Newsletter 2026-05-19

Posted on May 19, 2026

Another week, another round.


Datadog has looked at malicious agent skills and lists indicators to watch out for.


Synacktiv looked at the Tesla Wall Connector in 2025 and has now published a second part to the first article.


Trail of Bits introduces a new Go fuzzer.


Hacktron found an RCE in GitHub Copilot.


Daniel Stenberg explains “named globbing” in curl. Very practical and I just wasn’t aware that curl can do that.


After TeamPCP published the source code of Shai-Hulud on GitHub [1], the first copycats have now appeared [2]. The whole thing took place as part of a competition about supply chain attacks on BreachForum [3].

  1. https://securitylabs.datadoghq.com/articles/shai-hulud-open-source-framework-static-analysis/
  2. https://www.ox.security/blog/new-actors-deploy-shai-hulud-clones-teampcp-copycats-are-here/
  3. https://socket.dev/blog/teampcp-supply-chain-attack-contest?utm_medium=feed

Meta is removing the option for E2E encryption in Instagram again. The reason is supposedly too little usage.


tmctmt looked at Mullvad’s public IP address assignment and found that with a certain probability, user IP addresses can be correlated if only the IP is rotated without also changing the public key (for example by logging out in the app).


Infoguard found and analyzed malware very similar to VIPERTUNNEL during an incident response engagement involving the DragonForce threat actor.


Adam Chester took a closer look at DevTunnels as a C2 option and wrote up in detail what he found. This resulted in a new tool, Ouroboros, to execute commands on DevTunnels.


Read you next week