<!DOCTYPE html><html lang="en"><head><meta http-equiv="Content-Type" content="text/html charset=UTF-8"><meta charset="UTF-8"><meta name="viewport" content="width=device-width"><meta name="x-apple-disable-message-reformatting"><title>TLDR InfoSec</title><meta name="color-scheme" content="light dark"><meta name="supported-color-schemes" content="light dark"><style type="text/css">
:root {
color-scheme: light dark; supported-color-schemes: light dark;
}
*,
*:after,
*:before {
-webkit-box-sizing: border-box; -moz-box-sizing: border-box; box-sizing: border-box;
}
* {
-ms-text-size-adjust: 100%; -webkit-text-size-adjust: 100%;
}
html,
body,
.document {
width: 100% !important; height: 100% !important; margin: 0; padding: 0;
}
body {
-webkit-font-smoothing: antialiased; -moz-osx-font-smoothing: grayscale; text-rendering: optimizeLegibility;
}
div[style*="margin: 16px 0"] {
margin: 0 !important;
}
table,
td {
mso-table-lspace: 0pt; mso-table-rspace: 0pt;
}
table {
border-spacing: 0; border-collapse: collapse; table-layout: fixed; margin: 0 auto;
}
img {
-ms-interpolation-mode: bicubic; max-width: 100%; border: 0;
}
*[x-apple-data-detectors] {
color: inherit !important; text-decoration: none !important;
}
.x-gmail-data-detectors,
.x-gmail-data-detectors *,
.aBn {
border-bottom: 0 !important; cursor: default !important;
}
.btn {
-webkit-transition: all 200ms ease; transition: all 200ms ease;
}
.btn:hover {
background-color: #f67575; border-color: #f67575;
}
* {
font-family: Arial, Helvetica, sans-serif; font-size: 18px;
}
@media screen and (max-width: 600px) {
.container {
width: 100%; margin: auto;
}
.stack {
display: block!important; width: 100%!important; max-width: 100%!important;
}
.btn {
display: block; width: 100%; text-align: center;
}
}
body,
p,
td,
tr,
.body,
table,
h1,
h2,
h3,
h4,
h5,
h6,
div,
span {
background-color: #FEFEFE !important; color: #010101 !important;
}
@media (prefers-color-scheme: dark) {
body,
p,
td,
tr,
.body,
table,
h1,
h2,
h3,
h4,
h5,
h6,
div,
span {
background-color: #27292D !important; color: #FEFEFE !important;
}
}
a {
color: inherit !important; text-decoration: underline !important;
}
</style><!--[if mso | ie]>
<style type="text/css">
a {
background-color: #FEFEFE !important; color: #010101 !important;
}
@media (prefers-color-scheme: dark) {
a {
background-color: #27292D !important; color: #FEFEFE !important;
}
}
</style>
<![endif]--></head><body class="">
<div style="display: none; max-height: 0px; overflow: hidden;">TrendAI Research has exposed a solo Russian-speaking actor tracked as "bandcampro" who ran a five-year MAGA-themed influence operation </div>
<div style="display: none; max-height: 0px; overflow: hidden;">
<br>
</div>
<table align="center" class="document"><tbody><tr><td valign="top">
<table align="center" border="0" cellpadding="0" cellspacing="0" class="container" width="600"><tbody><tr class="inner-body"><td>
<table align="center" border="0" cellpadding="0" cellspacing="0" width="100%"><tbody><tr class="header"><td bgcolor="" class="container">
<table width="100%"><tbody><tr><td class="container">
<table align="center" bgcolor="" border="0" cellpadding="0" cellspacing="0" style="margin-top: 0px;" width="100%"><tbody><tr><td style="padding: 0px;">
<table align="center" bgcolor="" border="0" cellpadding="0" cellspacing="0" width="100%"><tbody><tr><td class="container" style="padding: 15px 15px;">
<div style="text-align: center;">
<span style="margin-right: 0px;"><a href="https://tracking.tldrnewsletter.com/CL0/https:%2F%2Ftldr.tech%2Finfosec%3Futm_source=tldrinfosec/1/0100019e6eb10265-53930e66-d44d-4575-9c44-1cc149cbe752-000000/m-YuBQKn6wUsSrhzY7eUTLkr2y4Mtc-luNgKBeicYW0=452" rel="noopener noreferrer" target="_blank"><span>Sign Up</span></a>
|<span style="margin-right: 2px; margin-left: 2px;"><a href="https://tracking.tldrnewsletter.com/CL0/https:%2F%2Fadvertise.tldr.tech%2F%3Futm_source=tldrinfosec%26utm_medium=newsletter%26utm_campaign=advertisetopnav/1/0100019e6eb10265-53930e66-d44d-4575-9c44-1cc149cbe752-000000/zqXpD1iBF7gfxPXM2Oo8JyCxFlxZlRoCg9RmsCfCMuE=452" rel="noopener noreferrer" target="_blank"><span>Advertise</span></a></span>|<span style="margin-left: 2px;"><a href="https://tracking.tldrnewsletter.com/CL0/https:%2F%2Fa.tldrnewsletter.com%2Fweb-version%3Fep=1%26lc=156924ca-84b7-11f0-8d58-47c5c04ad337%26p=2221aefa-5a7a-11f1-bc37-f97a30e8dc51%26pt=campaign%26t=1779973554%26s=fa306b2c8ed647a4a224a5676391eabfb13c1213141f6ee57622073a0f67c1ec/1/0100019e6eb10265-53930e66-d44d-4575-9c44-1cc149cbe752-000000/2k3dTe2Ba2e-CM2HF6kXRAuD-HT5SIYct2SVHjD-PCA=452"><span>View Online</span></a></span>
<br>
</span></div>
</td></tr></tbody></table>
<table align="center" bgcolor="" border="0" cellpadding="0" cellspacing="0" width="100%"><tbody><tr><td class="container" style="text-align: center;"><span data-darkreader-inline-color="" style="--darkreader-inline-color:#3db3ff; color: rgb(51, 175, 255) !important; font-size: 30px;">T</span><span style="font-size: 30px;"><span data-darkreader-inline-color="" style="color: rgb(232, 192, 96) !important; --darkreader-inline-color:#e8c163; font-size:30px;">L</span><span data-darkreader-inline-color="" style="color: rgb(101, 195, 173) !important; --darkreader-inline-color:#6ec7b2; font-size:30px;">D</span></span><span data-darkreader-inline-color="" style="--darkreader-inline-color:#dd6e6e; color: rgb(220, 107, 107) !important; font-size: 30px;">R</span>
<br>
</td></tr></tbody></table>
<br>
<table align="center" bgcolor="" border="0" cellpadding="0" cellspacing="0" width="100%"><tbody><tr id="together-with"><td align="center" height="20" style="vertical-align:middle !important;" valign="middle" width="100%"><strong style="vertical-align:middle !important; height: 100%;">Together With </strong>
<a href="https://tracking.tldrnewsletter.com/CL0/https:%2F%2Fgo.flashpoint-intel.com%2F2026-global-threat-intelligence-report%3Futm_source=tldrinfosec%26utm_medium=newsletter%26utm_campaign=Resource_RP_GTI_2026%26sfcampaign_id=701Rc00000dDaIXIA0_Header/1/0100019e6eb10265-53930e66-d44d-4575-9c44-1cc149cbe752-000000/TyFAco4kerUD_dH4LH5_W3ya0T2S_l9bt03sSdS0erQ=452"><img src="https://images.tldr.tech/flashpoint.png" valign="middle" style="vertical-align: middle !important; height: 100%;" alt="Flashpoint"></a></td></tr></tbody></table>
<table style="table-layout: fixed; width:100%;" width="100%"><tbody><tr><td style="padding:0;border-collapse:collapse;border-spacing:0;margin:0;">
<div style="text-align: center;">
<h1><strong>TLDR Information Security <span id="date">2026-05-28</span></strong></h1>
</div>
</td></tr></tbody></table>
<table style="table-layout: fixed; width:100%;" width="100%"><tbody><tr id="sponsy-copy"><td class="container" style="padding: 15px 15px;">
<div class="text-block">
<span>
<a href="https://tracking.tldrnewsletter.com/CL0/https:%2F%2Fgo.flashpoint-intel.com%2F2026-global-threat-intelligence-report%3Futm_source=tldrinfosec%26utm_medium=newsletter%26utm_campaign=Resource_RP_GTI_2026%26sfcampaign_id=701Rc00000dDaIXIA0_Header/2/0100019e6eb10265-53930e66-d44d-4575-9c44-1cc149cbe752-000000/pUZRI7Mo1f9TZdMuQkCLowCqli3AuI3LKjZQ9_eUrB4=452">
<span>
<strong>The 1,500% surge in AI-related threats was just the beginning (Sponsor)</strong>
</span>
</a>
<br>
<br>
<span style="font-family: "Helvetica Neue", Helvetica, Arial, Verdana, sans-serif;">
AI-powered cybercrime is scaling, but not in the way you think. Ransomware is up 53% and it's mostly identity-based extortion, not technical file encryption, that's to blame.<br><br>Flashpoint's <a href="https://tracking.tldrnewsletter.com/CL0/https:%2F%2Fgo.flashpoint-intel.com%2F2026-global-threat-intelligence-report%3Futm_source=tldrinfosec%26utm_medium=newsletter%26utm_campaign=Resource_RP_GTI_2026%26sfcampaign_id=701Rc00000dDaIXIA0_body1/1/0100019e6eb10265-53930e66-d44d-4575-9c44-1cc149cbe752-000000/aUB7zgeqCd24bjJIJFnfrULZn_5zF7GE-YNSeSXJA7o=452" rel="noopener noreferrer nofollow" target="_blank"><span>2026 Global Threat Intelligence Report</span></a> provides a data-driven view of the 2026 threat landscape. Readers will learn:
<p></p>
<ul>
<li>Why threat actors are <a href="https://tracking.tldrnewsletter.com/CL0/https:%2F%2Fgo.flashpoint-intel.com%2F2026-global-threat-intelligence-report%3Futm_source=tldrinfosec%26utm_medium=newsletter%26utm_campaign=Resource_RP_GTI_2026%26sfcampaign_id=701Rc00000dDaIXIA0_body2/1/0100019e6eb10265-53930e66-d44d-4575-9c44-1cc149cbe752-000000/SkWhmGLkk2QG9CAvOrdRlRrdkqdVpvURuU72auVB9cQ=452" rel="noopener noreferrer nofollow" target="_blank"><span>transitioning from GenAI to autonomous agents</span></a> that execute end-to-end attacks without human intervention.</li>
<li>How the professionalization of groups like RansomHub and Clop is scaling the cybercrime economy.</li>
<li>How 3.3 billion compromised credentials and cloud tokens are making identity the primary exploit vector.</li>
</ul>
<p><a href="https://tracking.tldrnewsletter.com/CL0/https:%2F%2Fgo.flashpoint-intel.com%2F2026-global-threat-intelligence-report%3Futm_source=tldrinfosec%26utm_medium=newsletter%26utm_campaign=Resource_RP_GTI_2026%26sfcampaign_id=701Rc00000dDaIXIA0_cta/1/0100019e6eb10265-53930e66-d44d-4575-9c44-1cc149cbe752-000000/CB8JnFh-QhM1mlbi6AxoC1mkbBalaPCa-bJjT_Taqj4=452" rel="noopener noreferrer nofollow" target="_blank"><span>Read the report</span></a>
</p>
</span></span></div>
</td></tr></tbody></table>
</td></tr></tbody></table>
</td></tr></tbody></table>
</td></tr>
<tr bgcolor=""><td class="container">
<table align="center" bgcolor="" border="0" cellpadding="0" cellspacing="0" width="100%"><tbody><tr><td style="padding: 0px;">
<table align="center" bgcolor="" border="0" cellpadding="0" cellspacing="0" width="100%"><tbody><tr><td class="container" style="padding-top: 0px; padding-bottom: 0px;">
<div class="text-block">
<div style="text-align: center;"><span style="font-size: 36px;">🔓</span></div></div>
</td></tr></tbody></table>
<table align="center" bgcolor="" border="0" cellpadding="0" cellspacing="0" width="100%"><tbody><tr><td class="container" style="padding-top: 0px; padding-bottom: 0px;">
<div class="text-block">
<div style="text-align: center;">
<h1><strong>Attacks & Vulnerabilities</strong></h1>
</div>
</div>
</td></tr></tbody></table>
<table style="table-layout: fixed; width: 100%;" width="100%"><tbody><tr><td style="padding:0;border-collapse:collapse;border-spacing:0;margin:0;" valign="top">
<table align="center" border="0" cellpadding="0" cellspacing="0" width="100%"><tbody><tr><td class="container" style="padding: 15px 15px;">
<div class="text-block">
<span>
<a href="https://tracking.tldrnewsletter.com/CL0/https:%2F%2Fcybersecuritynews.com%2Frussian-hacker-used-jailbroken-gemini%2F%3Futm_source=tldrinfosec/1/0100019e6eb10265-53930e66-d44d-4575-9c44-1cc149cbe752-000000/6_RPbIJU9XRDiX22Eh3u20edizjCZArrmuSSZXT4Pqc=452">
<span>
<strong>Russian Hacker Used Jailbroken Gemini to Steal Admin Credentials and Drain Crypto Wallets (3 minute read)</strong>
</span>
</a>
<br>
<br>
<span style="font-family: "Helvetica Neue", Helvetica, Arial, Verdana, sans-serif;">
TrendAI Research has exposed a solo Russian-speaking actor tracked as "bandcampro" who ran a five-year MAGA-themed influence operation by persistently jailbreaking Google Gemini CLI, planting escalating instructions in a GEMINI.md memory file that the CLI reloads every session, and reinforcing the bypass with Russian-language prompts that evade inconsistently enforced non-English guardrails. With safety controls disabled, Gemini powered a "Quantum Patriot" content pipeline generating QAnon posts, produced up to 20 password mutations per target that cracked 29 WordPress admin accounts when combined with DaisyCloud infostealer logs, and supported a trojanized StellarMonster wallet installer (actually the GoToResolve RAT) that harvested seed phrases and drained at least one victim's crypto, all funded by 73 round-robin-rotated stolen API keys with C2 nodes at 213.165.51[.]115, 34.34.57[.]141, 34.34.81[.]129, and 35.192.41[.]201. Defenders should monitor for stolen API key reuse, anomalous CLI-driven infrastructure changes, and credential-stuffing patterns consistent with LLM-assisted password mutation.
</span>
</span>
</div>
</td></tr></tbody></table>
<table align="center" border="0" cellpadding="0" cellspacing="0" width="100%"><tbody><tr><td class="container" style="padding: 15px 15px;">
<div class="text-block">
<span>
<a href="https://tracking.tldrnewsletter.com/CL0/https:%2F%2Forca.security%2Fresources%2Fblog%2Fkopia-backup-rce-vulnerability%2F%3Futm_source=tldrinfosec/1/0100019e6eb10265-53930e66-d44d-4575-9c44-1cc149cbe752-000000/JR8iXAvBi8OOQb0PQCfa_GgWyyw7NQo_uRbUHpu8s70=452">
<span>
<strong>Critical Unauthenticated RCE in Kopia Backup via SSH ProxyCommand Injection (2 minute read)</strong>
</span>
</a>
<br>
<br>
<span style="font-family: "Helvetica Neue", Helvetica, Arial, Verdana, sans-serif;">
Orca Security has disclosed CVE-2026-45695 (CVSS 9.8), an unauthenticated remote code execution flaw in the Kopia open-source backup tool where the /api/v1/repo/exists endpoint passes SFTP storage configuration fields directly into an SSH command line without tokenization or quote handling, letting an attacker inject -oProxyCommand= tokens in a single crafted HTTP request to force OpenSSH to run arbitrary shell commands. The bug affects Kopia HTTP server versions 0.22.3 and earlier when the server runs with --without-password and binds to non-loopback interfaces with an SFTP external-SSH backend. Although researcher Daniele Berardinelli disclosed it responsibly, with no public proof-of-concept yet, the single-request attack vector makes weaponization trivial and risks full backup data exfiltration and infrastructure pivoting. Administrators should upgrade to version 0.23.0 or later immediately, and otherwise bind Kopia to localhost only and place any externally reachable instance behind an authenticating reverse proxy.
</span>
</span>
</div>
</td></tr></tbody></table>
<table align="center" border="0" cellpadding="0" cellspacing="0" width="100%"><tbody><tr><td class="container" style="padding: 15px 15px;">
<div class="text-block">
<span>
<a href="https://tracking.tldrnewsletter.com/CL0/https:%2F%2Fwww.theregister.com%2Fcyber-crime%2F2026%2F05%2F26%2Fmypillow-appears-on-play-ransomware-leak-site%2F5246513%3Futm_source=tldrinfosec/1/0100019e6eb10265-53930e66-d44d-4575-9c44-1cc149cbe752-000000/rVHt4krmFdKg2sEpDffe1SnBSFNy5uOIAIZi7n8z974=452">
<span>
<strong>MyPillow Appears on Play Ransomware Leak Site (2 minute read)</strong>
</span>
</a>
<br>
<br>
<span style="font-family: "Helvetica Neue", Helvetica, Arial, Verdana, sans-serif;">
The Play ransomware gang claims to have breached the MyPillow bedding company. The breached data allegedly includes private and confidential personal data, client documents, budgets, payroll, IDs, and tax and financial information.
</span>
</span>
</div>
</td></tr></tbody></table>
</td></tr></tbody></table>
<table align="center" bgcolor="" border="0" cellpadding="0" cellspacing="0" width="100%"><tbody><tr><td class="container" style="padding-top: 0px; padding-bottom: 0px;">
<div class="text-block">
<div style="text-align: center;"><span style="font-size: 36px;">🧠</span></div>
</div>
</td></tr></tbody></table>
<table align="center" bgcolor="" border="0" cellpadding="0" cellspacing="0" width="100%"><tbody><tr><td class="container" style="padding-top: 0px; padding-bottom: 0px;">
<div class="text-block">
<div style="text-align: center;">
<h1><strong>Strategies & Tactics</strong></h1>
</div>
</div>
</td></tr></tbody></table>
<table style="table-layout: fixed; width: 100%;" width="100%"><tbody><tr><td style="padding:0;border-collapse:collapse;border-spacing:0;margin:0;" valign="top">
<table align="center" border="0" cellpadding="0" cellspacing="0" width="100%"><tbody><tr><td class="container" style="padding: 15px 15px;">
<div class="text-block">
<span>
<a href="https://tracking.tldrnewsletter.com/CL0/https:%2F%2Fventurebeat.com%2Fsecurity%2Fattack-dominating-financial-services-resets-mfa-steals-token%3Futm_source=tldrinfosec/1/0100019e6eb10265-53930e66-d44d-4575-9c44-1cc149cbe752-000000/r7zk89MBIwNq9TDLSMX9m1DjlK0qpg2cX0tBIzz10jM=452">
<span>
<strong>The attack dominating financial services doesn't steal passwords. It resets MFA and steals the token (6 minute read)</strong>
</span>
</a>
<br>
<br>
<span style="font-family: "Helvetica Neue", Helvetica, Arial, Verdana, sans-serif;">
Three independent reports from CrowdStrike, the FBI, and Verizon converge on the same finding: the attacks dominating financial services bypass password theft entirely, with Mutant Spider running Microsoft Teams vishing to trick help desks into resetting MFA and registering attacker devices, the $250-a-month Kali365 phishing-as-a-service platform capturing M365 OAuth tokens through the legitimate device code flow, and credential theft falling to just 13% of breach initial-access vectors behind vulnerability exploitation at 31%. MFA fires on the victim's device and not the attacker's, so captured tokens become credential-equivalent bearer artifacts granting weeks or months of silent access that traditional credential-theft monitoring never flags. Defenders should require out-of-band verification and FIDO2 keys for all MFA resets, restrict the device code flow via Entra ID conditional access, monitor OAuth refresh-token use from unfamiliar devices, and audit Graph API access for bulk operations from reset or device-code sessions.
</span>
</span>
</div>
</td></tr></tbody></table>
<table align="center" border="0" cellpadding="0" cellspacing="0" width="100%"><tbody><tr><td class="container" style="padding: 15px 15px;">
<div class="text-block">
<span>
<a href="https://tracking.tldrnewsletter.com/CL0/https:%2F%2Faws.amazon.com%2Fblogs%2Fsecurity%2Fgoverning-infrastructure-as-code-using-pattern-based-policy-as-code%2F%3Futm_source=tldrinfosec/1/0100019e6eb10265-53930e66-d44d-4575-9c44-1cc149cbe752-000000/0fDYio6XxBLZJjihFXcw6KD32qD2-PgInePCj4QW9zw=452">
<span>
<strong>Governing Infrastructure as Code Using Pattern-Based Policy as Code (6 minute read)</strong>
</span>
</a>
<br>
<br>
<span style="font-family: "Helvetica Neue", Helvetica, Arial, Verdana, sans-serif;">
Open Policy Agent (OPA) can be used to enforce organizational patterns in infrastructure-as-code (IaC) workflows using policy-as-code (PaC). This article proposes a workflow where a CI/CD system runs early validation checks, followed by a Terraform plan, followed by OPA checks against the generated plan, and then uploads the validation artifacts for approval decisions. The article includes example workflows that enforce secure transport over S3, restrict public ingress on sensitive ports, and enforce least privilege for IAM roles.
</span>
</span>
</div>
</td></tr></tbody></table>
<table align="center" border="0" cellpadding="0" cellspacing="0" width="100%"><tbody><tr><td class="container" style="padding: 15px 15px;">
<div class="text-block">
<span>
<a href="https://tracking.tldrnewsletter.com/CL0/https:%2F%2Fcode.visualstudio.com%2Fdocs%2Fenterprise%2Fextensions%3Futm_source=tldrinfosec/1/0100019e6eb10265-53930e66-d44d-4575-9c44-1cc149cbe752-000000/URp9DBNtl7sWj7sD0nCfEnwcvAj-TLO_IyMaEffgsdg=452">
<span>
<strong>Managing VS Code Extensions in an Enterprise Environment (4 minute read)</strong>
</span>
</a>
<br>
<br>
<span style="font-family: "Helvetica Neue", Helvetica, Arial, Verdana, sans-serif;">
Microsoft has recently published a new documentation page for Visual Studio Code on managing extensions. Organizations can explicitly allow or deny extensions by publisher or extension, as well as pin specific versions. The documentation also covers deploying the configuration via device management solutions, using private registries, and reinstalling extensions.
</span>
</span>
</div>
</td></tr></tbody></table>
</td></tr></tbody></table>
<table align="center" bgcolor="" border="0" cellpadding="0" cellspacing="0" width="100%"><tbody><tr><td class="container" style="padding-top: 0px; padding-bottom: 0px;">
<div class="text-block">
<div style="text-align: center;"><span style="font-size: 36px;">🧑💻</span></div>
</div>
</td></tr></tbody></table>
<table align="center" bgcolor="" border="0" cellpadding="0" cellspacing="0" width="100%"><tbody><tr><td class="container" style="padding-top: 0px; padding-bottom: 0px;">
<div class="text-block">
<div style="text-align: center;">
<h1><strong>Launches & Tools</strong></h1>
</div>
</div>
</td></tr></tbody></table>
<table style="table-layout: fixed; width: 100%;" width="100%"><tbody><tr><td style="padding:0;border-collapse:collapse;border-spacing:0;margin:0;" valign="top">
<table align="center" border="0" cellpadding="0" cellspacing="0" width="100%"><tbody><tr><td class="container" style="padding: 15px 15px;">
<div class="text-block">
<span>
<a href="https://tracking.tldrnewsletter.com/CL0/https:%2F%2Fgithub.com%2Fperplexityai%2Fbumblebee%3Futm_source=tldrinfosec/1/0100019e6eb10265-53930e66-d44d-4575-9c44-1cc149cbe752-000000/OPpmdS-JKmKoaclW9f5r66Y4AFETa-PuvYckPc1Ihe4=452">
<span>
<strong>Bumblebee (GitHub Repo)</strong>
</span>
</a>
<br>
<br>
<span style="font-family: "Helvetica Neue", Helvetica, Arial, Verdana, sans-serif;">
Bumblebee, released by Perplexity, is a read-only inventory collector that turns scattered on-disk developer-tool metadata into structured NDJSON component records, parsing lockfiles, package-manager install metadata, editor and browser extension manifests, and MCP host configs across npm, PyPI, Go, RubyGems, Composer, and other ecosystems on macOS and Linux endpoints. Shipping as a single static Go 1.25+ binary with zero non-stdlib dependencies and three scan profiles (baseline, project, and deep), it answers a narrow supply-chain response question by flagging exact (ecosystem, name, and version) matches against a supplied exposure catalog, making it well-suited for fast fleet-wide checks when responders already know the compromised package from an advisory. The tool deliberately avoids executing package managers or reading source files and does not emit credential values from MCP env blocks, though teams should still validate the maintained threat_intel catalogs (assembled with Perplexity Computer) before relying on them for incident response.
</span>
</span>
</div>
</td></tr></tbody></table>
<table align="center" border="0" cellpadding="0" cellspacing="0" width="100%"><tbody><tr><td class="container" style="padding: 15px 15px;">
<div class="text-block">
<span>
<a href="https://tracking.tldrnewsletter.com/CL0/https:%2F%2Fgithub.com%2Fgadievron%2Fhoneyslop%2F%3Futm_source=tldrinfosec/1/0100019e6eb10265-53930e66-d44d-4575-9c44-1cc149cbe752-000000/D9Ika-ScuaRZb_SVMbjqyVMnrH-x1gCDJScLebUYPFY=452">
<span>
<strong>honeyslop (GitHub Repo)</strong>
</span>
</a>
<br>
<br>
<span style="font-family: "Helvetica Neue", Helvetica, Arial, Verdana, sans-serif;">
honeyslop is a collection of code canaries or decoys for open-source projects drowning in AI-hallucinated and unverified vulnerability reports.
</span>
</span>
</div>
</td></tr></tbody></table>
<table align="center" border="0" cellpadding="0" cellspacing="0" width="100%"><tbody><tr><td class="container" style="padding: 15px 15px;">
<div class="text-block">
<span>
<a href="https://tracking.tldrnewsletter.com/CL0/https:%2F%2Fgithub.com%2FAriESQ%2Fgh-safe-repo%3Futm_source=tldrinfosec/1/0100019e6eb10265-53930e66-d44d-4575-9c44-1cc149cbe752-000000/EeXpBN_zXMZccfvzwMD76xXUhIj9ahCn04XF-BbFhLc=452">
<span>
<strong>gh-safe-repo (GitHub Repo)</strong>
</span>
</a>
<br>
<br>
<span style="font-family: "Helvetica Neue", Helvetica, Arial, Verdana, sans-serif;">
gh-safe-repo is a Python CLI that creates GitHub repos with safe defaults, including branch protection, Dependabot, secret scanning, and pre-flight security scanning.
</span>
</span>
</div>
</td></tr></tbody></table>
</td></tr></tbody></table>
<table align="center" bgcolor="" border="0" cellpadding="0" cellspacing="0" width="100%"><tbody><tr><td class="container" style="padding-top: 0px; padding-bottom: 0px;">
<div class="text-block">
<div style="text-align: center;"><span style="font-size: 36px;">🎁</span></div></div>
</td></tr></tbody></table>
<table align="center" bgcolor="" border="0" cellpadding="0" cellspacing="0" width="100%"><tbody><tr><td class="container" style="padding-top: 0px; padding-bottom: 0px;">
<div class="text-block">
<div style="text-align: center;"><strong><h1>Miscellaneous</h1></strong></div>
</div>
</td></tr></tbody></table>
<table bgcolor="" style="table-layout: fixed; width: 100%;" width="100%"><tbody><tr><td style="padding:0;border-collapse:collapse;border-spacing:0;margin:0;" valign="top">
<table align="center" border="0" cellpadding="0" cellspacing="0" width="100%"><tbody><tr><td class="container" style="padding: 15px 15px;">
<div class="text-block">
<span>
<a href="https://tracking.tldrnewsletter.com/CL0/https:%2F%2Fwww.csoonline.com%2Farticle%2F4177019%2Ftrapdoor-malware-campaign-puts-developer-workstations-in-ciso-spotlight.html%3Futm_source=tldrinfosec/1/0100019e6eb10265-53930e66-d44d-4575-9c44-1cc149cbe752-000000/YxNeqkmisuRX7UE5jUCoIkJ4iAzLj9K-bDZApr_ZHiE=452">
<span>
<strong>TrapDoor malware campaign puts developer workstations in CISO spotlight (3 minute read)</strong>
</span>
</a>
<br>
<br>
<span style="font-family: "Helvetica Neue", Helvetica, Arial, Verdana, sans-serif;">
Socket researchers tracked TrapDoor, a campaign spanning 34+ malicious packages and 384+ versions across npm, PyPI, and Crates.io that abuses each ecosystem's native execution points (postinstall scripts, import-time execution, and Rust build scripts) to steal AWS credentials, GitHub tokens, SSH keys, and crypto wallets, while also tampering with AI coding assistant files like .cursorrules and CLAUDE.md via hidden Unicode instructions. Analysts frame the campaign as a shift from opportunistic package abuse toward workflow-level compromise, where a single poisoned workstation becomes an initial-access foothold into CI/CD pipelines and build infrastructure rather than a one-off credential theft. The broader takeaway for CISOs is to treat developer environments as production-adjacent infrastructure, enforcing install-time behavioral scanning, package allowlisting, scoped short-lived credentials, AI tooling governance, and zero-trust controls inside local dev workflows.
</span>
</span>
</div>
</td></tr></tbody></table>
<table align="center" border="0" cellpadding="0" cellspacing="0" width="100%"><tbody><tr><td class="container" style="padding: 15px 15px;">
<div class="text-block">
<span>
<a href="https://tracking.tldrnewsletter.com/CL0/https:%2F%2Fwww.techradar.com%2Fpro%2Fsecurity%2Fuk-visa-portal-website-leaks-thousands-of-user-passport-data-and-photos-online%3Futm_source=tldrinfosec/1/0100019e6eb10265-53930e66-d44d-4575-9c44-1cc149cbe752-000000/5e5exkXXshjCYnN4cVsjghGWRHotwG3QTyMEbIJ5-C4=452">
<span>
<strong>UK Visa Portal Website Leaks Thousands of User Passport Data and Photos Online (2 minute read)</strong>
</span>
</a>
<br>
<br>
<span style="font-family: "Helvetica Neue", Helvetica, Arial, Verdana, sans-serif;">
UK Visa Portal, a third-party website, reportedly left at least 100k sensitive documents publicly exposed with no password protection in a cloud repository. The breached data includes passports, photos, verification selfies, and other application information. The exposed file directory also used a predictable URL, making it easily guessable by attackers.
</span>
</span>
</div>
</td></tr></tbody></table>
<table align="center" border="0" cellpadding="0" cellspacing="0" width="100%"><tbody><tr><td class="container" style="padding: 15px 15px;">
<div class="text-block">
<span>
<a href="https://tracking.tldrnewsletter.com/CL0/https:%2F%2Fwww.theregister.com%2Fsecurity%2F2026%2F05%2F27%2Fcert-in-professes-12-hour-patching-for-ai-assisted-attacks%2F5247009%3Futm_source=tldrinfosec/1/0100019e6eb10265-53930e66-d44d-4575-9c44-1cc149cbe752-000000/5MMztnTDl9ARe_l-u5KqWd_moUKx2b_uT3B-qTWqj3I=452">
<span>
<strong>CERT-In professes 12-hour patching for AI-assisted attacks (3 minute read)</strong>
</span>
</a>
<br>
<br>
<span style="font-family: "Helvetica Neue", Helvetica, Arial, Verdana, sans-serif;">
India's CERT-In has published new guidance urging defenders to "patch, mitigate, or remove exposure within 12 hours where feasible" for known-exploited bugs on internet-facing or crown-jewel systems, with a 24-hour window for critical (CVSS 9.0+) or exploited flaws on internal systems, framing the compressed timelines as a response to AI-assisted exploitation that shrinks the time adversaries need to weaponize vulnerabilities. The agency cites agentic AI and frontier models like Anthropic's Mythos and OpenAI's GPT-5.5 as accelerants that let attackers move from recon to data theft at machine speed across interconnected supply chains. Practitioners who spoke to The Register argued 12 hours is too short to fully test and deploy a patch but praised the emphasis on temporary mitigations such as isolation, access restriction, or disablement, which turn the deadline into a feasible containment strategy rather than a literal patch-completion clock.
</span>
</span>
</div>
</td></tr></tbody></table>
</td></tr></tbody></table>
<table align="center" bgcolor="" border="0" cellpadding="0" cellspacing="0" width="100%"><tbody><tr><td class="container" style="padding-top: 0px; padding-bottom: 0px;">
<div class="text-block">
<div style="text-align: center;"><span style="font-size: 36px;">⚡</span></div></div>
</td></tr></tbody></table>
<table align="center" bgcolor="" border="0" cellpadding="0" cellspacing="0" width="100%"><tbody><tr><td class="container" style="padding-top: 0px; padding-bottom: 0px;">
<div class="text-block">
<div style="text-align: center;">
<h1><strong>Quick Links</strong></h1>
</div>
</div>
</td></tr></tbody></table>
<table bgcolor="" style="table-layout: fixed; width: 100%;" width="100%"><tbody><tr><td style="padding:0;border-collapse:collapse;border-spacing:0;margin:0;" valign="top">
<table align="center" border="0" cellpadding="0" cellspacing="0" width="100%"><tbody><tr><td class="container" style="padding: 15px 15px;">
<div class="text-block">
<span>
<a href="https://tracking.tldrnewsletter.com/CL0/https:%2F%2Flinks.tldrnewsletter.com%2Fl2QzMz/1/0100019e6eb10265-53930e66-d44d-4575-9c44-1cc149cbe752-000000/3oeqzQwsrzxOq9g7y5Hb6zeeI-drq0mJlRu74qBKZeQ=452">
<span>
<strong>Hackers Exploit GTA 6 Hype to Spread Malware Via Fake Beta Tests (2 minute read)</strong>
</span>
</a>
<br>
<br>
<span style="font-family: "Helvetica Neue", Helvetica, Arial, Verdana, sans-serif;">
NordVPN researchers have warned that attackers are leveraging GTA VI launch hype through fake beta-key sites, credential-harvesting phishing pages, and cracked-installer malware on cloned FitGirl, DODI, and ElAmigos repack sites.
</span>
</span>
</div>
</td></tr></tbody></table>
<table align="center" border="0" cellpadding="0" cellspacing="0" width="100%"><tbody><tr><td class="container" style="padding: 15px 15px;">
<div class="text-block">
<span>
<a href="https://tracking.tldrnewsletter.com/CL0/https:%2F%2Flinks.tldrnewsletter.com%2FNUc0CA/1/0100019e6eb10265-53930e66-d44d-4575-9c44-1cc149cbe752-000000/-jB5v8k3VKGj8x7s3gax8cZ23d0ZfxPFgJ_LrKmgDTg=452">
<span>
<strong>North Korea's Lazarus Group uses new RemotePE malware against financial targets (1 minute read)</strong>
</span>
</a>
<br>
<br>
<span style="font-family: "Helvetica Neue", Helvetica, Arial, Verdana, sans-serif;">
Fox-IT (NCC Group) has attributed RemotePE, a cross-platform in-memory RAT delivered through a two-loader chain (DPAPILoader and RemotePELoader) that uses DPAPI decryption, Hell's Gate, and ETW patching to evade detection, to North Korea's Lazarus Group, which reserves the toolset for long-term stealthy access against high-value financial and cryptocurrency targets.
</span>
</span>
</div>
</td></tr></tbody></table>
<table align="center" border="0" cellpadding="0" cellspacing="0" width="100%"><tbody><tr><td class="container" style="padding: 15px 15px;">
<div class="text-block">
<span>
<a href="https://tracking.tldrnewsletter.com/CL0/https:%2F%2Fsecurityaffairs.com%2F192770%2Fcyber-crime%2Fromanian-hacker-gets-nearly-5-years-in-us-prison-over-network-intrusion.html%3Futm_source=tldrinfosec/1/0100019e6eb10265-53930e66-d44d-4575-9c44-1cc149cbe752-000000/SQJ0deNy3MdlkCC-G5mg0OhA1T-L7fhsMFMcJeHpkLc=452">
<span>
<strong>Romanian Hacker Gets Nearly 5 Years in US Prison Over Network Intrusion (1 minute read)</strong>
</span>
</a>
<br>
<br>
<span style="font-family: "Helvetica Neue", Helvetica, Arial, Verdana, sans-serif;">
The US DoJ has sentenced Romanian national Catalin Dragomir (45) to 56 months in federal prison plus three years of supervised release after he pleaded guilty to breaching an Oregon state emergency management network in June 2021, negotiating a $3,000 Bitcoin sale of admin access, and conducting further attacks on US victims that caused over $250,000 in losses.
</span>
</span>
</div>
</td></tr></tbody></table>
</td></tr></tbody></table>
<table align="center" bgcolor="" border="0" cellpadding="0" cellspacing="0" width="100%"><tbody><tr><td align="left" style="word-break: break-word; vertical-align: top; padding: 5px 10px;">
<p style="padding: 0; margin: 0; font-size: 22px; color: #000000; line-height: 1.6; font-weight: bold;">
Love TLDR? Tell your friends and get rewards!
</p>
</td></tr>
<tr><td class="container" style="padding: 0px 10px 15px;">
<div class="text-block">
Share your referral link below with friends to get free TLDR swag!
</div>
</td></tr>
<tr><td align="left" style="padding: 10px;">
<div class="text-block">
<a href="https://tracking.tldrnewsletter.com/CL0/https:%2F%2Frefer.tldr.tech%2F78de0e20%2F8/1/0100019e6eb10265-53930e66-d44d-4575-9c44-1cc149cbe752-000000/KOCToF-EVgY3prE0JdzcW8y0eo3uSsy3qMaalOQ8oTg=452" style="color: #464ba4; text-decoration: underline;">https://refer.tldr.tech/78de0e20/8</a>
</div>
</td></tr>
<tr></tr>
<tr><td align="left" style="padding:5px 10px;">
<a href="https://tracking.tldrnewsletter.com/CL0/https:%2F%2Fhub.sparklp.co%2Fsub_d62447d5a74a%2F8/1/0100019e6eb10265-53930e66-d44d-4575-9c44-1cc149cbe752-000000/PKXmEcc-VqHewNLq00GqrSF_pLhSHCmWMNOLPIbOxjw=452" style="font-size: 16px; line-height: 1.6; padding: 10px 0; display: inline-block; text-decoration: underline;"><span style="mso-text-raise:13pt; text-decoration: underline;">Track your referrals here.</span></a>
</td></tr></tbody></table>
<table align="center" bgcolor="" border="0" cellpadding="0" cellspacing="0" width="100%"><tbody><tr><td align="left" style="word-break: break-word; vertical-align: top; padding: 5px 10px;">
<p style="padding: 0; margin: 0; font-size: 22px; color: #000000; line-height: 1.6; font-weight: bold;">
Want to advertise in TLDR? 📰
</p>
<div class="text-block" style="margin-top: 10px;">
If your company is interested in reaching an audience of cybersecurity professionals and decision makers, you may want to <a href="https://tracking.tldrnewsletter.com/CL0/https:%2F%2Fadvertise.tldr.tech%2F%3Futm_source=tldrinfosec%26utm_medium=newsletter%26utm_campaign=advertisecta/1/0100019e6eb10265-53930e66-d44d-4575-9c44-1cc149cbe752-000000/EVtuVWz9dKF3_1wNloorPCbA7P1sPncsa16_WgsgSXo=452"><strong><span>advertise with us</span></strong></a>.
</div>
<br>
<!-- New "Want to work at TLDR?" section -->
<p style="padding: 0; margin: 0; font-size: 22px; color: #000000; line-height: 1.6; font-weight: bold;">
Want to work at TLDR? 💼
</p>
<div class="text-block" style="margin-top: 10px;">
<a href="https://tracking.tldrnewsletter.com/CL0/https:%2F%2Fjobs.ashbyhq.com%2Ftldr.tech/1/0100019e6eb10265-53930e66-d44d-4575-9c44-1cc149cbe752-000000/m_8hHbSUUcrHiAY9nPaqXFkBYVEufS6UDwBvOt9TLRw=452" rel="noopener noreferrer" style="color: #0000EE; text-decoration: underline;" target="_blank"><strong>Apply here</strong></a>,
<a href="https://tracking.tldrnewsletter.com/CL0/https:%2F%2Fjobs.ashbyhq.com%2Ftldr.tech%2Fc227b917-a6a4-40ce-8950-d3e165357871/1/0100019e6eb10265-53930e66-d44d-4575-9c44-1cc149cbe752-000000/HQn888XG5bKB_Gp7lq_WQChvQWtr_pRAmYC9W5wYcIs=452" rel="noopener noreferrer" style="color: #0000EE; text-decoration: underline;" target="_blank"><strong>create your own role</strong></a> or send a friend's resume to <a href="mailto:jobs@tldr.tech" style="color: #0000EE; text-decoration: underline;">jobs@tldr.tech</a> and get $1k if we hire them! TLDR is one of <a href="https://tracking.tldrnewsletter.com/CL0/https:%2F%2Fwww.linkedin.com%2Ffeed%2Fupdate%2Furn:li:activity:7401699691039830016%2F/1/0100019e6eb10265-53930e66-d44d-4575-9c44-1cc149cbe752-000000/tRXAcbyzaKHgENehncMtUaYntaCPFKd6vyqkm1Lb0JU=452" rel="noopener noreferrer" style="color: #0000EE; text-decoration: underline;" target="_blank"><strong>Inc.'s Best Bootstrapped businesses</strong></a> of 2025.
</div>
<br>
<div class="text-block">
If you have any comments or feedback, just respond to this email!
<br>
<br> Thanks for reading,
<br>
<a href="https://tracking.tldrnewsletter.com/CL0/https:%2F%2Fwww.linkedin.com%2Fin%2Fprasannagautam%2F/1/0100019e6eb10265-53930e66-d44d-4575-9c44-1cc149cbe752-000000/-YgAiftnoTokjioc1Xk0Y145XPGFZCKNz_UI1lkVXzk=452"><span>Prasanna Gautam</span></a>, <a href="https://tracking.tldrnewsletter.com/CL0/https:%2F%2Fwww.linkedin.com%2Fin%2Fericfernandezdelcampo%2F/1/0100019e6eb10265-53930e66-d44d-4575-9c44-1cc149cbe752-000000/GKIKkFXrehbeRL2_5dA-6LV0JM0MrERzGmwOxBLFGZE=452"><span>Eric Fernandez</span></a> & <a href="https://tracking.tldrnewsletter.com/CL0/https:%2F%2Fwww.linkedin.com%2Fin%2Fsammy-tbeile%2F/1/0100019e6eb10265-53930e66-d44d-4575-9c44-1cc149cbe752-000000/OjKjEhjpIXqL5oXifoGVQobq5a7IAM_dUK2isqs5zeE=452"><span>Sammy Tbeile</span></a>
<br>
<br>
</div>
<br>
</td></tr></tbody></table>
<table align="center" bgcolor="" border="0" cellpadding="0" cellspacing="0" width="100%"><tbody><tr><td class="container" style="padding: 15px 15px;">
<div class="text-block" id="testing-id">
<a href="https://tracking.tldrnewsletter.com/CL0/https:%2F%2Ftldr.tech%2Finfosec%2Fmanage%3Femail=silk.theater.56%2540fwdnl.com/1/0100019e6eb10265-53930e66-d44d-4575-9c44-1cc149cbe752-000000/4Ddjqr2Pf9UG38yKEAWm2Vpg7kVIDT00A93VNQRoFow=452">Manage your subscriptions</a> to our other newsletters on tech, startups, and programming. Or if TLDR Information Security isn't for you, please <a href="https://tracking.tldrnewsletter.com/CL0/https:%2F%2Fa.tldrnewsletter.com%2Funsubscribe%3Fep=1%26l=8d9cea11-3e94-11ed-9a32-0241b9615763%26lc=156924ca-84b7-11f0-8d58-47c5c04ad337%26p=2221aefa-5a7a-11f1-bc37-f97a30e8dc51%26pt=campaign%26pv=4%26spa=1779973239%26t=1779973554%26s=d688ff643eca4f17943df82865a08970c0e941e79b9150b81096341c89ec1cda/1/0100019e6eb10265-53930e66-d44d-4575-9c44-1cc149cbe752-000000/j64NPcgVbByD_9rTUk6-ZgNNcv32UZIgW6nr_JOomAQ=452">unsubscribe</a>.
<br>
</div>
</td></tr></tbody></table>
</td></tr></tbody></table>
</td></tr></tbody></table>
</td></tr></tbody></table>
</td></tr></tbody></table>
<img alt="" src="http://tracking.tldrnewsletter.com/CI0/0100019e6eb10265-53930e66-d44d-4575-9c44-1cc149cbe752-000000/8pyIexgPzBQPxKtGx3fHZ7oYmeARi1zlCLTl7cR_GO0=452" style="display: none; width: 1px; height: 1px;">
</body></html>