<!DOCTYPE html><html lang="en"><head><meta http-equiv="Content-Type" content="text/html charset=UTF-8"><meta charset="UTF-8"><meta name="viewport" content="width=device-width"><meta name="x-apple-disable-message-reformatting"><title>TLDR InfoSec</title><meta name="color-scheme" content="light dark"><meta name="supported-color-schemes" content="light dark"><style type="text/css">
:root {
color-scheme: light dark; supported-color-schemes: light dark;
}
*,
*:after,
*:before {
-webkit-box-sizing: border-box; -moz-box-sizing: border-box; box-sizing: border-box;
}
* {
-ms-text-size-adjust: 100%; -webkit-text-size-adjust: 100%;
}
html,
body,
.document {
width: 100% !important; height: 100% !important; margin: 0; padding: 0;
}
body {
-webkit-font-smoothing: antialiased; -moz-osx-font-smoothing: grayscale; text-rendering: optimizeLegibility;
}
div[style*="margin: 16px 0"] {
margin: 0 !important;
}
table,
td {
mso-table-lspace: 0pt; mso-table-rspace: 0pt;
}
table {
border-spacing: 0; border-collapse: collapse; table-layout: fixed; margin: 0 auto;
}
img {
-ms-interpolation-mode: bicubic; max-width: 100%; border: 0;
}
*[x-apple-data-detectors] {
color: inherit !important; text-decoration: none !important;
}
.x-gmail-data-detectors,
.x-gmail-data-detectors *,
.aBn {
border-bottom: 0 !important; cursor: default !important;
}
.btn {
-webkit-transition: all 200ms ease; transition: all 200ms ease;
}
.btn:hover {
background-color: #f67575; border-color: #f67575;
}
* {
font-family: Arial, Helvetica, sans-serif; font-size: 18px;
}
@media screen and (max-width: 600px) {
.container {
width: 100%; margin: auto;
}
.stack {
display: block!important; width: 100%!important; max-width: 100%!important;
}
.btn {
display: block; width: 100%; text-align: center;
}
}
body,
p,
td,
tr,
.body,
table,
h1,
h2,
h3,
h4,
h5,
h6,
div,
span {
background-color: #FEFEFE !important; color: #010101 !important;
}
@media (prefers-color-scheme: dark) {
body,
p,
td,
tr,
.body,
table,
h1,
h2,
h3,
h4,
h5,
h6,
div,
span {
background-color: #27292D !important; color: #FEFEFE !important;
}
}
a {
color: inherit !important; text-decoration: underline !important;
}
</style><!--[if mso | ie]>
<style type="text/css">
a {
background-color: #FEFEFE !important; color: #010101 !important;
}
@media (prefers-color-scheme: dark) {
a {
background-color: #27292D !important; color: #FEFEFE !important;
}
}
</style>
<![endif]--></head><body class="">
<div style="display: none; max-height: 0px; overflow: hidden;">GlassWASM is a TinyGo-compiled WebAssembly payload hidden in two trojanized Open VSX extensions published by impersonation account zaitoona43 β β β β β β β β β β β β β β β β β β β β β β β β β β β β β β β β β β β β β β β β β β β β β β β β β β β β </div>
<div style="display: none; max-height: 0px; overflow: hidden;">
<br>
</div>
<table align="center" class="document"><tbody><tr><td valign="top">
<table align="center" border="0" cellpadding="0" cellspacing="0" class="container" width="600"><tbody><tr class="inner-body"><td>
<table align="center" border="0" cellpadding="0" cellspacing="0" width="100%"><tbody><tr class="header"><td bgcolor="" class="container">
<table width="100%"><tbody><tr><td class="container">
<table align="center" bgcolor="" border="0" cellpadding="0" cellspacing="0" style="margin-top: 0px;" width="100%"><tbody><tr><td style="padding: 0px;">
<table align="center" bgcolor="" border="0" cellpadding="0" cellspacing="0" width="100%"><tbody><tr><td class="container" style="padding: 15px 15px;">
<div style="text-align: center;">
<span style="margin-right: 0px;"><a href="https://tracking.tldrnewsletter.com/CL0/https:%2F%2Ftldr.tech%2Finfosec%3Futm_source=tldrinfosec/1/0100019edffef068-864d4db7-2f0c-462a-b752-86474b746503-000000/kR-PsXKlpl3R6EIo3BZeu7JySLaY6qC_70fMtjyZxvg=452" rel="noopener noreferrer" target="_blank"><span>Sign Up</span></a>
|<span style="margin-right: 2px; margin-left: 2px;"><a href="https://tracking.tldrnewsletter.com/CL0/https:%2F%2Fadvertise.tldr.tech%2F%3Futm_source=tldrinfosec%26utm_medium=newsletter%26utm_campaign=advertisetopnav/1/0100019edffef068-864d4db7-2f0c-462a-b752-86474b746503-000000/4ApHanyZiQBr4fJBrwXivi6AZlGwH6IgcYA6q0GgYOg=452" rel="noopener noreferrer" target="_blank"><span>Advertise</span></a></span>|<span style="margin-left: 2px;"><a href="https://tracking.tldrnewsletter.com/CL0/https:%2F%2Fa.tldrnewsletter.com%2Fweb-version%3Fep=1%26lc=156924ca-84b7-11f0-8d58-47c5c04ad337%26p=8496d8d2-6bc6-11f1-ad9d-736a87872967%26pt=campaign%26t=1781874487%26s=d3eb6637d531d22bbe64ad483ce02b9d427588c2393bd556e523e0c25b5568a4/1/0100019edffef068-864d4db7-2f0c-462a-b752-86474b746503-000000/-jsBlNl4nfkHtl9Yup--5H62rB71HOWpkW5L1eGek9g=452"><span>View Online</span></a></span>
<br>
</span></div>
</td></tr></tbody></table>
<table align="center" bgcolor="" border="0" cellpadding="0" cellspacing="0" width="100%"><tbody><tr><td class="container" style="text-align: center;"><span data-darkreader-inline-color="" style="--darkreader-inline-color:#3db3ff; color: rgb(51, 175, 255) !important; font-size: 30px;">T</span><span style="font-size: 30px;"><span data-darkreader-inline-color="" style="color: rgb(232, 192, 96) !important; --darkreader-inline-color:#e8c163; font-size:30px;">L</span><span data-darkreader-inline-color="" style="color: rgb(101, 195, 173) !important; --darkreader-inline-color:#6ec7b2; font-size:30px;">D</span></span><span data-darkreader-inline-color="" style="--darkreader-inline-color:#dd6e6e; color: rgb(220, 107, 107) !important; font-size: 30px;">R</span>
<br>
</td></tr></tbody></table>
<br>
<table align="center" bgcolor="" border="0" cellpadding="0" cellspacing="0" width="100%"><tbody><tr id="together-with"><td align="center" height="20" style="vertical-align:middle !important;" valign="middle" width="100%"><strong style="vertical-align:middle !important; height: 100%;">Together With </strong>
<a href="https://tracking.tldrnewsletter.com/CL0/https:%2F%2Fwww.backplanes.com%2F%3Futm_source=TLDR%26utm_medium=newsletter%26utm_campaign=2026-06-19_Primary_Backplanes%26utm_content=header_whats_actually_happening/1/0100019edffef068-864d4db7-2f0c-462a-b752-86474b746503-000000/FNWO861ATiRwSr-em8b5uRjHQokpjDA4CupoemOWipk=452"><img src="https://images.tldr.tech/backplanes.png" valign="middle" style="vertical-align: middle !important; height: 100%;" alt="BackPlanes"></a></td></tr></tbody></table>
<table style="table-layout: fixed; width:100%;" width="100%"><tbody><tr><td style="padding:0;border-collapse:collapse;border-spacing:0;margin:0;">
<div style="text-align: center;">
<h1><strong>TLDR Information Security <span id="date">2026-06-19</span></strong></h1>
</div>
</td></tr></tbody></table>
<table style="table-layout: fixed; width:100%;" width="100%"><tbody><tr id="sponsy-copy"><td class="container" style="padding: 15px 15px;">
<div class="text-block">
<span>
<a href="https://tracking.tldrnewsletter.com/CL0/https:%2F%2Fwww.backplanes.com%2F%3Futm_source=TLDR%26utm_medium=newsletter%26utm_campaign=2026-06-19_Primary_Backplanes%26utm_content=header_whats_actually_happening/2/0100019edffef068-864d4db7-2f0c-462a-b752-86474b746503-000000/IVPFGAamlXAGd_Vgy5Q3h2yzM3L9Gv-iitdF1FyvObQ=452">
<span>
<strong>π€ What's actually happening in your team's Claude Code and Codex sessions? (Sponsor)</strong>
</span>
</a>
<br>
<br>
<span style="font-family: "Helvetica Neue", Helvetica, Arial, Verdana, sans-serif;">
It's not just engineers anymore. Your whole company is vibing with Claude Code and Codex, and security can't see what's actually happening. You don't want to kill the vibe... but you need to secure it.<p></p><p><a href="https://tracking.tldrnewsletter.com/CL0/https:%2F%2Fwww.backplanes.com%2F%3Futm_source=TLDR%26utm_medium=newsletter%26utm_campaign=2026-06-19_Primary_Backplanes%26utm_content=Body_spotlight_backplanes/1/0100019edffef068-864d4db7-2f0c-462a-b752-86474b746503-000000/r8saB2lzwFaRKbTMSK0pRv0htUENgFVWsRELFTYCe8I=452" rel="noopener noreferrer nofollow" target="_blank"><span>Spotlight by Backplanes</span></a> reads your Claude Code and Codex sessions and gives you reports that make your agents recursively more secure, including:</p>
<p>β
Risks to prioritize</p>
<p>β
Which security practices to adopt</p>
<p>β
<a href="https://tracking.tldrnewsletter.com/CL0/https:%2F%2Fwww.backplanes.com%2F%3Futm_source=TLDR%26utm_medium=newsletter%26utm_campaign=2026-06-19_Primary_Backplanes%26utm_content=Body_live_picture/1/0100019edffef068-864d4db7-2f0c-462a-b752-86474b746503-000000/0f9Wm_-AvTxLPyckBhxQKSsh_zlP4jAWZzXVgvnNaJo=452" rel="noopener noreferrer nofollow" target="_blank"><span> A live picture</span></a> of every tool, skill, and external service your agents reach</p>
<p>Let sales, finance, ops, and everyone across the business keep shipping with AI agents. Securely and at full speed.</p>
<p><a href="https://tracking.tldrnewsletter.com/CL0/https:%2F%2Fwww.backplanes.com%2F%3Futm_source=TLDR%26utm_medium=newsletter%26utm_campaign=2026-06-19_Primary_Backplanes%26utm_content=cta_started/1/0100019edffef068-864d4db7-2f0c-462a-b752-86474b746503-000000/29Bk4EYjAC6nR7DwqmoTi5FTrkdtTgAX92n-UStCrJU=452" rel="noopener noreferrer nofollow" target="_blank"><span>Get started for free β</span></a>
</p>
</span></span></div>
</td></tr></tbody></table>
</td></tr></tbody></table>
</td></tr></tbody></table>
</td></tr>
<tr bgcolor=""><td class="container">
<table align="center" bgcolor="" border="0" cellpadding="0" cellspacing="0" width="100%"><tbody><tr><td style="padding: 0px;">
<table align="center" bgcolor="" border="0" cellpadding="0" cellspacing="0" width="100%"><tbody><tr><td class="container" style="padding-top: 0px; padding-bottom: 0px;">
<div class="text-block">
<div style="text-align: center;"><span style="font-size: 36px;">π</span></div></div>
</td></tr></tbody></table>
<table align="center" bgcolor="" border="0" cellpadding="0" cellspacing="0" width="100%"><tbody><tr><td class="container" style="padding-top: 0px; padding-bottom: 0px;">
<div class="text-block">
<div style="text-align: center;">
<h1><strong>Attacks & Vulnerabilities</strong></h1>
</div>
</div>
</td></tr></tbody></table>
<table style="table-layout: fixed; width: 100%;" width="100%"><tbody><tr><td style="padding:0;border-collapse:collapse;border-spacing:0;margin:0;" valign="top">
<table align="center" border="0" cellpadding="0" cellspacing="0" width="100%"><tbody><tr><td class="container" style="padding: 15px 15px;">
<div class="text-block">
<span>
<a href="https://tracking.tldrnewsletter.com/CL0/https:%2F%2Fsocket.dev%2Fblog%2Fglasswasm-malware-open-vsx-extensions%3Futm_source=tldrinfosec/1/0100019edffef068-864d4db7-2f0c-462a-b752-86474b746503-000000/TGFh-T1UR8HVTBZ0_8vR9fZVutpFYcBIQVshLAekOt4=452">
<span>
<strong>GlassWASM: WebAssembly Malware Found in Trojanized Open VSX Extensions (9 minute read)</strong>
</span>
</a>
<br>
<br>
<span style="font-family: "Helvetica Neue", Helvetica, Arial, Verdana, sans-serif;">
GlassWASM is a TinyGo-compiled WebAssembly payload hidden in two trojanized Open VSX extensions (ExarGD.vsblack@0.0.1 and noellee-doc/flint-debug@0.1.1) published by impersonation account zaitoona43 and attributed with medium confidence to the GlassWorm operator. The module ships zero plaintext IOCs, decrypting strings via an embedded ChaCha20 routine at runtime and polling a Solana wallet for SPL Memo dead-drops that resolve a rotating C2 host before running a cross-platform curl/PowerShell download-and-execute through Node child_process. Remove both packages from Open VSX-default editors, treat any host that activated them as having run an unknown second stage, and detect on the execution chain rather than the rotating host.
</span>
</span>
</div>
</td></tr></tbody></table>
<table align="center" border="0" cellpadding="0" cellspacing="0" width="100%"><tbody><tr><td class="container" style="padding: 15px 15px;">
<div class="text-block">
<span>
<a href="https://tracking.tldrnewsletter.com/CL0/https:%2F%2Flinks.tldrnewsletter.com%2FtIMcQk/1/0100019edffef068-864d4db7-2f0c-462a-b752-86474b746503-000000/thxGYg149ykWninp4Z3rP_v9gbmNiz6wf8QVnKrIOl4=452">
<span>
<strong>Salesforce Data Thefts Continue via Klue App Compromise (3 minute read)</strong>
</span>
</a>
<br>
<br>
<span style="font-family: "Helvetica Neue", Helvetica, Arial, Verdana, sans-serif;">
Attackers used a compromised Klue integration account to mint OAuth tokens, query Salesforce REST APIs, and pull CRM data over about 24 hours, including bursts of nearly 1,000 queries in 15 minutes. Huntress reports copied contacts, quotes, and messaging, and ties the incident to a longβunused Klue credential and the Icarus extortion group using a Session ID and hijacked Australian mail domains. Recommended actions include revoking all Klueβrelated secrets, reviewing API query patterns, and enforcing IP allowlists on integration accounts.
</span>
</span>
</div>
</td></tr></tbody></table>
<table align="center" border="0" cellpadding="0" cellspacing="0" width="100%"><tbody><tr><td class="container" style="padding: 15px 15px;">
<div class="text-block">
<span>
<a href="https://tracking.tldrnewsletter.com/CL0/https:%2F%2Fwww.scworld.com%2Fbrief%2Ffake-boots-emails-target-millions-in-large-phishing-campaign%3Futm_source=tldrinfosec/1/0100019edffef068-864d4db7-2f0c-462a-b752-86474b746503-000000/-xx2q4PDPzq5BZJaKCGQ5iQLmgfP1icLzuw-GsJyOag=452">
<span>
<strong>Fake Boots Emails Target Millions in Phishing Campaign (2 minute read)</strong>
</span>
</a>
<br>
<br>
<span style="font-family: "Helvetica Neue", Helvetica, Arial, Verdana, sans-serif;">
Nearly 8.9M users received an email supposedly from the UK health and beauty retailer Boots as part of a phishing campaign linked to Romanian threat actors. The emails offered users a free beauty sample pack and directed them to a fraudulent checkout process and a customer survey, which the threat actors used to harvest information. The threat actors hosted the checkout page on a compromised Bolivian government web page and installed a bulk mailing service on a compromised UK business terminal server.
</span>
</span>
</div>
</td></tr></tbody></table>
</td></tr></tbody></table>
<table align="center" bgcolor="" border="0" cellpadding="0" cellspacing="0" width="100%"><tbody><tr><td class="container" style="padding-top: 0px; padding-bottom: 0px;">
<div class="text-block">
<div style="text-align: center;"><span style="font-size: 36px;">π§ </span></div>
</div>
</td></tr></tbody></table>
<table align="center" bgcolor="" border="0" cellpadding="0" cellspacing="0" width="100%"><tbody><tr><td class="container" style="padding-top: 0px; padding-bottom: 0px;">
<div class="text-block">
<div style="text-align: center;">
<h1><strong>Strategies & Tactics</strong></h1>
</div>
</div>
</td></tr></tbody></table>
<table style="table-layout: fixed; width: 100%;" width="100%"><tbody><tr><td style="padding:0;border-collapse:collapse;border-spacing:0;margin:0;" valign="top">
<table align="center" border="0" cellpadding="0" cellspacing="0" width="100%"><tbody><tr><td class="container" style="padding: 15px 15px;">
<div class="text-block">
<span>
<a href="https://tracking.tldrnewsletter.com/CL0/https:%2F%2Fwww.rapid7.com%2Fblog%2Fpost%2Ftr-malware-tracking-dropping-elephant-tradecraft-china-themed-loader-chain%2F%3Futm_source=tldrinfosec/1/0100019edffef068-864d4db7-2f0c-462a-b752-86474b746503-000000/7MSFm4ingAZop0ny1DT3XIfrex2QL5rjJDxzFFqEM18=452">
<span>
<strong>Malware Γ la Mode: Tracking Dropping Elephant Tradecraft Through a China-Themed Loader Chain (9 minute read)</strong>
</span>
</a>
<br>
<br>
<span style="font-family: "Helvetica Neue", Helvetica, Arial, Verdana, sans-serif;">
Rapid7 traced a Dropping Elephant campaign that opens with a China energy-sector lure (GRES3001.lnk) spawning obfuscated PowerShell, stages renamed payloads in C:\Users\Public, and abuses the legitimate Microsoft binary Fondue.exe to side-load APPWIZ.cpl (RunFODW), which AES-256-CBC-decrypts editor.dat into a Donut loader that maps a 32-bit RAT entirely in memory while patching AMSI, WLDP, and ETW. The reworked implant hardens C2 to gcl-power[.]org over HTTPS with Salsa20-protected fields, control-flow flattening, and runtime API reconstruction, yet Diaphora confirmed lineage through shared command-handler, screenshot (BitBlt/WIC), and WININET patterns. Defenders should hunt the durable behaviors over IOCs: an LNK spawning PowerShell, the GoogleErrorReport scheduled task running every minute, Fondue.exe loading APPWIZ.cpl from C:\Users\Public, and in-memory AMSI/WLDP/ETW tampering, while blocking chinagreenenergy[.]org and gcl-power[.]org.
</span>
</span>
</div>
</td></tr></tbody></table>
<table align="center" border="0" cellpadding="0" cellspacing="0" width="100%"><tbody><tr><td class="container" style="padding: 15px 15px;">
<div class="text-block">
<span>
<a href="https://tracking.tldrnewsletter.com/CL0/https:%2F%2Foffsec.cypfer.com%2Fblog%2FHoneypot-detection%3Futm_source=tldrinfosec/1/0100019edffef068-864d4db7-2f0c-462a-b752-86474b746503-000000/LDOPbO-mieJIxywsPYax3ntwioEikJOvKdWoJjiTdf4=452">
<span>
<strong>Hunting Honey Pots as Red Teamers (6 minute read)</strong>
</span>
</a>
<br>
<br>
<span style="font-family: "Helvetica Neue", Helvetica, Arial, Verdana, sans-serif;">
This post details how red teamers can fingerprint Active Directory honeytoken and decoy-computer accounts without ever authenticating against them, reading account metadata through quiet MS-SAMR and LSA calls (SamConnect/SamEnumerateUsersInDomain, LsaLookupNames2, NetUserEnum over RPC port 445) instead of high-signal LDAP sweeps that defenders baseline and alert on. The tell is behavioral rather than structural: a decoy can forge an attractive name and Tier 0 membership but cannot fake history, so a lastLogon of zero (often rendered cosmetically as 12/31/1600 or 1/1/1601) next to a populated logonCount and pwdLastSet exposes the bait, a signal even sharper on dollar-sign machine accounts since domain enrollment forces at least one Netlogon authentication. Defenders should not treat a single tripwire as sufficient and instead layer honeypots with directory-query monitoring, authentication-anomaly detection, and tight control over who can read activity attributes, while confirming non-replicated lastLogon across multiple controllers before trusting it.
</span>
</span>
</div>
</td></tr></tbody></table>
<table align="center" border="0" cellpadding="0" cellspacing="0" width="100%"><tbody><tr><td class="container" style="padding: 15px 15px;">
<div class="text-block">
<span>
<a href="https://tracking.tldrnewsletter.com/CL0/https:%2F%2Fwww.credrelay.com%2Fp%2Fgetting-a-cve-without-shipping-slop%3Futm_source=tldrinfosec/1/0100019edffef068-864d4db7-2f0c-462a-b752-86474b746503-000000/KpF74npLV-nS5IBQb3WVLQhOBxxOEmph2F5hygj4LKc=452">
<span>
<strong>Getting a CVE Without Shipping Slop (4 minute read)</strong>
</span>
</a>
<br>
<br>
<span style="font-family: "Helvetica Neue", Helvetica, Arial, Verdana, sans-serif;">
Jeff Barron describes how he used Claude Code integrated with Ghidra MCP to analyze ASUS Windows drivers on his gaming laptop and turn two findings into validated CVEs without dumping lowβquality reports on the vendor. He walks through CVE-2026-3508, an out-of-bounds read in AsusWmiAcpi.sys triggered by trusting a bogus internal size field in a buffered IOCTL, and CVE-2026-6737, where AsusPTPFilter.sys exposes IOCTLs to standard users because device objects are created without secure descriptors, leaving several named devices reachable. He stresses always proving bugs with working PoCs, understanding driver behavior instead of trusting model output, and heavily editing or rewriting AI-generated reports to avoid noisy, hype-driven writeups.
</span>
</span>
</div>
</td></tr></tbody></table>
</td></tr></tbody></table>
<table align="center" bgcolor="" border="0" cellpadding="0" cellspacing="0" width="100%"><tbody><tr><td class="container" style="padding-top: 0px; padding-bottom: 0px;">
<div class="text-block">
<div style="text-align: center;"><span style="font-size: 36px;">π§βπ»</span></div>
</div>
</td></tr></tbody></table>
<table align="center" bgcolor="" border="0" cellpadding="0" cellspacing="0" width="100%"><tbody><tr><td class="container" style="padding-top: 0px; padding-bottom: 0px;">
<div class="text-block">
<div style="text-align: center;">
<h1><strong>Launches & Tools</strong></h1>
</div>
</div>
</td></tr></tbody></table>
<table style="table-layout: fixed; width: 100%;" width="100%"><tbody><tr><td style="padding:0;border-collapse:collapse;border-spacing:0;margin:0;" valign="top">
<table align="center" border="0" cellpadding="0" cellspacing="0" width="100%"><tbody><tr><td class="container" style="padding: 15px 15px;">
<div class="text-block">
<span>
<a href="https://tracking.tldrnewsletter.com/CL0/https:%2F%2Fwww.theregister.com%2Fdevops%2F2026%2F06%2F17%2Fhomebrew-60-released-with-new-security-mechanism-linux-sandbox-and-more%2F5257570%3Futm_source=tldrinfosec/1/0100019edffef068-864d4db7-2f0c-462a-b752-86474b746503-000000/SvKto_NwM5n4M6H8cja09cw-NSaI_Gwv3LkXCOkCM38=452">
<span>
<strong>Homebrew 6.0 released with new security mechanism, Linux sandbox, and more (4 minute read)</strong>
</span>
</a>
<br>
<br>
<span style="font-family: "Helvetica Neue", Helvetica, Arial, Verdana, sans-serif;">
Homebrew 6.0 adds tap trust, requiring explicit user agreement before third-party taps (which can run arbitrary Ruby) install or execute code, alongside Bubblewrap-based build sandboxing on Linux (on by default, matching macOS), a brew vulns command that checks installed packages against the OSV database, and an ask-mode confirmation prompt for brew install/upgrade. Project lead Mike McQuaid argues Homebrew's maintainer-curated naming, sha256-pinned downloads, and build-from-source model left it βless vulnerable 10-15 years ago than npm is today,β citing protection from this year's Trivy binary-replacement incident. Notably, the release leaned heavily on AI coding under a disclosure-and-human-review policy, and flags aggressive Intel macOS deprecation, with no new Intel bottles after September 2026 and full removal by September 2027.
</span>
</span>
</div>
</td></tr></tbody></table>
<table align="center" border="0" cellpadding="0" cellspacing="0" width="100%"><tbody><tr><td class="container" style="padding: 15px 15px;">
<div class="text-block">
<span>
<a href="https://tracking.tldrnewsletter.com/CL0/https:%2F%2Ftenetsecurity.ai%2F%3Futm_source=tldrinfosec/1/0100019edffef068-864d4db7-2f0c-462a-b752-86474b746503-000000/YavDoye6StvJFxGonIYJ6YHV3zFrPU-2_5tqcoT_KkM=452">
<span>
<strong>Tenet (Product Launch)</strong>
</span>
</a>
<br>
<br>
<span style="font-family: "Helvetica Neue", Helvetica, Arial, Verdana, sans-serif;">
Tenet provides runtime security for AI agents. It uses a lightweight sensor to watch operating system activity, network traffic, API calls, and model reasoning to stop risky or hijacked agents before they execute harmful actions.
</span>
</span>
</div>
</td></tr></tbody></table>
<table align="center" border="0" cellpadding="0" cellspacing="0" width="100%"><tbody><tr><td class="container" style="padding: 15px 15px;">
<div class="text-block">
<span>
<a href="https://tracking.tldrnewsletter.com/CL0/https:%2F%2Fgithub.com%2Fwarp-tech%2Fwarpgate%3Futm_source=tldrinfosec/1/0100019edffef068-864d4db7-2f0c-462a-b752-86474b746503-000000/Qs0zPUjmXc9fqvXBHXhMuG57raRBLH0Z0MZ2NbzT9bc=452">
<span>
<strong>Warpgate (GitHub Repo)</strong>
</span>
</a>
<br>
<br>
<span style="font-family: "Helvetica Neue", Helvetica, Arial, Verdana, sans-serif;">
Warpgate is a smart and fully transparent SSH, HTTPS, Kubernetes, MySQL, and PostgreSQL bastion host that does not require a client app or SSH wrapper.
</span>
</span>
</div>
</td></tr></tbody></table>
</td></tr></tbody></table>
<table align="center" bgcolor="" border="0" cellpadding="0" cellspacing="0" width="100%"><tbody><tr><td class="container" style="padding-top: 0px; padding-bottom: 0px;">
<div class="text-block">
<div style="text-align: center;"><span style="font-size: 36px;">π</span></div></div>
</td></tr></tbody></table>
<table align="center" bgcolor="" border="0" cellpadding="0" cellspacing="0" width="100%"><tbody><tr><td class="container" style="padding-top: 0px; padding-bottom: 0px;">
<div class="text-block">
<div style="text-align: center;"><strong><h1>Miscellaneous</h1></strong></div>
</div>
</td></tr></tbody></table>
<table bgcolor="" style="table-layout: fixed; width: 100%;" width="100%"><tbody><tr><td style="padding:0;border-collapse:collapse;border-spacing:0;margin:0;" valign="top">
<table align="center" border="0" cellpadding="0" cellspacing="0" width="100%"><tbody><tr><td class="container" style="padding: 15px 15px;">
<div class="text-block">
<span>
<a href="https://tracking.tldrnewsletter.com/CL0/https:%2F%2Fwww.cloudsek.com%2Fblog%2Foperation-escaneo-mexican-government-financial-institutions-cyberattack%3Futm_source=tldrinfosec/1/0100019edffef068-864d4db7-2f0c-462a-b752-86474b746503-000000/X4aumiU-XmzxP_jqar5q1z6-c4oFmRi_fi-RCrOpH8Y=452">
<span>
<strong>Operation Escaneo: Infrastructure Exposure, TTP Analysis, and Attribution Assessment of an Advanced Intrusion Campaign Against Mexican Federal Agencies and Financial Institutions (9 minute read)</strong>
</span>
</a>
<br>
<br>
<span style="font-family: "Helvetica Neue", Helvetica, Arial, Verdana, sans-serif;">
An exposed open directory on 62.171.185[.]97 let CloudSEK reconstruct the full toolchain of Operation Escaneo, attributed with medium confidence to MexicanMafia (aka PanchoVilla): a custom distributed recon engine (Kimera), a stability-tuned exploit armory against Fortinet/Ivanti/Cisco perimeter gear, and layered persistence via Neo-reGeorg webshells, Chisel tunnels (3,708 sessions over 13 days), and GRE tunnels on compromised Cisco routers invisible to host-based detection. The strategic lesson is that a financially motivated criminal crew has assembled APT-grade operational discipline, including on-premise credential cracking to avoid exfiltrating hashes, per-target proxychains documentation, and network-layer footholds that survive credential rotation. The campaign mirrors the same playbook as the separately reported AI-assisted breaches of Mexican agencies, signaling that LATAM's public sector now faces espionage-caliber tradecraft from actors whose primary aim is profit.
</span>
</span>
</div>
</td></tr></tbody></table>
<table align="center" border="0" cellpadding="0" cellspacing="0" width="100%"><tbody><tr><td class="container" style="padding: 15px 15px;">
<div class="text-block">
<span>
<a href="https://tracking.tldrnewsletter.com/CL0/https:%2F%2Fgbhackers.com%2Fai-generated-youtube-narrators%2F%3Futm_source=tldrinfosec/1/0100019edffef068-864d4db7-2f0c-462a-b752-86474b746503-000000/ECp88loVwq1lAmtYeSBysRhJRVDfURA5yQDdz6wsM28=452">
<span>
<strong>Hackers Use AI-Generated YouTube Narrators to Promote Crypto Clipper Malware (4 minute read)</strong>
</span>
</a>
<br>
<br>
<span style="font-family: "Helvetica Neue", Helvetica, Arial, Verdana, sans-serif;">
Checkpoint researchers uncovered a coordinated malware distribution campaign that utilizes a sophisticated advertising campaign to deploy a Rust-based clipboard hijacker. The attackers distributed the software via GitHub and SourceForge, using ghost accounts to increase downloads and contributor numbers, YouTube accounts that create tutorials and feature positive comments, and crypto forum posts advertising the tool. The malware itself monitors the user's clipboard for crypto wallet addresses and replaces them with attacker-controlled wallets.
</span>
</span>
</div>
</td></tr></tbody></table>
<table align="center" border="0" cellpadding="0" cellspacing="0" width="100%"><tbody><tr><td class="container" style="padding: 15px 15px;">
<div class="text-block">
<span>
<a href="https://tracking.tldrnewsletter.com/CL0/https:%2F%2Fwww.bcs.org%2Farticles-opinion-and-research%2Fnew-legal-questions-agentic-pen-testing%2F%3Futm_source=tldrinfosec/1/0100019edffef068-864d4db7-2f0c-462a-b752-86474b746503-000000/gk724_F9pA5BAwIhJeJaW6ecjPlisSgY-4G7sbt2ugg=452">
<span>
<strong>New Legal Questions: Agentic Pentesting (4 minute read)</strong>
</span>
</a>
<br>
<br>
<span style="font-family: "Helvetica Neue", Helvetica, Arial, Verdana, sans-serif;">
Many of the risks that come with agentic pentesting may already be covered by protections similar to those in current contracts. However, a fundamental difference is that an agent may not have a human pentester's intuition regarding rate limiting and when to stop testing. Some problems don't have clear precedents, such as prompt injection via the target, authorization, cross-engagement contamination, and non-determinism. The issue of agentic identity undercuts these concerns as multi-agent workflows may complicate attribution and auditing.
</span>
</span>
</div>
</td></tr></tbody></table>
</td></tr></tbody></table>
<table align="center" bgcolor="" border="0" cellpadding="0" cellspacing="0" width="100%"><tbody><tr><td class="container" style="padding-top: 0px; padding-bottom: 0px;">
<div class="text-block">
<div style="text-align: center;"><span style="font-size: 36px;">β‘</span></div></div>
</td></tr></tbody></table>
<table align="center" bgcolor="" border="0" cellpadding="0" cellspacing="0" width="100%"><tbody><tr><td class="container" style="padding-top: 0px; padding-bottom: 0px;">
<div class="text-block">
<div style="text-align: center;">
<h1><strong>Quick Links</strong></h1>
</div>
</div>
</td></tr></tbody></table>
<table bgcolor="" style="table-layout: fixed; width: 100%;" width="100%"><tbody><tr><td style="padding:0;border-collapse:collapse;border-spacing:0;margin:0;" valign="top">
<table align="center" border="0" cellpadding="0" cellspacing="0" width="100%"><tbody><tr><td class="container" style="padding: 15px 15px;">
<div class="text-block">
<span>
<a href="https://tracking.tldrnewsletter.com/CL0/https:%2F%2Fwww.altusintel.com%2Fpublic-yyr53j%3Futm_source=tldrinfosec/1/0100019edffef068-864d4db7-2f0c-462a-b752-86474b746503-000000/kN5qDTRC1llsj7EgejWHwW2K2d-DJZ3hcvBxKOnLNqU=452">
<span>
<strong>GlobalSign Revokes EV Certificates From Sanctioned Firms (2 minute read)</strong>
</span>
</a>
<br>
<br>
<span style="font-family: "Helvetica Neue", Helvetica, Arial, Verdana, sans-serif;">
Belgian CA GlobalSign (owned by GMO Group) began phased revocation of EV TLS certificates issued to EU-sanctioned Russian companies on June 13 at 04:10 MSK, citing CA/Browser Forum rules barring sanctioned entities.
</span>
</span>
</div>
</td></tr></tbody></table>
<table align="center" border="0" cellpadding="0" cellspacing="0" width="100%"><tbody><tr><td class="container" style="padding: 15px 15px;">
<div class="text-block">
<span>
<a href="https://tracking.tldrnewsletter.com/CL0/https:%2F%2Flinks.tldrnewsletter.com%2Fv3hUTS/1/0100019edffef068-864d4db7-2f0c-462a-b752-86474b746503-000000/bZK-f1mPD_NQgrhabvhiG-4m2AGXKbk2WYAkKSDNsQo=452">
<span>
<strong>Kodak Admits Data Breach After ShinyHunters Hack Claims (1 minute read)</strong>
</span>
</a>
<br>
<br>
<span style="font-family: "Helvetica Neue", Helvetica, Arial, Verdana, sans-serif;">
ShinyHunters says it stole over 2.2 million Kodak customer records and corporate data and threatened to leak it unless paid by June 18.
</span>
</span>
</div>
</td></tr></tbody></table>
<table align="center" border="0" cellpadding="0" cellspacing="0" width="100%"><tbody><tr><td class="container" style="padding: 15px 15px;">
<div class="text-block">
<span>
<a href="https://tracking.tldrnewsletter.com/CL0/https:%2F%2Fthehackernews.com%2F2026%2F06%2Fdragonforce-hackers-abuse-microsoft.html%3Futm_source=tldrinfosec/1/0100019edffef068-864d4db7-2f0c-462a-b752-86474b746503-000000/JWdjb_tslcUFlr9gk8W6mjiQMiQXho_9PROOrrG60es=452">
<span>
<strong>DragonForce Hackers Abuse Microsoft Teams Relays to Hide Backdoor.Turn C2 Traffic (2 minute read)</strong>
</span>
</a>
<br>
<br>
<span style="font-family: "Helvetica Neue", Helvetica, Arial, Verdana, sans-serif;">
DragonForce deployed a Go-based RAT called Backdoor.Turn against a major US services firm, hiding C2 traffic inside legitimate Microsoft Teams TURN relays and maintaining access for one to two months with a QUIC session to their real server.
</span>
</span>
</div>
</td></tr></tbody></table>
</td></tr></tbody></table>
<table align="center" bgcolor="" border="0" cellpadding="0" cellspacing="0" width="100%"><tbody><tr><td align="left" style="word-break: break-word; vertical-align: top; padding: 5px 10px;">
<p style="padding: 0; margin: 0; font-size: 22px; color: #000000; line-height: 1.6; font-weight: bold;">
Love TLDR? Tell your friends and get rewards!
</p>
</td></tr>
<tr><td class="container" style="padding: 0px 10px 15px;">
<div class="text-block">
Share your referral link below with friends to get free TLDR swag!
</div>
</td></tr>
<tr><td align="left" style="padding: 10px;">
<div class="text-block">
<a href="https://tracking.tldrnewsletter.com/CL0/https:%2F%2Frefer.tldr.tech%2F78de0e20%2F8/1/0100019edffef068-864d4db7-2f0c-462a-b752-86474b746503-000000/JRhrifL_E09PW8zwxHZsQfKnyth_zu6wzSEQW7tM5uE=452" style="color: #464ba4; text-decoration: underline;">https://refer.tldr.tech/78de0e20/8</a>
</div>
</td></tr>
<tr></tr>
<tr><td align="left" style="padding:5px 10px;">
<a href="https://tracking.tldrnewsletter.com/CL0/https:%2F%2Fhub.sparklp.co%2Fsub_d62447d5a74a%2F8/1/0100019edffef068-864d4db7-2f0c-462a-b752-86474b746503-000000/hEdzmeHLbsP2xOBOY-XfXrsNRYy9tTjVhZPo_d-F5dw=452" style="font-size: 16px; line-height: 1.6; padding: 10px 0; display: inline-block; text-decoration: underline;"><span style="mso-text-raise:13pt; text-decoration: underline;">Track your referrals here.</span></a>
</td></tr></tbody></table>
<table align="center" bgcolor="" border="0" cellpadding="0" cellspacing="0" width="100%"><tbody><tr><td align="left" style="word-break: break-word; vertical-align: top; padding: 5px 10px;">
<p style="padding: 0; margin: 0; font-size: 22px; color: #000000; line-height: 1.6; font-weight: bold;">
Want to advertise in TLDR? π°
</p>
<div class="text-block" style="margin-top: 10px;">
If your company is interested in reaching an audience of cybersecurity professionals and decision makers, you may want to <a href="https://tracking.tldrnewsletter.com/CL0/https:%2F%2Fadvertise.tldr.tech%2F%3Futm_source=tldrinfosec%26utm_medium=newsletter%26utm_campaign=advertisecta/1/0100019edffef068-864d4db7-2f0c-462a-b752-86474b746503-000000/CP5SzKiWpZyt2ivuOTHsha3TGLtJbojr4jIIfKj569w=452"><strong><span>advertise with us</span></strong></a>.
</div>
<br>
<!-- New "Want to work at TLDR?" section -->
<p style="padding: 0; margin: 0; font-size: 22px; color: #000000; line-height: 1.6; font-weight: bold;">
Want to work at TLDR? πΌ
</p>
<div class="text-block" style="margin-top: 10px;">
<a href="https://tracking.tldrnewsletter.com/CL0/https:%2F%2Fjobs.ashbyhq.com%2Ftldr.tech/1/0100019edffef068-864d4db7-2f0c-462a-b752-86474b746503-000000/zti9nzMGkPLiqO26uBZvOXSQb_tuGK58ERmivCuAWAM=452" rel="noopener noreferrer" style="color: #0000EE; text-decoration: underline;" target="_blank"><strong>Apply here</strong></a>,
<a href="https://tracking.tldrnewsletter.com/CL0/https:%2F%2Fjobs.ashbyhq.com%2Ftldr.tech%2Fc227b917-a6a4-40ce-8950-d3e165357871/1/0100019edffef068-864d4db7-2f0c-462a-b752-86474b746503-000000/vHG334fmzL7TUNrLz3SvaAXPXpfH_y6r0Wm9w4giTVE=452" rel="noopener noreferrer" style="color: #0000EE; text-decoration: underline;" target="_blank"><strong>create your own role</strong></a> or send a friend's resume to <a href="mailto:jobs@tldr.tech" style="color: #0000EE; text-decoration: underline;">jobs@tldr.tech</a> and get $1k if we hire them! TLDR is one of <a href="https://tracking.tldrnewsletter.com/CL0/https:%2F%2Fwww.linkedin.com%2Ffeed%2Fupdate%2Furn:li:activity:7401699691039830016%2F/1/0100019edffef068-864d4db7-2f0c-462a-b752-86474b746503-000000/4DN7ETv3Yn975vbDQVd3bPjsz1CeUHB68no5eJKbFYg=452" rel="noopener noreferrer" style="color: #0000EE; text-decoration: underline;" target="_blank"><strong>Inc.'s Best Bootstrapped businesses</strong></a> of 2025.
</div>
<br>
<div class="text-block">
If you have any comments or feedback, just respond to this email!
<br>
<br> Thanks for reading,
<br>
<a href="https://tracking.tldrnewsletter.com/CL0/https:%2F%2Fwww.linkedin.com%2Fin%2Fprasannagautam%2F/1/0100019edffef068-864d4db7-2f0c-462a-b752-86474b746503-000000/dxUYoS9rRicm6I3QuO4CRLwSWeFLzm4QjO-39AM7o4I=452"><span>Prasanna Gautam</span></a>, <a href="https://tracking.tldrnewsletter.com/CL0/https:%2F%2Fwww.linkedin.com%2Fin%2Fericfernandezdelcampo%2F/1/0100019edffef068-864d4db7-2f0c-462a-b752-86474b746503-000000/rMqPu7P6LF7bfXi1kDgti6DLjShvc53cUsWcvgouzdA=452"><span>Eric Fernandez</span></a> & <a href="https://tracking.tldrnewsletter.com/CL0/https:%2F%2Fwww.linkedin.com%2Fin%2Fsammy-tbeile%2F/1/0100019edffef068-864d4db7-2f0c-462a-b752-86474b746503-000000/53opLlZCW2BOpZ_krZPSuCUuw9QfFsAWcCBYQ-uNt64=452"><span>Sammy Tbeile</span></a>
<br>
<br>
</div>
<br>
</td></tr></tbody></table>
<table align="center" bgcolor="" border="0" cellpadding="0" cellspacing="0" width="100%"><tbody><tr><td class="container" style="padding: 15px 15px;">
<div class="text-block" id="testing-id">
<a href="https://tracking.tldrnewsletter.com/CL0/https:%2F%2Ftldr.tech%2Finfosec%2Fmanage%3Femail=silk.theater.56%2540fwdnl.com/1/0100019edffef068-864d4db7-2f0c-462a-b752-86474b746503-000000/yMtAHT9ugcC_YvrZE2pHv2zcBgoLSW9c30qk6kXRNe8=452">Manage your subscriptions</a> to our other newsletters on tech, startups, and programming. Or if TLDR Information Security isn't for you, please <a href="https://tracking.tldrnewsletter.com/CL0/https:%2F%2Fa.tldrnewsletter.com%2Funsubscribe%3Fep=1%26l=8d9cea11-3e94-11ed-9a32-0241b9615763%26lc=156924ca-84b7-11f0-8d58-47c5c04ad337%26p=8496d8d2-6bc6-11f1-ad9d-736a87872967%26pt=campaign%26pv=4%26spa=1781874172%26t=1781874487%26s=4926408f0b7e8c301d2e59818c431ccffeebd29d6cfbc445fe7862b580bddb75/1/0100019edffef068-864d4db7-2f0c-462a-b752-86474b746503-000000/Q9ATdFh1ThoE7gbY4fEVll21RfBNWWpAsbYptj-ne1A=452">unsubscribe</a>.
<br>
</div>
</td></tr></tbody></table>
</td></tr></tbody></table>
</td></tr></tbody></table>
</td></tr></tbody></table>
</td></tr></tbody></table>
<img alt="" src="http://tracking.tldrnewsletter.com/CI0/0100019edffef068-864d4db7-2f0c-462a-b752-86474b746503-000000/ZZlul83Sc1jvDkMXEMfClozqOXF7VNKDVUvdPl5peBE=452" style="display: none; width: 1px; height: 1px;">
</body></html>