<!DOCTYPE html><html lang="en"><head><meta http-equiv="Content-Type" content="text/html charset=UTF-8"><meta charset="UTF-8"><meta name="viewport" content="width=device-width"><meta name="x-apple-disable-message-reformatting"><title>TLDR InfoSec</title><meta name="color-scheme" content="light dark"><meta name="supported-color-schemes" content="light dark"><style type="text/css">
:root {
color-scheme: light dark; supported-color-schemes: light dark;
}
*,
*:after,
*:before {
-webkit-box-sizing: border-box; -moz-box-sizing: border-box; box-sizing: border-box;
}
* {
-ms-text-size-adjust: 100%; -webkit-text-size-adjust: 100%;
}
html,
body,
.document {
width: 100% !important; height: 100% !important; margin: 0; padding: 0;
}
body {
-webkit-font-smoothing: antialiased; -moz-osx-font-smoothing: grayscale; text-rendering: optimizeLegibility;
}
div[style*="margin: 16px 0"] {
margin: 0 !important;
}
table,
td {
mso-table-lspace: 0pt; mso-table-rspace: 0pt;
}
table {
border-spacing: 0; border-collapse: collapse; table-layout: fixed; margin: 0 auto;
}
img {
-ms-interpolation-mode: bicubic; max-width: 100%; border: 0;
}
*[x-apple-data-detectors] {
color: inherit !important; text-decoration: none !important;
}
.x-gmail-data-detectors,
.x-gmail-data-detectors *,
.aBn {
border-bottom: 0 !important; cursor: default !important;
}
.btn {
-webkit-transition: all 200ms ease; transition: all 200ms ease;
}
.btn:hover {
background-color: #f67575; border-color: #f67575;
}
* {
font-family: Arial, Helvetica, sans-serif; font-size: 18px;
}
@media screen and (max-width: 600px) {
.container {
width: 100%; margin: auto;
}
.stack {
display: block!important; width: 100%!important; max-width: 100%!important;
}
.btn {
display: block; width: 100%; text-align: center;
}
}
body,
p,
td,
tr,
.body,
table,
h1,
h2,
h3,
h4,
h5,
h6,
div,
span {
background-color: #FEFEFE !important; color: #010101 !important;
}
@media (prefers-color-scheme: dark) {
body,
p,
td,
tr,
.body,
table,
h1,
h2,
h3,
h4,
h5,
h6,
div,
span {
background-color: #27292D !important; color: #FEFEFE !important;
}
}
a {
color: inherit !important; text-decoration: underline !important;
}
</style><!--[if mso | ie]>
<style type="text/css">
a {
background-color: #FEFEFE !important; color: #010101 !important;
}
@media (prefers-color-scheme: dark) {
a {
background-color: #27292D !important; color: #FEFEFE !important;
}
}
</style>
<![endif]--></head><body class="">
<table align="center" class="document"><tbody><tr><td valign="top">
<table align="center" border="0" cellpadding="0" cellspacing="0" class="container" width="600"><tbody><tr class="inner-body"><td>
<table align="center" border="0" cellpadding="0" cellspacing="0" width="100%"><tbody><tr class="header"><td bgcolor="" class="container">
<table width="100%"><tbody><tr><td class="container">
<table align="center" bgcolor="" border="0" cellpadding="0" cellspacing="0" style="margin-top: 0px;" width="100%"><tbody><tr><td style="padding: 0px;">
<table align="center" bgcolor="" border="0" cellpadding="0" cellspacing="0" width="100%"><tbody><tr><td class="container" style="text-align: center;"><span data-darkreader-inline-color="" style="--darkreader-inline-color:#3db3ff; color: rgb(51, 175, 255) !important; font-size: 30px;">T</span><span style="font-size: 30px;"><span data-darkreader-inline-color="" style="color: rgb(232, 192, 96) !important; --darkreader-inline-color:#e8c163; font-size:30px;">L</span><span data-darkreader-inline-color="" style="color: rgb(101, 195, 173) !important; --darkreader-inline-color:#6ec7b2; font-size:30px;">D</span></span><span data-darkreader-inline-color="" style="--darkreader-inline-color:#dd6e6e; color: rgb(220, 107, 107) !important; font-size: 30px;">R</span>
<br>
</td></tr></tbody></table>
<br>
<table style="table-layout: fixed; width:100%;" width="100%"><tbody><tr><td style="padding:0;border-collapse:collapse;border-spacing:0;margin:0;">
<div style="text-align: center;">
<h1><strong>TLDR Information Security <span id="date">2026-05-22</span></strong></h1>
</div>
</td></tr></tbody></table>
</td></tr></tbody></table>
</td></tr></tbody></table>
</td></tr>
<tr bgcolor=""><td class="container">
<table align="center" bgcolor="" border="0" cellpadding="0" cellspacing="0" width="100%"><tbody><tr><td style="padding: 0px;">
<table align="center" bgcolor="" border="0" cellpadding="0" cellspacing="0" width="100%"><tbody><tr><td class="container" style="padding-top: 0px; padding-bottom: 0px;">
<div class="text-block">
<div style="text-align: center;">
<h1><strong>Attacks & Vulnerabilities</strong></h1>
</div>
</div>
</td></tr></tbody></table>
<table style="table-layout: fixed; width: 100%;" width="100%"><tbody><tr><td style="padding:0;border-collapse:collapse;border-spacing:0;margin:0;" valign="top">
<table align="center" border="0" cellpadding="0" cellspacing="0" width="100%"><tbody><tr><td class="container" style="padding: 15px 15px;">
<div class="text-block">
<span>
<a href="https://tracking.tldrnewsletter.com/CL0/https:%2F%2Fwww.theregister.com%2Fsecurity%2F2026%2F05%2F21%2F46k-plaintext-passwords-pwned-in-myspace93-breach%2F5244024%3Futm_source=tldrinfosec/1/0100019e4fcdf59c-41ec78ad-c0bf-42e6-b5e5-00bd7b87774e-000000/W7esZ63DSttJga-y_hh5QkZdi82EXBE64aKjpFXxoJs=452">
<span>
<strong>Attackers spill plaintext passwords of 46k Myspace93 users after 2021 breach (2 minute read)</strong>
</span>
</a>
<br>
<br>
<span style="font-family: 'Helvetica Neue', Helvetica, Arial, Verdana, sans-serif;">
A 2021 breach at parody social network Myspace93 exposed more than 46,000 usernames, plaintext passwords, email addresses, and IPs after a beta app shared with trusted Discord members was abused to pull server files and an unencrypted credential store. The site has since closed its registration and social features, and users are urged to stop reusing passwords and enable 2FA.
</span>
</span>
</div>
</td></tr></tbody></table>
<table align="center" border="0" cellpadding="0" cellspacing="0" width="100%"><tbody><tr><td class="container" style="padding: 15px 15px;">
<div class="text-block">
<span>
<a href="https://tracking.tldrnewsletter.com/CL0/https:%2F%2Fthehackernews.com%2F2026%2F05%2Ftrapdoor-android-ad-fraud-scheme-hit.html%3Futm_source=tldrinfosec/1/0100019e4fcdf59c-41ec78ad-c0bf-42e6-b5e5-00bd7b87774e-000000/pkW14PI2t1vM4up2ayGuutnXoOcmMEcOqT16VhoTaIc=452">
<span>
<strong>Trapdoor Android Ad Fraud Scheme Hit 659 Million Daily Bid Requests Using 455 Apps (4 minute read)</strong>
</span>
</a>
<br>
<br>
<span style="font-family: 'Helvetica Neue', Helvetica, Arial, Verdana, sans-serif;">
Trapdoor uses utility-style Android apps as initial lures, then pushes second-stage apps that open hidden WebViews to hit HTML5 cashout domains and request ads at scale. It abused install attribution tools to enable fraud only for ad-driven installs, peaking at 659 million daily bid requests across 455 apps, and prompted Google to pull all identified apps from Play.
</span>
</span>
</div>
</td></tr></tbody></table>
<table align="center" border="0" cellpadding="0" cellspacing="0" width="100%"><tbody><tr><td class="container" style="padding: 15px 15px;">
<div class="text-block">
<span>
<a href="https://tracking.tldrnewsletter.com/CL0/https:%2F%2Fsafedep.io%2Fmegalodon-mass-github-repo-backdooring-ci-workflows%2F%3Futm_source=tldrinfosec/1/0100019e4fcdf59c-41ec78ad-c0bf-42e6-b5e5-00bd7b87774e-000000/3gXNXhvyBDnrkn7WlcG-QN8MTU9DgIiNdcf_7nt1txA=452">
<span>
<strong>Megalodon: Mass GitHub Repo Backdooring via CI Workflows (11 minute read)</strong>
</span>
</a>
<br>
<br>
<span style="font-family: 'Helvetica Neue', Helvetica, Arial, Verdana, sans-serif;">
An automated campaign pushed 5,718 malicious commits to 5,561 GitHub repositories in a six-hour window, injecting GitHub Actions workflows with base64-encoded bash payloads that exfiltrate CI secrets, cloud credentials, SSH keys, and OIDC tokens to a C2 at [216.126.225.129]:8443. The targeted variant replaces existing workflows with workflow_dispatch triggers and id-token: write permissions, creating dormant backdoors that produce no visible CI runs and can be fired on demand once an attacker obtains a GITHUB_TOKEN, with the compromise cascading to npm via poisoned publishes of @tiledesk/tiledesk-server 2.18.6 through 2.18.12. Defenders should revert any May 18 commits from build-system@noreply.dev or ci-bot@automated.dev, audit workflow files, rotate all secrets exposed to Actions runners, and review cloud audit logs for OIDC token requests from unknown workflow runs.
</span>
</span>
</div>
</td></tr></tbody></table>
</td></tr></tbody></table>
<table align="center" bgcolor="" border="0" cellpadding="0" cellspacing="0" width="100%"><tbody><tr><td class="container" style="padding-top: 0px; padding-bottom: 0px;">
<div class="text-block">
<div style="text-align: center;"><span style="font-size: 36px;">🧠</span></div>
</div>
</td></tr></tbody></table>
<table align="center" bgcolor="" border="0" cellpadding="0" cellspacing="0" width="100%"><tbody><tr><td class="container" style="padding-top: 0px; padding-bottom: 0px;">
<div class="text-block">
<div style="text-align: center;">
<h1><strong>Strategies & Tactics</strong></h1>
</div>
</div>
</td></tr></tbody></table>
<table style="table-layout: fixed; width: 100%;" width="100%"><tbody><tr><td style="padding:0;border-collapse:collapse;border-spacing:0;margin:0;" valign="top">
<table align="center" border="0" cellpadding="0" cellspacing="0" width="100%"><tbody><tr><td class="container" style="padding: 15px 15px;">
<div class="text-block">
<span>
<a href="https://tracking.tldrnewsletter.com/CL0/https:%2F%2Fneciudan.dev%2Fgithub-actions-poisoning%3Futm_source=tldrinfosec/1/0100019e4fcdf59c-41ec78ad-c0bf-42e6-b5e5-00bd7b87774e-000000/irCmdTMUsfn3S6AkvvajT6AUGvMQLBooWoI3VYl_5Bo=452">
<span>
<strong>GitHub Actions Cache Poisoning is eating open source (18 minute read)</strong>
</span>
</a>
<br>
<br>
<span style="font-family: 'Helvetica Neue', Helvetica, Arial, Verdana, sans-serif;">
GitHub Actions cache poisoning lets attackers write poisoned dependency caches that later run inside high-privilege publish workflows, as seen in the Angular, tj-actions, Cline, and TanStack incidents. Attackers either get a privileged workflow to write a malicious cache entry directly or evict and replace legitimate entries using tools like Cacheract. The recommendation is to audit everything related to pull requests, then disable or isolate caches in release jobs, pin actions to SHAs, gate workflow edits with CODEOWNERS, enforce non-SMS 2FA, enable install cooldowns, and treat AI agent configs as executable code. If a compromised package has already run, remove the gh-token-monitor watcher on Linux and macOS before rotating any credentials, then reimage the affected hosts and rotate all secrets those machines can access.
</span>
</span>
</div>
</td></tr></tbody></table>
<table align="center" border="0" cellpadding="0" cellspacing="0" width="100%"><tbody><tr><td class="container" style="padding: 15px 15px;">
<div class="text-block">
<span>
<a href="https://tracking.tldrnewsletter.com/CL0/https:%2F%2Fwww.netspi.com%2Fblog%2Ftechnical-blog%2Fhardware-and-embedded-systems-penetration-testing%2Femulating-and-exploiting-uefi%2F%3Futm_source=tldrinfosec/1/0100019e4fcdf59c-41ec78ad-c0bf-42e6-b5e5-00bd7b87774e-000000/8eU_DWTIju-0yF8KD4xes3qO-wZUrVq4y0FH-nlEMv8=452">
<span>
<strong>Emulating & Exploiting UEFI: Unveiling Vulnerabilities in Firmware Security (9 minute read)</strong>
</span>
</a>
<br>
<br>
<span style="font-family: 'Helvetica Neue', Helvetica, Arial, Verdana, sans-serif;">
NetSPI discovered a buffer over-read in a UEFI PngDecoderDxe module during a LogoFail audit: the decoder validates total allocation size against 0x7fffffff but never bounds-checks reads against actual compressed data, so spoofing the PNG IDAT chunk length to 0x90000000 causes the decompressor loop (mov al, byte ptr [r13+rcx] at RIP 0x104106) to read past the input buffer at 0x9000000 into adjacent pre-OS memory containing cryptographic keys and assembly code. NetSPI demonstrated the over-read using a Qiling harness with hooked AllocatePool/FreePool calls and 0x10000000-spaced heap regions to cleanly observe the UC_MEM_READ_UNMAPPED fault, with leaked data theoretically exfiltrable via HDMI/VGA capture of the boot display. Defenders should audit UEFI image parsers for missing read-side bounds checks, independent of allocation-size guards, and apply the Qiling harness technique to fuzz other firmware image-handling modules.
</span>
</span>
</div>
</td></tr></tbody></table>
<table align="center" border="0" cellpadding="0" cellspacing="0" width="100%"><tbody><tr><td class="container" style="padding: 15px 15px;">
<div class="text-block">
<span>
<a href="https://tracking.tldrnewsletter.com/CL0/https:%2F%2Fwww.derp.ca%2Fresearch%2Fcrystalx-go-rat%2F%3Futm_source=tldrinfosec/1/0100019e4fcdf59c-41ec78ad-c0bf-42e6-b5e5-00bd7b87774e-000000/w40JdGiVN3CoLKXUE3Um7frXOEKJkrcmnk7_N1D_QNk=452">
<span>
<strong>CrystalX: unpacking a Go RAT through three encrypted layers (11 minute read)</strong>
</span>
</a>
<br>
<br>
<span style="font-family: 'Helvetica Neue', Helvetica, Arial, Verdana, sans-serif;">
CrystalX, a MaaS RAT first reported by Kaspersky in March, hides a 6.9 MB Go payload inside a compact Windows loader using three sequential transforms: position-dependent XOR, ChaCha20, then raw DEFLATE, with the unpacked payload adding a fourth layer of AES-GCM encryption over all runtime strings. Once peeled, the RAT establishes a WebSocket C2 over TLS to crystalxrat[.]net, authenticating via a hardcoded builder token, and supports 40+ commands spanning remote desktop, webcam streaming, keylogging, credential theft from browsers and messaging apps (Discord, Telegram, and Steam), and destructive toggles including BSOD and display rotation. Defenders should hunt for the build-ID-seeded persistence artifacts (NvContainerTask_YBFZUW1U32, SecurityHealthSystray.exe under DeviceMetadataStore, Global\WinSecMutex_YBFZUW1U32) and apply the published YARA rule targeting the loader's ChaCha20 key and XOR transform pattern.
</span>
</span>
</div>
</td></tr></tbody></table>
</td></tr></tbody></table>
<table align="center" bgcolor="" border="0" cellpadding="0" cellspacing="0" width="100%"><tbody><tr><td class="container" style="padding-top: 0px; padding-bottom: 0px;">
<div class="text-block">
<div style="text-align: center;"><span style="font-size: 36px;">🧑‍💻</span></div>
</div>
</td></tr></tbody></table>
<table align="center" bgcolor="" border="0" cellpadding="0" cellspacing="0" width="100%"><tbody><tr><td class="container" style="padding-top: 0px; padding-bottom: 0px;">
<div class="text-block">
<div style="text-align: center;">
<h1><strong>Launches & Tools</strong></h1>
</div>
</div>
</td></tr></tbody></table>
<table style="table-layout: fixed; width: 100%;" width="100%"><tbody><tr><td style="padding:0;border-collapse:collapse;border-spacing:0;margin:0;" valign="top">
<table align="center" border="0" cellpadding="0" cellspacing="0" width="100%"><tbody><tr><td class="container" style="padding: 15px 15px;">
<div class="text-block">
<span>
<a href="https://tracking.tldrnewsletter.com/CL0/https:%2F%2Fgithub.com%2FMykytaStel%2Frepopilot%3Futm_source=tldrinfosec/1/0100019e4fcdf59c-41ec78ad-c0bf-42e6-b5e5-00bd7b87774e-000000/xWzH5yNPeBRk7FsHHANOR8GecBblVivDp5O40hvOpAg=452">
<span>
<strong>Repopilot (GitHub Repo)</strong>
</span>
</a>
<br>
<br>
<span style="font-family: 'Helvetica Neue', Helvetica, Arial, Verdana, sans-serif;">
Local-first CLI for repository audits, architecture risk detection, SARIF, CI gates, and AI-ready remediation context.
</span>
</span>
</div>
</td></tr></tbody></table>
<table align="center" border="0" cellpadding="0" cellspacing="0" width="100%"><tbody><tr><td class="container" style="padding: 15px 15px;">
<div class="text-block">
<span>
<a href="https://tracking.tldrnewsletter.com/CL0/https:%2F%2Fgithub.com%2Fgit-pkgs%2Fproxy%3Futm_source=tldrinfosec/1/0100019e4fcdf59c-41ec78ad-c0bf-42e6-b5e5-00bd7b87774e-000000/afU6gDDL-rur0IxMG4HHI5t4QXJiXmT0GPNEjllaZPQ=452">
<span>
<strong>git-pkgs proxy (GitHub Repo)</strong>
</span>
</a>
<br>
<br>
<span style="font-family: 'Helvetica Neue', Helvetica, Arial, Verdana, sans-serif;">
A caching proxy that sits in front of npm, PyPI, crates.io, RubyGems, and 20+ other registries, its standout feature being a configurable version cooldown that strips newly published versions from metadata responses until they age past a threshold, directly countering the speed-based supply chain attacks that consume malicious releases within minutes of publication. The cooldown resolves per-package, per-ecosystem, or globally, and pairs with an enrichment API that surfaces OSV vulnerability data, outdated-version checks, and license categorization, though cooldown only works for the 13 registries that expose publish timestamps and Hex support requires disabling signature verification.
</span>
</span>
</div>
</td></tr></tbody></table>
<table align="center" border="0" cellpadding="0" cellspacing="0" width="100%"><tbody><tr><td class="container" style="padding: 15px 15px;">
<div class="text-block">
<span>
<a href="https://tracking.tldrnewsletter.com/CL0/https:%2F%2Fgithub.com%2FC0axx%2FCanaryHunter%3Futm_source=tldrinfosec/1/0100019e4fcdf59c-41ec78ad-c0bf-42e6-b5e5-00bd7b87774e-000000/58tKoLmc2NCNrrWzgBZToZW69-lkakYkZoXGQ0LlDNU=452">
<span>
<strong>CanaryHunter (GitHub Repo)</strong>
</span>
</a>
<br>
<br>
<span style="font-family: 'Helvetica Neue', Helvetica, Arial, Verdana, sans-serif;">
A PowerShell module aimed at red teamers that scans an environment for Thinkst Canary tokens before they fire, detecting tokens embedded in Docx, Xlsx, and PDF files, Windows SilentProcessExit registry entries, and AWS, WireGuard, Kube, and MySQL dump configs by regex-matching known canarytokens.org domains and IP addresses. It also ships an Invoke-BlockCanaries function that creates an outbound firewall rule against known canary IPs, so operators should confirm that their engagement rules permit suppressing defender telemetry before using it.
</span>
</span>
</div>
</td></tr></tbody></table>
</td></tr></tbody></table>
<table align="center" bgcolor="" border="0" cellpadding="0" cellspacing="0" width="100%"><tbody><tr><td class="container" style="padding-top: 0px; padding-bottom: 0px;">
<div class="text-block">
<div style="text-align: center;"><h1><strong>Miscellaneous</strong></h1></div>
</div>
</td></tr></tbody></table>
<table bgcolor="" style="table-layout: fixed; width: 100%;" width="100%"><tbody><tr><td style="padding:0;border-collapse:collapse;border-spacing:0;margin:0;" valign="top">
<table align="center" border="0" cellpadding="0" cellspacing="0" width="100%"><tbody><tr><td class="container" style="padding: 15px 15px;">
<div class="text-block">
<span>
<a href="https://tracking.tldrnewsletter.com/CL0/https:%2F%2Flinks.tldrnewsletter.com%2F7BSK8y/1/0100019e4fcdf59c-41ec78ad-c0bf-42e6-b5e5-00bd7b87774e-000000/Wwom3epu1nRnb6VnZQbZB5xcye0Hz-UxjXY4o7VOsBA=452">
<span>
<strong>Apple Rejected 2 Million App Store Submissions in 2025 for Security and Fraud Prevention (2 minute read)</strong>
</span>
</a>
<br>
<br>
<span style="font-family: 'Helvetica Neue', Helvetica, Arial, Verdana, sans-serif;">
Apple reports rejecting over 2 million App Store submissions in 2025 and blocking 1.1 million fraudulent account creations, stopping more than 2.2 billion dollars in suspect transactions and over 5.4 million stolen credit cards. It deactivated 40.4 million user accounts, terminated 193,000 developer accounts, and blocked 28,000 pirated or malicious apps, using AI plus human review to spot bait-and-switch, hidden features, and cloned apps.
</span>
</span>
</div>
</td></tr></tbody></table>
<table align="center" border="0" cellpadding="0" cellspacing="0" width="100%"><tbody><tr><td class="container" style="padding: 15px 15px;">
<div class="text-block">
<span>
<a href="https://tracking.tldrnewsletter.com/CL0/https:%2F%2Flinks.tldrnewsletter.com%2FL1olu1/1/0100019e4fcdf59c-41ec78ad-c0bf-42e6-b5e5-00bd7b87774e-000000/d0m5kUElyy1N5T08T-hp7YcqmMVXxw7OMwKz8gUxUpA=452">
<span>
<strong>Cyber Pros Can't Decide If AI Is a Good or a Bad Thing (4 minute read)</strong>
</span>
</a>
<br>
<br>
<span style="font-family: 'Helvetica Neue', Helvetica, Arial, Verdana, sans-serif;">
ISC2 surveyed 16,029 security staff and found AI ranked both the biggest help and biggest risk for defense work, especially around phishing, deepfakes, and broader social engineering. Many teams already test or use AI in workflows and report faster analysis and higher productivity. Respondents expect more jobs, with low-value tasks offloaded and communication and decision skills gaining value.
</span>
</span>
</div>
</td></tr></tbody></table>
<table align="center" border="0" cellpadding="0" cellspacing="0" width="100%"><tbody><tr><td class="container" style="padding: 15px 15px;">
<div class="text-block">
<span>
<a href="https://tracking.tldrnewsletter.com/CL0/https:%2F%2Fkrebsonsecurity.com%2F2026%2F05%2Falleged-kimwolf-botmaster-dort-arrested-charged-in-u-s-and-canada%2F%3Futm_source=tldrinfosec/1/0100019e4fcdf59c-41ec78ad-c0bf-42e6-b5e5-00bd7b87774e-000000/V0nnqN-5bzukZhVoCfUdEWNNhzCVwh9VfXccM3vxTqY=452">
<span>
<strong>Alleged Kimwolf Botmaster 'Dort' Arrested, Charged in US and Canada (4 minute read)</strong>
</span>
</a>
<br>
<br>
<span style="font-family: 'Helvetica Neue', Helvetica, Arial, Verdana, sans-serif;">
Jacob Butler (a.k.a. "Dort"), 23, was arrested in Ottawa on a US extradition warrant for operating the Kimwolf IoT botnet, which targeted firewalled devices (photo frames and webcams) and issued 25,000+ attack commands, including DDoS strikes reaching 30 Tbps (record volume) and DoD targeting, causing $1M+ losses per victim. Butler also orchestrated swatting attacks against Synthient founder Ben Brundage in retaliation for disclosing the critical IoT vulnerability Kimwolf exploited. He faces 10 years in federal prison in the US and concurrent Canadian charges (unauthorized computer use and mischief to computer data). Law enforcement seized Kimwolf infrastructure on March 19 alongside three competing botnets (Aisuru, JackSkid, and Mossad) and in April seized domain names for nearly 50 DDoS-for-hire services, including at least one that collaborated with Kimwolf.
</span>
</span>
</div>
</td></tr></tbody></table>
</td></tr></tbody></table>
<table align="center" bgcolor="" border="0" cellpadding="0" cellspacing="0" width="100%"><tbody><tr><td class="container" style="padding-top: 0px; padding-bottom: 0px;">
<div class="text-block">
<div style="text-align: center;"><span style="font-size: 36px;">⚡</span></div></div>
</td></tr></tbody></table>
<table align="center" bgcolor="" border="0" cellpadding="0" cellspacing="0" width="100%"><tbody><tr><td class="container" style="padding-top: 0px; padding-bottom: 0px;">
<div class="text-block">
<div style="text-align: center;">
<h1><strong>Quick Links</strong></h1>
</div>
</div>
</td></tr></tbody></table>
<table bgcolor="" style="table-layout: fixed; width: 100%;" width="100%"><tbody><tr><td style="padding:0;border-collapse:collapse;border-spacing:0;margin:0;" valign="top">
<table align="center" border="0" cellpadding="0" cellspacing="0" width="100%"><tbody><tr><td class="container" style="padding: 15px 15px;">
<div class="text-block">
<span>
<a href="https://tracking.tldrnewsletter.com/CL0/https:%2F%2Flinks.tldrnewsletter.com%2FZ7kC8R/1/0100019e4fcdf59c-41ec78ad-c0bf-42e6-b5e5-00bd7b87774e-000000/KjvLAIcvoXR6isfRPxovnupy4RfS6xBahEHMIew2RDc=452">
<span>
<strong>Senator urges classified briefing after CISA data leak on GitHub (3 minute read)</strong>
</span>
</a>
<br>
<br>
<span style="font-family: 'Helvetica Neue', Helvetica, Arial, Verdana, sans-serif;">
Sen. Maggie Hassan called for a classified briefing after a Nightwing contractor employee accidentally uploaded 844MB of CISA data to a public GitHub repo on May 14, exposing plain-text passwords, AWS tokens, and Entra ID SAML certificates.
</span>
</span>
</div>
</td></tr></tbody></table>
<table align="center" border="0" cellpadding="0" cellspacing="0" width="100%"><tbody><tr><td class="container" style="padding: 15px 15px;">
<div class="text-block">
<span>
<a href="https://tracking.tldrnewsletter.com/CL0/https:%2F%2Flinks.tldrnewsletter.com%2FUpEL4j/1/0100019e4fcdf59c-41ec78ad-c0bf-42e6-b5e5-00bd7b87774e-000000/zyl5LQ3NyPGJqoWYdQJQOMng-nyqqpaKoJMHMDZ-LSw=452">
<span>
<strong>Flipper One project needs community help to build open Linux platform (3 minute read)</strong>
</span>
</a>
<br>
<br>
<span style="font-family: 'Helvetica Neue', Helvetica, Arial, Verdana, sans-serif;">
Flipper Devices has opened development of Flipper One, a modular ARM Linux platform pairing a Rockchip RK3576 SoC (8GB RAM, 6 TOPS NPU) with an RP2350 MCU and supporting M.2, PCIe, USB 3.1, SDR, and 5G/satellite expansion, to community contributors.
</span>
</span>
</div>
</td></tr></tbody></table>
<table align="center" border="0" cellpadding="0" cellspacing="0" width="100%"><tbody><tr><td class="container" style="padding: 15px 15px;">
<div class="text-block">
<span>
<a href="https://tracking.tldrnewsletter.com/CL0/https:%2F%2Flinks.tldrnewsletter.com%2FeT0E3h/1/0100019e4fcdf59c-41ec78ad-c0bf-42e6-b5e5-00bd7b87774e-000000/JPXHRHnauk0uhmdA0r7Ketml7_Rw6Wb6J_BGbO38nPA=452">
<span>
<strong>Google's Surge in Chrome Vulnerability Discoveries Likely Driven by AI (2 minute read)</strong>
</span>
</a>
<br>
<br>
<span style="font-family: 'Helvetica Neue', Helvetica, Arial, Verdana, sans-serif;">
Chrome vulnerabilities reported by Google jumped from a handful in late March to 16 on April 15, 21 on April 28, and 100 in the May 5 advisory.
</span>
</span>
</div>
</td></tr></tbody></table>
</td></tr></tbody></table>
<table align="center" bgcolor="" border="0" cellpadding="0" cellspacing="0" width="100%"><tbody><tr><td align="left" style="word-break: break-word; vertical-align: top; padding: 5px 10px;">
<div class="text-block">
If you have any comments or feedback, just respond to this email!
<br>
<br> Thanks for reading,
<br>
<a href="https://tracking.tldrnewsletter.com/CL0/https:%2F%2Fwww.linkedin.com%2Fin%2Fprasannagautam%2F/1/0100019e4fcdf59c-41ec78ad-c0bf-42e6-b5e5-00bd7b87774e-000000/LtQs_aq3QCvu-ilqCAGROaM6nUyf9_26MKBwZPaBnZc=452"><span>Prasanna Gautam</span></a>, <a href="https://tracking.tldrnewsletter.com/CL0/https:%2F%2Fwww.linkedin.com%2Fin%2Fericfernandezdelcampo%2F/1/0100019e4fcdf59c-41ec78ad-c0bf-42e6-b5e5-00bd7b87774e-000000/Ohh3YFiAaTaDG1OmdLjybX6Zmt7N0OHIXYYNhu9bAkM=452"><span>Eric Fernandez</span></a> & <a href="https://tracking.tldrnewsletter.com/CL0/https:%2F%2Fwww.linkedin.com%2Fin%2Fsammy-tbeile%2F/1/0100019e4fcdf59c-41ec78ad-c0bf-42e6-b5e5-00bd7b87774e-000000/G8c2Vhjs3wO-DNJOWN64t2cTcjwuYHumvVA9OsXAAkE=452"><span>Sammy Tbeile</span></a>
<br>
<br>
</div>
<br>
</td></tr></tbody></table>
</td></tr></tbody></table>
</td></tr></tbody></table>
</td></tr></tbody></table>
</td></tr></tbody></table>
</body></html>