Newsletter 2026-06-16

Posted on Jun 16, 2026

Another week with new articles.


Zoltan Madarassy and Alex Brown wrote another article for Elttam on what to watch out for in Go code reviews.


Matthew Green looked at the reasoning blocks in LLMs and was able to derive secrets from the systems (with a bit of luck). Additionally, neither Claude nor GPT5x seems to use system prompts in API mode.


A comprehensive write-up of CVE-2026-23111. This is a use-after-free vulnerability caused by incorrect use of the exclamation mark.


StarLabs found a problem on Ubuntu. Ubuntu apparently adds new accounts to the lxd group automatically, even when lxd is not installed, and membership in that group carries root-equivalent privileges. At the same time, the lxd-installer socket lets anyone in the lxd group install lxd without root privileges. Ubuntu classifies the whole thing as intentional and won't-fix.
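A quick audit for the two preconditions described above, written here as an added example (it is not from the StarLabs write-up or from Ubuntu). The group check takes the group list as an argument so it can be run over saved `id -nG` output as well as the live host. The socket path /run/lxd-installer.socket and the unit name lxd-installer.socket are assumptions; adjust them if your release differs.

```shell
#!/bin/sh
# Added example, not from the StarLabs write-up: audit a host for the two
# preconditions described above (membership in the lxd group, and an
# lxd-installer activation socket that lets group members install lxd).
# Assumptions: the socket lives at /run/lxd-installer.socket and the systemd
# unit is lxd-installer.socket; adjust if your release differs.

# user_in_group GROUPS NAME: succeed if NAME is one of the space-separated GROUPS.
# GROUPS is passed in rather than read here so the check works on any input
# (e.g. the output of `id -nG user`, or a line from a saved audit).
user_in_group() {
    _groups=$1
    _name=$2
    for _g in $_groups; do
        [ "$_g" = "$_name" ] && return 0
    done
    return 1
}

# lxd_installer_exposed SOCKET: succeed if the activation socket exists.
lxd_installer_exposed() {
    [ -S "$1" ]
}

# audit_lxd [USER]: report findings for USER (default: current user).
# Returns 0 when the account is not in lxd, 1 on lookup failure,
# 2 when USER is in lxd, 3 when additionally the installer socket is live.
audit_lxd() {
    _user=${1:-$(id -un)}
    _glist=$(id -nG "$_user" 2>/dev/null) || { echo "no such user: $_user"; return 1; }
    _rc=0
    if user_in_group "$_glist" lxd; then
        echo "WARN: $_user is in group lxd (root-equivalent on a host running lxd)"
        _rc=2
        if lxd_installer_exposed /run/lxd-installer.socket; then
            echo "WARN: lxd-installer socket is live; $_user could install lxd without sudo"
            _rc=3
        fi
        echo "fix: sudo gpasswd -d $_user lxd && sudo systemctl disable --now lxd-installer.socket"
    else
        echo "ok: $_user is not in group lxd"
    fi
    return $_rc
}

audit_lxd "$@"
```

Run it as `sh audit-lxd.sh` for the current account or `sh audit-lxd.sh alice` for another one; a non-zero exit status flags the condition so the script can be dropped into a compliance job. Removing the group membership alone is not enough if the socket stays live, since the next account Ubuntu creates gets the group again; disabling the socket closes the self-install path.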


MS-SQL 2025 apparently comes with new AI features and SpecterOps wrote up what they did with them.


Device code phishing has seemingly increased considerably recently. LevelBlue provides an overview.


Nihanshu Katkar wrote a complete initial access chain for Point Wild, from the first click to the execution of the final payload. The entry point is an email attachment.


A Microsoft PyPI repository has also been compromised by TeamPCP.


Sygnia shows in a blog post why it makes sense not to connect critical infrastructure to the internal network if at all possible. The Chinese threat actor Velvet Ant spread systematically across internal, internet-disconnected systems and networks for more than ten years, using modified standard tools along the way. For example, an scp variant was used that disabled SELinux when executed as root, and the OpenSSH server and PAM modules were modified as well. Very much worth reading.
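The pattern in that report, trusted binaries such as scp, sshd and PAM modules replaced with modified copies, is exactly what an out-of-band integrity baseline catches. The script below is an added example, not from Sygnia or from any of the tooling the report names: it compares files against a "<sha256>  <path>" baseline recorded while the host was known-good (the format sha256sum emits), and shows a package-manager cross-check as a second opinion. The package names passed to dpkg/rpm are the usual Debian and RHEL ones and are an assumption for other distributions; the demo tree and its "setenforce 0" marker line are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the Sygnia report: detect replaced system binaries
# such as the scp, sshd and PAM modules described above by comparing them
# against a baseline recorded when the host was known-good. Assumptions: the
# baseline file format is "<sha256>  <path>" per line (the format sha256sum
# emits), and sha256sum is available. The package names passed to dpkg/rpm
# below are the usual Debian/RHEL ones and are an assumption for your distro.

# check_against_baseline FILE: print MISSING/MODIFIED lines, fail if any.
check_against_baseline() {
    _bad=0
    while read -r _hash _path; do
        [ -z "$_hash" ] && continue
        if [ ! -f "$_path" ]; then
            echo "MISSING  $_path"; _bad=1; continue
        fi
        _now=$(sha256sum "$_path" | cut -d' ' -f1)
        if [ "$_now" != "$_hash" ]; then
            echo "MODIFIED $_path"; _bad=1
        fi
    done < "$1"
    return $_bad
}

# verify_with_package_manager: cross-check with the package database. Useful as
# a second opinion, but it trusts on-host metadata an attacker with root can
# also edit, which is why the offline baseline above is the primary check.
verify_with_package_manager() {
    if command -v dpkg >/dev/null 2>&1; then
        dpkg --verify openssh-server openssh-client libpam-modules
    elif command -v rpm >/dev/null 2>&1; then
        rpm -V openssh-server openssh-clients pam
    else
        echo "no dpkg/rpm found"; return 1
    fi
}

# demo MODE: build a constructed tree with a fake "scp", baseline it, and in
# MODE=tamper append a line to it afterwards, mimicking a trojanised copy.
demo() {
    _d=$(mktemp -d)
    printf 'genuine scp\n' > "$_d/scp"
    sha256sum "$_d/scp" > "$_d/baseline"
    [ "$1" = tamper ] && printf 'setenforce 0\n' >> "$_d/scp"
    check_against_baseline "$_d/baseline" && _rc=0 || _rc=1
    rm -rf "$_d"
    return $_rc
}

echo "clean tree:";    demo clean  && echo "  no changes"
echo "tampered tree:"; demo tamper || echo "  integrity check failed, as expected"
```

In practice the baseline is generated with `sha256sum /usr/bin/scp /usr/sbin/sshd /lib/*/security/*.so > baseline.txt` right after provisioning and stored off the host, then `check_against_baseline baseline.txt` is run from a job the host's root account cannot edit. The dpkg/rpm verify is worth running too, but on a box where the actor already had root for years the package database is no more trustworthy than the binaries.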


The first analyses of the attack on Arch's AUR are already out.


Until next time.