security3.225 min read
TrapDoor Strikes npm, PyPI, and Crates.io with Cross-Ecosystem Credential-Stealing Malware
1 day ago•Source: The Hacker News
Security News
The latest security stories, summarized by AI
Featured Security Stories
View original source
8.075 min•1 day ago
AI-Fueled Bug Hunt Redraws the Security Patch Landscape
AI agents are increasingly autonomously finding software flaws and crafting exploits, upending bug-bounty economics as researchers log far more discoveries and attackers speed up development. Major programs are trimming or shifting payouts (Curl’s bounty ended; Google adjusted Chrome/Android rewards) and experts warn that faster zero-days and compressed disclosure windows could pressure quicker patches. The trend, including industry calls for structural defenses and architecture changes, suggests a future where human-led bug hunting remains essential but must be complemented by better-infrastructure that makes many bugs irrelevant.
More Top Stories
2
Git tag hijack turns Laravel Lang releases into credential-stealing malware
BleepingComputer•1 day ago
3
AI-Generated Reports, GitHub Chaos, and Linux Vulnerabilities This Week
Hackaday•3 days ago
More Security Stories
Cisco patches critical unauthenticated REST API flaw in Secure Workload
Cisco fixed a high-severity, unauthenticated REST API vulnerability in Secure Workload (CVE-2026-20223, CVSS 10.0) that could let remote attackers read sensitive data and alter tenant configurations across boundaries with Site Admin privileges. The flaw affects Secure Workload Cluster Software on SaaS and on-prem deployments with no available workarounds; patches are available in Release 3.10.8.3 (3.10) and 4.0.3.17 (4.0), with users of 3.9 and earlier advised to migrate. Cisco notes no known exploits in the wild at this time; the article also references a separate CVE-2026-20182 exploit in Catalyst SD-WAN Controller.
Ubiquiti issues patches for three high-severity UniFi OS flaws exploitable remotely
Ubiquiti released patches for three max-severity UniFi OS vulnerabilities (CVE-2026-34908/34909/34910) that allow remote attackers to change targeted systems, access underlying files, or inject commands, plus earlier patches for CVE-2026-33000 and CVE-2026-34911. The flaws can be exploited with low complexity on UniFi OS devices. Threat intel tracks nearly 100,000 internet-exposed UniFi OS endpoints (many in the U.S.); there’s no public confirmation of exploitation yet. The fixes were disclosed via HackerOne.
Two Actively Exploited Defender Flaws Prompt Auto-Patch Rollout
Microsoft warns that Defender is under active exploitation due to a privilege-escalation flaw (CVE-2026-41091) and a separate denial-of-service flaw (CVE-2026-45498). Updates are delivered automatically via Defender Antimalware Platform versions 1.1.26040.8 and 4.18.26040.7, and systems with Defender disabled are not affected. CISA has added both flaws to its Known Exploited Vulnerabilities catalog, with a June 3, 2026 patch deadline for Federal Civilian Executive Branch agencies. The article also references older Microsoft CVEs that have been added to KEV in recent weeks.
Drupal Core Flaw Exposes PostgreSQL Sites to RCE via Anonymous SQL Injection
Drupal released highly critical security updates for Drupal Core to fix CVE-2026-9082, a flaw in the database abstraction API that allows anonymous attackers to perform arbitrary SQL injections on PostgreSQL sites, potentially leading to information disclosure, privilege escalation, or remote code execution (CVSS 6.5). Affected versions include 11.3.10, 11.2.12, 11.1.10, 10.6.9, 10.5.10, and 10.4.10; Drupal 7 is not affected. End-of-life releases are patched on a best-effort basis, and the updates include upstream fixes for Symfony and Twig.
Exposed ChromaDB servers hit by high-severity RCE via post-load authentication bypass
A max-severity vulnerability in ChromaDB’s Python FastAPI server (CVE-2026-45829) lets unauthenticated attackers load a malicious model and run code before authentication, enabling remote code execution on exposed servers. The flaw affects the PyPI package (nearly 14 million monthly downloads); mitigations include using the Rust frontend or restricting network access, and validating models before runtime. Patch status is unclear after version 1.5.9, and Shodan shows about 73% of internet-exposed instances are still vulnerable.
Nine-Year-Old Linux Kernel Bug Lets Local Users Root on Major Distros
Qualys disclosed CVE-2026-46333, a nine-year-old Linux kernel privilege-escalation flaw in __ptrace_may_access() that can let an unprivileged local user read /etc/shadow, access SSH private keys, and execute commands as root on Debian, Fedora, and Ubuntu; a PoC is available, patches have been released, and mitigations include updating the kernel or setting kernel.yama.ptrace_scope=2 and rotating host keys.
Microsoft Unveils Mitigations for Windows YellowKey Zero-Day
Microsoft released mitigations for the YellowKey Windows BitLocker zero-day (CVE-2026-45585) after a PoC disclosure by Nightmare Eclipse, detailing steps to prevent exploitation—removing the autofstx.exe entry from the Session Manager BootExecute to stop FsTx replay, reestablishing BitLocker trust for WinRE, and enforcing TPM+PIN startup or a startup PIN with TPM on devices (via PowerShell, Intune, or Group Policy)—to block attacks until a patch is available.
GitHub breach tied to poisoned VS Code extension hits thousands of internal repos
GitHub confirmed that a poisoned Visual Studio Code extension installed on an employee’s device led to the exfiltration of roughly 3,800 internal repositories; the malicious extension was removed from the VS Code Marketplace and the endpoint isolated, with incident response begun. Current assessment indicates only GitHub’s internal repositories were affected and there is no evidence that customer data outside the affected repos was compromised. The TeamPCP group has claimed access to about 4,000 repos on a cybercrime forum, though attribution remains unsettled. This follows a history of trojanized VS Code extensions used to steal code and credentials.
Public GitHub repo exposed CISA secrets, enabling high-privilege access
Security researchers revealed that a public GitHub repo named Private-CISA exposed plaintext passwords, SSH private keys, tokens, and other sensitive CISA assets since at least November 2025, potentially enabling high-privilege access to AWS GovCloud; the repo is now offline and reportedly managed by Nightwing, a CISA contractor, which has not publicly commented, following earlier CISA missteps including a director uploading sensitive docs to ChatGPT.
Tycoon2FA Expands to Device-Code Phishing Targeting Microsoft 365
A new Tycoon2FA variant uses device-code phishing via a Trustifi click-tracking URL to hijack Microsoft 365 accounts by steering victims to the legitimate device-login flow at microsoft.com/devicelogin, granting attackers OAuth tokens and access to email, calendar, and files. After a takedown, the kit resurfaced with obfuscation and new delivery chains, prompting defenders to disable the device-code flow when not needed, restrict OAuth permissions, enable Continuous Access Evaluation, and monitor Entra logs for deviceCode activity and related IoCs.