Qi Deng · Security Researcher & Engineering Leader

I break things,
then I build them.

_

I build LLM-powered agents that break production AI systems — remote code execution in OpenAI ChatGPT Agent Mode, Meta's Manus, and more — and turn what I find into CVEs, patents, and shipped defenses.

27
CVEs credited to me
Adobe · NVIDIA · Aurascape advisories
5
US patents (published)
LLM security · 1 granted
5
Frontier-AI findings
ChatGPT · Manus · AgentCore · Arcade
20+
Articles & talks
Unit 42 · AuraLabs · Black Hat
01 — Frontier AI Exploits

Breaking production AI agents

Offensive research on the AI systems millions of people use — remote code execution and sandbox escapes. Every card links to the public writeup.

OpenAI ChatGPT Agent Mode
Reverse Shell RCE
RCE
Target
OpenAI ChatGPT — Agent Mode
Vector
Indirect prompt injection
Impact
Arbitrary command execution on the sandboxed agent VM
Reported; OpenAI patched in ~2 weeks
“Your Agent, My Shell” · AuraLabs, Aug 2025
Meta Manus AI Agent
SilentBridge — Sandbox-Escape RCE
RCE · $15K
Target
Meta Manus AI Agent (E2B sandbox)
Vector
Zero-click indirect prompt injection
Impact
Full agent takeover + sandbox-escape RCE, no user interaction
$15,000 Meta bug bounty
“SilentBridge” · AuraLabs, Feb 2026
AWS AgentCore
Silent Leak — Covert Exfiltration
Data Exfil
Target
AWS AgentCore code interpreter
Vector
DNS tunneling
Impact
Covert data exfiltration through an undetected side channel
Reported to AWS VDP; fix validated
“Silent Leak” · AuraLabs, Jan 2026
Arcade MCP Server
Default-Secret Auth Bypass
Auth Bypass
Target
Arcade MCP server
Vector
Hardcoded default worker secret
Impact
JWT forgery → authentication bypass
CVE-2025-66454
“When AI Agents Go Online” · AuraLabs, Dec 2025
LLM Answer Engines
Search-Index Poisoning
AI Abuse
Target
LLM search / indexing pipelines
Vector
Index poisoning
Impact
AI assistants surface attacker-controlled fake support numbers
Covered by ZDNet & Gizmodo
“When AI Recommends Scammers” · AuraLabs, Dec 2025
02 — Exploit Development

Exploits & offensive research

Original offensive research — a novel Linux page-cache code-corruption technique, an IE11 browser 0-day, and a Google-VRP web bug. (The kernel CVEs were discovered by others; the exploitation work here is mine.)

Linux Kernel Exploit Dev

Copy Fail — Live Code Corruption via Page Cache

Linux kernel — targets CVE-2026-31431 (bug discovered by Theori)

My novel exploitation technique for the Copy Fail kernel bug: instead of corrupting data files, write shellcode into libc's exit() through the shared page cache so every exiting process runs it — one-shot root, no disk modification.

Linux Kernel
Linux Kernel Analysis

Dirty Frag / Fragnesia — Page-Cache Write LPE Analysis

Linux kernel — analysis of CVE-2026-46300 (disclosed by W. Bowling)

Analysis and verified exploitation of the Fragnesia / Dirty-Frag page-cache-write LPE class, including a portable live-code-corruption variant that applies the Copy Fail technique to the ESP/RxRPC sinks.

Linux Kernel
Browser 0-day

Smashing The Browser — From Discovery to Exploit

Google Chrome & Internet Explorer 11

A three-part series: a custom browser fuzzing framework (StateFuzzer), advanced Chrome/IE11 heap-exploitation techniques, and full IE11 use-after-free 0-day exploit development.

Browser
Web Stored XSS

OSV.dev Stored XSS — Google VRP

OSV.dev (Google Open Source Vulnerabilities)

Stored cross-site scripting in Google's OSV.dev vulnerability database, reported through the Google Vulnerability Reward Program.

03 — CVEs & Advisories

27 CVEs credited to me

Vulnerabilities I reported that received CVE IDs — from Adobe Acrobat RCEs (Unit 42) to AI-infrastructure advisories (Aurascape). Every ID links to its NVD or GitHub-advisory page.

AI & LLM Infrastructure — Aurascape (2025–2026)
CVE-2025-33234 CVSS 7.8 NVIDIA runxCode injection → code execution / privesc
CVE-2026-27482 CVSS 5.9 RayUnauthenticated dashboard DELETE endpoints (DoS)
CVE-2025-66454 CVSS 6.5 Arcade MCPHardcoded default worker secret → auth bypass
CVE-2026-8328 CVSS 5.9 CPythonSSRF in ftplib ftpcp() (incomplete fix of CVE-2021-4189)
CVE-2026-28395 OpenClawRelay improper network binding (wildcard → all interfaces)
CVE-2026-32977 OpenClawfs-bridge writeFile sandbox bypass (TOCTOU)
CVE-2026-45003 OpenClawWorkspace .env connector-endpoint override
CVE-2026-45316 Open WebUIRead-only users can toggle note pin (broken permission check)
Enterprise & CMS
CVE-2026-35223 CVSS 8.6 JoomlaPrivilege escalation via web-service endpoints (faulty ACL)
CVE-2020-16876 CVSS 7.8 MicrosoftWindows App Compatibility Client Library elevation of privilege
Adobe Acrobat & Reader — Unit 42 (2018–2019)
CVE-2019-7050 CVSS 9.8 AdobeUse-after-free → RCE (APSB19-07)
CVE-2019-7051 CVSS 9.8 AdobeUntrusted pointer dereference → RCE (APSB19-07)
CVE-2019-7083 CVSS 9.8 AdobeUse-after-free → RCE (APSB19-07)
CVE-2019-7046 AdobeUntrusted pointer dereference → RCE (APSB19-07)
CVE-2019-7768 CVSS 9.8 AdobeUse-after-free → RCE (APSB19-18)
CVE-2019-7772 CVSS 9.8 AdobeUse-after-free → RCE (APSB19-18)
CVE-2019-7832 CVSS 9.8 AdobeHeap overflow / UAF → RCE (APSB19-18)
CVE-2019-7833 CVSS 9.8 AdobeUse-after-free → RCE (APSB19-18)
CVE-2019-7834 CVSS 9.8 AdobeUse-after-free → RCE (APSB19-18)
CVE-2019-16458 CVSS 7.5 AdobeOut-of-bounds read → info disclosure (APSB19-55)
CVE-2018-16031 AdobeAcrobat/Reader memory corruption → RCE (APSB18-41)
CVE-2018-16032 AdobeAcrobat/Reader memory corruption → RCE (APSB18-41)
CVE-2018-16033 AdobeAcrobat/Reader memory corruption → RCE (APSB18-41)
CVE-2018-16038 AdobeAcrobat/Reader memory corruption → RCE (APSB18-41)
CVE-2018-16040 AdobeAcrobat/Reader memory corruption → RCE (APSB18-41)
CVE-2018-16047 AdobeAcrobat/Reader memory corruption → RCE (APSB18-41)
CVE-2018-19698 AdobeAcrobat/Reader memory corruption → RCE (APSB18-41)

All GitHub Security Advisory credits (@qi-scape)

04 — Patents

5 published US patents

Filed patents on LLM-driven security (assignee: Palo Alto Networks) — one granted. Each links to Google Patents.

05 — Publications & Press

Published research

Frontier-AI attack research at AuraLabs and enterprise threat intel at Unit 42 — plus a Black Hat Asia briefing. All links go to the public articles.

06 — Open-Source Tools

Tools I've open-sourced

Public repositories — security tooling, crawlers, and utilities.

Code Audit
White-box code-security audit skill with multi-agent analysis

A static white-box audit skill spanning 9 languages and 55+ vulnerability types, chaining findings into exploitable attack paths.

Claude Code skillStatic analysis
URL Fetcher
Go library for resilient web fetching with AI summarization

Fetches web content past anti-bot protections, extracts the meaningful body, and generates AI summaries via pluggable LLM providers.

GoOpenAIGemini
DHT-Go
High-performance BitTorrent DHT honeypot crawler

Impersonates virtual DHT nodes to harvest torrent infohashes at high speed — KRPC/bencode over multiple UDP listeners.

GoUDPKRPC
Proxy Finder
Zero-setup proxy aggregation & validation toolkit

Fetches 10,000+ proxies from 7 sources, validates concurrently, and exports in tool-ready formats — CLI, FastAPI service, and web UI.

PythonFastAPIReact
ProxyHub
Proxy harvesting & health-check API

Collects and scans proxies from across the internet, stores them in MongoDB, and exposes an API to fetch live proxies.

PythonMongoDB
07 — Things I've Built

Live products & sites

Full-stack web apps I've designed and shipped — all live, all linked.

Games Live
FindPicked Games
109 free classic games, playable instantly

A hand-built arcade of dependency-free browser games — 2048, chess, solitaire, minesweeper, and 100+ more.

HTMLCSSJavaScript
Consumer App Live
The Photo Makr
AI-powered US passport photos in your browser

Turns any portrait into a compliant passport photo — AI background removal, print sheets, Stripe checkout, 5 languages.

ReactFastAPIStripe
Content Live
Becoming Great
A cited, bilingual archive of history's builders

An open-source archive of first-hand materials from history's most impactful builders — 186 events, 302 cited sources.

Next.jsTypeScript
Tools Live
EPUB Reader
A private, in-browser EPUB reader

Drag in .epub files and read — books, progress, and theme persist entirely in-browser via IndexedDB; nothing uploaded.

Reactepub.jsIndexedDB
Games Live
Cyber Gomoku
Five-in-a-row, neon cyberpunk edition

A complete web Gomoku game shipped as a single self-contained HTML file, styled as a glowing cyberpunk board.

HTMLCSSJavaScript
Content Live
Sales Mastery
A structured, bilingual sales knowledge base

Distills four classic sales books into notes, scripts, and a 12-week learning path.

JekyllSCSS
08 — From the Blog

Writeups & notes

71 posts since 2014 — kernel pwn, CTFs, bug bounty, and reverse engineering.