Monday recap. Same mess, new week.
A sketchy dev tool got people pwned, old bugs came back from the dead, and security products somehow needed protecting from themselves. A bunch of companies spent the week checking old boxes and forgotten servers they should've patched years ago. Good times.
Phishing crews are getting smarter too – less obvious scam junk, more targeted stuff that actually looks real. Meanwhile, botnets are grabbing anything exposed to the internet like it's free candy. The Internet's still a dumpster fire.
Let's get into it.
⚡ Threat of the Week
GitHub Breached via Nx Console VS Code Extension—GitHub formally confirmed that the breach of its internal repositories was the result of a compromise of an employee system involving a poisoned version of the Nx Console Microsoft Visual Studio Code (VS Code) extension. The attack is said to have allowed the threat actor, a cybercriminal group called TeamPCP, to exfiltrate about 3,800 repositories. GitHub said it has taken steps to contain the incident and rotated critical secrets, adding that it is continuing to monitor the situation for follow-on activity. The Nx team revealed that the extension, nrwl.angular-console, was breached after one of its developers' systems was hacked in the wake of the recent TanStack supply chain attack. Other companies that were impacted by the TanStack compromise include OpenAI, Mistral AI, and Grafana Labs. Grafana Labs was also the target of an extortion attempt, but the company said it refused to pay the hackers who had threatened to release the company's codebase. The incidents are just a few examples of the long tail of downstream victims emerging from the Mini Shai-Hulud campaign. This, coupled with TeamPCP's public release of the Shai-Hulud code, marks a significant evolution in software supply chain threats, as it gives attackers a ready-made blueprint for building similar worms targeting open-source repositories and developer environments.
🔔 Top News
- Microsoft Took Down Fox Tempest—Microsoft has cracked down on Fox Tempest, a cyber threat actor that fueled Rhysida ransomware attacks and other infections involving Oyster, Lumma Stealer, and Vidar. The group operates upstream in the malware and ransomware supply chain, acting as an enabler and providing tools for other threat actors to carry out attacks. This included a fraudulent code-signing service that let cybercriminals deploy malware "through the front door" without being detected. While bad actors have been known to resell code-signing certificates for at least a decade, Fox Tempest's operation stood out because it provided a scalable service for extortion, phishing, SEO poisoning, or malware-laced advertising.
- 9-Year-Old Linux Kernel Flaw Enables Root Command Execution—A newly disclosed vulnerability in the Linux kernel remained undetected for nine years. The vulnerability, tracked as CVE-2026-46333 (CVSS score: 5.5), is a case of improper privilege management that could allow an unprivileged local user to expose sensitive data and execute arbitrary commands as root on default installations of several major distributions like Debian, Fedora, and Ubuntu. The issue was introduced in November 2016.
- Microsoft Warned of Two Actively Exploited Defender Vulnerabilities—Microsoft has disclosed that a privilege escalation flaw and a denial-of-service flaw in Defender have come under active exploitation in the wild. While CVE-2026-41091 could allow an attacker to gain SYSTEM privileges, CVE-2026-45498 relates to a case of denial-of-service. Although Microsoft has not formally confirmed it, the vulnerability descriptions for CVE-2026-41091 and CVE-2026-45498 overlap with those of RedSun and UnDefend, two Defender zero-days that were disclosed by Chaotic Eclipse (aka Nightmare-Eclipse) last month.
- Newly Disclosed Drupal Core Flaw Under Attack—A critical security flaw impacting Drupal Core has come under active exploitation within days of public disclosure. The vulnerability in question is CVE-2026-9082 (CVSS score: 6.5), an SQL injection vulnerability affecting all supported versions of Drupal Core. Drupal acknowledged that "exploit attempts are now being detected in the wild." Thales-owned Imperva said it has observed over 15,000 attack attempts targeting nearly 6,000 individual sites across 65 countries.
- Claude Mythos AI Finds 10K High-Severity Flaws in Popular Software—Anthropic revealed that Project Glasswing has helped uncover more than 10,000 high- or critical-severity vulnerabilities across some of the most "systemically" important software around the world since the cybersecurity initiative went live last month. Of these vulnerabilities, 6,202 were classified as high- or critical-severity flaws impacting more than 1,000 open-source projects. Subsequent analysis of these vulnerability candidates has identified that 1,726 are valid true positives. As many as 1,094 flaws are assessed to be either high- or critical-severity. In total, these efforts have led to 97 findings being patched upstream and 88 advisories being issued.
- Cisco Patched CVSS 10.0 Secure Workload Flaw—Cisco rolled out updates for a maximum-severity security flaw impacting Secure Workload that could allow an unauthenticated, remote attacker to access sensitive data. Tracked as CVE-2026-20223 (CVSS score: 10.0), the vulnerability arises from insufficient validation and authentication when accessing REST API endpoints. "An attacker could exploit this vulnerability if they are able to send a crafted API request to an affected endpoint," Cisco said. "A successful exploit could allow the attacker to read sensitive information and make configuration changes across tenant boundaries with the privileges of the Site Admin user."
- Microsoft Released Mitigations for YellowKey—Microsoft released a mitigation for a BitLocker bypass vulnerability named YellowKey following its public disclosure last week. The zero-day flaw, now tracked as CVE-2026-45585, carries a CVSS score of 6.8. It has been described as a BitLocker security feature bypass. The issue impacts Windows 11 version 26H1 for x64-based Systems, Windows 11 Version 24H2 for x64-based Systems, Windows 11 Version 25H2 for x64-based Systems, Windows Server 2025, and Windows Server 2025 (Server Core installation). Microsoft noted that successful exploitation could enable an attacker with physical access to sidestep the BitLocker Device Encryption feature on the system storage device and gain access to encrypted data.
🔥 Trending CVEs
Bugs drop weekly, and the gap between a patch and an exploit is shrinking fast. These are the heavy hitters for the week: high-severity, widely used, or already being poked at in the wild.
Check the list, patch what you have, and hit the ones marked urgent first — CVE-2026-48172 (LiteSpeed User-End cPanel Plugin), CVE-2026-34926 (Trend Micro Apex One), CVE-2026-20223 (Cisco Secure Workload), CVE-2026-41091, CVE-2026-45498, CVE-2026-45584 (Microsoft Defender), CVE-2026-46333 (Linux Kernel), CVE-2026-9082 (Drupal Core), CVE-2026-45585 (Microsoft Windows BitLocker), CVE-2026-2743 (SEPPMail), CVE-2026-7301, CVE-2026-7302, CVE-2026-7304 (SGLang), CVE-2026-29205 (cPanel), CVE-2026-8178 (Amazon Redshift JDBC driver), CVE-2026-8053 (MongoDB), CVE-2026-45829 aka ChromaToast (ChromaDB), CVE-2026-8153 (Universal Robots PolyScope 5), CVE-2026-3102 (ExifTool), CVE-2026-9110, CVE-2026-9111, from CVE-2026-8511 through CVE-2026-8522 (Google Chrome), CVE-2026-45434 (Apache OFBiz), CVE-2026-33000, CVE-2026-34908, CVE-2026-34909, CVE-2026-34910, CVE-2026-34911 (UniFi OS), CVE-2026-45401 (Open WebUI), CVE-2026-9256, CVE-2026-8711 (F5 NGINX Plus and NGINX Open Source), CVE-2026-20239 (Splunk Enterprise and Splunk Cloud Platform), CVE-2026-46376 (FreePBX), CVE-2026-6637 (PostgreSQL), and CVE-2026-35194 (Apache Flink).
🎥 Cybersecurity Webinars
- Learn How Attackers Use AI to Supercharge DDoS Efficiency (and How to Stop It) → Adversaries are weaponizing AI to exploit network blind spots, auto-generate evasion scripts, and bypass traditional defenses with surgical precision. This webinar bridges the gap between AI-driven exploitation and cloud resilience, offering data-driven insights into how attackers maximize DDoS success rates. Join us to move beyond theory, leverage AI for non-disruptive security testing (CTEM), and transition your team from reactive mitigation to automated, continuous resilience.
- Beyond the Zero-Day: Hunting for Threats That Don't Need an Exploit → Zero-day exploits are no longer the ultimate metric of cyber risk. Today, sophisticated adversaries bypass traditional defenses entirely by leveraging identity flaws, living-off-the-land techniques, and AI automation that don't rely on unpatched software. This session moves beyond the zero-day obsession to reveal how attackers operationalize modern post-compromise tactics—and how security teams can pivot from reactive patching to proactive, behavioral threat hunting.
📰 Around the Cyber World
- Vulnerability Exploitation Overtakes Compromised Credentials for the First Time in a Long Time —Vulnerability exploitation has overtaken compromised credentials for the first time in nearly two decades as the most common initial access vector for data breaches, per Verizon. Nearly a third (31%) of data breaches over the past year started with vulnerability exploitation, up from 20% in 2024. Credential abuse declined from 22% to 13%. What's more, only 26% of critical vulnerabilities listed in the U.S. Cybersecurity and Infrastructure Security Agency's Known Exploited Vulnerabilities (KEV) catalog were fully remediated by organizations in 2025, a drop from 38% the previous year. "The median time for full resolution went up to 43 days, almost two weeks more than the previous year's 32 days," the report said. "In the median case, organizations had 50% more critical vulnerabilities to patch in this year's reporting dataset compared to the previous year." Ransomware accounted for 48% of all breaches last year, up from 44% in 2024. But in a positive development, ransom payments have continued to decline, with the median payment sliding from $150,000 in 2024 to nearly $140,000.
- Attackers Go After India's Education Ecosystem —Threat actors are abusing student data within India's education ecosystem, spanning educational institutions, third-party vendors, and online services, for phishing, impersonation, social engineering, and financially motivated fraud operations. "Attackers commonly leverage exposed or misused student information to create highly convincing scams related to admissions, scholarships, internships, fee payments, and academic services," CYFIRMA said. "In several instances, threat actors exploited trusted educational branding, fraudulent portals, and insider access to obtain credentials, financial information, or direct payments. Additionally, some cases indicated the misuse of student-linked bank accounts within broader fraud and mule account operations."
- RondoDox Adds ASUS Router Flaw to its Arsenal —The operators of the RondoDox botnet have added CVE-2018-5999 (CVSS score: 9.8), a critical ASUS router flaw, to their arsenal, marking the first observation of in-the-wild exploitation of the vulnerability. The activity was first detected on May 17, 2026, against VulnCheck's honeypots. "The attack pattern: payloads that set the ateCommand_flag to 1, enabling the infosvr interface to accept arbitrary configuration changes," VulnCheck CTO Jacob Baines said in a post on LinkedIn.
- Fake Microsoft Teams Sites Deliver ValleyRAT —Fake Microsoft Teams distribution sites shared on X are being used to trick unsuspecting users into downloading a trojanized installer packaged as a ZIP archive, ultimately leading to the deployment of ValleyRAT, a malware associated with a Chinese cybercrime group called Silver Fox. "The delivered payload leverages a DLL sideloading chain via a legitimate executable (GameBox.exe) developed by Tencent, ultimately deploying a ValleyRAT variant," K7 Labs said. "This malware campaign stands out for its clean execution chain, combining social engineering with staged payload delivery, in-memory decryption, and stealthy persistence mechanisms."
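The sideloading chain described above is detectable from ordinary image-load telemetry: a signed vendor executable running from a user-writable directory and loading an unsigned (or differently signed) DLL that sits beside it. The following is an added example, not code from K7 Labs or from the report; the record layout mimics Sysmon Event ID 7 fields (Image, ImageLoaded, Signed, Signature) plus an assumed enrichment field, ProcessSignature, carrying the signer of the host process. All events, signer labels and the DLL name are constructed, since the report does not name the sideloaded DLL.

```python
"""Flag DLL sideloading candidates in image-load telemetry (added example)."""
from __future__ import annotations

# Roots where a vendor binary is expected to live. Loads from here are not
# user-writable drop zones, so the rule ignores them; tune per environment.
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")


def _dir(path: str) -> str:
    """Lower-cased parent directory of a Windows path, with trailing backslash."""
    return path.lower().rsplit("\\", 1)[0] + "\\"


def _in_trusted_root(path: str) -> bool:
    return any(path.lower().startswith(root) for root in TRUSTED_ROOTS)


def is_sideload_candidate(ev: dict) -> bool:
    """True when a signed host process loads a DLL from its own directory,
    that directory is outside the trusted roots, and the DLL is unsigned or
    signed by someone other than the host's signer."""
    host_signer = ev.get("ProcessSignature") or ""          # assumed enrichment field
    dll_signed = str(ev.get("Signed", "false")).lower() == "true"
    dll_signer = ev.get("Signature") or ""
    same_dir = _dir(ev["Image"]) == _dir(ev["ImageLoaded"])
    untrusted_location = not _in_trusted_root(ev["ImageLoaded"])
    signer_mismatch = (not dll_signed) or (dll_signer != host_signer)
    return bool(host_signer) and same_dir and untrusted_location and signer_mismatch


def find_sideloads(events: list[dict]) -> list[dict]:
    return [ev for ev in events if is_sideload_candidate(ev)]


# Constructed events. Only the first mirrors the reported pattern: a signed
# GameBox.exe extracted to a temp folder loading an unsigned neighbour DLL.
SAMPLE_EVENTS = [
    {"Image": r"C:\Users\alice\AppData\Local\Temp\TeamsSetup\GameBox.exe",
     "ProcessSignature": "Tencent (constructed signer label)",
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\TeamsSetup\example_sideloaded.dll",
     "Signed": "false", "Signature": ""},
    {"Image": r"C:\Windows\System32\notepad.exe", "ProcessSignature": "Microsoft Windows",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll",
     "Signed": "true", "Signature": "Microsoft Windows"},
    {"Image": r"C:\Users\alice\Downloads\portable\tool.exe", "ProcessSignature": "",
     "ImageLoaded": r"C:\Users\alice\Downloads\portable\helper.dll",
     "Signed": "false", "Signature": ""},
    {"Image": r"C:\Program Files\Vendor\app.exe", "ProcessSignature": "Vendor Inc",
     "ImageLoaded": r"C:\Program Files\Vendor\plugin.dll",
     "Signed": "true", "Signature": "Vendor Inc"},
]

if __name__ == "__main__":
    for hit in find_sideloads(SAMPLE_EVENTS):
        print("sideload candidate:", hit["Image"], "->", hit["ImageLoaded"])
```

The third event shows the main tuning choice: an unsigned portable tool loading its own unsigned DLL is noisy and is left out by requiring a signed host, because the technique's value to the attacker is precisely the trusted signature on the host process. Rules keyed on a specific executable name would miss the next vendor binary to be abused; the signer-mismatch-in-a-writable-directory pattern does not.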
- Malicious Activity Targeting Malaysian Entities —An attacker-controlled infrastructure hosted on Microsoft Azure in the Malaysia West region has been used to conduct a targeted intrusion campaign against several Malaysian organizations, per Oasis Security. "The operation demonstrates a high degree of operational planning, with the attacker developing purpose-built Python tooling for each target — covering internal network enumeration, database access, and external data exfiltration," the company said. The infrastructure hosts target-specific Python scripts, webshell deployment tools, a Laravel remote code execution exploit chain, and source code for custom command-and-control (C2) components.
- Texas Attorney General Sues Meta Over WhatsApp Encryption Claims —The Texas Attorney General has sued Meta over allegations that the company's WhatsApp messenger doesn't provide the end-to-end encryption (E2EE) it has long claimed. "Reports suggest that employees of WhatsApp have been able to access user communications," the Office of the Texas Attorney General said. "Additional reporting and investigations indicate that message content can be pulled and viewed after the message has been sent. This is a complete and total misrepresentation of Meta's privacy policies." The lawsuit hinges on a report from Bloomberg last month about how the U.S. Commerce Department's Bureau of Industry and Security had abruptly closed an investigation into allegations that Meta could access encrypted WhatsApp messages. Preliminary findings from the department claimed that "there is no limit to the type of WhatsApp message that can be seen by Meta." Meta has called the allegations "baseless."
- FIOD Arrests Two in Connection with Stark Industries —The Netherlands Fiscal Intelligence and Investigation Service (FIOD) arrested two men and seized 800 servers in connection with a web hosting company that enabled cyber attacks, interference operations, and disinformation campaigns. The arrested individuals included a 57-year-old man from Amsterdam and a 39-year-old man from The Hague. Although the name of the company was not explicitly mentioned, it's assessed to be Stark Industries, which was sanctioned by the E.U. in May 2025. Following the sanctions, a significant chunk of the technical infrastructure was transferred to a Dutch-based entity called THE.Hosting aka WorkTitans. "This new company actually acts as a cover for the sanctioned entities," FIOD said. "The director and (indirect) sole shareholder of this company is the 57-year-old suspect." A second unnamed Dutch company is alleged to have played a facilitating role. "This company, of which the 39-year-old is a suspected director and sole shareholder, ensures that the servers of the aforementioned new company are connected to the internet," FIOD added.
- UNG0002 Targets Chinese Educational Sector —The Chinese educational sector has become the target of a new campaign conducted by UNG0002 as part of a spear-phishing campaign codenamed Operation Dragon Whistle. "What makes this campaign particularly effective is the precision of its social engineering," Seqrite Labs said. "The threat actor didn't use a generic lure — they specifically identified that Changzhou University conducts mandatory annual fitness assessments where failure directly impacts graduation eligibility. This creates an environment of urgency and compliance that significantly increases the likelihood of victim engagement." The emails have been found to distribute ZIP archives that ultimately lead to the deployment of Cobalt Strike Beacon.
- Void Botnet Uses Ethereum Smart Contracts for C2 —A new botnet malware called Void Botnet uses Ethereum smart contracts for seizure-resistant command-and-control (C2). It's a Rust-based malware that's advertised on cybercrime forums by a developer operating under the handle TheVoidStl. "Based on the seller's documentation and panel screenshots, Void Botnet is a Rust-native loader with two command-and-control modes in the same binary," Qrator Labs said. "The first mode routes commands through Ethereum smart contracts: the operator writes instructions to a contract, and infected machines check it at regular intervals, picking up new tasks within three to five minutes. The second mode connects machines directly to the operator's web panel, with tasks completing in under thirty seconds. The operator switches between them at any time by updating the contract." The botnet works by writing commands to smart contracts, bots polling public RPC endpoints, and C2 infrastructure that's hard to take down.
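Contract-based C2 cannot be sinkholed, but the bots still have to poll a public RPC endpoint on a steady schedule, and the page puts that cadence at three to five minutes. That regularity is the defender's handle: a host with no business need for blockchain RPC access that POSTs to the same external endpoint every few minutes with little jitter stands out in egress logs. The following is an added example, not Qrator Labs' code or the malware's; the log lines are constructed in a simplified proxy format ("<epoch> <client_ip> <method> <url> <status>"), and the endpoint hostnames are placeholders under the reserved .invalid TLD rather than real providers.

```python
"""Flag clients polling an external endpoint on a steady 3-5 minute cadence (added example)."""
from __future__ import annotations
from collections import defaultdict
from statistics import median
from urllib.parse import urlsplit

MIN_REQUESTS = 5            # fewer samples than this cannot establish a cadence
PERIOD_RANGE = (150, 330)   # seconds; 3-5 minute polling, widened for jitter
MAX_SPREAD = 0.25           # (max_gap - min_gap) / median_gap; bigger means irregular

# Constructed log lines. 10.0.0.7 polls every ~240 s (the pattern of interest);
# 10.0.0.8 posts at irregular intervals; 10.0.0.9 has too few requests to judge.
SAMPLE_LOG = """\
1700000000 10.0.0.7 POST https://rpc.eth-provider.invalid/ 200
1700000243 10.0.0.7 POST https://rpc.eth-provider.invalid/ 200
1700000481 10.0.0.7 POST https://rpc.eth-provider.invalid/ 200
1700000722 10.0.0.7 POST https://rpc.eth-provider.invalid/ 200
1700000965 10.0.0.7 POST https://rpc.eth-provider.invalid/ 200
1700001210 10.0.0.7 POST https://rpc.eth-provider.invalid/ 200
1700000000 10.0.0.8 POST https://telemetry.vendor.invalid/v1/events 200
1700000030 10.0.0.8 POST https://telemetry.vendor.invalid/v1/events 200
1700000400 10.0.0.8 POST https://telemetry.vendor.invalid/v1/events 200
1700000410 10.0.0.8 POST https://telemetry.vendor.invalid/v1/events 200
1700001500 10.0.0.8 POST https://telemetry.vendor.invalid/v1/events 200
1700001530 10.0.0.8 POST https://telemetry.vendor.invalid/v1/events 200
1700000000 10.0.0.9 POST https://rpc.other-provider.invalid/ 200
1700000240 10.0.0.9 POST https://rpc.other-provider.invalid/ 200
1700000480 10.0.0.9 POST https://rpc.other-provider.invalid/ 200
"""


def parse(lines):
    """Yield (epoch, client_ip, method, hostname) for well-formed lines; skip the rest."""
    for line in lines:
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, src, method, url, _status = parts
        yield int(ts), src, method, urlsplit(url).hostname


def find_periodic_pollers(lines) -> list[dict]:
    """Group POSTs by (client, host) and report pairs whose inter-request gaps
    are both in PERIOD_RANGE and tightly clustered. JSON-RPC is carried over
    POST, which is why GETs are ignored here."""
    by_pair: dict[tuple[str, str], list[int]] = defaultdict(list)
    for ts, src, method, host in parse(lines):
        if method == "POST" and host:
            by_pair[(src, host)].append(ts)

    findings = []
    for (src, host), stamps in by_pair.items():
        if len(stamps) < MIN_REQUESTS:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        med = median(gaps)
        spread = (max(gaps) - min(gaps)) / med
        if PERIOD_RANGE[0] <= med <= PERIOD_RANGE[1] and spread <= MAX_SPREAD:
            findings.append({"src": src, "host": host,
                             "median_gap_s": med, "spread": round(spread, 3)})
    return findings


if __name__ == "__main__":
    for f in find_periodic_pollers(SAMPLE_LOG.splitlines()):
        print(f"{f['src']} -> {f['host']}: every ~{f['median_gap_s']:.0f}s (spread {f['spread']})")
```

A hit is a candidate, not a verdict: legitimate wallets and node software poll the same way. The triage step is to check whether the client has any business reason to reach a blockchain RPC endpoint, and, where TLS inspection exists, whether the request bodies are JSON-RPC reads against a single contract address. An egress allowlist that denies RPC endpoints outright for fleets that never need them removes the first C2 mode entirely and forces the operator onto the direct web-panel mode, which can be blocked by ordinary means.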
- Proton Debuts AI Access Tokens in Proton Pass —Proton Pass, a secure, end-to-end encrypted (E2EE) password manager, has added credential sharing through AI access tokens, allowing users to give AI agents access to the items they are permissioned for and to monitor their activity. "AI access tokens are our latest secure sharing option to bring password management into the age of agentic AI," Proton said. "Every time an AI agent uses an access token, it's logged, and a reason for the access must be provided. For extra security, you can also set an expiration for each token, from one hour to one year, after which it can no longer be used."
- DevilNFC and NFCMultiPay Android NFC Relay Malware Spotted —Two new Android NFC relay malware families named DevilNFC and NFCMultiPay have been observed targeting European and LATAM banking customers. "These two NFC relay toolkits are being developed and operated outside the Chinese-speaking MaaS ecosystem: DevilNFC carries an exclusively Spanish-speaking attribution, while NFCMultiPay's developer fingerprint is Portuguese (Brazilian)," Cleafy said. "Local groups are no longer buying access to Chinese platforms; they're building their own." It's assessed that the malware families may have been developed with assistance from generative artificial intelligence (AI). Both malware families are designed to collect the victim's card PIN. "DevilNFC further locks the victim inside the malicious interface via Kiosk Mode, preventing any escape while the relay completes," the Italian company said. "DevilNFC employs an asymmetric architecture in which a single APK serves both roles in a relay attack: a passive reader on the victim's device and a system-level card emulator on the attacker's rooted device, achieved via a hooking framework that intercepts NFC traffic below the Android API layer." DevilNFC overlaps with an NGate variant documented by ESET last month. The malicious apps are distributed via SMS or WhatsApp messages, directing victims to fake landing pages impersonating Google Play Store listings.
- TAX#TRIDENT Uses Indian Income Tax Lures —A new campaign dubbed TAX#TRIDENT is using Indian Income Tax-themed lures to target Windows endpoints via three delivery paths. "The campaign begins with fake tax assessment lures and then moves victims toward ZIP files, VBScript downloaders, or PHP-looking web endpoints that actually return script content," Securonix said. "The first branch uses a ZIP file and a signed ClientSetup installer. Once executed, the installer creates a hidden client tree, adds service and driver persistence, and begins network communication. The second branch uses 'Assessment_Order.vbs.' The script shows a tax assessment decoy image, downloads the same ClientSetup payload, writes a new 'YTSysConfig.ini,' and runs the payload hidden. The third branch uses a PHP-looking endpoint that returns VBScript. That script downloads additional stages from S3, disguises a VBS file as a PNG image, changes UAC prompt behavior, and silently installs a signed ManageEngine UEMS / Endpoint Central agent."
- CISA Launches KEV Nomination Form to Report Exploited Bugs —The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has launched a web-based Nomination Form that lets researchers, vendors, and industry partners submit known exploited vulnerabilities (KEVs) directly in order to "quickly identify, validate, and share KEVs, critical threat information."
- Exploitation of Four-Faith Router Flaw —Attackers are exploiting CVE-2024-9643 (CVSS score: 9.8), a critical authentication bypass flaw in Four-Faith F3x36 industrial cellular routers, as part of a large-scale campaign since mid-May 2026 to fold compromised devices into botnets for further campaigns. CrowdSec said it has observed 139 attacking IP addresses through May 18, 2026. "Exploitation was first observed on April 20 and escalated to the point of being reclassified as mass exploitation on May 12, a strong signal that attackers are operationalizing this flaw at scale," it added.
- Chinese-Language PhaaS Ecosystem Detailed —An analysis of a dozen current phishing-as-a-service (PhaaS) offerings in the Chinese underground has found that they've shifted away from static password harvesting toward real-time interception and tokenization via live admin panels, allowing attackers to capture one-time passcodes (OTPs) and bypass multifactor authentication (MFA) instantly. The services, such as YY Lai Yu, primarily target non-Chinese entities, with advertisements regularly posted to Telegram rather than channels such as WeChat (Weixin) or Tencent QQ. A critical aspect of these operations is their exploitation of digital wallet provisioning to monetize stolen payment details. Attackers have been found to leverage captured credentials and OTPs to provision the victim's card into a digital wallet on an attacker-controlled device. Once tokenized, the card can be used for high-value transactions, contactless payments, and ATM withdrawals. "Instead of merely gaining account access, these operations focus on exploiting digital wallet provisioning to transform stolen payment data into tokenized assets within ecosystems," Google said. "This shift—combined with the use of encrypted delivery channels like RCS and iMessage to bypass traditional carrier security filters on SMS messages—represents an emerging development where the goal is no longer just a login, but securing direct, unauthorized control over a victim's financial accounts."
🔧 Cybersecurity Tools
- Bumblebee → It's an open-source security tool for macOS and Linux designed to find software supply-chain vulnerabilities on developer computers. It acts as a lightweight, read-only scanner that audits metadata files, manifests, and configurations rather than executing code. This allows it to safely inspect local language packages, web browser extensions, text editor add-ons, and AI tool configurations for known security exposures without running potentially malicious installation scripts.
- Claude-BugHunter → It's an open-source add-on that configures Anthropic's Claude Code command-line tool into a specialized security assistant. It equips the AI with pre-built vulnerability patterns, attack techniques, and reporting templates, automating the process of finding and documenting security flaws during authorized testing.
Disclaimer: This is strictly for research and learning. It hasn't been through a formal security audit, so don't just blindly drop it into production. Read the code, break it in a sandbox first, and make sure whatever you're doing stays on the right side of the law.
Conclusion
Patch the easy stuff before it becomes a bigger problem next week. The old bugs everyone ignored? Attackers didn't ignore them. They never do.
Right now, the internet feels held together with tape and luck. Every week, there's a new mess, a new scam, or some old box getting dragged into a botnet. See you next Monday.