tldrsec.com
Resources curated from this publisher and indexed across appsec.fyi topic pages. Last item added: 2026-06-26.
| Date Added | Resource | Excerpt |
|---|---|---|
| 2026-06-26 | [tl;dr sec] #334 - Thinkst's Package Proxy, OpenAI Daybreak, AI Agents & Canaries (topics: AI, Supply Chain) | Library for preventing supply chain attacks, Thinkst's Package Proxy redirects package manager requests through Cloudflare Workers to enforce security policies, including minimum package age and upload mechanism regression checks, without requiring client-side software. It also addresses vulnerabilities found in package managers, such as path traversal, argument injection, and unsafe deserialization, as well as registry-side issues like authorization bypass and account takeover. |
| 2026-06-19 | [tl;dr sec] #333 - Perplexity's Bumblebee, Evading Cloud Logging, AI Vuln Hunting Spec (topics: AI) | Library for detecting malware in packages, agent configurations, and browser extensions, alongside techniques for evading cloud logging, and a specification for building custom AI security scanning systems. It details how formal methods are becoming more practical for AI-generated code, and how Microsoft's Agentic Secret Finder reduced false positives in GitHub's AI secret scanning by 75% through context extraction. The entry also covers the discovery of HTTP/2 Bomb, a DoS vulnerability affecting multiple web servers, and methods for disrupting AWS CloudTrail logging and abusing cloud logging services for defense evasion and visibility. |
| 2026-06-12 | [tl;dr sec] #332 - I've Joined OpenAI, fwd:cloudsec, AWS Well Architected Supply Chain Security (topics: Supply Chain, Talks) | Library containing writeups on application security topics, including a CVE writeup for 1-Click GitHub Token Stealing via a VSCode Bug, a technique for cutting Semgrep's taint analysis time by 75%, and cloud security discussions like HazyBeacon and AWS Lambda Function URL Abuse, and Sub:jugation—a vulnerability class affecting cloud identities by recycling namespaces in global OIDC issuers. |
| 2026-06-08 | [tl;dr sec] #327 - Finding Zero-days with Any Model, Practical Package Security, Measuring the AI Offense-Defense Gap (topics: AI, Supply Chain) | Library for C/C++ security challenges from Trail of Bits, featuring walkthroughs of Linux ping command injection and Windows driver kernel execution, alongside `c-review` for LLM-based code analysis. It also includes the `deepsec` scanner from Vercel, utilizing Claude and GPT coding agents to identify vulnerabilities by tracing data flows, and Jonathan Dunn's research on Client Side Path Traversal in major frontend frameworks like React Router and Next.js. |
| 2026-06-08 | [tl;dr sec] #328 - Shai-Hulud's Source Code Leaked, Break Into Buildings for $, Reversing EDRs with AI (topics: AI) | Library from Microsoft mitigates Server-Side Request Forgery (SSRF) in cloud-hosted .NET and NodeJS applications with secure-by-default code, including protection against HTTP redirects and DNS rebinding, complemented by the Dusseldorf testing tool. |
| 2026-06-08 | [tl;dr sec] #329 - AI-powered Honeypots, GitHub Action Canaries, Microsoft’s Agentic Security Scanner (topics: AI) | Library for detecting and deceiving attackers with AI honeypots, identifying supply chain attacks using GitHub Action canaries, and exploring Microsoft's "Autonomous Code Security" team. It also covers the impact of AI on bug bounties, a framework for rolling out security policies, and pre-auth RCEs against GPON OLT hardware and its Cloud EMS fleet manager, potentially exposing entire ISP networks. Additionally, it discusses detecting CI/CD supply chain attacks with canary credentials and unmasking the Docker ONBUILD supply chain attack vector. |
| 2026-06-08 | [tl;dr sec] #330 - AWS Pathfinding Labs, Running Codex Safely at OpenAI, Glasswing Updates (topics: AI, API Sec) | Library for securing AI coding agents, Prempti, intercepts tool calls and provides allow/deny verdicts based on Falco rules, integrating with LLMs for adaptive learning. OpenAI shares how they safely deploy Codex internally using sandboxed environments, approval workflows, and an auto-review subagent, with exported logs feeding an AI-powered security triage agent. Renovate PRs are automated for dependency updates using Claude Code Routines and a structured upgrade risk matrix, incorporating a minimum release age filter to prevent supply-chain attacks. AWS Security Agent generates verification scripts for pentest findings, and Pathfinding Labs offers over 100 intentionally vulnerable AWS environments for practicing cloud attack paths and validating detections. |
| 2026-06-08 | [tl;dr sec] #331 - How Adversaries Use AI, Skill Issues, Using IDEs for C2 (topics: AI) | Library for securing applications, this entry details adversarial techniques leveraging AI, skill issues in LLM development, and the use of IDEs for command and control. It highlights specific attack chains like the Zapier compromise, the efficiency of AI agents in data exfiltration from AWS, and methods for bypassing Claude Code's security measures. The resource also compares AI application security testing platforms and discusses proactive defense strategies against emerging threats. |
| 2023-08-11 | [tl;dr sec] #194 - CNAPPGoat KubeFuzz tl;dr sec swag (topics: Fuzzing) | Library for deploying vulnerable-by-design cloud resources, CNAPPgoat, modularly provisions components across AWS, Azure, and GCP. Fuzzing Kubernetes Admission Controllers is enabled by KubeFuzz, a generative and mutative fuzzer designed to uncover unexpected behavior in complex admission controller setups. |
| 2021-09-17 | Cloud Security Orienteering (topics: Recon) | Library for navigating unfamiliar AWS environments, this resource details a methodology for identifying risks, prioritizing remediation, and defining long-term cloud security strategies. It covers challenges in cloud security best practices, common adoption patterns, identifying ecosystem scope, and prioritizing important risks with open-source tools. The guide references the CIS benchmark for configuration, the Well-Architected Framework Security Pillar for architecture, and Scott Piper’s AWS Security Maturity Roadmap. |