<!DOCTYPE html><html lang="en"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><meta charset="UTF-8"><meta name="viewport" content="width=device-width"><meta name="x-apple-disable-message-reformatting"><title>TLDR InfoSec</title><meta name="color-scheme" content="light dark"><meta name="supported-color-schemes" content="light dark"><style type="text/css">
:root {
color-scheme: light dark; supported-color-schemes: light dark;
}
*,
*:after,
*:before {
-webkit-box-sizing: border-box; -moz-box-sizing: border-box; box-sizing: border-box;
}
* {
-ms-text-size-adjust: 100%; -webkit-text-size-adjust: 100%;
}
html,
body,
.document {
width: 100% !important; height: 100% !important; margin: 0; padding: 0;
}
body {
-webkit-font-smoothing: antialiased; -moz-osx-font-smoothing: grayscale; text-rendering: optimizeLegibility;
}
div[style*="margin: 16px 0"] {
margin: 0 !important;
}
table,
td {
mso-table-lspace: 0pt; mso-table-rspace: 0pt;
}
table {
border-spacing: 0; border-collapse: collapse; table-layout: fixed; margin: 0 auto;
}
img {
-ms-interpolation-mode: bicubic; max-width: 100%; border: 0;
}
*[x-apple-data-detectors] {
color: inherit !important; text-decoration: none !important;
}
.x-gmail-data-detectors,
.x-gmail-data-detectors *,
.aBn {
border-bottom: 0 !important; cursor: default !important;
}
.btn {
-webkit-transition: all 200ms ease; transition: all 200ms ease;
}
.btn:hover {
background-color: #f67575; border-color: #f67575;
}
* {
font-family: Arial, Helvetica, sans-serif; font-size: 18px;
}
@media screen and (max-width: 600px) {
.container {
width: 100%; margin: auto;
}
.stack {
display: block!important; width: 100%!important; max-width: 100%!important;
}
.btn {
display: block; width: 100%; text-align: center;
}
}
body,
p,
td,
tr,
.body,
table,
h1,
h2,
h3,
h4,
h5,
h6,
div,
span {
background-color: #FEFEFE !important; color: #010101 !important;
}
@media (prefers-color-scheme: dark) {
body,
p,
td,
tr,
.body,
table,
h1,
h2,
h3,
h4,
h5,
h6,
div,
span {
background-color: #27292D !important; color: #FEFEFE !important;
}
}
a {
color: inherit !important; text-decoration: underline !important;
}
</style><!--[if mso | ie]>
<style type="text/css">
a {
background-color: #FEFEFE !important; color: #010101 !important;
}
@media (prefers-color-scheme: dark) {
a {
background-color: #27292D !important; color: #FEFEFE !important;
}
}
</style>
<![endif]--></head><body class="">
<table align="center" class="document"><tbody><tr><td valign="top">
<table align="center" border="0" cellpadding="0" cellspacing="0" class="container" width="600"><tbody><tr class="inner-body"><td>
<table align="center" border="0" cellpadding="0" cellspacing="0" width="100%"><tbody><tr class="header"><td bgcolor="" class="container">
<table width="100%"><tbody><tr><td class="container">
<table align="center" bgcolor="" border="0" cellpadding="0" cellspacing="0" style="margin-top: 0px;" width="100%"><tbody><tr><td style="padding: 0px;">
<table align="center" bgcolor="" border="0" cellpadding="0" cellspacing="0" width="100%"><tbody><tr><td class="container" style="padding: 15px 15px;">
</td></tr></tbody></table>
<table align="center" bgcolor="" border="0" cellpadding="0" cellspacing="0" width="100%"><tbody><tr><td class="container" style="text-align: center;"><span data-darkreader-inline-color="" style="--darkreader-inline-color:#3db3ff; color: rgb(51, 175, 255) !important; font-size: 30px;">T</span><span style="font-size: 30px;"><span data-darkreader-inline-color="" style="color: rgb(232, 192, 96) !important; --darkreader-inline-color:#e8c163; font-size:30px;">L</span><span data-darkreader-inline-color="" style="color: rgb(101, 195, 173) !important; --darkreader-inline-color:#6ec7b2; font-size:30px;">D</span></span><span data-darkreader-inline-color="" style="--darkreader-inline-color:#dd6e6e; color: rgb(220, 107, 107) !important; font-size: 30px;">R</span>
<br>
</td></tr></tbody></table>
<br>
<table align="center" bgcolor="" border="0" cellpadding="0" cellspacing="0" width="100%"><tbody><tr id="together-with"><td align="center" height="20" style="vertical-align:middle !important;" valign="middle" width="100%"><strong style="vertical-align:middle !important; height: 100%;">Together With </strong>
<a href="https://tracking.tldrnewsletter.com/CL0/https:%2F%2F1password.com%2Fwebinars%2Fsolving-the-access-trust-gap-in-the-age-of-ai-and-automation%3Futm_medium=paid_newsletter%26utm_source=tldr%26utm_campaign=2026q1_unified-access_wb_solving-the-access-trust-gap-in-the-age-of-ai-and-automation_sa%26utm_content=newsletter_040726/1/0100019d680d739d-2c5cb41e-9ac2-491f-a5d7-41b401484440-000000/ZT2KLwrn1fDW7kEiamun3GVxI1U7Ab6cptB_O_Gnz1U=451"><img src="https://images.tldr.tech/1password-2.png" valign="middle" style="vertical-align: middle !important; height: 100%;" alt="1Password"></a></td></tr></tbody></table>
<table style="table-layout: fixed; width:100%;" width="100%"><tbody><tr><td style="padding:0;border-collapse:collapse;border-spacing:0;margin:0;">
<div style="text-align: center;">
<h1><strong>TLDR Information Security <span id="date">2026-04-07</span></strong></h1>
</div>
</td></tr></tbody></table>
<table style="table-layout: fixed; width:100%;" width="100%"><tbody><tr id="sponsy-copy"><td class="container" style="padding: 15px 15px;">
<div class="text-block">
<span>
<a href="https://tracking.tldrnewsletter.com/CL0/https:%2F%2F1password.com%2Fwebinars%2Fsolving-the-access-trust-gap-in-the-age-of-ai-and-automation%3Futm_medium=paid_newsletter%26utm_source=tldr%26utm_campaign=2026q1_unified-access_wb_solving-the-access-trust-gap-in-the-age-of-ai-and-automation_sa%26utm_content=newsletter_040726/2/0100019d680d739d-2c5cb41e-9ac2-491f-a5d7-41b401484440-000000/DVc8WHwHC5W-Aipn9kKU0mpE8aMZZCYx4kAP4H5i91w=451">
<span>
<strong>Webinar: Access management for AI agents (Sponsor)</strong>
</span>
</a>
<br>
<br>
<span style="font-family: 'Helvetica Neue', Helvetica, Arial, Verdana, sans-serif;">
AI agents and automation are reshaping access management. They use API tokens and service accounts across IDEs, scripts, and CI pipelines. These credentials are created on developer machines and used by machine workflows.<p></p><p>As AI adoption increases, security teams face growing secret sprawl outside the visibility of traditional controls.</p><p>In this webinar, we'll explore how organizations can adopt AI and automation without expanding credential risk.<br><br>Key Takeaways: </p><ul><li>Why AI agents and machine identities expand access risk</li><li>Where non-human credential blind spots emerge</li><li>How to secure credentials at time of use</li></ul><p><a href="https://tracking.tldrnewsletter.com/CL0/https:%2F%2F1password.com%2Fwebinars%2Fsolving-the-access-trust-gap-in-the-age-of-ai-and-automation%3Futm_medium=paid_newsletter%26utm_source=tldr%26utm_campaign=2026q1_unified-access_wb_solving-the-access-trust-gap-in-the-age-of-ai-and-automation_sa%26utm_content=newsletter_040726/3/0100019d680d739d-2c5cb41e-9ac2-491f-a5d7-41b401484440-000000/HoXw5xBlf__ntKQJhg5vAUuoLXo8OJutvPs7hAzfeX4=451" rel="noopener noreferrer nofollow" target="_blank"><span>Register now</span></a>
</p>
</span></span></div>
</td></tr></tbody></table>
</td></tr></tbody></table>
</td></tr></tbody></table>
</td></tr>
<tr bgcolor=""><td class="container">
<table align="center" bgcolor="" border="0" cellpadding="0" cellspacing="0" width="100%"><tbody><tr><td style="padding: 0px;">
<table align="center" bgcolor="" border="0" cellpadding="0" cellspacing="0" width="100%"><tbody><tr><td class="container" style="padding-top: 0px; padding-bottom: 0px;">
<div class="text-block">
<div style="text-align: center;"><span style="font-size: 36px;">π</span></div></div>
</td></tr></tbody></table>
<table align="center" bgcolor="" border="0" cellpadding="0" cellspacing="0" width="100%"><tbody><tr><td class="container" style="padding-top: 0px; padding-bottom: 0px;">
<div class="text-block">
<div style="text-align: center;">
<h1><strong>Attacks & Vulnerabilities</strong></h1>
</div>
</div>
</td></tr></tbody></table>
<table style="table-layout: fixed; width: 100%;" width="100%"><tbody><tr><td style="padding:0;border-collapse:collapse;border-spacing:0;margin:0;" valign="top">
<table align="center" border="0" cellpadding="0" cellspacing="0" width="100%"><tbody><tr><td class="container" style="padding: 15px 15px;">
<div class="text-block">
<span>
<a href="https://tracking.tldrnewsletter.com/CL0/https:%2F%2Fthehackernews.com%2F2026%2F04%2F36-malicious-npm-packages-exploited.html%3Futm_source=tldrinfosec/1/0100019d680d739d-2c5cb41e-9ac2-491f-a5d7-41b401484440-000000/yOx0rdyqQEUdPl8ezTMgAz2NPKHgPtEryQEe_FeEslU=451">
<span>
<strong>36 Malicious npm Packages Exploited Redis, PostgreSQL to Deploy Persistent Implants (4 minute read)</strong>
</span>
</a>
<br>
<br>
<span style="font-family: 'Helvetica Neue', Helvetica, Arial, Verdana, sans-serif;">
SafeDep discovered 36 typosquatting npm packages posing as Strapi CMS plugins, uploaded by four sock puppet accounts over 13 hours, with malicious code embedded in postinstall hooks that execute automatically on npm install. The payloads evolved across eight stages, progressing from Redis-based RCE and Docker container escapes to PostgreSQL credential harvesting, environment variable exfiltration, and a persistent implant targeting a specific hostname, suggesting a focused attack against a cryptocurrency platform. Developers using any of the flagged strapi-plugin-* packages should assume full compromise, rotate all credentials, and audit CI/CD pipelines for unauthorized reverse shell activity.
</span>
</span>
</div>
</td></tr></tbody></table>
<table align="center" border="0" cellpadding="0" cellspacing="0" width="100%"><tbody><tr><td class="container" style="padding: 15px 15px;">
<div class="text-block">
<span>
<a href="https://tracking.tldrnewsletter.com/CL0/https:%2F%2Fwww.businessinsider.com%2Fmeta-pauses-work-mercor-ai-training-investigating-data-breach-2026-4%3Futm_source=tldrinfosec/1/0100019d680d739d-2c5cb41e-9ac2-491f-a5d7-41b401484440-000000/gUQ2BKBMpGJ2LhRkhN23Z70upJnaFKaOQ3797338c3U=451">
<span>
<strong>Meta Paused its Work With AI Training Startup Mercor After a Data Breach (2 minute read)</strong>
</span>
</a>
<br>
<br>
<span style="font-family: 'Helvetica Neue', Helvetica, Arial, Verdana, sans-serif;">
Meta has announced that it paused all work with Mercor, which uses thousands of human contractors and experts to help companies train models. Mercor separately confirmed that it suffered a breach due to the LiteLLM supply chain attack. The Lapsus$ hacking group has claimed to have stolen 4TB of data from Mercor.
</span>
</span>
</div>
</td></tr></tbody></table>
<table align="center" border="0" cellpadding="0" cellspacing="0" width="100%"><tbody><tr><td class="container" style="padding: 15px 15px;">
<div class="text-block">
<span>
<a href="https://tracking.tldrnewsletter.com/CL0/https:%2F%2Flinks.tldrnewsletter.com%2F0cMWF1/1/0100019d680d739d-2c5cb41e-9ac2-491f-a5d7-41b401484440-000000/Q2Nw2QYzOK_Y0IyzsJ4EsgIi5oJX2GPO1w_sJfKlvME=451">
<span>
<strong>Disgruntled Researcher Leaks "BlueHammer" Windows Zero-Day Exploit (2 minute read)</strong>
</span>
</a>
<br>
<br>
<span style="font-family: 'Helvetica Neue', Helvetica, Arial, Verdana, sans-serif;">
A disgruntled security researcher going by Chaotic Eclipse publicly released details of a new Windows zero-day called BlueHammer. The vulnerability is a local privilege escalation that combines a time-of-check to time-of-use (TOCTOU) race with a path confusion to grant a local user access to the Security Account Manager (SAM) database. Chaotic Eclipse expressed frustration with how the Microsoft Security Response Center (MSRC) handled the report, but didn't provide details.
</span>
</span>
</div>
</td></tr></tbody></table>
</td></tr></tbody></table>
<table align="center" bgcolor="" border="0" cellpadding="0" cellspacing="0" width="100%"><tbody><tr><td class="container" style="padding-top: 0px; padding-bottom: 0px;">
<div class="text-block">
<div style="text-align: center;"><span style="font-size: 36px;">π§ </span></div>
</div>
</td></tr></tbody></table>
<table align="center" bgcolor="" border="0" cellpadding="0" cellspacing="0" width="100%"><tbody><tr><td class="container" style="padding-top: 0px; padding-bottom: 0px;">
<div class="text-block">
<div style="text-align: center;">
<h1><strong>Strategies & Tactics</strong></h1>
</div>
</div>
</td></tr></tbody></table>
<table style="table-layout: fixed; width: 100%;" width="100%"><tbody><tr><td style="padding:0;border-collapse:collapse;border-spacing:0;margin:0;" valign="top">
<table align="center" border="0" cellpadding="0" cellspacing="0" width="100%"><tbody><tr><td class="container" style="padding: 15px 15px;">
<div class="text-block">
<span>
<a href="https://tracking.tldrnewsletter.com/CL0/https:%2F%2Fandywgrant.substack.com%2Fp%2Fits-more-than-saying-no%3Futm_source=tldrinfosec/1/0100019d680d739d-2c5cb41e-9ac2-491f-a5d7-41b401484440-000000/dIaNhbC0biRB151KMRpw99E8hRSacfcx_2IyYp3G1HM=451">
<span>
<strong>It's More Than Saying No (4 minute read)</strong>
</span>
</a>
<br>
<br>
<span style="font-family: 'Helvetica Neue', Helvetica, Arial, Verdana, sans-serif;">
Offensive security teams degrade not through single bad decisions but through accumulated scope creep, shifting from discovering unknown unknowns to validating known knowns as reactive inbound requests gradually replace intuition-driven exploration. The prescribed countermeasure is proactive rather than defensive: get ahead of leadership's concerns by tracking upcoming releases and new trust boundaries, form an initial point of view before the request arrives, and reframe incoming asks from task execution into risk investigation so the team retains control of the problem framing. The core operational principle is that the work a team repeatedly accepts determines what that team becomes, making scope discipline a capability preservation strategy rather than a management preference.
</span>
</span>
</div>
</td></tr></tbody></table>
<table align="center" border="0" cellpadding="0" cellspacing="0" width="100%"><tbody><tr><td class="container" style="padding: 15px 15px;">
<div class="text-block">
<span>
<a href="https://tracking.tldrnewsletter.com/CL0/https:%2F%2Fwww.buchodi.com%2Fcracking-a-malvertising-dga-from-the-device-side%2F%3Futm_source=tldrinfosec/1/0100019d680d739d-2c5cb41e-9ac2-491f-a5d7-41b401484440-000000/9qONYSJT7p91zPVhq9xDRF6yyF_YZ7nchzIfOyO20Ms=451">
<span>
<strong>Cracking a Malvertising DGA From the Device Side (8 minute read)</strong>
</span>
</a>
<br>
<br>
<span style="font-family: 'Helvetica Neue', Helvetica, Arial, Verdana, sans-serif;">
Piracy streaming sites load cross-site JavaScript from rapidly rotating Domain Generation Algorithm (DGA) domains on .cfd, .rest, and .cyou, injected via embeds on stream.sanction.tv, with anti-debugging scripts to block browser analysis. The author recovered the obfuscated DGA config from the embedded HTML, documented the 3-hour time-bucketed SHA-256 scheme, and validated it against observed traffic. With the seeds and the custom base32 alphabet in hand, defenders can precompute and block current and future campaign domains and tie them back to specific piracy referrers.
</span>
</span>
</div>
</td></tr></tbody></table>
<table align="center" border="0" cellpadding="0" cellspacing="0" width="100%"><tbody><tr><td class="container" style="padding: 15px 15px;">
<div class="text-block">
<span>
<a href="https://tracking.tldrnewsletter.com/CL0/https:%2F%2Fwww.detectionengineering.net%2Fp%2Fwhat-are-composite-detections%3Futm_source=tldrinfosec/1/0100019d680d739d-2c5cb41e-9ac2-491f-a5d7-41b401484440-000000/qdJYG0HqeLRmPCR4QSvI1T1-esF5z3XvYQ2HEWhADNU=451">
<span>
<strong>What are Composite Detections? (5 minute read)</strong>
</span>
</a>
<br>
<br>
<span style="font-family: 'Helvetica Neue', Helvetica, Arial, Verdana, sans-serif;">
Composite detection rules attempt to reduce the false positives of atomic detections by adding context to alerts: they correlate multiple actions to build a story of an incident rather than alerting on a single event. The tradeoff is that they require more complex logic and tuning.
</span>
</span>
</div>
</td></tr></tbody></table>
</td></tr></tbody></table>
<table align="center" bgcolor="" border="0" cellpadding="0" cellspacing="0" width="100%"><tbody><tr><td class="container" style="padding-top: 0px; padding-bottom: 0px;">
<div class="text-block">
<div style="text-align: center;"><span style="font-size: 36px;">π§βπ»</span></div>
</div>
</td></tr></tbody></table>
<table align="center" bgcolor="" border="0" cellpadding="0" cellspacing="0" width="100%"><tbody><tr><td class="container" style="padding-top: 0px; padding-bottom: 0px;">
<div class="text-block">
<div style="text-align: center;">
<h1><strong>Launches & Tools</strong></h1>
</div>
</div>
</td></tr></tbody></table>
<table style="table-layout: fixed; width: 100%;" width="100%"><tbody><tr><td style="padding:0;border-collapse:collapse;border-spacing:0;margin:0;" valign="top">
<table align="center" border="0" cellpadding="0" cellspacing="0" width="100%"><tbody><tr><td class="container" style="padding: 15px 15px;">
<div class="text-block">
<span>
<a href="https://tracking.tldrnewsletter.com/CL0/https:%2F%2Fgithub.com%2Fsimonw%2Fscan-for-secrets%3Futm_source=tldrinfosec/1/0100019d680d739d-2c5cb41e-9ac2-491f-a5d7-41b401484440-000000/kOXfWy7FcX4TeyAbz6yfgQf1jagvZ8VZNxlVVIwtwDQ=451">
<span>
<strong>scan-for-secrets (GitHub Repo)</strong>
</span>
</a>
<br>
<br>
<span style="font-family: 'Helvetica Neue', Helvetica, Arial, Verdana, sans-serif;">
A focused Python CLI and library from Simon Willison designed to audit files and directories for known secrets before sharing them, checking each secret across five encoding variants (literal, JSON, URL percent-encoding, HTML entities, and Unicode escape) to catch values that would survive a naive string match. The tool ships with a --redact flag that rewrites matches in-place across all encoded forms after confirmation, a shell-based config file for pulling secrets from 1Password, AWS credentials, or llm keys, and a streaming Python API suitable for CI integration. This is not a pattern-based or entropy scanner and will not detect secrets that were not explicitly given, so it complements rather than replaces tools like truffleHog or gitleaks and is best positioned as a pre-publish sanity check for agentic coding session logs.
</span>
</span>
</div>
</td></tr></tbody></table>
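The multi-encoding check described above, as an added example that is not the scan-for-secrets project's own code: it expands each known secret into the five encoded forms, scans constructed sample text for any of them, and redacts every form. The exact encoding rules (what the JSON, HTML and Unicode-escape variants look like) are this example's assumptions, not the tool's.

```python
"""Added example: find known secrets in text under several encodings and redact them."""
import html
import json
import re
from typing import Dict, List, Tuple
from urllib.parse import quote


def encoded_variants(secret: str) -> Dict[str, str]:
    """Return the distinct encoded forms a known secret could take in a file.

    Variant definitions are assumptions of this example; forms that collapse to
    the literal value (e.g. JSON for a plain ASCII key) are dropped so the
    scanner does not report the same hit twice.
    """
    candidates = {
        "literal": secret,
        # Body of a JSON string: json.dumps escapes quotes and backslashes.
        "json": json.dumps(secret)[1:-1],
        # URL percent-encoding of every reserved character.
        "url": quote(secret, safe=""),
        # HTML entities for & < > " and '.
        "html": html.escape(secret, quote=True),
        # \uXXXX for every character, as an over-escaped JS/JSON string would carry it.
        "unicode": "".join(f"\\u{ord(c):04x}" for c in secret),
    }
    seen, unique = set(), {}
    for name, form in candidates.items():
        if form not in seen:
            seen.add(form)
            unique[name] = form
    return unique


def find_secrets(text: str, secrets: List[str]) -> List[Tuple[str, str, int]]:
    """Return (secret_label, variant_name, offset) for every hit, in text order.

    Only a short prefix of the secret is reported so the report itself does
    not leak the value.
    """
    hits = []
    for secret in secrets:
        label = secret[:4] + "..."
        for name, form in encoded_variants(secret).items():
            for match in re.finditer(re.escape(form), text):
                hits.append((label, name, match.start()))
    return sorted(hits, key=lambda hit: hit[2])


def redact(text: str, secrets: List[str], marker: str = "[REDACTED]") -> str:
    """Replace every encoded form of every secret with marker.

    Longest forms are matched first so a short variant cannot leave the tail
    of a longer one behind.
    """
    forms = {form for secret in secrets for form in encoded_variants(secret).values()}
    pattern = re.compile("|".join(re.escape(f) for f in sorted(forms, key=len, reverse=True)))
    return pattern.sub(marker, text)


# Constructed sample secrets and a constructed session-log fragment (not real values).
SECRETS = ["sk-live/ab+cd=", 'p@ss&w"rd<1']
SAMPLE_LOG = "\n".join([
    "GET /v1/items?key=sk-live%2Fab%2Bcd%3D HTTP/1.1",       # API key, URL-encoded
    '{"db_password": "p@ss&w\\"rd<1", "user": "svc"}',      # password, JSON-escaped
    '<input value="p@ss&amp;w&quot;rd&lt;1">',             # password, HTML entities
    "export API_KEY=sk-live/ab+cd=",                        # API key, literal
])

if __name__ == "__main__":
    for label, variant, offset in find_secrets(SAMPLE_LOG, SECRETS):
        print(f"{label} found as {variant!r} at offset {offset}")
    print(redact(SAMPLE_LOG, SECRETS))
```

A naive search for the literal key would miss three of the four occurrences in the sample; the redacted output contains none of the forms.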
<table align="center" border="0" cellpadding="0" cellspacing="0" width="100%"><tbody><tr><td class="container" style="padding: 15px 15px;">
<div class="text-block">
<span>
<a href="https://tracking.tldrnewsletter.com/CL0/https:%2F%2Fgithub.com%2Ftheogbrand%2Fyoink%3Futm_source=tldrinfosec/1/0100019d680d739d-2c5cb41e-9ac2-491f-a5d7-41b401484440-000000/yT2S-4j6wL6Jqw9ozPqkB9v9-J5J-v2hKQEdsAK_KyA=451">
<span>
<strong>YOINK (GitHub Repo)</strong>
</span>
</a>
<br>
<br>
<span style="font-family: 'Helvetica Neue', Helvetica, Arial, Verdana, sans-serif;">
YOINK is a Claude Code plugin that reduces supply chain attack surface by AI-decomposing third-party Python packages into minimal, dependency-free internal replacements, running a three-phase pipeline: scaffolding the target repo, curating and validating tests against the original library's test suite, then iteratively reimplementing only the functionality actually used. The README explicitly excludes cryptographic implementations from scope (correct call) and is currently Python-only, with JavaScript support planned. The repo is very early-stage (1 star, 0 forks, and no releases), so validate AI-generated reimplementations independently before production use, but the supply chain reduction premise is sound.
</span>
</span>
</div>
</td></tr></tbody></table>
<table align="center" border="0" cellpadding="0" cellspacing="0" width="100%"><tbody><tr><td class="container" style="padding: 15px 15px;">
<div class="text-block">
<span>
<a href="https://tracking.tldrnewsletter.com/CL0/https:%2F%2Fwww.manifold.security%2F%3Futm_source=tldrinfosec/1/0100019d680d739d-2c5cb41e-9ac2-491f-a5d7-41b401484440-000000/b7t0Vn9Va3mos51BLtLoNaxQG--cuafop3hlOsL_6YQ=451">
<span>
<strong>Manifold (Product Launch)</strong>
</span>
</a>
<br>
<br>
<span style="font-family: 'Helvetica Neue', Helvetica, Arial, Verdana, sans-serif;">
Manifold maps AI agents on endpoints, watches what they touch, flags risky behavior in real time, and gives security teams one place to shut down or quarantine suspicious AI activity.
</span>
</span>
</div>
</td></tr></tbody></table>
</td></tr></tbody></table>
<table align="center" bgcolor="" border="0" cellpadding="0" cellspacing="0" width="100%"><tbody><tr><td class="container" style="padding-top: 0px; padding-bottom: 0px;">
<div class="text-block">
<div style="text-align: center;"><span style="font-size: 36px;">π</span></div></div>
</td></tr></tbody></table>
<table align="center" bgcolor="" border="0" cellpadding="0" cellspacing="0" width="100%"><tbody><tr><td class="container" style="padding-top: 0px; padding-bottom: 0px;">
<div class="text-block">
<div style="text-align: center;"><h1><strong>Miscellaneous</strong></h1></div>
</div>
</td></tr></tbody></table>
<table bgcolor="" style="table-layout: fixed; width: 100%;" width="100%"><tbody><tr><td style="padding:0;border-collapse:collapse;border-spacing:0;margin:0;" valign="top">
<table align="center" border="0" cellpadding="0" cellspacing="0" width="100%"><tbody><tr><td class="container" style="padding: 15px 15px;">
<div class="text-block">
<span>
<a href="https://tracking.tldrnewsletter.com/CL0/https:%2F%2Fthehackernews.com%2F2026%2F04%2Fchina-linked-ta416-targets-european.html%3Futm_source=tldrinfosec/1/0100019d680d739d-2c5cb41e-9ac2-491f-a5d7-41b401484440-000000/DNzJJmjmxHwUmoNlUhwrsTm0EHnI3PEiDZq1Y5RB3fQ=451">
<span>
<strong>China-Linked TA416 Targets European Governments with PlugX and OAuth-Based Phishing (4 minute read)</strong>
</span>
</a>
<br>
<br>
<span style="font-family: 'Helvetica Neue', Helvetica, Arial, Verdana, sans-serif;">
TA416 (overlapping with RedDelta, Mustang Panda, and Twill Typhoon) resumed targeting EU and NATO diplomatic entities in mid-2025 after a two-year focus on Southeast Asia, and its expansion into Middle Eastern government targets in early 2026 tracked closely with the US-Israel-Iran conflict. The campaign iterated through multiple delivery mechanisms, including Cloudflare Turnstile abuse, Microsoft OAuth redirect hijacking, and MSBuild-based C# project file downloaders, all converging on DLL side-loading to deploy a continually updated PlugX variant with encrypted C2 communications. The pattern reflects a broader shift in Chinese-nexus operations toward identity-centric, long-dwell intrusions, with Darktrace documenting a case in which an actor resurfaced over 600 days after the initial compromise.
</span>
</span>
</div>
</td></tr></tbody></table>
<table align="center" border="0" cellpadding="0" cellspacing="0" width="100%"><tbody><tr><td class="container" style="padding: 15px 15px;">
<div class="text-block">
<span>
<a href="https://tracking.tldrnewsletter.com/CL0/https:%2F%2Fkrebsonsecurity.com%2F2026%2F04%2Fgermany-doxes-unkn-head-of-ru-ransomware-gangs-revil-gandcrab%2F%3Futm_source=tldrinfosec/1/0100019d680d739d-2c5cb41e-9ac2-491f-a5d7-41b401484440-000000/SLCcRQz52Ml3hR75diNH4H2x7oJE33Tbg0erdb3SqtY=451">
<span>
<strong>Germany Doxes "UNKN," Head of RU Ransomware Gangs REvil, GandCrab (4 minute read)</strong>
</span>
</a>
<br>
<br>
<span style="font-family: 'Helvetica Neue', Helvetica, Arial, Verdana, sans-serif;">
Germany's BKA publicly identified 31-year-old Russian Daniil Maksimovich Shchukin as "UNKN," the operator behind GandCrab and REvil, two ransomware groups that pioneered double extortion and collectively caused over 35 million euros in economic damage across at least 130 attacks in Germany between 2019 and 2021. REvil, widely regarded as a GandCrab rebrand, became one of the most prolific big-game hunting operations of its era before the FBI covertly compromised its servers ahead of the 2021 Kaseya attack. Shchukin is believed to remain in Krasnodar, Russia, with extradition considered unlikely due to the absence of a US-Russia extradition treaty.
</span>
</span>
</div>
</td></tr></tbody></table>
<table align="center" border="0" cellpadding="0" cellspacing="0" width="100%"><tbody><tr><td class="container" style="padding: 15px 15px;">
<div class="text-block">
<span>
<a href="https://tracking.tldrnewsletter.com/CL0/https:%2F%2Farstechnica.com%2Ftech-policy%2F2026%2F04%2Fperplexitys-incognito-mode-is-a-sham-lawsuit-says%2F%3Futm_source=tldrinfosec/1/0100019d680d739d-2c5cb41e-9ac2-491f-a5d7-41b401484440-000000/9I_Y_zdUtCQ2i3MpmqaA2bnWN_BJ4pyoEQ6ToK1BVD8=451">
<span>
<strong>Perplexity's "Incognito Mode" is a "sham," lawsuit says (5 minute read)</strong>
</span>
</a>
<br>
<br>
<span style="font-family: 'Helvetica Neue', Helvetica, Arial, Verdana, sans-serif;">
A proposed class action filed on March 31 by an anonymous user accuses Perplexity, Google, and Meta of sharing full chat transcripts, including PII, with third-party ad trackers such as Meta Pixel and Google Ads. Perplexity's "Incognito Mode" does not prevent this, and non-subscribed users are hit even harder: their prompts are shared via a URL that gives Meta and Google access to entire conversations. Potential statutory damages exceed $5,000 per violation, and millions of chat logs may be involved.
</span>
</span>
</div>
</td></tr></tbody></table>
</td></tr></tbody></table>
<table align="center" bgcolor="" border="0" cellpadding="0" cellspacing="0" width="100%"><tbody><tr><td class="container" style="padding-top: 0px; padding-bottom: 0px;">
<div class="text-block">
<div style="text-align: center;"><span style="font-size: 36px;">β‘</span></div></div>
</td></tr></tbody></table>
<table align="center" bgcolor="" border="0" cellpadding="0" cellspacing="0" width="100%"><tbody><tr><td class="container" style="padding-top: 0px; padding-bottom: 0px;">
<div class="text-block">
<div style="text-align: center;">
<h1><strong>Quick Links</strong></h1>
</div>
</div>
</td></tr></tbody></table>
<table bgcolor="" style="table-layout: fixed; width: 100%;" width="100%"><tbody><tr><td style="padding:0;border-collapse:collapse;border-spacing:0;margin:0;" valign="top">
<table align="center" border="0" cellpadding="0" cellspacing="0" width="100%"><tbody><tr><td class="container" style="padding: 15px 15px;">
<div class="text-block">
<span>
<a href="https://tracking.tldrnewsletter.com/CL0/https:%2F%2Fwww.csoonline.com%2Farticle%2F4154204%2Fa-core-infrastructure-engineer-pleads-guilty-to-federal-charges-in-insider-attack.html%3Futm_source=tldrinfosec/1/0100019d680d739d-2c5cb41e-9ac2-491f-a5d7-41b401484440-000000/CwcZqOQFiXQSAvb-YpG0mmzQSTwnzDpyO7biT3ygiws=451">
<span>
<strong>A core infrastructure engineer pleads guilty to federal charges in insider attack (1 minute read)</strong>
</span>
</a>
<br>
<br>
<span style="font-family: 'Helvetica Neue', Helvetica, Arial, Verdana, sans-serif;">
Infrastructure engineer Daniel Rhyne pleaded guilty to federal extortion and computer damage charges after using RDP sessions, scheduled tasks, and credential manipulation to shut down employer systems and demand $750,000 in bitcoin.
</span>
</span>
</div>
</td></tr></tbody></table>
<table align="center" border="0" cellpadding="0" cellspacing="0" width="100%"><tbody><tr><td class="container" style="padding: 15px 15px;">
<div class="text-block">
<span>
<a href="https://tracking.tldrnewsletter.com/CL0/https:%2F%2Flinks.tldrnewsletter.com%2FglgW44/1/0100019d680d739d-2c5cb41e-9ac2-491f-a5d7-41b401484440-000000/0itNODkWr_6qJdyGzXwd15y_VTTZ24sdjOoW6PRi1JI=451">
<span>
<strong>Qilin and Warlock Ransomware Use Vulnerable Drivers to Disable 300+ EDR Tools (3 minute read)</strong>
</span>
</a>
<br>
<br>
<span style="font-family: 'Helvetica Neue', Helvetica, Arial, Verdana, sans-serif;">
Qilin and Warlock ransomware are using Bring Your Own Vulnerable Driver (BYOVD) tactics to disable over 300 EDR tools, with Qilin specifically dropping a malicious DLL ("msimg32.xml") that loads two signed-but-vulnerable drivers to access physical memory and terminate EDR drivers before deploying their payloads.
</span>
</span>
</div>
</td></tr></tbody></table>
<table align="center" border="0" cellpadding="0" cellspacing="0" width="100%"><tbody><tr><td class="container" style="padding: 15px 15px;">
<div class="text-block">
<span>
<a href="https://tracking.tldrnewsletter.com/CL0/https:%2F%2Flinks.tldrnewsletter.com%2FSpmE8W/1/0100019d680d739d-2c5cb41e-9ac2-491f-a5d7-41b401484440-000000/QPMLe2fT5MQPZPZunwBeWHZleyAzbaWl4n9liLNJhcI=451">
<span>
<strong>OWASP GenAI Security Project Gets Update, New Tools Matrix (4 minute read)</strong>
</span>
</a>
<br>
<br>
<span style="font-family: 'Helvetica Neue', Helvetica, Arial, Verdana, sans-serif;">
OWASP split its GenAI security guidance into two tracks, one for LLMs and GenAI apps, one for agentic AI, and published a third document covering 21 data security risks, including sensitive data leakage (DSGAI-01), training data poisoning (DSGAI-04), and third-party tool compromise (DSGAI-06).
</span>
</span>
</div>
</td></tr></tbody></table>
</td></tr></tbody></table>
<table align="center" bgcolor="" border="0" cellpadding="0" cellspacing="0" width="100%"><tbody><tr><td align="left" style="word-break: break-word; vertical-align: top; padding: 5px 10px;">
<div class="text-block">
If you have any comments or feedback, just respond to this email!
<br>
<br> Thanks for reading,
<br>
<a href="https://tracking.tldrnewsletter.com/CL0/https:%2F%2Fwww.linkedin.com%2Fin%2Fprasannagautam%2F/1/0100019d680d739d-2c5cb41e-9ac2-491f-a5d7-41b401484440-000000/33tKDdsGrBEBBU3M6zn2IetdriROTfLo6oUuLKkQiTo=451"><span>Prasanna Gautam</span></a>, <a href="https://tracking.tldrnewsletter.com/CL0/https:%2F%2Fwww.linkedin.com%2Fin%2Fericfernandezdelcampo%2F/1/0100019d680d739d-2c5cb41e-9ac2-491f-a5d7-41b401484440-000000/IF3frjcL0QUAGn7nAYo79uEQE98_ID01P8w0vAeoSTk=451"><span>Eric Fernandez</span></a> & <a href="https://tracking.tldrnewsletter.com/CL0/https:%2F%2Fwww.linkedin.com%2Fin%2Fsammy-tbeile%2F/1/0100019d680d739d-2c5cb41e-9ac2-491f-a5d7-41b401484440-000000/IWmzsHyTyMyQ6EAzy_lzjpzG3wrbvMZ_ngzTpMw6Weo=451"><span>Sammy Tbeile</span></a>
<br>
<br>
</div>
<br>
</td></tr></tbody></table>
</td></tr></tbody></table>
</td></tr></tbody></table>
</td></tr></tbody></table>
</td></tr></tbody></table>
</body></html>