<!DOCTYPE html><html lang="en"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><meta charset="UTF-8"><meta name="viewport" content="width=device-width"><meta name="x-apple-disable-message-reformatting"><title>TLDR InfoSec</title><meta name="color-scheme" content="light dark"><meta name="supported-color-schemes" content="light dark"><style type="text/css">
:root {
color-scheme: light dark; supported-color-schemes: light dark;
}
*,
*:after,
*:before {
-webkit-box-sizing: border-box; -moz-box-sizing: border-box; box-sizing: border-box;
}
* {
-ms-text-size-adjust: 100%; -webkit-text-size-adjust: 100%;
}
html,
body,
.document {
width: 100% !important; height: 100% !important; margin: 0; padding: 0;
}
body {
-webkit-font-smoothing: antialiased; -moz-osx-font-smoothing: grayscale; text-rendering: optimizeLegibility;
}
div[style*="margin: 16px 0"] {
margin: 0 !important;
}
table,
td {
mso-table-lspace: 0pt; mso-table-rspace: 0pt;
}
table {
border-spacing: 0; border-collapse: collapse; table-layout: fixed; margin: 0 auto;
}
img {
-ms-interpolation-mode: bicubic; max-width: 100%; border: 0;
}
*[x-apple-data-detectors] {
color: inherit !important; text-decoration: none !important;
}
.x-gmail-data-detectors,
.x-gmail-data-detectors *,
.aBn {
border-bottom: 0 !important; cursor: default !important;
}
.btn {
-webkit-transition: all 200ms ease; transition: all 200ms ease;
}
.btn:hover {
background-color: #f67575; border-color: #f67575;
}
* {
font-family: Arial, Helvetica, sans-serif; font-size: 18px;
}
@media screen and (max-width: 600px) {
.container {
width: 100%; margin: auto;
}
.stack {
display: block!important; width: 100%!important; max-width: 100%!important;
}
.btn {
display: block; width: 100%; text-align: center;
}
}
body,
p,
td,
tr,
.body,
table,
h1,
h2,
h3,
h4,
h5,
h6,
div,
span {
background-color: #FEFEFE !important; color: #010101 !important;
}
@media (prefers-color-scheme: dark) {
body,
p,
td,
tr,
.body,
table,
h1,
h2,
h3,
h4,
h5,
h6,
div,
span {
background-color: #27292D !important; color: #FEFEFE !important;
}
}
a {
color: inherit !important; text-decoration: underline !important;
}
</style><!--[if mso | ie]>
<style type="text/css">
a {
background-color: #FEFEFE !important; color: #010101 !important;
}
@media (prefers-color-scheme: dark) {
a {
background-color: #27292D !important; color: #FEFEFE !important;
}
}
</style>
<![endif]--></head><body class="">
<table align="center" class="document"><tbody><tr><td valign="top">
<table align="center" border="0" cellpadding="0" cellspacing="0" class="container" width="600"><tbody><tr class="inner-body"><td>
<table align="center" border="0" cellpadding="0" cellspacing="0" width="100%"><tbody><tr class="header"><td bgcolor="" class="container">
<table width="100%"><tbody><tr><td class="container">
<table align="center" bgcolor="" border="0" cellpadding="0" cellspacing="0" style="margin-top: 0px;" width="100%"><tbody><tr><td style="padding: 0px;">
<table align="center" bgcolor="" border="0" cellpadding="0" cellspacing="0" width="100%"><tbody><tr><td class="container" style="text-align: center;"><span data-darkreader-inline-color="" style="--darkreader-inline-color:#3db3ff; color: rgb(51, 175, 255) !important; font-size: 30px;">T</span><span style="font-size: 30px;"><span data-darkreader-inline-color="" style="color: rgb(232, 192, 96) !important; --darkreader-inline-color:#e8c163; font-size:30px;">L</span><span data-darkreader-inline-color="" style="color: rgb(101, 195, 173) !important; --darkreader-inline-color:#6ec7b2; font-size:30px;">D</span></span><span data-darkreader-inline-color="" style="--darkreader-inline-color:#dd6e6e; color: rgb(220, 107, 107) !important; font-size: 30px;">R</span>
<br>
</td></tr></tbody></table>
<br>
<table align="center" bgcolor="" border="0" cellpadding="0" cellspacing="0" width="100%"><tbody></tbody></table>
<table style="table-layout: fixed; width:100%;" width="100%"><tbody><tr><td style="padding:0;border-collapse:collapse;border-spacing:0;margin:0;">
<div style="text-align: center;">
<h1><strong>TLDR Information Security <span id="date">2026-05-25</span></strong></h1>
</div>
</td></tr></tbody></table>
<table style="table-layout: fixed; width:100%;" width="100%"><tbody></tbody></table>
</td></tr></tbody></table>
</td></tr></tbody></table>
</td></tr>
<tr bgcolor=""><td class="container">
<table align="center" bgcolor="" border="0" cellpadding="0" cellspacing="0" width="100%"><tbody><tr><td style="padding: 0px;">
<table align="center" bgcolor="" border="0" cellpadding="0" cellspacing="0" width="100%"><tbody><tr><td class="container" style="padding-top: 0px; padding-bottom: 0px;">
<div class="text-block">
<div style="text-align: center;">
<h1><strong>Attacks & Vulnerabilities</strong></h1>
</div>
</div>
</td></tr></tbody></table>
<table style="table-layout: fixed; width: 100%;" width="100%"><tbody><tr><td style="padding:0;border-collapse:collapse;border-spacing:0;margin:0;" valign="top">
<table align="center" border="0" cellpadding="0" cellspacing="0" width="100%"><tbody><tr><td class="container" style="padding: 15px 15px;">
<div class="text-block">
<span>
<a href="https://tracking.tldrnewsletter.com/CL0/https:%2F%2Fgbhackers.com%2Flitespeed-cpanel-plugin-0-day-exploited%2F%3Futm_source=tldrinfosec/1/0100019e5f3ecebc-74184aba-beb3-4a75-90e4-dba909603181-000000/jODZdtQaEihrLKwseZQUWaWfHuKbCKr56SReiYnJWuo=452">
<span>
<strong>LiteSpeed cPanel Plugin 0-Day Exploited for Server Root Access (2 minute read)</strong>
</span>
</a>
<br>
<br>
<span style="font-family: 'Helvetica Neue', Helvetica, Arial, Verdana, sans-serif;">
A logic flaw in the LiteSpeed User-End cPanel plugin's lsws.redisAble JSON-API endpoint, tracked as CVE-2026-48172 (CVSS 10.0), allows any authenticated cPanel user to escalate to root with a single malformed API call, with no race condition or auth gap to exploit. The flaw is under active exploitation and especially dangerous on shared hosting, where every tenant already holds a valid cPanel session, enabling full system compromise, data exfiltration, and lateral movement. cPanel forced a fleet-wide uninstall five hours ahead of its scheduled TSR window. Administrators should upgrade to LiteSpeed WHM Plugin v5.3.1.0 (bundled with cPanel Plugin v2.4.7), grep /var/cpanel/logs and /usr/local/cpanel/logs/ for cpanel_jsonapi_func=redisAble, and treat any host with matching output as compromised by rotating all credentials and auditing cron jobs and authorized_keys.
</span>
</span>
</div>
</td></tr></tbody></table>
<table align="center" border="0" cellpadding="0" cellspacing="0" width="100%"><tbody><tr><td class="container" style="padding: 15px 15px;">
<div class="text-block">
<span>
<a href="https://tracking.tldrnewsletter.com/CL0/https:%2F%2Fwww.csoonline.com%2Farticle%2F4176504%2Fgoogle-leaks-details-for-chromium-bug-that-can-turn-browsers-into-bots.html%3Futm_source=tldrinfosec/1/0100019e5f3ecebc-74184aba-beb3-4a75-90e4-dba909603181-000000/Mf32Snd3yLoIow174_zfQ-ZSuRKariZhZiiyVbITSo0=452">
<span>
<strong>Google leaks details for Chromium bug that can turn browsers into bots (2 minute read)</strong>
</span>
</a>
<br>
<br>
<span style="font-family: 'Helvetica Neue', Helvetica, Arial, Verdana, sans-serif;">
A flaw in Chromium, reported over three years ago by researcher Lyra Rebane, allows malicious sites to keep a Service Worker alive indefinitely by repeatedly creating and aborting Background Fetch downloads every 20 seconds, remaining hidden in the browser and persisting across restarts. While UI symptoms were patched in January 2023, the core issue of lifespan abuse remains because fixing it requires a hard service-worker time limit in the API spec. Administrators should monitor for unusual outbound requests and resource use from idle tabs.
</span>
</span>
</div>
</td></tr></tbody></table>
<table align="center" border="0" cellpadding="0" cellspacing="0" width="100%"><tbody><tr><td class="container" style="padding: 15px 15px;">
<div class="text-block">
<span>
<a href="https://tracking.tldrnewsletter.com/CL0/https:%2F%2Flinks.tldrnewsletter.com%2Fi2w0sF/1/0100019e5f3ecebc-74184aba-beb3-4a75-90e4-dba909603181-000000/Mla1-lmzZ36zspdGCyD8QG9Ryz8HSbpLN1PrPeZ2V5Y=452">
<span>
<strong>'Underminr' Vulnerability Lets Attackers Hide Malicious Connections Behind Trusted Domains (2 minute read)</strong>
</span>
</a>
<br>
<br>
<span style="font-family: 'Helvetica Neue', Helvetica, Arial, Verdana, sans-serif;">
Underminr abuses shared CDN infrastructure to send HTTPS traffic to one tenant's IP while presenting the SNI and Host of another domain, breaking assumptions used by DNS filtering and PDNS controls. Attackers can hide C2, VPN, and proxy traffic over TCP 443 and have already used the technique against large hosting providers. Roughly 88 million domains may be exposed, with US, UK, and Canadian infrastructure most at risk.
</span>
</span>
</div>
</td></tr></tbody></table>
</td></tr></tbody></table>
<table align="center" bgcolor="" border="0" cellpadding="0" cellspacing="0" width="100%"><tbody><tr><td class="container" style="padding-top: 0px; padding-bottom: 0px;">
<div class="text-block">
<div style="text-align: center;"><span style="font-size: 36px;">🧠</span></div>
</div>
</td></tr></tbody></table>
<table align="center" bgcolor="" border="0" cellpadding="0" cellspacing="0" width="100%"><tbody><tr><td class="container" style="padding-top: 0px; padding-bottom: 0px;">
<div class="text-block">
<div style="text-align: center;">
<h1><strong>Strategies & Tactics</strong></h1>
</div>
</div>
</td></tr></tbody></table>
<table style="table-layout: fixed; width: 100%;" width="100%"><tbody><tr><td style="padding:0;border-collapse:collapse;border-spacing:0;margin:0;" valign="top">
<table align="center" border="0" cellpadding="0" cellspacing="0" width="100%"><tbody><tr><td class="container" style="padding: 15px 15px;">
<div class="text-block">
<span>
<a href="https://tracking.tldrnewsletter.com/CL0/https:%2F%2Flinks.tldrnewsletter.com%2FGfnSxA/1/0100019e5f3ecebc-74184aba-beb3-4a75-90e4-dba909603181-000000/z-pRhtASGoZPbT1Whh3Xd0cgkg8ClL6AZ_nr-ZIMQ9o=452">
<span>
<strong>Malicious Postinstall Hook Found Across 700+ GitHub Repositories, Including Packagist and Node.js Projects (6 minute read)</strong>
</span>
</a>
<br>
<br>
<span style="font-family: 'Helvetica Neue', Helvetica, Arial, Verdana, sans-serif;">
A coordinated campaign tied to the parikhpreyash4 GitHub account inserted an identical package.json postinstall hook into upstream repositories. The hook uses curl -skL to download a binary named gvfsd-network with TLS verification disabled, drops it to /tmp/.sshd to mimic an SSH daemon, and runs it backgrounded with errors suppressed. The payload landed in package.json rather than composer.json to evade PHP defenders reviewing only Composer metadata. It was confirmed across eight branch-tracking Packagist packages (notably the ~6,400-star devdojo/wave and devdojo/genesis starter kits, where the hook fires at project root) and was also planted in GitHub Actions workflow files as a step named Dependency Cache Sync to hit CI/CD paths. Defenders should inspect bundled package.json lifecycle scripts in branch-tracking Composer dependencies, pin artifacts to observed commit states rather than mutable dev-* labels, and hunt for the parikhpreyash4 payload URL, the /tmp/.sshd drop path, and curl -skL command fragments.
</span>
</span>
</div>
</td></tr></tbody></table>
<table align="center" border="0" cellpadding="0" cellspacing="0" width="100%"><tbody><tr><td class="container" style="padding: 15px 15px;">
<div class="text-block">
<span>
<a href="https://tracking.tldrnewsletter.com/CL0/https:%2F%2Fironpeak.be%2Fblog%2Fbypassing-apple-mie%2F%3Futm_source=tldrinfosec/1/0100019e5f3ecebc-74184aba-beb3-4a75-90e4-dba909603181-000000/QmCzHOCVqpTuJpC9-l-Wu2yqZZA7d0b8hU-8tKK0G34=452">
<span>
<strong>Pardon MIE? (4 minute read)</strong>
</span>
</a>
<br>
<br>
<span style="font-family: 'Helvetica Neue', Helvetica, Arial, Verdana, sans-serif;">
A three-person team at Calif, working with Anthropic's restricted Mythos Preview model, produced the first public macOS kernel exploit defeating Apple's Memory Integrity Enforcement on M5 silicon in just five days, chaining CVE-2026-28952 with an info leak to reach a root shell. The root cause was an integer overflow in the bounds check of _zalloc_ro_mut, the single trusted writer for read-only kernel zones, which let attacker-controlled bytes spill across slot boundaries and flip a victim process's cr_uid to zero without ever corrupting a pointer, tag, or page table. The episode reframes hardware memory tagging as a shift rather than a fix, since it pushes exploitation onto the small set of privileged writers whose argument validation now becomes the highest-value attack surface, with more bypasses of this exact shape expected as the curve from bug to working exploit collapses to days.
</span>
</span>
</div>
</td></tr></tbody></table>
<table align="center" border="0" cellpadding="0" cellspacing="0" width="100%"><tbody><tr><td class="container" style="padding: 15px 15px;">
<div class="text-block">
<span>
<a href="https://tracking.tldrnewsletter.com/CL0/https:%2F%2Fwww.anthropic.com%2Fresearch%2Fglasswing-initial-update%3Futm_source=tldrinfosec/1/0100019e5f3ecebc-74184aba-beb3-4a75-90e4-dba909603181-000000/NvKm1fgBZSQvgVhMjp6DoW44Uy88jjKOK7W7EVbt_l4=452">
<span>
<strong>Project Glasswing: An initial update (9 minute read)</strong>
</span>
</a>
<br>
<br>
<span style="font-family: 'Helvetica Neue', Helvetica, Arial, Verdana, sans-serif;">
Anthropic's Project Glasswing has worked with about 50 partners using Claude Mythos Preview to uncover over ten thousand high- and critical-severity vulnerabilities in critical software, including thousands across more than 1,000 open-source projects, with true-positive rates above 90% for vetted high-risk findings. Partners like Cloudflare, Mozilla, Palo Alto Networks, Microsoft, Oracle, and major banks are using these capabilities to harden core systems, accelerate patching, and even catch live fraud.
</span>
</span>
</div>
</td></tr></tbody></table>
</td></tr></tbody></table>
<table align="center" bgcolor="" border="0" cellpadding="0" cellspacing="0" width="100%"><tbody><tr><td class="container" style="padding-top: 0px; padding-bottom: 0px;">
<div class="text-block">
<div style="text-align: center;"><span style="font-size: 36px;">🧑‍💻</span></div>
</div>
</td></tr></tbody></table>
<table align="center" bgcolor="" border="0" cellpadding="0" cellspacing="0" width="100%"><tbody><tr><td class="container" style="padding-top: 0px; padding-bottom: 0px;">
<div class="text-block">
<div style="text-align: center;">
<h1><strong>Launches & Tools</strong></h1>
</div>
</div>
</td></tr></tbody></table>
<table style="table-layout: fixed; width: 100%;" width="100%"><tbody><tr><td style="padding:0;border-collapse:collapse;border-spacing:0;margin:0;" valign="top">
<table align="center" border="0" cellpadding="0" cellspacing="0" width="100%"><tbody><tr><td class="container" style="padding: 15px 15px;">
<div class="text-block">
<span>
<a href="https://tracking.tldrnewsletter.com/CL0/https:%2F%2Fgithub.com%2Fsfr-development%2FWonderSuite-Ai-Bug-Bounty%3Futm_source=tldrinfosec/1/0100019e5f3ecebc-74184aba-beb3-4a75-90e4-dba909603181-000000/ilGy6TSVR6zaBSSNyRwB3iXEt0d-_b_mk7VCmHu6c18=452">
<span>
<strong>WonderSuite AI Bug Bounty (GitHub Repo)</strong>
</span>
</a>
<br>
<br>
<span style="font-family: 'Helvetica Neue', Helvetica, Arial, Verdana, sans-serif;">
WonderSuite is a desktop-native offensive security engine that combines Burp Suite-class tooling with autonomous AI agent capabilities. It provides a fully integrated environment for web application security testing, network reconnaissance, and exploit development, all orchestrated through an MCP-compatible AI interface.
</span>
</span>
</div>
</td></tr></tbody></table>
<table align="center" border="0" cellpadding="0" cellspacing="0" width="100%"><tbody><tr><td class="container" style="padding: 15px 15px;">
<div class="text-block">
<span>
<a href="https://tracking.tldrnewsletter.com/CL0/https:%2F%2Fgithub.blog%2Fchangelog%2F2026-05-22-staged-publishing-and-new-install-time-controls-for-npm%2F%3Futm_source=tldrinfosec/1/0100019e5f3ecebc-74184aba-beb3-4a75-90e4-dba909603181-000000/7PBUd6Tz6_ndnxZrIGn7GWFJ2Yq-2ItIRUNPiVlWVNk=452">
<span>
<strong>Staged publishing and new install-time controls for npm (2 minute read)</strong>
</span>
</a>
<br>
<br>
<span style="font-family: 'Helvetica Neue', Helvetica, Arial, Verdana, sans-serif;">
GitHub is adding staged publishing to npm, so maintainers must pass 2FA and explicitly approve a prebuilt tarball before a new package version becomes installable, including from CI/CD and OIDC-based trusted publishing. npm CLI 11.15.0 introduces the npm stage publish flow, plus new --allow-file, --allow-remote, and --allow-directory flags, so teams can allowlist non-registry install sources and reduce exposure to supply chain abuse seen in recent TeamPCP package-poisoning campaigns.
</span>
</span>
</div>
</td></tr></tbody></table>
<table align="center" border="0" cellpadding="0" cellspacing="0" width="100%"><tbody><tr><td class="container" style="padding: 15px 15px;">
<div class="text-block">
<span>
<a href="https://tracking.tldrnewsletter.com/CL0/https:%2F%2Fgithub.com%2Fgoogle%2Fax%3Futm_source=tldrinfosec/1/0100019e5f3ecebc-74184aba-beb3-4a75-90e4-dba909603181-000000/9-Xs3UzsFd_aJFTgIc5z5Ey3Y1PAIEN7CX_1vn8bgMQ=452">
<span>
<strong>Agent Executor (GitHub Repo)</strong>
</span>
</a>
<br>
<br>
<span style="font-family: 'Helvetica Neue', Helvetica, Arial, Verdana, sans-serif;">
Agent Executor (AX) is Google's distributed agent runtime. It provides a runtime that coordinates agentic loops, manages executions with event logging, and communicates with both local and remote actors.
</span>
</span>
</div>
</td></tr></tbody></table>
</td></tr></tbody></table>
<table align="center" bgcolor="" border="0" cellpadding="0" cellspacing="0" width="100%"><tbody><tr><td class="container" style="padding-top: 0px; padding-bottom: 0px;">
<div class="text-block">
<div style="text-align: center;"><h1><strong>Miscellaneous</strong></h1></div>
</div>
</td></tr></tbody></table>
<table bgcolor="" style="table-layout: fixed; width: 100%;" width="100%"><tbody><tr><td style="padding:0;border-collapse:collapse;border-spacing:0;margin:0;" valign="top">
<table align="center" border="0" cellpadding="0" cellspacing="0" width="100%"><tbody><tr><td class="container" style="padding: 15px 15px;">
<div class="text-block">
<span>
<a href="https://tracking.tldrnewsletter.com/CL0/https:%2F%2Fcyberinsider.com%2Fcharter-communications-confirms-data-breach-as-hackers-threaten-leak-of-42-million-records%2F%3Futm_source=tldrinfosec/1/0100019e5f3ecebc-74184aba-beb3-4a75-90e4-dba909603181-000000/CgZdgDZM749ayHDn5T2AStvCjlEhiEq-q74zpxzHoec=452">
<span>
<strong>Charter Communications confirms data breach as hackers threaten leak of 42 million records (2 minute read)</strong>
</span>
</a>
<br>
<br>
<span style="font-family: 'Helvetica Neue', Helvetica, Arial, Verdana, sans-serif;">
Charter Communications confirmed a cybersecurity incident after ShinyHunters added the Spectrum-brand telecom to its leak site, claiming over 42 million PII records and threatening to publish unless negotiations open before May 27. Charter disputes the scope, stating no sensitive PI or customer proprietary network information (CPNI) was exfiltrated, while declining to disclose the intrusion vector or affected-customer count, leaving the attacker's unverified claims and the company's narrow denial in direct tension. The incident fits ShinyHunters' broader Salesforce-focused extortion campaign that has hit hundreds of organizations via exposed cloud credentials and misconfigured SaaS integrations, a pattern that reframes individual breach headlines as downstream symptoms of a single sprawling operation against enterprise cloud environments.
</span>
</span>
</div>
</td></tr></tbody></table>
<table align="center" border="0" cellpadding="0" cellspacing="0" width="100%"><tbody><tr><td class="container" style="padding: 15px 15px;">
<div class="text-block">
<span>
<a href="https://tracking.tldrnewsletter.com/CL0/https:%2F%2Fwww.theregister.com%2Fdevops%2F2026%2F05%2F21%2Fthreat-hunters-find-google-api-keys-still-usable-23-minutes-after-deletion%2F5244504%3Futm_source=tldrinfosec/1/0100019e5f3ecebc-74184aba-beb3-4a75-90e4-dba909603181-000000/vw1ufZwJcHomlnq3GwCiTBcLO_EoO66rjBHnYSRfwSU=452">
<span>
<strong>Threat hunters find Google API keys still usable 23 minutes after deletion (4 minute read)</strong>
</span>
</a>
<br>
<br>
<span style="font-family: 'Helvetica Neue', Helvetica, Arial, Verdana, sans-serif;">
Aikido researchers found deleted Google API keys remain usable for up to 23 minutes, with success rates fluctuating as requests hit lagging servers. Attackers can run high-volume calls, rack up large Gemini compute bills, and pull uploaded files and cached context during that window. Tests across regions showed similar behavior for other GCP APIs. Google labeled the revocation delay "working as intended" and will not fix it.
</span>
</span>
</div>
</td></tr></tbody></table>
<table align="center" border="0" cellpadding="0" cellspacing="0" width="100%"><tbody><tr><td class="container" style="padding: 15px 15px;">
<div class="text-block">
<span>
<a href="https://tracking.tldrnewsletter.com/CL0/https:%2F%2Fthehackernews.com%2F2026%2F05%2Ffirst-vpn-dismantled-in-global-takedown.html%3Futm_source=tldrinfosec/1/0100019e5f3ecebc-74184aba-beb3-4a75-90e4-dba909603181-000000/28ENdKQ6GSw3vHzHBLDmvWXjWA3zDdXZj8MXDmuJiHc=452">
<span>
<strong>First VPN Dismantled in Global Takedown Over Use by 25 Ransomware Groups (3 minute read)</strong>
</span>
</a>
<br>
<br>
<span style="font-family: 'Helvetica Neue', Helvetica, Arial, Verdana, sans-serif;">
Authorities from Europe and North America shut down First VPN after a joint probe dating back to 2021, seizing 33 servers and related domains tied to ransomware, fraud, and data theft. Investigators identified at least 25 ransomware groups using the service, which took anonymous payments in crypto and e-money. The FBI listed 32 exit nodes in 27 countries and detailed supported protocols like OpenConnect, WireGuard, and VLESS with Reality obfuscation.
</span>
</span>
</div>
</td></tr></tbody></table>
</td></tr></tbody></table>
<table align="center" bgcolor="" border="0" cellpadding="0" cellspacing="0" width="100%"><tbody><tr><td class="container" style="padding-top: 0px; padding-bottom: 0px;">
<div class="text-block">
<div style="text-align: center;"><span style="font-size: 36px;">⚡</span></div></div>
</td></tr></tbody></table>
<table align="center" bgcolor="" border="0" cellpadding="0" cellspacing="0" width="100%"><tbody><tr><td class="container" style="padding-top: 0px; padding-bottom: 0px;">
<div class="text-block">
<div style="text-align: center;">
<h1><strong>Quick Links</strong></h1>
</div>
</div>
</td></tr></tbody></table>
<table bgcolor="" style="table-layout: fixed; width: 100%;" width="100%"><tbody><tr><td style="padding:0;border-collapse:collapse;border-spacing:0;margin:0;" valign="top">
<table align="center" border="0" cellpadding="0" cellspacing="0" width="100%"><tbody><tr><td class="container" style="padding: 15px 15px;">
<div class="text-block">
<span>
<a href="https://tracking.tldrnewsletter.com/CL0/https:%2F%2Fblog.checkpoint.com%2Fresearch%2Fai-attacks-are-no-longer-experimental-key-findings-from-the-march-april-2026-ai-threat-landscape%2F%3Futm_source=tldrinfosec/1/0100019e5f3ecebc-74184aba-beb3-4a75-90e4-dba909603181-000000/_-I0WZ17o9tUiEgQJFHD7A_E7U-Ny6euzegqucYpvhw=452">
<span>
<strong>AI Attacks Are No Longer Experimental: Key Findings from the March-April 2026 AI Threat Landscape (3 minute read)</strong>
</span>
</a>
<br>
<br>
<span style="font-family: 'Helvetica Neue', Helvetica, Arial, Verdana, sans-serif;">
Check Point Research's March-April 2026 Threat Landscape Digest documents AI's shift from experimental to routine criminal use.
</span>
</span>
</div>
</td></tr></tbody></table>
<table align="center" border="0" cellpadding="0" cellspacing="0" width="100%"><tbody><tr><td class="container" style="padding: 15px 15px;">
<div class="text-block">
<span>
<a href="https://tracking.tldrnewsletter.com/CL0/https:%2F%2Fgbhackers.com%2Fseo-poisoning-gemini-cli-claude-installers%2F%3Futm_source=tldrinfosec/1/0100019e5f3ecebc-74184aba-beb3-4a75-90e4-dba909603181-000000/hxaTREno3VYBB_Kjp6-xjeZL6W3gBb1m-z0Ny3pB1-E=452">
<span>
<strong>Hackers Use SEO Poisoning to Fake Gemini CLI, Claude Installers (3 minute read)</strong>
</span>
</a>
<br>
<br>
<span style="font-family: 'Helvetica Neue', Helvetica, Arial, Verdana, sans-serif;">
EclecticIQ uncovered a financially motivated campaign that uses SEO poisoning and Google Ads (the latter tracked separately as InstallFix) to push typosquatted Gemini CLI and Claude Code installers serving a fileless PowerShell infostealer.
</span>
</span>
</div>
</td></tr></tbody></table>
<table align="center" border="0" cellpadding="0" cellspacing="0" width="100%"><tbody><tr><td class="container" style="padding: 15px 15px;">
<div class="text-block">
<span>
<a href="https://tracking.tldrnewsletter.com/CL0/https:%2F%2Fhackread.com%2Ffbi-kali365-phishing-service-microsoft-365-account%2F%3Futm_source=tldrinfosec/1/0100019e5f3ecebc-74184aba-beb3-4a75-90e4-dba909603181-000000/PsAOlaOnX6dJ8AKh174iG3253-PYEGlL91O79NbWWpM=452">
<span>
<strong>FBI Warns of Kali365 Phishing Service Targeting Microsoft 365 Account (2 minute read)</strong>
</span>
</a>
<br>
<br>
<span style="font-family: 'Helvetica Neue', Helvetica, Arial, Verdana, sans-serif;">
Kali365 is a Telegram-sold Phishing-as-a-Service platform first detected in April that uses device code phishing with lures like "SharePoint – Document Shared" to steal Microsoft 365 OAuth access and refresh tokens.
</span>
</span>
</div>
</td></tr></tbody></table>
</td></tr></tbody></table>
<table align="center" bgcolor="" border="0" cellpadding="0" cellspacing="0" width="100%"><tbody><tr><td align="left" style="word-break: break-word; vertical-align: top; padding: 5px 10px;">
<div class="text-block">
If you have any comments or feedback, just respond to this email!
<br>
<br> Thanks for reading,
<br>
<a href="https://tracking.tldrnewsletter.com/CL0/https:%2F%2Fwww.linkedin.com%2Fin%2Fprasannagautam%2F/1/0100019e5f3ecebc-74184aba-beb3-4a75-90e4-dba909603181-000000/grNs1GYAy6MZWnQqjFvIuVzt2JsaFS2spw3T1TpYpS4=452"><span>Prasanna Gautam</span></a>, <a href="https://tracking.tldrnewsletter.com/CL0/https:%2F%2Fwww.linkedin.com%2Fin%2Fericfernandezdelcampo%2F/1/0100019e5f3ecebc-74184aba-beb3-4a75-90e4-dba909603181-000000/3dmZK1wNgCq3G-T8s_6S03PwYSBzQlOWU2lZMS4KZfA=452"><span>Eric Fernandez</span></a> & <a href="https://tracking.tldrnewsletter.com/CL0/https:%2F%2Fwww.linkedin.com%2Fin%2Fsammy-tbeile%2F/1/0100019e5f3ecebc-74184aba-beb3-4a75-90e4-dba909603181-000000/3RrDiSDSInh-VAht_0Pjo8Jq6cLrr2z2Q0YbMVW0S8g=452"><span>Sammy Tbeile</span></a>
<br>
<br>
</div>
<br>
</td></tr></tbody></table>
</td></tr></tbody></table>
</td></tr></tbody></table>
</td></tr></tbody></table>
</td></tr></tbody></table>
</body></html>