AI hackers are coming for my C++ code
Are they white hat or black hat?
Last night I got this email at 9:12 PM:
This message was automatically sent to me by GitHub, the open-source collaboration platform, after someone (or some thing) reported a security vulnerability in a piece of code I have been maintaining for nearly 15 years. That code was written by a contractor working for me when I was a professor at the Naval Postgraduate School. It’s part of a digital forensics tool that was once widely used by digital investigators and governments, and continues to be used by digital archivists as part of the BitCurator platform.
You can see the whole report here — https://github.com/simsong/bulk_extractor/security/advisories/GHSA-rh8m-9xrx-q64q
For those of you who don’t speak the language of security vulnerabilities and C++, what’s happened here is that the Mobasi AI Team found a security vulnerability in my program and has provided me (and the world) with an exploit that demonstrates the vulnerability. Right now, the exploit only causes my program to perform an illegal memory operation, something it can typically recover from. However, this exploit can likely be crafted into a remote code execution (RCE) exploit. That is, a motivated attacker could probably create a special file or disk image that, when analyzed with my digital forensics tool, would run code on the computer running my program as if that code were entered and run by the tool’s operator.
Imagine being able to run attack code on the forensic investigator's or police officer's computer after they have seized your phone or laptop and returned it to their lab. Imagine you could run that code silently, undetected. What kind of payload would you craft? Delete files? Implicate the investigators? Worm your way to the internet? That’s the level of threat raised by this security report. The investigators or AI agents that filed the report report it rated the vulnerability as having high exploit potential. For users of my program, I would say this is a 7 on a scale of 0 to 10.
In practice, this vulnerability is not very significant today, January 28, 2026, because it was only recently discovered, and bulk_extractor is being used to analyze data seized last year. However, any data seized or otherwise obtained this year might have hidden exploits. And, of course, others might have discovered this vulnerability and chosen not to report it.
At 1:32 am, I got another message from the Mobasi AI Team:
This is a new vulnerability in another digital forensics tool that I maintain. You can read the report here: https://github.com/simsong/tcpflow/security/advisories/GHSA-q5q6-frrv-9rj6
Once again, the attackers have provided a proof-of-concept demonstrating a memory vulnerability in code written more than 15 years ago. Once again, this is code I didn’t write but am responsible for maintaining.
AI never sleeps.
Unfortunately, the AI hasn’t provided me with a bug fix for these errors. Typically, it’s easier to find security vulnerabilities than to fix them. Finding vulnerabilities just requires coming up with an input that makes the program perform an illegal operation. Fixing them requires understanding the program and devising a patch that corrects the bug without introducing new vulnerabilities.
There’s also the problem of distributing the fixed version. Making sure that all of my users get it, or at least are aware of the potential vulnerability. I don’t even know who my users are!
There are many lessons to be gleaned from this brief exchange between the team finding these problems and me. Here are some:
I wonder how many organizations are running AI vulnerability discovery tools and simply using the results to mount cyberattacks, rather than posting vulnerability reports in open-source repos.
Both of these programs were written in a combination of C and C++ rather than a modern memory-safe programming language like Rust. Are we better off incrementally rewriting old C/C++ programs in Rust, or throwing away our old tools and writing brand-new tools in Rust?
Yes, we have to eliminate C programs and replace them with Rust programs. Maintaining the old programs is becoming increasingly expensive as the legions of C and C++ programmers trained over the past four decades enter retirement. Who is going to pay for replacing all of those old programs?
Where do we start?
Wow, that Mobasi is something else! Go to their website, and you will see that the company bills itself as the Autonomous Digital Investigative Agent. But who are they, really? And what are they up to?
It seems a bit strange that Mobasi joined Github 2 days ago?