Security and Microsoft/GitHub TCO
-
LWN ☛ Security updates for Friday
Security updates have been issued by AlmaLinux (firefox), Debian (chromium, nss, openvpn, and thunderbird), Fedora (cockpit, kernel, and linux-firmware), Oracle (gdk-pixbuf2, kernel, and libsndfile), SUSE (container-suseconnect, cpp-httplib, dnsmasq, firefox, glibc, GraphicsMagick, java-1_8_0-openj9, kernel, mozjs115, php8, python-urllib3, rekor, rootlesskit, rsync, tiff, ucode-intel, util-linux, and xz), and Ubuntu (bind9, bubblewrap, libarchive, linux-intel-iot-realtime, postgresql-14, postgresql-16, postgresql-17, postgresql-18, and xdg-desktop-portal).
-
Security Week ☛ Canadian Man Arrested for Operating Kimwolf Botnet
Jacob Butler, 23, has been arrested in Canada and US authorities are seeking his extradition on computer hacking charges.
-
Security Week ☛ TrendAI Patches Apex One Zero-Day Exploited in the Wild
CVE-2026-34926 is a directory traversal flaw that can be exploited against the on-premise version of Apex One.
-
NVISO Labs ☛ Securing Hey Hi (AI) systems without overconfidence or fear – Part 2: Attack surfaces and the checkpoint flow
The RAG bot, with checkpoints. Let’s circle back to the team from our introduction. With the three checkpoints in place, the same attack would have been intercepted three different ways: Three layers, three different ways to catch the same attack.
-
From edge appliance to enterprise compromise: Multi-stage Linux intrusion via F5 and Confluence [Ed: Microsoft habitually uses its official site to badmouth Linux while not discussing back doors in Windows]
-
New Linux malware ‘Showboat’ targets Middle East telecom provider
As detailed in The Hacker News, a new Linux malware named Showboat has been identified by Lumen Technologies’ Black Lotus Labs, actively targeting a telecommunications provider in the Middle East since mid-2022. This sophisticated post-exploitation framework is designed for Linux systems and offers capabilities such as remote shell access, file transfer, and SOCKS5 proxy functionality.
-
Introducing Showboat: A new malware family taunts defenses and targets international telecom firms
Black Lotus Labs®, the threat research team at Lumen, has uncovered a previously unreported Linux malware family called Showboat, used in a campaign targeting telecommunications organizations across multiple regions. In this post, we break down how the malware works, what our telemetry reveals about the infrastructure behind it, and why these findings matter for defenders tracking persistent threats against critical networks.
-
Qualys warns of Linux kernel flaw exposing root access
Qualys has disclosed a Linux kernel vulnerability, tracked as CVE-2026-46333, that affects default installations of several major Linux distributions.
The flaw is in the kernel's __ptrace_may_access() function and can let an unprivileged local user disclose sensitive files or run arbitrary commands as root. According to Qualys' Threat Research Unit, the vulnerable code has been present in mainline Linux since late 2016, and patches from upstream and distributors are now available.
Public exploit code is already circulating, increasing the urgency for administrators running multi-user systems, cloud workloads and developer environments where a low-privilege account could be used as a starting point for wider compromise.
-
Windows TCO / Microsoft Blunders
-
Scoop News Group ☛ FBI warns about fast-growing phishing kit targeting Abusive Monopolist Microsoft 365 users
Kali365, which was first observed in April, abuses legitimate Abusive Monopolist Microsoft device authorization pages to grant persistent access to cybercriminal-controlled applications.
-
Entrapment (Microsoft GitHub)
-
Bruce Schneier ☛ CISA Security Leak
Crazy story:
Until this past weekend, a contractor for the Cybersecurity & Infrastructure Security Agency (CISA) maintained a public Microsoft's proprietary prison GitHub repository that exposed credentials to several highly privileged proprietary trap AWS GovCloud accounts and a large number of internal CISA systems. Security experts said the public archive included files detailing how CISA builds, tests and deploys software internally, and that it represents one of the most egregious government data leaks in recent history.
-
Security Week ☛ Grafana Says Codebase and Other Data Stolen via TanStack Supply Chain Attack
Hackers accessed Grafana’s Microsoft's proprietary prison GitHub repositories after a token compromised in the TanStack attack was not rotated.
-
Security Week ☛ In Other News: Industrial Router Exploitation, CISA KEV Nomination Form, Gas Station Hacking
Other noteworthy stories that might have slipped under the radar: CISA contractor exposes credentials, Mythos testing and new features, Huawei router flaw triggered telecom blackout.
-
SANS ☛ Cross-Platform NPM Stealer, (Fri, May 22nd)
I found a Node.js stealer that looked pretty well obfuscated. The file was not running out-of-the-box because it was uploaded on VT as extracted-decoded.js (and reformatted).
-