Linux Flaws, Defender 0-Days, Router Botnets, and Provide Chain Chaos

Ravie LakshmananCould 25, 2026Cybersecurity / Hacking

Monday recap. Identical mess, new week.

A sketchy dev software bought individuals pwned, outdated bugs got here again from the lifeless, and safety merchandise by some means wanted defending from themselves. A bunch of corporations spent the week checking outdated bins and forgotten servers they need to’ve patched years in the past. Good occasions.

Phishing crews are getting smarter too – much less apparent rip-off junk, extra focused stuff that truly appears actual. In the meantime, botnets are grabbing something uncovered to the web prefer it’s free sweet. The Web’s nonetheless a dumpster fireplace.

Let’s get into it.

⚡ Risk of the Week

GitHub Breached by way of Nx Console VS Code Extension—GitHub formally confirmed that the breach of its inside repositories was the results of a compromise of an worker system involving a poisoned model of the Nx Console Microsoft Visible Studio Code (VS Code) extension. The assault is alleged to have allowed the risk actor, a cybercriminal group often called TeamPCP, to exfiltrate about 3,800 repositories. GitHub stated it has taken steps to comprise the incident and rotated crucial secrets and techniques, including it is persevering with to watch the state of affairs for follow-on exercise. The Nx workforce revealed that the extension, nrwl.angular-console, was breached after one in every of its builders’ techniques was hacked within the wake of the latest TanStack provide chain assault. Different corporations that had been impacted by the TanStack compromise embrace OpenAI, Mistral AI, and Grafana Labs. Grafana Labs was additionally the goal of an extortion try, however the firm stated it refused to pay the hackers who had threatened to launch the corporate’s codebase. The incidents are just a few examples of the lengthy tail of downstream victims rising from the Mini Shai-Hulud marketing campaign. This, coupled with TeamPCP’s public launch of the Shai-Hulud code, marks a big evolution in software program provide chain threats, because it offers attackers a ready-made blueprint for fleshing out comparable worms focusing on open-source repositories and developer environments.

• Microsoft Took Down Fox Tempest—Microsoft has cracked down on Fox Tempest, a cyber risk actor that fueled Rhysida ransomware assaults and different infections involving Oyster, Lumma Stealer, and Vidar. The group operates upstream within the malware and ransomware provide chain, performing as an enabler and offering instruments for different risk actors to hold out assaults. This included a fraudulent code-signing service that allow cybercriminals deploy malware “by way of the entrance door” with out being detected. Whereas dangerous actors have been recognized to resell code-signing certificates for not less than a decade, Fox Tempest’s operation stood out as a result of it supplied a scalable service for extortion, phishing, search engine optimization poisoning, or malware-laced promoting.
• 9-12 months-Previous Linux Kernel Flaw Allows Root Command Execution—A brand new vulnerability disclosed within the Linux kernel remained undetected for 9 years. The vulnerability, tracked as CVE-2026-46333 (CVSS rating: 5.5), is a case of improper privilege administration that might allow an unprivileged native consumer to reveal delicate information and execute arbitrary instructions as root on default installations of a number of main distributions like Debian, Fedora, and Ubuntu. The problem was launched in November 2016.
• Microsoft Warned of Two Actively Exploited Defender Vulnerabilities—Microsoft has disclosed {that a} privilege escalation and a denial-of-service flaw in Defender have come underneath lively exploitation within the wild. Whereas CVE-2026-41091 might permit an attacker to achieve SYSTEM privileges, CVE-2026-45498 pertains to a case of denial-of-service. Though Microsoft has not formally confirmed, the vulnerability descriptions for CVE-2026-41091 and CVE-2026-45498 overlap with these of RedSun and UnDefend, two Defender zero-days that had been disclosed by Chaotic Eclipse (aka Nightmare-Eclipse) final month.
• Newly Disclosed Drupal Core Flaw Below Assault—A crucial safety flaw impacting Drupal Core has come underneath lively exploitation inside days of public disclosure. The vulnerability in query is CVE-2026-9082 (CVSS rating: 6.5), an SQL injection vulnerability affecting all supported variations of Drupal Core. Drupal acknowledged that “exploit makes an attempt are actually being detected within the wild.” Thales-owned Imperva stated it has noticed over 15,000 assault makes an attempt focusing on virtually 6,000 particular person websites throughout 65 international locations.
• Claude Mythos AI Finds 10K Excessive-Severity Flaws in In style Software program—Anthropic revealed that Undertaking Glasswing has helped uncover greater than 10,000 high- or critical-severity vulnerabilities throughout a number of the most “systemically” essential software program the world over because the cybersecurity initiative went reside final month. Of those vulnerabilities, 6,202 have been categorized as high- or critical-severity flaws impacting greater than 1,000 open-source tasks. Subsequent evaluation of those vulnerability candidates has recognized that 1,726 are legitimate true positives. As many as 1,094 flaws are assessed to be both high- or critical-severity. In whole, these efforts have led to 97 findings being patched upstream and 88 advisories being issued.
• Cisco Patched CVSS 10.0 Safe Workload Flaw—Cisco rolled out updates for a maximum-severity safety flaw impacting Safe Workload that might permit an unauthenticated, distant attacker to entry delicate information. Tracked as CVE-2026-20223 (CVSS rating: 10.0), the vulnerability arises from inadequate validation and authentication when accessing REST API endpoints. “An attacker might exploit this vulnerability if they’re able to ship a crafted API request to an affected endpoint,” Cisco stated. “A profitable exploit might permit the attacker to learn delicate data and make configuration adjustments throughout tenant boundaries with the privileges of the Web site Admin consumer.”
• Microsoft Launched Mitigations for YellowKey—Microsoft launched a mitigation for a BitLocker bypass vulnerability named YellowKey following its public disclosure final week. The zero-day flaw, now tracked as CVE-2026-45585, carries a CVSS rating of 6.8. It has been described as a BitLocker safety characteristic bypass. The problem impacts Home windows 11 model 26H1 for x64-based Methods, Home windows 11 Model 24H2 for x64-based Methods, Home windows 11 Model 25H2 for x64-based Methods, Home windows Server 2025, and Home windows Server 2025 (Server Core set up). Microsoft famous that profitable exploitation might allow an attacker with bodily entry to sidestep the BitLocker System Encryption characteristic on the system storage system and achieve entry to encrypted information.

🔥 Trending CVEs

Bugs drop weekly, and the hole between a patch and an exploit is shrinking quick. These are the heavy hitters for the week: high-severity, broadly used, or already being poked at within the wild.

Verify the record, patch what you’ve got, and hit those marked pressing first — CVE-2026-48172 (LiteSpeed Person-Finish cPanel Plugin), CVE-2026-34926 (Development Micro Apex One), CVE-2026-20223 (Cisco Safe Workload), CVE-2026-41091, CVE-2026-45498, CVE-2026-45584 (Microsoft Defender), CVE-2026-46333 (Linux Kernel), CVE-2026-9082 (Drupal Core), CVE-2026-45585 (Microsoft Home windows BitLocker), CVE-2026-2743 (SEPPMail), CVE-2026-7301, CVE-2026-7302, CVE-2026-7304 (SGLang), CVE-2026-29205 (cPanel), CVE-2026-8178 (Amazon Redshift JDBC driver), CVE-2026-8053 (MongoDB), CVE-2026-45829 aka ChromaToast (ChromaDB), CVE-2026-8153 (Common Robots PolyScope 5), CVE-2026-3102 (ExifTool), CVE-2026-9110, CVE-2026-9111, from CVE-2026-8511 by way of CVE-2026-8522 (Google Chrome), CVE-2026-45434 (Apache OFBiz), CVE-2026-33000, CVE-2026-34908, CVE-2026-34909, CVE-2026-34910, CVE-2026-34911 (UniFi OS), CVE-2026-45401 (Open WebUI), CVE-2026-9256, CVE‑2026‑8711 (F5 NGINX Plus and NGINX Open Supply), CVE-2026-20239 (Splunk Enterprise and Splunk Cloud Platform), CVE-2026-46376 (FreePBX), CVE‑2026‑6637 (PostgreSQL), and CVE-2026-35194 (Apache Flink).

🎥 Cybersecurity Webinars

• Be taught How Attackers Use AI to Supercharge DDoS Effectivity (and The way to Cease It) → Adversaries are weaponizing AI to use community blind spots, auto-generate evasion scripts, and bypass conventional defenses with surgical precision. This webinar bridges the hole between AI-driven exploitation and cloud resilience, providing data-driven insights into how attackers maximize DDoS success charges. Be part of us to maneuver past idea, leverage AI for non-disruptive safety testing (CTEM), and transition your workforce from reactive mitigation to automated, steady resilience.
• Past the Zero-Day: Trying to find Threats That Do not Want an Exploit → Zero-day exploits are not the last word metric of cyber threat. At this time, refined adversaries bypass conventional defenses fully by leveraging id flaws, living-off-the-land strategies, and AI automation that do not depend on unpatched software program. This session strikes past the zero-day obsession to reveal how attackers operationalize fashionable post-compromise techniques—and the way safety groups can pivot from reactive patching to proactive, behavioral risk looking.

📰 Across the Cyber World

• Vulnerability Exploitation Overtakes Compromised Credentials in a Lengthy Time —Vulnerability exploitation has overtaken compromised credentials for the primary time in practically 20 years as the most typical preliminary entry vector for information breaches, per Verizon. Practically a 3rd (31%) of information breaches over the previous 12 months began with vulnerability exploitation, up from 20% in 2024. Credential abuse declined from 22% to 13%. What’s extra, solely 26% of crucial vulnerabilities listed within the U.S. Cybersecurity Infrastructure and Safety Company Identified Exploited Vulnerabilities (KEV) catalog had been absolutely remediated by organizations in 2025, a drop from 38% the earlier 12 months. “The median time for full decision went as much as 43 days, virtually two weeks greater than the earlier 12 months’s 32 days,” the report stated. “Within the median case, organizations had 50% extra crucial vulnerabilities to patch on this 12 months’s reporting dataset in comparison with the earlier 12 months.” Ransomware accounted for 48% of all breaches final 12 months, up from 44% in 2024. However in a constructive growth, ransom funds have continued to say no, with the median fee sliding from $150,000 in 2024 to virtually $140,000.
• Attackers Go After India’s Training Ecosystem —Risk actors are abusing scholar information inside India’s training ecosystem, spanning academic establishments, third-party distributors, and on-line companies, for phishing, impersonation, social engineering, and financially motivated fraud operations. “Attackers generally leverage uncovered or misused scholar data to create extremely convincing scams associated to admissions, scholarships, internships, price funds, and educational companies,” CYFIRMA stated. “In a number of cases, risk actors exploited trusted academic branding, fraudulent portals, and insider entry to acquire credentials, monetary data, or direct funds. Moreover, some circumstances indicated the misuse of student-linked financial institution accounts inside broader fraud and mule account operations.”
• RondoDox Provides ASUS Router Flaw to its Arsenal —The operators of the RondoDox botnet have included CVE-2018-5999 (CVSS rating: 9.8), a crucial ASUS router flaw, to their arsenal, marking the primary commentary of in-the-wild exploitation of the vulnerability. The exercise was first detected on Could 17, 2026, in opposition to its honeypots. “The assault sample: payloads that set the ateCommand_flag to 1, enabling the infosvr interface to simply accept arbitrary configuration adjustments,” VulnCheck CTO Jacob Baines stated in a put up on LinkedIn.
• Faux Microsoft Groups Websites Ship ValleyRAT —Faux Microsoft Groups distribution websites shared on X are getting used to trick unsuspecting customers into downloading a trojanized installer packaged as a ZIP archive, finally resulting in the deployment of ValleyRAT, a malware related to a Chinese language cybercrime group known as Silver Fox. “The delivered payload leverages a DLL sideloading chain by way of a legit executable (GameBox.exe) developed by Tencent, finally deploying a ValleyRAT variant,” K7 Labs stated. “This malware marketing campaign stands out for its clear execution chain, combining social engineering with staged payload supply, in-memory decryption, and stealthy persistence mechanisms.”

• Malicious Exercise Concentrating on Malaysian Entities —An attacker-controlled infrastructure hosted on Microsoft Azure infrastructure within the Malaysia West area has been used to conduct a focused intrusion marketing campaign in opposition to a number of Malaysian organizations, per Oasis Safety. “The operation demonstrates a excessive diploma of operational planning, with the attacker growing purpose-built Python tooling for every goal — overlaying inside community enumeration, database entry, and exterior information exfiltration,” the corporate stated. The infrastructure hosts target-specific Python scripts, webshell deployment instruments, a Laravel distant code execution exploit chain, and supply code for customized command-and-control (C2) parts.
• Texas Legal professional Basic Sues Meta Over WhatsApp Encryption Claims —The Texas Legal professional Basic has sued Meta over allegations that the corporate’s WhatsApp messenger does not present the end-to-end encryption (E2EE) it has lengthy claimed. “Stories counsel that workers of WhatsApp have been in a position to entry consumer communications,” the Workplace of the Texas Legal professional Basic stated. “Further reporting and investigations point out that message content material might be pulled and considered after the message has been despatched. It is a full and whole misrepresentation of Meta’s privateness insurance policies.” The lawsuit hinges on a report from Bloomberg from final month about how the U.S. Commerce Division’s Bureau of Trade and Safety had abruptly closed an investigation into allegations that Meta might entry encrypted WhatsApp messages. Preliminary findings from the division claimed that “there is no such thing as a restrict to the kind of WhatsApp message that may be considered by Meta.” Meta has known as the allegations “baseless.”
• FIOD Arrests Two in Reference to Stark Industries —The Netherlands Fiscal Intelligence and Investigation Service (FIOD) arrested two males and seized 800 servers in reference to a webhosting firm that enabled cyber assaults, interference operations, and disinformation campaigns. The arrested people included a 57-year-old man from Amsterdam and a 39-year-old man from The Hague. Though the title of the corporate was not explicitly talked about, it’s assessed to be Stark Industries, which was sanctioned by the E.U. in Could 2025. Following the sanctions, a big chunk of the technical infrastructure was transferred to a Dutch-based entity often called THE.Hostingaka WorkTitans. “This new firm truly acts as a canopy for the sanctioned entities,” FIOD stated. “The director and (oblique) sole shareholder of this firm is the 57-year-old suspect.” A second unnamed Dutch firm is alleged to have performed a facilitating position. “This firm, of which the 39-year-old is a suspected director and sole shareholder, ensures that the servers of the previous new firm are related to the web,” FIOD added.
• UNG0002 Targets Chinese language Academic Sector —The Chinese language academic sector has develop into the goal of a brand new marketing campaign carried out by UNG0002 as a part of a spear-phishing marketing campaign codenamed Operation Dragon Whistle. “What makes this marketing campaign notably efficient is the precision of its social engineering,” Seqrite Labs stated. “The risk actor didn’t use a generic lure — they particularly recognized that Changzhou College conducts necessary annual health assessments the place failure immediately impacts commencement eligibility. This creates an setting of urgency and compliance that considerably will increase the chance of sufferer engagement.” The emails have been discovered to distribute ZIP archives that finally result in the deployment of Cobalt Strike Beacon.
• Void Botnet Makes use of Ethereum Good Contracts for C2 —A brand new botnet malware known as Void Botnet makes use of Ethereum good contracts for seizure-resistant command-and-control (C2). It is a Rust-based malware that is marketed on cybercrime boards by a developer working underneath the deal with TheVoidStl. “Primarily based on the vendor’s documentation and panel screenshots, Void Botnet is a Rust-native loader with two command-and-control modes in the identical binary,” Qrator Labs stated. “The primary mode routes instructions by way of Ethereum good contracts: the operator writes directions to a contract, and contaminated machines examine it at common intervals, selecting up new duties inside three to 5 minutes. The second mode connects machines on to the operator’s internet panel, with duties finishing in underneath thirty seconds. The operator switches between them at any time by updating the contract.” The botnet works by writing instructions to good contracts, bots polling public RPC endpoints, and C2 infrastructure that’s onerous to take down.
• Proton Debuts AI Entry Tokens in Proton Cross —Proton Cross, a safe, end-to-end encrypted (E2EE) password supervisor, has added credential sharing by way of AI entry tokens, permitting customers to provide AI brokers entry to objects it is permissioned to and monitor their exercise. “AI entry tokens are our latest safe sharing choice to convey password administration into the age of agentic AI,” Proton stated. “Each time an AI agent makes use of an entry token, that is logged, and a motive for the entry have to be supplied. For additional safety, you may also set an expiration for every token, from one hour to 1 12 months, after which it may possibly not be used.”
• DevilNFC and NFCMultiPay Android NFC Relay Malware Noticed —Two new Android NFC relay malware households named DevilNFC and NFCMultiPay have been noticed focusing on European and LATAM banking prospects. “These two NFC relay toolkits are being developed and operated exterior the Chinese language-speaking MaaS ecosystem: DevilNFC carries an solely Spanish-speaking attribution, whereas NFCMultiPay’s developer fingerprint is Portuguese (Brazilian),” Cleafy stated. “Native teams are not shopping for entry to Chinese language platforms; they’re constructing their very own.” It is assessed that the malware households might have been developed with help utilizing generative synthetic intelligence (AI). Each malware households are designed to gather the sufferer’s card PIN. “DevilNFC additional locks the sufferer contained in the malicious interface by way of Kiosk Mode, stopping any escape whereas the relay completes,” the Italian firm stated. “DevilNFC employs an uneven structure by which a single APK serves each roles in a relay assault: a passive reader on the sufferer’s system and a system-level card emulator on the attacker’s rooted system, achieved by way of a hooking framework that intercepts NFC visitors beneath the Android API layer.” DevilNFC overlaps with an NGate variant documented by ESET final month. The malicious apps are distributed by way of SMS or WhatsApp messages, directing victims to faux touchdown pages impersonating Google Play Retailer listings. 
• TAX#TRIDENT Makes use of Indian Revenue Tax Lures —A brand new marketing campaign dubbed TAX#TRIDENT is utilizing Indian Revenue Tax-themed lures to focus on Home windows endpoints by way of three supply paths. The marketing campaign begins with faux tax evaluation lures after which strikes victims towards ZIP information, VBScript downloaders, or PHP-looking internet endpoints that truly return script content material,” Securonix stated. “The primary department makes use of a ZIP file and a signed ClientSetup installer. As soon as executed, the installer creates a hidden shopper tree, provides service and driver persistence, and begins community communication. The second department makes use of ‘Assessment_Order.vbs.’ The script exhibits a tax evaluation decoy picture, downloads the identical ClientSetup payload, writes a brand new ‘YTSysConfig.ini,’ and runs the payload hidden. The third department makes use of a PHP-looking endpoint that returns VBScript. That script downloads extra levels from S3, disguises a VBS file as a PNG picture, adjustments UAC immediate conduct, and silently installs a signed ManageEngine UEMS / Endpoint Central agent.” 
• CISA Launches KEV Nomination Type to Report Exploited Bugs —The U.S. Cybersecurity and Infrastructure Safety Company (CISA) has launched a web based Nomination Type that lets researchers, distributors, and trade companions submit recognized exploited vulnerabilities (KEVs) immediately in order to “rapidly determine, validate, and share KEVs, crucial risk data.”
• Exploitation of 4-Religion Router Flaw —Attackers are exploiting CVE-2024-9643 (CVSS rating: 9.8), a crucial authentication bypass flaw in 4-Religion F3x36 industrial mobile routers, as a part of a large-scale marketing campaign since mid-Could 2026 to show fold compromised gadgets into botnets for additional campaigns. CrowdSec stated it has noticed 139 attacking IP addresses by way of Could 18, 2026. “Exploitation was first noticed on April 20 and escalated to the purpose of being reclassified as mass exploitation on Could 12, a powerful sign that attackers are operationalizing this flaw at scale,” it added.
• Chinese language-Language PhaaS Ecosystem Detailed —An evaluation of a dozen present phishing-as-a-service (PhaaS) choices within the Chinese language underground has discovered that they’ve shifted away from static password harvesting in the direction of real-time interception and tokenization by way of reside administration panels, permitting attackers to seize one-time passcodes (OTPs) and bypass multifactor authentication (MFA) immediately. The companies, equivalent to YY Lai Yu, primarily goal non-Chinese language entities, with ads usually posted to Telegram slightly than channels equivalent to WeChat (Weixin) or Tencent QQ. A vital side of those operations is their exploitation of digital pockets provisioning to monetize stolen fee particulars. Attackers have been discovered to leverage captured credentials and OTPs to provision the sufferer’s card right into a digital pockets on an attacker-controlled system. As soon as tokenized, the cardboard can be utilized for high-value transactions, contactless funds, and ATM withdrawals. “As a substitute of merely gaining account entry, these operations deal with exploiting digital pockets provisioning to remodel stolen fee information into tokenized belongings inside ecosystems,” Google stated. “This shift—mixed with using encrypted supply channels like RCS and iMessage to bypass conventional provider safety filters on SMS messages—represents an rising growth the place the aim is not only a login, however securing direct, unauthorized management over a sufferer’s monetary accounts.”

🔧 Cybersecurity Instruments

• Bumblebee → It’s an open-source safety software for macOS and Linux designed to search out software program supply-chain vulnerabilities on developer computer systems. It acts as a light-weight, read-only scanner that audits metadata information, manifests, and configurations slightly than executing code. This permits it to securely examine native language packages, internet browser extensions, textual content editor add-ons, and AI software configurations for recognized safety exposures with out working doubtlessly malicious set up scripts.
• Claude-BugHunter → It’s an open-source add-on that configures Anthropic’s Claude Code command-line software right into a specialised safety assistant. It equips the AI with pre-built vulnerability patterns, assault strategies, and reporting templates, automating the method of discovering and documenting safety flaws throughout approved testing.

Disclaimer: That is strictly for analysis and studying. It hasn’t been by way of a proper safety audit, so do not simply blindly drop it into manufacturing. Learn the code, break it in a sandbox first, and ensure no matter you’re doing stays on the precise aspect of the regulation.

Conclusion

Patch the simple stuff earlier than it turns into a much bigger downside subsequent week. The outdated bugs everybody ignored? Attackers didn’t ignore them. They by no means do.

Proper now, the web feels held along with tape and luck. Each week, there’s a brand new mess, a brand new rip-off, or some outdated field getting dragged right into a botnet. See you subsequent Monday.