> infrastructure security
for people who build things
Tracking vulnerabilities, supply chain attacks, and threat intelligence that matters to engineers running real infrastructure.
CISA AA26-097A: CyberAv3ngers Exploit Rockwell PLCs Across US Water, Energy, and Government Systems
Six US agencies issue joint advisory after Iranian-affiliated CyberAv3ngers compromise Rockwell Allen-Bradley PLCs in water, energy, and government sectors, manipulating SCADA displays and control logic.
CVE-2026-39860: Nix Package Manager Symlink Bug Gives Any User Root on Multi-User Installs
A critical symlink-following flaw in the Nix daemon lets unprivileged users overwrite arbitrary files as root during fixed-output derivation builds.
CVE-2026-32922: OpenClaw Privilege Escalation Lets Any Paired Device Achieve Full RCE
A missing scope validation in OpenClaw's device.token.rotate endpoint lets any device with operator.pairing scope mint admin tokens and execute arbitrary code on connected nodes.
CISA Adds Ivanti EPMM Zero-Days to KEV as Mass Exploitation Ramps Up
CISA adds CVE-2026-1340 to the Known Exploited Vulnerabilities catalog as attackers chain two Ivanti EPMM zero-days for unauthenticated RCE against mobile device management infrastructure.
North Korea's Contagious Interview Campaign Hits 1,700 Malicious Packages Across Five Ecosystems
DPRK-linked Contagious Interview operation now spans npm, PyPI, Go Modules, crates.io, and Packagist with 1,700+ poisoned packages delivering BeaverTail and InvisibleFerret malware.
APT28's FrostArmada Hijacked 18,000 SOHO Routers to Steal Microsoft 365 Credentials — FBI Disrupts Operation
Russia-linked APT28 compromised 18,000 MikroTik and TP-Link routers across 120 countries to hijack DNS and steal Microsoft 365 OAuth tokens. FBI disrupts the operation.
BlueHammer: Unpatched Windows Defender Zero-Day Turns Definition Updates Into SYSTEM Shells
A disgruntled researcher leaked BlueHammer, a Windows Defender LPE zero-day that chains TOCTOU race conditions with Cloud Files oplocks to dump SAM hives and escalate to SYSTEM. No patch available.
Over 1,000 Exposed ComfyUI Instances Hijacked for Cryptomining and Proxy Botnet
Active campaign targets unauthenticated ComfyUI deployments across cloud providers, enlisting them into Monero mining and a Hysteria V2 proxy botnet via malicious custom nodes.
Docker AuthZ Bypass Returns: CVE-2026-34040 Lets Attackers Create Privileged Containers With a Single Padded Request
An incomplete fix for a 2024 Docker AuthZ bypass has resurfaced as CVE-2026-34040, allowing unauthenticated container creation with host filesystem access via oversized HTTP requests.
Three High-Severity Command Injection Flaws in AWS Research and Engineering Studio Give Authenticated Users Root RCE
AWS patches three CVSS 8.8 command injection and privilege escalation bugs in Research and Engineering Studio (RES) — any authenticated user could get root on virtual desktop hosts or the cluster manager.
Flowise AI Under Active Exploitation: CVSS 10.0 RCE via CustomMCP Node Hits 12,000+ Exposed Instances
Critical unauthenticated RCE in Flowise AI's CustomMCP node (CVE-2025-59528, CVSS 10.0) is under active exploitation. Over 12,000 instances are exposed. Patch to 3.0.6 immediately.
Storm-1175 Chains Zero-Days to Deploy Medusa Ransomware in Under 24 Hours
Microsoft exposes Storm-1175 as a primary Medusa ransomware affiliate, weaponizing zero-days in SmarterMail and GoAnywhere MFT with sub-24-hour dwell times.
Akira Ransomware Now Encrypts in Under an Hour: SonicWall VPNs Are the Front Door
Akira ransomware operators are completing full attack chains from initial VPN access to encryption in under 60 minutes, targeting SonicWall SSL VPNs even on patched devices.
CVE-2026-23442: Remote Kernel Panic via SRv6 NULL Pointer Dereference Threatens IPv6 Infrastructure
A CVSS 8.2 flaw in the Linux kernel's SRv6 implementation lets remote attackers crash systems with crafted IPv6 packets. Patches are out—update now.
CVE-2026-34612: Kestra SQL Injection Chains to Host RCE via PostgreSQL COPY TO PROGRAM
Critical CVSS 9.9 flaw in Kestra orchestration platform lets authenticated attackers chain SQL injection through PostgreSQL COPY TO PROGRAM for arbitrary command execution on the Docker host.
CVE-2026-32211: Azure MCP Server Ships with No Auth — Your DevOps Secrets Are One Request Away
Critical CVSS 9.1 flaw in Azure MCP Server has zero authentication on critical functions, exposing API keys, tokens, repos, and pipeline configs to unauthenticated attackers. No patch available.
Ubiquiti UniFi Network Application Hit With CVSS 10 Path Traversal — Unauthenticated Account Takeover Possible
CVE-2026-22557 is a maximum-severity path traversal in Ubiquiti UniFi Network Application that enables unauthenticated full account takeover. Chain it with CVE-2026-22558 for admin escalation. Patch to 10.1.89 immediately.
Device Code Phishing Attacks Surge 37x as EvilTokens PhaaS Fuels OAuth Abuse Against Microsoft 365
Device code phishing attacks exploiting the OAuth 2.0 Device Authorization Grant have surged 37x in 2026, driven by turnkey PhaaS kits like EvilTokens that bypass MFA and compromise enterprise M365 tenants.
CVE-2026-4681: CVSS 10.0 Deserialization RCE in PTC Windchill Has German Police Knocking on Doors
A maximum-severity deserialization flaw in PTC Windchill and FlexPLM (CVE-2026-4681, CVSS 10.0) prompted German federal police to physically visit companies and wake up sysadmins. No patch yet. Here's what you need to know.
36 Malicious npm Packages Disguised as Strapi Plugins Deploy Redis Exploits, PostgreSQL Credential Harvesting, and Persistent Implants
A coordinated campaign planted 36 fake Strapi CMS plugins on npm that exploit Redis and PostgreSQL instances, harvest credentials, and install persistent C2 implants targeting production infrastructure.