A roundup of the most critical security events from the past week, including a nine‑year‑old Linux kernel bug that grants root, active exploitation of two Microsoft Defender flaws, a resurgence of old router vulnerabilities in botnets, and a supply‑chain breach that compromised thousands of GitHub repositories.
⚡ Threat of the Week – GitHub Breach via a Poisoned VS Code Extension
GitHub confirmed that a malicious version of the Nx Console VS Code extension was used to compromise an employee’s workstation. The attacker, a group known as TeamPCP, exfiltrated roughly 3,800 internal repositories before the breach was detected. The compromised extension, nrwl.angular-console, was originally compromised after the recent TanStack supply‑chain attack that also hit OpenAI, Mistral AI, and Grafana Labs.
“The incident shows how a single compromised developer tool can open the door to an organization’s entire code base,” said Brian Fitzpatrick, GitHub’s head of security.
The breach underscores the growing importance of securing the developer supply chain. Organizations should treat IDE extensions, CI/CD plugins, and other developer‑side components as part of their attack surface.
Practical steps
- Audit extensions – Review all installed VS Code extensions against a vetted list. Remove any that are not essential.
- Enable signed‑extension verification – Turn on VS Code’s Extension Verification feature to block unsigned or tampered packages.
- Rotate secrets – After a breach, rotate all API keys, tokens, and certificates that were stored in the compromised repositories.
- Monitor CI/CD pipelines – Deploy runtime integrity checks that detect unexpected changes in build artefacts.
🛡️ Microsoft Defender Under Fire – Two Actively Exploited Flaws
Microsoft disclosed two vulnerabilities in Windows Defender that are currently being leveraged in the wild:
| CVE | Impact | Status |
|---|---|---|
| CVE‑2026‑41091 | Privilege escalation to SYSTEM | Actively exploited |
| CVE‑2026‑45498 | Denial‑of‑service | Actively exploited |
The privilege‑escalation bug allows an attacker to inject a malicious DLL into the Defender service, gaining full system control. The DoS flaw can crash the anti‑malware engine, effectively disabling real‑time protection.
“Defender is a critical line of defense for many enterprises; a compromise here can cascade across the entire environment,” warned Michele Kelley, senior security engineer at Red Canary.
Mitigation checklist
- Apply the latest cumulative update for Windows 10/11 and Windows Server.
- Deploy the Defender Advanced Threat Protection (ATP) policy that blocks unsigned drivers.
- Use Application Control policies to restrict which binaries can load into the Defender process.
- Monitor Event ID 3008 for unexpected service restarts.
🐧 Nine‑Year‑Old Linux Kernel Bug Returns – CVE‑2026‑46333
A privilege‑management flaw in the Linux kernel, first introduced in November 2016, resurfaced as CVE‑2026‑46333. The bug allows an unprivileged local user to read arbitrary files and execute commands as root on default installations of Debian, Fedora, Ubuntu, and several other distributions. The CVSS score is 5.5, reflecting the local‑only nature, but the impact is severe on multi‑user servers.
How it works – The kernel fails to correctly validate a pointer passed to the proc_pidfd_open system call. An attacker can craft a malicious file descriptor that points to kernel memory, then use read() to leak data or write() to inject code.
“Long‑standing kernel bugs like this are a reminder that we need regular kernel hardening and continuous monitoring,” noted Dr. Laura Chen, kernel security researcher at the Linux Foundation.
Immediate actions for sysadmins
- Update the kernel – All major distros have released patches (e.g.,
5.15.0‑108for Ubuntu,6.5.12for Fedora). Apply them immediately. - Restrict
procaccess – Usemount -o hidepid=2on/procto limit visibility of other users’ processes. - Deploy SELinux/AppArmor – Enforce policies that block untrusted processes from invoking
proc_pidfd_open. - Audit user accounts – Remove unnecessary local accounts and enforce least‑privilege principles.
📡 Router Botnets Resurface – RondoDox Targets ASUS CVE‑2018‑5999
The RondoDox botnet has added the critical ASUS router flaw CVE‑2018‑5999 (CVSS 9.8) to its arsenal. The vulnerability enables arbitrary configuration changes via the ateCommand_flag parameter in the infosvr interface.
Jacob Baines, CTO of VulnCheck, observed the first in‑the‑wild exploitation on May 17 2026. The attackers use the flaw to install persistent backdoors and recruit the routers into a larger DDoS botnet.
Defense recommendations
- Upgrade firmware – Ensure all ASUS routers run the latest firmware version released after 2024.
- Disable remote management – Turn off WAN‑side access to the router’s web UI unless absolutely necessary.
- Network segmentation – Place IoT and consumer routers on a separate VLAN from critical infrastructure.
- Monitor outbound traffic – Look for unusual DNS queries to known C2 domains associated with RondoDox.
🛠️ Supply‑Chain Chaos – Mini Shai‑Hulud Worm and OAuth Abuse
TeamPCP released the Mini Shai‑Hulud code, a ready‑made worm that can automatically fork open‑source repositories, inject malicious payloads, and push them to downstream projects. The worm builds on the same techniques used in the earlier TanStack supply‑chain attack, automating the process of compromising developer environments.
At the same time, a new report shows 80 % of security teams consider OAuth security urgent, yet half of them have taken no concrete action. Manual reviews cannot keep up with the speed at which AI‑generated agents create OAuth client registrations.
“OAuth consent screens are becoming the new phishing vector; attackers can trick users into granting far‑more permissions than they realize,” explained Megan Rossi, product lead at Material Security.
Mitigation tactics
- Enforce least‑privilege scopes – Require explicit justification for each OAuth scope requested.
- Adopt automated consent review – Deploy tools like Material’s OAuth Threat Remediation Agent to continuously monitor and revoke suspicious grants.
- Implement MFA for OAuth client creation – Require multi‑factor authentication for any new client registration in your identity provider.
- Audit third‑party integrations – Regularly review and prune legacy OAuth applications that no longer serve a business need.
📊 Trending CVEs – What to Patch First
| CVE | Product | Severity |
|---|---|---|
| CVE‑2026‑48172 | LiteSpeed cPanel plugin | High |
| CVE‑2026‑34926 | Trend Micro Apex One | High |
| CVE‑2026‑20223 | Cisco Secure Workload (REST API) | Critical (10.0) |
| CVE‑2026‑41091 | Microsoft Defender (privilege escalation) | High |
| CVE‑2026‑45498 | Microsoft Defender (DoS) | High |
| CVE‑2026‑46333 | Linux kernel (privilege‑management) | Medium |
| CVE‑2026‑9082 | Drupal Core (SQL injection) | Medium |
| CVE‑2026‑45585 | Windows BitLocker (YellowKey) | Medium |
| CVE‑2026‑2743 | SEPPMail | High |
| CVE‑2026‑8153 | Universal Robots PolyScope | High |
Prioritise patches that affect internet‑facing services or grant elevated privileges. Use a risk‑based approach: combine CVSS scores with asset criticality and exploit availability.
📚 Around the Cyber World
- Vulnerability exploitation now tops credential abuse as an initial access vector, according to Verizon’s 2026 Data Breach Investigations Report.
- India’s education sector is being targeted with phishing campaigns that exploit student data for fraud.
- Void Botnet is leveraging Ethereum smart contracts for resilient command‑and‑control, making takedown efforts more complex.
- Proton Pass introduces AI access tokens, allowing fine‑grained sharing of passwords with AI agents while logging each use.
- DevilNFC and NFCMultiPay showcase the rise of AI‑assisted Android NFC relay malware aimed at banking customers in Europe and LATAM.
🔧 Tools to Strengthen Your Defences
- Bumblebee – An open‑source scanner for macOS and Linux that checks developer‑side packages and extensions without executing them. Great for catching supply‑chain risks early.
- Claude‑BugHunter – An add‑on for Anthropic’s Claude that equips the model with vulnerability patterns, turning it into a semi‑automated code‑review assistant.
Tip: Run these tools in a sandboxed CI environment before merging any third‑party code.
📌 Bottom Line
Old bugs are not dead, and supply‑chain attacks are becoming more automated. Patch the obvious flaws—Linux kernel CVE‑2026‑46333, Defender CVE‑2026‑41091, and the ASUS router CVE‑2018‑5999—while tightening your OAuth governance and developer‑tool hygiene. The internet may feel like a dumpster fire, but disciplined patching and continuous monitoring keep the flames at bay.
Stay vigilant, stay patched.
Comments
Please log in or register to join the discussion