<!DOCTYPE html><html lang="en"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><meta charset="UTF-8"><meta name="viewport" content="width=device-width"><meta name="x-apple-disable-message-reformatting"><title>TLDR InfoSec</title><meta name="color-scheme" content="light dark"><meta name="supported-color-schemes" content="light dark"><style type="text/css">
:root {
color-scheme: light dark; supported-color-schemes: light dark;
}
*,
*:after,
*:before {
-webkit-box-sizing: border-box; -moz-box-sizing: border-box; box-sizing: border-box;
}
* {
-ms-text-size-adjust: 100%; -webkit-text-size-adjust: 100%;
}
html,
body,
.document {
width: 100% !important; height: 100% !important; margin: 0; padding: 0;
}
body {
-webkit-font-smoothing: antialiased; -moz-osx-font-smoothing: grayscale; text-rendering: optimizeLegibility;
}
div[style*="margin: 16px 0"] {
margin: 0 !important;
}
table,
td {
mso-table-lspace: 0pt; mso-table-rspace: 0pt;
}
table {
border-spacing: 0; border-collapse: collapse; table-layout: fixed; margin: 0 auto;
}
img {
-ms-interpolation-mode: bicubic; max-width: 100%; border: 0;
}
*[x-apple-data-detectors] {
color: inherit !important; text-decoration: none !important;
}
.x-gmail-data-detectors,
.x-gmail-data-detectors *,
.aBn {
border-bottom: 0 !important; cursor: default !important;
}
.btn {
-webkit-transition: all 200ms ease; transition: all 200ms ease;
}
.btn:hover {
background-color: #f67575; border-color: #f67575;
}
* {
font-family: Arial, Helvetica, sans-serif; font-size: 18px;
}
@media screen and (max-width: 600px) {
.container {
width: 100%; margin: auto;
}
.stack {
display: block!important; width: 100%!important; max-width: 100%!important;
}
.btn {
display: block; width: 100%; text-align: center;
}
}
body,
p,
td,
tr,
.body,
table,
h1,
h2,
h3,
h4,
h5,
h6,
div,
span {
background-color: #FEFEFE !important; color: #010101 !important;
}
@media (prefers-color-scheme: dark) {
body,
p,
td,
tr,
.body,
table,
h1,
h2,
h3,
h4,
h5,
h6,
div,
span {
background-color: #27292D !important; color: #FEFEFE !important;
}
}
a {
color: inherit !important; text-decoration: underline !important;
}
</style><!--[if mso | ie]>
<style type="text/css">
a {
background-color: #FEFEFE !important; color: #010101 !important;
}
@media (prefers-color-scheme: dark) {
a {
background-color: #27292D !important; color: #FEFEFE !important;
}
}
</style>
<![endif]--></head><body class="">
<table align="center" class="document"><tbody><tr><td valign="top">
<table align="center" border="0" cellpadding="0" cellspacing="0" class="container" width="600"><tbody><tr class="inner-body"><td>
<table align="center" border="0" cellpadding="0" cellspacing="0" width="100%"><tbody><tr class="header"><td bgcolor="" class="container">
<table width="100%"><tbody><tr><td class="container">
<table align="center" bgcolor="" border="0" cellpadding="0" cellspacing="0" style="margin-top: 0px;" width="100%"><tbody><tr><td style="padding: 0px;">
<table align="center" bgcolor="" border="0" cellpadding="0" cellspacing="0" width="100%"><tbody><tr><td class="container" style="text-align: center;"><span data-darkreader-inline-color="" style="--darkreader-inline-color:#3db3ff; color: rgb(51, 175, 255) !important; font-size: 30px;">T</span><span style="font-size: 30px;"><span data-darkreader-inline-color="" style="color: rgb(232, 192, 96) !important; --darkreader-inline-color:#e8c163; font-size:30px;">L</span><span data-darkreader-inline-color="" style="color: rgb(101, 195, 173) !important; --darkreader-inline-color:#6ec7b2; font-size:30px;">D</span></span><span data-darkreader-inline-color="" style="--darkreader-inline-color:#dd6e6e; color: rgb(220, 107, 107) !important; font-size: 30px;">R</span>
<br>
</td></tr></tbody></table>
<br>
<table style="table-layout: fixed; width:100%;" width="100%"><tbody><tr><td style="padding:0;border-collapse:collapse;border-spacing:0;margin:0;">
<div style="text-align: center;">
<h1><strong>TLDR Information Security <span id="date">2026-05-13</span></strong></h1>
</div>
</td></tr></tbody></table>
</td></tr></tbody></table>
</td></tr></tbody></table>
</td></tr>
<tr bgcolor=""><td class="container">
<table align="center" bgcolor="" border="0" cellpadding="0" cellspacing="0" width="100%"><tbody><tr><td style="padding: 0px;">
<table align="center" bgcolor="" border="0" cellpadding="0" cellspacing="0" width="100%"><tbody><tr><td class="container" style="padding-top: 0px; padding-bottom: 0px;">
<div class="text-block">
<div style="text-align: center;">
<h1><strong>Attacks & Vulnerabilities</strong></h1>
</div>
</div>
</td></tr></tbody></table>
<table style="table-layout: fixed; width: 100%;" width="100%"><tbody><tr><td style="padding:0;border-collapse:collapse;border-spacing:0;margin:0;" valign="top">
<table align="center" border="0" cellpadding="0" cellspacing="0" width="100%"><tbody><tr><td class="container" style="padding: 15px 15px;">
<div class="text-block">
<span>
<a href="https://tracking.tldrnewsletter.com/CL0/https:%2F%2Flinks.tldrnewsletter.com%2FrazrHv/1/0100019e2171c2e6-35edacd7-79a0-4205-a8ad-ab93a1d714ae-000000/oYKCardx-CIfAG-Bg9emMiXUnGSKl3U3aUMkJ4zz10c=452">
<span>
<strong>Official CheckMarx Jenkins package compromised with infostealer (3 minute read)</strong>
</span>
</a>
<br>
<br>
<span style="font-family: 'Helvetica Neue', Helvetica, Arial, Verdana, sans-serif;">
TeamPCP, the same group behind the Shai-Hulud npm campaigns and the Trivy scanner breach, pushed a rogue version (2026.5.09) of Checkmarx's Jenkins AST plugin to the Jenkins Marketplace on May 9. They pivoted in via credentials stolen during their March compromise of Trivy, which Checkmarx never rotated. The malicious build sat outside the plugin's release pipeline, lacked a Git tag and GitHub release, and broke the project's date-based versioning scheme. Users should roll back to 2.0.13-829.vc72453fa_1c16 (December 17, 2025) or earlier, rotate every secret that touched a Jenkins runner executing the plugin, and hunt for lateral movement and persistence. Defenders should treat any vendor breach involving stolen repository credentials as a standing supply-chain risk until rotation is confirmed, and pull Checkmarx's published IOCs into CI/CD telemetry.
</span>
</span>
</div>
</td></tr></tbody></table>
<table align="center" border="0" cellpadding="0" cellspacing="0" width="100%"><tbody><tr><td class="container" style="padding: 15px 15px;">
<div class="text-block">
<span>
<a href="https://tracking.tldrnewsletter.com/CL0/https:%2F%2Fcloud.google.com%2Fblog%2Ftopics%2Fthreat-intelligence%2Fai-vulnerability-exploitation-initial-access%3Futm_source=tldrinfosec/1/0100019e2171c2e6-35edacd7-79a0-4205-a8ad-ab93a1d714ae-000000/g4gBwT0CTag4iL2nEHublQGdFqfMRC8MlgcJD8U1X0E=452">
<span>
<strong>GTIG AI Threat Tracker: Adversaries Leverage AI for Vulnerability Exploitation, Augmented Operations, and Initial Access (26 minute read)</strong>
</span>
</a>
<br>
<br>
<span style="font-family: 'Helvetica Neue', Helvetica, Arial, Verdana, sans-serif;">
The Google Threat Intelligence Group reported the first observed criminal use of an AI-developed zero-day, a 2FA-bypass exploit against an open-source sysadmin tool that GTIG disrupted before deployment. They also detailed PRC actors chaining persona jailbreaks with the "wooyun-legacy" Claude skill plugin and 85,000 historical bug cases to scale CVE analysis, along with Russia-nexus malware padding payloads with LLM-generated decoy logic to evade static signatures. The report highlights threats like PROMPTSPY, an Android backdoor that interprets on-screen UI and autonomously issues actions, and TeamPCP pivoting from supply-chain compromises to AI gateways using the SANDCLOCK stealer, with defenders advised to focus on AI tooling stacks, supply-chain assets, and detecting semantic logic flaws that static analysis tools may miss.
</span>
</span>
</div>
</td></tr></tbody></table>
<table align="center" border="0" cellpadding="0" cellspacing="0" width="100%"><tbody><tr><td class="container" style="padding: 15px 15px;">
<div class="text-block">
<span>
<a href="https://tracking.tldrnewsletter.com/CL0/https:%2F%2Farstechnica.com%2Fsecurity%2F2026%2F05%2Flinux-bitten-by-second-severe-vulnerability-in-as-many-weeks%2F%3Futm_source=tldrinfosec/1/0100019e2171c2e6-35edacd7-79a0-4205-a8ad-ab93a1d714ae-000000/oplXf132SWr0IHcXikVYNNzRghP6Jr7tavJwBAhyGpc=452">
<span>
<strong>Linux bitten by second severe vulnerability in as many weeks (3 minute read)</strong>
</span>
</a>
<br>
<br>
<span style="font-family: 'Helvetica Neue', Helvetica, Arial, Verdana, sans-serif;">
Dirty Frag chains two Linux kernel bugs, CVE-2026-43284 and CVE-2026-43500, to allow low-privilege users to gain root by corrupting page cache data via the esp4/esp6 and rxrpc networking paths. The exploit code is public and has already been tested by attackers. Major distros like Debian, AlmaLinux, and Fedora now ship fixes, but protection still depends on fast patching and reboots, especially on shared servers and VMs.
</span>
</span>
</div>
</td></tr></tbody></table>
</td></tr></tbody></table>
<table align="center" bgcolor="" border="0" cellpadding="0" cellspacing="0" width="100%"><tbody><tr><td class="container" style="padding-top: 0px; padding-bottom: 0px;">
<div class="text-block">
<div style="text-align: center;"><span style="font-size: 36px;">🧠</span></div>
</div>
</td></tr></tbody></table>
<table align="center" bgcolor="" border="0" cellpadding="0" cellspacing="0" width="100%"><tbody><tr><td class="container" style="padding-top: 0px; padding-bottom: 0px;">
<div class="text-block">
<div style="text-align: center;">
<h1><strong>Strategies & Tactics</strong></h1>
</div>
</div>
</td></tr></tbody></table>
<table style="table-layout: fixed; width: 100%;" width="100%"><tbody><tr><td style="padding:0;border-collapse:collapse;border-spacing:0;margin:0;" valign="top">
<table align="center" border="0" cellpadding="0" cellspacing="0" width="100%"><tbody><tr><td class="container" style="padding: 15px 15px;">
<div class="text-block">
<span>
<a href="https://tracking.tldrnewsletter.com/CL0/https:%2F%2Fcybersecurityreach.org%2Finvestigations%2Fifyourevokethistokenitwillwipethecomputeroftheowner-shai-hulud-2026%3Futm_source=tldrinfosec/1/0100019e2171c2e6-35edacd7-79a0-4205-a8ad-ab93a1d714ae-000000/_0ClT6ILF4ASNr-NSyCL7TfTX9nCGOiBixbXCBZpJ8Q=452">
<span>
<strong>IfYouRevokeThisTokenItWillWipeTheComputerOfTheOwner: Inside the New Shai-Hulud npm Worm (7 minute read)</strong>
</span>
</a>
<br>
<br>
<span style="font-family: 'Helvetica Neue', Helvetica, Arial, Verdana, sans-serif;">
A new Shai-Hulud variant has hit 42 @tanstack/* packages via a pull_request_target "Pwn Request" plus GitHub Actions cache poisoning and runtime OIDC token extraction from the Runner.Worker process, then harvested AWS, GCP, Kubernetes, Vault, GitHub, and SSH credentials on every install host. The worm uses GitHub's commit search index as a peer-to-peer bulletin board (infected hosts find each other's stolen tokens by querying for the literal sigil string) and plants a gh-token-monitor dead-man's switch that triggers destructive actions if the token is revoked before the persistence units are removed. Defenders should remove persistence (launchd/systemd units, Claude Code SessionStart hooks, VS Code tasks.json with runOn: folderOpen) before rotating tokens, block egress to api.masscan.cloud and the Session seed nodes, and hunt for .github/workflows/*.yml files.
</span>
</span>
</div>
</td></tr></tbody></table>
<table align="center" border="0" cellpadding="0" cellspacing="0" width="100%"><tbody><tr><td class="container" style="padding: 15px 15px;">
<div class="text-block">
<span>
<a href="https://tracking.tldrnewsletter.com/CL0/https:%2F%2Flinks.tldrnewsletter.com%2FYty5B8/1/0100019e2171c2e6-35edacd7-79a0-4205-a8ad-ab93a1d714ae-000000/jYr2VqEZSBZagc_9LsGkiKqU0Wkqoi6527sk64jpcIw=452">
<span>
<strong>Detecting Remote Thread Creation with Windows Driver (4 minute read)</strong>
</span>
</a>
<br>
<br>
<span style="font-family: 'Helvetica Neue', Helvetica, Arial, Verdana, sans-serif;">
S12 walks through how EDRs detect CreateRemoteThread-style injection using PsSetCreateThreadNotifyRoutine, a kernel callback that fires in the creator's context, so comparing PsGetCurrentProcessId() against the notification's ProcessId reliably flags cross-process thread creation. The PoC WDF driver registers the callback in DriverEntry, logs creator/target PID pairs, and filters PID 4 (System) to suppress legitimate kernel-initiated threads. Defenders building on this should layer in thread start-address inspection (unbacked memory, non-image regions), creator process reputation, and correlation with image-load and handle-open callbacks before alerting, since the raw signal alone is noisy.
</span>
</span>
</div>
</td></tr></tbody></table>
<table align="center" border="0" cellpadding="0" cellspacing="0" width="100%"><tbody><tr><td class="container" style="padding: 15px 15px;">
<div class="text-block">
<span>
<a href="https://tracking.tldrnewsletter.com/CL0/https:%2F%2Ftanstack.com%2Fblog%2Fnpm-supply-chain-compromise-postmortem%3Futm_source=tldrinfosec/1/0100019e2171c2e6-35edacd7-79a0-4205-a8ad-ab93a1d714ae-000000/S4s50y3HtD-uQEjpHHXMTQ4rzNAkAedjXFD-NwPQKOM=452">
<span>
<strong>Postmortem: TanStack npm supply-chain compromise (18 minute read)</strong>
</span>
</a>
<br>
<br>
<span style="font-family: 'Helvetica Neue', Helvetica, Arial, Verdana, sans-serif;">
On May 11, an attacker used a pull_request_target workflow, GitHub Actions cache poisoning, and OIDC token theft from runner memory to push 84 malicious versions of 42 @tanstack/* npm packages. The payload ran during install, harvested cloud, Kubernetes, Vault, npm, GitHub, and SSH credentials, then exfiltrated them over the Session/Oxen network and tried to republish other packages owned by the victim. Detection came from external researchers within about 20 minutes. All bad versions were deprecated, caches purged, and workflows hardened.
</span>
</span>
</div>
</td></tr></tbody></table>
</td></tr></tbody></table>
<table align="center" bgcolor="" border="0" cellpadding="0" cellspacing="0" width="100%"><tbody><tr><td class="container" style="padding-top: 0px; padding-bottom: 0px;">
<div class="text-block">
<div style="text-align: center;"><span style="font-size: 36px;">🧑‍💻</span></div>
</div>
</td></tr></tbody></table>
<table align="center" bgcolor="" border="0" cellpadding="0" cellspacing="0" width="100%"><tbody><tr><td class="container" style="padding-top: 0px; padding-bottom: 0px;">
<div class="text-block">
<div style="text-align: center;">
<h1><strong>Launches & Tools</strong></h1>
</div>
</div>
</td></tr></tbody></table>
<table style="table-layout: fixed; width: 100%;" width="100%"><tbody><tr><td style="padding:0;border-collapse:collapse;border-spacing:0;margin:0;" valign="top">
<table align="center" border="0" cellpadding="0" cellspacing="0" width="100%"><tbody><tr><td class="container" style="padding: 15px 15px;">
<div class="text-block">
<span>
<a href="https://tracking.tldrnewsletter.com/CL0/https:%2F%2Fgithub.com%2Fjonny-jhnson%2FEtwWatcher%3Futm_source=tldrinfosec/1/0100019e2171c2e6-35edacd7-79a0-4205-a8ad-ab93a1d714ae-000000/zrQ3QmkvjvjS668K16yPwOqK3B3ON2UeK6ElEnHqTig=452">
<span>
<strong>EtwWatcher (GitHub Repo)</strong>
</span>
</a>
<br>
<br>
<span style="font-family: 'Helvetica Neue', Helvetica, Arial, Verdana, sans-serif;">
EtwWatcher is a static, browser-side web app for browsing and diffing snapshots of Windows ETW provider state across builds, letting detection engineers and threat hunters see which providers, events, keywords, and template fields shifted between Windows builds (including Patch Tuesday cumulative updates and Insider builds) without spinning up VMs. Snapshots are produced by the companion PowerShell module ETWInspector and committed as NDJSON. Users can also drop in their own .ndjson or .ndjson.gz for full in-browser analysis. Coverage spans Manifest, MOF, and TraceLogging providers; WPP is not yet supported, and MOF event metadata enumeration remains incomplete due to WMI quirks.
</span>
</span>
</div>
</td></tr></tbody></table>
<table align="center" border="0" cellpadding="0" cellspacing="0" width="100%"><tbody><tr><td class="container" style="padding: 15px 15px;">
<div class="text-block">
<span>
<a href="https://tracking.tldrnewsletter.com/CL0/https:%2F%2Flinks.tldrnewsletter.com%2F5VSiga/1/0100019e2171c2e6-35edacd7-79a0-4205-a8ad-ab93a1d714ae-000000/A7bg-uQy6O4xYt6PFQbiWR2U1WEi9iCs1RVhAPXLUvw=452">
<span>
<strong>Daybreak OpenAI for cybersecurity (2 minute read)</strong>
</span>
</a>
<br>
<br>
<span style="font-family: 'Helvetica Neue', Helvetica, Arial, Verdana, sans-serif;">
OpenAI Daybreak introduces a defensive program that bakes security into software development by using GPT-5.5 and Codex Security for secure code review, threat modeling, patch validation, and dependency risk analysis. It supports workflows from triage and malware analysis to red teaming through graded access tiers, including GPT-5.5-Cyber, which offers stronger verification and account controls, and is being rolled out with industry and government partners.
</span>
</span>
</div>
</td></tr></tbody></table>
<table align="center" border="0" cellpadding="0" cellspacing="0" width="100%"><tbody><tr><td class="container" style="padding: 15px 15px;">
<div class="text-block">
<span>
<a href="https://tracking.tldrnewsletter.com/CL0/https:%2F%2Fframesecurity.com%2F%3Futm_source=tldrinfosec/1/0100019e2171c2e6-35edacd7-79a0-4205-a8ad-ab93a1d714ae-000000/OqIeDn9ogRT3atKz9UsBFWNgGuEYEubSv9ZD3Mp06d4=452">
<span>
<strong>Frame Security (Product Launch)</strong>
</span>
</a>
<br>
<br>
<span style="font-family: 'Helvetica Neue', Helvetica, Arial, Verdana, sans-serif;">
Frame Security has developed a human risk management platform covering the full security awareness lifecycle, from simulated attacks to employee training to threat triage. Its simulation module generates personalized phishing, voice, and video deepfake scenarios tailored to each employee's role and communication patterns.
</span>
</span>
</div>
</td></tr></tbody></table>
</td></tr></tbody></table>
<table align="center" bgcolor="" border="0" cellpadding="0" cellspacing="0" width="100%"><tbody><tr><td class="container" style="padding-top: 0px; padding-bottom: 0px;">
<div class="text-block">
<div style="text-align: center;"><h1><strong>Miscellaneous</strong></h1></div>
</div>
</td></tr></tbody></table>
<table bgcolor="" style="table-layout: fixed; width: 100%;" width="100%"><tbody><tr><td style="padding:0;border-collapse:collapse;border-spacing:0;margin:0;" valign="top">
<table align="center" border="0" cellpadding="0" cellspacing="0" width="100%"><tbody><tr><td class="container" style="padding: 15px 15px;">
<div class="text-block">
<span>
<a href="https://tracking.tldrnewsletter.com/CL0/https:%2F%2Fdaniel.haxx.se%2Fblog%2F2026%2F05%2F11%2Fmythos-finds-a-curl-vulnerability%2F%3Futm_source=tldrinfosec/1/0100019e2171c2e6-35edacd7-79a0-4205-a8ad-ab93a1d714ae-000000/oVOTCwgegUfTXTiI8qQTcrQm91L2anR6Eu4Z5AmByus=452">
<span>
<strong>Mythos finds a curl vulnerability (5 minute read)</strong>
</span>
</a>
<br>
<br>
<span style="font-family: 'Helvetica Neue', Helvetica, Arial, Verdana, sans-serif;">
Daniel Stenberg reported that Anthropic's heavily hyped Mythos model, run against curl's 178K-line codebase via the Linux Foundation's Alpha Omega program, produced five "confirmed" findings that the curl security team triaged down to a single low-severity CVE (slated for 8.21.0 in late June), plus ~20 non-vulnerability bugs; three were false positives flagging documented API behavior, and one was deemed "just a bug." Stenberg noted that prior AI scanners (AISLE, Zeropath, and OpenAI Codex Security) drove 200-300 merged bugfixes over 8-10 months, so Mythos's lighter haul reflects diminishing returns on a heavily fuzzed, audited codebase rather than weakness, and that AI tools still surface only known bug classes, not novel ones. Practitioners should treat AI code analyzers as now table-stakes (any project that hasn't run one likely has a backlog of findings waiting), pair them with traditional defenses, and discount vendor "dangerously good" framing until independent results land.
</span>
</span>
</div>
</td></tr></tbody></table>
<table align="center" border="0" cellpadding="0" cellspacing="0" width="100%"><tbody><tr><td class="container" style="padding: 15px 15px;">
<div class="text-block">
<span>
<a href="https://tracking.tldrnewsletter.com/CL0/https:%2F%2Ftechcommunity.microsoft.com%2Fblog%2Fazureinfrastructureblog%2Fcheriot-ibex-closing-the-door-on-memory-safety-vulnerabilities-with-hardware-enf%2F4517904%3Futm_source=tldrinfosec/1/0100019e2171c2e6-35edacd7-79a0-4205-a8ad-ab93a1d714ae-000000/BrlO1BaY4vaeakJQh6-hFxMgk6gY4sj5dg7RCFg8cN0=452">
<span>
<strong>CHERIoT-Ibex: Closing the door on memory safety vulnerabilities with hardware-enforced protection (3 minute read)</strong>
</span>
</a>
<br>
<br>
<span style="font-family: 'Helvetica Neue', Helvetica, Arial, Verdana, sans-serif;">
Microsoft's CHERIoT-Ibex became the first open-source production-quality implementation of the CHERIoT ISA certified by the CHERI Alliance, extending lowRISC's 32-bit RISC-V Ibex core with capability-based hardware-enforced spatial and temporal memory safety plus fine-grained compartmentalization. The core targets embedded and IoT workloads where roughly 70 percent of Microsoft-assigned CVEs stem from memory safety defects in C/C++, and achieves its guarantees at power and area parity with low-cost microcontrollers. For defenders building tightly integrated firmware, the design constrains blast radius so a compromise in an exposed networking stack cannot pivot into privileged init or telemetry components on the same die.
</span>
</span>
</div>
</td></tr></tbody></table>
<table align="center" border="0" cellpadding="0" cellspacing="0" width="100%"><tbody><tr><td class="container" style="padding: 15px 15px;">
<div class="text-block">
<span>
<a href="https://tracking.tldrnewsletter.com/CL0/https:%2F%2Fsecurityaffairs.com%2F192038%2Fdata-breach%2Fhackers-accessed-bwh-hotels-reservation-system-for-months.html%3Futm_source=tldrinfosec/1/0100019e2171c2e6-35edacd7-79a0-4205-a8ad-ab93a1d714ae-000000/F5LAutYSJjd1cSzZApKRdY6KKrUdXHSmGhrteK5lRLI=452">
<span>
<strong>Hackers accessed BWH Hotels reservation system for months (2 minute read)</strong>
</span>
</a>
<br>
<br>
<span style="font-family: 'Helvetica Neue', Helvetica, Arial, Verdana, sans-serif;">
BWH Hotels, the 4,000-property parent of Best Western, WorldHotels, and Sure Hotels, disclosed that an unauthorized third party maintained access to a guest reservation web application from October 14, 2025, until detection on April 22, 2026, exposing names, email addresses, phone numbers, home addresses, reservation numbers, stay dates, and special requests. Payment data was not stored in the affected system and remains uncompromised, and BWH has taken the application offline, revoked access, and engaged external responders. No group has claimed the intrusion, and affected guests should treat any inbound booking-related email, SMS, or call as likely phishing given the high-fidelity reservation context attackers now hold.
</span>
</span>
</div>
</td></tr></tbody></table>
</td></tr></tbody></table>
<table align="center" bgcolor="" border="0" cellpadding="0" cellspacing="0" width="100%"><tbody><tr><td class="container" style="padding-top: 0px; padding-bottom: 0px;">
<div class="text-block">
<div style="text-align: center;"><span style="font-size: 36px;">⚡</span></div></div>
</td></tr></tbody></table>
<table align="center" bgcolor="" border="0" cellpadding="0" cellspacing="0" width="100%"><tbody><tr><td class="container" style="padding-top: 0px; padding-bottom: 0px;">
<div class="text-block">
<div style="text-align: center;">
<h1><strong>Quick Links</strong></h1>
</div>
</div>
</td></tr></tbody></table>
<table bgcolor="" style="table-layout: fixed; width: 100%;" width="100%"><tbody><tr><td style="padding:0;border-collapse:collapse;border-spacing:0;margin:0;" valign="top">
<table align="center" border="0" cellpadding="0" cellspacing="0" width="100%"><tbody><tr><td class="container" style="padding: 15px 15px;">
<div class="text-block">
<span>
<a href="https://tracking.tldrnewsletter.com/CL0/https:%2F%2Fwww.theregister.com%2Fsecurity%2F2026%2F05%2F12%2Fjapans-pm-orders-cybersecurity-review-to-defend-against-anthropic-mythos%2F5238501%3Futm_source=tldrinfosec/1/0100019e2171c2e6-35edacd7-79a0-4205-a8ad-ab93a1d714ae-000000/XL45hcJhc3l0paNoji7-MEKREaHE6Db1mEybuSyr9Q4=452">
<span>
<strong>Japan's PM orders cybersecurity review to stop Mythos going full CyberZilla (1 minute read)</strong>
</span>
</a>
<br>
<br>
<span style="font-family: 'Helvetica Neue', Helvetica, Arial, Verdana, sans-serif;">
Japan's prime minister Sanae Takaichi has told cybersecurity minister Hisashi Matsumoto to audit government systems and critical infrastructure for vulnerabilities in light of Anthropic's Mythos bug-hunting model.
</span>
</span>
</div>
</td></tr></tbody></table>
<table align="center" border="0" cellpadding="0" cellspacing="0" width="100%"><tbody><tr><td class="container" style="padding: 15px 15px;">
<div class="text-block">
<span>
<a href="https://tracking.tldrnewsletter.com/CL0/https:%2F%2Ftechcrunch.com%2F2026%2F05%2F11%2Ffinally-texts-between-android-and-iphone-users-can-be-end-to-end-encrypted%2F%3Futm_source=tldrinfosec/1/0100019e2171c2e6-35edacd7-79a0-4205-a8ad-ab93a1d714ae-000000/7Wh3HLyLIJyv40Doe2pSbUIXJW8ec_fGicXRb0VZYlU=452">
<span>
<strong>Finally, texts between Android and iPhone users can be end-to-end encrypted (2 minute read)</strong>
</span>
</a>
<br>
<br>
<span style="font-family: 'Helvetica Neue', Helvetica, Arial, Verdana, sans-serif;">
End-to-end encrypted RCS messaging started rolling out Monday in beta for iPhone and Android users with the current software.
</span>
</span>
</div>
</td></tr></tbody></table>
<table align="center" border="0" cellpadding="0" cellspacing="0" width="100%"><tbody><tr><td class="container" style="padding: 15px 15px;">
<div class="text-block">
<span>
<a href="https://tracking.tldrnewsletter.com/CL0/https:%2F%2Flinks.tldrnewsletter.com%2FqMTV2L/1/0100019e2171c2e6-35edacd7-79a0-4205-a8ad-ab93a1d714ae-000000/rsZsHkMDCazl170d6mGNVJaBCVMrd3qwCFGtpfrbMYk=452">
<span>
<strong>US govt seeks Instructure testimony on massive Canvas cyberattack (2 minute read)</strong>
</span>
</a>
<br>
<br>
<span style="font-family: 'Helvetica Neue', Helvetica, Arial, Verdana, sans-serif;">
The House Committee on Homeland Security has summoned Instructure CEO Steve Daly to a May 21 briefing after ShinyHunters breached Canvas twice in one week.
</span>
</span>
</div>
</td></tr></tbody></table>
</td></tr></tbody></table>
<table align="center" bgcolor="" border="0" cellpadding="0" cellspacing="0" width="100%"><tbody><tr><td align="left" style="word-break: break-word; vertical-align: top; padding: 5px 10px;">
<div class="text-block">
If you have any comments or feedback, just respond to this email!
<br>
<br> Thanks for reading,
<br>
<a href="https://tracking.tldrnewsletter.com/CL0/https:%2F%2Fwww.linkedin.com%2Fin%2Fprasannagautam%2F/1/0100019e2171c2e6-35edacd7-79a0-4205-a8ad-ab93a1d714ae-000000/ByPJSUNyvQ-vP8TYBoOf1UWid34yLhto6ZLh-Q8DXQI=452"><span>Prasanna Gautam</span></a>, <a href="https://tracking.tldrnewsletter.com/CL0/https:%2F%2Fwww.linkedin.com%2Fin%2Fericfernandezdelcampo%2F/1/0100019e2171c2e6-35edacd7-79a0-4205-a8ad-ab93a1d714ae-000000/pW38d5hPl0DvijqhTn5H2jJmWhye04mc-Ifv0I5uqYw=452"><span>Eric Fernandez</span></a> & <a href="https://tracking.tldrnewsletter.com/CL0/https:%2F%2Fwww.linkedin.com%2Fin%2Fsammy-tbeile%2F/1/0100019e2171c2e6-35edacd7-79a0-4205-a8ad-ab93a1d714ae-000000/E3K9w88m0d1galg9JLyaTAEQ6WRKgLkKyskbNX-TY6I=452"><span>Sammy Tbeile</span></a>
<br>
<br>
</div>
<br>
</td></tr></tbody></table>
</td></tr></tbody></table>
</td></tr></tbody></table>
</td></tr></tbody></table>
</td></tr></tbody></table>
</body></html>