Security Leftovers
-
LWN ☛ Security updates for Tuesday
Security updates have been issued by Debian (openjdk-21 and webkit2gtk), Fedora (botan3, chromium, cockpit, firefox, flatpak, gum, libarchive, libcoap, mingw-python3, ngtcp2, nss, openssh, openssl, openvpn, PackageKit, python3-docs, python3.11, python3.12, python3.13, python3.14, vim, and xrdp), Oracle (firefox, gdk-pixbuf2, java-1.8.0-openjdk, java-21-openjdk, python3.12, python3.9, sudo, and tigervnc), Red Hat (tigervnc and xorg-x11-server-Xwayland), Slackware (mpg123 and proftpd), SUSE (emacs, firefox, fontforge, freeciv, freerdp, libngtcp2-16, libsystemd0, and strongswan), and Ubuntu (authd, clamav, glance, haproxy, jq, lcms2, nginx, nltk, ntfs-3g, packagekit, pillow, strongswan, and vim).
-
Scoop News Group ☛ Rep. Delia Ramirez takes over as top House cybersecurity Dem
She replaces Rep. Eric Swalwell following his resignation, giving her the position of ranking member of the Subcommittee on Cybersecurity and Infrastructure Protection.
-
Security Week ☛ Alleged Chinese State Hacker Extradited to US
A member of Silk Typhoon, Xu Zewei is accused of launching cyberattacks against universities in the US.
-
Security Week ☛ Robinhood Vulnerability Exploited for Phishing Attacks
Legitimate-looking emails coming from Robinhood systems lured recipients to phishing websites.
-
Security Week ☛ Vimeo Confirms User and Customer Data Breach
The ShinyHunters group is threatening to leak stolen files unless Vimeo agrees to pay a ransom.
-
Peter 'CzP' Czanik ☛ Support for OpenSSL 4.0?
Although OpenSSL 4.0 released just two weeks ago, the syslog-ng project has already received a Microsoft's proprietary prison GitHub issue complaining that we do not support it. So, before we would allocate too much effort on it: what should we expect?
OpenSSL 4.0 was announced on April 14: https://openssl-library.org/post/2026-04-14-openssl-40-final-release/ However, this announcement mentions that it is NOT a long-term support (LTS) release.
-
SANS ☛ HTTP Requests with X-Vercel-Set-Bypass-Cookie Header, (Tue, Apr 28th)
This weekend, we saw a few requests to our honeypot that included an "X-Vercel-Set-Bypass-Cookie" header. A sample request: [...]
-
XSAs released on 2026-04-28
The Xen Project has released one or more Xen security advisories (XSAs).
-
Hacker News ☛ VECT 2.0 Ransomware Irreversibly Destroys Files Over 131KB on Windows, Linux, ESXi
Threat hunters are warning that the cybercriminal operation known as VECT 2.0 acts more like a wiper than a ransomware due to a critical flaw in its encryption implementation across Windows, Linux, and ESXi variants that renders recovery impossible even for the threat actors.
-
Pack2TheRoot flaw allows Linux privilege escalation
A vulnerability dubbed Pack2TheRoot, identified as CVE-2026-41651, has been publicly disclosed, enabling unprivileged local users to gain root access on affected Linux systems. This flaw, which has persisted for nearly 12 years, allows unauthorized installation or removal of system packages. The vulnerability was discovered by Deutsche Telekom's Red Team and has a high severity rating with a CVSS score of 8.8, as reported by Security Affairs.
-
HackRead ☛ Pack2TheRoot: 12-Year-Old Linux PackageKit Flaw Enables Full Compromise
Researchers from Deutsche Telekom’s Red Team have identified a high-severity security flaw in PackageKit, the software that helps in managing packages across different Linux systems. The flaw, dubbed Pack2TheRoot and tracked as CVE-2026-41651 with CVSS 3.1: 8.8, is a serious issue as it allows an unprivileged user to gain root access on a computer.
-
HackRead ☛ New Linux FIRESTARTER Backdoor Targets Cisco Firepower Devices
The US Cybersecurity and Infrastructure Security Agency (CISA) and the UK National Cyber Security Centre (NCSC) released a joint malware analysis report on 23 April 2026 regarding a dangerous new threat: a Linux-based ELF file called FIRESTARTER.
This malware is, reportedly, the current favourite of Advanced Persistent Threat (APT) actors as it allows them to maintain persistence on Cisco Firepower and Secure Firewall devices running firmware like Adaptive Security Appliance/ASA (software that handles basic firewall and VPN tasks) or Firepower Threat Defense/FTD (an advanced firewall system that combines multiple security features).
-
TechRadar ☛ Proton VPN promises post-quantum groundwork, Stealth for Linux, and slick new app releases
Linux VPN users are in for a major upgrade, too. Proton is redesigning its Linux GUI app to align with the sleek look and feel found on other platforms. Crucially, the update will introduce long-awaited support for the Stealth protocol, which masks VPN traffic to help users bypass aggressive network blocks and deeply restrictive firewalls.
-
Entrapment (Microsoft GitHub)
-
It's FOSS ☛ Hackers Hijacked a Microsoft's proprietary prison GitHub Actions Workflow to Push Malicious Code to PyPI
Elementary Data's open source CLI was the victim, and v0.23.3 is not a version you want installed.
-
Windows TCO / Windows Bot Nets
-
Security Week ☛ No Patch for New PhantomRPC Privilege Escalation Technique in Windows
A fake RPC server can be used to listen for RPC requests and impersonate the target service to elevate privileges to System.
-
Security Week ☛ Dozens of Open VSX Extension Clones Linked to GlassWorm Malware
Over 70 cloned Open VSX extensions are likely sleeper extensions designed to distribute malware.
[...]
Designed to steal GitHub, Git, and NPM credentials, sensitive information, and cryptocurrency, GlassWorm spread to other open source software ecosystems in November and re-emerged in January and again in March, when it compromised over 150 repositories.
-
Tom's Hardware ☛ Decades-old pre-Stuxnet cyber sabotage tool breaks cover, NSA listed it as 'nothing to see here' — fast16 targeted nuclear reactors, dam design, and other high-precision civil engineering software years before Stuxnet broke cover
Security researchers have uncovered a cyber-sabotage platform that targeted software used for major civil engineering projects and predates Stuxnet by at least half a decade.
-