vulnerability

Public PoC Released for Critical Libssh2 CVE-2026-55200 Client-Side SSH Flaw

A critical vulnerability (CVE-2026-55200) in the libssh2 client-side SSH library allows a malicious SSH server to trigger memory corruption and potentially execute code on the client without user interaction or credentials. The flaw, present in all versions up to 1.11.1, arises from improper bounds checking on packet length during the SSH handshake, leading to an out-of-bounds heap write. While a patch has been merged but not yet officially released, security advisories urge organizations to inventory affected software linking libssh2 and apply vendor or distribution backports, restrict SSH connections to trusted servers, and monitor for anomalous behavior.

https://thehackernews.com/2026/06/public-poc-released-for-critical.html

New DirtyClone Linux Kernel Flaw Lets Local Users Gain Root Via Cloned Packets

A newly disclosed Linux kernel vulnerability called DirtyClone (CVE-2026-43503) allows local users to escalate privileges to root by exploiting a flaw in the handling of cloned network packets that share file-backed memory. Attackers with CAP_NET_ADMIN can manipulate in-memory copies of privileged binaries without altering the disk files, evading detection and gaining root access once the binaries are executed. The Linux kernel patch fixing this issue was released in May 2026, and users are urged to apply updates or restrict unprivileged user namespaces to mitigate the risk.

https://thehackernews.com/2026/06/new-dirtyclone-linux-kernel-flaw-lets.html

Vulnerability Reports Are Not Special Anymore

Filippo Valsorda argues that vulnerability reports have lost their special status due to advances in large language models (LLMs), which can now identify potential security issues as effectively as human researchers. This shift diminishes the scarcity and confidentiality that once made vulnerability reports valuable, making the main challenge for maintainers triage and remediation rather than discovery. The article suggests security teams should adapt by focusing on rapid assessment and integrating automated LLM analysis into their workflows while recognizing some high-severity or trusted-source reports still require special handling.

https://words.filippo.io/vuln-reports/

Hundreds of AI-powered iOS Apps Found Exposing Credentials

Researchers from Wake Forest University analyzed 444 iOS apps with AI features and found that 282 exposed exploitable credentials or backend access, affecting diverse categories like productivity and health. Despite responsible disclosure, only 28% of the vulnerable apps remediated the issue, while 23% remained exploitable due to lack of action or flawed authentication. The study highlights systemic credential leakage in AI-powered iOS apps, posing ongoing security risks beyond individual developers and providers.

https://www.helpnetsecurity.com/2026/06/22/llm-api-credential-leakage-ios-apps/

What the Latest ShinyHunters Breaches Reveal About Modern Cyberattacks

The recent breaches attributed to the ShinyHunters cybercrime group highlight a shift in modern cyberattacks toward exploiting identities, authentication workflows, and SaaS integrations rather than traditional software vulnerabilities. Attackers increasingly use stolen credentials, compromised OAuth tokens, social engineering, and abuse of legitimate access privileges to bypass perimeter defenses, demonstrating that identity has become the primary battleground in enterprise security. This trend exposes limitations in conventional security tools and underscores the need for continuous identity threat detection, risk-based authentication, and stricter access governance to prevent and mitigate such identity-centric attacks.

https://www.securityweek.com/what-the-latest-shinyhunters-breaches-reveal-about-modern-cyberattacks/

Microsoft Confirms RoguePlanet Defender Zero-Day, Says Patch Is in Development

Microsoft has confirmed a privilege escalation zero-day vulnerability in Microsoft Defender, known as RoguePlanet (CVE-2026-50656), and is developing a patch to address it. The flaw, disclosed by researcher Chaotic Eclipse, exploits a race condition that can grant SYSTEM-level access regardless of Defender’s real-time protection setting.

https://thehackernews.com/2026/06/microsoft-confirms-rogueplanet-defender_02022423645.html

A Backdoor in a LinkedIn Job Offer

A LinkedIn message from a recruiter at a crypto startup led Roman Imankulov to analyze a suspicious GitHub repo purportedly needing a Node modules review. The repo contained a hidden backdoor in a test file that executed arbitrary code fetched from a remote server whenever dependencies were installed, triggered by an npm lifecycle script. The repo and recruiter used stolen identities, highlighting the risk of supply-chain and social engineering attacks via seemingly legitimate job offers.

https://roman.pt/posts/linkedin-backdoor/

Mini Shai-Hulud, Miasma, and Hades Worms Target Bioinformatics and MCP Developers Via Malicious PyPI Wheels

The Mini Shai-Hulud, Miasma, and Hades supply chain campaign has expanded with 23 new malicious PyPI packages targeting bioinformatics and MCP developers by using varied delivery mechanisms including trojanized native extensions and .pth startup hooks to execute obfuscated JavaScript stealers via Bun. These malware-laden packages aim to compromise developer workstations and CI/CD environments to steal credentials, tokens, SSH keys, and cloud secrets, with attackers innovating their payload deployment to evade detection and complicate forensic analysis. Security teams are advised to review affected package versions, monitor for unusual Python startup behaviors, and rotate exposed credentials to mitigate the threat.

https://socket.dev/blog/mini-shai-hulud-miasma-and-hades-worms-target-bioinformatics-and-mcp-developers-via-malicious

Microsoft Defender RoguePlanet Zero-Day Grants SYSTEM Access on Updated Windows

A security researcher known as Chaotic Eclipse has released a proof-of-concept exploit for a Microsoft Defender zero-day vulnerability called RoguePlanet, which enables privilege escalation to SYSTEM access on fully patched Windows 10 and 11 machines. The exploit, a race condition, allows attackers to run arbitrary code and remains effective despite recent updates, although it currently does not work on Windows Server without modification. This disclosure follows a series of public Microsoft Defender vulnerabilities revealed by the researcher amid a dispute with Microsoft over the handling of vulnerability reports and coordinated disclosure.

https://thehackernews.com/2026/06/microsoft-defender-rogueplanet-zero-day.html

June 2026 Patch Tuesday Fixes 200 Microsoft Vulnerabilities

Microsoft's June 2026 Patch Tuesday addressed a record number of 200 vulnerabilities across its products, aiming to enhance security and mitigate risks from potential exploits. This massive update underscores the increasing complexity and volume of vulnerabilities in software ecosystems and highlights the critical need for timely patch management in cybersecurity defense.

https://thecyberexpress.com/june-2026-patch-tuesday-200-microsoft/

The Miasma Worm’s Path of Destruction

The Miasma worm is a new, aggressive variant of the Mini Shai-Hulud malware that has recently compromised Red Hat’s npm packages and spread to 73 Microsoft GitHub repositories, including critical Azure and Durable Task projects. It exploits legitimate GitHub OIDC tokens and valid SLSA provenance attestations to bypass traditional security defenses, weaponizes AI coding tools to propagate when infected repos are cloned, and targets cloud identities in GCP and Azure. Security teams are advised to assume credential compromise, rotate all secrets, audit environments for unauthorized activity, and implement strict dependency allowlisting and SBOMs to defend against such sophisticated supply chain attacks.

https://cloudsmith.com/blog/miasma-worms-path-of-destruction

One-Character Linux Kernel Flaw Enables Local Root Access, Exploits Now Public

A critical one-character use-after-free vulnerability (CVE-2026-23111) in the Linux kernel's nf_tables packet-filtering code enables local privilege escalation from an unprivileged user to root, including container breakout. The flaw, patched since February 2026, has publicly available exploits and affects distributions with nf_tables and unprivileged user namespaces enabled, requiring urgent kernel updates and reboots to mitigate risk. This issue is part of a recent surge in Linux local-root exploits, emphasizing the need to restrict unprivileged user namespaces until patches are deployed.

https://thehackernews.com/2026/06/one-character-linux-kernel-flaw-enables.html

AI Agent Uncovers 21 Zero-Days in FFmpeg; Chrome Patches Record 429 Bugs

An autonomous AI agent from security startup depthfirst discovered 21 zero-day vulnerabilities in FFmpeg, some latent for over two decades, highlighting AI's growing role in vulnerability detection. Meanwhile, Google released Chrome 149, patching a record 429 security bugs—including critical use-after-free flaws—with much of the increased workload attributed to managing a surge in AI-generated bug reports. These developments underscore the accelerating pace and volume of vulnerability discovery driven by AI, emphasizing the need for faster patch cycles and robust update mechanisms.

https://thehackernews.com/2026/06/ai-agent-uncovers-21-zero-days-in.html

Critical Hugging Face Transformers Vulnerability Enables Remote Code Execution Attacks

A critical vulnerability (CVE-2026-4372) in the HuggingFace Transformers library allows remote code execution via malicious model configuration files, bypassing existing security controls. This flaw affects versions 4.56.0 through 5.2.x when used with the kernels package, enabling attackers to execute arbitrary Python code during model loading from HuggingFace Hub without user consent. HuggingFace fixed the issue in version 5.3.0 and advises users to upgrade immediately and audit their environments to mitigate supply chain risks in AI workflows.

https://cybersecuritynews.com/hugging-face-rce-vulnerability/

New Gafgyt Variant Targets Multiple Linux Architectures With Modular Propagation

A new variant of the Gafgyt botnet malware, called C0XMO, has been identified targeting multiple Linux architectures by exploiting a stack buffer overflow vulnerability (CVE-2021-27137) in the UPnP service of DD-WRT router firmware. This modular malware uses architecture-specific payloads and Python-based scripts for lateral movement, allowing it to compromise a wide range of IoT and embedded devices, launch DDoS attacks, and exploit various other known vulnerabilities in devices from D-Link, GLPI project software, and Avtech DVR cameras. Users are advised to apply firmware updates, disable UPnP where unnecessary, and monitor network traffic to mitigate this ongoing threat.

https://cybersecuritynews.com/new-gafgyt-variant-targets-multiple-linux-architectures/

Scroll to Top