
[tl;dr sec] #296 - AI Automates CVE -> Exploit, Apple Defeats Memory Corruption, Moar NPM Backdoors

AI auto-generating exploits from CVEs for $3, not actually but Memory Integrity Enforcement makes it harder, surprisingly NPM packages were backdoored

Hey there,

I hope you’ve been doing well!

🍗 Bardcore

I randomly stumbled across this Bardcore cover of Golden, and it’s delightful.

“What ‘tis Bardcore?” you beseech me.

It’s when hit songs are “medievalised.” Give it a listen and you’ll see. I remember stumbling across the genre and writing about it in tl;dr sec, so I searched the archives and apparently it was… literally 5 years ago in September 2020 in issue #50.

I feel old 👴 

It’s fun looking back on things I wrote and remembering what was going on in my life then.

I’ve found journaling tends to be tough to sit down and do, but I’m always glad once I’ve done it. Recently I’ve been taking long walks and doing a bit of speech → text with my phone in Obsidian notes.

Speaking of music, the most unhinged recent music thing I came across is otamatones, which I’d never heard of before, but I can’t watch this without laughing.

P.S. Try spending 5min/day for the next week writing down whatever is currently on your mind, and then read it at the end of the week.

Sponsor

📣 AppSec’s New Horizon

Development velocity is only increasing—but most “shift-left” approaches stop at finding issues instead of preventing them.

At our upcoming virtual event, discover a prevention-first AppSec playbook grounded in new Unit 42® research and proven practices from Palo Alto Networks’ own security experts.

See how you can outpace emerging threats, stop risks before production, and embed security without slowing developers down.

Secure your spot today and explore the future of application security with Cortex® Cloud.

Nice, prevention is where it’s at, and it’ll be cool to hear how Palo Alto does AppSec for themselves 🤔 

AppSec

Prototype Pollution in Python
Abdulraheem Khaled introduces "Class Pollution," a Python variant of Prototype Pollution in JavaScript: instead of polluting the prototype of an object, the attack overwrites attributes of a Python class. And you can actually overwrite more than just a given Python class or its ancestors: via __globals__, you can overwrite defined variables or imported modules in the global namespace. Neat!
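As an added illustration (my example, not code from Abdulraheem's post), here is a recursive merge helper of the kind that makes class pollution possible, beside a hardened version that refuses dunder keys and only touches instance attributes; the User class and payload are constructed for the demo:

```python
# Added example, not code from the original post: a recursive "merge" helper of the
# kind that enables class pollution, beside a hardened version. Constructed demo data.
ATTACKER_INPUT = {"__class__": {"is_admin": True}}  # constructed, attacker-controlled JSON


class User:
    is_admin = False  # class attribute, shared by every User instance

    def __init__(self, name):
        self.name = name


def merge_unsafe(src, dst):
    """Vulnerable merge: follows any key, so '__class__' walks up to the class object."""
    for key, value in src.items():
        if hasattr(dst, key) and isinstance(value, dict):
            merge_unsafe(value, getattr(dst, key))  # recurses into dst.__class__, i.e. User
        else:
            setattr(dst, key, value)  # here: setattr(User, "is_admin", True)


def merge_safe(src, dst):
    """Hardened merge: rejects dunder keys and only updates attributes the instance already has."""
    for key, value in src.items():
        if not key.isidentifier() or key.startswith("__"):
            raise ValueError(f"refusing reserved key {key!r}")
        if key not in vars(dst):  # instance dict only; class attributes are never reachable
            raise ValueError(f"unknown attribute {key!r}")
        setattr(dst, key, value)


def demo_unsafe():
    """Merges the payload into alice and returns bob.is_admin, which is now True."""
    alice, bob = User("alice"), User("bob")
    try:
        merge_unsafe(ATTACKER_INPUT, alice)
        return bob.is_admin
    finally:
        User.is_admin = False  # undo the pollution so the demo is repeatable


def demo_safe():
    """Returns (payload rejected?, bob.is_admin) for the hardened merge."""
    alice, bob = User("alice"), User("bob")
    try:
        merge_safe(ATTACKER_INPUT, alice)
        rejected = False
    except ValueError:
        rejected = True
    return rejected, bob.is_admin
```

The same idea applies to any "update object from user-supplied dict" helper: the fix is an allowlist of settable attribute names, never a generic recursive setattr.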

Memory Integrity Enforcement: A complete vision for memory safety in Apple devices
Epic announcement from Apple! 🔥 Apple introduced Memory Integrity Enforcement (MIE), a comprehensive memory safety protection system built into iPhone 17 and iPhone Air that combines the Enhanced Memory Tagging Extension (EMTE) with secure memory allocators and tag confidentiality protections. MIE works synchronously and always-on to block buffer overflows and use-after-free vulnerabilities by tagging memory allocations with secrets that must match for access to be granted, while also protecting against side-channel and speculative-execution attacks. MIE effectively blocks exploitation paths in real-world exploit chains, making it significantly more difficult and expensive for attackers to develop and maintain mercenary spyware targeting iOS devices.

💡 This seems like it’s going to be the biggest net improvement to average consumer device security in a while, and it’s been thoughtfully designed and integrated with hardware so it’s a) always on b) with minimal performance impact 🤯 Shout-out to Google for also investing in MTE for Pixel devices. Huge.

💡 Almost always there are stronger market forces for “build the new shiny thing” and “ship it faster” and “lol pay us to get the logs or SSO” vs “we’ve spent a ton of money making it secure by default for you.” Huge props to companies making investments like this.

💡 Now if only there wasn’t a major supply chain disaster every week on NPM… (to be clear, this is a challenge for all package ecosystems)

Sponsor

📣 From Overwhelmed to Efficient: Elastic’s Security Transformation

What if your security team could turn hours of manual scanning into minutes? That’s exactly what Elastic discovered with ProjectDiscovery. By automating the heavy lifting (including tricky cases like Next.js), they saved dozens of hours and gained the freedom to focus on strategic projects that move security forward. See how the Elastic team was able to make meaningful gains in proactive defense [Read the case study]

“Elastic scanned 14,500 assets in under 5 minutes.” 🤯 

Cloud Security

Hardening Google Cloud: Insights from the latest Cloud VRP bugSWAT
An overview of the recent event where Google Cloud invited 20 top hackers to montage over a few days and report as many vulnerabilities as possible. 91 identified vulnerabilities, ~$1.6M paid out. High impact findings: a network egress filter bypass enabling SSRF attacks against instance metadata services, and SQL injection vulnerabilities in BigQuery Connector that could allow privilege escalation.

Simulating Ransomware with AWS KMS
I’ve already covered in tl;dr sec a number of posts on using KMS + an external key for ransomware purposes (e.g. Fog Security’s Jason Kao, Chris Farris), but I thought this overview and walk through by Alexis Obeng was useful. If you joined recently and haven’t already read posts on this, basically the idea is an attacker uses a key they control to encrypt resources (e.g. RDS, EBS) and then deletes the key to make the data inaccessible without the attacker’s copy of the key.

💡 Seems like if your company doesn’t use KMS with external keys, a Service Control Policy or Resource Control Policy to block that from happening at all is 👌 
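An added example (not from Alexis's walkthrough) of the detection side: flagging a CreateKey with external key material that is later followed by ScheduleKeyDeletion in CloudTrail. The records are constructed and trimmed to the fields the check reads, and the field names assume the standard CloudTrail layout for KMS events:

```python
# Added example, not from the original post: flags the "external key, then delete it"
# KMS pattern in CloudTrail. Records below are constructed and trimmed, not real logs.
KEY_ID = "1234abcd-12ab-34cd-56ef-1234567890ab"  # constructed key id
RECORDS = [
    {"eventSource": "kms.amazonaws.com", "eventName": "CreateKey",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/demo-user"},
     "requestParameters": {"origin": "EXTERNAL", "keySpec": "SYMMETRIC_DEFAULT"},
     "responseElements": {"keyMetadata": {"keyId": KEY_ID}}},
    {"eventSource": "kms.amazonaws.com", "eventName": "ImportKeyMaterial",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/demo-user"},
     "requestParameters": {"keyId": KEY_ID}},
    {"eventSource": "kms.amazonaws.com", "eventName": "ScheduleKeyDeletion",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/demo-user"},
     "requestParameters": {"keyId": KEY_ID, "pendingWindowInDays": 7}},
    {"eventSource": "kms.amazonaws.com", "eventName": "CreateKey",  # benign: AWS-managed material
     "userIdentity": {"arn": "arn:aws:iam::111122223333:role/app"},
     "requestParameters": {"origin": "AWS_KMS"},
     "responseElements": {"keyMetadata": {"keyId": "benign-0000-key"}}},
]


def find_external_key_findings(records):
    """Returns findings for keys created with EXTERNAL material and any deletion scheduled on them."""
    external_keys = {}  # keyId -> identity that created it
    findings = []
    for rec in records:
        if rec.get("eventSource") != "kms.amazonaws.com":
            continue
        params = rec.get("requestParameters") or {}
        resp = rec.get("responseElements") or {}  # None when the API call failed
        who = (rec.get("userIdentity") or {}).get("arn", "unknown")
        if rec.get("eventName") == "CreateKey" and params.get("origin") == "EXTERNAL":
            key_id = (resp.get("keyMetadata") or {}).get("keyId")
            if key_id is None:
                continue  # failed CreateKey: nothing was created
            external_keys[key_id] = who
            findings.append({"severity": "medium", "rule": "kms_external_key_created",
                             "keyId": key_id, "actor": who})
        elif rec.get("eventName") == "ScheduleKeyDeletion" and params.get("keyId") in external_keys:
            findings.append({"severity": "high", "rule": "kms_external_key_deletion_scheduled",
                             "keyId": params["keyId"], "actor": who,
                             "pendingWindowInDays": params.get("pendingWindowInDays")})
    return findings
```

In a real pipeline the set of external-origin keys has to persist across log batches (the create and the delete can be days apart), and the keyId parameter may arrive as a full key ARN rather than the bare id.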

Sandboxed to Compromised: New Research Exposes Credential Exfiltration Paths in AWS Code Interpreters
Sonrai Security’s Nigel Sood demonstrates that sandboxed Bedrock AgentCore Code Interpreters, despite having "no external network access," can still have their AWS role credentials exfiltrated through the MicroVM Metadata Service (MMDS). There are simple filters that attempt to limit access to MMDS, but they can be trivially bypassed by splitting the request into multiple steps. The point: attackers can extract role credentials from Code Interpreter sandboxed environments and use them outside the interpreter to access whatever AWS services the interpreter has permissions for.

See also Nigel’s first article on Bedrock AgentCore Code Interpreters, in which he demonstrated that custom code interpreters can be coerced into performing AWS control plane actions by non-agentic identities.

Sponsored Tool

📣 Save Your Engineers
(From Privileged Access Toil)

Legacy PAM can't keep up with modern infrastructure. Disjointed AI and human identities expose risk. Engineering teams drown in complexity trying to catch up. 

Tune in Sept 25 to find out how teams use Teleport to eliminate privileged access toil by unifying all identity types, removing elevated privileges, and establishing a single source of truth.

👉 Register Now 👈

Supply Chain

Quick note: Upon reflection, I think I was a bit unfairly snarky about GitHub’s (specifically NPM’s) handling of secret scanning and PII leaking into NPM packages in issue #294, shout-out to Zach Steindler for sending me a very polite and fair email about it. I appreciate his (and your, dear reader) feedback! 🙏 

npm debug and chalk packages compromised
Aikido’s Charlie Eriksen discovered that an NPM library maintainer with access to a number of popular repos was compromised via phishing email, and the packages were injected with obfuscated code that silently intercepts crypto transactions in browsers and redirects funds to attacker-controlled wallets. Socket has a nice breakdown of the payload.

💡 Semgrep has also open sourced an MIT licensed Semgrep rule that you can use to discover if you were running a vulnerable package.

s1ngularity's aftermath: analysis of Nx supply chain attack
Nice follow-up post by Wiz’s Rami McCarthy. The attack exfiltrated over 2,000 secrets and 20,000 files from 1,700+ users, with attackers later exposing 6,700+ private repositories. The attack leveraged AI tools (Claude, Gemini, Amazon Q) to identify sensitive files to exfiltrate, with 3 distinct payloads across the malicious Nx packages. The AI-driven exfiltration was only successful in about 25% of cases due to CLI configuration issues and LLM safety guardrails.

💡 It was neat to see how the attack used several distinct prompt payloads, see the post for the specific prompts. Also interesting that the non-deterministic nature of LLMs and refusals helped limit the attack success rate 😂 

Releases now support immutability in public preview
GitHub has introduced immutable releases to enhance supply chain security by preventing tampering with release assets and tags after publication. Once enabled at the repo or organization level, all new releases become immutable with locked assets and protected tags, and receive signed attestations in Sigstore bundle format that can be verified using GitHub CLI commands, or you can integrate it with Sigstore-compatible tooling and have automated policy enforcement in CI/CD pipelines.

💡 Love it, it’s great to see platforms building in more security features that can raise the ecosystem security bar.

Blue Team

0x4D31/finch
By Adel Ka: A fingerprint-aware TLS reverse proxy. Use Finch to outsmart bad traffic—collect client fingerprints (JA3, JA4 +QUIC, JA4H, HTTP/2) and act on them: block, reroute, tarpit, or deceive in real time (e.g. via on‑the‑fly, LLM‑generated responses via Galah).

iCloud Calendar abused to send phishing emails from Apple’s servers
Threat actors are abusing iCloud Calendar invites to send callback phishing emails that appear to come from Apple's legitimate email servers ([email protected]), allowing them to bypass email security checks like SPF, DMARC, and DKIM. The scammers create calendar invites with phishing text in the Notes field, inviting Microsoft 365 email addresses they control (likely mailing lists that forward to targets), which then deliver fake PayPal charge notifications with phone numbers that victims are urged to call.

Red Team

MeetC2 a.k.a Meeting C2
Dhiraj Mishra introduces MeetC2, a cross-platform proof-of-concept C2 framework that uses the Google Calendar API as a covert communication channel between attackers and compromised systems. Commands are sent to compromised systems by creating events, and the command output is returned by updating the event descriptions.

TLS NoVerify: Bypass All The Things
Felix Eberstaller introduces tls-preloader, a universal TLS certificate bypass tool for security researchers analyzing embedded devices and industrial applications, that works by using LD_PRELOAD to intercept certificate verification functions across multiple libraries (OpenSSL, GnuTLS, NSS, mbedTLS, wolfSSL, libcurl). Tls-preloader dynamically interposes certificate verification functions to return success values, eliminating the need for binary patching, recompilation, or complex certificate infrastructure when analyzing network traffic.

TIL: “When executing binaries that change privileges, the kernel sets AT_SECURE=1, causing the dynamic linker to ignore most LD_* environment variables.”

mandatoryprogrammer/thermoptic
By Matthew Bryant: A next-generation HTTP stealth proxy which perfectly cloaks requests as the Chrome browser across all layers of the stack. It’s designed to bypass services that use fingerprinting such as JA4+ to block certain HTTP clients. Using this proxy, you can use your preferred HTTP clients like curl and still have fingerprints indistinguishable from a real (Chrome/Chromium) web browser. thermoptic also comes with features to mitigate JavaScript-based fingerprinting.

💡 Mandatory is the hero we need but don’t deserve 🥹

Subverting code integrity checks to locally backdoor Signal, 1Password, Slack, and more
Trail of Bits’ Darius Houle describes a vulnerability affecting Electron applications that allows attackers to bypass code integrity checks by tampering with executable content outside of their code integrity checks (V8 heap snapshot files). This allows attackers to inject malicious JavaScript code that executes when the application loads, which is particularly dangerous because the modified files don't trigger OS code-signing checks, making it an ideal persistence mechanism for attackers with filesystem write access to user-writable application directories. Fixed by Electron as CVE-2025-55305.

AI + Security

The crazy, true story behind the first AI-powered ransomware
Apparently the “PromptLock” malware discovered by ESET researchers on VirusTotal (referenced in tl;dr sec #294) was a project some NYU grad students were prototyping for a paper. Lol. Paper link, NYU write-up.

Building a Personal AI Infrastructure (PAI)
Super cool post by my bud Daniel Miessler on his Personal AI Infrastructure (PAI) system called "Kai," which uses a file-system-based context architecture to create a powerful digital assistant that he iteratively extends to help him with any task. The core unique insights in my opinion are:

  • How his custom commands/agents are dynamically hydrated with relevant context for the task to complete, see his ~/.claude/context folder structure for details.

  • How he ensures Claude actually reads the desired context files (via prompting techniques and a custom user prompt context loader TypeScript file).

  • The examples of how everything fits together and applications are also cool, like retrieving notes to self, generating custom images, security testing, etc.

See also Daniel’s YouTube video about it and GitHub repo.

Can AI weaponize new CVEs in under 15 minutes?
Efi Weiss and Nahman Khayet describe an AI system they built that generates working exploits for published CVEs in 10-15 minutes for ~$1 each. Their multi-stage pipeline uses Claude Sonnet 4.0 to analyze CVE advisories and code patches (e.g. from a GitHub Advisory), creates both vulnerable test applications and exploit code, and validates exploits by testing against both vulnerable and patched versions to eliminate false positives. The system uses pydantic-ai and dagger for containerization, and successfully created 14 working exploits so far across multiple languages including JavaScript, Python, and Ruby.

See https://autoexploit.ai for the exploits generated, as well as this GitHub repo.

💡 Questions I’m curious about: their system worked on 14 CVEs, but how many did they test on? That is, what’s the success rate? Does it work better or worse on different programming languages, repo sizes, vulnerability classes, other?

💡 Checks their current roles on LinkedIn: Israel Defense Forces 🤔 

From CVE Entries to Verifiable Exploits: An Automated Multi-Agent Framework for Reproducing CVEs
Paper by Saad Ullah et al. (including Christopher Kruegel and Giovanni Vigna) presenting CVE-GENIE, an automated, LLM-based multi-agent framework designed to reproduce CVEs. Given a CVE entry as input, CVE-GENIE gathers the relevant resources, automatically reconstructs the vulnerable environment, and (re)produces a verifiable exploit. CVE-GENIE successfully reproduces ~51% (428 of 841) of CVEs published in 2024-2025, complete with their verifiable exploits, at an average cost of $2.77 per CVE.

💡 Implication of this and the above blog: If CVEs can be cost effectively weaponized at scale quickly, defenders need to up their game, as rolling out patches quickly and reducing detection time becomes more critical.


✉️ Wrapping Up

Have questions, comments, or feedback? Just reply directly, I’d love to hear from you.

If you find this newsletter useful and know other people who would too, I'd really appreciate if you'd forward it to them 🙏

Thanks for reading!

Cheers,
Clint
@clintgibler