
Security News
The latest security stories, summarized by AI
Featured Security Stories


Google flags quantum threat to Bitcoin, eyes 2029 post-quantum shift
Google Research warns that the quantum resources needed to break ECDLP-256 have fallen roughly 20-fold, potentially enabling on-spend attacks against Bitcoin within its 10-minute block window and prompting a 2029 migration to post-quantum cryptography; the industry, including Coinbase and the Ethereum Foundation, is coordinating on the transition, though the risk remains years away.

More Top Stories
Trivy hit by TeamPCP supply-chain attack through GitHub Actions
BleepingComputer•19 days ago
Ancient Telnet Hole Sparks Modern Worry: CVE-2026-32746 Pre-Auth RCE in Telnetd
watchTowr Labs•22 days ago
More Security Stories

BYOVD Enables 54 EDR Killers to Undermine Defenses Ahead of Ransomware
An ESET study finds 54 EDR killer tools abuse Bring-Your-Own-Vulnerable-Driver (BYOVD) tactics across 34 signed drivers to gain kernel privileges, disable security tools, and pave the way for ransomware encryptors; actors range from closed ransomware groups and PoC tweakers to underground marketplace vendors, with some variants using scripting or driverless approaches. The report emphasizes the need for layered defenses and tighter monitoring of driver loading to disrupt attacks at multiple stages.

Ubuntu patches timer-based root access (CVE-2026-3888)
Ubuntu Desktop 24.04+ is patched for CVE-2026-3888, a high-severity local privilege-escalation that can occur via a timing window in systemd-tmpfiles cleanup interacting with snap-confine. An unprivileged attacker could wait for the cleanup to delete /tmp/.snap, recreate it with a payload, and have it bound as root on the next sandbox initialization. Patches are available through updated snapd versions across Ubuntu 24.04.x, 25.10.x, 26.04.x, and upstream; exploitation requires a 10–30 day window and no user interaction. The report also notes a separate race-condition in uutils coreutils that could enable root-level file operations during cron, mitigated by reverting rm to GNU coreutils in Ubuntu 25.10 and applying upstream uutils fixes. Users should apply the patched snapd updates to mitigate risk.

DarkSword: High-End iOS Exploit Kit Uses Zero-Days for Rapid Device Takeover
DarkSword is a JavaScript-based iOS exploit kit targeting iPhones on iOS 18.4–18.7 via watering-hole campaigns, chaining six vulnerabilities to achieve remote code execution, escaping the WebContent sandbox through the GPU into mediaplaybackd, escalating to kernel privileges, and then loading a data-collection module to exfiltrate a wide range of information (including emails, iCloud data, messages, wallet data, photos, contacts, and more) before cleaning up. Used by UNC6353 and linked groups such as UNC6748 and PARS Defense, the kit underscores a growing market for high-end iOS exploits and rapid, non-persistent data theft.
CISA Pushes Hardened Endpoint Security Following Stryker Incident
CISA urges U.S. organizations to harden endpoint-management configurations after the Stryker breach, calling for least-privilege RBAC, phishing-resistant MFA, Entra ID/Conditional Access, and Multi Admin Approval, with guidance drawn from Microsoft Intune best practices to prevent abuse of legitimate endpoint-management tools.

Zero-Auth Telnetd Flaw Enables Remote Root RCE in GNU InetUtils (CVE-2026-32746)
A critical unauthenticated flaw in GNU InetUtils telnetd (CVE-2026-32746) allows remote code execution with root privileges by sending crafted LINEMODE SLC options during the initial handshake. It affects all versions up to 2.7; a fix is expected by April 1, 2026. Mitigations include disabling telnetd where possible, running it as a non-root user when it is needed, and blocking or isolating port 23 at the network and host levels. The issue follows a previous high-severity telnetd flaw (CVE-2026-24061) and has been noted as actively exploited in the wild per CISA.

GlassWorm Expands to 433 Repos Across GitHub, npm, and VSCode
A renewed GlassWorm supply-chain campaign has compromised 433 components across GitHub, npm, and VSCode/OpenVSX, spreading via compromised accounts, obfuscated code, and a Solana-based C2 to harvest wallet data, credentials, and environment info; indicators include marker lzcdrtfxyqiplpd and init.json persistence, with warnings to inspect for rogue Node.js installs and unusual commit histories.

OpenClaw Under Fire: Prompt Injection and Data Leakage Risks
CNCERT warns that OpenClaw’s weak default security and privileged execution could enable prompt-injection attacks, including indirect prompt injection via web content and link previews that leak sensitive data; other risks include misinterpretation causing data loss, uploading malicious skills to repositories like ClawHub, and exploiting known vulnerabilities. China is restricting OpenClaw in state entities, while attackers distribute malware via GitHub repos posing as OpenClaw installers. Mitigations include hardening networks, isolating the service, avoiding plaintext credentials, downloading skills only from trusted sources, disabling automatic updates, and keeping the agent up to date.
Ubuntu AppArmor Flaws Could Enable Local Privilege Escalation
Qualys disclosed multiple vulnerabilities in Ubuntu’s AppArmor kernel security module (CrackArmor) that can cause memory leaks and DoS, and, when combined with a sudo discovery, may enable local privilege escalation. Canonical is rolling out fixes across affected Ubuntu releases, addressing issues from DFA state bounds and memory leaks to policy namespace limits and race conditions. The advisory also notes unsafe su behavior prompting hardening, with the sudo flaw affecting releases back to 22.04 LTS and su hardening traced to 20.04 LTS; more details are available in Qualys’ advisory.

HPE patches critical AOS-CX authentication flaw that could reset admin passwords
Hewlett Packard Enterprise has issued patches for Aruba's AOS-CX network operating system, addressing multiple vulnerabilities including a critical authentication bypass (CVE-2026-23813) that could allow an unauthenticated attacker to reset the admin password via the web-based management interface. Mitigations include restricting management access to a secure L2 segment, applying strict Layer-3 ACLs, disabling HTTP(S) on SVIs and routed ports, and enabling comprehensive logging and management ACLs. HPE says no public exploit had been observed at the time of the advisory. The report also notes prior related disclosures and aligns with ongoing industry warnings from CISA on HPE vulnerability exposure.

KadNap DHT Botnet Turns 14k Edge Devices into Stealth Proxies; ClipXDaemon Hijacks Linux Wallet Addresses
Security researchers uncovered KadNap, a new malware targeting Asus routers and other edge devices that forms a decentralized, Kademlia DHT–based proxy botnet with over 14,000 infected hosts (majority in the U.S.). It uses a shell script downloaded from a C2 at 212.104.141.140 to install persistence, fetch a kad ELF, and join a peer-to-peer network that hides C2 traffic and feeds a Doppelgänger proxy service; the operators tier targets, close SSH (port 22), and collect host time and uptime to build peer hashes for network coordination. The same report also details ClipXDaemon, a memory-only Linux clipboard hijacker that replaces copied cryptocurrency wallet addresses in real time for multiple coins, with no C2 or beaconing and designed to avoid Wayland sessions.