<!DOCTYPE html><html lang="en"><head><meta http-equiv="Content-Type" content="text/html charset=UTF-8"><meta charset="UTF-8"><meta name="viewport" content="width=device-width"><meta name="x-apple-disable-message-reformatting"><title>TLDR InfoSec</title><meta name="color-scheme" content="light dark"><meta name="supported-color-schemes" content="light dark"><style type="text/css">
:root {
color-scheme: light dark; supported-color-schemes: light dark;
}
*,
*:after,
*:before {
-webkit-box-sizing: border-box; -moz-box-sizing: border-box; box-sizing: border-box;
}
* {
-ms-text-size-adjust: 100%; -webkit-text-size-adjust: 100%;
}
html,
body,
.document {
width: 100% !important; height: 100% !important; margin: 0; padding: 0;
}
body {
-webkit-font-smoothing: antialiased; -moz-osx-font-smoothing: grayscale; text-rendering: optimizeLegibility;
}
div[style*="margin: 16px 0"] {
margin: 0 !important;
}
table,
td {
mso-table-lspace: 0pt; mso-table-rspace: 0pt;
}
table {
border-spacing: 0; border-collapse: collapse; table-layout: fixed; margin: 0 auto;
}
img {
-ms-interpolation-mode: bicubic; max-width: 100%; border: 0;
}
*[x-apple-data-detectors] {
color: inherit !important; text-decoration: none !important;
}
.x-gmail-data-detectors,
.x-gmail-data-detectors *,
.aBn {
border-bottom: 0 !important; cursor: default !important;
}
.btn {
-webkit-transition: all 200ms ease; transition: all 200ms ease;
}
.btn:hover {
background-color: #f67575; border-color: #f67575;
}
* {
font-family: Arial, Helvetica, sans-serif; font-size: 18px;
}
@media screen and (max-width: 600px) {
.container {
width: 100%; margin: auto;
}
.stack {
display: block!important; width: 100%!important; max-width: 100%!important;
}
.btn {
display: block; width: 100%; text-align: center;
}
}
body,
p,
td,
tr,
.body,
table,
h1,
h2,
h3,
h4,
h5,
h6,
div,
span {
background-color: #FEFEFE !important; color: #010101 !important;
}
@media (prefers-color-scheme: dark) {
body,
p,
td,
tr,
.body,
table,
h1,
h2,
h3,
h4,
h5,
h6,
div,
span {
background-color: #27292D !important; color: #FEFEFE !important;
}
}
a {
color: inherit !important; text-decoration: underline !important;
}
</style><!--[if mso | ie]>
<style type="text/css">
a {
background-color: #FEFEFE !important; color: #010101 !important;
}
@media (prefers-color-scheme: dark) {
a {
background-color: #27292D !important; color: #FEFEFE !important;
}
}
</style>
<![endif]--></head><body class="">
<div style="display: none; max-height: 0px; overflow: hidden;">Tanto Security's Sam C reverse-engineered the PUSR USR-G806AU 4G LTE industrial router (firmware 1.0.41 and 2.0.13) and found an undocumented uid=0 β β β β β β β β β β β β β β β β β β β β β β β β β β β β β β β β β β β β β β β β β β β β β β β β β β β β </div>
<div style="display: none; max-height: 0px; overflow: hidden;">
<br>
</div>
<table align="center" class="document"><tbody><tr><td valign="top">
<table align="center" border="0" cellpadding="0" cellspacing="0" class="container" width="600"><tbody><tr class="inner-body"><td>
<table align="center" border="0" cellpadding="0" cellspacing="0" width="100%"><tbody><tr class="header"><td bgcolor="" class="container">
<table width="100%"><tbody><tr><td class="container">
<table align="center" bgcolor="" border="0" cellpadding="0" cellspacing="0" style="margin-top: 0px;" width="100%"><tbody><tr><td style="padding: 0px;">
<table align="center" bgcolor="" border="0" cellpadding="0" cellspacing="0" width="100%"><tbody><tr><td class="container" style="padding: 15px 15px;">
<div style="text-align: center;">
<span style="margin-right: 0px;"><a href="https://tracking.tldrnewsletter.com/CL0/https:%2F%2Ftldr.tech%2Finfosec%3Futm_source=tldrinfosec/1/0100019e07b25bf2-000de689-08da-43d0-a5ea-d1f4568fdc0f-000000/D98Ay6C3rgdyZoVM-cx-kYv_mCNTCL0Nz_Vc-_NeEnI=452" rel="noopener noreferrer" target="_blank"><span>Sign Up</span></a>
|<span style="margin-right: 2px; margin-left: 2px;"><a href="https://tracking.tldrnewsletter.com/CL0/https:%2F%2Fadvertise.tldr.tech%2F%3Futm_source=tldrinfosec%26utm_medium=newsletter%26utm_campaign=advertisetopnav/1/0100019e07b25bf2-000de689-08da-43d0-a5ea-d1f4568fdc0f-000000/Vu9mEttAy5tflzWlcrSp6Rq1YJbM0BMvT8vX4cKal9I=452" rel="noopener noreferrer" target="_blank"><span>Advertise</span></a></span>|<span style="margin-left: 2px;"><a href="https://tracking.tldrnewsletter.com/CL0/https:%2F%2Fa.tldrnewsletter.com%2Fweb-version%3Fep=1%26lc=156924ca-84b7-11f0-8d58-47c5c04ad337%26p=5bd6de66-4adc-11f1-b437-bb2a4cee4ce1%26pt=campaign%26t=1778245589%26s=fb2e4b420f48b161fc07c7644cab8e030dd87204718933402b19a54beb9a7169/1/0100019e07b25bf2-000de689-08da-43d0-a5ea-d1f4568fdc0f-000000/TQAxlg-QohEjwngPIIo3ozvWdLsHzfWXG2g7gKXxufA=452"><span>View Online</span></a></span>
<br>
</span></div>
</td></tr></tbody></table>
<table align="center" bgcolor="" border="0" cellpadding="0" cellspacing="0" width="100%"><tbody><tr><td class="container" style="text-align: center;"><span data-darkreader-inline-color="" style="--darkreader-inline-color:#3db3ff; color: rgb(51, 175, 255) !important; font-size: 30px;">T</span><span style="font-size: 30px;"><span data-darkreader-inline-color="" style="color: rgb(232, 192, 96) !important; --darkreader-inline-color:#e8c163; font-size:30px;">L</span><span data-darkreader-inline-color="" style="color: rgb(101, 195, 173) !important; --darkreader-inline-color:#6ec7b2; font-size:30px;">D</span></span><span data-darkreader-inline-color="" style="--darkreader-inline-color:#dd6e6e; color: rgb(220, 107, 107) !important; font-size: 30px;">R</span>
<br>
</td></tr></tbody></table>
<br>
<table align="center" bgcolor="" border="0" cellpadding="0" cellspacing="0" width="100%"><tbody><tr id="together-with"><td align="center" height="20" style="vertical-align:middle !important;" valign="middle" width="100%"><strong style="vertical-align:middle !important; height: 100%;">Together With </strong>
<a href="https://tracking.tldrnewsletter.com/CL0/https:%2F%2Fwww.sysdig.com%2Fheadlesscloudsecurity/1/0100019e07b25bf2-000de689-08da-43d0-a5ea-d1f4568fdc0f-000000/yQw_LD-9vfzizcs5vzpa4_vpJiWk2KvoQ-SxZRAPW_s=452"><img src="https://images.tldr.tech/sysdig.png" valign="middle" style="vertical-align: middle !important; height: 100%;" alt="Sysdig"></a></td></tr></tbody></table>
<table style="table-layout: fixed; width:100%;" width="100%"><tbody><tr><td style="padding:0;border-collapse:collapse;border-spacing:0;margin:0;">
<div style="text-align: center;">
<h1><strong>TLDR Information Security <span id="date">2026-05-08</span></strong></h1>
</div>
</td></tr></tbody></table>
<table style="table-layout: fixed; width:100%;" width="100%"><tbody><tr id="sponsy-copy"><td class="container" style="padding: 15px 15px;">
<div class="text-block">
<span>
<a href="https://tracking.tldrnewsletter.com/CL0/https:%2F%2Fwww.sysdig.com%2Fheadlesscloudsecurity/2/0100019e07b25bf2-000de689-08da-43d0-a5ea-d1f4568fdc0f-000000/Th8AG8TEAk6Sd0O5bHtIfJ97dXj-QPPxst0lFKW3VLY=452">
<span>
<strong>Sysdig Introduces the Industry's First Headless Cloud Security Platform Built for AI Agents (Sponsor)</strong>
</span>
</a>
<br>
<br>
<span style="font-family: "Helvetica Neue", Helvetica, Arial, Verdana, sans-serif;">
The dashboard is dead. Security wasn't built for machine-speed attacks, and it shows. Now available from Sysdig: <a href="https://tracking.tldrnewsletter.com/CL0/https:%2F%2Fwww.sysdig.com%2Fheadlesscloudsecurity%3Futm_campaign=Primary05082026%26utm_source=tldrai%26utm_medium=newsletter/1/0100019e07b25bf2-000de689-08da-43d0-a5ea-d1f4568fdc0f-000000/zAGW-wIGyhAK3tjryG_0y0wgSMJLrTxSZgdhnHTeV2Q=452" rel="noopener noreferrer nofollow" target="_blank"><span>headless cloud security</span></a> that embeds protection directly into AI agentsβso teams can detect, prioritize, and respond without waiting on dashboards or workflows. Built for modern cloud environments, it delivers fast, adaptive defense inside the tools you already use. Start reducing risk today. <a href="https://tracking.tldrnewsletter.com/CL0/https:%2F%2Fwww.sysdig.com%2Frequest-a-demo%3Futm_campaign=Primary05082026%26utm_source=tldrai%26utm_medium=newsletter/1/0100019e07b25bf2-000de689-08da-43d0-a5ea-d1f4568fdc0f-000000/N3f64_XYSOdj_IoqF8s2yG5Q0YIT47ESmEBB3GWPmHs=452" rel="noopener noreferrer nofollow" target="_blank"><span>See it in action</span></a>.
</span>
</span>
</div>
</td></tr></tbody></table>
</td></tr></tbody></table>
</td></tr></tbody></table>
</td></tr>
<tr bgcolor=""><td class="container">
<table align="center" bgcolor="" border="0" cellpadding="0" cellspacing="0" width="100%"><tbody><tr><td style="padding: 0px;">
<table align="center" bgcolor="" border="0" cellpadding="0" cellspacing="0" width="100%"><tbody><tr><td class="container" style="padding-top: 0px; padding-bottom: 0px;">
<div class="text-block">
<div style="text-align: center;"><span style="font-size: 36px;">π</span></div></div>
</td></tr></tbody></table>
<table align="center" bgcolor="" border="0" cellpadding="0" cellspacing="0" width="100%"><tbody><tr><td class="container" style="padding-top: 0px; padding-bottom: 0px;">
<div class="text-block">
<div style="text-align: center;">
<h1><strong>Attacks & Vulnerabilities</strong></h1>
</div>
</div>
</td></tr></tbody></table>
<table style="table-layout: fixed; width: 100%;" width="100%"><tbody><tr><td style="padding:0;border-collapse:collapse;border-spacing:0;margin:0;" valign="top">
<table align="center" border="0" cellpadding="0" cellspacing="0" width="100%"><tbody><tr><td class="container" style="padding: 15px 15px;">
<div class="text-block">
<span>
<a href="https://tracking.tldrnewsletter.com/CL0/https:%2F%2Ftechcrunch.com%2F2026%2F05%2F07%2Fhackers-hack-victims-hacked-by-other-hackers%2F%3Futm_source=tldrinfosec/1/0100019e07b25bf2-000de689-08da-43d0-a5ea-d1f4568fdc0f-000000/_FZa2o_I1w7AiaEaae4T271V_5mHrPWRS2m78FimD-Y=452">
<span>
<strong>Hackers hack victims hacked by other hackers (3 minute read)</strong>
</span>
</a>
<br>
<br>
<span style="font-family: "Helvetica Neue", Helvetica, Arial, Verdana, sans-serif;">
An unidentified group broke into servers already compromised by TeamPCP, ejected them, wiped their tooling, and deployed a self-spreading worm that targeted their cloud services. It also stole their credentials for resale, accessed brokerage accounts, and engaged in extortion, including phishing for password manager logins and using fake help desk sites, without bothering with slower crypto-mining schemes.
</span>
</span>
</div>
</td></tr></tbody></table>
<table align="center" border="0" cellpadding="0" cellspacing="0" width="100%"><tbody><tr><td class="container" style="padding: 15px 15px;">
<div class="text-block">
<span>
<a href="https://tracking.tldrnewsletter.com/CL0/https:%2F%2Ftantosec.com%2Fblog%2F2026%2F04%2Froute-to-root-in-4g-industrial-router%2F%3Futm_source=tldrinfosec/1/0100019e07b25bf2-000de689-08da-43d0-a5ea-d1f4568fdc0f-000000/5NJfE8dTKNC_AyFgD4ZNfABeflCM5RXafBu_HIeK2jg=452">
<span>
<strong>A Route to Root in a 4G Industrial Router (8 minute read)</strong>
</span>
</a>
<br>
<br>
<span style="font-family: "Helvetica Neue", Helvetica, Arial, Verdana, sans-serif;">
Tanto Security's Sam C reverse-engineered the PUSR USR-G806AU 4G LTE industrial router (firmware 1.0.41 and 2.0.13) and found an undocumented uid=0 account named usr whose password sat in the /bin/usr_root helper, encoded by adding 0x61 (mod 256) to each character of a 14-byte blob and piped into su - usr -c at runtime, tracked as CVE-2024-42682. The same binary's command allowlist also enables local privilege escalation via $(...) and backtick command substitution (omitted from its &;|# denylist) and via /bin/sh -c argument stacking that smuggles /sbin/tcpdump past the valid-command check, with the recovered password granting remote root over the SSH and Telnet daemons exposed by default on ports 2222 and 2233. Owners should block management interfaces (HTTP, SSH, Telnet on 80/1080/8008/8888/9080, 23/2233/2323, 2222) from untrusted networks since PUSR stopped responding after July 2024, and no fix has been confirmed. Developers should replace embedded-credential su wrappers with sudoers policies that avoid storing recoverable passwords on disk.
</span>
</span>
</div>
</td></tr></tbody></table>
<table align="center" border="0" cellpadding="0" cellspacing="0" width="100%"><tbody><tr><td class="container" style="padding: 15px 15px;">
<div class="text-block">
<span>
<a href="https://tracking.tldrnewsletter.com/CL0/https:%2F%2Faisle.com%2Fblog%2Faisle-discovers-38-critical-security-vulnerabilities-in-healthcare-software-used-by-100000-providers%3Futm_source=tldrinfosec/1/0100019e07b25bf2-000de689-08da-43d0-a5ea-d1f4568fdc0f-000000/P6PJxEtaHQA3Ma93Di3zRQA8m2t5XhhmZkQVj5_K-XU=452">
<span>
<strong>AISLE Discovers 38 CVEs in Healthcare Software Used by 100,000 Medical Providers (5 minute read)</strong>
</span>
</a>
<br>
<br>
<span style="font-family: "Helvetica Neue", Helvetica, Arial, Verdana, sans-serif;">
AISLE's autonomous AI analyzer disclosed 38 CVEs in OpenEMR, the ONC-certified electronic health record platform serving over 100,000 providers and 200 million patients, accounting for more than half of all OpenEMR GitHub advisories in Q1 2026. The findings include two CVSS 10.0 SQL injections (CVE-2026-24908 in the Patient REST API _sort parameter and CVE-2026-23627 in the Immunization search/report patient_id field) where unsanitized concatenation into ORDER BY and WHERE clauses enables UNION-based extraction, time-based blind injection, and RCE via FILE privileges, plus a FHIR CareTeam patient compartment bypass (CVE-2026-24487) caused by FhirCareTeamService failing to implement the marker interface that triggers patient-scoping filters, alongside a long tail of IDORs, stored XSS crossing the patient-to-clinician trust boundary, path traversals, and a session-timeout bypass. Defenders running OpenEMR should immediately upgrade past 8.0.0 and the three subsequent March patch releases, audit OAuth2 token scope enforcement on FHIR endpoints, and revoke FILE privileges from the OpenEMR database account to contain any pre-patch SQL injection compromise.
</span>
</span>
</div>
</td></tr></tbody></table>
</td></tr></tbody></table>
<table align="center" bgcolor="" border="0" cellpadding="0" cellspacing="0" width="100%"><tbody><tr><td class="container" style="padding-top: 0px; padding-bottom: 0px;">
<div class="text-block">
<div style="text-align: center;"><span style="font-size: 36px;">π§ </span></div>
</div>
</td></tr></tbody></table>
<table align="center" bgcolor="" border="0" cellpadding="0" cellspacing="0" width="100%"><tbody><tr><td class="container" style="padding-top: 0px; padding-bottom: 0px;">
<div class="text-block">
<div style="text-align: center;">
<h1><strong>Strategies & Tactics</strong></h1>
</div>
</div>
</td></tr></tbody></table>
<table style="table-layout: fixed; width: 100%;" width="100%"><tbody><tr><td style="padding:0;border-collapse:collapse;border-spacing:0;margin:0;" valign="top">
<table align="center" border="0" cellpadding="0" cellspacing="0" width="100%"><tbody><tr><td class="container" style="padding: 15px 15px;">
<div class="text-block">
<span>
<a href="https://tracking.tldrnewsletter.com/CL0/https:%2F%2Fblog.gitguardian.com%2Fthe-bot-fingerprint-detecting-llm-passwords%2F%3Futm_source=tldrinfosec/1/0100019e07b25bf2-000de689-08da-43d0-a5ea-d1f4568fdc0f-000000/jB5rteRD6YVvr8m4CHDdzYT0lIChbNdeBAoRY6w3nsg=452">
<span>
<strong>The Bot Left a Fingerprint: Detecting and Attributing LLM-Generated Passwords (8 minute read)</strong>
</span>
</a>
<br>
<br>
<span style="font-family: "Helvetica Neue", Helvetica, Arial, Verdana, sans-serif;">
GitGuardian researchers built Markov chains trained on 8,000 passwords from 40 LLMs across 11 providers, exploiting statistical biases like Claude Opus 4.6's 35% uniqueness rate and recurring substrings (e.g., Llama-3.3-70b's Gx#8dL in 96% of outputs) to identify model and provider with 55% and 65% accuracy respectively. Applied to 34M GitHub passwords from November 2025 to March 2026, the classifier flagged 28,000 as LLM-generated at ~1,500/week, with Anthropic, Qwen, and Google accounting for 63%, and 1,800 .env files plus Terraform configs containing hardcoded AI-generated credentials. Defenders should prohibit LLMs as password generators in policy, mandate vault-based generation, and deploy hook-event scanners like ggshield against Claude and Cursor agent outputs since the same Markov models enable far more efficient cracking than brute-force.
</span>
</span>
</div>
</td></tr></tbody></table>
<table align="center" border="0" cellpadding="0" cellspacing="0" width="100%"><tbody><tr><td class="container" style="padding: 15px 15px;">
<div class="text-block">
<span>
<a href="https://tracking.tldrnewsletter.com/CL0/https:%2F%2Fslcyber.io%2Fresearch-center%2Fghosts-of-encryption-past-salesforce-exacttarget%2F%3Futm_source=tldrinfosec/1/0100019e07b25bf2-000de689-08da-43d0-a5ea-d1f4568fdc0f-000000/zvWa920ek6qSjAhzQtHcUnhF4sdkeB0oil5-3kvixuQ=452">
<span>
<strong>Ghosts of Encryption Past β How we Read All Your Emails in Salesforce Marketing Cloud (12 minute read)</strong>
</span>
</a>
<br>
<br>
<span style="font-family: "Helvetica Neue", Helvetica, Arial, Verdana, sans-serif;">
Searchlight Cyber chained AMPScript template injection (via TreatAsContent and a default double-evaluation of email subject lines) with a CBC padding oracle on the qs parameter shared across all SFMC tenants, then bypassed MicrositeURL's reserved-parameter blocklist by smuggling =0&LID=1&j=2&m=3&ls=4 into a single argument to forge arbitrary encrypted query strings cross-tenant. A legacy XOR scheme keyed off a static repeating string with a 0xFFFF ^ sum(bytes) checksum still validated on brand-new tenants, collapsing enumeration of the ls SubscriberID to one HTTP request per guess and exposing _Subscribers, _Sent, _Job, _Click, and _SMSMessageTracking data views across every Fortune 500 instance hosted on the platform. Salesforce shipped AES-GCM, expired all pre-January 23, 2026 21:00 UTC links, and disabled subject-line double evaluation under CVE-2026-22585, CVE-2026-22586, CVE-2026-22582, CVE-2026-22583, and CVE-2026-2298, so defenders should confirm no marketing email links remain pinned to the old format, audit any custom AMPScript that passes subscriber input to TreatAsContent, and treat any historical SFMC-rendered URL as untrusted.
</span>
</span>
</div>
</td></tr></tbody></table>
<table align="center" border="0" cellpadding="0" cellspacing="0" width="100%"><tbody><tr><td class="container" style="padding: 15px 15px;">
<div class="text-block">
<span>
<a href="https://tracking.tldrnewsletter.com/CL0/https:%2F%2Fghostbyt3.github.io%2Fblog%2Fnday-research-ai%3Futm_source=tldrinfosec/1/0100019e07b25bf2-000de689-08da-43d0-a5ea-d1f4568fdc0f-000000/BM-Bl6aB6y7E_xHUQJaRkpup5HDrMWxsRAd5I29B0vI=452">
<span>
<strong>N-Day Research with AI: Using Ollama and n8n (8 minute read)</strong>
</span>
</a>
<br>
<br>
<span style="font-family: "Helvetica Neue", Helvetica, Arial, Verdana, sans-serif;">
A security researcher chained a local Ollama deployment running qwen3-coder:30b with n8n workflow automation and a Qdrant vector database to triage Microsoft Patch Tuesday binaries, feeding patched and vulnerable function diffs from Ghidra headless version tracking through an AI agent that produces a structured vulnerability report and pushes it to GitHub. A RAG pipeline ingests RSS feeds, URLs, and uploaded notes via a Document Processor agent using qwen3:embedding, giving the analyzer agent historical CVE context to ground its findings, though the ~20k token prompt budget forced tiktoken-based truncation of patched functions and occasionally drops the actual vulnerable one. The published reports at github.com/ghostbyt3/nday-automation-ai are a triage accelerator rather than ground truth, and defenders building similar pipelines should treat AI output as a starting point that still requires manual reverse engineering validation before any CVE assertion.
</span>
</span>
</div>
</td></tr></tbody></table>
</td></tr></tbody></table>
<table align="center" bgcolor="" border="0" cellpadding="0" cellspacing="0" width="100%"><tbody><tr><td class="container" style="padding-top: 0px; padding-bottom: 0px;">
<div class="text-block">
<div style="text-align: center;"><span style="font-size: 36px;">π§βπ»</span></div>
</div>
</td></tr></tbody></table>
<table align="center" bgcolor="" border="0" cellpadding="0" cellspacing="0" width="100%"><tbody><tr><td class="container" style="padding-top: 0px; padding-bottom: 0px;">
<div class="text-block">
<div style="text-align: center;">
<h1><strong>Launches & Tools</strong></h1>
</div>
</div>
</td></tr></tbody></table>
<table style="table-layout: fixed; width: 100%;" width="100%"><tbody><tr><td style="padding:0;border-collapse:collapse;border-spacing:0;margin:0;" valign="top">
<table align="center" border="0" cellpadding="0" cellspacing="0" width="100%"><tbody><tr><td class="container" style="padding: 15px 15px;">
<div class="text-block">
<span>
<a href="https://tracking.tldrnewsletter.com/CL0/https:%2F%2Fboostsecurity.io%2F%3Futm_source=tldrinfosec/1/0100019e07b25bf2-000de689-08da-43d0-a5ea-d1f4568fdc0f-000000/nQ1Ez3AAzpM40kvrU2gVm6Ik97CrSiviY-rWML0LWFQ=452">
<span>
<strong>Boost Security (Product Launch)</strong>
</span>
</a>
<br>
<br>
<span style="font-family: "Helvetica Neue", Helvetica, Arial, Verdana, sans-serif;">
Boost Security offers an SDLC defense platform that secures developer endpoints and the software supply chain, using automated analysis to find and fix code vulnerabilities and block supply chain threats across multiple programming languages.
</span>
</span>
</div>
</td></tr></tbody></table>
<table align="center" border="0" cellpadding="0" cellspacing="0" width="100%"><tbody><tr><td class="container" style="padding: 15px 15px;">
<div class="text-block">
<span>
<a href="https://tracking.tldrnewsletter.com/CL0/https:%2F%2Fbishopfox.com%2Fblog%2Fintroducing-aimap-security-testing-for-ai-agent-infrastructure%3Futm_source=tldrinfosec/1/0100019e07b25bf2-000de689-08da-43d0-a5ea-d1f4568fdc0f-000000/gcMDj2tKb6Ad_JFqbWTZ77xjOHysL0vLz5B36DQ8hh4=452">
<span>
<strong>Introducing AIMap: Security Testing For AI Agent Infrastructure (4 minute read)</strong>
</span>
</a>
<br>
<br>
<span style="font-family: "Helvetica Neue", Helvetica, Arial, Verdana, sans-serif;">
AIMap is an open-source discovery and security testing platform that queries Shodan and runs Nuclei templates plus live HTTP probes against exposed AI agent infrastructure including MCP servers, Ollama, vLLM, LiteLLM, LocalAI, LangServe, OpenWebUI, Gradio, ComfyUI, and HuggingFace TGI to fingerprint protocol, framework, authentication state, tools, models, and leaked system prompts. Each endpoint receives a 0-10 risk score weighted on auth posture, CORS, TLS, tool exposure, prompt leakage, and dangerous capability combinations, with built-in attack suites for MCP tool enumeration and unauthorized invocation, Ollama model weight extraction, and OpenAI-compatible system prompt extraction streamed in real time. The Docker Compose stack ships backend, frontend, MongoDB, and Redis services and requires only a Shodan API key to run, with full source at github.com/BishopFox/aimap, though operators are responsible for ensuring CFAA and GDPR compliance since active modules require explicit target confirmation.
</span>
</span>
</div>
</td></tr></tbody></table>
<table align="center" border="0" cellpadding="0" cellspacing="0" width="100%"><tbody><tr><td class="container" style="padding: 15px 15px;">
<div class="text-block">
<span>
<a href="https://tracking.tldrnewsletter.com/CL0/https:%2F%2Fgithub.com%2Fengseclabs%2Ftrailtool%3Futm_source=tldrinfosec/1/0100019e07b25bf2-000de689-08da-43d0-a5ea-d1f4568fdc0f-000000/7u8NhQpXnhODXfvuQkDXPdrpSFXGpNmyY2zYnkQfnuM=452">
<span>
<strong>TrailTool (GitHub Repo)</strong>
</span>
</a>
<br>
<br>
<span style="font-family: "Helvetica Neue", Helvetica, Arial, Verdana, sans-serif;">
TrailTool aggregates CloudTrail logs to simplify analysis for AI agents using a Lambda for ingestion, parsing, and correlation, DynamoDB tables for persisting queryable entities, and a CLI for accessing entity data.
</span>
</span>
</div>
</td></tr></tbody></table>
</td></tr></tbody></table>
<table align="center" bgcolor="" border="0" cellpadding="0" cellspacing="0" width="100%"><tbody><tr><td class="container" style="padding-top: 0px; padding-bottom: 0px;">
<div class="text-block">
<div style="text-align: center;"><span style="font-size: 36px;">π</span></div></div>
</td></tr></tbody></table>
<table align="center" bgcolor="" border="0" cellpadding="0" cellspacing="0" width="100%"><tbody><tr><td class="container" style="padding-top: 0px; padding-bottom: 0px;">
<div class="text-block">
<div style="text-align: center;"><strong><h1>Miscellaneous</h1></strong></div>
</div>
</td></tr></tbody></table>
<table bgcolor="" style="table-layout: fixed; width: 100%;" width="100%"><tbody><tr><td style="padding:0;border-collapse:collapse;border-spacing:0;margin:0;" valign="top">
<table align="center" border="0" cellpadding="0" cellspacing="0" width="100%"><tbody><tr><td class="container" style="padding: 15px 15px;">
<div class="text-block">
<span>
<a href="https://tracking.tldrnewsletter.com/CL0/https:%2F%2Farstechnica.com%2Fsecurity%2F2026%2F05%2Fwidely-used-daemon-tools-disk-app-backdoored-in-monthlong-supply-chain-attack%2F%3Futm_source=tldrinfosec/1/0100019e07b25bf2-000de689-08da-43d0-a5ea-d1f4568fdc0f-000000/xDoIy8_GF1eL5f5QSYerE79HKjA1PabtlJ32IwVQfKA=452">
<span>
<strong>Widely used Daemon Tools disk app backdoored in monthlong supply-chain attack (3 minute read)</strong>
</span>
</a>
<br>
<br>
<span style="font-family: "Helvetica Neue", Helvetica, Arial, Verdana, sans-serif;">
Attackers backdoored Daemon Tools installers signed with the vendor's certificate, pushing Windows malware via official updates between April 8 and early May. The first-stage payload fingerprints hosts and reports data to attacker servers, while selected targets receive minimalistic backdoors or the more capable QUIC RAT, which supports multiple C2 protocols and process injection. At least 100 organizations in over 100 countries are affected, with about a dozen receiving advanced payloads.
</span>
</span>
</div>
</td></tr></tbody></table>
<table align="center" border="0" cellpadding="0" cellspacing="0" width="100%"><tbody><tr><td class="container" style="padding: 15px 15px;">
<div class="text-block">
<span>
<a href="https://tracking.tldrnewsletter.com/CL0/https:%2F%2Fventurebeat.com%2Fsecurity%2Fone-command-open-source-repo-ai-agent-backdoor-openclaw-supply-chain-scanner%3Futm_source=tldrinfosec/1/0100019e07b25bf2-000de689-08da-43d0-a5ea-d1f4568fdc0f-000000/MBvYoA5qmvUHXsCODU4Wpkx-t09Q9G5QosxD_jskZss=452">
<span>
<strong>One command turns any open-source repo into an AI agent backdoor. OpenClaw proved no supply-chain scanner has a detection category for it (4 minute read)</strong>
</span>
</a>
<br>
<br>
<span style="font-family: "Helvetica Neue", Helvetica, Arial, Verdana, sans-serif;">
Researchers show CLI-Anything can turn open-source repos into agent backdoors by poisoning SKILL.md instructions that scanners ignore, enabling DDIPE-style payloads that survive code and dependency checks, ride flat authorization in coding agents, and abuse MCP marketplaces and ClawHub-style skill ecosystems.
</span>
</span>
</div>
</td></tr></tbody></table>
<table align="center" border="0" cellpadding="0" cellspacing="0" width="100%"><tbody><tr><td class="container" style="padding: 15px 15px;">
<div class="text-block">
<span>
<a href="https://tracking.tldrnewsletter.com/CL0/https:%2F%2Flinks.tldrnewsletter.com%2Fl9A5tH/1/0100019e07b25bf2-000de689-08da-43d0-a5ea-d1f4568fdc0f-000000/eLPqY9GlSCd4iReFpEBNJbJQzLP_VrN927Pl5b7R4KA=452">
<span>
<strong>AI Vibe-Coding Apps Leak Sensitive Data (3 minute read)</strong>
</span>
</a>
<br>
<br>
<span style="font-family: "Helvetica Neue", Helvetica, Arial, Verdana, sans-serif;">
Cybersecurity firm RedAccess found 5,000 websites built using vibe-coding tools from Replit, Netlify, Lovable, and Base44 that were publicly accessible and leaked private data with little or no authentication required. Some of these apps exposed data belonging to a hospital, private customer conversations, and financial information. Spokespeople from Replit, Lovable, and Base44 reported to Axios that RedAccess did not provide them sufficient notice or information to identify and help customers secure the sites prior to publication.
</span>
</span>
</div>
</td></tr></tbody></table>
</td></tr></tbody></table>
<table align="center" bgcolor="" border="0" cellpadding="0" cellspacing="0" width="100%"><tbody><tr><td class="container" style="padding-top: 0px; padding-bottom: 0px;">
<div class="text-block">
<div style="text-align: center;"><span style="font-size: 36px;">β‘</span></div></div>
</td></tr></tbody></table>
<table align="center" bgcolor="" border="0" cellpadding="0" cellspacing="0" width="100%"><tbody><tr><td class="container" style="padding-top: 0px; padding-bottom: 0px;">
<div class="text-block">
<div style="text-align: center;">
<h1><strong>Quick Links</strong></h1>
</div>
</div>
</td></tr></tbody></table>
<table bgcolor="" style="table-layout: fixed; width: 100%;" width="100%"><tbody><tr><td style="padding:0;border-collapse:collapse;border-spacing:0;margin:0;" valign="top">
<table align="center" border="0" cellpadding="0" cellspacing="0" width="100%"><tbody><tr><td class="container" style="padding: 15px 15px;">
<div class="text-block">
<span>
<a href="https://tracking.tldrnewsletter.com/CL0/https:%2F%2Fwww.theverge.com%2Ftech%2F925696%2Fyarbo-robot-lawn-mower-hack-remote-control-camera-access-mqtt%3Futm_source=tldrinfosec/1/0100019e07b25bf2-000de689-08da-43d0-a5ea-d1f4568fdc0f-000000/FAiM1R2kZaIcy9aJg6CH65sHkiSRSeH9cl0OCXk4oqo=452">
<span>
<strong>A hacker ran me over with a robot lawn mower (2 minute read)</strong>
</span>
</a>
<br>
<br>
<span style="font-family: "Helvetica Neue", Helvetica, Arial, Verdana, sans-serif;">
Security researcher Andreas Makris remotely hijacked a $5,000 Yarbo mower from thousands of miles away and drove it over the reporter's body to prove control.
</span>
</span>
</div>
</td></tr></tbody></table>
<table align="center" border="0" cellpadding="0" cellspacing="0" width="100%"><tbody><tr><td class="container" style="padding: 15px 15px;">
<div class="text-block">
<span>
<a href="https://tracking.tldrnewsletter.com/CL0/https:%2F%2Flinks.tldrnewsletter.com%2FXhI9FN/1/0100019e07b25bf2-000de689-08da-43d0-a5ea-d1f4568fdc0f-000000/suHyd_d-w04hoLhJsNRzw602ezljnAOPnw667pExSwY=452">
<span>
<strong>Claude Code OAuth Tokens Can Be Stolen Through Stealthy MCP Hijacking (2 minute read)</strong>
</span>
</a>
<br>
<br>
<span style="font-family: "Helvetica Neue", Helvetica, Arial, Verdana, sans-serif;">
Mitiga shows how a malicious npm package can hijack Claude Code MCP traffic by editing ~/.claude.json and inserting an attacker-controlled proxy.
</span>
</span>
</div>
</td></tr></tbody></table>
</td></tr></tbody></table>
<table align="center" bgcolor="" border="0" cellpadding="0" cellspacing="0" width="100%"><tbody><tr><td align="left" style="word-break: break-word; vertical-align: top; padding: 5px 10px;">
<p style="padding: 0; margin: 0; font-size: 22px; color: #000000; line-height: 1.6; font-weight: bold;">
Love TLDR? Tell your friends and get rewards!
</p>
</td></tr>
<tr><td class="container" style="padding: 0px 10px 15px;">
<div class="text-block">
Share your referral link below with friends to get free TLDR swag!
</div>
</td></tr>
<tr><td align="left" style="padding: 10px;">
<div class="text-block">
<a href="https://tracking.tldrnewsletter.com/CL0/https:%2F%2Frefer.tldr.tech%2F78de0e20%2F8/1/0100019e07b25bf2-000de689-08da-43d0-a5ea-d1f4568fdc0f-000000/p-F4TQULTSjZLbXOcCfSb8qQMSbNU1CPzQ8JZt697uo=452" style="color: #464ba4; text-decoration: underline;">https://refer.tldr.tech/78de0e20/8</a>
</div>
</td></tr>
<tr></tr>
<tr><td align="left" style="padding:5px 10px;">
<a href="https://tracking.tldrnewsletter.com/CL0/https:%2F%2Fhub.sparklp.co%2Fsub_d62447d5a74a%2F8/1/0100019e07b25bf2-000de689-08da-43d0-a5ea-d1f4568fdc0f-000000/yKx2l4xLFUR-mdFD1cX6MyrR6FXDxwlN9sTOncAzTYk=452" style="font-size: 16px; line-height: 1.6; padding: 10px 0; display: inline-block; text-decoration: underline;"><span style="mso-text-raise:13pt; text-decoration: underline;">Track your referrals here.</span></a>
</td></tr></tbody></table>
<table align="center" bgcolor="" border="0" cellpadding="0" cellspacing="0" width="100%"><tbody><tr><td align="left" style="word-break: break-word; vertical-align: top; padding: 5px 10px;">
<p style="padding: 0; margin: 0; font-size: 22px; color: #000000; line-height: 1.6; font-weight: bold;">
Want to advertise in TLDR? π°
</p>
<div class="text-block" style="margin-top: 10px;">
If your company is interested in reaching an audience of cybersecurity professionals and decision makers, you may want to <a href="https://tracking.tldrnewsletter.com/CL0/https:%2F%2Fadvertise.tldr.tech%2F%3Futm_source=tldrinfosec%26utm_medium=newsletter%26utm_campaign=advertisecta/1/0100019e07b25bf2-000de689-08da-43d0-a5ea-d1f4568fdc0f-000000/u1vIU8aKmUZAqFvS-g0tWkdhWGkVVHCJmVbxIgUkW_I=452"><strong><span>advertise with us</span></strong></a>.
</div>
<br>
<!-- New "Want to work at TLDR?" section -->
<p style="padding: 0; margin: 0; font-size: 22px; color: #000000; line-height: 1.6; font-weight: bold;">
Want to work at TLDR? πΌ
</p>
<div class="text-block" style="margin-top: 10px;">
<a href="https://tracking.tldrnewsletter.com/CL0/https:%2F%2Fjobs.ashbyhq.com%2Ftldr.tech/1/0100019e07b25bf2-000de689-08da-43d0-a5ea-d1f4568fdc0f-000000/Yq-qCnTzEFuPDk6PGMldzCA8FRfIEYcQdunkzE5qsxo=452" rel="noopener noreferrer" style="color: #0000EE; text-decoration: underline;" target="_blank"><strong>Apply here</strong></a>,
<a href="https://tracking.tldrnewsletter.com/CL0/https:%2F%2Fjobs.ashbyhq.com%2Ftldr.tech%2Fc227b917-a6a4-40ce-8950-d3e165357871/1/0100019e07b25bf2-000de689-08da-43d0-a5ea-d1f4568fdc0f-000000/oEFcUVX99ONqhcq_9Bc7uT4GCK6ABG0nEqlPp5L9Nfs=452" rel="noopener noreferrer" style="color: #0000EE; text-decoration: underline;" target="_blank"><strong>create your own role</strong></a> or send a friend's resume to <a href="mailto:jobs@tldr.tech" style="color: #0000EE; text-decoration: underline;">jobs@tldr.tech</a> and get $1k if we hire them! TLDR is one of <a href="https://tracking.tldrnewsletter.com/CL0/https:%2F%2Fwww.linkedin.com%2Ffeed%2Fupdate%2Furn:li:activity:7401699691039830016%2F/1/0100019e07b25bf2-000de689-08da-43d0-a5ea-d1f4568fdc0f-000000/eVud5zMmbK8KebRUgdjNN5q4PBZTWgejR6k8hTUlMy4=452" rel="noopener noreferrer" style="color: #0000EE; text-decoration: underline;" target="_blank"><strong>Inc.'s Best Bootstrapped businesses</strong></a> of 2025.
</div>
<br>
<div class="text-block">
If you have any comments or feedback, just respond to this email!
<br>
<br> Thanks for reading,
<br>
<a href="https://tracking.tldrnewsletter.com/CL0/https:%2F%2Fwww.linkedin.com%2Fin%2Fprasannagautam%2F/1/0100019e07b25bf2-000de689-08da-43d0-a5ea-d1f4568fdc0f-000000/ckeEZLNTuWJQaMDe1v-qQ1S0z-HnxexUU6DnQUi2hig=452"><span>Prasanna Gautam</span></a>, <a href="https://tracking.tldrnewsletter.com/CL0/https:%2F%2Fwww.linkedin.com%2Fin%2Fericfernandezdelcampo%2F/1/0100019e07b25bf2-000de689-08da-43d0-a5ea-d1f4568fdc0f-000000/i6PdCd-Ln4EIMLmLd3PBOT30lIifkRls-_h5Rg1NJGI=452"><span>Eric Fernandez</span></a> & <a href="https://tracking.tldrnewsletter.com/CL0/https:%2F%2Fwww.linkedin.com%2Fin%2Fsammy-tbeile%2F/1/0100019e07b25bf2-000de689-08da-43d0-a5ea-d1f4568fdc0f-000000/CZyhD57lxH_orPVrCV4zHq1cpYjLZTzLJ-zgi-mKAhE=452"><span>Sammy Tbeile</span></a>
<br>
<br>
</div>
<br>
</td></tr></tbody></table>
<table align="center" bgcolor="" border="0" cellpadding="0" cellspacing="0" width="100%"><tbody><tr><td class="container" style="padding: 15px 15px;">
<div class="text-block" id="testing-id">
<a href="https://tracking.tldrnewsletter.com/CL0/https:%2F%2Ftldr.tech%2Finfosec%2Fmanage%3Femail=silk.theater.56%2540fwdnl.com/1/0100019e07b25bf2-000de689-08da-43d0-a5ea-d1f4568fdc0f-000000/aLFhk9CzebzLkYp8rTdzmjz9h8KLmm_6lYX0YkX9wbo=452">Manage your subscriptions</a> to our other newsletters on tech, startups, and programming. Or if TLDR Information Security isn't for you, please <a href="https://tracking.tldrnewsletter.com/CL0/https:%2F%2Fa.tldrnewsletter.com%2Funsubscribe%3Fep=1%26l=8d9cea11-3e94-11ed-9a32-0241b9615763%26lc=156924ca-84b7-11f0-8d58-47c5c04ad337%26p=5bd6de66-4adc-11f1-b437-bb2a4cee4ce1%26pt=campaign%26pv=4%26spa=1778245272%26t=1778245589%26s=bb26cbdde11d4dc7512b121af6edd6797a9947603c8914c640d10171e99515bc/1/0100019e07b25bf2-000de689-08da-43d0-a5ea-d1f4568fdc0f-000000/XzIBVleLOZQ2cwgCLcnCE6yMbbU87ff4jelwohr9NkA=452">unsubscribe</a>.
<br>
</div>
</td></tr></tbody></table>
</td></tr></tbody></table>
</td></tr></tbody></table>
</td></tr></tbody></table>
</td></tr></tbody></table>
<img alt="" src="http://tracking.tldrnewsletter.com/CI0/0100019e07b25bf2-000de689-08da-43d0-a5ea-d1f4568fdc0f-000000/VAZq9vCMbJx4DIxK2dho_RQcnmiZEvDT0YRcxduY_1U=452" style="display: none; width: 1px; height: 1px;">
</body></html>