> infrastructure security
for people who build things
Tracking vulnerabilities, supply chain attacks, and threat intelligence that matters to engineers running real infrastructure.
Klue OAuth Breach Feeds 'Icarus' Salesforce Data-Theft Spree
A dormant legacy credential at market-intelligence vendor Klue let the new Icarus extortion crew steal customer OAuth tokens and bulk-export Salesforce CRM data from Huntress, Recorded Future, Tanium, Jamf, and more.

One Symlink From Host Root: The runC maskedPaths Escapes and the Myth of the Container Boundary
Three runC CVEs disclosed in November 2025 turned container escape back into a /dev/null symlink race — and one of them walks straight through AppArmor and SELinux. Here is how the maskedPaths breakout works, why seccomp and user namespaces are the layers that actually held, and what to change before the next runtime CVE.

Gravity SMTP CVE-2026-4020: Unauthenticated Flaw Leaks Cloud Email API Keys Amid Mass Exploitation
Attackers are mass-exploiting CVE-2026-4020 in the Gravity SMTP WordPress plugin to dump site config and third-party email provider API keys. Patch to 2.1.5 and rotate every key now.

A Zero-Length Compare and 27 Years: OpenBSD's PAP Authentication Bypass (CVE-2026-55706)
CVE-2026-55706 is a 27-year-old authentication bypass in OpenBSD's sppp(4) PAP handler. An attacker-controlled compare length means empty credentials produce a PAP_ACK — and an oversized one leaks kernel heap. Full details and a working PoC are public.

Two Critical NGINX Flaws Put HTTP/3 and gRPC Proxying One Bug Away From Unauthenticated RCE
F5 patched CVE-2026-42530 and CVE-2026-42055, two CVSS 9.2 unauthenticated memory-corruption bugs in NGINX's HTTP/3 and HTTP/2 paths. Both reach RCE where ASLR can be bypassed, and both touch NGINX Ingress Controller and Gateway Fabric.

FortiBleed: Cracked Admin Credentials Leak for 73,932 Internet-Facing FortiGate Firewalls
A Russian-speaking crew cracked weak legacy FortiOS password hashes to harvest working admin and SSL VPN credentials for 73,932 FortiGate firewalls — roughly half the internet-facing fleet across 194 countries. Assume compromise and rotate now.

LiteSpeed cPanel Plugin CVE-2026-54420: A Symlink Trick That Escapes CageFS for Root
An actively exploited symlink flaw in LiteSpeed's user-end cPanel plugin lets any tenant with FTP or web-shell access break out of CageFS and become root. CISA's federal patch deadline is today.

Pickle in the Middle: Vertex AI SDK Bucket-Squatting Bug Enabled Cross-Tenant RCE
Unit 42's 'Pickle in the Middle' shows how a predictable staging-bucket name in the Vertex AI Python SDK let an attacker hijack model uploads and run code cross-tenant. Patched in google-cloud-aiplatform 1.148.0.

Mastra npm Scope Hijacked: 144 AI-Framework Packages Backdoored with the easy-day-js Stealer
An attacker hijacked a former contributor's npm account to republish ~144 @mastra packages — including @mastra/core (918K weekly downloads) — each pulling in easy-day-js, a dayjs typosquat that drops a cross-platform crypto/infostealer at install time.

RoguePlanet Gets a CVE: Microsoft Confirms Patch in Progress for Defender SYSTEM Race Condition (CVE-2026-50656)
One week after a public PoC dropped during Patch Tuesday, Microsoft has assigned CVE-2026-50656 to RoguePlanet — a Defender Malware Protection Engine race condition that hands SYSTEM on fully patched Windows 10 and 11 — and confirmed a fix is in flight. No patch yet.

Velvet Ant's Operation Highland: A China-Nexus APT Backdoored the Linux Auth Stack for a Decade
Sygnia's Operation Highland report details how the China-nexus group Velvet Ant hid in an isolated network for nearly a decade by backdooring pam_unix.so and OpenSSH binaries — no exploit, no dropped malware, no anomalous logs.

Ivanti Sentry CVE-2026-10520: Unauthenticated Root RCE via handleMessage, Now in CISA KEV
A CVSS 10.0 OS command injection in Ivanti Sentry's unauthenticated /mics/api/v2/sentry/mics-config/handleMessage endpoint yields remote code execution as root. watchTowr published a PoC on June 10, CISA added it to KEV on June 11 with a June 14 deadline, and exploitation has followed.

Jenkins CVE-2026-53435: config.xml Deserialization RCE Exploited Five Days After Disclosure
CVE-2026-53435 (CVSS 9.0) is an unsafe-deserialization RCE in Jenkins' config.xml handling. Disclosed June 10, a public PoC is now driving in-the-wild exploitation against internet-exposed CI/CD servers. Patch to weekly 2.568 or LTS 2.555.3.

Chrome V8 Zero-Day CVE-2026-11645 Exploited in the Wild — Patch Every Chromium Runtime, Not Just Browsers
Google patched CVE-2026-11645, an actively exploited out-of-bounds read/write in V8. The real blast radius is every Chromium runtime you operate — headless Chrome in CI, Electron apps, and server-side renderers.

Splunk Enterprise CVE-2026-20253: An Unauthenticated Postgres Sidecar Hands Over Pre-Auth RCE
CVE-2026-20253 (CVSS 9.8) is a pre-auth RCE in Splunk Enterprise. An unauthenticated Postgres sidecar endpoint gives an arbitrary file write that escalates to code execution — on the box holding all your logs. Full exploit details are public; patch now.

Veeam VBR CVE-2026-44963: Any Domain User Can Own Your Backup Server
A critical CVSS 9.4 RCE lets any authenticated domain user run code on domain-joined Veeam Backup & Replication servers. Patch to 12.3.2.4854 now.

eBPF Cuts Both Ways: The Kernel Rootkit Is Now Standard Issue in 2026's Supply-Chain Malware
In two weeks, IronWorm and the atomic-lockfile AUR compromise both shipped an eBPF kernel rootkit as just another payload module. The observability primitive your stack is built on is now the malware's stealth layer — and most detection assumptions are structurally defeated.

Proto6: Six protobuf.js Flaws Turn Trusted Schemas Into RCE and DoS Across gRPC, Cloud, and AI Stacks
Cyera's Proto6 research discloses six CVEs in protobuf.js, including a prototype-pollution-to-RCE chain, in a library pulled 50M+ times a week across gRPC, Google Cloud SDKs, vector databases, and CI/CD.

400+ AUR Packages Compromised: atomic-lockfile npm Payload Drops Credential Stealer With eBPF Rootkit
Over 400 Arch User Repository packages were modified to pull a malicious npm package that deploys a developer-focused credential stealer with optional root-only eBPF rootkit capabilities.

CISA Kills the Flat KEV Deadline: BOD 26-04 Starts a Three-Day Patch Clock
BOD 26-04 revokes BOD 22-01 and 19-02, replacing flat KEV due dates with risk-tiered deadlines: three days plus mandatory forensic triage for internet-facing, automatable, total-control flaws.