
19M French IDs Breached 🇫🇷, Defender Turned Malware 🪟, Claude 4.7 Self-Pwned 🤖


TLDR Information Security 2026-04-23

🔓 Attacks & Vulnerabilities

Critical Spring Authorization Server Issue Exposes Systems to XSS and SSRF Attacks (1 minute read)

CVE-2026-22752 in Spring Security Authorization Server allows attackers holding a valid Initial Access Token to register malicious OAuth clients through Dynamic Client Registration endpoints, triggering Stored XSS, privilege escalation, and SSRF against internal infrastructure. The flaw carries a network-exploitable, low-complexity CVSS vector and affects Spring Security 7.0.0–7.0.4, as well as Spring Authorization Server 1.3.0–1.3.10, 1.4.0–1.4.9, and 1.5.0–1.5.6. Administrators should immediately upgrade to 7.0.5, 1.3.11, 1.4.10, or 1.5.7, or disable Dynamic Client Registration as a temporary mitigation, given the cascading account-takeover risk in OAuth-fronted microservice environments.

Unauthorized Group Has Gained Access to Anthropic's Exclusive Cyber Tool Mythos (2 minute read)

An unauthorized group gained access to Anthropic's Mythos model. The group reportedly obtained access through a third party and says it intended to experiment with the model rather than cause damage. It located the model by making an “educated guess” about its online location, based on the naming format Anthropic has used for other models.

France's 'Secure' ID agency probes breach as crooks claim 19M records (3 minute read)

France's Interior Ministry confirmed a security incident at the ants.gouv.fr portal, which manages passports, ID cards, and licenses, that exposed user identifiers, contact details, and dates of birth, but not document attachments. A threat actor, known as breach3d/ExtaseHunters, claims to have access to 18–19 million records from the agency's internal systems and is selling the data on criminal forums. The government is still investigating with ANTS and other services, has not validated the volume, and has shared no details on the intrusion vector.
🧠 Strategies & Tactics

Exploits Turn Windows Defender into Attacker Tool (5 minute read)

Researcher Nightmare-Eclipse publicly released three PoCs: BlueHammer (CVE-2026-33825), a time-of-check/time-of-use (TOCTOU) race in Defender's signature update workflow patched in April; RedSun, an unpatched flaw that abuses EICAR-triggered remediation against TieringEngineService.exe to land attacker binaries as SYSTEM on fully patched Windows 10/11 and Server 2019+; and UnDefend, a post-SYSTEM tool that starves Defender of threat intelligence while falsifying its health reporting. Huntress observed hands-on intrusions staging binaries in the Downloads and Pictures subfolders and renaming them across variants to suppress VirusTotal detections, with initial access consistently traced to SSL VPN accounts lacking MFA. Defenders should apply the April 2026 updates and verify Antimalware Platform v4.18.26050.3011 directly (UnDefend can spoof the dashboard), enforce MFA on all remote access, block execution from Downloads/Pictures/Temp, and baseline the TieringEngineService.exe hash from an out-of-band detection layer.

I watched all 11 main stage keynotes at RSAC 2026 (9 minute read)
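One way to carry out the "verify directly" and "baseline the hash" steps above, as an added example that is not from the article, Huntress, or the PoC author. It assumes that Get-MpComputerStatus is the self-reported view UnDefend can spoof, that installed platforms live under ProgramData\Microsoft\Windows Defender\Platform in folders named after their version, and that TieringEngineService.exe sits in System32; the minimum version is the one the article names.

```powershell
# Added example: cross-check the Defender platform version two ways and
# record the hash of the binary RedSun abuses. Run elevated.
$RequiredPlatform = [version]'4.18.26050.3011'   # version named in the article

# 1. What Defender reports about itself. Assumption: this is the "dashboard"
#    view that a post-SYSTEM tool such as UnDefend can falsify.
$reported = [version](Get-MpComputerStatus).AMProductVersion

# 2. What is actually on disk: the newest platform folder. Assumption: folder
#    names look like "4.18.26050.3011-0", so the "-0" suffix is stripped.
$platformRoot = Join-Path $env:ProgramData 'Microsoft\Windows Defender\Platform'
$onDisk = Get-ChildItem -Path $platformRoot -Directory |
    ForEach-Object { [version](($_.Name -split '-')[0]) } |
    Sort-Object -Descending | Select-Object -First 1

[pscustomobject]@{
    ReportedPlatform = $reported
    OnDiskPlatform   = $onDisk
    MeetsMinimum     = ($onDisk -ge $RequiredPlatform)
    # Self-report and disk disagreeing is itself worth a closer look
    # (a pending restart is the benign explanation; tampering is the other).
    SelfReportMatchesDisk = ($reported -eq $onDisk)
}

# 3. Hash TieringEngineService.exe so it can be compared with a baseline
#    gathered by a separate detection layer, not with a value stored on this
#    host. Assumption: the service binary lives in System32.
$tiering = Join-Path $env:SystemRoot 'System32\TieringEngineService.exe'
if (Test-Path $tiering) {
    Get-FileHash -Path $tiering -Algorithm SHA256 | Select-Object Hash, Path
} else {
    Write-Warning "TieringEngineService.exe not found at $tiering"
}
```

Ship the resulting hash and both version values to your SIEM or EDR from the agent rather than reading them back on the box, since the host itself is what the tooling is designed to lie about.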

Adrian Sanabria recapped RSAC 2026's main stage, finding broad consensus that AI agents require asset management, user-patterned data permissions, observability, output validation, and integrity checks against fabricated data. However, no speaker claimed a working solution, and an AI governance startup founder confirmed that customers remain in monitor-only mode without enforcement. Disagreements surfaced on human-in-the-loop versus fully autonomous detect-and-respond, ephemeral task-scoped agents versus persistent “digital co-workers,” and the plausibility of thousands of agents per person, while speakers pushed a return to fundamentals, hardening, and attack surface reduction under the assumption that every system has an unpatched zero-day. Standout sessions included Tomer Weingarten (SentinelOne) warning of cognitive atrophy from outsourcing judgment to AI, Sandra Joyce (Google Security) detailing civil legal action and public attribution as working techniques to disrupt attacker infrastructure, and Jeetu Patel (Cisco) releasing OSS agent-defense tools, including AI BOM, MCP Scanner, A2A Scanner, CodeGuard, and DefenseClaw.
Are SBOMs Failing? Supply Chain Attacks Rise as Security Teams Struggle With SBOM Data (3 minute read)

Software Bill of Materials (SBOMs) and Vulnerability Exploitability eXchange (VEX) were introduced to give buyers clear visibility into software components and exploitability. Still, supply chain attacks keep climbing, with recent Trivy and Axios compromises hitting tens of thousands of organizations. Datta argues that teams drown in inconsistent SBOMs, VEX, vulnerability intelligence, and legal inputs, then fall back on raw severity scores. She proposes a governance-driven decision layer that tracks SBOM changes over time, treats VEX as contextual, pulls in third-party disclosures, and produces auditable, defensible decisions, especially as regulations tighten and exploit time shrinks to hours.
🧑‍💻 Launches & Tools

New IT and security field guide to AI adoption (Sponsor)

AI is everywhere right now. But for many teams, reality hasn't matched the promise. What's actually working?

Tines just released a guide that takes a more practical look at AI adoption for security and IT teams. If you're thinking about AI beyond experimentation, this is a useful place to start.

Pearcer (GitHub Repo)

Pearcer is a GPLv3 Python packet analyzer pitched as a Wireshark alternative, bundling live multi-interface and Android/ADB capture, deep per-layer dissection, built-in detection for SQLi, XSS, C2 beaconing, and ARP/DNS spoofing, NVD CVE lookup, and an active attack suite covering packet edit-and-resend, monitor-mode toggling, and 802.11 deauth flooding. At 19 stars, 1 fork, 9 commits, no tagged releases, and a single contributor, the claimed feature surface substantially outpaces codebase maturity, and the offensive tooling warrants scrutiny before any non-lab use.

IronClaw (GitHub Repo)

IronClaw is an OpenClaw-inspired AI assistant focused on privacy and security.

Outtake (Product Launch)

Outtake builds software that scans the internet for fake company identities, flags impersonation accounts, malicious domains, rogue apps, and fraudulent ads, and automates takedown so security teams spend less time on manual investigations.
🎁 Miscellaneous

Quantum Computers Are Not a Threat to 128-bit Symmetric Keys (8 minute read)

The widespread belief that Grover's algorithm halves symmetric key strength is wrong because parallelizing Grover dilutes the quadratic speedup (partitioning the search space only saves the square root of the reduction factor) and the attack cannot be meaningfully distributed. Using Liao and Luo's (2025) AES-128 Grover oracle of depth 232 T-gates and width 724 logical qubits, breaking AES-128 in a decade would require roughly 140 trillion parallel quantum circuits at a DW cost of ~2^104.5, about 2^78.5 times more expensive than Shor's attack on 256-bit elliptic curves. NIST, BSI TR-02102-1, and researcher Samuel Jaques all concur that AES-128 and SHA-256 remain safe post-quantum and that no symmetric key sizes need to change, so engineers should redirect migration effort toward the urgent asymmetric PQC transition instead of doubling symmetric keys.

Mozilla: Anthropic's Mythos Found 271 Security Vulnerabilities in Firefox 150 (2 minute read)
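The parallelization argument above, worked through with the article's own figures as an added illustration (not part of the original piece); the π/4 Grover iteration constant and the rounding of 140 trillion to 2^47 are my assumptions.

```latex
% Grover over N = 2^{128} keys split across P machines: each searches N/P.
\text{iterations per machine} \approx \tfrac{\pi}{4}\sqrt{N/P},
\qquad
\text{total work} \approx P \cdot \tfrac{\pi}{4}\sqrt{N/P} = \tfrac{\pi}{4}\sqrt{N P}
% Partitioning into P parts shortens each machine's run by only \sqrt{P}
% while multiplying the machine count by P, so total work grows by \sqrt{P}:
% this is the "square root of the reduction factor" the article refers to.

% Article figures: P = 1.4\times 10^{14} \approx 2^{47}, D = 232, W = 724.
\sqrt{N/P} = 2^{(128-47)/2} = 2^{40.5},
\qquad
\tfrac{\pi}{4}\,2^{40.5} \approx 2^{40.15}

\text{DW cost} \approx P \cdot \underbrace{\tfrac{\pi}{4}\,2^{40.5}\cdot D}_{\text{depth per machine}} \cdot W
= 2^{47}\cdot 2^{40.15}\cdot 2^{7.86}\cdot 2^{9.50} \approx 2^{104.5}

% Against the stated 2^{78.5} ratio this implies an ECC-256 Shor cost of
% roughly 2^{104.5 - 78.5} = 2^{26}, which is why the asymmetric side is urgent.
```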

Mythos found 271 vulnerabilities in the pre-release code for Firefox 150, compared to the 22 vulnerabilities found by Opus 4.6 in Firefox 148. The model marks a turning point for defenders. Many of the vulnerabilities could have been found by fuzzing or human analysis.
Malicious KICS Docker Images and VS Code Extensions Hit Checkmarx Supply Chain (2 minute read)

Unknown attackers pushed modified images to the official checkmarx/kics Docker Hub repo, overwriting tags like v2.1.20 and alpine and adding a fake v2.1.21 release. The trojanized KICS binary can generate unredacted IaC scan reports, encrypt them, and exfiltrate them to an external endpoint, exposing credentials in Terraform, CloudFormation, or Kubernetes configs.

Quick Links

Anthropic Self-Pwned (1 minute read)

Prolific model jailbreaker Pliny the Liberator used an agent running Claude Opus 4.7 to develop a universal jailbreak against Claude Opus 4.7 in less than 20 minutes.

UK intelligence: 100 nations have spyware that can hack Britain (2 minute read)

UK intelligence estimates that around 100 countries have bought cyber intrusion tools that could target British infrastructure, companies, and private networks.


Thanks for reading,
Prasanna Gautam, Eric Fernandez & Sammy Tbeile

