
Release Date: 2nd February 2026 | Issue: 57 | Subscribe
The Security Pills newsletter is a hand-curated zine (delivered once per week) that highlights security-related news: 10+ hours of reading and analysis condensed into a 5-minute summary every Monday morning.
Sponsor
Would you like to become a sponsor of our newsletter? Our mission is to highlight security-related news with a focus on quality content, helping people stay up to date with this corner of the industry. If you are interested, reach out to [email protected] with your ad idea to get started!
Application Security
watchTowr's Piotr Bazydlo shows that ServiceDescriptionImporter, the .NET component that generates SOAP client proxies from WSDL documents, does not validate the URL scheme of the endpoint addresses it imports. An attacker who can supply a malicious WSDL can point the generated proxy at a file:// path, so the proxy writes XML directly to disk, which is enough to embed a webshell. Products from Barracuda, Ivanti, Microsoft, and Umbraco were confirmed vulnerable. Microsoft has declined to patch the issue, stating that URLs passed to SoapHttpClientProtocol should never be user-controlled and that input validation is the developer's responsibility.
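Since Microsoft's position is that the consumer must validate the endpoint, the check below is the one a service that ingests WSDL from outside has to perform itself. It is an added example written for this issue, not watchTowr's or Microsoft's code, and it is in Python rather than .NET so it can be run anywhere: it pulls every soap:address location out of a WSDL document and refuses anything that is not an absolute URL on an allowed scheme (and, optionally, an allowed host). The WSDL fragments and the example.invalid hostnames are constructed for the demonstration.

```python
"""Scheme allow-list for SOAP endpoint addresses in an untrusted WSDL.

Added example, not watchTowr's or Microsoft's code. It extracts every
<soap:address location="..."> from a WSDL document and rejects anything that
is not an absolute URL with an allowed scheme (and, optionally, an allowed
host), which is the check a consumer of attacker-controllable WSDL must do
before handing the address to a generated proxy.
"""
from __future__ import annotations

import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Address elements for the SOAP 1.1, SOAP 1.2 and HTTP bindings.
ADDRESS_TAGS = frozenset({
    "{http://schemas.xmlsoap.org/wsdl/soap/}address",
    "{http://schemas.xmlsoap.org/wsdl/soap12/}address",
    "{http://schemas.xmlsoap.org/wsdl/http/}address",
})
# Widen to {"http", "https"} only if plaintext SOAP is acceptable in your environment.
ALLOWED_SCHEMES = frozenset({"https"})


def endpoint_locations(wsdl_xml: str) -> list[str]:
    """Return every port address location declared in the WSDL, in document order."""
    # For untrusted XML in production, parse with defusedxml instead of the stdlib
    # to also block entity-expansion attacks; the scheme check itself is unchanged.
    root = ET.fromstring(wsdl_xml)
    return [el.get("location") for el in root.iter()
            if el.tag in ADDRESS_TAGS and el.get("location") is not None]


def validate_endpoints(wsdl_xml: str, allowed_hosts: set[str] | None = None) -> tuple[bool, list[str]]:
    """Return (ok, problems). A WSDL passes only if it declares at least one address and
    every address uses an allowed scheme, names a host, and (when allowed_hosts is given)
    that host is on the allow-list."""
    locations = endpoint_locations(wsdl_xml)
    problems: list[str] = []
    if not locations:
        problems.append("WSDL declares no endpoint address")
    for loc in locations:
        parts = urlsplit(loc)
        scheme = parts.scheme.lower()  # "FILE://" must not slip past a case-sensitive check
        if scheme not in ALLOWED_SCHEMES:
            problems.append(f"disallowed scheme {scheme or '<none>'!r} in {loc}")
        elif not parts.hostname:
            problems.append(f"no host in {loc}")
        elif allowed_hosts is not None and parts.hostname.lower() not in allowed_hosts:
            problems.append(f"host {parts.hostname!r} not on allow-list in {loc}")
    return not problems, problems


# Constructed WSDL fragments for the demonstration (example.invalid is a reserved TLD).
_WSDL_TEMPLATE = """<definitions xmlns="http://schemas.xmlsoap.org/wsdl/"
             xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/"
             xmlns:tns="http://example.invalid/"
             targetNamespace="http://example.invalid/">
  <service name="Svc">
    <port name="SvcSoap" binding="tns:SvcSoap">
      <soap:address location="{location}"/>
    </port>
  </service>
</definitions>"""
MALICIOUS_WSDL = _WSDL_TEMPLATE.format(location="file:///C:/inetpub/wwwroot/upload.aspx")
BENIGN_WSDL = _WSDL_TEMPLATE.format(location="https://api.example.invalid/Svc.asmx")

if __name__ == "__main__":
    for name, doc in (("malicious", MALICIOUS_WSDL), ("benign", BENIGN_WSDL)):
        ok, problems = validate_endpoints(doc, allowed_hosts={"api.example.invalid"})
        print(name, "accepted" if ok else "rejected", problems)
```

The allow-list is deliberately positive (only https, only known hosts) rather than a deny-list of file://, because a deny-list misses the other schemes a proxy stack may happen to support. The same rule applies to any other URL the WSDL carries, such as wsdl:import and xsd:import locations, if your importer follows them.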
Luke Marshall describes how he scanned ~5.6 million public GitLab Cloud repositories with TruffleHog, using an AWS Lambda + SQS pipeline to validate findings and identify more than 17,000 live secrets. He also explains how Claude Sonnet 3.7 supported triage and reporting, which ultimately led to over $9,000 in bug bounty payouts.
Sionic AI has developed a system that prevents research teams from repeating failed experiments by creating a shared knowledge registry managed through GitHub Actions and Claude Code. The solution addresses a common problem: valuable experimental insights getting lost in Slack threads and notebooks, leading to duplicate work months later.
Researchers use simple commands like /retrospective to have Claude automatically extract and document their discoveries, while /advise lets team members quickly access past learnings before starting new experiments. GitHub Actions handle the technical infrastructure by validating new contributions and automatically updating the shared registry, ensuring the system stays current and properly structured without manual maintenance.
Artificial Intelligence
Dane Schneider walks through Promptfoo Scanner, a GitHub Action that catches LLM-specific vulnerabilities in pull requests. It traces untrusted inputs into prompts, then follows LLM outputs to dangerous sinks (code execution, database queries, and the like). The focus is on "capability combinations": the lethal trifecta (private data access + untrusted content + external communication) or the deadly duo (untrusted content + privileged actions). Tested against real CVEs, the scanner identifies not just vulnerable code paths but often the exact commit that introduced the problem.
Production-Ready Dockerized MCP Servers for Offensive Security Tools
A collection of 28 Dockerized MCP servers from FuzzingLabs that brings offensive security tools to AI assistants. It includes Nmap, Ghidra, Nuclei and SQLMap among 163+ security tools spanning reconnaissance, web security, binary analysis, cloud security, OSINT, Active Directory, and more. The containers are production-hardened with non-root execution, minimal images, and Trivy vulnerability scanning.
A security knowledge base built from 88,636 WooYun vulnerability cases (2010-2016) that lets Claude analyze security issues with expert-level reasoning across 15 vulnerability types.
Affaan Mustafa has released a comprehensive Claude Code configuration toolkit built over 10+ months of real-world product development. The collection includes specialized agents for code review and planning, automated workflows, custom commands, and cross-platform scripts. Two guides accompany the release: a foundational guide covering setup and core concepts, and an advanced guide detailing performance optimization, memory management, testing approaches, and scaling techniques.
Blue Team
Daniel Weiss describes Amazon's Autonomous Threat Analysis (ATA) system, which uses competing AI agents to reason about and adapt security testing strategies in isolated environments. The system executes 10–30 technique variations concurrently, reducing detection-rule testing from weeks to hours while grounding all results against actual infrastructure to mitigate hallucination.
Huntress' Andrew Schwartz explains why LDAP detections that rely on "expected" source-code or protocol syntax often miss in Active Directory: there is a translation gap between what is sent over the wire and what actually shows up in telemetry. AD rewrites OID-based filters before they are logged in Event ID 1644, and 1644 preserves the formatting exactly as the DC processed it, so the same query can show up in different shapes depending on the tool.
He also shares a practical approach to detection engineering: use source code to understand how tooling behaves, then validate and refine your hypotheses against real logs. The goal is to turn implementation details into repeatable signals, not exact-match rules that break when formatting changes.
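One way to turn that advice into code is to canonicalize each filter before matching it. The block below is an added example, not Huntress' code or tooling: it lower-cases attribute names, resolves a handful of attribute OIDs to their display names, strips cosmetic whitespace, and only then runs item-level signals over the result, so one rule covers the OID form, the name form, and whatever capitalisation a given tool emits. The OID table is a constructed subset of the default AD schema (verify it against your own forest), and the 1644-style filter strings are constructed samples, not captured telemetry.

```python
"""Canonicalize Active Directory LDAP filters before matching detection signals.

Added example, not Huntress' code. Event ID 1644 records a filter as the DC
processed it, so the same query from different tools can arrive with attribute
OIDs instead of names, mixed case, or extra whitespace. Normalizing each filter
item first lets one rule cover all of those shapes instead of exact-matching one.
"""
import re

# Attribute OID -> LDAP display name (lower-cased). Constructed subset: the values
# are from the default AD schema, but verify them against your own forest and
# extend the table; schema extensions add attributes this list does not know.
ATTRIBUTE_OIDS = {
    "2.5.4.0": "objectclass",
    "2.5.4.3": "cn",
    "1.2.840.113556.1.4.8": "useraccountcontrol",
    "1.2.840.113556.1.4.221": "samaccountname",
    "1.2.840.113556.1.4.302": "samaccounttype",
    "1.2.840.113556.1.4.771": "serviceprincipalname",
}

# One filter item up to its operator: "(attr[:dn][:matchingRuleOID]op". The value is
# left untouched; matching-rule OIDs (803 = BIT_AND, 804 = BIT_OR, 1941 = IN_CHAIN)
# have no name form, so they stay as OIDs.
ITEM_RE = re.compile(
    r"\(\s*(?P<attr>[A-Za-z][A-Za-z0-9-]*|[0-9][0-9.]*)"
    r"(?P<dn>:dn)?(?::(?P<rule>[0-9][0-9.]*))?"
    r"\s*(?P<op>:=|~=|>=|<=|=)",
    re.IGNORECASE,
)


def _canon_item(m):
    attr = m.group("attr").lower()
    attr = ATTRIBUTE_OIDS.get(attr, attr)  # OID form -> name form
    dn = ":dn" if m.group("dn") else ""
    rule = f":{m.group('rule')}" if m.group("rule") else ""
    return f"({attr}{dn}{rule}{m.group('op')}"


def canonicalize(ldap_filter):
    """Lower-case attributes, resolve attribute OIDs, drop cosmetic whitespace."""
    s = ITEM_RE.sub(_canon_item, ldap_filter.strip())
    s = re.sub(r"\(\s*([&|!])\s*", r"(\1", s)  # "( & (" -> "(&("
    # ") (" -> ")(" and ") )" -> "))". A literal ')' inside a value must be escaped
    # as \29 (RFC 4515), so whitespace before ')' or '(' is never part of a value.
    s = re.sub(r"\)\s+(?=[()])", ")", s)
    return s


# Detection signals expressed against the canonical form. Item-level patterns are
# order-independent, so "(&(a)(b))" and "(&(b)(a))" both match.
SIGNALS = {
    # userAccountControl tested with BIT_AND/BIT_OR: enumeration of disabled,
    # DONT_REQ_PREAUTH, trusted-for-delegation accounts, and so on
    "uac_bitmask_filter": re.compile(r"\(useraccountcontrol:1\.2\.840\.113556\.1\.4\.80[34]:="),
    # any object with a servicePrincipalName: the classic Kerberoast candidate query
    "spn_enumeration": re.compile(r"\(serviceprincipalname=\*\)"),
    # LDAP_MATCHING_RULE_IN_CHAIN: recursive group-membership walks
    "in_chain_walk": re.compile(r":1\.2\.840\.113556\.1\.4\.1941:="),
}


def match_signals(raw_filter):
    """Return the names of every signal the (canonicalized) filter triggers."""
    canon = canonicalize(raw_filter)
    return {name for name, rx in SIGNALS.items() if rx.search(canon)}


# Constructed filter strings in the shapes one might see in 1644 telemetry:
# the first three are the same query as three different tools might emit it.
SAMPLE_FILTERS = [
    "(&(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=2))",
    "( & (1.2.840.113556.1.4.8:1.2.840.113556.1.4.803:=2) (2.5.4.0=user) )",
    "(&(OBJECTCLASS=User)(USERACCOUNTCONTROL:1.2.840.113556.1.4.803:=2))",
    "(&(samAccountType=805306368)(servicePrincipalName=*)(!(samAccountName=krbtgt)))",
]

if __name__ == "__main__":
    for f in SAMPLE_FILTERS:
        print(canonicalize(f), "->", sorted(match_signals(f)))
```

Values are intentionally left alone (the signals compare them case-insensitively where needed), and items are not reordered: that would take a real filter parser, and item-level signals do not need it. The point is the workflow Schwartz describes: read the tool's source to learn which filter it builds, then write the signal against the normalized shape rather than against one tool's exact string.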
Jon Hencinski argues SOC scaling breaks because analyst time is the bottleneck: as alerts and tools grow, you hit a “Human Cost Curve” where adding headcount increases cost and coordination more than results. He recommends a hybrid model where AI handles front-line triage and enrichment, escalating only the small set of alerts worth investigation, so a 10-person SOC can process ~200 alerts/day, keep utilization under ~70%, and retain capacity for deeper investigations and continuous improvements.
Cloud Security
Software Secured's Ben GoodSpeed describes how AWS privilege escalation has evolved from traditional IAM policy manipulation through service-based attacks to modern AI-driven orchestration via Bedrock and AgentCore. Testing across 16 scenarios, Ben identifies which AWS actions can be blocked with SCPs, which cannot, and provides a framework for assessing escalation risk across cloud and AI workloads.
A security auditing tool by Noah Potti for Tailscale configurations that runs 52 checks across seven categories to detect misconfigurations, weak access controls, and policy gaps. It supports OAuth or API key authentication, produces actionable findings, and can apply safe remediations with dry-run previews.
Seth Art released pathfinding.cloud, a comprehensive knowledge base documenting 60+ AWS IAM privilege escalation paths, 27 of which are not covered by existing OSS tools. These techniques show how attackers gain administrative access after an initial foothold in an AWS account. The library uses service-specific identifiers and a YAML format, with each entry detailing required permissions, resource constraints, and exploitation prerequisites.
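The useful operation over a library like this is "given what this principal can do, which paths are open, which are closed only by a Deny (the SCP question from Ben GoodSpeed's piece above), and which are one permission away". The block below is an added example written for this issue, not pathfinding.cloud's code, and it does not reproduce its YAML schema or entries: PATHS is a small constructed subset of well-documented IAM escalation techniques, the action-matching mirrors IAM's case-insensitive wildcard semantics, and the constructed principal in the usage call is hypothetical. Resource constraints, condition keys and permissions boundaries are deliberately left out, which a real assessment cannot do.

```python
"""Match a principal's effective IAM permissions against known privilege-escalation paths.

Added example, not pathfinding.cloud's code: its YAML schema and 60+ entries are not
reproduced. PATHS is a constructed subset of well-documented escalation techniques, and the
evaluation deliberately ignores resource constraints, condition keys and permissions
boundaries, all of which a real assessment has to take into account.
"""
from __future__ import annotations

import fnmatch
from dataclasses import dataclass


@dataclass(frozen=True)
class EscalationPath:
    name: str
    required: frozenset[str]  # every action the attacker must hold for the path to work
    outcome: str


PATHS = (
    EscalationPath("CreatePolicyVersion", frozenset({"iam:CreatePolicyVersion"}),
                   "set a new default version of an attached managed policy"),
    EscalationPath("AttachUserPolicy", frozenset({"iam:AttachUserPolicy"}),
                   "attach AdministratorAccess to the caller's own user"),
    EscalationPath("PassRole+Lambda",
                   frozenset({"iam:PassRole", "lambda:CreateFunction", "lambda:InvokeFunction"}),
                   "run attacker code under a more privileged execution role"),
    EscalationPath("PassRole+EC2", frozenset({"iam:PassRole", "ec2:RunInstances"}),
                   "launch an instance with a more privileged instance profile"),
    EscalationPath("UpdateFunctionCode", frozenset({"lambda:UpdateFunctionCode"}),
                   "replace the code of an existing function that already has a privileged role"),
)


def matches(action: str, patterns) -> bool:
    """IAM-style action matching: case-insensitive, with the same * and ? wildcards IAM uses."""
    action = action.lower()
    return any(fnmatch.fnmatchcase(action, p.lower()) for p in patterns)


def evaluate(allows, denies=()) -> dict:
    """allows: action patterns the identity policies grant. denies: patterns from explicit
    Deny statements, including SCPs. Returns which paths are reachable, which would be
    reachable but for a Deny, and which are missing permissions (listing the missing actions)."""
    report = {"reachable": [], "blocked_by_deny": [], "partial": {}}
    for path in PATHS:
        denied = {a for a in path.required if matches(a, denies)}
        allowed = {a for a in path.required if matches(a, allows)} - denied
        if allowed == path.required:
            report["reachable"].append(path.name)
        elif denied and allowed | denied == path.required:
            report["blocked_by_deny"].append(path.name)
        elif allowed:
            report["partial"][path.name] = sorted(path.required - allowed)
    return report


if __name__ == "__main__":
    # Constructed principal: PassRole plus full Lambda rights, with an SCP denying UpdateFunctionCode.
    print(evaluate(allows=["iam:PassRole", "lambda:*", "s3:GetObject"],
                   denies=["lambda:UpdateFunctionCode"]))
```

The "blocked_by_deny" bucket is where an SCP analysis plugs in: feed the Deny statements from the organization's policies as denies and the bucket shows which paths the SCPs actually close for this principal. Loading the real library would mean replacing PATHS with entries parsed from its YAML, keeping the evaluation loop as it is.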
Container Security
Terry Franklin explains how AWS Bottlerocket, a minimal operating system built specifically for hosting containers, defeats several established container escape techniques: abusing the kernel's usermode helper by triggering a coredump, mounting the host filesystem, and loading a custom kernel module.
Kiran Dawadi walks through a controlled “assume-breach” test on an Amazon EKS cluster using BishopFox’s BadPods to show how risky pod configurations (such as privileged containers, host namespace sharing, and host networking) can effectively remove container isolation. The write-up follows a realistic escalation from an initial compromised pod to host-level access, pivoting to other workloads on the node, and ultimately pulling AWS credentials from IMDS.
Philippe Charrière describes how to run small language models (0.5-7 billion parameters) locally for code assistance, particularly when cloud services are unavailable due to confidentiality restrictions or offline environments. The author demonstrates using a 3 billion parameter Qwen2.5-Coder model with Docker Model Runner to build a code assistance system for a custom Golang library.
Since small models don't know proprietary codebases and have limited context windows, the solution implements Retrieval Augmented Generation (RAG) to feed relevant code snippets to the model. The article emphasizes that RAG effectiveness depends on proper configuration of embedding models, chunk splitting strategies, and similarity thresholds, with practical solutions including adjusting thresholds, increasing returned results, and adding metadata keywords when retrieval fails.
Red Team
Detecting Conditional Access Payload Delivery via Cloudflare Pages
Andy Gill describes how conditional access payload delivery (CAPD) can be implemented using Cloudflare Pages and Workers to selectively deliver payloads based on request context, noting that Cloudflare’s shared infrastructure and HTTPS encryption limit detection to sparse network signals, endpoint telemetry, and TLS-terminating proxies.
SILPH: An In-Memory Credential Dumping Tool for Windows
An open-source red team tool by Haroun Al Mounayar that extracts Windows credentials (LSA secrets, SAM hashes, and DCC2) entirely in memory, without disk writes or RPC services. It is built to integrate with the Orsted C2 framework.
Sean Heelan demonstrates how current LLMs can automatically generate functional exploits for zero-day vulnerabilities when equipped with appropriate tools and iterative debugging capabilities. In experiments using Opus 4.5 and GPT-5.2, both AI agents successfully generated over 40 distinct exploits for a QuickJS zero-day across six scenarios with various modern mitigations.
Heelan argues that current AI safety tests don't accurately measure real-world hacking capabilities. Most evaluations use practice scenarios, simulated environments, or old vulnerabilities instead of testing against genuinely difficult targets with fresh zero-day flaws. He calls for AI labs and security researchers to run more realistic tests using actual zero-day vulnerabilities and to share detailed results, including costs and success rates.
A technical write-up of the experiments and the results is available on GitHub.
Supply Chain
Zombie Workflows: GitHub Actions Vulnerabilities That Persist Across Branches
Sonar's Paul Gerste describes a GitHub Actions vulnerability pattern (Zombie Workflows) in which workflows left behind on older repository branches remain exploitable even after the default branch is fixed, enabling Pwn Request attacks (privileged workflows that check out and run attacker-controlled pull request code). Their analysis identified 188 potentially vulnerable workflows across projects, including repositories associated with Microsoft, NVIDIA, and Azure.
PromptPwnd: AI Prompt Injection Vulnerabilities in GitHub Actions and GitLab CI/CD Pipelines
Aikido's Rein Daelman describes PromptPwnd, a vulnerability pattern in CI/CD pipelines where untrusted user input embedded in AI prompts causes AI agents to execute privileged operations and leak secrets. Aikido Security identified the issue across multiple AI-powered actions including Claude Code, Codex, and GitHub AI Inference, affecting at least five Fortune 500 companies and numerous high-profile repositories.
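Both findings come down to the same audit: look at every workflow on every branch, not just the default one, and flag a privileged trigger that checks out the PR head (the Pwn Request shape) or a GitHub expression that expands attacker-controlled event data into a run: script or a step input such as an AI action's prompt. The block below is an added example written for this issue, not Sonar's or Aikido's code. The three workflow files and the two-branch repository snapshot are constructed, the ai-review action name is hypothetical, and the YAML handling is a line-oriented heuristic rather than a full parser.

```python
"""Find Pwn Request and prompt-injection sinks in GitHub Actions workflows, per branch.

Added example, not Sonar's or Aikido's code. pull_request_target runs the workflow file
from the PR's *base* branch, so every branch's .github/workflows/ must be scanned, not
just the default branch: a fix on main leaves the zombie copy on an old branch live.
"""
import re

PRIVILEGED_TRIGGERS = ("pull_request_target", "issue_comment", "workflow_run")
# Event fields GitHub documents as attacker-controllable (fork PRs, issues, comments).
UNTRUSTED_EXPR = re.compile(
    r"\$\{\{\s*(?:github\.head_ref|github\.event\.(?:"
    r"pull_request\.(?:title|body|head\.(?:ref|label)|head\.repo\.(?:default_branch|description|homepage))"
    r"|issue\.(?:title|body)|comment\.body|review\.body|review_comment\.body"
    r"|commits\[\d+\]\.message|head_commit\.message))\s*\}\}")
PR_HEAD_CHECKOUT = re.compile(r"^\s*ref:\s*\$\{\{\s*github\.event\.pull_request\.head\.")
KEY_RE = re.compile(r"^(?P<indent>\s*)(?:-\s+)?(?P<key>[A-Za-z_][\w-]*):")


def privileged_triggers(text):
    """Privileged triggers named in the top-level `on:` block (the line plus its indented continuation)."""
    m = re.search(r"^on:.*(?:\n[ \t].*|\n[ \t]*$)*", text, re.M)
    block = m.group(0) if m else ""
    return [t for t in PRIVILEGED_TRIGGERS if re.search(rf"\b{t}\b", block)]


def keyed_lines(text):
    """Yield (lineno, line, key, parent_key); indentation decides the parent (YAML heuristic)."""
    stack = []  # (indent, key)
    for n, line in enumerate(text.splitlines(), 1):
        m = KEY_RE.match(line)
        if m:
            indent = len(m.group("indent"))
            while stack and stack[-1][0] >= indent:
                stack.pop()
            stack.append((indent, m.group("key")))
        if stack:  # unkeyed lines belong to the last key (e.g. the body of `run: |`)
            yield n, line, stack[-1][1], (stack[-2][1] if len(stack) > 1 else None)


def scan_workflow(text):
    """Return [(kind, lineno, detail)] for one workflow file."""
    findings = []
    privileged = privileged_triggers(text)
    for n, line, key, parent in keyed_lines(text):
        if privileged and PR_HEAD_CHECKOUT.match(line):
            findings.append(("pwn-request", n, f"PR head checked out under {', '.join(privileged)}"))
        # Routing the value through `env:` is the documented safe pattern; anywhere else
        # the attacker's text lands inside a shell script or a step input.
        if UNTRUSTED_EXPR.search(line) and parent != "env":
            kind = "script-injection" if key == "run" else "untrusted-input"
            findings.append((kind, n, f"untrusted event data expanded into `{key}`"))
    return findings


def scan_branches(branches):
    """branches: {branch: {path: text}} -> {branch: [(kind, path, lineno, detail)]}."""
    return {branch: [(kind, path, n, detail)
                     for path, text in workflows.items()
                     for kind, n, detail in scan_workflow(text)]
            for branch, workflows in branches.items()}


# Constructed workflows. OLD_CI is the Pwn Request shape; FIXED_CI is its safe rewrite;
# AI_REVIEW feeds the PR body to a (hypothetical) AI action's prompt input.
OLD_CI = """\
on:
  pull_request_target:
jobs:
  test:
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - run: echo "Testing ${{ github.event.pull_request.title }}" && npm test
"""
FIXED_CI = """\
on:
  pull_request:
jobs:
  test:
    steps:
      - uses: actions/checkout@v4
      - run: echo "Testing $PR_TITLE" && npm test
        env:
          PR_TITLE: ${{ github.event.pull_request.title }}
"""
AI_REVIEW = """\
on:
  pull_request_target:
jobs:
  review:
    steps:
      - uses: example-org/ai-review@v1   # hypothetical action, for illustration only
        with:
          prompt: "Review this PR: ${{ github.event.pull_request.body }}"
          api_key: ${{ secrets.AI_API_KEY }}
"""
# Repository snapshot: main was fixed, but release/1.x still carries the old workflow.
REPO = {
    "main": {".github/workflows/ci.yml": FIXED_CI, ".github/workflows/ai-review.yml": AI_REVIEW},
    "release/1.x": {".github/workflows/ci.yml": OLD_CI},
}
```

Running scan_branches(REPO) reports main as clean for the CI workflow but flags the AI review prompt, and flags release/1.x for both the PR-head checkout and the title interpolated into the shell. Against a real repository, build the branches dict by listing .github/workflows/ on every ref (for example with git ls-tree per branch), since a PR can target any of them.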
Threat Hunting
Destructive Malware Rising Across Open Source Registries with Kill Switches and Delays
Socket's Kush Pandya analyzes two malicious Chrome extensions called Phantom Shuttle, distributed since 2017, that route traffic from 170+ targeted domains through attacker-controlled MITM proxies. The extensions intercept HTTP authentication challenges using hardcoded credentials and continuously exfiltrate plaintext credentials from sites including AWS, Azure, GitHub, and adult platforms.
Pentest Laboratories explores EDR silencing techniques that attackers use to disable security monitoring without triggering alerts. Once threat actors find EDR software running on a host, they prioritize blinding it quietly over taking it down noisily.
The research covers four approaches that block EDR communication with its cloud management console: Windows Filtering Platform abuse, hosts file modification, Name Resolution Policy Table manipulation, and IPsec filter rules. These disrupt the agent's network communication rather than crashing the EDR process, which would generate obvious alerts. The article also notes the surrounding tradecraft: avoiding detection rules through indirect system calls or legitimate tools, gaining administrator privileges to install kernel-level bypass modules that prevent malicious activity from being logged, or removing the EDR software altogether.
Wrapping Up
If you enjoyed this newsletter and think others would too, it would mean a lot to us if you forwarded this email to people who may enjoy it as well. You can also reply to this email; I'd love to get in touch with you.
Thanks,
Sebas
