Security Leftovers
-
LWN ☛ Security updates for Thursday
Security updates have been issued by AlmaLinux (python3.11, python3.12, squid, and thunderbird), Debian (gst-plugins-bad1.0 and gst-plugins-ugly1.0), Fedora (bpfman, crun, gnome-remote-desktop, polkit, python3.14, rust-rustls-webpki, rust-sccache, rust-scx_layered, rust-scx_rustland, rust-scx_rusty, and scap-security-guide), Oracle (freerdp, gstreamer1-plugins-bad-free, gstreamer1-plugins-base, gstreamer1-plugins-good, and gstreamer1-plugins-ugly-free, kernel, libxslt, python3.11, python3.12, squid, and thunderbird), SUSE (389-ds, busybox, chromium, cosign, curl, docker-compose, exiv2, expat, firefox, freerdp, freerdp2, gstreamer-plugins-ugly, harfbuzz, heroic-games-launcher, ImageMagick, kea, keylime, libjxl, librsvg, libsodium, libsoup, net-snmp, net-tools, netty, nghttp2, poppler, postgresql13, postgresql16, postgresql17, postgresql18, protobuf, python-black, python-orjson, python-pyasn1, python-pyOpenSSL, python-tornado, python-tornado6, python311-nltk, thunderbird, tomcat10, tomcat11, vim, and xen), and Ubuntu (kernel, linux, linux-aws, linux-kvm, linux-lts-xenial, linux-raspi, linux-raspi, linux-raspi-realtime, rust-cargo-c, rust-tar, and undertow).
-
Diffoscope ☛ Reproducible Builds (diffoscope): diffoscope 316 released
The diffoscope maintainers are pleased to announce the release of diffoscope version 316. This version includes the following changes:
* Fix compatibility with LLVM version 22.
* Add some debugging info for PyPI debugging.
-
Security Week ☛ Apple Rolls Out DarkSword Exploit Protection to More Devices
The DarkSword exploit kit has been used by both state-sponsored hackers and commercial spyware vendors.
-
Security Week ☛ Sophisticated CrystalX RAT Emerges
The malware can spy on victims, steal their information, and make configuration changes on devices.
-
Security Week ☛ Mercor Hit by LiteLLM Supply Chain Attack
The Hey Hi (AI) recruiting firm is investigating the incident as Lapsus$ claimed the theft of 4TB of Mercor data.
-
SANS ☛ Attempts to Exploit Exposed "Vite" Installs (CVE-2025-30208), (Thu, Apr 2nd)
-
Security Week ☛ Critical Vulnerability in Claude Code Emerges Days After Source Leak
Within days of each other, Anthropic first leaked the source code to Claude Code, and then a critical vulnerability was found by Adversa AI.
-
Security Week ☛ 250,000 Affected by Data Breach at Nacogdoches Memorial Hospital
In January 2026, a threat actor hacked the hospital’s internal network and stole personal and health information.
-
Security Week ☛ Cisco Patches Critical and High-Severity Vulnerabilities
The bugs could lead to authentication bypass, remote code execution, information disclosure, and privilege escalation.
-
Bruce Schneier ☛ US Bans All Foreign-Made Consumer Routers
This is for new routers; you don’t have to throw away your existing ones: [...]
-
BBC ☛ US bans new foreign-made consumer [Internet] routers
It puts routers - which are used widely in homes and businesses to connect computers, phones, TVs and other devices to the internet - on a par with foreign-made drones, which were banned at the end of last year.
-
Mobile Systems/Mobile Applications
-
Bruce Schneier ☛ Possible US Government iPhone Hacking Tool Leaked
It’s always super interesting to see what malware looks like when it’s created through a professional software development process. And the TechCrunch article has some speculation as to how the US lost control of it. It seems that an employee of L3Harris’s surveillance tech division, Trenchant, sold it to the Russian government.
-
Wired ☛ A Possible US Government iPhone-Hacking Toolkit Is Now in the Hands of Foreign Spies and Criminals
A highly sophisticated set of iPhone hijacking techniques has likely infected tens of thousands of phones or more. Clues suggest it was originally built for the US government.
-
TechCrunch ☛ US military contractor likely built iPhone hacking tools used by Russian spies in Ukraine
Last week, Google revealed that over the course of 2025, it discovered that a sophisticated iPhone-hacking toolkit had been used in a series of global attacks. The toolkit, dubbed “Coruna” by its original developer, was made of 23 different components first used “in highly targeted operations” by an unnamed government customer of an unspecified “surveillance vendor.” It was then used by Russian government spies against a limited number of Ukrainians and finally by Chinese cybercriminals “in broad-scale” campaigns with the goal of stealing money and cryptocurrency.
-