My research focuses on AI System Security, Program Analysis and Identity Security, particularly building agentic systems to detect and exploit vulnerabilities in large-scale applications, acknowledged by Microsoft, Google, Meta, Alibaba and HuggingFace.
Besides, I play CTFs! I'm a team lead of JHU's inaugural eCTF team to design secure systems while exploiting cryptographic flaws, earning top placements in Raymond James CTF and Mountain West Cyber Challenge, and a member of the CTF team r3kapig (international team, Top 3 on CTFTime.org).
[Update] I am actively looking for PhD positions in Fall 2026. I am broadly interested in Web/System Security, AI for Security, enhancing LLMs or developing agentic frameworks for improving the reliability and security of software systems.
The First Large-Scale Systematic Study of Python Class Pollution Vulnerability
Zhengyu Liu, Jiacheng Zhong, Jianjia Yu, Muxi Lyu, Zifeng Kang, and Yinzhi Cao
paper / poster / code / slides
Submitted to the Proceedings of IEEE Symposium on Security and Privacy, 2026
From Static to Smart: LLM-enhanced Static Analysis on Web Application Vulnerability Detection
Ant Group SRC Annual Celebration, June 2025
slides / video
Capture The Flags
Team member @ r3kapig
Won 6 medals from July 2025 to now: 1 Gold + 2 Silver + 3 Bronze
July 2025 - Now
Team member @ The Group Z0D1AC
Achieved 2nd place in Raymond James CTF 2024 ($5000 cash prize)
Achieved 5th place in Mountain West Cyber Challenge 2024
I have discovered some vulnerabilities in popular OSS (over 30 CVEs in repos with >1K stars on GitHub), as well as in products maintained by companies including Google, Microsoft, Meta, Ant Group (Alipay) and HuggingFace.
A selected list of them is shown below.