Release Date: 03/05/2026 | Issue: 336
CloudSecList is a newsletter for busy professionals who want to keep up to date with the cloud security industry. Hand-curated by Marco Lancini.

This week's articles


How We Scaled Security Reviews Without Slowing Down Engineering
Postman is sharing the evolution of their Security Review Process (SRP). What didn't work, what they changed, and how they built SRP v2, a risk-based, automation-first security model embedded directly into their SDLC.


Proof, Not Promises: Evaluating Code Scanner Efficacy
How Block built benchmrk, a harness for measuring SAST scanner efficacy against ground truth you control.


Building an AI Ready Vulnerability Management Program After NVD Changes and Claude Mythos
NVD's April 2026 scope reduction (enriching only KEVs and critical federal software) collides with AI-accelerated vulnerability discovery (e.g., Claude Mythos), creating a dangerous gap in OSS CVE coverage.


Supply Chain Campaign Targets SAP npm Packages with Credential-Stealing Malware
A supply chain attack ("Mini Shai Hulud") trojanized SAP npm packages with malicious "preinstall" scripts that download a credential-stealing payload, harvesting GitHub, cloud, and CI/CD secrets and exfiltrating them via attacker-controlled GitHub repos.


BigQuery threat model report
A report which identifies 14 BigQuery threat vectors (covering data confidentiality, integrity, and availability) including IAM privilege escalation, data exfiltration via unrestricted egress, schema tampering, cost-based DoS, insider misuse, and service account spoofing.


GitHub RCE Vulnerability: CVE-2026-3854 Breakdown
Wiz Research discovered CVE-2026-3854 (CVSS 8.7): an unsanitized semicolon injection in GitHub's X-Stat internal header allows any authenticated user to override security fields via git push -o, achieving RCE on GitHub.com and full GHES server compromise.


Copy Fail (CVE-2026-31431)
The same 732-byte Python script roots every Linux distribution shipped since 2017.


I Left Port 22 Open on the Internet for 54 Days. Here's Who Showed Up
A lone port 22, wide open, accepting every password. 269,000 connections, 7,556 unique IPs, and a few visitors who thought they'd hit the jackpot.

Tools


SharkMCP
A swiss-knife MCP server for analysing PCAP files.


terraform-provider-query
TUI to explore Terraform providers.


graphify
AI coding assistant skill that turns any folder of code, docs, papers, images, or videos into a queryable knowledge graph.


OpenShell
OpenShell is the safe, private runtime for autonomous AI agents.

Upcoming Events


CONF   OpenSSF Community Day North America
May 21, 2026 | Minneapolis, United States


CONF   Linux Security Summit North America
May 21-22, 2026 | Minneapolis, United States

Thanks for reading!

If you found this newsletter helpful, I'd really appreciate if you could forward it to your friends and colleagues! 👌

If you have questions, comments, or feedback, let me know on Twitter (@lancinimarco / @CloudSecList), or at feedback.cloudseclist.com!

Thanks,
Marco


© 2019-present CloudSecList · Marco Lancini