defensive.works scan
> WEEKLY RECON

The defensive engineering brief.

One attack. One detection. One fix worth shipping.

> For engineers who own AWS, Kubernetes, agents, CI/CD, and the 02:00 alert.

> 01

Latest briefings

Weekly Recon #7: Machine Speed
2026-06-02 · ISSUE 007

Machine Speed.

Sysdig AI agent drives a 4-pivot intrusion. Megalodon backdoors 5,561 repos via id-token: write. Nx Console extension harvests Claude Code credentials. Kubernetes corrects three unfixable CVE records.

Read briefing
Weekly Recon #6: False Assurance
2026-05-26 · ISSUE 006

False Assurance.

Laravel-Lang Composer tag rewrite. AWS LeaveOrganization SCP escape. Sysdig Azure VMAccess detection gaps. Wiz Fragnesia kernel LPE. Langflow returns to CISA KEV.

Read briefing
Weekly Recon #5: Hijacked Execution Context
2026-05-19 · ISSUE 005

Hijacked Execution Context.

Mini Shai-Hulud + TanStack worm + OpenAI breach. Microsoft MCP misconfigs. Datadog malicious coding-agent skills. SpecterOps Dev Tunnels as C2. Fog Security Amazon Quick bypass.

Read briefing
Weekly Recon #4: The patch window closed. The registry pushed back.
2026-05-12 · ISSUE 004

The patch window closed. The registry pushed back.

Sysdig LiteLLM 36-hour weaponization. pnpm 11 supply-chain defaults. Push Vercel OAuth chain. GitGuardian Markov LLM passwords.

Read briefing

See all briefings

> 02

What lands in your inbox

// attack of the week

What broke. How it breaks.

One attack walked end to end. The exact surface that fails, not the headline summary.

// rule of the week

What to detect.

A buildable detection idea you can stand up this week. Catches the class, not just this week's incident.

// defender's corner

What to ship.

One defender move worth a PR before Friday. Concrete enough to land in a PR, not a roadmap.

> 03

Who writes this

R.K. Chidambaram
Cloud security engineer · Toronto

15+ years building and securing production systems on AWS and Kubernetes. I work on IAM, detection engineering, CI/CD security, software supply chain, and the agent-identity problems the industry is still figuring out. Weekly Recon is the brief I'd want in my own inbox: one attack worth knowing, one rule worth building, one defender move worth shipping.

Written for engineers with a terminal open.

Proof of work:

scan.defensive.works // GHA security scanner teampcp-goat // cloud supply-chain CTF raajhe.sh // engineering notes LinkedIn
> 04

Labs

Hands-on supply-chain security labs. Free. Run in a browser. Walk out with defender artifacts you can ship to your real repo on Monday.

// cloud supply-chain CTF

TeamPCP Goat.

A vulnerable AWS environment with 6 supply-chain flags across 2 modules. Capture the keys, learn the patterns. Free, self-hosted in your own AWS account.

// live on github
// npm supply-chain workshop

The Tanstack Attack.

Comic walkthrough of the May 11 TanStack supply-chain attack in 8 panels. The hands-on Codespace lab and 5-artifact Defender Pack land after founder review.

// read the comic edition first · hands-on lab ships after founder review
> 05

More from defensive.works

// cloud security thrillers

Books.

Cloud security thrillers where every CloudTrail event is real. Two books out: Assumed Role and Signed & Sealed. Free PDFs.
// the teampcp files

Comics.

Visual narrative explainers on real cloud-security attacks. Episode 01: The TanStack Heist. Script edition live.

Get the next briefing in your inbox.

Reply-friendly.