Last Week in Security (LWiS) - 2026-01-12
SmarterMail Pre-auth RCE (@chudyPB + @SinSinology), Claude Code code execution (@ryotkak), VSS create (@RicardoJoseRF), EDRStartupHinder (@TwoSevenOneT), and more!
Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the past week. This post covers 2026-01-05 to 2026-01-12.
News
- [X] Iran's disconnection from the Internet is now in its 5th day - Even Starlink is reportedly being jammed by the government of Iran. Reddit users are reporting issues with Starlink but still have connectivity.
- Germany's foreign intelligence agency (BND) is looking to hire CTF players - "Experience in penetration testing, red team engagements or capture the flags (CTF)."
- Menasha police officer accused of using license plate recognition system to track his ex - Don't build systems that can easily be abused and this won't be a problem.
- Popular grocery store chain uses biometric surveillance on shoppers, raising privacy concerns - "A person does not surrender all Fourth Amendment protection by venturing into the public sphere." (CARPENTER v. UNITED STATES)
- Merge branch 'antigravity' - Linus Torvalds, the maintainer of the Linux kernel, "vibe-coded" a visualization tool. The truth is Linus has been "vibe coding" for a long time. He rarely authors code for Linux, instead directing changes and reviewing code from others before merging. He just replaced "others" with Gemini for this case but people are making a big deal about it.
- No, Microsoft didn’t rebrand Office to Microsoft 365 Copilot - Can't really blame people for thinking the rebrand happened. “In November 2022, we renamed only the Office ‘hub’ app for web and mobile to the Microsoft 365 app. In January 2025, we updated it to the Microsoft 365 Copilot app to reflect its role in bringing Copilot and Microsoft 365 productivity experiences together in one place.”
- The Conscience of a Hacker - The "Hacker Manifesto" turned 40 years old last week. A classic part of hacker history and culture.
- Thinkst Canary acquires UK-based DeceptIQ - Wow. That was fast. We reported on the launch of DeceptIQ in LWiS 2025-11-10. Congrats to Rad and the team at Thinkst!
Techniques and Write-ups
- Do Smart People Ever Say They’re Smart? (SmarterTools SmarterMail Pre-Auth RCE CVE-2025-52691) - When @chudyPB and @SinSinology team up, shells are all but guaranteed. The timing of the patch vs the advisory (3-month gap) is interesting. With the rise of AI, will the patch-diff-to-exploit pipeline become commoditized? Will the AI powered EDR save us from the AI generated exploits?
- Pwning Claude Code in 8 Different Ways - Some "read only" commands were allowlisted by default, and of course they could be abused to execute arbitrary code.
- PatchGuard Peekaboo: Hiding Processes on Systems with PatchGuard in 2026 - This may be the most technical post I've read that also has clear AI generated parts like, "HVCI didn’t just raise the bar – it fundamentally changed the game by moving enforcement to a layer that kernel code simply cannot reach," and "the cat-and-mouse game isn’t dead – it’s just moved to a much smaller playing field." The "not x but y" pattern is appearing everywhere these days...
- Clang Hardening Cheat Sheet - Ten Years Later - A recommended set of options for compiling C and C++ with Clang to improve security of the resulting binaries.
- Creating Shadow Copies with VSS API - With Microsoft removing the vssadmin command to create shadow copies, you now have to use the VSS API to create them.
- [PDF] Weird Generalization and Inductive Backdoors: New Ways to Corrupt LLMs - A small amount of data poisoning can cause dramatic shifts in a model's behavior (i.e. from good to bad terminator based on the "current year").
- Ni8mare - Unauthenticated Remote Code Execution in n8n (CVE-2026-21858) - It's really unauthenticated file access, which you can then use for token forgery and n8n has remote code execution as a feature. Patched in 1.121.0 and the 2.x versions of n8n are not affected.
- Updating the Sysmon Community Guide: Lessons Learned from the Front Lines - A great resource for defenders just got a big update.
Tools and Exploits
- PhantomSec | Advanced Offensive Capabilities Automated - EvadeX Sponsored - EvadeX is an evasion-as-a-service platform for red teams and pentesters who want modern, continuously-updated evasive tradecraft without turning every engagement into an R&D project. Generate highly customizable, low-signature payloads through a simple web workflow so you can tune to the target and stay focused on the engagement. Trusted by teams from small consultancies to the Fortune 10. Get callbacks past EDR today!
- Barbhack CTF 2025 (Pirates - Active Directory Lab) - Originally featured in the Barbhack 2025 CTF, this lab is now available for free to everyone! In this lab, you'll explore how to use the powerful tool NetExec to efficiently compromise an Active Directory domain during an internal pentest. Build on VMware, VirtualBox, or Ludus.
- watchTowr-vs-SmarterMail-CVE-2025-52691 - SmarterMail Pre-Auth RCE 1day Detection Artifact Generator Tool
- ScrappyDoo - Opengraph-Compatible JSON Generator for BloodHound.
- w11_shadow_copies - Create, delete or list Shadow Copies using the VSS API from C++, C# or Python.
- EDRStartupHinder - A red team tool to prevent Antivirus and EDR from running (Check the blog post for more details.)
- santamon - Lightweight macOS detection agent built on Santa’s Endpoint Security telemetry.
- flashingestor - A TUI for Active Directory collection.
- dumpguard_bof - Beacon Object File (BOF) port of DumpGuard for extracting NTLMv1 hashes from sessions on modern Windows systems.
- ClipboardStealBOF - An alternative to the builtin clipboard feature in Cobalt Strike that adds the capability to enable/disable and dump the clipboard history.
- AfterShell - Fast Windows post-exploitation wins after initial access.
- RemoveWindowsAI - Force Remove Copilot, Recall and More in Windows 11.
New to Me and Miscellaneous
This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!
- I Built a 1 Petabyte Server From Scratch - A great video of a JBOD built from scratch. The highlight is all the testing done at each step of the build. Remember what Mythbusters taught you, "the only difference between screwing around and science is writing it down."
- Climbing The Ladder: What Non-Technical Attributes Make a Senior Pentester? - Underappreciated "soft skills" that make you valuable to companies.
- cc-agent - Another command and control agent.
- kreuzberg - A polyglot document intelligence framework with a Rust core. Extract text, metadata, and structured information from PDFs, Office documents, images, and 50+ formats. Available for Rust, Python, Ruby, Java, Go, PHP, Elixir, C#, TypeScript (Node/Bun/Wasm/Deno) — or use via CLI, REST API, or MCP server.
Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing.