Attacks & Vulnerabilities
|
Google API Keys Weren't Secrets. But then Gemini Changed the Rules (10 minute read)
Truffle Security discovered that enabling the Gemini API on a Google Cloud project silently grants existing API keys, including those publicly embedded in client-side JavaScript for services like Maps and Firebase, access to sensitive Gemini endpoints (CWE-1188, CWE-269). A scan of the November 2025 Common Crawl dataset identified 2,863 live Google API keys vulnerable to this privilege escalation, affecting major financial institutions, security companies, and Google itself. Organizations should audit all GCP projects for the Generative Language API, restrict or rotate any unrestricted or publicly exposed keys, and verify that no Gemini-capable keys are embedded in client-side code or public repositories.
|
Malicious Next.js Repos Target Developers Via Fake Job Interviews (3 minute read)
Microsoft discovered Trojanized Next.js repositories linked to North Korea's Lazarus APT that deliver backdoors through fake job-recruitment coding challenges, achieving RCE and persistent C2 access on developer machines. The repositories exploit VS Code workspace automation via malicious .vscode/tasks.json files or embed obfuscated loaders in build assets that fetch attacker-controlled JavaScript at runtime. Security teams should enforce strict IDE trust policies, monitor for anomalous Node.js outbound connections, and treat developer workflows as a privileged attack surface.
|
|
Abusing Cortex XDR Live Terminal as a C2 - InfoGuard Labs (7 minute read)
InfoGuard researchers demonstrated that Palo Alto's Cortex XDR Live Terminal feature can be abused as a pre-installed, EDR-trusted C2 channel, offering command execution, file transfer, and evasion capabilities through traffic that blends natively into enterprise network flows. The attack exploits a trivial URL validation flaw in cortex-xdr-payload.exe and the absence of mutual authentication or cryptographic command signing, allowing attackers to redirect connections to their own infrastructure via cross-tenant hijacking or a custom WebSocket server. Defenders should monitor for cortex-xdr-payload.exe spawned by any parent process other than cyserver.exe, while Palo Alto's claimed fix in versions 8.7-8.9 was not confirmed effective as of February.
|
New AirSnitch attack breaks Wi-Fi encryption in homes, offices, and enterprises (9 minute read)
AirSnitch exploits low-level Wi-Fi behavior to bypass client isolation, enabling bidirectional MitM from any SSID on the same AP against popular consumer and enterprise gear. Attackers can steal cookies, credentials, and RADIUS secrets, pivot between guest and corporate networks, and poison DNS, challenging assumptions about guest Wi-Fi safety and pushing networks toward stricter zero‑trust segmentation and careful AP/VLAN design.
|
The Post-RAMP Era: Allegations, Fragmentation, and the Rebuilding of the Ransomware Underground (9 minute read)
In January 2026, the FBI-led seizure of the RAMP forum dismantled a central hub for ransomware coordination but mainly shattered trust and pushed actors into more fragmented spaces, such as the closed, pay-to-enter T1erOne and the open forum Rehub. Competing narratives about leaked RAMP data and possible insider abuse have reinforced fears of honeypots, driving a shift toward smaller, tightly vetted communities and parallel use of low-barrier platforms.
|
|
AutoPiff (GitHub Repo)
AutoPiff is a semantic analysis engine that automates the detection of security-relevant changes in Windows kernel driver patches using 58 YAML-based rules across 22 vulnerability categories, including use-after-free fixes, bounds check additions, and IOCTL input validation. The framework runs as a Karton microservice pipeline integrating Ghidra decompilation, function matching, call-graph reachability analysis, and exploitability scoring to reduce manual driver pair analysis from 4-12 hours to under 5 minutes. Designed for silent patch detection and 1-day vulnerability research, it tracks 50+ dangerous API sinks and alerts on high-scoring findings via Telegram.
|
Gambit Security (Product Launch)
Gambit Security's AI-powered resilience platform, Balens, maps environments, security products, and backups to uncover gaps, validate recovery paths in real-time, and ensure business continuity against ransomware and disruptions.
|
TheNewOil (GitHub Repo)
A project dedicated to teaching beginners and non-tech-savvy people about digital privacy and cybersecurity.
|
|
Never Buy A .online Domain (4 minute read)
A developer's .online domain was suspended via serverHold by registry operator Radix after Google Safe Browsing flagged the site, with no prior notification or grace period. The suspension created a Catch-22 where Google required DNS-based domain verification to review the flag, but the registry refused to reactivate DNS until Google removed it. The incident highlights the risks of non-.com TLDs with aggressive abuse policies and reinforces the importance of pre-registering domains in Google Search Console and adding uptime monitoring even for simple landing pages.
|
Google catches Beijing spies using Sheets to spread espionage across 4 continents (3 minute read)
Google Threat Intelligence disrupted UNC2814, a China-linked espionage group that compromised 53 victims across 42 countries by targeting telecoms and government organizations with a novel backdoor called Gridtide that abuses Google Sheets API for C2 communication. The group, tracked since 2017, escalated privileges via SSH lateral movement and deployed SoftEther VPN Bridge for persistent encrypted connections, with infrastructure dating back to July 2018. Google terminated all attacker-controlled Cloud Projects, disabled known infrastructure, and revoked the Sheets API access used for C2 operations.
|
|
|
Love TLDR? Tell your friends and get rewards!
|
|
Share your referral link below with friends to get free TLDR swag!
|
|
|
|
|
Track your referrals here.
|
|
|
|
