Insights
Engenharia, segurança e infraestrutura — do ponto de vista de quem vive isso.
Operation Escaneo: CloudSEK Exposes APT-Level Threat Against LATAM
CloudSEK discovered Operation Escaneo in June 2026: Kimera framework, 15 CVEs, Cisco router persistence and SAP/Oracle exploitation. LATAM has graduated to APT-level threats.
Autoguardrails: Karpathy's Autoresearch Transposed to AI Safety
Santander AI Lab turned Karpathy's autoresearch into autoguardrails: an agent that searches over policy.md to minimize Attack Success Rate without destroying benign pass. Same turnstile, different metric.
Backdoor.Turn: The Ransomware That Hid Inside Microsoft Teams for 2 Months
DragonForce used the Turn backdoor to abuse Microsoft Teams TURN relay infrastructure as C2. The first malware in the wild to turn collaboration traffic into a command and control channel.
The Honest Mistake: Lateral Movement via WMI That Bypassed 47 Micro-Segmentation Policies
We almost missed a lateral movement attack via WMI during an incident response. The lesson that changed our IR methodology at Tech86.
Dual Attacker: When a Cryptominer is a Smoke Screen for PIX Exfiltration
Real incident response case at a Brazilian payment processor where an XMRig cryptominer hid a second actor exfiltrating digital certificates and PIX transaction data.
Mythos 5, Fable 5 and the Kill-Switch: One Letter Turned Off AI in 100+ Countries
A Friday letter shut down Mythos 5 and Fable 5 in 100+ countries. The first export control on a commercial AI model via API — and what it means for your infrastructure sovereignty.
Brazil-EU: AI Sovereignty and the R$ 2 Billion Supercomputer
Brazil joins the EU Digital Partnership and announces R$ 2 billion for a sovereign supercomputer. We analyze the two moves and the three bottlenecks that remain.
GLM-5.2 Z.AI: The First Open-Weight Frontier at Parity with Claude and GPT
Z.AI's GLM-5.2 is the first open-weights model that sustains production at parity with Claude and GPT, charging a tenth per token. MoE architecture, benchmarks, and deployment.
WhatsApp Usernames: The Privacy Win That Opens New Attack Surfaces
WhatsApp launched usernames on June 29, 2026, hiding phone numbers but creating squatting, visual similarity phishing, and cross-platform linking. Technical analysis from Tech86.
Dígitro: The Leak That Exposed the Blueprint of State Surveillance
3.39 TB of source code and data from Dígitro leaked on DDoSecrets. Guardião, the lawful interception platform used by 150+ institutions, had its blueprint exposed. Analysis of the technical and legal impact.
FortiBleed: The Attack That Turned 430K Firewalls Into Network Sniffers
FortiBleed compromised 86K+ FortiGate firewalls and turned 19K+ into active traffic sniffers. The industrialized operation that abuses legitimate FortiOS commands to capture credentials in real time.
Private Cyber Armies: When AI Becomes a Weapon of War
The US government spends $1B on cyberattacks while cutting $1.2B from defense. Two cybersecurity startups reveal the privatization of cyber warfare — and the governance vacuum that comes with it.
Mechanical Governance for LLMs: The mech-gov-framework and the EU AI Act
27% of LLM deferrals carry zero decision-relevant information. Santander's mech-gov-framework solves this with 4 mechanical primitives — with direct implications for the EU AI Act.
Miasma and IronWorm: When the Supply Chain Learns to Infect Your AI Agent
Two supply chain worms in June 2026 rewrote AI agent instructions and installed eBPF rootkits. Technical analysis of Miasma and IronWorm — and how to protect your agents.
Agentjacking: Hijacking AI Coding Agents via Sentry MCP
Attack discovered by Tenet Security hijacks AI agents via Sentry MCP with 85% success rate. 2,388 orgs with exposed DSNs. Open-source mitigation available.
Metered Token Billing: Why Flat-Rate Pricing for AI Coding Is Dead
Between March and June 2026, every AI coding tool migrated to metered token billing. The real numbers, Jevons Paradox, and what it means for engineering organizations.
NVIDIA SkillSpector: The Scanner That Proved AI Skills Security Needs More Than Static Analysis
26% of AI skills contain vulnerabilities and 5% are likely malicious, according to Liu et al. NVIDIA launched SkillSpector — but Trail of Bits proved static scanners can be bypassed in under 1 hour.
Xiaomi MiMo Code: The Open-Source Coding Agent That Challenges Claude Code
Xiaomi released MiMo Code, an open-source coding agent under MIT license that outperforms Claude Code on self-reported benchmarks. But the caveats matter as much as the numbers.
Brazil Civil Defense Hack: Cell Broadcast Compromised, 200 Million Without Alerts
Brazil's IDAP platform was hacked on June 19, 2026. Attacker sent false Extreme-level alerts to millions of phones. System remains offline — and Cell Broadcast by design lacks cryptographic authentication.
SantanderAI: The Bank That Open-Sourced Its AI Stack
Santander published 14 repositories on GitHub — including a mechanical governance framework, synthetic fraud graph generator, and vendor-agnostic LLM bridge. Zero real customer data. The European playbook for banking AI.
AI Writes 8× More Code — and Review Time Jumps 441%
Data from Anthropic, Faros AI, and GitClear shows AI accelerates code output but creates a review bottleneck. Code churn +861%, defects +54%. How to redesign the pipeline.
Claude Code: 6 Disclosures, 1 Real Attack, and the Architectural Disease
A structural vulnerability in the Claude Code GitHub Action produced 6 separate disclosures, 1 source code leak, and 1 real supply chain attack. The patch covers a symptom — the disease is architectural.
SearchLeak: P2P Injection + Bing SSRF Exfiltrates M365 Copilot Data
CVE-2026-42824 discovered by Varonis enables data exfiltration from M365 Copilot Enterprise via prompt injection in the search parameter and SSRF through Bing. One click is enough.
Gentlemen Ransomware: FortiGate Worm, 478 Victims in 10 Months
The Gentlemen RaaS exploits CVE-2024-55591 in FortiGate for worm propagation with 21 lateral movement techniques. 478+ victims, 66 countries, and an encryptor that makes decryption functionally impossible.
Google GTIG: The First AI-Developed Zero-Day in the Wild
Google GTIG identified the first AI-developed zero-day used by criminals. A 2FA bypass via semantic logic flaw — the vulnerability class LLMs find and fuzzers cannot.
GREYVIBE: First Forensic Case of Commercial AI Across the Entire Kill Chain
WithSecure documented the first forensic case of a threat group using commercial AI across every phase of the kill chain against Ukraine. What it means for cyber defense.
n8n-mcp: CVSS 9.9 IDOR Exposes All Tenants' Credentials
CVE-2026-54052 (assigned by Manifold Security; pending NVD publication) in n8n-mcp lets any authenticated tenant read every other tenant's credentials. Fifth multi-tenant security issue in 2026 — the persistence layer was never isolated.
Tech86 Partner Program: Sell Complex Projects Without Hiring a Team
The Tech86 partner program enables consultancies, agencies, and integrators to sell complex engineering projects without a senior technical team. Recurring revenue share, engineering as a service, and account protection.
SHEETCREEP: APT Uses Google Sheets as Network-Invisible C2
SHEETCREEP, a RAT linked to APT36, uses Google Sheets as command-and-control infrastructure. Traffic indistinguishable from legitimate Google Workspace requires endpoint-level detection.
Foxconn vs Nitrogen: Encryptor Bug Makes Ransom Payment Futile
Coveware reverse-engineered the Nitrogen ESXi encryptor and found a bug that corrupts the public key. Decryption is mathematically impossible. Foxconn was hit in May — approximately 3 months after disclosure. Paying does not help.
Tchap: Infrastructure Sovereignty Doesn't Protect Against Compromised Credentials
France's sovereign messenger exposed data of 73,467 public agents after a single account was compromised via social engineering. Why infrastructure sovereignty is not a substitute for credential security.
LangGraph: From SQL Injection to RCE Through AI Agent Memory
Check Point Research documented an exploitation chain from SQL injection to remote code execution through the LangGraph checkpointer — the persistence layer that gives the agent memory is the same one that gives the attacker persistence.
Sophos CTU: AI-Powered Ransomware Lab Tests EDR Evasion at Scale
Sophos discovered a ransomware development lab using AI to accelerate development and test EDR evasion. Nearly 80 modules, 70+ techniques. What changes for your defense.
CISA BOD 26-04 and EO 14409: AI in Federal Cyberdefense
CISA replaced CVSS with 4 binary patching factors. EO 14409 mandated AI-powered defense acceleration. What changes for security operations in practice.
Ivanti Sentry CVSS 10.0: Unauthenticated RCE as Root
CVE-2026-10520 in Ivanti Sentry enables unauthenticated command injection with root execution. CVSS 10.0, public PoC, CISA KEV. Real timeline and data.
Nightmare Eclipse: 8 Zero-Days Against Microsoft in 10 Weeks
A solo researcher exploited 8 vulnerabilities in the Microsoft ecosystem — including SYSTEM LPE, BitLocker bypass, and Defender TOCTOU. What this means for your defense.
ShinyHunters Exploited PeopleSoft Zero-Day for 13 Days Before Advisory
CVE-2026-35273: unauthenticated RCE in Oracle PeopleSoft exploited for 13 days before Oracle published an advisory. 454K sensitive records leaked. What this reveals about the patch cycle.
N-day Became N-hour — The Myth of the Safe Patch Window
Anthropic demonstrated that Mythos Preview generates functional exploits in hours, not weeks. Cost per privilege escalation chain dropped to $2K. The monthly patch cycle has become structurally inadequate.
Miasma Worm: When Trust Infrastructure Becomes the Attack Itself
How the Miasma Worm exploited SLSA, Sigstore, and legitimate credentials to compromise npm, PyPI, and Microsoft repositories in 7 days — without a single CVE.
BigQuery LIMIT 100: The Illusion Draining Your OPEX
SELECT * with LIMIT 100 in BigQuery scans the entire table and charges by bytes read. TABLESAMPLE SYSTEM cuts processing by 95%. Real FinOps data.
Google Cloud Next 2026: Infrastructure the Agentic Enterprise Needs
From TPU v8 to Agent Gateway, Virgo Network to Agentic Defense — what Google Cloud Next 2026 means for teams running agents at scale and why governance beats building.
AI Compressed the Vulnerability Window — Microsoft Says So
Microsoft declared that AI can autonomously discover, chain, and exploit vulnerabilities. The discovery-to-exploitation window collapsed. What this means for your security operations.
AI Inference FinOps Playbook: 5 Levers in the Right Order
80-90% of AI cost goes to inference. Five measurable levers, in priority order, to cut 50-90% of waste without sacrificing quality.
Claude Code in Your Pipeline: The Structural Hole and Rule of Two
Claude Code GitHub Action exposes credentials via unsandboxed Read tool. Microsoft steals keys in two steps. RyotaK: 50 bypasses. The Rule of Two you need to adopt.
Malicious LLM API Routers: The Invisible Threat Inside Your AI Agents
428 routers tested, 9 injecting code, 1 draining Ethereum. How malicious LLM API routers compromise AI agents without detection.
State of FinOps 2026: 73% Blew Their AI Budget
State of FinOps 2026 data: 73% of organizations exceeded AI budget, only 20% predicted spend within ±10%. FinOps is now technology value management.
iFood Data Breach: 1.2M vs 43M and the Risk They Denied
iFood leaked CPF of 1.2 million users, failed to notify Brazil's ANPD, and claimed no relevant risk. The 36x discrepancy and what it reveals about LGPD enforcement.
Chrome DBSC: session cookie theft is finally over
DBSC binds session cookies to hardware via TPM. Stolen cookies expire without the key. The most significant browser security improvement in years — but it's one layer.
LLM Agent Worms: Zero-Click Propagation Across Frameworks
The first autonomous worm propagating between LLM agents without human interaction. Zero-click, cross-platform, 3 hops. Defense requires a formal theorem.
MemPoison + MCFA: The Memory Attack Surface in LLM Agents
Memory attacks on LLM agents reach 95% success. MemPoison poisons memory, MCFA hijacks control flow. Current defenses are insufficient.
PoisonedSkills: Skill Docs That Make AI Agents Run Malware
PoisonedSkills uses skill documentation to execute payloads in AI coding agents via DDIPE. 33.5% bypass rate. 4 CVEs. Skill registries are the new supply chain.
CVE-2026-41089: One UDP Packet Takes Down Your DC
CVE-2026-41089 in Windows Netlogon allows unauthenticated DoS via UDP 389. CVSS 9.8, active exploitation confirmed. Learn how to protect your DCs.
WP Maps Pro: Backdoor by Design and Full Admin Takeover
CVE-2026-8732 in WP Maps Pro enables unauthenticated admin takeover. CVSS 9.8, 15,800 sites exposed. A frontend nonce is not authentication.
CIFSwitch: 19-Year Kernel Bug Gives Root in 1 Syscall
19-year Linux kernel vulnerability lets any unprivileged user get root via request_key and cifs.upcall. Public PoC. Enterprise servers exposed.
Vercel Bill Shock: Why Headless Without FinOps Fails
38% of headless merchants lost revenue in 90 days. Vercel Pro jumps from $20 to $2,000. FinOps is what separates scale from loss.
GlobalProtect Auth Bypass: Your VPN Perimeter Just Broke
CVE-2026-0257 in PAN-OS GlobalProtect enables authentication bypass with CVSS 9.1. Active exploitation, CISA KEV. Real data from Rapid7 MDR.
CVE-2026-46230: Windows Kernel RCE with SYSTEM via SMB/RDP
CVE-2026-46230 in the Windows kernel enables unauthenticated RCE with SYSTEM via SMB and RDP. CVSS 9.8, public PoC. Learn how to protect your infrastructure.
FortiClient EMS: When Your Antivirus Becomes the Attack
CVE-2026-35616 in FortiClient EMS enables pre-auth API bypass, CVSS 9.1. Attackers push EKZ Stealer via EMS and steal session cookies, bypassing MFA.
PoolSlip and Gogs: Two Zero-Days Exposing Your Infra
CVE-2026-9256 (CVSS 9.2) in NGINX and Gogs zero-day CVSS 9.4 with no patch for 2+ months. Two entry points no one can afford to ignore.
CVE-2026-48172: LiteSpeed CVSS 10.0 and Shared Hosting Risk
CVE-2026-48172 in LiteSpeed cPanel Plugin scores CVSS 10.0 — any tenant becomes root. Why shared hosting breaks by design with this class of vulnerability.
TrapDoor, TanStack and npm: When AI and Registry Become the Attack
TrapDoor plants invisible instructions in .cursorrules. TanStack steals OIDC tokens. 33 npm packages impersonate corporate namespaces. Three vectors, same result.
FinOps for AI: Cost-per-Token and the GPU You Don't Use
73% of AI projects blow their budget. GPU utilization sits at 15-30%. Learn to measure cost-per-token and recover up to half your inference budget.
LLM Self-Replication Worm: From 6% to 81% in One Year
Palisade Research documented the first LLM self-replication worm: 4 hops, 3 continents, zero human intervention. Success rates jumped from 6% to 81% in 12 months.
Prompt Injection Is the New SQL Injection — Now It Leads to RCE
73% of AI deployments have prompt injection. Chatbots leak data via markdown rendering. Semantic Kernel enables RCE via Startup folder. Data and defenses.
WordPress Security Crisis: 11,334 Flaws and the Headless Exit
WordPress hit 11,334 new vulnerabilities in 2025 (+42% YoY). Headless architecture removes the attack surface structurally and cuts LCP by 75%.
Dirty Frag: Deterministic LPE to Root via Container Escape
CVE-2026-43284 + CVE-2026-43500 chain two kernel bugs into a deterministic root shell. AI inference nodes with GPU access are the highest-value targets.
Prompt Injection Is State Poisoning — Your Agent Is Exposed
CoT Forgery and Trojan Hippo prove prompt injection poisons internal model state. The security boundary is in the wrong place. Here is what changes.
SGLang: 4 unpatched RCEs in the AI inference server
Four RCE vulnerabilities in SGLang, the AI inference server running on 400K GPUs — three unpatched and the maintainer ignores CERT/CC.
Defender Zero-Days: When the Protector Becomes the Attack Vector
SYSTEM-privilege CVEs and Microsoft-signed malware prove that blind trust in Defender is the real vulnerability your organization faces.
AI Writes Zero-Days Now — and the Window Collapsed
How AI moved from finding vulnerabilities to writing exploits and self-replicating through them — and why the discovery-to-exploitation window collapsed in 2026.
Supply Chain 2026: When Trust Became the Attack Vector
How SLSA provenance, code signing, and CI/CD became the attack vectors for supply chain attacks in 2026 — and what your company must do now.
Infrastructure AI Needs: Co-Design Is the New Paradigm
NVIDIA invested $40B in infrastructure and Vera Rubin proves it: the AI bottleneck isn't silicon — it's energy, fiber, and orchestration. The data center is the unit of compute.
Drupal SQL Injection: When the Abstraction Fails
CVE-2026-9082 exposed SQL injection in Drupal's abstraction API. 15K attacks in 48h. The patch was one line. Lessons on blind trust in frameworks.
NGINX Rift: 18-Year Bug Found by AI in 6 Hours
CVE-2026-42945: heap overflow in NGINX since 2008. AI found it in hours; patching thousands of instances takes weeks. The asymmetry that changes everything.
SEO for AI: Google's Official Guide That Changes Everything
Google published the definitive SEO guide for AI search. The message: there is no AEO or GEO. The same fundamentals that worked in 2020 work in AI Mode today.
PROMPTSPY: the Android malware that uses AI to operate your phone
The first Android malware powered by generative AI reads your screen, thinks, and acts autonomously. Technical analysis and defense strategies.
NATS as C2: When Your Infrastructure Becomes the Weapon
Attackers use NATS pub/sub as an invisible C2 channel. Learn how to detect and block malicious traffic disguised as legitimate microservice communication.
Containers Don't Isolate Workloads: CopyFail & DirtyFrag
Page cache CVEs collapse container isolation in Kubernetes. Why patches aren't enough and which architecture actually solves it.
AI FinOps: Model Selection Is Unit Economics
Paying 21x more for 0.6% better benchmarks is capital waste. Learn how to select AI models based on real cost and throughput per dollar.
The Harness Beats the Model — Claude Code Architecture
Claude Code has 1,900 TS files. Only 1.6% is AI logic. The other 98.4% is control infrastructure — and that's what separates reliable agents from demos.