Release Date: 2nd March 2026 | Issue: 61 | Subscribe
The Security Pills newsletter is a hand curated zine (delivered once per week) that highlights security related-news. 10+ hours of reading and analysis condensed into a 5-minute summary every Monday morning.
Sponsor
Would you like to become a sponsor for our newsletter? Our mission is to highlight security-related news with a focus on quality content, while we help people staying up to date with this corner of the industry.If you are interested, reach out to [email protected] with your ad idea to get started!
Application Security
Arts Council of Pakistan Database Exposed with 20k+ Attendee Records
The Arts Council of Pakistan's event management database was found sitting wide open, exposing over 20,000 attendees including names, emails, phone numbers, payment details, and event tickets. Supabase security controls had been disabled and an API key had been left public since September 2025. Beyond the data exposure, image URL fields could also be pointed at an external server, quietly pulling visitor IP addresses, timestamps, and device info without anyone knowing.
This is becoming a familiar pattern with Supabase-backed apps, the tooling makes it easy to ship fast, but also easy to ignore every security warning on the way out the door.
How a single typo led to RCE in Firefox
Alessio Ghidini found a remote code execution vulnerability in Firefox's SpiderMonkey JavaScript engine caused by a single character typo in the source code. A bitwise AND operator used instead of OR when setting WebAssembly array forwarding pointers causes the engine to store 0 instead of a valid address, which eventually leads to a use-after-free condition during garbage collection. From there, heap spraying turns the corrupted pointer into arbitrary read/write access and code execution.
BLE Scanner with Resolvable Private Address Resolution Using Identity Resolving Keys
btrpa-scan is a Bluetooth Low Energy scanner that can resolve privacy-randomized device addresses using Identity Resolving Keys in real time. It comes with a live terminal view sorted by signal strength, a browser-based radar GUI with an animated sweep display, and batch export with optional CSV streaming. You can filter by signal strength, estimate distance based on environment, set proximity alerts, and run multiple adapters at once, with optional GPS tagging for each detection.
Artificial Intelligence
Unrolling the Codex Agent Loop
OpenAI's Michael Bolin explains how Codex CLI handles long-running agent sessions by building prompts turn by turn, appending tool outputs and user inputs using Server-Sent Events from the Responses API. The design ensures every new prompt is an exact extension of the previous one, keeping caching efficient throughout the session. Configuration changes follow the same logic, getting appended as new messages rather than restructuring what came before.
When the context gets too long, Codex compresses it automatically through a dedicated endpoint that hands back a smaller list with an encrypted item that preserves the model's context without eating up the context window.
Nightwire: A Signal-Based Bot for Remote Code Development and Autonomous Tasks
David Kennedy released Nightwire, a Signal-based bot that lets you manage your development workflow through Claude from anywhere. You send messages through Signal, it handles the coding tasks, maintains project context across sessions, and keeps everything organized into stories and parallel workstreams. Basically a dev environment you can drive from your phone.
IronCurtain: A Personal AI Assistant Built Secure from the Ground Up
Niels Provos walks through IronCurtain, a personal AI assistant architecture built on the premise that you cannot trust agents to stay in their lane. A trusted MCP proxy sits between agents and everything else, and agents never touch real credentials since a MITM proxy handles authentication behind the scenes. The system supports two sandbox modes: Code Mode runs LLM-generated TypeScript in V8 isolates, while Docker Mode puts autonomous agents in network-restricted containers. Security policies are described in plain text and enforced deterministically, so prompt injection or model drift gets contained without relying on the model to stay honest.
How Aikido Secures AI Pentesting Agents and Prevents Scope Drift
Aikido's Sooraj Shah walks through how the team built scope enforcement into their AI pentesting agents by design rather than relying on prompts or human discipline. At the architectural level, the control plane is fully separated from isolated execution sandboxes, meaning agents have no access to Aikido's infrastructure or other active sessions. From there, network restrictions block any domain not on an allowlist by default, which handles both accidental scope drift and data exfiltration in one shot. On top of that, production is never assumed in scope, pre-flight checks catch misconfigurations before tests start, and every agent action is visible in real time with the ability to pause immediately.
If you are building or experimenting with your own agents, this is an interesting blueprint for thinking through the guardrails
Blue Team
Microsoft researchers caught companies embedding hidden instructions in "Summarize with AI" buttons that, when clicked, open your AI assistant with a pre-filled prompt that saves itself to memory. The result is that your AI starts favoring whoever planted it in future responses, with no indication anything changed. They found over 50 of these prompts from 31 companies across industries like finance, health, and security. Microsoft has added protections on their end, but opening your AI assistant's memory settings to see what's in there is worth doing.
This reverse engineering reference maps out Microsoft Defender's full scan pipeline inside mpengine.dll, the core engine that processes files, scripts, and memory on Windows systems. It covers each stage from trusted file whitelisting through signature scanning, PE emulation, script deobfuscation, recursive content extraction, and cloud escalation.
ASPA is a new cryptographic standard that prevents BGP route leaks by validating the full path network traffic takes, not just its destination. While RPKI already handles origin verification through ROA records, ASPA lets networks publish their authorized upstream providers so anyone receiving traffic can check it came through the right hands. Cloudflare's Mingwei Zhang and Bryton Herdes break down how it works and introduce a new Radar feature for tracking ASPA adoption across regional internet registries.
Cloud Security
Google API Keys Weren't Secrets. But then Gemini Changed the Rules
Truffle Security's Joe Leon found that Google's API key design left publicly committed credentials exposed to Gemini API access when the Generative Language API was enabled on projects. A scan of publicly archived pages turned up 2,863 vulnerable keys from major institutions, many deployed years before Gemini existed as nothing more than project identifiers.
New keys get unrestricted access to all enabled APIs by default, so old keys sitting in public repos suddenly became a way to access uploaded files, cached data, and charge LLM usage to someone else's account. Google has since committed to scoped defaults for new keys and proactive notification when breaches are identified.
Cloud Credential Misuse: Detection and Prevention Guide 2026
Qualys' Sayali Warekar looks at how attackers are repurposing legitimate secret-scanning tools like TruffleHog to find and validate leaked cloud credentials, often turning a discovery into active access within minutes. The article covers what to look for in CloudTrail logs to catch this behavior early, and makes the case that short-lived keys and tighter IAM scope are what actually limit the damage when credentials leak.
Building an AI-powered defense-in-depth security architecture for serverless microservices
AWS's Roger Nem walks through a defense-in-depth architecture for serverless microservices that layers independent controls across seven security tiers, from edge protection down to data access. The setup splits traffic across public, private, and data subnets, with GuardDuty using generative AI for threat detection and Lambda pulling secrets at runtime so credentials never touch the codebase. On top of that, Amazon Bedrock monitors DynamoDB Streams and CloudTrail to catch anomalous access patterns and insider threats before they go unnoticed.
Container Security
OpenWebUI + Model Runner: Zero-Config Local AI Integration
Docker's Ignacio Lopez walks through how Docker Model Runner and Open WebUI now work together out of the box. Open WebUI automatically picks up Docker Model Runner running at localhost:12434 with no manual configuration, so you can go from nothing to chatting with a local model through a web interface in a few minutes. Both projects stay independent but connect cleanly through well-defined interfaces, which means you can run the setup on a laptop, a remote machine, or an internal server without changing anything.
Red Team
100+ Kernel Bugs in 30 Days: High-Scale Driver Vulnerability Research with Agent Swarms
Yaron Dinkin and Eyal Kraft built an automated platform that uses AI agent swarms to audit Windows kernel drivers for memory corruption vulnerabilities at scale, running the entire thing for around $600. From a dataset of over 1,800 binaries, they selected 202 high-risk drivers for full analysis, validating 15 vulnerabilities requiring only unprivileged user access. They estimate over 100 exploitable local privilege escalation paths exist across mainstream vendor drivers from AMD, Intel, NVIDIA, Dell, Lenovo, and IBM.
LLM-Powered AMSI Provider vs. Red Team Agent
Dreadnode's Max Harley built a system that runs a Claude Sonnet powered red team agent against an LLM-based AMSI provider to see what gets through. The agent generates PowerShell attack code for user-defined objectives, running scripts in-memory via UnmanagedPowerShell to make sure AMSI actually sees them. When the provider blocks a script, the error goes back to the agent for another evasion attempt, up to ten rounds. The result is AMSI-Eval, a dataset of scripts verified to run on real systems, mixed with clean samples to keep classifier training honest.
186 Jailbreaks: Applying MLOps to AI Red Teaming
Dreadnode's Raja Sekhar documents a systematic red teaming assessment of Llama Maverick using MLOps principles, producing 186 different jailbreaks across eight harm categories in just over two hours.
Three attack methodologies were tested, and across all of them the pattern was consistent: safety training breaks down under sustained pressure and rephrasing, with Crescendo hitting 97.5% success just by gradually escalating across multiple turns. Multi-modal attacks follow the same logic, slipping through defenses that evaluate each component in isolation rather than looking at intent as a whole. Something to keep in mind as multi-modal models become harder to evaluate at scale.
GOAD: Game of Active Directory - Pentest Lab Project
GOAD is a pentest training lab that spins up intentionally vulnerable Active Directory environments in multiple configurations, from basic single-domain setups to complex multi-forest deployments. It also includes specialized configurations for SCCM and challenge-based scenarios.
Supply Chain
Malicious Extension Database
Malicious Extension Sentry is an automated database of Chrome extensions removed for malicious behavior. It pulls removal data from multiple sources and comes with a cross-platform scanning tool that checks installed extensions against the database locally. Useful for anyone doing extension vetting or security research.
How we rebuilt Next.js with AI in one week
Cloudflare's Steve Faulkner rebuilt Next.js as a Vite-based alternative called vinext in under a week with AI, getting to 4x faster builds and 57% smaller bundles that deploy directly to Cloudflare Workers. The interesting part is Traffic-aware Pre-Rendering, which pulls Cloudflare analytics to only pre-render pages that actually get traffic and leaves the rest to on-demand SSR.
Total cost was around $1,100 in tokens, though it took constant human oversight to stop the agents from going off track. Impressive scope for a solo week-long project.
Harness engineering: leveraging Codex in an agent-first world
OpenAI's Ryan Lopopolo shares how his team built a production software product entirely through Codex agents over five months, generating one million lines of code at roughly 10x typical development speed. Engineers stopped writing code and started designing environments, specifying intent, and building feedback loops while agents handled everything from coding to PR reviews to merging. Keeping things consistent required strict structural rules enforced through custom linters and tests, with agents escalating to humans only when judgment was needed.
Worth reading if you're thinking seriously about how software engineering actually changes when agents are doing most of the work.
StegaBin: 26 Malicious npm Packages Use Pastebin Steganography for Credential Theft
Socket's Philipp Burckhardt and Peter van der Zee uncovered a 26-package npm supply chain campaign attributed to North Korean threat actor FAMOUS CHOLLIMA. The packages hide C2 addresses inside Pastebin images using steganography, pull platform-specific payloads from 31 Vercel domains, and deploy a RAT that phones home to a hardcoded IP. Once in, nine infostealer modules go after everything a developer would have on their machine: VSCode persistence, keylogging, SSH keys, git credentials, crypto wallet data across 86 browser extensions, and a weaponized TruffleHog binary scanning the filesystem for secrets.
Threat Hunting
Disrupting the GRIDTIDE Global Cyber Espionage Campaign
Google Threat Intelligence Group and Mandiant disrupted a global espionage campaign by UNC2814, a suspected China-nexus group with confirmed intrusions across 42 countries targeting telecommunications and government organizations. The group deployed GRIDTIDE, a backdoor that abuses Google Sheets as a C2 channel, using cell-based polling with AES-128 encryption to stay under the radar while pulling names, phone numbers, and national IDs. Google shut down the attacker-controlled Cloud Projects, revoked Sheets API access, and published indicators of compromise from activity dating back to at least 2023.
Toxic combinations: when small signals add up to a security incident
Cloudflare's Bashyam Anant and Himanshu Anand look at how small misconfigurations turn into real problems once automated scanners find them. They walk through three patterns they see regularly: exposed monitoring endpoints leaking infrastructure details, unauthenticated search enabling bulk data scraping, and payment fraud that shows up as suspicious spikes in transaction volume and IP density. For each one they cover what to look for and how to shut it down.
Starkiller Phishing Service Proxies Real Login Pages and MFA Credentials
Brian Krebs covers Starkiller, a phishing-as-a-service platform that proxies real login pages to intercept credentials and MFA codes in real time. It removes the usual setup friction of configuring domains and certificates, and sidesteps domain blocklisting by design. Attackers with minimal skills can now run credential theft campaigns with session hijacking and analytics capabilities that used to take real expertise to pull off.
Wrapping Up
If you enjoyed this newsletter and think others would too, It would mean a lot for us if you'd forward this email to other people who may enjoy it as well. You can also reply to this email, I'd love to get in touch with you.
Thanks,
Sebas