This week's articles
Hook, line, and vault: A technical deep dive into the 1Phish kit
1Phish is a phishing kit targeting 1Password users that evolved across 4 versions (Sept 2025 to Feb 2026) from a basic credential harvester (~258 LoC) into a fully API-driven, MFA-aware kit with browser fingerprinting, bot scoring, JS obfuscation, OTP/recovery-code capture, enterprise targeting, and multi-language support.
Superuser Gateway: Guardrails for Privileged Command Execution
Uber's "Superuser Gateway" replaces direct superuser CLI access with a Git-backed, peer-reviewed workflow. Engineers submit commands via superuser-cli, triggering automated validation (syntax, permissions, impact estimation) and PR-based peer approval before a back-end service executes them, eliminating local credential holding and improving auditability.
How LDAP Works: An Interactive Guide
An interactive exploration of LDAP. Build a directory from a flat list, discover tree structure, distinguished names, schemas, search operations, and authentication.
Tools
Aegis
Monitors what AI agents do on your computer.
Zero Day Clock
Track Time-to-Exploit (TTE) across 83,000+ CVEs from 10 sources including CISA KEV, ExploitDB, and Metasploit. Median TTE trends, year-over-year analysis, and live exploit intelligence.
AI
hackerbot-claw: An AI-Powered Bot Actively Exploiting GitHub Actions
A week-long automated attack campaign targeted CI/CD pipelines across major open source repositories, achieving remote code execution in at least 4 out of 5 targets. The attacker, an autonomous bot called hackerbot-claw, used 5 different exploitation techniques and successfully exfiltrated a GitHub token with write permissions from one of the most popular repositories on GitHub. This post breaks down each attack, shows the evidence, and explains what you can do to protect your workflows.
The Reach Pattern
The "Reach" pattern is a personal CLI that hijacks existing browser sessions to query SaaS APIs (Slack, Jira, Confluence, etc.) on your behalf, feeding structured organizational context to your AI coding assistant.
infrastructure-agents-guide
How to design, build, and operate AI agents for infrastructure teams, safely. 13 chapters covering architecture, sandboxing, credentials, change control, observability, and more.
From the cloud providers
#AWS
Inside AWS Security Agent: A multi-agent architecture for automated penetration testing
AWS Security Agent's penetration testing uses a multi-agent architecture: specialized swarm agents handle reconnaissance, managed/guided exploration, and exploit validation. The system achieves 80% attack success rate on CVE Bench under real-world conditions, with assertion-based validation reducing false positives and CVSS-scored reporting.
Thanks for reading!
If you found this newsletter helpful, I'd really appreciate if you could forward it to your friends and colleagues! If you have questions, comments, or feedback, let me know on Twitter (@lancinimarco / @CloudSecList), or at feedback.cloudseclist.com! Thanks, Marco