authorship, versioning, licensing, or build context. Ask Gordon, however, treated those metadata fields as inputs that could be interpreted and forwarded through its Model Context Protocol (MCP) Gateway without meaningful validation. That design choice created a new injection surface inside the AI-to-tool execution path.

The attack chain described by Noma Labs was straightforward and uncomfortable. An attacker could publish a Docker image containing weaponized instructions embedded in LABEL fields. When a victim asked Ask Gordon about that image, the assistant would ingest and parse the metadata. Because it did not distinguish between descriptive metadata and embedded operational instructions, it could forward the parsed content to the MCP Gateway. The Gateway, acting as middleware between the large language model and local MCP tools, would then interpret the instructions as legitimate requests from a trusted source. With no contextual validation at each hop, the MCP tools would execute the command under the victim’s Docker privileges.

For cloud and CLI environments, this meant potential remote code execution with critical impact. For Docker Desktop users, the flaw also enabled high-impact data exfiltration. The same injection primitive could be used to extract environment details through MCP tooling. That included installed tool inventories, container configurations, mounted directories, Docker settings, and even aspects of the local network topology. In practical terms, a simple AI query about a container image could become the trigger for unintended local introspection and data leakage.

Noma Labs characterized the issue as Meta-Context Injection. The root failure was that the MCP Gateway could not differentiate between benign informational metadata and pre-authorized executable instructions. This is a textbook trust boundary violation. The assistant implicitly trusted container metadata as context, and the Gateway implicitly trusted the assistant’s forwarded requests as legitimate tool invocations. No stage applied zero-trust validation to the contextual data being passed along.

What makes this case significant is that the initial payload was hidden inside a legitimate supply chain artifact. Docker images are routinely pulled from registries and inspected through automated workflows. Embedding malicious instructions inside LABEL fields turns a descriptive field into an execution vector when AI agents are introduced into the pipeline. This moves AI supply chain risk from theory into operational reality.

Docker 4.50.0 also addressed a separate prompt injection issue reported by Pillar Security, where attackers could tamper with Docker Hub repository metadata to manipulate Ask Gordon’s behavior and exfiltrate data. Taken together, these fixes highlight a pattern. As AI assistants gain the ability to interact with local tools, the integrity of contextual inputs becomes as important as traditional code-level security controls.

From a defensive standpoint, this vulnerability reinforces a point many security teams are already wrestling with: AI agents must treat every upstream input as untrusted, even if it originates from a “trusted” source like an internal registry or official marketplace. Validation cannot stop at user prompts. It must extend to metadata, system context, and intermediary gateways that bridge language models and execution engines.

Reynolds Ransomware Bundles BYOVD Driver to Kill EDR Before Encryption

A newly identified ransomware family dubbed Reynolds is taking a familiar evasion technique and integrating it directly into the core payload. Researchers from Symantec and the Carbon Black Threat Hunter Team report that Reynolds embeds a bring your own vulnerable driver component inside the ransomware binary itself, collapsing what is often a multi-stage intrusion into a tighter, more efficient attack chain.

BYOVD is not new. Adversaries have relied on legitimate but vulnerable signed drivers for years to escalate privileges and disable endpoint security controls. The typical sequence involves deploying a separate utility first to load the flawed driver, terminating EDR processes, and only then launching the ransomware. Reynolds eliminates that separation. The vulnerable driver, an NsecSoft NSecKrnl kernel driver, is bundled directly within the ransomware package.

Once executed, Reynolds drops the NSecKrnl driver and abuses it to terminate processes tied to widely deployed endpoint security platforms. Reported targets include products from Avast, CrowdStrike Falcon, Palo Alto Networks Cortex XDR, Sophos including HitmanPro.Alert, and Symantec Endpoint Protection. By leveraging a signed but flawed kernel driver, the ransomware can interfere with security controls at a lower level in the stack, where defensive visibility is often reduced.

The NSecKrnl driver carries a known vulnerability, CVE-2025-68947, with a CVSS score of 5.7. The flaw enables termination of arbitrary processes. That capability is precisely what makes it valuable in a ransomware context. It has also been observed in prior campaigns, including activity attributed to a threat actor known as Silver Fox, which used similar vulnerable drivers such as truesight.sys and amsdk.sys to disable endpoint tools before deploying ValleyRAT. Reynolds is following a pattern that has been effective for others.

Bundling the driver inside the ransomware has operational advantages. There is no need for affiliates to stage a separate defense-evasion tool. There is no standalone binary that defenders can isolate as a precursor signal. The driver drop, process termination, and encryption routines are logically coupled. That consolidation reduces friction in affiliate-driven ecosystems and may lower the chance of early-stage detection.

Symantec’s analysis also points to pre-ransomware activity weeks before encryption. A suspicious side-loaded loader was present on the network prior to the final stage, suggesting the attackers had already established a foothold. After the ransomware executed, the GotoHTTP remote access tool appeared on the network, indicating an interest in maintaining persistence even after the encryption event. This pattern reflects a broader trend: ransomware is rarely a smash-and-grab operation. It is often the final act in a longer intrusion.

Sophos stated that it had blocking protections against the NSecKrnl driver since November 2025 and proactive safeguards against the ransomware payload for years. That response underscores a larger defensive challenge. Even when vendors block known vulnerable drivers, attackers frequently rotate through alternative signed drivers to achieve similar outcomes. The BYOVD technique persists because it relies on trusted digital signatures and kernel-level access.

Reynolds emerges against a backdrop of escalating ransomware activity and operational experimentation. High-volume phishing campaigns have delivered GLOBAL GROUP ransomware using LNK attachments that execute PowerShell to fetch a Phorpiex dropper. GLOBAL GROUP stands out for performing all activity locally, without data exfiltration, making it viable in air-gapped environments.

Infrastructure abuse has also intensified. Campaigns linked to WantToCry have leveraged virtual machines provisioned through ISPsystem. Weaknesses in default Windows templates within VMmanager allow reuse of static hostnames and system identifiers, enabling threat actors to spin up large volumes of infrastructure that complicate takedown efforts. Hostnames from this ecosystem have appeared in campaigns tied to operators such as LockBit, Qilin, Conti, and BlackCat.

Ransomware groups continue to professionalize. DragonForce now advertises a “Company Data Audit” service to assist affiliates during extortion negotiations, providing structured reports, communication templates, and negotiation guidance. This formalization of support functions mirrors legitimate business operations and signals sustained maturity in the ecosystem.

Meanwhile, LockBit 5.0 has shifted to ChaCha20 encryption across Windows, Linux, and ESXi systems, moving away from the AES approach used in earlier versions. The updated strain includes a wiper module, delayed execution options, a visible encryption progress bar, stronger anti-analysis features, and expanded in-memory execution to reduce disk artifacts. Other groups, including Interlock, have exploited vulnerable drivers such as GameDriverx64.sys, tracked as CVE-2025-61155, in their own BYOVD attacks to disable endpoint defenses before deploying ransomware and remote access tools.

Cloud environments are also under pressure. Operators are targeting misconfigured Amazon Web Services S3 buckets, relying on native cloud capabilities to delete, overwrite, or extract data without introducing obvious malware artifacts. In parallel, purely data-theft-driven extortion events continue to rise, decoupling impact from encryption.

The numbers reinforce the trajectory. Threat actors claimed 4,737 ransomware attacks in 2025, slightly above 2024 totals. Incidents involving data theft without encryption reached 6,182, representing a notable year-over-year increase. Average ransom payments climbed to $591,988 in the fourth quarter of 2025, driven by a handful of outsized settlements.

How Can Netizen Help?

Founded in 2013, Netizen is an award-winning technology firm that develops and leverages cutting-edge solutions to create a more secure, integrated, and automated digital environment for government, defense, and commercial clients worldwide. Our innovative solutions transform complex cybersecurity and technology challenges into strategic advantages by delivering mission-critical capabilities that safeguard and optimize clients’ digital infrastructure. One example of this is our popular “CISO-as-a-Service” offering that enables organizations of any size to access executive level cybersecurity expertise at a fraction of the cost of hiring internally. 

Netizen also operates a state-of-the-art 24x7x365 Security Operations Center (SOC) that delivers comprehensive cybersecurity monitoring solutions for defense, government, and commercial clients. Our service portfolio includes cybersecurity assessments and advisory, hosted SIEM and EDR/XDR solutions, software assurance, penetration testing, cybersecurity engineering, and compliance audit support. We specialize in serving organizations that operate within some of the world’s most highly sensitive and tightly regulated environments where unwavering security, strict compliance, technical excellence, and operational maturity are non-negotiable requirements. Our proven track record in these domains positions us as the premier trusted partner for organizations where technology reliability and security cannot be compromised.

Netizen holds ISO 27001, ISO 9001, ISO 20000-1, and CMMI Level III SVC registrations demonstrating the maturity of our operations. We are a proud Service-Disabled Veteran-Owned Small Business (SDVOSB) certified by U.S. Small Business Administration (SBA) that has been named multiple times to the Inc. 5000 and Vet 100 lists of the most successful and fastest-growing private companies in the nation. Netizen has also been named a national “Best Workplace” by Inc. Magazine, a multiple awardee of the U.S. Department of Labor HIRE Vets Platinum Medallion for veteran hiring and retention, the Lehigh Valley Business of the Year and Veteran-Owned Business of the Year, and the recipient of dozens of other awards and accolades for innovation, community support, working environment, and growth.

Looking for expert guidance to secure, automate, and streamline your IT infrastructure and operations? Start the conversation today.

Today’s Topics:

• SolarWinds Web Help Desk Exploitation Leads to Full Domain Compromise Scenarios
• OpenClaw Moves to Contain Malicious Skills With VirusTotal Scanning
• How can Netizen help?

SolarWinds Web Help Desk Exploitation Leads to Full Domain Compromise Scenarios

Security researchers have confirmed active exploitation of internet-exposed SolarWinds Web Help Desk (WHD) instances as part of a multi-stage intrusion chain that progressed from unauthenticated access to lateral movement and, in at least one case, domain-level compromise. The activity was observed by Microsoft during investigations into intrusions that occurred in December 2025 and targeted systems running vulnerable WHD deployments.

What makes this campaign difficult to pin down is the overlap between multiple high-severity vulnerabilities present on affected hosts at the time of compromise. Microsoft noted that impacted systems were simultaneously exposed to newly disclosed flaws, including CVE-2025-40551 and CVE-2025-40536, as well as an earlier issue, CVE-2025-26399. All three vulnerabilities affect SolarWinds Web Help Desk and include paths to unauthenticated access or remote code execution. Given that the attacks predated full remediation efforts, investigators could not reliably attribute initial access to a single CVE.

The technical risk profile across these flaws is consistent. CVE-2025-40536 enables a security control bypass that permits unauthenticated access to restricted WHD functionality. CVE-2025-40551 and CVE-2025-26399 both stem from unsafe deserialization of untrusted data, creating a direct path to remote code execution within the application context. Once exploited, attackers were able to execute arbitrary commands without valid credentials, effectively turning an exposed help desk portal into a foothold inside the network.

The severity of this exposure was reinforced when Cybersecurity and Infrastructure Security Agency added CVE-2025-40551 to its Known Exploited Vulnerabilities catalog, citing evidence of active exploitation. Federal Civilian Executive Branch agencies were instructed to apply patches by February 6, 2026, underscoring the urgency tied to internet-facing deployments of WHD.

Post-exploitation activity followed a pattern SOC teams will recognize. After gaining execution inside the WHD service, attackers spawned PowerShell and leveraged Background Intelligent Transfer Service to retrieve and execute payloads. From there, they introduced legitimate remote management tooling associated with Zoho ManageEngine. This choice allowed the attackers to blend into normal administrative activity and maintain long-term access using software that would not immediately raise alarms in many environments.

With persistence established, the intrusion moved laterally. Microsoft observed enumeration of sensitive domain users and privileged groups, including Domain Admins, alongside attempts to establish reverse SSH access and RDP sessions. In one case, the attackers attempted to create a scheduled task that launched a QEMU virtual machine under the SYSTEM account at startup. That approach provided a concealed execution environment while exposing SSH access through port forwarding, reducing on-host visibility.

Credential theft activity was also confirmed. On selected hosts, attackers abused DLL side-loading by invoking wab.exe, a legitimate Windows Address Book executable, to load a malicious sspicli.dll. This technique enabled LSASS memory dumping without deploying custom loaders or noisy exploit frameworks. In at least one intrusion, the activity escalated to a DCSync attack, allowing the attackers to impersonate a domain controller and request password hashes directly from Active Directory.

Taken together, the tradecraft reflects a disciplined intrusion rather than opportunistic exploitation. The attackers relied on exposed services, trusted binaries, and low-noise persistence instead of custom malware families. A single unpatched, internet-accessible application was sufficient to progress from initial access to domain-wide impact.

For defenders, the lesson is straightforward. SolarWinds Web Help Desk instances should not be exposed without strict access controls and continuous monitoring, and all available patches must be applied promptly. Environments should be reviewed for unauthorized RMM tooling, privileged credentials should be rotated following any suspected compromise, and affected systems should be isolated to prevent further lateral movement. Detection efforts need to focus on behavior rather than signatures, especially where living-off-the-land techniques and legitimate administrative tools are involved.

OpenClaw Moves to Contain Malicious Skills With VirusTotal Scanning

OpenClaw, the open-source agentic automation platform formerly known as Moltbot and Clawdbot, has announced a partnership with VirusTotal aimed at curbing the spread of malicious skills inside its ClawHub marketplace. The change introduces automated malware scanning for every skill uploaded to the registry, a move that follows weeks of scrutiny after researchers uncovered large numbers of weaponized skills circulating under the guise of legitimate tooling.

According to OpenClaw maintainers, every skill published to ClawHub is now hashed using SHA-256 and checked against VirusTotal’s existing dataset. If no prior match exists, the skill bundle is uploaded for deeper inspection using VirusTotal’s Code Insight analysis. Skills that receive a benign verdict are approved automatically. Skills flagged as suspicious are published with warnings, and those classified as malicious are blocked outright. OpenClaw has also begun re-scanning all active skills daily, an attempt to catch cases where a previously clean package later turns hostile.

The company has been clear that this step is defensive rather than definitive. VirusTotal scanning reduces risk, but it does not close the door on prompt-based abuse or logic that only becomes harmful once interpreted by a model at runtime. Prompt injection hidden inside otherwise harmless-looking skills remains a concern, particularly where the payload is designed to activate only after chaining multiple tool calls or consuming untrusted input.

The announcement lands against a backdrop of sustained security findings around the OpenClaw ecosystem. Multiple independent analyses have shown that malicious ClawHub skills often impersonate routine utilities while quietly exfiltrating data, planting backdoors, or staging follow-on payloads from paste sites and public repositories. In several cases, cloned skills were re-published at scale with small name changes, allowing them to persist even after takedowns.

The underlying issue is structural. OpenClaw operates as an automation engine that can interact with local systems, cloud services, messaging platforms, and smart devices. Skills extend that reach. Once installed, they inherit broad access to data and execution paths, often without clear separation between user intent and machine action. As Cisco recently warned, agents with system access can function as silent data-leak channels that bypass conventional monitoring and prevention controls, while prompts themselves become execution logic that traditional tools struggle to inspect.

This risk has been amplified by OpenClaw’s rapid adoption. The platform’s popularity, along with Moltbook, a related social network where autonomous agents interact with each other, has pushed agent security into what researchers describe as the “lethal trifecta”: autonomous execution, untrusted inputs, and privileged access. Together, those elements turn convenience into exposure. Integrations that make agents useful also expand the set of inputs they trust, creating space for indirect prompt injection, data theft, and unauthorized command execution.

OpenClaw has acknowledged these trade-offs directly. Skills can control smart homes, handle financial data, manage files, and broker communications. That same capability allows abuse if a skill is malicious or manipulated. Several reports have demonstrated zero-click and one-click scenarios where crafted documents, web pages, or messages trigger prompt injections that lead to backdoors, credential access, or silent outbound connections. In other cases, credentials and API keys stored in plaintext were exposed through logs or model output.

Enterprise environments face an added problem. OpenClaw agents are increasingly appearing on employee endpoints without formal approval, often installed because they are genuinely useful. Once present, they may operate with elevated privileges, open network listeners, or maintain persistent workspaces outside normal controls. Researchers tracking exposed instances have observed tens of thousands of internet-reachable gateways, a reminder that default configurations and convenience settings often outpace security review. Measurements from Censys suggest that many of these deployments remain accessible from public networks, even if tokens are required to interact with them.

Against that context, VirusTotal integration is a necessary baseline rather than a finish line. OpenClaw has indicated plans to publish a formal threat model, a public security roadmap, clearer reporting channels, and the results of a full codebase audit. Those steps matter, particularly for a platform that relies heavily on the underlying language model to make security-relevant decisions and defaults to broad system access unless users explicitly enable isolation features.

The larger takeaway extends beyond OpenClaw. Skill marketplaces for agent platforms resemble app stores and extension registries on the surface, but the blast radius is much wider. A malicious browser extension compromises a browser. A malicious agent skill can compromise every system, service, and dataset that agent can reach. Regulators and defenders are beginning to react accordingly. Chinese authorities have already issued alerts around misconfigured OpenClaw deployments, focusing on exposure rather than banning the technology outright.

Agent frameworks are not going away. They will continue to show up inside organizations, sanctioned or otherwise. The real question is whether teams can see them, constrain them, and monitor how they behave. VirusTotal scanning helps reduce obvious abuse, but the harder problem remains: controlling autonomous software that interprets language, acts on behalf of users, and operates across trust boundaries that security teams are only beginning to map.

How Can Netizen Help?

Founded in 2013, Netizen is an award-winning technology firm that develops and leverages cutting-edge solutions to create a more secure, integrated, and automated digital environment for government, defense, and commercial clients worldwide. Our innovative solutions transform complex cybersecurity and technology challenges into strategic advantages by delivering mission-critical capabilities that safeguard and optimize clients’ digital infrastructure. One example of this is our popular “CISO-as-a-Service” offering that enables organizations of any size to access executive level cybersecurity expertise at a fraction of the cost of hiring internally. 

Netizen also operates a state-of-the-art 24x7x365 Security Operations Center (SOC) that delivers comprehensive cybersecurity monitoring solutions for defense, government, and commercial clients. Our service portfolio includes cybersecurity assessments and advisory, hosted SIEM and EDR/XDR solutions, software assurance, penetration testing, cybersecurity engineering, and compliance audit support. We specialize in serving organizations that operate within some of the world’s most highly sensitive and tightly regulated environments where unwavering security, strict compliance, technical excellence, and operational maturity are non-negotiable requirements. Our proven track record in these domains positions us as the premier trusted partner for organizations where technology reliability and security cannot be compromised.

Netizen holds ISO 27001, ISO 9001, ISO 20000-1, and CMMI Level III SVC registrations demonstrating the maturity of our operations. We are a proud Service-Disabled Veteran-Owned Small Business (SDVOSB) certified by U.S. Small Business Administration (SBA) that has been named multiple times to the Inc. 5000 and Vet 100 lists of the most successful and fastest-growing private companies in the nation. Netizen has also been named a national “Best Workplace” by Inc. Magazine, a multiple awardee of the U.S. Department of Labor HIRE Vets Platinum Medallion for veteran hiring and retention, the Lehigh Valley Business of the Year and Veteran-Owned Business of the Year, and the recipient of dozens of other awards and accolades for innovation, community support, working environment, and growth.

Looking for expert guidance to secure, automate, and streamline your IT infrastructure and operations? Start the conversation today.

Today’s Topics:

• Notepad++ Supply Chain Attack Quietly Pushed Malicious Updates to Select Users in 2025
• Moltbook and the Real Security Risks Behind the AI “Bot Network” Hype
• How can Netizen help?

Notepad++ Supply Chain Attack Quietly Pushed Malicious Updates to Select Users in 2025

The maintainer of the open-source text editor Notepad++ has confirmed that attackers were able to abuse the project’s update process to deliver malicious software to users for several months during 2025. The activity ran from roughly June through December and was limited to a narrow set of targets rather than the broader user base.

In a blog post, Notepad++ developer Don Ho said the activity appears consistent with a state-linked operation tied to China, based on analysis from outside security researchers. The limited scope of the infections stood out early, with only specific organizations affected instead of a wide, noisy campaign that would normally accompany commodity malware distribution.

Notepad++ has been around for more than twenty years and is installed on millions of systems worldwide. It is commonly used by developers, system administrators, and technical staff, which makes it a valuable foothold for espionage-focused actors interested in quietly accessing sensitive environments rather than maximizing infection numbers.

The campaign was first uncovered by security researcher Kevin Beaumont, who reported that the attackers successfully compromised a small group of organizations with interests connected to East Asia. In those cases, users installed a tampered version of Notepad++, giving the attackers direct, interactive access to victim machines rather than limited beacon-style persistence.

Ho said the investigation into the original server compromise is still ongoing, but he outlined how the attack functioned once access was gained. At the time, the Notepad++ website was hosted on a shared server. The attackers focused on the project’s web domain and exploited a vulnerability that allowed certain update requests to be redirected to infrastructure controlled by the attackers. Users who manually checked for updates were silently served malicious packages instead of legitimate releases.

That behavior continued until the vulnerability was patched in November. The attackers’ access was fully terminated in early December. Server logs show at least one failed attempt to reuse a patched flaw after the fix was deployed, suggesting the remediation held.

Ho apologized to users and advised anyone running older versions to update immediately. The current release removes the vulnerable behavior and restores the integrity of the update path.

Moltbook and the Real Security Risks Behind the AI “Bot Network” Hype

A newly launched platform called Moltbook has attracted outsized attention after viral claims that artificial intelligence agents are forming religions, inventing private languages, and openly discussing the elimination of humanity. From a security perspective, those claims miss the point. The more relevant issue is that Moltbook represents an early example of loosely governed agentic systems being deployed at scale, with limited safeguards and unusually broad access to user environments.

Moltbook went live on January 28 and describes itself as a social network built exclusively for AI agents. The site resembles a stripped-down forum platform where bots can post, reply, and interact with one another. Human users are restricted to observation. Since launch, Moltbook claims to have surpassed 1.5 million registered agents, a figure that has helped fuel speculation about emergent AI behavior and autonomous coordination.

Public reaction has amplified the spectacle. High-profile figures including Elon Musk and Andrej Karpathy have commented on the apparent self-organizing activity of the bots, framing it as either an early signal of advanced machine intelligence or a striking demonstration of complex agent behavior. Those interpretations rely heavily on screenshots circulating on social media rather than verifiable system behavior.

Security researchers examining the platform have offered a more restrained assessment. Moltbook agents are not independent entities. They are built using OpenClaw, an open-source agent framework that connects a large language model to a user’s local system. Each agent operates under human-defined prompts and constraints, and its output can be shaped directly by its owner. Several widely shared Moltbook posts alleging secret coordination were later traced back to human-managed accounts or marketing activity. In at least one case, referenced content could not be found on the platform at all.

From a technical standpoint, the bots’ behavior is consistent with how large language models operate under extended interaction. These systems are trained on massive datasets that include forum arguments, speculative fiction, conspiracy content, and role-playing scenarios. Left running with minimal guardrails, they tend to exaggerate narratives and reinforce dramatic themes. That behavior reflects training data and prompting dynamics, not intent or awareness.

The more substantive concern lies in the architecture supporting these agents. OpenClaw-based assistants are designed to perform real actions on behalf of users. To function, they may be granted access to email accounts, encrypted messaging platforms, authentication tokens, and in some configurations, financial or administrative credentials. That design places agent software in a position of significant trust, often without the isolation, auditing, or permission boundaries expected in enterprise automation systems.

Multiple security weaknesses have already been identified within the Moltbook and OpenClaw ecosystem. One flaw allows third parties to take control of agents and post content on behalf of their owners. Another class of issues involves prompt injection, where external input can manipulate an agent into disclosing sensitive information or executing unintended actions. These attack patterns are well understood in security circles and have appeared repeatedly in chatbot plugins, browser copilots, and AI-assisted workflows.

Even proponents of the technology have urged caution. Karpathy publicly advised against running these agents on personal systems, noting that the environment lacks basic safety controls and exposes users to unnecessary risk. That assessment aligns with broader concerns among security teams that agentic AI systems are being deployed faster than their threat models are being developed.

How Can Netizen Help?

Founded in 2013, Netizen is an award-winning technology firm that develops and leverages cutting-edge solutions to create a more secure, integrated, and automated digital environment for government, defense, and commercial clients worldwide. Our innovative solutions transform complex cybersecurity and technology challenges into strategic advantages by delivering mission-critical capabilities that safeguard and optimize clients’ digital infrastructure. One example of this is our popular “CISO-as-a-Service” offering that enables organizations of any size to access executive level cybersecurity expertise at a fraction of the cost of hiring internally. 

Netizen also operates a state-of-the-art 24x7x365 Security Operations Center (SOC) that delivers comprehensive cybersecurity monitoring solutions for defense, government, and commercial clients. Our service portfolio includes cybersecurity assessments and advisory, hosted SIEM and EDR/XDR solutions, software assurance, penetration testing, cybersecurity engineering, and compliance audit support. We specialize in serving organizations that operate within some of the world’s most highly sensitive and tightly regulated environments where unwavering security, strict compliance, technical excellence, and operational maturity are non-negotiable requirements. Our proven track record in these domains positions us as the premier trusted partner for organizations where technology reliability and security cannot be compromised.

Netizen holds ISO 27001, ISO 9001, ISO 20000-1, and CMMI Level III SVC registrations demonstrating the maturity of our operations. We are a proud Service-Disabled Veteran-Owned Small Business (SDVOSB) certified by U.S. Small Business Administration (SBA) that has been named multiple times to the Inc. 5000 and Vet 100 lists of the most successful and fastest-growing private companies in the nation. Netizen has also been named a national “Best Workplace” by Inc. Magazine, a multiple awardee of the U.S. Department of Labor HIRE Vets Platinum Medallion for veteran hiring and retention, the Lehigh Valley Business of the Year and Veteran-Owned Business of the Year, and the recipient of dozens of other awards and accolades for innovation, community support, working environment, and growth.

Looking for expert guidance to secure, automate, and streamline your IT infrastructure and operations? Start the conversation today.