
Linux Flaws, Defender 0-Days, Router Botnets, and Supply Chain Chaos

Ravie Lakshmanan | May 25, 2026 | Cybersecurity / Hacking

Monday recap. Same mess, new week.

A sketchy dev tool got people pwned, old bugs came back from the dead, and security products somehow needed protecting from themselves. A bunch of companies spent the week checking old boxes and forgotten servers they should’ve patched years ago. Good times.

Phishing crews are getting smarter too – less obvious scam junk, more targeted stuff that actually looks real. Meanwhile, botnets are grabbing anything exposed to the internet like it’s free candy. The Internet’s still a dumpster fire.

Let’s get into it.

⚡ Threat of the Week

GitHub Breached via Nx Console VS Code Extension—GitHub officially confirmed that the breach of its internal repositories was the result of a compromise of an employee device involving a poisoned version of the Nx Console Microsoft Visual Studio Code (VS Code) extension. The attack is said to have allowed the threat actor, a cybercriminal group known as TeamPCP, to exfiltrate about 3,800 repositories. GitHub said it has taken steps to contain the incident and rotated critical secrets, adding it’s continuing to monitor the situation for follow-on activity. The Nx team revealed that the extension, nrwl.angular-console, was breached after one of its developers’ systems was hacked in the wake of the recent TanStack supply chain attack. Other companies that were impacted by the TanStack compromise include OpenAI, Mistral AI, and Grafana Labs. Grafana Labs was also the target of an extortion attempt, but the company said it refused to pay the hackers who had threatened to release the company’s codebase. The incidents are just some examples of the long tail of downstream victims emerging from the Mini Shai-Hulud campaign. This, coupled with TeamPCP’s public release of the Shai-Hulud code, marks a significant evolution in software supply chain threats, as it gives attackers a ready-made blueprint for fleshing out similar worms targeting open-source repositories and developer environments.

🔔 Top News

  • Microsoft Took Down Fox Tempest—Microsoft has cracked down on Fox Tempest, a cyber threat actor that fueled Rhysida ransomware attacks and other infections involving Oyster, Lumma Stealer, and Vidar. The group operates upstream in the malware and ransomware supply chain, acting as an enabler and providing tools for other threat actors to carry out attacks. This included a fraudulent code-signing service that let cybercriminals deploy malware “through the front door” without being detected. While bad actors have been known to resell code-signing certificates for at least a decade, Fox Tempest’s operation stood out because it provided a scalable service for extortion, phishing, SEO poisoning, or malware-laced advertising.
  • 9-Year-Old Linux Kernel Flaw Enables Root Command Execution—A new vulnerability disclosed in the Linux kernel remained undetected for nine years. The vulnerability, tracked as CVE-2026-46333 (CVSS score: 5.5), is a case of improper privilege management that could permit an unprivileged local user to disclose sensitive files and execute arbitrary commands as root on default installations of several major distributions like Debian, Fedora, and Ubuntu. The issue was introduced in November 2016.
  • Microsoft Warned of Two Actively Exploited Defender Vulnerabilities—Microsoft has disclosed that a privilege escalation and a denial-of-service flaw in Defender have come under active exploitation in the wild. While CVE-2026-41091 could allow an attacker to gain SYSTEM privileges, CVE-2026-45498 relates to a case of denial-of-service. Although Microsoft has not formally confirmed, the vulnerability descriptions for CVE-2026-41091 and CVE-2026-45498 overlap with those of RedSun and UnDefend, two Defender zero-days that were disclosed by Chaotic Eclipse (aka Nightmare-Eclipse) last month.
  • Newly Disclosed Drupal Core Flaw Under Attack—A critical security flaw impacting Drupal Core has come under active exploitation within days of public disclosure. The vulnerability in question is CVE-2026-9082 (CVSS score: 6.5), an SQL injection vulnerability affecting all supported versions of Drupal Core. Drupal acknowledged that “exploit attempts are now being detected in the wild.” Thales-owned Imperva said it has observed over 15,000 attack attempts targeting almost 6,000 individual sites across 65 countries.
  • Claude Mythos AI Finds 10K High-Severity Flaws in Popular Software—Anthropic revealed that Project Glasswing has helped uncover more than 10,000 high- or critical-severity vulnerabilities across some of the most “systemically” important software across the world since the cybersecurity initiative went live last month. Of these vulnerabilities, 6,202 have been classified as high- or critical-severity flaws impacting more than 1,000 open-source projects. Subsequent analysis of these vulnerability candidates has identified that 1,726 are valid true positives. As many as 1,094 flaws are assessed to be either high- or critical-severity. In total, these efforts have led to 97 findings being patched upstream and 88 advisories being issued.
  • Cisco Patched CVSS 10.0 Secure Workload Flaw—Cisco rolled out updates for a maximum-severity security flaw impacting Secure Workload that could allow an unauthenticated, remote attacker to access sensitive data. Tracked as CVE-2026-20223 (CVSS score: 10.0), the vulnerability arises from insufficient validation and authentication when accessing REST API endpoints. “An attacker could exploit this vulnerability if they are able to send a crafted API request to an affected endpoint,” Cisco said. “A successful exploit could allow the attacker to read sensitive information and make configuration changes across tenant boundaries with the privileges of the Site Admin user.”
  • Microsoft Released Mitigations for YellowKey—Microsoft released a mitigation for a BitLocker bypass vulnerability named YellowKey following its public disclosure last week. The zero-day flaw, now tracked as CVE-2026-45585, carries a CVSS score of 6.8. It has been described as a BitLocker security feature bypass. The issue impacts Windows 11 version 26H1 for x64-based Systems, Windows 11 Version 24H2 for x64-based Systems, Windows 11 Version 25H2 for x64-based Systems, Windows Server 2025, and Windows Server 2025 (Server Core installation). Microsoft noted that successful exploitation could permit an attacker with physical access to sidestep the BitLocker Device Encryption feature on the system storage device and gain access to encrypted data.

🔥 Trending CVEs

Bugs drop weekly, and the gap between a patch and an exploit is shrinking fast. These are the heavy hitters for the week: high-severity, widely used, or already being poked at in the wild.

Check the list, patch what you have, and hit the ones marked urgent first — CVE-2026-48172 (LiteSpeed User-End cPanel Plugin), CVE-2026-34926 (Trend Micro Apex One), CVE-2026-20223 (Cisco Secure Workload), CVE-2026-41091, CVE-2026-45498, CVE-2026-45584 (Microsoft Defender), CVE-2026-46333 (Linux Kernel), CVE-2026-9082 (Drupal Core), CVE-2026-45585 (Microsoft Windows BitLocker), CVE-2026-2743 (SEPPMail), CVE-2026-7301, CVE-2026-7302, CVE-2026-7304 (SGLang), CVE-2026-29205 (cPanel), CVE-2026-8178 (Amazon Redshift JDBC driver), CVE-2026-8053 (MongoDB), CVE-2026-45829 aka ChromaToast (ChromaDB), CVE-2026-8153 (Universal Robots PolyScope 5), CVE-2026-3102 (ExifTool), CVE-2026-9110, CVE-2026-9111, from CVE-2026-8511 through CVE-2026-8522 (Google Chrome), CVE-2026-45434 (Apache OFBiz), CVE-2026-33000, CVE-2026-34908, CVE-2026-34909, CVE-2026-34910, CVE-2026-34911 (UniFi OS), CVE-2026-45401 (Open WebUI), CVE-2026-9256, CVE-2026-8711 (F5 NGINX Plus and NGINX Open Source), CVE-2026-20239 (Splunk Enterprise and Splunk Cloud Platform), CVE-2026-46376 (FreePBX), CVE-2026-6637 (PostgreSQL), and CVE-2026-35194 (Apache Flink).

🎥 Cybersecurity Webinars

  • Learn How Attackers Use AI to Supercharge DDoS Efficiency (and How to Stop It) → Adversaries are weaponizing AI to exploit network blind spots, auto-generate evasion scripts, and bypass traditional defenses with surgical precision. This webinar bridges the gap between AI-driven exploitation and cloud resilience, offering data-driven insights into how attackers maximize DDoS success rates. Join us to move beyond theory, leverage AI for non-disruptive security testing (CTEM), and transition your team from reactive mitigation to automated, continuous resilience.
  • Beyond the Zero-Day: Hunting for Threats That Don’t Need an Exploit → Zero-day exploits are no longer the ultimate metric of cyber risk. Today, sophisticated adversaries bypass traditional defenses entirely by leveraging identity flaws, living-off-the-land techniques, and AI automation that don’t rely on unpatched software. This session moves beyond the zero-day obsession to expose how attackers operationalize modern post-compromise tactics—and how security teams can pivot from reactive patching to proactive, behavioral threat hunting.

📰 Around the Cyber World

  • Vulnerability Exploitation Overtakes Compromised Credentials for the First Time in Nearly Two Decades —Vulnerability exploitation has overtaken compromised credentials for the first time in nearly two decades as the most common initial access vector for data breaches, per Verizon. Nearly a third (31%) of data breaches over the past year started with vulnerability exploitation, up from 20% in 2024. Credential abuse declined from 22% to 13%. What’s more, only 26% of critical vulnerabilities listed in the U.S. Cybersecurity and Infrastructure Security Agency Known Exploited Vulnerabilities (KEV) catalog were fully remediated by organizations in 2025, a drop from 38% the previous year. “The median time for full resolution went up to 43 days, almost two weeks more than the previous year’s 32 days,” the report said. “In the median case, organizations had 50% more critical vulnerabilities to patch in this year’s reporting dataset compared to the previous year.” Ransomware accounted for 48% of all breaches last year, up from 44% in 2024. But in a positive development, ransom payments have continued to decline, with the median payment sliding from $150,000 in 2024 to almost $140,000.
  • Attackers Go After India’s Education Ecosystem —Threat actors are abusing student data within India’s education ecosystem, spanning educational institutions, third-party vendors, and online services, for phishing, impersonation, social engineering, and financially motivated fraud operations. “Attackers commonly leverage exposed or misused student information to create highly convincing scams related to admissions, scholarships, internships, fee payments, and academic services,” CYFIRMA said. “In several instances, threat actors exploited trusted educational branding, fraudulent portals, and insider access to obtain credentials, financial information, or direct payments. Additionally, some cases indicated the misuse of student-linked bank accounts within broader fraud and mule account operations.”
  • RondoDox Adds ASUS Router Flaw to its Arsenal —The operators of the RondoDox botnet have incorporated CVE-2018-5999 (CVSS score: 9.8), a critical ASUS router flaw, into their arsenal, marking the first observation of in-the-wild exploitation of the vulnerability. The activity was first detected on May 17, 2026, against VulnCheck’s honeypots. “The attack pattern: payloads that set the ateCommand_flag to 1, enabling the infosvr interface to accept arbitrary configuration changes,” VulnCheck CTO Jacob Baines said in a post on LinkedIn.
  • Fake Microsoft Teams Sites Deliver ValleyRAT —Fake Microsoft Teams distribution sites shared on X are being used to trick unsuspecting users into downloading a trojanized installer packaged as a ZIP archive, ultimately leading to the deployment of ValleyRAT, a malware associated with a Chinese cybercrime group called Silver Fox. “The delivered payload leverages a DLL sideloading chain via a legitimate executable (GameBox.exe) developed by Tencent, ultimately deploying a ValleyRAT variant,” K7 Labs said. “This malware campaign stands out for its clean execution chain, combining social engineering with staged payload delivery, in-memory decryption, and stealthy persistence mechanisms.”
  • Malicious Activity Targeting Malaysian Entities —Attacker-controlled infrastructure hosted on Microsoft Azure in the Malaysia West region has been used to conduct a targeted intrusion campaign against multiple Malaysian organizations, per Oasis Security. “The operation demonstrates a high degree of operational planning, with the attacker developing purpose-built Python tooling for each target — covering internal network enumeration, database access, and external data exfiltration,” the company said. The infrastructure hosts target-specific Python scripts, webshell deployment tools, a Laravel remote code execution exploit chain, and source code for custom command-and-control (C2) components.
  • Texas Attorney General Sues Meta Over WhatsApp Encryption Claims —The Texas Attorney General has sued Meta over allegations that the company’s WhatsApp messenger doesn’t provide the end-to-end encryption (E2EE) it has long claimed. “Reports suggest that employees of WhatsApp have been able to access user communications,” the Office of the Texas Attorney General said. “Additional reporting and investigations indicate that message content can be pulled and viewed after the message has been sent. This is a complete and total misrepresentation of Meta’s privacy policies.” The lawsuit hinges on a report from Bloomberg from last month about how the U.S. Commerce Department’s Bureau of Industry and Security had abruptly closed an investigation into allegations that Meta could access encrypted WhatsApp messages. Preliminary findings from the department claimed that “there is no limit to the type of WhatsApp message that can be viewed by Meta.” Meta has called the allegations “baseless.”
  • FIOD Arrests Two in Connection with Stark Industries —The Netherlands Fiscal Intelligence and Investigation Service (FIOD) arrested two men and seized 800 servers in connection with a web hosting company that enabled cyber attacks, interference operations, and disinformation campaigns. The arrested individuals included a 57-year-old man from Amsterdam and a 39-year-old man from The Hague. Although the name of the company was not explicitly mentioned, it is assessed to be Stark Industries, which was sanctioned by the E.U. in May 2025. Following the sanctions, a significant chunk of the technical infrastructure was transferred to a Dutch-based entity known as THE.Hosting aka WorkTitans. “This new company actually acts as a cover for the sanctioned entities,” FIOD said. “The director and (indirect) sole shareholder of this company is the 57-year-old suspect.” A second unnamed Dutch company is said to have played a facilitating role. “This company, of which the 39-year-old is a suspected director and sole shareholder, ensures that the servers of the former new company are connected to the internet,” FIOD added.
  • UNG0002 Targets Chinese Educational Sector —The Chinese educational sector has become the target of a new spear-phishing campaign conducted by UNG0002 and codenamed Operation Dragon Whistle. “What makes this campaign particularly effective is the precision of its social engineering,” Seqrite Labs said. “The threat actor did not use a generic lure — they specifically identified that Changzhou University conducts mandatory annual fitness assessments where failure directly impacts graduation eligibility. This creates an environment of urgency and compliance that significantly increases the probability of victim engagement.” The emails have been found to distribute ZIP archives that ultimately lead to the deployment of Cobalt Strike Beacon.
  • Void Botnet Uses Ethereum Smart Contracts for C2 —A new botnet malware called Void Botnet uses Ethereum smart contracts for seizure-resistant command-and-control (C2). It’s a Rust-based malware that’s advertised on cybercrime forums by a developer operating under the handle TheVoidStl. “Based on the seller’s documentation and panel screenshots, Void Botnet is a Rust-native loader with two command-and-control modes in the same binary,” Qrator Labs said. “The first mode routes commands through Ethereum smart contracts: the operator writes instructions to a contract, and infected machines check it at regular intervals, picking up new tasks within three to five minutes. The second mode connects machines directly to the operator’s web panel, with tasks completing in under thirty seconds. The operator switches between them at any time by updating the contract.” The net effect is a C2 channel in which commands are written to smart contracts and bots poll public RPC endpoints to read them, leaving defenders with infrastructure that is hard to take down.
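The contract itself is hard to seize, but the polling cadence described above is visible from the defender’s side. The following is an added example, not part of the original article or Qrator Labs’ research: it parses constructed egress-proxy log lines (a hypothetical format whose last field is the JSON-RPC method) and flags hosts issuing Ethereum JSON-RPC calls at a steady three-to-five-minute cadence, while leaving irregular, human-driven use alone.

```python
"""Beaconing check for Void Botnet-style Ethereum RPC polling.

Flags hosts whose JSON-RPC calls to Ethereum endpoints recur at a steady
interval inside the 3-5 minute window described for the contract-polling mode.
The log format, hostnames and endpoint below are constructed for illustration.
"""
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample egress-proxy log lines (not from any real incident).
# Fields: <ISO timestamp> <source host> <HTTP method> <URL> <JSON-RPC method or ->
SAMPLE_LOG = """\
2026-05-18T09:00:02Z ws-042 POST https://rpc.example-eth.test/ eth_call
2026-05-18T09:04:05Z ws-042 POST https://rpc.example-eth.test/ eth_call
2026-05-18T09:08:01Z ws-042 POST https://rpc.example-eth.test/ eth_call
2026-05-18T09:12:04Z ws-042 POST https://rpc.example-eth.test/ eth_call
2026-05-18T09:16:03Z ws-042 POST https://rpc.example-eth.test/ eth_call
2026-05-18T09:01:10Z dev-007 POST https://rpc.example-eth.test/ eth_blockNumber
2026-05-18T09:01:12Z dev-007 POST https://rpc.example-eth.test/ eth_getBalance
2026-05-18T09:37:40Z dev-007 POST https://rpc.example-eth.test/ eth_call
2026-05-18T10:15:00Z dev-007 POST https://rpc.example-eth.test/ eth_call
2026-05-18T09:00:00Z fs-01 GET https://updates.example.test/manifest -
2026-05-18T09:05:00Z fs-01 GET https://updates.example.test/manifest -
"""


def parse_log(text):
    """Return (timestamp, host, rpc_method) tuples for Ethereum JSON-RPC calls only."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip malformed lines rather than abort the whole run
        ts_raw, host, _http_method, _url, rpc_method = parts
        if not rpc_method.startswith("eth_"):
            continue  # only Ethereum JSON-RPC traffic is of interest here
        ts = datetime.fromisoformat(ts_raw.replace("Z", "+00:00"))
        events.append((ts, host, rpc_method))
    return events


def find_periodic_rpc_pollers(events, low_s=180, high_s=300, max_cv=0.15, min_requests=4):
    """Group events by host and flag those polling at a regular 3-5 minute cadence.

    max_cv bounds the jitter: stdev/median of the inter-request gaps must stay
    small, because a contract-polling loop fires on a timer, not on a person.
    """
    by_host = defaultdict(list)
    for ts, host, _method in events:
        by_host[host].append(ts)

    flagged = {}
    for host, stamps in by_host.items():
        if len(stamps) < min_requests:
            continue  # too few samples to call anything periodic
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        median = statistics.median(gaps)
        spread = statistics.stdev(gaps) if len(gaps) > 1 else 0.0
        cv = spread / median if median else float("inf")
        if low_s <= median <= high_s and cv <= max_cv:
            flagged[host] = {
                "requests": len(stamps),
                "median_interval_s": median,
                "jitter_cv": round(cv, 3),
            }
    return flagged


if __name__ == "__main__":
    for host, info in find_periodic_rpc_pollers(parse_log(SAMPLE_LOG)).items():
        print(f"{host}: {info}")
```

Only ws-042 is flagged: its gaps cluster tightly around 241 seconds, whereas dev-007 shows bursty, irregular use and fs-01 never speaks JSON-RPC at all.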
  • Proton Debuts AI Access Tokens in Proton Pass —Proton Pass, a secure, end-to-end encrypted (E2EE) password manager, has added credential sharing through AI access tokens, allowing users to give AI agents access to the items they are permitted to use and to monitor their activity. “AI access tokens are our newest secure sharing option to bring password management into the age of agentic AI,” Proton said. “Every time an AI agent uses an access token, this is logged, and a reason for the access must be provided. For extra security, you can also set an expiration for each token, from one hour to one year, after which it can no longer be used.”
  • DevilNFC and NFCMultiPay Android NFC Relay Malware Spotted —Two new Android NFC relay malware families named DevilNFC and NFCMultiPay have been observed targeting European and LATAM banking customers. “These two NFC relay toolkits are being developed and operated outside the Chinese-speaking MaaS ecosystem: DevilNFC carries an exclusively Spanish-speaking attribution, while NFCMultiPay’s developer fingerprint is Portuguese (Brazilian),” Cleafy said. “Local groups are no longer buying access to Chinese platforms; they are building their own.” It’s assessed that the malware families may have been developed with the assistance of generative artificial intelligence (AI). Both malware families are designed to collect the victim’s card PIN. “DevilNFC further locks the victim inside the malicious interface via Kiosk Mode, preventing any escape while the relay completes,” the Italian company said. “DevilNFC employs an asymmetric architecture in which a single APK serves both roles in a relay attack: a passive reader on the victim’s device and a system-level card emulator on the attacker’s rooted device, achieved via a hooking framework that intercepts NFC traffic below the Android API layer.” DevilNFC overlaps with an NGate variant documented by ESET last month. The malicious apps are distributed via SMS or WhatsApp messages, directing victims to fake landing pages impersonating Google Play Store listings.
  • TAX#TRIDENT Uses Indian Income Tax Lures —A new campaign dubbed TAX#TRIDENT is using Indian Income Tax-themed lures to target Windows endpoints via three delivery paths. “The campaign starts with fake tax assessment lures and then moves victims toward ZIP files, VBScript downloaders, or PHP-looking web endpoints that actually return script content,” Securonix said. “The first branch uses a ZIP file and a signed ClientSetup installer. Once executed, the installer creates a hidden client tree, adds service and driver persistence, and starts network communication. The second branch uses ‘Assessment_Order.vbs.’ The script shows a tax assessment decoy image, downloads the same ClientSetup payload, writes a new ‘YTSysConfig.ini,’ and runs the payload hidden. The third branch uses a PHP-looking endpoint that returns VBScript. That script downloads more stages from S3, disguises a VBS file as a PNG image, changes UAC prompt behavior, and silently installs a signed ManageEngine UEMS / Endpoint Central agent.”
  • CISA Launches KEV Nomination Form to Report Exploited Bugs —The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has introduced an online Nomination Form that lets researchers, vendors, and industry partners submit known exploited vulnerabilities (KEVs) directly so as to “quickly identify, validate, and share KEVs, critical threat information.”
  • Exploitation of Four-Faith Router Flaw —Attackers are exploiting CVE-2024-9643 (CVSS score: 9.8), a critical authentication bypass flaw in Four-Faith F3x36 industrial cellular routers, as part of a large-scale campaign since mid-May 2026 to fold compromised devices into botnets for further campaigns. CrowdSec said it has observed 139 attacking IP addresses through May 18, 2026. “Exploitation was first observed on April 20 and escalated to the point of being reclassified as mass exploitation on May 12, a strong signal that attackers are operationalizing this flaw at scale,” it added.
  • Chinese-Language PhaaS Ecosystem Detailed —An analysis of a dozen current phishing-as-a-service (PhaaS) offerings in the Chinese underground has found that they have shifted away from static password harvesting towards real-time interception and tokenization via live administration panels, allowing attackers to capture one-time passcodes (OTPs) and bypass multifactor authentication (MFA) instantly. The services, such as YY Lai Yu, primarily target non-Chinese entities, with advertisements regularly posted to Telegram rather than channels such as WeChat (Weixin) or Tencent QQ. A crucial aspect of these operations is their exploitation of digital wallet provisioning to monetize stolen payment details. Attackers have been found to leverage captured credentials and OTPs to provision the victim’s card into a digital wallet on an attacker-controlled device. Once tokenized, the card can be used for high-value transactions, contactless payments, and ATM withdrawals. “Instead of simply gaining account access, these operations focus on exploiting digital wallet provisioning to transform stolen payment data into tokenized assets within ecosystems,” Google said. “This shift—combined with the use of encrypted delivery channels like RCS and iMessage to bypass traditional carrier security filters on SMS messages—represents an emerging development where the goal is no longer just a login, but securing direct, unauthorized control over a victim’s financial accounts.”

🔧 Cybersecurity Tools

  • Bumblebee → It is an open-source security tool for macOS and Linux designed to find software supply-chain vulnerabilities on developer computers. It acts as a lightweight, read-only scanner that audits metadata files, manifests, and configurations rather than executing code. This allows it to safely check local language packages, web browser extensions, text editor add-ons, and AI tool configurations for known security exposures without running potentially malicious install scripts.
  • Claude-BugHunter → It is an open-source add-on that configures Anthropic’s Claude Code command-line tool into a specialized security assistant. It equips the AI with pre-built vulnerability patterns, attack techniques, and reporting templates, automating the process of finding and documenting security flaws during authorized testing.

Disclaimer: This is strictly for research and learning. It hasn’t been through a formal security audit, so don’t just blindly drop it into production. Read the code, break it in a sandbox first, and make sure whatever you’re doing stays on the right side of the law.

Conclusion

Patch the easy stuff before it becomes a bigger problem next week. The old bugs everyone ignored? Attackers didn’t ignore them. They never do.

Right now, the internet feels held together with tape and luck. Every week, there’s a new mess, a new scam, or some old box getting dragged into a botnet. See you next Monday.
