Hacker-City
Technology|May 25, 2026|8 min read

Weekly Recap: Linux Flaws, Defender 0-Days, Router Botnets, and Supply Chain Chaos

A comprehensive cybersecurity recap covering critical vulnerabilities including a 9-year-old Linux kernel flaw, actively exploited Microsoft Defender zero-days, router botnet campaigns, and major supply chain incidents affecting GitHub, Drupal, and other critical infrastructure.

Tags: #linux-vulnerabilities #zero-day-exploits #supply-chain-attacks #botnets #microsoft-defender #drupal-vulnerability #github-breach #ransomware #phishing #cybersecurity

By The Hacker News (Contributor)

In this week's cybersecurity roundup, we examine the significant vulnerabilities that have surfaced, including a long-standing flaw in the Linux kernel, actively exploited zero-day vulnerabilities in Microsoft Defender, ongoing router botnet campaigns, and major supply chain incidents, particularly those affecting GitHub and Drupal.

Phishing tactics continue to evolve, with cybercriminals employing more sophisticated and targeted approaches that appear convincingly legitimate. At the same time, botnets are rapidly exploiting exposed systems across the internet, underscoring the urgent need for improved security measures.

Threat of the Week

GitHub Breached via Nx Console VS Code Extension — GitHub has confirmed that a recent breach of its internal repositories stemmed from the compromise of an employee's device, which involved a tainted version of the Nx Console extension for Microsoft Visual Studio Code (VS Code). The breach is attributed to the cybercriminal group TeamPCP, which exfiltrated approximately 3,800 repositories. GitHub has implemented containment measures, rotated sensitive secrets, and is monitoring for any follow-on activity. The Nx team's investigation revealed that the extension, nrwl.angular-console, was compromised after a developer's system was breached as part of the TanStack supply chain attack. Other notable organizations affected by the TanStack incident include OpenAI, Mistral AI, and Grafana Labs; the latter faced an extortion attempt and declined to pay the attackers, who threatened to release its codebase. These events illustrate the extensive repercussions of the Mini Shai-Hulud campaign and highlight a disturbing trend in software supply chain attacks: attackers now possess reusable frameworks for orchestrating similar campaigns against open-source environments.

Top News

  • Microsoft Took Down Fox Tempest — Microsoft has acted against Fox Tempest, a cyber threat group implicated in Rhysida ransomware attacks and in infections involving Oyster, Lumma Stealer, and Vidar. The group is a key player in the malware and ransomware supply chain, supplying tools to other cybercriminals, including a fraudulent code-signing service that allowed malware to be deployed without raising suspicion.

  • 9-Year-Old Linux Kernel Flaw Enables Root Command Execution — A newly disclosed vulnerability in the Linux kernel, tracked as CVE-2026-46333 with a CVSS score of 5.5, remained undetected for nine years. The issue, arising from improper privilege management, could allow an unprivileged local user to access sensitive files and execute arbitrary commands as root on default installations of numerous major distributions, including Debian, Fedora, and Ubuntu. The flaw was introduced by changes made in November 2016.

  • Microsoft Warned of Two Actively Exploited Defender Vulnerabilities — Microsoft has revealed that a privilege escalation vulnerability and a denial-of-service vulnerability within Defender are currently being actively exploited in the wild. The vulnerability identified as CVE-2026-41091 could enable an attacker to gain SYSTEM-level privileges, while CVE-2026-45498 relates to a denial-of-service scenario. Although Microsoft has yet to confirm this formally, descriptions of these vulnerabilities correspond with zero-day vulnerabilities—RedSun and UnDefend—previously disclosed by the group Chaotic Eclipse (aka Nightmare-Eclipse).

  • Newly Disclosed Drupal Core Flaw Under Attack — A critical security vulnerability affecting Drupal Core, marked as CVE-2026-9082 and rated at a CVSS score of 6.5, has been reported under active exploitation shortly after its public announcement. This SQL injection vulnerability impacts all supported versions of Drupal Core. Drupal has confirmed that "exploit attempts are now being detected in the wild," with Imperva, a Thales subsidiary, noting over 15,000 attacks targeting approximately 6,000 sites across 65 countries.

  • Claude Mythos AI Finds 10K High-Severity Flaws in Popular Software — Anthropic has disclosed that its Project Glasswing initiative has unearthed over 10,000 high- or critical-severity vulnerabilities present in essential software since its launch last month. Among these vulnerabilities, 6,202 have been categorized as high- or critical-severity flaws impacting more than 1,000 open-source projects. Further analysis revealed 1,726 of these to be valid true positives, with 1,094 being classified as high- or critical-severity. This comprehensive effort has led to the remediation of 97 critical findings and the issuance of 88 advisories.

  • Cisco Patched CVSS 10.0 Secure Workload Flaw — Cisco has released fixes for a critical security vulnerability impacting Secure Workload, which could allow an unauthenticated remote attacker to access sensitive data. Designated CVE-2026-20223 and graded with a CVSS score of 10.0, this flaw arises from inadequate validation and authentication mechanisms associated with REST API endpoints. According to Cisco, if exploited, this vulnerability may enable attackers to read sensitive data and alter configurations across tenant boundaries with the privileges of the Site Admin user.

  • Microsoft Released Mitigations for YellowKey — Microsoft has introduced a mitigation strategy for a recently disclosed BitLocker bypass vulnerability identified as YellowKey, now tracked as CVE-2026-45585 with a CVSS score of 6.8. This vulnerability pertains to a security feature bypass of BitLocker, affecting multiple Windows platforms, including Windows 11 and Windows Server 2025. Successful exploitation could allow an attacker with physical access to circumvent the BitLocker Device Encryption feature, thereby gaining unauthorized access to encrypted data.

Trending CVEs

As vulnerabilities continue to emerge weekly, the timeframe between their disclosure and the development of exploits is shortening rapidly. Below are the high-severity vulnerabilities that warrant immediate attention:

  • CVE-2026-48172 (LiteSpeed User-End cPanel Plugin)
  • CVE-2026-34926 (Trend Micro Apex One)
  • CVE-2026-20223 (Cisco Secure Workload)
  • CVE-2026-41091, CVE-2026-45498, CVE-2026-45584 (Microsoft Defender)
  • CVE-2026-46333 (Linux Kernel)
  • CVE-2026-9082 (Drupal Core)
  • CVE-2026-45585 (Microsoft Windows BitLocker)
  • CVE-2026-2743 (SEPPMail)
  • CVE-2026-7301, CVE-2026-7302, CVE-2026-7304 (SGLang)
  • CVE-2026-29205 (cPanel)
  • CVE-2026-8178 (Amazon Redshift JDBC driver)
  • CVE-2026-8053 (MongoDB)
  • CVE-2026-45829 aka ChromaToast (ChromaDB)
  • CVE-2026-8153 (Universal Robots PolyScope 5)
  • CVE-2026-3102 (ExifTool)
  • CVE-2026-9110, CVE-2026-9111 (Google Chrome)
  • CVE-2026-8511 through CVE-2026-8522 (Google Chrome)
  • CVE-2026-45434 (Apache OFBiz)
  • CVE-2026-33000, CVE-2026-34908, CVE-2026-34909, CVE-2026-34910, CVE-2026-34911 (UniFi OS)
  • CVE-2026-45401 (Open WebUI)
  • CVE-2026-9256, CVE-2026-8711 (F5 NGINX Plus and NGINX Open Source)
  • CVE-2026-20239 (Splunk Enterprise and Splunk Cloud Platform)
  • CVE-2026-46376 (FreePBX)
  • CVE-2026-6637 (PostgreSQL)
  • CVE-2026-35194 (Apache Flink)

Around the Cyber World

  • Vulnerability Exploitation Overtakes Compromised Credentials — A report by Verizon indicates that vulnerability exploitation has surpassed compromised credentials as the leading initial access vector for data breaches for the first time in nearly two decades. In the past year, 31% of data breaches resulted from vulnerability exploitation, a substantial increase from 20% in 2024, while credential abuse decreased from 22% to 13%. Notably, only 26% of the critical vulnerabilities listed in the U.S. Cybersecurity and Infrastructure Security Agency (CISA) Known Exploited Vulnerabilities (KEV) catalog were addressed by organizations in 2025, down from 38% the previous year. Ransomware attacks accounted for 48% of all breaches last year, up from 44% in 2024.

  • Attackers Go After India's Education Ecosystem — Cybercriminals are exploiting student data across India's education ecosystem, targeting educational institutions, third-party vendors, and online services for phishing, impersonation, social engineering, and financially motivated fraud.

  • RondoDox Adds ASUS Router Flaw to its Arsenal — The RondoDox botnet operators have begun exploiting CVE-2018-5999 (CVSS score: 9.8), a critical flaw in ASUS routers, marking the first recorded instance of this vulnerability being exploited in the wild. The activity was initially detected on May 17, 2026, targeting honeypots.

  • Fake Microsoft Teams Sites Deliver ValleyRAT — Fraudulent Microsoft Teams download sites promoted on X are being utilized to deceive users into downloading a trojanized installer packaged as a ZIP archive, which ultimately leads to the deployment of ValleyRAT, a malware connected to the Chinese cybercrime group Silver Fox.

  • Malicious Activity Targeting Malaysian Entities — Infrastructure controlled by attackers and hosted on Microsoft Azure in the Malaysia West region is being employed to execute targeted intrusion campaigns against several Malaysian organizations.

  • Texas Attorney General Sues Meta Over WhatsApp Encryption Claims — The Texas Attorney General has initiated a lawsuit against Meta, alleging that the company's WhatsApp messenger fails to provide the end-to-end encryption (E2EE) it has consistently claimed to offer.

  • FIOD Arrests Two in Connection with Stark Industries — The Netherlands Fiscal Intelligence and Investigation Service (FIOD) has arrested two individuals and seized 800 servers linked to a web hosting company that facilitated cyber attacks, interference operations, and disinformation initiatives.

  • UNG0002 Targets Chinese Educational Sector — The Chinese educational sector has become the focus of a new campaign by UNG0002, which is conducting a spear-phishing initiative codenamed Operation Dragon Whistle.

  • Void Botnet Uses Ethereum Smart Contracts for C2 — A novel botnet named Void Botnet is leveraging Ethereum smart contracts for command-and-control (C2), making its infrastructure resistant to seizure.

  • Proton Debuts AI Access Tokens in Proton Pass — Proton Pass, a secure password manager utilizing end-to-end encryption (E2EE), has introduced a credential-sharing feature via AI access tokens, allowing users to grant AI agents access to specific items while monitoring their activities.

  • DevilNFC and NFCMultiPay Android NFC Relay Malware Spotted — Two emerging Android NFC relay malware families, DevilNFC and NFCMultiPay, have been detected targeting banking customers in Europe and Latin America.

  • TAX#TRIDENT Uses Indian Income Tax Lures — A new campaign named TAX#TRIDENT is targeting Windows endpoints through three delivery methods, utilizing Indian Income Tax-themed lures.

  • CISA Launches KEV Nomination Form — The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has unveiled an online nomination form that enables researchers, vendors, and industry partners to submit known exploited vulnerabilities (KEVs) directly.

  • Exploitation of Four-Faith Router Flaw — Attackers are exploiting CVE-2024-9643 (CVSS score: 9.8), a critical authentication bypass vulnerability in Four-Faith F3x36 industrial cellular routers, as part of a significant campaign to commandeer compromised devices into botnets.

  • Chinese-Language PhaaS Ecosystem Detailed — An examination of various phishing-as-a-service (PhaaS) offerings within the Chinese underground reveals a shift from static password harvesting to real-time interception and tokenization using live administration panels.

Cybersecurity Tools

  • Bumblebee — This open-source security tool for macOS and Linux is designed to detect software supply-chain vulnerabilities on developer machines. It operates as a lightweight, read-only scanner that reviews metadata files, manifests, and configurations without executing any code.

  • Claude-BugHunter — This open-source add-on transforms Anthropic's Claude Code command-line utility into a specialized security assistant.

Conclusion

As we navigate through these ongoing challenges, it is crucial to address vulnerabilities promptly to prevent them from escalating into more significant threats. Old bugs that have been neglected continue to be exploited by attackers, highlighting the importance of proactive security measures.

The current state of the internet resembles a precarious structure held together by chance and minimal maintenance. Each week brings new vulnerabilities, scams, and the potential for outdated systems to be thrust into botnet activities. We look forward to seeing you next week for further updates.
