Episode Details

Michael Lubas, CEO of Paraxial.io, returns to the Elixir Mentor Podcast to talk about AI's dual role in cybersecurity: finding the vulnerabilities and writing the code that creates them. Michael was my first-ever guest, and a lot has changed since his last appearance — most of it driven by the inflection point of the past six months.

We open with the Hex package manager penetration test that Paraxial conducted as part of the Aegis initiative under the Erlang Ecosystem Foundation, funded through Alpha Omega and its donors. Michael caught a remote code execution vulnerability before it shipped, and the public report gives Elixir a strong story to tell about the security of its package ecosystem. From there we get into GitHub Actions supply chain attacks, why zizmor is the tool every maintainer should be running, and the recent campaigns where malicious code targets release pipelines rather than application source.

The conversation turns to the AI inflection point. The Erlang Ecosystem Foundation's CNA issued nine CVEs in all of 2025 and is on track for well over a hundred in 2026, driven by researchers like Peter Ullrich using AI to find vulnerabilities that already existed in source code. Firefox went from an average of 20 valid bug reports a month to over 400 in April 2026. Michael argues that Anthropic and OpenAI have been responsible stewards of these capabilities, and that defenders without access to state-of-the-art models are at a structural disadvantage. We also talk about why bug bounty programs are collapsing under AI-generated noise — something I experienced firsthand running Killswitch's program earlier this year.

In the second half we get practical. Michael walks through what a real penetration test costs, when Claude Code is actually useful for solo developers, and the common Elixir-specific gotchas: binary term deserialization, server-side request forgery, dynamic atom creation, and the importance of staying inside Ecto's default query syntax. We also touch on Erik Stenman's BEAM Book, the difference between Paraxial and Sobelow, and what SOC 2 compliance does and does not cover.

Resources Mentioned:
- Securing Hex, the Backbone of the Elixir Ecosystem (Paraxial blog): https://paraxial.io/blog/hex-pentest
- Hex Package Manager security audit report: https://hex.pm/reports/2026/paraxial.pdf
- Erlang Ecosystem Foundation CNA: https://cna.erlef.org/
- Behind the Scenes Hardening Firefox with Claude (Mozilla Hacks): https://hacks.mozilla.org/2026/05/behind-the-scenes-hardening-firefox/
- Project Glasswing (Anthropic): https://www.anthropic.com/project/glasswing
- The First CVE Wave (VulnCheck): https://www.vulncheck.com/blog/ai-assisted-vulnerability-discovery
- Third major Linux kernel flaw in two weeks found by AI (ZDNet): https://www.zdnet.com/article/third-major-linux-kernel-flaw-in-two-weeks-found-by-ai/
- What the CVE? — Peter Ullrich:

Listen Now