Berlin Bassline Brief #7: libssh2, Fixing those Clicks, how agent skills will leak your credentials, the AISVS 1.0 attempts to make that "will" a "won't", App Attest
libssh2, a new macOS ClickFix infostealer campaign, a large-scale study on LLM skill credential leakage, the OWASP AISVS 1.0 launch, and Apple's App Attest at WWDC26
"Nowhere can I think so happily as in a train."
On my way south to Vienna for OWASP Global AppSec EU 2026 – say hi if you're going to be there!
Security, General:
libssh2 CVEs CVE-2026-55200 and CVE-2026-55199; patches haven’t made it to all vulnerable distributions yet: https://www.heise.de/en/news/Security-vulnerabilities-endanger-connections-via-libssh2-11339594.html
Security, Apple Platforms:
New macOS ClickFix attack silently mounts DMGs to push infostealer: https://www.bleepingcomputer.com/news/security/new-macos-clickfix-attack-silently-mounts-dmgs-to-push-infostealer/
Ideally, a user who uses Terminal frequently isn't susceptible to ClickFix, and a user who uses it rarely will get a warning from Terminal's anti-paste measure: https://support.apple.com/en-us/127377
Interesting Paper:
How Your Credentials Are Leaked by LLM Agent Skills: An Empirical Study (upcoming in ASE 2026, the 41st IEEE/ACM International Conference on Automated Software Engineering), by Zhihao Chen, Ying Zhang, Yi Liu, Gelei Deng, Yuekang Li, Yanjun Zhang, Jianting Ning, Leo Yu Zhang, Lei Ma, and Zhiqiang Li: https://arxiv.org/html/2604.03070v2
Interesting Tool:
Very excitingly, the 1.0 of the OWASP AI Security Verification Standard will be launching as you're reading this: https://github.com/OWASP/AISVS
Apple Platforms Security Concept of the Week:
Secure your apps with App Attest (WWDC 2026): https://developer.apple.com/videos/play/wwdc2026/201/
"Establishing your app’s integrity":
https://developer.apple.com/documentation/devicecheck/establishing-your-app-s-integrity