<!DOCTYPE html><html lang="en"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><meta charset="UTF-8"><meta name="viewport" content="width=device-width"><meta name="x-apple-disable-message-reformatting"><title>TLDR InfoSec</title><meta name="color-scheme" content="light dark"><meta name="supported-color-schemes" content="light dark"><style type="text/css">
:root {
color-scheme: light dark; supported-color-schemes: light dark;
}
*,
*:after,
*:before {
-webkit-box-sizing: border-box; -moz-box-sizing: border-box; box-sizing: border-box;
}
* {
-ms-text-size-adjust: 100%; -webkit-text-size-adjust: 100%;
}
html,
body,
.document {
width: 100% !important; height: 100% !important; margin: 0; padding: 0;
}
body {
-webkit-font-smoothing: antialiased; -moz-osx-font-smoothing: grayscale; text-rendering: optimizeLegibility;
}
div[style*="margin: 16px 0"] {
margin: 0 !important;
}
table,
td {
mso-table-lspace: 0pt; mso-table-rspace: 0pt;
}
table {
border-spacing: 0; border-collapse: collapse; table-layout: fixed; margin: 0 auto;
}
img {
-ms-interpolation-mode: bicubic; max-width: 100%; border: 0;
}
*[x-apple-data-detectors] {
color: inherit !important; text-decoration: none !important;
}
.x-gmail-data-detectors,
.x-gmail-data-detectors *,
.aBn {
border-bottom: 0 !important; cursor: default !important;
}
.btn {
-webkit-transition: all 200ms ease; transition: all 200ms ease;
}
.btn:hover {
background-color: #f67575; border-color: #f67575;
}
* {
font-family: Arial, Helvetica, sans-serif; font-size: 18px;
}
@media screen and (max-width: 600px) {
.container {
width: 100%; margin: auto;
}
.stack {
display: block!important; width: 100%!important; max-width: 100%!important;
}
.btn {
display: block; width: 100%; text-align: center;
}
}
body,
p,
td,
tr,
.body,
table,
h1,
h2,
h3,
h4,
h5,
h6,
div,
span {
background-color: #FEFEFE !important; color: #010101 !important;
}
@media (prefers-color-scheme: dark) {
body,
p,
td,
tr,
.body,
table,
h1,
h2,
h3,
h4,
h5,
h6,
div,
span {
background-color: #27292D !important; color: #FEFEFE !important;
}
}
a {
color: inherit !important; text-decoration: underline !important;
}
</style><!--[if mso | ie]>
<style type="text/css">
a {
background-color: #FEFEFE !important; color: #010101 !important;
}
@media (prefers-color-scheme: dark) {
a {
background-color: #27292D !important; color: #FEFEFE !important;
}
}
</style>
<![endif]--></head><body class="">
<table align="center" class="document"><tbody><tr><td valign="top">
<table align="center" border="0" cellpadding="0" cellspacing="0" class="container" width="600"><tbody><tr class="inner-body"><td>
<table align="center" border="0" cellpadding="0" cellspacing="0" width="100%"><tbody><tr class="header"><td bgcolor="" class="container">
<table width="100%"><tbody><tr><td class="container">
<table align="center" bgcolor="" border="0" cellpadding="0" cellspacing="0" style="margin-top: 0px;" width="100%"><tbody><tr><td style="padding: 0px;">
<table align="center" bgcolor="" border="0" cellpadding="0" cellspacing="0" width="100%"><tbody><tr><td class="container" style="padding: 15px 15px;">
<div style="text-align: center;">
<span style="margin-right: 0px;"><a href="https://tracking.tldrnewsletter.com/CL0/https:%2F%2Ftldr.tech%2Finfosec%3Futm_source=tldrinfosec/1/0100019d0b5c5ce6-715f8b70-5dd7-4efd-9d1d-59ea0a05eaf0-000000/XhhtqAZ8PngSEn1Pil8E-K9F7aFVCYfd4FDPx2ThokY=449" rel="noopener noreferrer" target="_blank"><span>Sign Up</span></a>
|<span style="margin-right: 2px; margin-left: 2px;"><a href="https://tracking.tldrnewsletter.com/CL0/https:%2F%2Fadvertise.tldr.tech%2F%3Futm_source=tldrinfosec%26utm_medium=newsletter%26utm_campaign=advertisetopnav/1/0100019d0b5c5ce6-715f8b70-5dd7-4efd-9d1d-59ea0a05eaf0-000000/JAcZdQhyxK7HFYIj8_maYzp1Xo_jS0Kg94BOUnZuPeo=449" rel="noopener noreferrer" target="_blank"><span>Advertise</span></a></span>|<span style="margin-left: 2px;"><a href="https://tracking.tldrnewsletter.com/CL0/https:%2F%2Fa.tldrnewsletter.com%2Fweb-version%3Fep=1%26lc=156924ca-84b7-11f0-8d58-47c5c04ad337%26p=ae083170-2422-11f1-8908-83a884136b4b%26pt=campaign%26t=1774012095%26s=84dde83e796f0e08da00e4da6bea81b8db928fc8b55d48dfce3b8199689c10a9/1/0100019d0b5c5ce6-715f8b70-5dd7-4efd-9d1d-59ea0a05eaf0-000000/1RmGMZYuaYPRSi8geoBx5Y5QCpL_qMfez5iXFk7qbY4=449"><span>View Online</span></a></span>
<br>
</span></div>
</td></tr></tbody></table>
<table align="center" bgcolor="" border="0" cellpadding="0" cellspacing="0" width="100%"><tbody><tr><td class="container" style="text-align: center;"><span data-darkreader-inline-color="" style="--darkreader-inline-color:#3db3ff; color: rgb(51, 175, 255) !important; font-size: 30px;">T</span><span style="font-size: 30px;"><span data-darkreader-inline-color="" style="color: rgb(232, 192, 96) !important; --darkreader-inline-color:#e8c163; font-size:30px;">L</span><span data-darkreader-inline-color="" style="color: rgb(101, 195, 173) !important; --darkreader-inline-color:#6ec7b2; font-size:30px;">D</span></span><span data-darkreader-inline-color="" style="--darkreader-inline-color:#dd6e6e; color: rgb(220, 107, 107) !important; font-size: 30px;">R</span>
<br>
</td></tr></tbody></table>
<br>
<table align="center" bgcolor="" border="0" cellpadding="0" cellspacing="0" width="100%"><tbody><tr id="together-with"><td align="center" height="20" style="vertical-align:middle !important;" valign="middle" width="100%"><strong style="vertical-align:middle !important; height: 100%;">Together With </strong>
<a href="http://tracking.tldrnewsletter.com/CL0/http:%2F%2Fvanta.com%2Flp%2Frsa%3Futm_medium=newsletter%26utm_source=tldr-infosec%26utm_campaign=fy27q1_conference_rsa_namer/1/0100019d0b5c5ce6-715f8b70-5dd7-4efd-9d1d-59ea0a05eaf0-000000/rqfSA4WaiO7mrlcxtMeqNyGI2ifg21qg_3DlpM8RHao=449"><img src="https://images.tldr.tech/vanta.png" valign="middle" style="vertical-align: middle !important; height: 100%;" alt="Vanta"></a></td></tr></tbody></table>
<table style="table-layout: fixed; width:100%;" width="100%"><tbody><tr><td style="padding:0;border-collapse:collapse;border-spacing:0;margin:0;">
<div style="text-align: center;">
<h1><strong>TLDR Information Security <span id="date">2026-03-20</span></strong></h1>
</div>
</td></tr></tbody></table>
<table style="table-layout: fixed; width:100%;" width="100%"><tbody><tr id="sponsy-copy"><td class="container" style="padding: 15px 15px;">
<div class="text-block">
<span>
<a href="http://tracking.tldrnewsletter.com/CL0/http:%2F%2Fvanta.com%2Flp%2Frsa%3Futm_medium=newsletter%26utm_source=tldr-infosec%26utm_campaign=fy27q1_conference_rsa_namer/2/0100019d0b5c5ce6-715f8b70-5dd7-4efd-9d1d-59ea0a05eaf0-000000/uYh5OIL2pCDvMlLm5-NE7omUCIDTGtnVa1CeNCBZceg=449">
<span>
<strong>Heading to RSAC? Find your Calm-pliance with Vanta (Sponsor)</strong>
</span>
</a>
<br>
<br>
<span style="font-family: "Helvetica Neue", Helvetica, Arial, Verdana, sans-serif;">
Stop by Vanta's booth (S-1827) for <a href="http://tracking.tldrnewsletter.com/CL0/http:%2F%2Fvanta.com%2Flp%2Frsa%3Futm_medium=newsletter%26utm_source=tldr-infosec%26utm_campaign=fy27q1_conference_rsa_namer/3/0100019d0b5c5ce6-715f8b70-5dd7-4efd-9d1d-59ea0a05eaf0-000000/eLGsyn_cy5Sz2HoR7ArLXlELed0rd2GFcPkqyi_kXYY=449" rel="noopener noreferrer nofollow" target="_blank"><span>a rare moment of calm</span></a> in the chaos of RSAC, and find out how to bring the calm to your own program.
<p></p>
<p>Vanta is the leading Agentic Trust Platform - combining compliance, risk, and proof, with 400+ integrations and 1,400+ automated tests that keep you audit-ready all year round.</p>
<p>Join Vanta's <a href="http://tracking.tldrnewsletter.com/CL0/http:%2F%2Fvanta.com%2Flp%2Frsa%3Futm_medium=newsletter%26utm_source=tldr-infosec%26utm_campaign=fy27q1_conference_rsa_namer/4/0100019d0b5c5ce6-715f8b70-5dd7-4efd-9d1d-59ea0a05eaf0-000000/teG9wf3vJ95xfXtI8PwY_TW0A8VcO5Y_Y2LYIOFS-pY=449" rel="noopener noreferrer nofollow" target="_blank"><span>uniquely chill kickoff to RSAC</span></a> for free food and drinks, good music, and a curated space where the GRC community gets the spotlight it deserves.</p>
<p>Hear firsthand how companies like Ramp, Writer, and Atlassian save hundreds of hours and prove trust continuously.</p>
<p><a href="http://tracking.tldrnewsletter.com/CL0/http:%2F%2Fvanta.com%2Flp%2Frsa%3Futm_medium=newsletter%26utm_source=tldr-infosec%26utm_campaign=fy27q1_conference_rsa_namer/5/0100019d0b5c5ce6-715f8b70-5dd7-4efd-9d1d-59ea0a05eaf0-000000/BrJvG5B5m24tcw--UPG_Updme2v81nbDPI1zJMrteHM=449" rel="noopener noreferrer nofollow" target="_blank"><span>Sign up for exclusive events and experiences at RSAC →</span></a>
</p>
</span></span></div>
</td></tr></tbody></table>
</td></tr></tbody></table>
</td></tr></tbody></table>
</td></tr>
<tr bgcolor=""><td class="container">
<table align="center" bgcolor="" border="0" cellpadding="0" cellspacing="0" width="100%"><tbody><tr><td style="padding: 0px;">
<table align="center" bgcolor="" border="0" cellpadding="0" cellspacing="0" width="100%"><tbody><tr><td class="container" style="padding-top: 0px; padding-bottom: 0px;">
<div class="text-block">
<div style="text-align: center;"><span style="font-size: 36px;"></span></div></div>
</td></tr></tbody></table>
<table align="center" bgcolor="" border="0" cellpadding="0" cellspacing="0" width="100%"><tbody><tr><td class="container" style="padding-top: 0px; padding-bottom: 0px;">
<div class="text-block">
<div style="text-align: center;">
<h1><strong>Attacks & Vulnerabilities</strong></h1>
</div>
</div>
</td></tr></tbody></table>
<table style="table-layout: fixed; width: 100%;" width="100%"><tbody><tr><td style="padding:0;border-collapse:collapse;border-spacing:0;margin:0;" valign="top">
<table align="center" border="0" cellpadding="0" cellspacing="0" width="100%"><tbody><tr><td class="container" style="padding: 15px 15px;">
<div class="text-block">
<span>
<a href="https://tracking.tldrnewsletter.com/CL0/https:%2F%2Flinks.tldrnewsletter.com%2FOGdkPb/1/0100019d0b5c5ce6-715f8b70-5dd7-4efd-9d1d-59ea0a05eaf0-000000/M_Wgf6TbQeUlZNpElVRsTggLYcLQdITAeTqap-dfsJg=449">
<span>
<strong>This severe and international iPhone hack is the best reason to update to iOS 26.3 yet (2 minute read)</strong>
</span>
</a>
<br>
<br>
<span style="font-family: "Helvetica Neue", Helvetica, Arial, Verdana, sans-serif;">
The "DarkSword" exploit chain, active since at least November 2025, chained six flaws across JavaScriptCore (CVE-2025-31277, CVE-2025-43529), dyld PAC bypass (CVE-2026-20700), WebContent sandbox escape (CVE-2025-14174), GPU sandbox escape (CVE-2025-43810), and a local privilege escalation (CVE-2025-43520) to achieve full kernel control on iOS 18.4 through 18.7 via a malicious Safari webpage. Multiple threat actors reused the same core chain across separate campaigns in Saudi Arabia, Turkey, Malaysia, and Ukraine, with delivery methods ranging from Snapchat-themed lures to compromised watering-hole sites, with PARS Defense linked to the Turkey and Malaysia activity. Apple patched all underlying flaws in stages through iOS 26.3 by February 11. Users should update immediately to close the fully patched chain.
</span>
</span>
</div>
</td></tr></tbody></table>
<table align="center" border="0" cellpadding="0" cellspacing="0" width="100%"><tbody><tr><td class="container" style="padding: 15px 15px;">
<div class="text-block">
<span>
<a href="https://tracking.tldrnewsletter.com/CL0/https:%2F%2Fwww.aura.com%2Fpress%2Frelease%2Fstatement-on-exposure-of-customer-information%3Futm_source=tldrinfosec/1/0100019d0b5c5ce6-715f8b70-5dd7-4efd-9d1d-59ea0a05eaf0-000000/x0knsoysp8Z7wo2rAFMRz8LdLf3YZM_bhDU1EvIoJPM=449">
<span>
<strong>Aura Statement on Exposure of Limited Customer Information (2 minute read)</strong>
</span>
</a>
<br>
<br>
<span style="font-family: "Helvetica Neue", Helvetica, Arial, Verdana, sans-serif;">
Aura, an identity theft protection company, announced that one of its employees was targeted in a vishing attack. The attacker accessed 900,000 records, mostly containing only names and email addresses, with contact details like home addresses and phone numbers also accessed for up to 20,000 active customers and 15,000 former customers. Aura confirmed that no sensitive information such as SSNs or financial details was compromised.
</span>
</span>
</div>
</td></tr></tbody></table>
<table align="center" border="0" cellpadding="0" cellspacing="0" width="100%"><tbody><tr><td class="container" style="padding: 15px 15px;">
<div class="text-block">
<span>
<a href="https://tracking.tldrnewsletter.com/CL0/https:%2F%2Fsan.com%2Fcc%2Fmillions-of-anonymous-crime-tips-exposed-in-massive-crime-stoppers-hack-exclusive%2F%3Futm_source=tldrinfosec/1/0100019d0b5c5ce6-715f8b70-5dd7-4efd-9d1d-59ea0a05eaf0-000000/eJu_xQ4kKNl51CpWMTMfeY1UXZNYsPbJTezc6uVTwjo=449">
<span>
<strong>Millions of Anonymous Crime Tips Exposed in Massive Crime Stoppers Hack (3 minute read)</strong>
</span>
</a>
<br>
<br>
<span style="font-family: "Helvetica Neue", Helvetica, Arial, Verdana, sans-serif;">
A hacker going by the alias "THE INTERNET YIFF MACHINE" leaked more than 8.3M highly sensitive records from the tip and intelligence management company P3 Global Intel. The leak contains extensive personal data on those accused by tipsters, including names, email addresses, dates of birth, phone numbers, home addresses, license plate numbers, SSNs, and criminal histories. The hacker also disclosed that the company enables clients to collect a wealth of tracking data on "anonymous" tipsters.
</span>
</span>
</div>
</td></tr></tbody></table>
</td></tr></tbody></table>
<table align="center" bgcolor="" border="0" cellpadding="0" cellspacing="0" width="100%"><tbody><tr><td class="container" style="padding-top: 0px; padding-bottom: 0px;">
<div class="text-block">
<div style="text-align: center;"><span style="font-size: 36px;">🧠</span></div>
</div>
</td></tr></tbody></table>
<table align="center" bgcolor="" border="0" cellpadding="0" cellspacing="0" width="100%"><tbody><tr><td class="container" style="padding-top: 0px; padding-bottom: 0px;">
<div class="text-block">
<div style="text-align: center;">
<h1><strong>Strategies & Tactics</strong></h1>
</div>
</div>
</td></tr></tbody></table>
<table style="table-layout: fixed; width: 100%;" width="100%"><tbody><tr><td style="padding:0;border-collapse:collapse;border-spacing:0;margin:0;" valign="top">
<table align="center" border="0" cellpadding="0" cellspacing="0" width="100%"><tbody><tr><td class="container" style="padding: 15px 15px;">
<div class="text-block">
<span>
<a href="https://tracking.tldrnewsletter.com/CL0/https:%2F%2Fwww.huntress.com%2Fblog%2Fdaisy-chaining-rogue-rmm-tools%3Futm_source=tldrinfosec/1/0100019d0b5c5ce6-715f8b70-5dd7-4efd-9d1d-59ea0a05eaf0-000000/IzTtoY-O4UHpTxFvcohmtevlg2WKaTCtDfbIMheGyzM=449">
<span>
<strong>Daisy-Chaining Rogue RMM Tools: How Threat Actors Abuse Remote Management Software for Initial Access (10 minute read)</strong>
</span>
</a>
<br>
<br>
<span style="font-family: "Helvetica Neue", Helvetica, Arial, Verdana, sans-serif;">
Huntress documented a 277% surge in RMM abuse, with threat actors daisy-chaining tools like Action1 and ScreenConnect via MSI installers, wscript, and LLM-generated infostealer scripts to fragment telemetry, distribute persistence, and complicate attribution across campaigns that targeted financial accounts and used SSA-themed lures. Post-access tradecraft included pin.exe masquerading as Windows Security to harvest login PINs into ScreenConnect\Temp\output.txt, Sordum's HideUL.exe to conceal RMM installs from Add/Remove Programs, and WebBrowserPassView to harvest credentials, with C2 notifications routed through Telegram bots. Defenders should explicitly allowlist approved RMM tools, treat unrecognized RMM activity as suspicious by default, monitor for unexpected MSI installations from user-writable paths, and reference lolrmm.io for visibility into commonly abused platforms.
</span>
</span>
</div>
</td></tr></tbody></table>
<table align="center" border="0" cellpadding="0" cellspacing="0" width="100%"><tbody><tr><td class="container" style="padding: 15px 15px;">
<div class="text-block">
<span>
<a href="https://tracking.tldrnewsletter.com/CL0/https:%2F%2Feclypsium.com%2Fblog%2Fcondibot-monaco-malware-network-infrastructure%2F%3Futm_source=tldrinfosec/1/0100019d0b5c5ce6-715f8b70-5dd7-4efd-9d1d-59ea0a05eaf0-000000/DdqP2GhIG9sOM80eaQBEfuGFrLmvQfdS_jHORgsBzy8=449">
<span>
<strong>New Malware Highlights Increased Systematic Targeting of Network Infrastructure (5 minute read)</strong>
</span>
</a>
<br>
<br>
<span style="font-family: "Helvetica Neue", Helvetica, Arial, Verdana, sans-serif;">
Eclypsium captured two previously undocumented malware variants on March 6: CondiBot, a Mirai-derived multi-architecture DDoS botnet (arm, mips, x86) with 32 registered attack handlers, competitive botnet killing, and C2 beaconing via port 20480 (0x5000) to 65.222.202.53; and Monaco, a Go 1.24.0 SSH scanner and XMRig-based Monero cryptominer attributed to a likely Chinese-speaking actor hosted on Alibaba Cloud (8.222.206.6), brute-forcing ~3.6 billion IPs with 50+ hardcoded credentials and reporting stolen creds back over raw TCP. Both variants exploit the EDR/XDR visibility gap on network appliances by operating below the OS layer. Defenders should monitor for /tmp/monaco, unauthorized chmod 777 operations, unexpected XMRig processes, and apply YARA rules from Eclypsium's full report to detect CondiBot artifacts including the "QTXBOT" string identifier.
</span>
</span>
</div>
</td></tr></tbody></table>
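The host indicators named in the summary above (a /tmp/monaco artifact, chmod 777 operations, unexpected XMRig processes, the "QTXBOT" string in a CondiBot sample) lend themselves to a quick triage script. The POSIX shell script below is an added example, not Eclypsium's tooling or its YARA rules: the process listing and command log it checks are constructed samples, the /opt/.x/xmrig and /tmp/.w paths in those samples are invented, and the only host paths it probes are the ones the summary names.

```shell
#!/bin/sh
# Added triage helper, not Eclypsium's tooling or YARA rules: it checks for the
# indicators the summary names (a /tmp/monaco artifact, chmod 777 operations,
# XMRig processes, the "QTXBOT" string in a suspect binary). Run with --live to
# inspect the current host; without arguments it runs against constructed samples.

# Constructed process listing, shaped like `ps -eo pid,user,args` output minus its header.
SAMPLE_PS='1234 root /usr/sbin/sshd -D
2345 nobody /tmp/monaco
3456 nobody /opt/.x/xmrig -o pool.example.invalid:3333
4567 root /usr/sbin/cron'

# Constructed command lines, as recovered from shell history or an audit proctitle field.
SAMPLE_CMDS='chmod 755 /usr/local/bin/healthcheck
chmod 777 /tmp/monaco
chmod -R 777 /tmp/.w
./monaco --scan'

# Print "PID COMMAND" for each process whose executable is xmrig or the /tmp/monaco binary.
suspicious_procs() {
  printf '%s\n' "$1" | awk '$3 ~ /(^|\/)xmrig$/ || $3 == "/tmp/monaco" { print $1, $3 }'
}

# Count chmod invocations that set world-writable, world-executable mode 777
# (optional flags such as -R are allowed between the command and the mode).
count_chmod_777() {
  printf '%s\n' "$1" \
    | grep -c -E '(^|[[:space:];&|])chmod([[:space:]]+-[A-Za-z]+)*[[:space:]]+0?777([[:space:]]|$)' \
    || true
}

# Succeed when a file contains the "QTXBOT" identifier; -a scans binaries as text.
has_qtxbot_marker() {
  grep -q -a 'QTXBOT' "$1"
}

# Succeed when the Monaco artifact path exists (defaults to /tmp/monaco).
monaco_artifact_present() {
  [ -e "${1:-/tmp/monaco}" ]
}

if [ "${1:-}" = "--live" ]; then
  echo "== suspicious processes on this host =="
  suspicious_procs "$(ps -eo pid,user,args | tail -n +2)"
  if monaco_artifact_present; then
    echo "ALERT: /tmp/monaco exists"
    if has_qtxbot_marker /tmp/monaco; then echo "ALERT: QTXBOT marker in /tmp/monaco"; fi
  fi
else
  echo "== suspicious processes in sample listing =="
  suspicious_procs "$SAMPLE_PS"
  echo "chmod 777 invocations in sample command log: $(count_chmod_777 "$SAMPLE_CMDS")"
fi
```

The process check keys on the executable path rather than a substring of the whole command line, so a legitimate process that merely mentions "xmrig" in an argument (a scanner, for instance) is not flagged; the chmod check tolerates flags between the command and the mode but rejects modes such as 7777 that only happen to contain the digits.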
<table align="center" border="0" cellpadding="0" cellspacing="0" width="100%"><tbody><tr><td class="container" style="padding: 15px 15px;">
<div class="text-block">
<span>
<a href="https://tracking.tldrnewsletter.com/CL0/https:%2F%2Flinks.tldrnewsletter.com%2FF9Dm0Z/1/0100019d0b5c5ce6-715f8b70-5dd7-4efd-9d1d-59ea0a05eaf0-000000/TqRo5-_NmwuuDuFWQxOFWSHV4Ktt9ooVXUN2ZTnZ1NE=449">
<span>
<strong>AWS Security Agent - Penetration Testing Overview (6 minute read)</strong>
</span>
</a>
<br>
<br>
<span style="font-family: "Helvetica Neue", Helvetica, Arial, Verdana, sans-serif;">
AWS Security Agent allows customers to launch automated, agentic penetration tests on sites that they own. This post walks through setting it up to scan DVWA running on an EC2 instance. The author was impressed by the presentation of the findings, which include PoCs and verification, and felt that it can definitely augment penetration tests and reduce time to test, but noted that improvements are still needed, such as the ability to export results as a PDF.
</span>
</span>
</div>
</td></tr></tbody></table>
</td></tr></tbody></table>
<table align="center" bgcolor="" border="0" cellpadding="0" cellspacing="0" width="100%"><tbody><tr><td class="container" style="padding-top: 0px; padding-bottom: 0px;">
<div class="text-block">
<div style="text-align: center;"><span style="font-size: 36px;">🧑‍💻</span></div>
</div>
</td></tr></tbody></table>
<table align="center" bgcolor="" border="0" cellpadding="0" cellspacing="0" width="100%"><tbody><tr><td class="container" style="padding-top: 0px; padding-bottom: 0px;">
<div class="text-block">
<div style="text-align: center;">
<h1><strong>Launches & Tools</strong></h1>
</div>
</div>
</td></tr></tbody></table>
<table style="table-layout: fixed; width: 100%;" width="100%"><tbody><tr><td style="padding:0;border-collapse:collapse;border-spacing:0;margin:0;" valign="top">
<table align="center" border="0" cellpadding="0" cellspacing="0" width="100%"><tbody><tr><td class="container" style="padding: 15px 15px;">
<div class="text-block">
<span>
<a href="https://tracking.tldrnewsletter.com/CL0/https:%2F%2Fchronosphere.io%2Fresource%2Fthe-security-teams-guide-to-reducing-siem-costs%2F%3Futm_source=tldr-infosec%26utm_medium=newsletter/1/0100019d0b5c5ce6-715f8b70-5dd7-4efd-9d1d-59ea0a05eaf0-000000/RysIfqADd2iJkGLJGvA8kvpVJQM8szjOEbfIvSrEB2c=449">
<span>
<strong>Log volumes are up 250%, but your SIEM bill doesn't have to go in the same direction (Sponsor)</strong>
</span>
</a>
<br>
<br>
<span style="font-family: "Helvetica Neue", Helvetica, Arial, Verdana, sans-serif;">
The math on centralizing every log in your SIEM stopped working a while ago. In this webinar, Chronosphere, a Palo Alto Networks Company, and Google Cloud break down how to <a href="https://tracking.tldrnewsletter.com/CL0/https:%2F%2Fchronosphere.io%2Fresource%2Fthe-security-teams-guide-to-reducing-siem-costs%2F%3Futm_source=tldr-infosec%26utm_medium=newsletter/2/0100019d0b5c5ce6-715f8b70-5dd7-4efd-9d1d-59ea0a05eaf0-000000/u-wqR6oje8XNUDwXlTTS0k_LW-Zkd9Wrlu21_aCuKqU=449" rel="noopener noreferrer nofollow" target="_blank"><span>build a telemetry pipeline</span></a> that cuts ingestion costs without sacrificing detection coverage, covering filtering strategies, field reduction, and common architectural pitfalls. <a href="https://tracking.tldrnewsletter.com/CL0/https:%2F%2Fchronosphere.io%2Fresource%2Fthe-security-teams-guide-to-reducing-siem-costs%2F%3Futm_source=tldr-infosec%26utm_medium=newsletter/3/0100019d0b5c5ce6-715f8b70-5dd7-4efd-9d1d-59ea0a05eaf0-000000/i8tyExd6pR76HG5Qug39P1OfCrm1Wu2ZRvSaee5Gwoo=449" rel="noopener noreferrer nofollow" target="_blank"><span>Watch the on-demand webinar.</span></a>
</span>
</span>
</div>
</td></tr></tbody></table>
<table align="center" border="0" cellpadding="0" cellspacing="0" width="100%"><tbody><tr><td class="container" style="padding: 15px 15px;">
<div class="text-block">
<span>
<a href="https://tracking.tldrnewsletter.com/CL0/https:%2F%2Fgithub.com%2Fpompelmi%2Fpompelmi%3Futm_source=tldrinfosec/1/0100019d0b5c5ce6-715f8b70-5dd7-4efd-9d1d-59ea0a05eaf0-000000/NR9qVZ3SNg3hCSeu2XKtDd7VVN5uCC6uTg4Ym359ew0=449">
<span>
<strong>Pompelmi (GitHub Repo)</strong>
</span>
</a>
<br>
<br>
<span style="font-family: "Helvetica Neue", Helvetica, Arial, Verdana, sans-serif;">
Pompelmi is an open-source Node.js upload security library that performs local, in-process scanning for spoofed files, archive bombs (ZIP traversal and nesting), polyglots, and script-bearing document structures without requiring a cloud API or daemon. It exposes typed verdicts with structured reasons for allow, quarantine, and reject flows, and ships framework adapters for Express, Next.js, NestJS, Koa, and Fastify with optional YARA and ClamAV integration.
</span>
</span>
</div>
</td></tr></tbody></table>
<table align="center" border="0" cellpadding="0" cellspacing="0" width="100%"><tbody><tr><td class="container" style="padding: 15px 15px;">
<div class="text-block">
<span>
<a href="https://tracking.tldrnewsletter.com/CL0/https:%2F%2Fgithub.com%2Fsublime-security%2Fics-phishing-toolkit%3Futm_source=tldrinfosec/1/0100019d0b5c5ce6-715f8b70-5dd7-4efd-9d1d-59ea0a05eaf0-000000/5lK8Gge1IJAQ9wEQ-a4J-yZH3meRpQRzDgEH0x6a_zw=449">
<span>
<strong>ics-phishing-toolkit (GitHub Repo)</strong>
</span>
</a>
<br>
<br>
<span style="font-family: "Helvetica Neue", Helvetica, Arial, Verdana, sans-serif;">
ics-phishing-toolkit is a toolkit for remediating malicious calendar invites, aimed at teams whose email platform does not natively remediate them.
</span>
</span>
</div>
</td></tr></tbody></table>
<table align="center" border="0" cellpadding="0" cellspacing="0" width="100%"><tbody><tr><td class="container" style="padding: 15px 15px;">
<div class="text-block">
<span>
<a href="https://tracking.tldrnewsletter.com/CL0/https:%2F%2Fgithub.com%2F0xjet%2Ftuxid%3Futm_source=tldrinfosec/1/0100019d0b5c5ce6-715f8b70-5dd7-4efd-9d1d-59ea0a05eaf0-000000/h37aDW5tbWgaqyXdkcswSw4C3aPhcByNz91YD7-rhNg=449">
<span>
<strong>tuxid (GitHub Repo)</strong>
</span>
</a>
<br>
<br>
<span style="font-family: "Helvetica Neue", Helvetica, Arial, Verdana, sans-serif;">
tuxid is a lightweight, POSIX-compliant shell script that collects hardware, system, and network signals to generate a unique, reproducible fingerprint for a Linux machine.
</span>
</span>
</div>
</td></tr></tbody></table>
</td></tr></tbody></table>
<table align="center" bgcolor="" border="0" cellpadding="0" cellspacing="0" width="100%"><tbody><tr><td class="container" style="padding-top: 0px; padding-bottom: 0px;">
<div class="text-block">
<div style="text-align: center;"><span style="font-size: 36px;"></span></div></div>
</td></tr></tbody></table>
<table align="center" bgcolor="" border="0" cellpadding="0" cellspacing="0" width="100%"><tbody><tr><td class="container" style="padding-top: 0px; padding-bottom: 0px;">
<div class="text-block">
<div style="text-align: center;"><h1><strong>Miscellaneous</strong></h1></div>
</div>
</td></tr></tbody></table>
<table bgcolor="" style="table-layout: fixed; width: 100%;" width="100%"><tbody><tr><td style="padding:0;border-collapse:collapse;border-spacing:0;margin:0;" valign="top">
<table align="center" border="0" cellpadding="0" cellspacing="0" width="100%"><tbody><tr><td class="container" style="padding: 15px 15px;">
<div class="text-block">
<span>
<a href="https://tracking.tldrnewsletter.com/CL0/https:%2F%2Fthehackernews.com%2F2026%2F03%2Fofac-sanctions-dprk-it-worker-network.html%3Futm_source=tldrinfosec/1/0100019d0b5c5ce6-715f8b70-5dd7-4efd-9d1d-59ea0a05eaf0-000000/tEt8xNedmv3TsB5LosyZChnNcuvy1zsDFAIDdGQJwj8=449">
<span>
<strong>OFAC Sanctions DPRK IT Worker Network Funding WMD Programs Through Fake Remote Jobs (4 minute read)</strong>
</span>
</a>
<br>
<br>
<span style="font-family: "Helvetica Neue", Helvetica, Arial, Verdana, sans-serif;">
OFAC sanctioned six individuals and two entities tied to the DPRK IT worker scheme (Coral Sleet/Jasper Sleet/Wagemole), which uses stolen identities, AI-generated personas, and Faceswap-altered documents to place North Korean operatives at Western companies, funneling salaries back to fund WMD programs. The operation runs through a multi-tiered structure of recruiters, facilitators, and Western collaborators sourced via LinkedIn and GitHub, with operators tunneling traffic through Astrill VPN's US exit nodes from China-based infrastructure to masquerade as domestic employees. Post-access activity included proprietary data theft, extortion, and the use of agentic AI to generate and refine malware components. Microsoft has advised defenders to treat these intrusions as insider-risk scenarios and to monitor for abnormal credential use and low-and-slow access patterns.
</span>
</span>
</div>
</td></tr></tbody></table>
<table align="center" border="0" cellpadding="0" cellspacing="0" width="100%"><tbody><tr><td class="container" style="padding: 15px 15px;">
<div class="text-block">
<span>
<a href="https://tracking.tldrnewsletter.com/CL0/https:%2F%2Farstechnica.com%2Finformation-technology%2F2026%2F03%2Ffederal-cyber-experts-called-microsofts-cloud-a-pile-of-shit-approved-it-anyway%2F%3Futm_source=tldrinfosec/1/0100019d0b5c5ce6-715f8b70-5dd7-4efd-9d1d-59ea0a05eaf0-000000/K7oVbhdf-WffLYk0g3oz8O9POR-sDFQntm_pTdDpux8=449">
<span>
<strong>Federal cyber experts called Microsoft's cloud a "pile of shit," approved it anyway (7 minute read)</strong>
</span>
</a>
<br>
<br>
<span style="font-family: "Helvetica Neue", Helvetica, Arial, Verdana, sans-serif;">
FedRAMP spent nearly five years, 480 hours of review time, and 18 technical deep-dive sessions attempting to obtain basic data flow diagrams from Microsoft for its Government Community Cloud High (GCC High) offering, used by the Justice and Energy departments to protect information whose exposure "could be expected to have a severe or catastrophic adverse effect" on government operations. Microsoft's third-party assessors, Coalfire and Kratos, privately back-channeled to FedRAMP that it was "difficult to impossible" to obtain sufficient documentation, while a 2024 review team found fundamental issues with vulnerability remediation and scanning in Exchange Online and Teams alone, yet FedRAMP authorized GCC High on December 26, 2024, solely because widespread federal and defense-sector deployment made rejection impractical. DOGE has since gutted FedRAMP to a $10M annual budget with a skeleton staff, effectively reducing the program to a rubber stamp. At the same time, agencies are being pushed to adopt cloud-based AI tools handling reams of sensitive government data.
</span>
</span>
</div>
</td></tr></tbody></table>
<table align="center" border="0" cellpadding="0" cellspacing="0" width="100%"><tbody><tr><td class="container" style="padding: 15px 15px;">
<div class="text-block">
<span>
<a href="https://tracking.tldrnewsletter.com/CL0/https:%2F%2Ftechcrunch.com%2F2026%2F03%2F18%2Fmeta-is-having-trouble-with-rogue-ai-agents%2F%3Futm_source=tldrinfosec/1/0100019d0b5c5ce6-715f8b70-5dd7-4efd-9d1d-59ea0a05eaf0-000000/oXb4eFoeqr30aOE_f2qujoEiN-I08sw6T-nIGM4xqzY=449">
<span>
<strong>Meta is Having Trouble with Rogue AI Agents (2 minute read)</strong>
</span>
</a>
<br>
<br>
<span style="font-family: "Helvetica Neue", Helvetica, Arial, Verdana, sans-serif;">
After a Meta employee posted a question on an internal forum, another engineer asked an AI agent to analyze the question, and the agent posted a response without the engineer's approval. The original poster acted on this advice and inadvertently exposed massive amounts of company and user data to engineers who were not authorized to access it. This follows a post last month by a safety and alignment director at Meta Superintelligence reporting that an OpenClaw agent deleted her entire inbox despite being instructed to request confirmation before acting.
</span>
</span>
</div>
</td></tr></tbody></table>
</td></tr></tbody></table>
<table align="center" bgcolor="" border="0" cellpadding="0" cellspacing="0" width="100%"><tbody><tr><td class="container" style="padding-top: 0px; padding-bottom: 0px;">
<div class="text-block">
<div style="text-align: center;"><span style="font-size: 36px;">⚡</span></div></div>
</td></tr></tbody></table>
<table align="center" bgcolor="" border="0" cellpadding="0" cellspacing="0" width="100%"><tbody><tr><td class="container" style="padding-top: 0px; padding-bottom: 0px;">
<div class="text-block">
<div style="text-align: center;">
<h1><strong>Quick Links</strong></h1>
</div>
</div>
</td></tr></tbody></table>
<table bgcolor="" style="table-layout: fixed; width: 100%;" width="100%"><tbody><tr><td style="padding:0;border-collapse:collapse;border-spacing:0;margin:0;" valign="top">
<table align="center" border="0" cellpadding="0" cellspacing="0" width="100%"><tbody><tr><td class="container" style="padding: 15px 15px;">
<div class="text-block">
<span>
<a href="https://tracking.tldrnewsletter.com/CL0/https:%2F%2Fwww.theregister.com%2F2026%2F03%2F18%2Fresearchers_lift_the_lid_on%2F%3Futm_source=tldrinfosec/1/0100019d0b5c5ce6-715f8b70-5dd7-4efd-9d1d-59ea0a05eaf0-000000/vV145XsWt0mY-Qp7YrMSEyI1eAOwP9_32gZ4XEtEQjg=449">
<span>
<strong>North Korea's 100,000-strong fake IT worker army rake in $500M a year for Kim Jong Un (2 minute read)</strong>
</span>
</a>
<br>
<br>
<span style="font-family: "Helvetica Neue", Helvetica, Arial, Verdana, sans-serif;">
IBM X-Force and Flare Research mapped the full org chart of North Korea's fake IT worker operation, revealing 100,000+ workers across 40 countries earning $500M annually for Pyongyang via a structured hierarchy of recruiters, facilitators, and Western collaborators using tools like OConnect VPN and IP Messenger to secure and maintain remote IT roles at Western companies.
</span>
</span>
</div>
</td></tr></tbody></table>
<table align="center" border="0" cellpadding="0" cellspacing="0" width="100%"><tbody><tr><td class="container" style="padding: 15px 15px;">
<div class="text-block">
<span>
<a href="https://tracking.tldrnewsletter.com/CL0/https:%2F%2Fwww.csoonline.com%2Farticle%2F4147874%2Fthat-cheap-kvm-device-could-expose-your-network-to-remote-compromise.html%3Futm_source=tldrinfosec/1/0100019d0b5c5ce6-715f8b70-5dd7-4efd-9d1d-59ea0a05eaf0-000000/jFugHhRRC3WMun1kOI2lPoUJZePA_QqW-z61Az7Qy4A=449">
<span>
<strong>That cheap KVM device could expose your network to remote compromise (2 minute read)</strong>
</span>
</a>
<br>
<br>
<span style="font-family: 'Helvetica Neue', Helvetica, Arial, Verdana, sans-serif;">
Eclypsium disclosed nine vulnerabilities across four low-cost KVM-over-IP devices from GL-iNet, Angeet/Yeeso, Sipeed, and JetKVM, including a CVSS 9.8 pre-auth RCE chain in the Angeet/Yeeso ES3 and unsigned firmware update mechanisms that could allow backdoored images to be installed.
</span>
</span>
</div>
</td></tr></tbody></table>
<table align="center" border="0" cellpadding="0" cellspacing="0" width="100%"><tbody><tr><td class="container" style="padding: 15px 15px;">
<div class="text-block">
<span>
<a href="https://tracking.tldrnewsletter.com/CL0/https:%2F%2Fsecurityaffairs.com%2F189689%2Fsecurity%2Fcritical-ubiquiti-unifi-unifi-security-flaw-allows-potential-account-hijacking.html%3Futm_source=tldrinfosec/1/0100019d0b5c5ce6-715f8b70-5dd7-4efd-9d1d-59ea0a05eaf0-000000/JehOv3N9SFLQThEThpGAHftEyUD_tX_7yUCZbAlNQnM=449">
<span>
<strong>Critical Ubiquiti UniFi UniFi security flaw allows potential account hijacking (1 minute read)</strong>
</span>
</a>
<br>
<br>
<span style="font-family: 'Helvetica Neue', Helvetica, Arial, Verdana, sans-serif;">
Ubiquiti patched CVE-2026-22557 (CVSS 10.0), a path traversal flaw in UniFi Network Application v10.1.85 and earlier that enables account takeover, alongside CVE-2026-22558 (CVSS 7.7), an authenticated NoSQL injection that enables privilege escalation.
</span>
</span>
</div>
</td></tr></tbody></table>
</td></tr></tbody></table>
<table align="center" bgcolor="" border="0" cellpadding="0" cellspacing="0" width="100%"><tbody><tr><td align="left" style="word-break: break-word; vertical-align: top; padding: 5px 10px;">
<p style="padding: 0; margin: 0; font-size: 22px; color: #000000; line-height: 1.6; font-weight: bold;">
Love TLDR? Tell your friends and get rewards!
</p>
</td></tr>
<tr><td class="container" style="padding: 0px 10px 15px;">
<div class="text-block">
Share your referral link below with friends to get free TLDR swag!
</div>
</td></tr>
<tr><td align="left" style="padding: 10px;">
<div class="text-block">
<a href="https://tracking.tldrnewsletter.com/CL0/https:%2F%2Frefer.tldr.tech%2F78de0e20%2F8/1/0100019d0b5c5ce6-715f8b70-5dd7-4efd-9d1d-59ea0a05eaf0-000000/6TXeWiBcU_FNI_WUpnA7-hJIogMCyrsLRu6GFw2pZmE=449" style="color: #464ba4; text-decoration: underline;">https://refer.tldr.tech/78de0e20/8</a>
</div>
</td></tr>
<tr><td align="left" style="padding:5px 10px;">
<a href="https://tracking.tldrnewsletter.com/CL0/https:%2F%2Fhub.sparklp.co%2Fsub_d62447d5a74a%2F8/1/0100019d0b5c5ce6-715f8b70-5dd7-4efd-9d1d-59ea0a05eaf0-000000/rvRC0uNy7uCHpKoJm-1pITZ0gEmgwHogQqCpZmWSFI0=449" style="font-size: 16px; line-height: 1.6; padding: 10px 0; display: inline-block; text-decoration: underline;"><span style="mso-text-raise:13pt; text-decoration: underline;">Track your referrals here.</span></a>
</td></tr></tbody></table>
<table align="center" bgcolor="" border="0" cellpadding="0" cellspacing="0" width="100%"><tbody><tr><td align="left" style="word-break: break-word; vertical-align: top; padding: 5px 10px;">
<p style="padding: 0; margin: 0; font-size: 22px; color: #000000; line-height: 1.6; font-weight: bold;">
Want to advertise in TLDR?
</p>
<div class="text-block" style="margin-top: 10px;">
If your company is interested in reaching an audience of cybersecurity professionals and decision makers, you may want to <a href="https://tracking.tldrnewsletter.com/CL0/https:%2F%2Fadvertise.tldr.tech%2F%3Futm_source=tldrinfosec%26utm_medium=newsletter%26utm_campaign=advertisecta/1/0100019d0b5c5ce6-715f8b70-5dd7-4efd-9d1d-59ea0a05eaf0-000000/pVvusawI7df9Ib0gIJ6UJKTkdX7d0672sjEjbsObToc=449"><strong><span>advertise with us</span></strong></a>.
</div>
<br>
<p style="padding: 0; margin: 0; font-size: 22px; color: #000000; line-height: 1.6; font-weight: bold;">
Want to work at TLDR?
</p>
<div class="text-block" style="margin-top: 10px;">
<a href="https://tracking.tldrnewsletter.com/CL0/https:%2F%2Fjobs.ashbyhq.com%2Ftldr.tech/1/0100019d0b5c5ce6-715f8b70-5dd7-4efd-9d1d-59ea0a05eaf0-000000/8UFbYpaUP6Zy4kJg_UvCSl2n-MRdlB8PPO2o1NdeSeg=449" rel="noopener noreferrer" style="color: #0000EE; text-decoration: underline;" target="_blank"><strong>Apply here</strong></a>,
<a href="https://tracking.tldrnewsletter.com/CL0/https:%2F%2Fjobs.ashbyhq.com%2Ftldr.tech%2Fc227b917-a6a4-40ce-8950-d3e165357871/1/0100019d0b5c5ce6-715f8b70-5dd7-4efd-9d1d-59ea0a05eaf0-000000/KvXWR7lNNn_ynk-sfntmuak5Cucc5AyHogpyLdak1EY=449" rel="noopener noreferrer" style="color: #0000EE; text-decoration: underline;" target="_blank"><strong>create your own role</strong></a> or send a friend's resume to <a href="mailto:jobs@tldr.tech" style="color: #0000EE; text-decoration: underline;">jobs@tldr.tech</a> and get $1k if we hire them! TLDR is one of <a href="https://tracking.tldrnewsletter.com/CL0/https:%2F%2Fwww.linkedin.com%2Ffeed%2Fupdate%2Furn:li:activity:7401699691039830016%2F/1/0100019d0b5c5ce6-715f8b70-5dd7-4efd-9d1d-59ea0a05eaf0-000000/pSmThhLahA3m5jn2kYViIN_z83fCsGRB7bRLn7gnZvE=449" rel="noopener noreferrer" style="color: #0000EE; text-decoration: underline;" target="_blank"><strong>Inc.'s Best Bootstrapped businesses</strong></a> of 2025.
</div>
<br>
<div class="text-block">
If you have any comments or feedback, just respond to this email!
<br>
<br> Thanks for reading,
<br>
<a href="https://tracking.tldrnewsletter.com/CL0/https:%2F%2Fwww.linkedin.com%2Fin%2Fprasannagautam%2F/1/0100019d0b5c5ce6-715f8b70-5dd7-4efd-9d1d-59ea0a05eaf0-000000/PWmZ9yNOLtta2xL7f8axde-3VJ-O9sHHCu5dRcRXlvA=449"><span>Prasanna Gautam</span></a>, <a href="https://tracking.tldrnewsletter.com/CL0/https:%2F%2Fwww.linkedin.com%2Fin%2Fericfernandezdelcampo%2F/1/0100019d0b5c5ce6-715f8b70-5dd7-4efd-9d1d-59ea0a05eaf0-000000/fQrl2v1Y2utr_7x2Cn5J_BAxNeimTbzS6K7qwIpc0Cs=449"><span>Eric Fernandez</span></a> & <a href="https://tracking.tldrnewsletter.com/CL0/https:%2F%2Fwww.linkedin.com%2Fin%2Fsammy-tbeile%2F/1/0100019d0b5c5ce6-715f8b70-5dd7-4efd-9d1d-59ea0a05eaf0-000000/6Gos0sZ1BhPZeOe_uO_Hp4Eq5Hlg2imMTEZoaVGtQAM=449"><span>Sammy Tbeile</span></a>
<br>
<br>
</div>
<br>
</td></tr></tbody></table>
<table align="center" bgcolor="" border="0" cellpadding="0" cellspacing="0" width="100%"><tbody><tr><td class="container" style="padding: 15px 15px;">
<div class="text-block" id="testing-id">
<a href="https://tracking.tldrnewsletter.com/CL0/https:%2F%2Ftldr.tech%2Finfosec%2Fmanage%3Femail=silk.theater.56%2540fwdnl.com/1/0100019d0b5c5ce6-715f8b70-5dd7-4efd-9d1d-59ea0a05eaf0-000000/KP1o6rvmDFISK_A6X-vf8be289W30D2q9buwvdZQ9pA=449">Manage your subscriptions</a> to our other newsletters on tech, startups, and programming. Or if TLDR Information Security isn't for you, please <a href="https://tracking.tldrnewsletter.com/CL0/https:%2F%2Fa.tldrnewsletter.com%2Funsubscribe%3Fep=1%26l=8d9cea11-3e94-11ed-9a32-0241b9615763%26lc=156924ca-84b7-11f0-8d58-47c5c04ad337%26p=ae083170-2422-11f1-8908-83a884136b4b%26pt=campaign%26pv=4%26spa=1774011776%26t=1774012095%26s=79336bcac0594b7711f2255c5e3ff10e2491f5c9f1f5bda348568103c91a2e82/1/0100019d0b5c5ce6-715f8b70-5dd7-4efd-9d1d-59ea0a05eaf0-000000/KfrETEmrc1esBLITYWHzAUnHr5I-qSTNFHmMWUZ_xl8=449">unsubscribe</a>.
<br>
</div>
</td></tr></tbody></table>
</td></tr></tbody></table>
</td></tr></tbody></table>
</td></tr></tbody></table>
</td></tr></tbody></table>
</body></html>