<!DOCTYPE html><html lang="en"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><meta charset="UTF-8"><meta name="viewport" content="width=device-width"><meta name="x-apple-disable-message-reformatting"><title>TLDR InfoSec</title><meta name="color-scheme" content="light dark"><meta name="supported-color-schemes" content="light dark"><style type="text/css">
:root {
color-scheme: light dark; supported-color-schemes: light dark;
}
*,
*:after,
*:before {
-webkit-box-sizing: border-box; -moz-box-sizing: border-box; box-sizing: border-box;
}
* {
-ms-text-size-adjust: 100%; -webkit-text-size-adjust: 100%;
}
html,
body,
.document {
width: 100% !important; height: 100% !important; margin: 0; padding: 0;
}
body {
-webkit-font-smoothing: antialiased; -moz-osx-font-smoothing: grayscale; text-rendering: optimizeLegibility;
}
div[style*="margin: 16px 0"] {
margin: 0 !important;
}
table,
td {
mso-table-lspace: 0pt; mso-table-rspace: 0pt;
}
table {
border-spacing: 0; border-collapse: collapse; table-layout: fixed; margin: 0 auto;
}
img {
-ms-interpolation-mode: bicubic; max-width: 100%; border: 0;
}
*[x-apple-data-detectors] {
color: inherit !important; text-decoration: none !important;
}
.x-gmail-data-detectors,
.x-gmail-data-detectors *,
.aBn {
border-bottom: 0 !important; cursor: default !important;
}
.btn {
-webkit-transition: all 200ms ease; transition: all 200ms ease;
}
.btn:hover {
background-color: #f67575; border-color: #f67575;
}
* {
font-family: Arial, Helvetica, sans-serif; font-size: 18px;
}
@media screen and (max-width: 600px) {
.container {
width: 100%; margin: auto;
}
.stack {
display: block!important; width: 100%!important; max-width: 100%!important;
}
.btn {
display: block; width: 100%; text-align: center;
}
}
body,
p,
td,
tr,
.body,
table,
h1,
h2,
h3,
h4,
h5,
h6,
div,
span {
background-color: #FEFEFE !important; color: #010101 !important;
}
@media (prefers-color-scheme: dark) {
body,
p,
td,
tr,
.body,
table,
h1,
h2,
h3,
h4,
h5,
h6,
div,
span {
background-color: #27292D !important; color: #FEFEFE !important;
}
}
a {
color: inherit !important; text-decoration: underline !important;
}
</style><!--[if mso | ie]>
<style type="text/css">
a {
background-color: #FEFEFE !important; color: #010101 !important;
}
@media (prefers-color-scheme: dark) {
a {
background-color: #27292D !important; color: #FEFEFE !important;
}
}
</style>
<![endif]--></head><body class="">
<table align="center" class="document"><tbody><tr><td valign="top">
<table align="center" border="0" cellpadding="0" cellspacing="0" class="container" width="600"><tbody><tr class="inner-body"><td>
<table align="center" border="0" cellpadding="0" cellspacing="0" width="100%"><tbody><tr class="header"><td bgcolor="" class="container">
<table width="100%"><tbody><tr><td class="container">
<table align="center" bgcolor="" border="0" cellpadding="0" cellspacing="0" style="margin-top: 0px;" width="100%"><tbody><tr><td style="padding: 0px;">
<table align="center" bgcolor="" border="0" cellpadding="0" cellspacing="0" width="100%"><tbody><tr><td class="container" style="padding: 15px 15px;">
</td></tr></tbody></table>
<table align="center" bgcolor="" border="0" cellpadding="0" cellspacing="0" width="100%"><tbody><tr><td class="container" style="text-align: center;"><span data-darkreader-inline-color="" style="--darkreader-inline-color:#3db3ff; color: rgb(51, 175, 255) !important; font-size: 30px;">T</span><span style="font-size: 30px;"><span data-darkreader-inline-color="" style="color: rgb(232, 192, 96) !important; --darkreader-inline-color:#e8c163; font-size:30px;">L</span><span data-darkreader-inline-color="" style="color: rgb(101, 195, 173) !important; --darkreader-inline-color:#6ec7b2; font-size:30px;">D</span></span><span data-darkreader-inline-color="" style="--darkreader-inline-color:#dd6e6e; color: rgb(220, 107, 107) !important; font-size: 30px;">R</span>
<br>
</td></tr></tbody></table>
<br>
<table style="table-layout: fixed; width:100%;" width="100%"><tbody><tr><td style="padding:0;border-collapse:collapse;border-spacing:0;margin:0;">
<div style="text-align: center;">
<h1><strong>TLDR Information Security <span id="date">2026-05-21</span></strong></h1>
</div>
</td></tr></tbody></table>
</td></tr></tbody></table>
</td></tr></tbody></table>
</td></tr>
<tr bgcolor=""><td class="container">
<table align="center" bgcolor="" border="0" cellpadding="0" cellspacing="0" width="100%"><tbody><tr><td style="padding: 0px;">
<table align="center" bgcolor="" border="0" cellpadding="0" cellspacing="0" width="100%"><tbody><tr><td class="container" style="padding-top: 0px; padding-bottom: 0px;">
<div class="text-block">
<div style="text-align: center;"><span style="font-size: 36px;">🔓</span></div></div>
</td></tr></tbody></table>
<table align="center" bgcolor="" border="0" cellpadding="0" cellspacing="0" width="100%"><tbody><tr><td class="container" style="padding-top: 0px; padding-bottom: 0px;">
<div class="text-block">
<div style="text-align: center;">
<h1><strong>Attacks & Vulnerabilities</strong></h1>
</div>
</div>
</td></tr></tbody></table>
<table style="table-layout: fixed; width: 100%;" width="100%"><tbody><tr><td style="padding:0;border-collapse:collapse;border-spacing:0;margin:0;" valign="top">
<table align="center" border="0" cellpadding="0" cellspacing="0" width="100%"><tbody><tr><td class="container" style="padding: 15px 15px;">
<div class="text-block">
<span>
<a href="https://tracking.tldrnewsletter.com/CL0/https:%2F%2Fthehackernews.com%2F2026%2F05%2Fgithub-investigating-teampcp-claimed.html%3Futm_source=tldrinfosec/1/0100019e4aa93483-ad204014-8cca-4997-8c1e-cbd9d0d53914-000000/c2rbfizpLGQHiOemPiguUzVkS-jFyu4NQ2pGnxMdNzY=452">
<span>
<strong>GitHub Breached — Employee Device Hack Led to Exfiltration of 3,800+ Internal Repos (4 minute read)</strong>
</span>
</a>
<br>
<br>
<span style="font-family: 'Helvetica Neue', Helvetica, Arial, Verdana, sans-serif;">
TeamPCP claims access to around 3,800 internal GitHub repositories after compromising an employee device with a poisoned VS Code extension, leading GitHub to rotate secrets and investigate scope. The same group trojanized Microsoft's durabletask PyPI package to drop a Linux-only infostealer that steals cloud, vault, SSH, and Kubernetes credentials and propagates across AWS and clusters. LAPSUS$ is now co-selling the leaked internal projects, including Actions, Copilot, CodeQL, and Dependabot components, raising concern over source exposure and supply chain abuse.
</span>
</span>
</div>
</td></tr></tbody></table>
<table align="center" border="0" cellpadding="0" cellspacing="0" width="100%"><tbody><tr><td class="container" style="padding: 15px 15px;">
<div class="text-block">
<span>
<a href="https://tracking.tldrnewsletter.com/CL0/https:%2F%2Fsecurelist.com%2Fexiftool-compromise-mac%2F119866%2F%3Futm_source=tldrinfosec/1/0100019e4aa93483-ad204014-8cca-4997-8c1e-cbd9d0d53914-000000/samBlc_jUFL6snFJKkOnkVPnzNnNf4QPg0eWqNTM9qU=452">
<span>
<strong>How an image could compromise your Mac: understanding an ExifTool vulnerability (CVE-2026-3102) (7 minute read)</strong>
</span>
</a>
<br>
<br>
<span style="font-family: 'Helvetica Neue', Helvetica, Arial, Verdana, sans-serif;">
GReAT discovered CVE-2026-3102 in ExifTool ≤13.49 on macOS, where unsanitized date values in the SetMacOSTags function flow into a system() sink, allowing arbitrary command execution via metadata injection when the -n flag is used with -tagsFromFile to copy a crafted DateTimeOriginal tag into FileCreateDate. Attack chain: single quotes are injected into DateTimeOriginal using the -n flag (which bypasses PrintConvInv validation), and the tag is then copied via -tagsFromFile to trigger SetMacOSTags, where the unescaped $val is concatenated into /usr/bin/setfile -d 'PAYLOAD' 'FILE', enabling command substitution. The fix in 13.50 replaced string concatenation with list-form system() calls, eliminating manual escaping. Defenders must verify that all photo-processing workflows, asset management tools, and bulk image scripts use ExifTool ≥13.50, isolate untrusted file processing on air-gapped machines, and enforce macOS endpoint protection on BYOD and contractor devices.
</span>
</span>
</div>
</td></tr></tbody></table>
<table align="center" border="0" cellpadding="0" cellspacing="0" width="100%"><tbody><tr><td class="container" style="padding: 15px 15px;">
<div class="text-block">
<span>
<a href="https://tracking.tldrnewsletter.com/CL0/https:%2F%2Flinks.tldrnewsletter.com%2FNCZHE5/1/0100019e4aa93483-ad204014-8cca-4997-8c1e-cbd9d0d53914-000000/8S6cug1sB2d60ar5kggP2yRrZI9lVZ9a8H0ySp4ED4g=452">
<span>
<strong>Exploit Released for New PinTheft Arch Linux root Escalation Flaw (2 minute read)</strong>
</span>
</a>
<br>
<br>
<span style="font-family: 'Helvetica Neue', Helvetica, Arial, Verdana, sans-serif;">
Researchers from V12 uncovered a new local privilege escalation vulnerability in Linux systems. The vulnerability stems from a double-free flaw in how the Reliable Datagram System (RDS) handles user pages. The RDS kernel module that the vulnerability requires is enabled by default only on Arch Linux.
</span>
</span>
</div>
</td></tr></tbody></table>
</td></tr></tbody></table>
<table align="center" bgcolor="" border="0" cellpadding="0" cellspacing="0" width="100%"><tbody><tr><td class="container" style="padding-top: 0px; padding-bottom: 0px;">
<div class="text-block">
<div style="text-align: center;"><span style="font-size: 36px;">🧠</span></div>
</div>
</td></tr></tbody></table>
<table align="center" bgcolor="" border="0" cellpadding="0" cellspacing="0" width="100%"><tbody><tr><td class="container" style="padding-top: 0px; padding-bottom: 0px;">
<div class="text-block">
<div style="text-align: center;">
<h1><strong>Strategies & Tactics</strong></h1>
</div>
</div>
</td></tr></tbody></table>
<table style="table-layout: fixed; width: 100%;" width="100%"><tbody><tr><td style="padding:0;border-collapse:collapse;border-spacing:0;margin:0;" valign="top">
<table align="center" border="0" cellpadding="0" cellspacing="0" width="100%"><tbody><tr><td class="container" style="padding: 15px 15px;">
<div class="text-block">
<span>
<a href="https://tracking.tldrnewsletter.com/CL0/https:%2F%2Funit42.paloaltonetworks.com%2Ftracking-tampered-chef-clusters%2F%3Futm_source=tldrinfosec/1/0100019e4aa93483-ad204014-8cca-4997-8c1e-cbd9d0d53914-000000/Kg1mFd9hjLYlabGs-VK2Qi0Q7r3fykqBvzcLXKgwIuQ=452">
<span>
<strong>Tracking TamperedChef Clusters via Certificate and Code Reuse (23 minute read)</strong>
</span>
</a>
<br>
<br>
<span style="font-family: 'Helvetica Neue', Helvetica, Arial, Verdana, sans-serif;">
Unit 42 mapped three TamperedChef (aka EvilAI) clusters distributing trojanized productivity apps (PDF editors, calendars, and ZIP tools) that stay dormant for weeks before pulling second-stage stealers, RATs, or proxy malware, identifying over 4,000 samples across 100 variants by pivoting on code-signing certificate reuse, code overlap, and ad-transparency data. Operators function as advertising and logistics specialists rather than malware experts, registering shell corporations for OV/EV certificates (CL-CRI-1089 burned 34 certs costing $10,000+), running 20,000+ malvertisements, and using LLM-generated distribution sites with visually similar pages but distinct DOM structures. Defenders should deploy updated EDR/XDR and enterprise browsers, harden endpoints against untrusted software installs, hunt for persistence via scheduled tasks and registry Run keys, and revoke tokens plus reset browser-stored credentials on any confirmed infection.
</span>
</span>
</div>
</td></tr></tbody></table>
<table align="center" border="0" cellpadding="0" cellspacing="0" width="100%"><tbody><tr><td class="container" style="padding: 15px 15px;">
<div class="text-block">
<span>
<a href="https://tracking.tldrnewsletter.com/CL0/https:%2F%2Fblog.himanshuanand.com%2F2026%2F05%2Fscore-by-collisions-patch-by-panic%2F%3Futm_source=tldrinfosec/1/0100019e4aa93483-ad204014-8cca-4997-8c1e-cbd9d0d53914-000000/i0EjpabkqQXTuZuZghvjMvNCJ5YXjsPeZuESyaD8b3g=452">
<span>
<strong>Score By Collisions, Patch By Panic (9 minute read)</strong>
</span>
</a>
<br>
<br>
<span style="font-family: 'Helvetica Neue', Helvetica, Arial, Verdana, sans-serif;">
Severity should track how many independent researchers and attackers hit the same bug, with collision counts shrinking patch windows from weeks to hours. Vendors need solo researchers to push for shorter disclosure windows and ship patches, not just reports, while bug hunters move up the stack toward logic bugs and deep system understanding. Corporate teams should lock down egress, recycle infrastructure aggressively, sandbox runtimes, and add automated circuit breakers and feature flags to contain zero-days and keep production running under constant incident pressure.
</span>
</span>
</div>
</td></tr></tbody></table>
</td></tr></tbody></table>
<table align="center" bgcolor="" border="0" cellpadding="0" cellspacing="0" width="100%"><tbody><tr><td class="container" style="padding-top: 0px; padding-bottom: 0px;">
<div class="text-block">
<div style="text-align: center;"><span style="font-size: 36px;">🧑💻</span></div>
</div>
</td></tr></tbody></table>
<table align="center" bgcolor="" border="0" cellpadding="0" cellspacing="0" width="100%"><tbody><tr><td class="container" style="padding-top: 0px; padding-bottom: 0px;">
<div class="text-block">
<div style="text-align: center;">
<h1><strong>Launches & Tools</strong></h1>
</div>
</div>
</td></tr></tbody></table>
<table style="table-layout: fixed; width: 100%;" width="100%"><tbody><tr><td style="padding:0;border-collapse:collapse;border-spacing:0;margin:0;" valign="top">
<table align="center" border="0" cellpadding="0" cellspacing="0" width="100%"><tbody><tr><td class="container" style="padding: 15px 15px;">
<div class="text-block">
<span>
<a href="https://tracking.tldrnewsletter.com/CL0/https:%2F%2Fthehackernews.com%2F2026%2F05%2Fmicrosoft-open-sources-rampart-and.html%3Futm_source=tldrinfosec/1/0100019e4aa93483-ad204014-8cca-4997-8c1e-cbd9d0d53914-000000/yUdjewr2TMz-rns5z7Nog-NTBCsufqfC-tpoPgWgw6I=452">
<span>
<strong>Microsoft Open-Sources RAMPART and Clarity to Secure AI Agents During Development (1 minute read)</strong>
</span>
</a>
<br>
<br>
<span style="font-family: 'Helvetica Neue', Helvetica, Arial, Verdana, sans-serif;">
Microsoft has released two open-source tools for testing AI agent security during development: RAMPART (Risk Assessment and Measurement Platform for Agentic Red Teaming), a Pytest-native framework for writing adversarial and benign safety tests covering harm categories like cross-prompt injection and data exfiltration, and Clarity, a "structured sounding board" that pressure-tests design assumptions before code is written. RAMPART builds on Microsoft's PyRIT and connects to an agent through a single adapter, evaluating test outcomes and reporting results. Where PyRIT targets black-box discovery after a system is built, RAMPART runs during development and Clarity captures design intent, turning red-team findings into reusable engineering assets across the agent lifecycle.
</span>
</span>
</div>
</td></tr></tbody></table>
<table align="center" border="0" cellpadding="0" cellspacing="0" width="100%"><tbody><tr><td class="container" style="padding: 15px 15px;">
<div class="text-block">
<span>
<a href="https://tracking.tldrnewsletter.com/CL0/https:%2F%2Fwww.ocean.security%2F%3Futm_source=tldrinfosec/1/0100019e4aa93483-ad204014-8cca-4997-8c1e-cbd9d0d53914-000000/zi5pMIwVhsv7TwbfG5sWe0CFuwEJ_2aUl5K_LqV6Gk4=452">
<span>
<strong>Ocean (Product Launch)</strong>
</span>
</a>
<br>
<br>
<span style="font-family: 'Helvetica Neue', Helvetica, Arial, Verdana, sans-serif;">
Ocean is an email security platform that scans every incoming message with a custom language model, checks sender intent against company context, and flags fraud and impersonation.
</span>
</span>
</div>
</td></tr></tbody></table>
<table align="center" border="0" cellpadding="0" cellspacing="0" width="100%"><tbody><tr><td class="container" style="padding: 15px 15px;">
<div class="text-block">
<span>
<a href="https://tracking.tldrnewsletter.com/CL0/https:%2F%2Fgithub.com%2Fgoogleprojectzero%2FJackalope%3Futm_source=tldrinfosec/1/0100019e4aa93483-ad204014-8cca-4997-8c1e-cbd9d0d53914-000000/1qPHurV2MsmyWZREP-wh5lg8_at3Owg0qEkcxWyDLa0=452">
<span>
<strong>Jackalope (GitHub Repo)</strong>
</span>
</a>
<br>
<br>
<span style="font-family: 'Helvetica Neue', Helvetica, Arial, Verdana, sans-serif;">
Jackalope is a customizable, distributed, coverage-guided fuzzer that works on black-box binaries.
</span>
</span>
</div>
</td></tr></tbody></table>
</td></tr></tbody></table>
<table align="center" bgcolor="" border="0" cellpadding="0" cellspacing="0" width="100%"><tbody><tr><td class="container" style="padding-top: 0px; padding-bottom: 0px;">
<div class="text-block">
<div style="text-align: center;"><span style="font-size: 36px;">🎁</span></div></div>
</td></tr></tbody></table>
<table align="center" bgcolor="" border="0" cellpadding="0" cellspacing="0" width="100%"><tbody><tr><td class="container" style="padding-top: 0px; padding-bottom: 0px;">
<div class="text-block">
<div style="text-align: center;"><h1><strong>Miscellaneous</strong></h1></div>
</div>
</td></tr></tbody></table>
<table bgcolor="" style="table-layout: fixed; width: 100%;" width="100%"><tbody><tr><td style="padding:0;border-collapse:collapse;border-spacing:0;margin:0;" valign="top">
<table align="center" border="0" cellpadding="0" cellspacing="0" width="100%"><tbody><tr><td class="container" style="padding: 15px 15px;">
<div class="text-block">
<span>
<a href="https://tracking.tldrnewsletter.com/CL0/https:%2F%2Fwww.csoonline.com%2Farticle%2F4173417%2Fmicrosoft-disrupts-malware-code-signing-service-used-by-ransomware-gangs.html%3Futm_source=tldrinfosec/1/0100019e4aa93483-ad204014-8cca-4997-8c1e-cbd9d0d53914-000000/cmPVIriGietovngF1MLPX5P9EGXlHZARxykYFX75uxY=452">
<span>
<strong>Microsoft disrupts malware code-signing service used by ransomware gangs (3 minute read)</strong>
</span>
</a>
<br>
<br>
<span style="font-family: 'Helvetica Neue', Helvetica, Arial, Verdana, sans-serif;">
Microsoft disrupted Fox Tempest's malware-signing-as-a-service (MSaaS) operation by seizing signspace[.]cloud, revoking 1,000+ code-signing certificates obtained via stolen identities and abused Azure Artifact Signing subscriptions, and taking offline hundreds of attacker-controlled VMs, with cybercriminals paying $5,000–$9,000 per deployment to bypass SmartScreen warnings and evade detection. Vanilla Tempest and affiliates of INC, Qilin, Akira, and Rhysida used signed fake installers (AnyDesk, Teams, PuTTY, and Webex) distributed through SEO poisoning and malvertising to deploy backdoors, infostealers, and ransomware. The shift reflects cybercrime's modularization: specialized high-friction services like code-signing are now commoditized and sold interchangeably, replacing monolithic attack chains and enabling rapid scaling across ransomware campaigns since at least May 2025.
</span>
</span>
</div>
</td></tr></tbody></table>
<table align="center" border="0" cellpadding="0" cellspacing="0" width="100%"><tbody><tr><td class="container" style="padding: 15px 15px;">
<div class="text-block">
<span>
<a href="https://tracking.tldrnewsletter.com/CL0/https:%2F%2Fwww.theregister.com%2Fdatabases%2F2026%2F05%2F20%2Flondons-police-asked-big-tech-for-comms-data-over-700000-times-last-year%2F5242590%3Futm_source=tldrinfosec/1/0100019e4aa93483-ad204014-8cca-4997-8c1e-cbd9d0d53914-000000/r9Pc2LAmdUWG6Vcm5DFxpmoRWdn40tMSZPXfDRdS4Ys=452">
<span>
<strong>London's police asked Big Tech for comms data over 700,000 times last year (4 minute read)</strong>
</span>
</a>
<br>
<br>
<span style="font-family: 'Helvetica Neue', Helvetica, Arial, Verdana, sans-serif;">
London's Met made over 700,000 requests for communications metadata in 2025, including data from Proton services, Signal, MVNO LycaMobile, and gig platforms like Uber and Deliveroo. Proton and Signal dispute claims about data handed over, highlighting reliance on metadata and legal channels. Requests targeting LycaMobile and delivery riders intersect with immigration enforcement and source-identification efforts involving journalists and migrants.
</span>
</span>
</div>
</td></tr></tbody></table>
<table align="center" border="0" cellpadding="0" cellspacing="0" width="100%"><tbody><tr><td class="container" style="padding: 15px 15px;">
<div class="text-block">
<span>
<a href="https://tracking.tldrnewsletter.com/CL0/https:%2F%2Farstechnica.com%2Fsecurity%2F2026%2F05%2Fgoogle-publishes-exploit-code-threatening-millions-of-chromium-users%2F%3Futm_source=tldrinfosec/1/0100019e4aa93483-ad204014-8cca-4997-8c1e-cbd9d0d53914-000000/FuePub1JsG2lRSYuI1F2i6C1Yu_e4nDak5YpN4rdNQU=452">
<span>
<strong>Google publishes exploit code threatening millions of Chromium users (2 minute read)</strong>
</span>
</a>
<br>
<br>
<span style="font-family: 'Helvetica Neue', Helvetica, Arial, Verdana, sans-serif;">
Google accidentally exposed proof-of-concept code for a still-unpatched Browser Fetch API bug that can turn Chromium-based browsers into limited bots for proxying traffic, DDoS, and activity monitoring. Any visited site can trigger a persistent service worker, with behavior particularly stealthy on Edge. Chrome, Edge, Brave, Opera, Vivaldi, and Arc are affected. Firefox and Safari are not.
</span>
</span>
</div>
</td></tr></tbody></table>
</td></tr></tbody></table>
<table align="center" bgcolor="" border="0" cellpadding="0" cellspacing="0" width="100%"><tbody><tr><td class="container" style="padding-top: 0px; padding-bottom: 0px;">
<div class="text-block">
<div style="text-align: center;"><span style="font-size: 36px;">⚡</span></div></div>
</td></tr></tbody></table>
<table align="center" bgcolor="" border="0" cellpadding="0" cellspacing="0" width="100%"><tbody><tr><td class="container" style="padding-top: 0px; padding-bottom: 0px;">
<div class="text-block">
<div style="text-align: center;">
<h1><strong>Quick Links</strong></h1>
</div>
</div>
</td></tr></tbody></table>
<table bgcolor="" style="table-layout: fixed; width: 100%;" width="100%"><tbody><tr><td style="padding:0;border-collapse:collapse;border-spacing:0;margin:0;" valign="top">
<table align="center" border="0" cellpadding="0" cellspacing="0" width="100%"><tbody><tr><td class="container" style="padding: 15px 15px;">
<div class="text-block">
<span>
<a href="https://tracking.tldrnewsletter.com/CL0/https:%2F%2Flinks.tldrnewsletter.com%2F3iBYrE/1/0100019e4aa93483-ad204014-8cca-4997-8c1e-cbd9d0d53914-000000/1GD5PQVvaizWY6_3jhYsOZ3bCG5M6GLfoh1CyecGy7s=452">
<span>
<strong>Grafana breach caused by missed token rotation after TanStack attack (1 minute read)</strong>
</span>
</a>
<br>
<br>
<span style="font-family: 'Helvetica Neue', Helvetica, Arial, Verdana, sans-serif;">
Grafana's breach traces to a single GitHub workflow token missed during incident-response rotation after the Shai-Hulud campaign (attributed to TeamPCP) poisoned dozens of TanStack npm packages with credential-stealing code that Grafana's CI/CD consumed on May 1. The missed token let attackers reach private repositories and steal source code plus business contact data. Grafana confirms that no customer production systems were affected and that its codebase was not modified.
</span>
</span>
</div>
</td></tr></tbody></table>
<table align="center" border="0" cellpadding="0" cellspacing="0" width="100%"><tbody><tr><td class="container" style="padding: 15px 15px;">
<div class="text-block">
<span>
<a href="https://tracking.tldrnewsletter.com/CL0/https:%2F%2Fdiscord.com%2Fblog%2Fevery-voice-and-video-call-on-discord-is-now-end-to-end-encrypted%3Futm_source=tldrinfosec/1/0100019e4aa93483-ad204014-8cca-4997-8c1e-cbd9d0d53914-000000/o8txcGq3-KhEH29LEbRrQFuH3LsoI-Up60FjLiZ8fa8=452">
<span>
<strong>Every Voice and Video Call on Discord Is Now End-to-End Encrypted (4 minute read)</strong>
</span>
</a>
<br>
<br>
<span style="font-family: 'Helvetica Neue', Helvetica, Arial, Verdana, sans-serif;">
Discord has finished migrating all one-to-one, group, channel, and Go Live calls to the DAVE end-to-end encryption protocol.
</span>
</span>
</div>
</td></tr></tbody></table>
<table align="center" border="0" cellpadding="0" cellspacing="0" width="100%"><tbody><tr><td class="container" style="padding: 15px 15px;">
<div class="text-block">
<span>
<a href="https://tracking.tldrnewsletter.com/CL0/https:%2F%2Flinks.tldrnewsletter.com%2FgljyMu/1/0100019e4aa93483-ad204014-8cca-4997-8c1e-cbd9d0d53914-000000/DKUlPRieFQrmFVxezrJG9L7ZWbwqi1JID-OeastxEME=452">
<span>
<strong>Anthropic Silently Patches Claude Code Sandbox Bypass (2 minute read)</strong>
</span>
</a>
<br>
<br>
<span style="font-family: 'Helvetica Neue', Helvetica, Arial, Verdana, sans-serif;">
Researcher Aonan Guan found a SOCKS5 null-byte injection flaw in Claude Code's network sandbox that let attackers bypass hostname filtering.
</span>
</span>
</div>
</td></tr></tbody></table>
</td></tr></tbody></table>
<table align="center" bgcolor="" border="0" cellpadding="0" cellspacing="0" width="100%"><tbody><tr><td align="left" style="word-break: break-word; vertical-align: top; padding: 5px 10px;">
<div class="text-block">
If you have any comments or feedback, just respond to this email!
<br>
<br> Thanks for reading,
<br>
<a href="https://tracking.tldrnewsletter.com/CL0/https:%2F%2Fwww.linkedin.com%2Fin%2Fprasannagautam%2F/1/0100019e4aa93483-ad204014-8cca-4997-8c1e-cbd9d0d53914-000000/2DNa7JeAdvb6-KtHEL9FOtEgxmGQe4cYSa4RcTkE5ss=452"><span>Prasanna Gautam</span></a>, <a href="https://tracking.tldrnewsletter.com/CL0/https:%2F%2Fwww.linkedin.com%2Fin%2Fericfernandezdelcampo%2F/1/0100019e4aa93483-ad204014-8cca-4997-8c1e-cbd9d0d53914-000000/wgIgzK5RSSkbmaJ75bGKwsEau3yWxZX4Vnw8tVxaARU=452"><span>Eric Fernandez</span></a> & <a href="https://tracking.tldrnewsletter.com/CL0/https:%2F%2Fwww.linkedin.com%2Fin%2Fsammy-tbeile%2F/1/0100019e4aa93483-ad204014-8cca-4997-8c1e-cbd9d0d53914-000000/HE1N-HRNOC1rBpAvEV5Cg9lWXldj8-NHUnjKr1wyrY0=452"><span>Sammy Tbeile</span></a>
<br>
<br>
</div>
<br>
</td></tr></tbody></table>
<table align="center" bgcolor="" border="0" cellpadding="0" cellspacing="0" width="100%"><tbody><tr><td class="container" style="padding: 15px 15px;">
<div class="text-block" id="testing-id">
</div>
</td></tr></tbody></table>
</td></tr></tbody></table>
</td></tr></tbody></table>
</td></tr></tbody></table>
</td></tr></tbody></table>
</body></html>