Newsletter 2026-06-22
Another week, another round
A VirtualBox escape through a use-after-free vulnerability, compiled by Luca Ginex.
FIFA apparently was busy awarding peace prizes and didn’t have time to test their central systems. For many football fans, probably a happy outcome.
Niels Provos versus frontier models.
I have to agree with Justin Bollinger here. I’ve always taken a detour around jq and maybe used Python’s json.tool or awk and cut to prepare and filter data.
A second interesting analysis from Bobdahacker right away. What data is hidden in an airline’s barcode, and the resulting data leakage, are pretty alarming, and I just hope that other airlines have it better secured.
SpecterOps has established a workflow for indirect prompt injection.
- https://specterops.io/blog/2026/06/11/building-an-indirect-prompt-injection-workflow/#h-introduction
A write-up on a GRU-affiliated TA, complete with MITRE ATT&CK mapping.
Synacktiv shows quite a bit about AWS forensics in the article. A useful article, in my opinion, as reading out and understanding “events” is a good way to learn how attacks actually work and what artifacts/traces they leave behind.
Elastic found an infostealer in Google Ads with very low detection rates. The whole thing is attributed to Russia-affiliated TAs. Elastic particularly examines the obfuscation techniques.
I don’t want to claim I understood everything OtterSec wrote there, but it sounds like an interesting problem in Web3 mobile apps with the use of WebViews and dApps.
That’s all for this week. Read you next week.