Cursor AI RCE on macOS 🖥️, QEMU VMs Evade Defender 🥷, Claude Writes Chrome Exploit 💥

TLDR

Together With Drata

TLDR Information Security 2026-04-20

Manual GRC doesn't scale -- move to Agentic Trust Management with Drata (Sponsor)

Compliance doesn't end when you get your SOC 2 certificate. Security reviews, audits, and vendor questionnaires demand constant attention -- and leave GRC teams too overwhelmed to actually think about security strategy.

Drata's Agentic Trust Management Platform automates the most time-consuming tasks, from security questionnaires to continuous evidence collection, saving teams hundreds of hours each year. Drata's AI chases down documents, so you can focus on outcomes.

With Drata's built-in Trust Center, you can streamline security reviews, share your security posture, and build trust faster throughout the deal process.

⚡️ Automate and accelerate trust with Drata ⚡️

🔓

Attacks & Vulnerabilities

Cursor AI Vulnerability Exposed Developer Devices (3 minute read)

Straiker found a NomShub attack chain in Cursor that abuses indirect prompt injection and a sandbox escape to overwrite .zshenv and run attacker-controlled code on macOS. Malicious instructions in a repository README direct the AI agent to open a remote tunnel, register a device code, and authorize the attacker's GitHub account for shell access, which persists until the process stops and the tunnel registration is removed.

Vercel Confirms Breach as Hackers Claim to be Selling Stolen Data (2 minute read)

Cloud development platform Vercel has disclosed a security incident as attackers claiming to be affiliated with ShinyHunters attempt to sell stolen data. The attackers claim to be selling access keys, source code, and database data, as well as access to internal deployments and API keys. Vercel has stated that it is in contact with a limited number of affected customers.

$13.74M Hack Shuts Down Sanctioned Grinex Exchange After Intelligence Claims (2 minute read)

Grinex, a Russia-based cryptocurrency exchange, is shutting down operations after a $13.74M hack. Grinex and its predecessor, Garantex, have been sanctioned by the US and UK for processing funds for ransomware and Darknet organizations. The exchange claims that foreign intelligence agencies orchestrated the attack to undermine Russian financial sovereignty.

🧠

Strategies & Tactics

MAD Bugs: "cat readme.txt" is not safe in iTerm2 (5 minute read)

iTerm2's SSH integration uses a "conductor" script and escape-sequence protocol over PTY, but it will accept that protocol from any terminal output, not just a trusted remote session. A crafted readme file can print fake DCS 2000p and OSC 135 sequences, impersonate the conductor, walk the state machine, and push iTerm2 into sending a base64-encoded run command back into the local shell. An attacker bundles a helper binary named to match the final base64 chunk, so simply running cat readme.txt in that directory triggers arbitrary command execution until users install the still-unstable patch.

Hackers Dodging Security Tools by Dropping Secret QEMU Virtual Machines Inside Windows (3 minute read)

Sophos is warning users about two active campaigns abusing QEMU to launch Linux VMs within Windows to evade detection. The threat actors bundle their malware inside Alpine Linux VMs, which Windows Defender and other tools cannot analyze.

Six Accounts, One Actor: Inside the prt-scan Supply Chain Campaign (9 minute read)

Wiz Research traced the prt-scan campaign back to March 11, three weeks before disclosure. It involved six GitHub accounts and over 500 malicious PRs exploiting pull_request_target with AI payloads targeting Python, Node.js, Rust, and Go. The five-phase payload had a sub-10% success rate but compromised 106 versions in @codfish/eslint-config and @codfish/actions, stealing AWS, Cloudflare, and Netlify credentials via a /proc/*/environ scanner that exfiltrated secrets through PR comments. Search for branches named prt-scan-[12-hex], the PR title "ci: update build configuration," the user agent python-requests/2.32.5, and the log markers PRT_EXFIL/RECON/DELAYED; enforce first-time contributor approval and actor-restricted workflows on repos using pull_request_target.

🧑‍💻

Launches & Tools

Wardgate (GitHub Repo)

Wardgate is a security gateway that sits between AI agents and the outside world, manages API credentials, isolates SSH keys for remote command execution, and enforces access controls for command execution in remote enclaves. This is a relatively new tool with an AGPL license and was first released in February.

The Ultimate iOS Hardening Guide (GitHub Repo)

A comprehensive hardening guide for enhancing security and privacy on iOS and iPadOS devices.

Claude Code in a devcontainer (GitHub Repo)

A sandboxed development environment for running Claude Code with bypassPermissions safely. This devcontainer provides filesystem isolation, so you get the productivity benefits of unrestricted Claude without risking your host system. This tool was built by Trail of Bits for security audit workflows.

🎁

Miscellaneous

Claude Opus wrote a Chrome exploit for $2,283 (2 minute read)

Claude Opus 4.6 can be used to build a working exploit chain for Chrome's V8 engine: one targeting Discord's outdated Chrome 138 base took about $2,283 in API calls plus 20 hours of guidance. Patch notes and public commits now act as exploit roadmaps. Any patient attacker with an API key can weaponize these bugs. Developers should adopt security earlier in the lifecycle, faster dependency updates, automatic patching, and tighter handling of public vulnerability details in projects like V8.

Man with @ihackedthegovernment Instagram account tells judge, "I made a mistake" (4 minute read)

Nicholas Moore, 25, used stolen credentials to access accounts in the US Supreme Court filing system, AmeriCorps, and VA My HealtheVet, then posted victims' personal and some medical details via @ihackedthegovernment on Instagram. He pled guilty, expressed remorse, and received 12 months' probation with tight computer and Internet monitoring conditions instead of prison.

Hackers are abusing unpatched Windows security flaws to hack into organizations (2 minute read)

Hackers are using three Windows Defender vulnerabilities, BlueHammer, UnDefend, and RedSun, to gain admin access in real attacks. A researcher called Chaotic Eclipse published working exploit code on a blog and GitHub after a dispute with Microsoft. Only BlueHammer is patched so far, so defenders need to move fast to find and lock down exposed Windows Defender deployments.

Quick Links

€5 gadget tracks down Dutch Navy's stealth warship while on mission (2 minute read)

Dutch broadcaster Omroep Gelderland located the Dutch Navy stealth frigate Zr. Ms. Evertsen during an active mission by mailing a cheap Bluetooth tracker through the military postal system, which passed security checks unnoticed.

Apple account change alerts abused to send phishing emails (2 minute read)

Threat actors are exploiting Apple ID name fields to bypass email security protections and embed callback-phishing lures in legitimate Apple notifications.

4 new Android malware families target 800+ apps (1 minute read)

Zimperium zLabs discovered four new Android malware families (RecruitRat, SaferRat, Astrinox, and Massiv) that are distributed via phishing/smishing APKs and abuse Accessibility Services to perform overlay attacks, keylogging, and data exfiltration against over 800 banking and crypto apps.

Thanks for reading,
Prasanna Gautam, Eric Fernandez & Sammy Tbeile

