Security Leftovers
-
LWN ☛ Security updates for Thursday
Security updates have been issued by AlmaLinux (dovecot, fence-agents, freeipmi, git-lfs, image-builder, kernel, libsoup, osbuild-composer, and python-tornado), Debian (apache2, libdatetime-timezone-perl, lrzip, tzdata, and wireshark), Fedora (dovecot, forgejo-runner, gh, gnutls, krb5, nano, pdns, pyOpenSSL, squid, vim, and xorg-x11-server-Xwayland), Mageia (graphicsmagick, kernel-linus, krb5-appl, libexif, libtiff, nano, nginx, ntfs-3g, opam, perl-Net-CIDR-Lite, perl-Starlet, perl-Starman, tcpflow, and virtualbox), Oracle (dovecot, fence-agents, freeipmi, image-builder, kernel, libcap, LibRaw, libsoup, openssh, osbuild-composer, python, python-tornado, python3, systemd, thunderbird, and tigervnc), SUSE (containerd, curl, erlang, flatpak, java-11-openjdk, java-21-openjdk, java-25-openjdk, liblxc-devel, libpng12, libthrift-0_23_0, openCryptoki, openexr, openssl-3, python3, python311-social-auth-core, rclone, skim, and thunderbird), and Ubuntu (apache2, coin3, editorconfig-core, insighttoolkit, linux, linux-aws, linux-aws-6.17, linux-gcp, linux-gcp-6.17, linux-hwe-6.17, linux-oracle, linux-realtime, linux-realtime-6.17, linux-azure, linux-azure-6.17, linux-oem-6.17, linux-azure-5.15, linux-gcp-6.8, nghttp2, python-dynaconf, slurm-wlm, swish-e, and webkit2gtk).
-
OpenSSF (Linux Foundation) ☛ The Road to Gold: How CPS Set a New Standard for Security and Quality in Open Source
In the world of open source, trust is our most valuable currency. ONAP is a “collection of individual, semi-standalone network automation functions that provide design, orchestration, observability, and automation of network and edge services for operators, cloud providers, and enterprises” (per ONAP).
-
Reproducible Builds: Reproducible Builds in April 2026
Welcome to our April 2026 report from the Reproducible Builds project!
Our reports outline what we’ve been up to over the past month, highlighting items of news from elsewhere in the increasingly-important area of software supply-chain security. As ever, if you are interested in contributing to the Reproducible Builds project, please see the Contribute page on our website.
-
Scoop News Group ☛ Ivanti customers confront yet another actively exploited zero-day
Attackers are hitting a frequent target in the network edge space, intruding victim networks through a defect in a widely used mobile endpoint security product.
-
Security Week ☛ Cisco Patches High-Severity Vulnerabilities in Enterprise Products
Successful exploitation of the flaws could lead to code execution, server-side request forgery attacks, and denial-of-service conditions.
-
Security Week ☛ Vendor Says Daemon Tools Supply Chain Attack Contained
The software developer has identified the impacted systems, removed potentially compromised files, and validated installation packages.
-
Security Week ☛ Claude Code OAuth Tokens Can Be Stolen Through Stealthy MCP Hijacking
Mitiga researchers say attackers can silently redirect Claude Code MCP traffic, intercept OAuth tokens, and maintain persistent access to connected SaaS platforms.
-
Security Week ☛ Palo Alto Zero-Day Exploited in Campaign Bearing Hallmarks of Chinese State Hacking
The cybersecurity firm has not explicitly accused China of being behind the attack, but the evidence suggests it was.
-
Hot Hardware ☛ New Quasar Linux Malware Is Stealing Developer Credentials with a Hidden Rootkit
Researchers at Trend Micro have identified a frightening new Linux rootkit, dubbed Quasar Linux (QLNX), and developers should be especially concerned. Per the report (which we spotted through Bleeping Computer's coverage), QLNX is a Linux implant "designed for stealth and long-term persistence" that hides in memory and uses seven distinct persistence mechanisms. When combined, its persistence mechanisms make it difficult to actually "kill" QLNX, since any one of the seven can restart the process the instant it stops running.
-
SOC Prime ☛ Quasar Linux (QLNX): A Supply Chain Foothold with Full RAT Capabilities
Quasar Linux (QLNX) is an advanced Linux remote access trojan that combines a user-space and eBPF rootkit with a PAM backdoor and broad credential-harvesting capabilities. The malware supports fileless execution, process name masquerading, and several persistence techniques that help it remain hidden on infected systems. Its focus on developer workstations makes it especially dangerous for supply-chain abuse, as it can steal tokens, SSH keys, and cloud credentials. The malware also uses encrypted communications and supports a peer-to-peer mesh architecture to improve resilience and maintain access.
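The capabilities listed above map onto checks a responder can run on a suspect Linux host. The script below is an added example, not code from SOC Prime, Trend Micro or the QLNX report, and it encodes nothing specific to QLNX: it flags processes whose executable is not backed by a file on disk (memfd or unlinked binaries, the usual sign of fileless execution), processes whose argv[0] or kernel task name disagrees with the executable behind them (process-name masquerading), and PAM configuration lines that load a module outside a baseline list or by absolute path (a PAM backdoor has to be wired into pam.d somewhere). The baseline module list, the sample process records and the pam.d fragment are constructed for the example.

```python
"""Triage checks for three generic Linux implant techniques: fileless
execution, process-name masquerading and PAM backdooring.  Added example,
not code from SOC Prime, Trend Micro or any malware report; nothing here is
specific to QLNX.  The check functions take plain data so they run against
constructed samples; scan_live() applies them read-only to /proc and
/etc/pam.d on the running host."""
import os
import re

DELETED = " (deleted)"  # suffix the kernel appends to an unlinked exe link

# Modules a stock PAM stack is expected to load.  Assumed for the example;
# build a real baseline from the distribution's package file lists.
BASELINE_PAM_MODULES = {
    "pam_unix.so", "pam_deny.so", "pam_permit.so", "pam_env.so", "pam_limits.so",
    "pam_systemd.so", "pam_loginuid.so", "pam_nologin.so", "pam_keyinit.so",
}


def _names_agree(claimed, actual):
    """Loose match tolerating python3 vs python3.11, sshd's "sshd:" status
    prefix and the 15-byte truncation of comm."""
    return claimed.startswith(actual) or actual.startswith(claimed)


def process_findings(comm, exe_target, cmdline):
    """Anomalies for one process.  comm is /proc/<pid>/comm, exe_target is
    readlink(/proc/<pid>/exe) ('' if unreadable), cmdline is argv as a list."""
    findings = []
    if not exe_target:
        return findings  # kernel thread, zombie, or not our process
    fileless = exe_target.startswith("/memfd:") or exe_target.endswith(DELETED)
    if fileless:
        findings.append("executable not backed by a file on disk: " + exe_target)
    exe_path = exe_target[:-len(DELETED)] if exe_target.endswith(DELETED) else exe_target
    exe_base = os.path.basename(exe_path)
    # argv[0] is freely rewritable (exec -a, setproctitle), so compare its
    # first token, minus a login-shell "-", against the real executable.
    argv0 = os.path.basename(cmdline[0].split()[0].lstrip("-")) if cmdline and cmdline[0].strip() else ""
    if argv0 and not _names_agree(argv0, exe_base):
        findings.append("argv[0] %r does not match executable %r" % (argv0, exe_base))
    # comm is derived from the executable name at exec time; a mismatch means
    # prctl(PR_SET_NAME) or a renamed binary.  For memfd-backed executables
    # the kernel-derived name is not a file name, so that comparison is skipped.
    if comm and not fileless and not _names_agree(comm, exe_base):
        findings.append("comm %r does not match executable %r" % (comm, exe_base))
    return findings


# pam.d line: [-]type control module [args]; control may be a [bracketed] expression.
PAM_LINE = re.compile(r"^\s*-?(auth|account|password|session)\s+(\[[^\]]*\]|\S+)\s+(\S+)")


def pam_findings(text, baseline=BASELINE_PAM_MODULES):
    """(lineno, module, reason) for each line loading a module outside the
    baseline or by absolute path.  @include, include and substack lines
    reference other pam.d files rather than modules and are skipped."""
    out = []
    for n, line in enumerate(text.splitlines(), 1):
        m = PAM_LINE.match(line)
        if not m or m.group(2) in ("include", "substack"):
            continue
        module = m.group(3)
        if module.startswith("/"):
            out.append((n, module, "module loaded by absolute path"))
        elif module not in baseline:
            out.append((n, module, "module not in baseline"))
    return out


# Constructed sample inputs (not captured from any host): (comm, exe link, argv).
SAMPLE_PROCESSES = [
    ("sshd", "/usr/sbin/sshd", ["sshd: /usr/sbin/sshd [listener]"]),   # clean
    ("python3", "/usr/bin/python3.11", ["python3", "app.py"]),         # clean
    ("cron", "/memfd:x (deleted)", ["/usr/sbin/cron"]),                # fileless, fake argv[0]
    ("cron", "/var/tmp/.cache/.x", ["cron"]),                          # renamed binary
]
SAMPLE_PAM = """\
# constructed pam.d fragment
auth     required   pam_env.so
auth     [success=1 default=ignore] pam_unix.so nullok
auth     requisite  pam_deny.so
auth     optional   pam_extra.so
session  optional   /usr/local/lib/pam_custom.so
@include common-account
auth     include    system-auth
-session optional   pam_systemd.so
"""


def scan_live():
    """Apply both checks to the running host; returns (where, what) pairs."""
    hits = []
    for pid in filter(str.isdigit, os.listdir("/proc")):
        p = "/proc/%s/" % pid
        try:
            with open(p + "comm") as f:
                comm = f.read().strip()
            with open(p + "cmdline", "rb") as f:
                argv = [a.decode("utf-8", "replace") for a in f.read().split(b"\0") if a]
        except OSError:
            continue  # process exited mid-scan
        try:
            exe = os.readlink(p + "exe")
        except OSError:
            exe = ""  # kernel thread or insufficient privilege
        hits.extend((pid, fnd) for fnd in process_findings(comm, exe, argv))
    pamdir = "/etc/pam.d"
    for name in sorted(os.listdir(pamdir)) if os.path.isdir(pamdir) else []:
        path = os.path.join(pamdir, name)
        try:
            with open(path) as f:
                text = f.read()
        except OSError:
            continue
        hits.extend(("%s:%d" % (path, n), "%s: %s" % (r, m)) for n, m, r in pam_findings(text))
    return hits


if __name__ == "__main__":
    for where, what in scan_live():
        print(where, what)
```

Run it as root so that /proc/<pid>/exe is readable for every process. Two caveats apply. Package upgrades leave long-running daemons with a `(deleted)` executable and setproctitle users (gunicorn, postgres workers) rewrite argv[0], so treat hits as leads rather than verdicts. More importantly, a rootkit with an eBPF or user-space (LD_PRELOAD-style) component can filter what /proc and open() return to a process on the same host, so a clean result from the live system proves less than the same checks run against a disk image or from a rescue medium.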