☀️ My Least Favorite Type of Tan(Stack)

I had a fun personal anecdote to share but I didn’t have time to write it up this week.

For now, #HugOps to everyone dealing with yet another supply chain attack.

I hope you’re getting the support you need 🫂 

Sponsor

📣 Cloud Security Has Changed.
Has Your Strategy?

Agentic AI is reshaping cloud risk. AI agents, machine identities, and distributed data systems are creating new privilege pathways, dark data, and attack surfaces that traditional posture tools were not built to govern. Join Palo Alto Networks product leaders to learn how Cortex Cloud helps teams secure identity, data, and AI across the modern cloud stack.

👉 Watch Webinar 👈

AppSec

V4bel/dirtyfrag
Dirty Frag, discovered and reported by Hyunwoo Kim, is a universal Linux LPE vulnerability class that chains two page-cache write bugs (xfrm-ESP and RxRPC) to achieve deterministic root privilege escalation without race conditions across major distributions including Ubuntu, RHEL, Fedora, and openSUSE.

Copy Fail Flaw: 5 YARA Rules for Detection and Remediation
ReversingLabs' Maik Morgenstern covers Copy Fail (CVE-2026-31431), a Linux kernel privilege escalation that lets any unprivileged user write 4 bytes into the in-memory copy of any readable file, including system binaries like /usr/bin/su. That's enough to neuter the password check, so the next run of su returns a root shell. The on-disk file is never touched, so standard file integrity tools see nothing. The exploit runs identically on every major Linux distribution shipped since 2017, making shared-kernel environments (multi-tenant servers, CI/CD pipelines, container clusters) the highest-risk targets.

Within a day, ReversingLabs had observed more than a dozen variants in the wild, including compiled C reimplementations of the original PoC and a separate rootsecdev toolkit that targets /etc/passwd instead of /usr/bin/su. Most were trivial reformattings with different hashes but identical execution, so ReversingLabs built a five-tier YARA ruleset anchored on a cryptographic string the exploit fundamentally depends on. High-confidence rules catch the original Theori PoC and the rootsecdev toolkit. Medium-confidence rules cover reimplementations of the core technique along with compiled and dropper variants. A broad hunting rule covers Python, C, and Go variants that combine the cryptographic string with a known target binary.

Sponsor

📣 Browser & identity attacks matrix —
open-source from Push Security

Most attack frameworks weren't built for how breaches actually happen today. Attackers don't need network access or endpoint compromise; they go straight for the browser and identity layer. Push Security's Browser & Identity Attacks Matrix maps 51 techniques across 10 tactic phases, covering AiTM phishing, ClickFix, device code phishing, OAuth consent abuse, extension supply chain attacks, and more.

It's open-source, community-maintained, and built for how modern attacks actually work.

👉 Map your identity attack surface 👈

This is super cool! Probably the best breakdown I’ve seen of modern browser and identity based attacks, including some subtle stuff + a number that Push Security discovered iirc. And neat that it’s open source 👍️ 

Cloud Security

BigQuery threat model report
Google Cloud published a threat model for BigQuery covering 14 attack vectors across data confidentiality, integrity, and availability, each mapped to STRIDE categories and MITRE ATT&CK tactics. The model surfaces schema tampering to corrupt downstream pipelines, privilege escalation and service account impersonation, data exfiltration via export jobs to attacker-controlled Cloud Storage buckets, persistence through hard to detect IAM bindings on datasets or scheduled queries, spoofing via leaked service account keys or OAuth tokens, and cost-based denial of service from resource-intensive queries that drain on-demand budgets or starve slot capacity for other users.

The recommended mitigations are mostly standard cloud hygiene anchored in BigQuery specifics, including least privilege IAM with regular audits via Security Command Center, VPC Service Controls perimeters to limit egress, Cloud Audit Log monitoring for suspicious calls like SetIamPolicy and datasets.patch, Workload Identity Federation instead of service account keys, custom query quotas to bound DoS impact, and table snapshots for recovery.

The vulnerabilities include “JIT ghost identity” creation, provider collision via Unicode homoglyphs (one IdP using a Cyrillic character that passes as distinct from its ASCII twin), username parsing attacks where security checks and downstream code disagree on the <ProviderName>_<sub> format, and IdP identifier hijacking where unclaimed email domains route auth flows to providers an attacker controls. All four come from the same mistake. Security sensitive attributes like tenantID or role get read straight from federated tokens an attacker controls, rather than computed on the server from a verified email domain. AttributeMapping makes this worse. A malicious IdP can inject arbitrary values into custom user attributes, bypassing Cognito's write controls.

Supply Chain

Mini Shai-Hulud Strikes Again: TanStack + more npm Packages Compromised
Wiz's Rami McCarthy, Amitai Cohen, and Benjamin Read describe the most recent Internet-is-on-fire npm supply chain attack by TeamPCP that compromised TanStack, UiPath, and Mistral AI packages. The GitHub Actions exploit chain: the forked a repo and renamed it (to evade fork-list searches), oopened a PR that triggered the pull_request_target workflow, the attacker’s fork code poisioned the GitHub Actions cache with a malicious pnpm store, and when a legitimate maintainer PR was later merged into main, the release workflow restored the poisoned cache. The attacker-controlled binaries then extracted OIDC tokens directly from runner process memory to publish malicious packages without stealing npm credentials. The post provides IOCs, detection guidance, and remediation steps.

YMMV but I came across these:

• GLPMC/Tanstack-Worm-Detector

• omarpr/mini-shai-hulud-ioc-scanner

Shai-Hulud Goes Open Source
Datadog's Ryan Simon, Sebastian Obregoso, and Greg Foss analyze the complete source code of the Shai-Hulud offensive framework attributed to TeamPCP, which was briefly published on GitHub before being removed. The TypeScript/Bun-based modular toolkit harvests credentials from 100+ file paths, extracts GitHub Actions Runner.Worker memory via /proc/<pid>/mem, enumerates AWS Secrets Manager/SSM across 17 regions, and exfiltrates data using hybrid encryption to git-tanstack[.]com or GitHub dead-drop repos.

The framework poisons npm packages via stolen tokens and OIDC abuse while forging complete Sigstore provenance bundles (Fulcio certificates + Rekor transparency logs), establishes persistence through VSCode tasks and Claude Code SessionStart hooks, and implements a destructive deadman switch (rm -rf ~/) that triggers on GitHub token revocation. 19 of 22 previously documented TeamPCP TTPs are present in the codebase.

💡 Great breakdown, and honestly pretty thoughtful tooling.

Blue Team

ridgelinecyberdefence/vanguard
Tool that packs the full incident response lifecycle into a single Go binary, including Velociraptor, Volatility, KAPE, and the standard forensics stack, plus 28 MITRE-mapped IR use cases (ransomware, BEC, lateral movement, credential theft, rootkit detection). Runs on Windows or Linux with built-in case management, tamper-evident evidence handling, and full air-gapped support.

gadievron/honeyslop
Gadi Evron, John Cartwright, Daniel Cuthbert, and Michal Kamensky created honeyslop, a collection of deliberately vulnerable-looking code canaries designed to identify AI-hallucinated vulnerability reports by embedding unique UUIDs, fake function names (like zqx_tarnish_v3), and a fabricated CVE-2025-99919 that self-identify slop reports when grep'd.

💡 “Quick PoC, vibe-coded as a joke (not production-grade),” but I like the idea.

referefref/OpenAIPot
Tool by James Brine that poses as an OpenAI-compatible API endpoint to catch attackers using stolen or planted credentials. Valid keys pass through to OpenAI, while decoy keys trigger a system prompt swap that injects deceptive content into the response. Repeat attempts trigger IP blocking with realistic out-of-tokens errors so attackers don't realize they've been caught, and logs feed into SIEMs and Slack via integrations mapped to MITRE Engage.

Red Team

We get paid to break into buildings for a living. Ask us anything!
Reddit AMA with TrustedSec's Paul Koblitz, Costa Petros and David Boyd answering questions about physical penetration testing, drawing on years of experience breaking into buildings for clients.

Redefining AI Red Teaming in the Agentic Era
Dreadnode's Raja Sekhar Rao Dheekonda released an agentic AI red teaming system built on their open-source SDK (45+ attack strategies, 450+ prompt transforms, 130+ scorers). The operator describes the objective in plain English, and the agent selects attacks and transforms, generates an executable workflow, runs it with full tracing, and returns a structured assessment with severity ratings and compliance tags. That's the orchestration work operators currently do by hand with frameworks like PyRIT, Garak, and Promptfoo. The methodology and full attack catalog can be found in the arXiv paper.

In a case study against Meta's Llama Scout, the agent ran 674 attacks across 68 harmful-content objectives in 3 hours with zero code, succeeding 85% of the time and identifying 232 critical findings. Across the three jailbreak strategies tested, Crescendo (gradual conversational escalation) and Graph of Attacks (exploring prompt variations) both hit 100%, while Tree of Attacks (branching prompt search) needed about three times as many tries to reach 96%. Even asking plainly, with no jailbreak technique at all, still produced harmful content 80% of the time.

Elze recommends leaning on layers attackers can't study as easily: host hardening (WDAC, ASR rules, LSA Protection), SIEM detections built on raw telemetry rather than EDR verdicts, and identity-layer detection (Entra ID risk policies, token theft indicators, directory changes).

AI + Security

distil-labs/distil-ai-slop-detector
Chrome extension by Distil Labs that detects AI-generated text with a smaller, 242MB fine tuned model (Gemma 3 270M with GPT OSS 120B (teacher)) that can run entirely in-browser, plus a Claude Desktop skill and CLI for training your own classifiers using the same distillation pipeline.

Daybreak: Frontier AI for cyber defenders
OpenAI announces Daybreak, which seems like their version of Project Glasswing, with an extra focus on making software resilient by design. “Defenders can bring secure code review, threat modeling, patch validation, dependency risk analysis, detection, and remediation guidance into the everyday development loop so software becomes more resilient from the start.” Partner quotes from Cloudflare, Cisco, CrowdStrike, Palo Alto Networks, Oracle, Zscaler, Akamai, and Fortinet.

Mythos finds a curl vulnerability
Daniel Stenberg digs into the Mythos scan of curl's 178K lines of C. The report flagged five "confirmed" vulnerabilities, but after the curl security team's review three were documented API behavior, one was "just a bug," and only one became a low-severity CVE. The results match what curl has already seen from AISLE, Zeropath, and OpenAI Codex Security, which together triggered 200 to 300 bugfixes over the past 8-10 months. Daniel so far finds that AI tools are good at finding usual and established kinds of errors, not (yet) finding novel kinds of bugs.

“My personal conclusion can however not end up with anything else than that the big hype around this model so far was primarily marketing. I see no evidence that this setup finds issues to any particular higher or more advanced degree than the other tools have done before Mythos.”

Behind the Scenes Hardening Firefox with Claude Mythos Preview
Mozilla's Brian Grinstead, Christian Holler, and Frederik Braun detail how Mozilla built an agentic harness on top of their existing fuzzing infrastructure that writes and runs reproducible test cases to confirm bugs, scales across ephemeral VMs, and integrates with their security lifecycle for dedup, tracking, and triage. Running Claude Mythos Preview, Mozilla found 271 bugs in Firefox 150, including sandbox escapes, race conditions, and use-after-free bugs that fuzzers miss.

Audit logs also validated existing defenses, showing the model repeatedly trying prototype pollution sandbox escapes only to get shut down by Mozilla's frozen-prototypes architecture. Looking ahead, Mozilla plans to wire the pipeline into CI to scan patches as they land, and recommends other projects build similar pipelines now.

💡 Great example of the power of a target-specific (in this case, Firefox) harness providing additional value on top of a capable underlying model. I also liked: the description of building a hardening pipeline, how the right architecture eliminated classes of vulnerabilities, and more context around the number and type of bugs found.

Misc

Misc

• Interesting photography trick examples

• Aakash Gupta - The future of cinema is ScreenX, a 270-degree field of view

• Relentless - How to Start a Cult | Lulu Cheng Meservey

• Ari at Home meets Wayne Brady - Freestyle creating beats and rapping

• Turning my toddler’s stories into songs - Catchy actually, and 🥹

• Best Crazy Frog Remix

• Why are chains used to guide rain down? - Apparently someone is creating informational songs around random facts. Probably the music, script, and video shots are all AI generated. Kind of interesting though.

Tech

• facebookincubator/below - A time traveling resource monitor for modern Linux systems

• GitLab Act 2 - Open letter from GitLab that they’re restructuring, and a likely “workforce reduction”

• Building for the future - Cloudflare is laying off 1,100 (~20%) employees to prepare for “the agentic AI era”

AI

• OpenAI Flips the Script - Every CEO Dan Shipper explains why OpenAI’s coding app has become his daily driver for work, head of growth shares useful workflows.

• Fiona Fung, Eng Director for Claude Code - Running an AI-native engineering org

• Claude for Creative Work - Anthropic released MCP connectors that integrate Claude with creative software including Blender, Autodesk Fusion, Adobe Creative Cloud, Ableton, Splice, SketchUp, Resolume, and Affinity by Canva.

• Agents for financial services and insurance - Anthropic released ten agent templates for financial services workflows including pitch building, KYC screening, and month-end closing, available as plugins in Claude Cowork/Code or as cookbooks for Claude Managed Agents. Repo: anthropics/financial-services.

• Theo on Anthropic, Cursor, and xAI/SpaceX - Some interesting (potential) dynamics I hadn’t though of

• Pieter Levels - Replaced all his Chrome extensions with his own vibe coded one

• Your CEO is suffering from AI psychosis

✉️ Wrapping Up

Have questions, comments, or feedback? Just reply directly, I’d love to hear from you.

If you find this newsletter useful and know other people who would too, I'd really appreciate if you'd forward it to them 🙏

Thanks for reading!

Cheers,
Clint

P.S. Feel free to connect with me on LinkedIn 👋