> infrastructure security
for people who build things
Tracking vulnerabilities, supply chain attacks, and threat intelligence that matters to engineers running real infrastructure.
The Login Path Is the Target: Inside the PAM/OpenSSH Backdoor Playbook Attackers Keep Reusing
Sygnia's Operation Highland found a China-nexus group living inside an air-gapped network for a decade by backdooring pam_unix.so and sshd. It's the same target the XZ Utils and Ebury campaigns went after, because the Linux authentication stack is the softest hard target in your fleet.
JADEPUFFER: First Documented Ransomware Attack Run End-to-End by an AI Agent
Sysdig documents JADEPUFFER, an LLM-driven agent that autonomously exploited a year-old Langflow RCE (CVE-2025-3248) to breach, pivot, and encrypt a production database with zero human operator input.
Adobe ColdFusion APSB26-68: Six CVSS 10.0 Flaws, and Exploitation Started Within Hours
Adobe's APSB26-68 bulletin patches 11 ColdFusion flaws, six rated CVSS 10.0, including a Remote Development Services path-traversal bug (CVE-2026-48282) that attackers began probing within hours of disclosure.
Bad Epoll (CVE-2026-46242): A Six-Instruction Race in epoll() Roots Linux 6.4+ and Android
A use-after-free race in the Linux epoll subsystem, introduced by a 2023 commit, lets an unprivileged local user gain root with a 99%-reliable exploit, and the same code path may be reachable from Chrome's renderer sandbox on Android.
CVE-2026-8451: A New CitrixBleed-Pattern Memory Overread Is Already Under Active Exploitation
Citrix patched CVE-2026-8451, a pre-auth memory overread in NetScaler's SAML IdP parser that leaks session tokens, and attackers were already exploiting it within 24 hours of disclosure.
DuneSlide: Zero-Click Prompt Injection Chains to Full RCE in Cursor IDE (CVE-2026-50548, CVE-2026-50549)
Two critical Cursor IDE flaws, dubbed DuneSlide, let a poisoned MCP response or web search result steer the agent's own sandbox into overwriting its enforcement binary: zero-click prompt injection to unsandboxed remote code execution, patched in Cursor 3.0.
CVE-2026-8037: Pre-Auth Root RCE in Progress Kemp LoadMaster Now Under Active Exploitation
CVE-2026-8037, a CVSS 9.8 uninitialized-heap flaw in Progress Kemp LoadMaster's escape_quotes() function, lets unauthenticated attackers run root commands on the load balancer's management API. eSentire observed exploitation attempts starting June 29.
GuardFall: Decades-Old Bash Quoting Tricks Defeat Safety Guards in 10 of 11 Open-Source AI Coding Agents
Adversa AI's GuardFall research shows that quote removal, $IFS spacing, command substitution, and other decades-old shell tricks bypass the command guards in opencode, Goose, Cline, Aider, and seven other open-source AI coding agents, turning a poisoned README into silent credential theft.
Oracle E-Business Suite Payments Flaw Under Active Exploitation Before Patch Window Closed
CVE-2026-46817, a CVSS 9.8 unauthenticated takeover flaw in Oracle E-Business Suite's Payments module, is being mass-exploited via the ibytransmit endpoint; patched in May but hit in the wild before any public PoC existed.
Public PoC Drops for Critical libssh2 Heap Overflow: curl, Git, and PHP All Carry the Flaw
A public PoC was released June 29 for CVE-2026-55200, a CVSS 9.2 heap overflow in libssh2 ≤ 1.11.1 that lets a malicious SSH server execute code on any connecting client. curl, Git, PHP, and a long tail of appliances all link the library.
Ubiquiti UniFi OS Server Triple-CVE Chain Enables Unauthenticated Root RCE
Three max-severity CVEs (2026-34908/09/10) in UniFi OS Server chain from an Nginx auth bypass to root command injection; CISA added all three to KEV on June 23 amid Mirai/Gaafgyt botnet exploitation.
Squidbleed: 29-Year-Old Heap Over-Read in Squid Proxy Leaks Cleartext HTTP Traffic (CVE-2026-47729)
A Heartbleed-style heap buffer over-read in Squid's FTP gateway, tracing to a 1997 commit, lets trusted proxy users drain other users' cleartext HTTP requests including credentials, cookies, and session tokens.
CVE-2026-12569: PTC Windchill/FlexPLM Deserialization RCE Exploited in Wild, CISA Deadline Today
A critical unauthenticated deserialization RCE in PTC Windchill and FlexPLM (CVE-2026-12569, CVSS 9.3) is being actively exploited with JSP web shells; CISA federal patch deadline is today.
Your Backup Server Is a Domain-Admin Factory: The Kill Chain Ransomware Operators Have Automated
The backup server is the highest-privilege machine in most environments and the least-hardened. Ransomware operators have known this for years and built repeatable kill chains around it. This is how they work and what it takes to stop them.
DirtyClone: Linux Kernel LPE via Cloned sk_buff Gives Any Local User Root (CVE-2026-43503)
JFrog releases a working exploit for DirtyClone, a Linux kernel socket-buffer cloning flaw that silently rewrites in-memory setuid binaries and grants root, with container escape potential on cloud and Kubernetes hosts.
Linux Kernel CVE-2026-46331: Pedit COW Traffic-Control Bug Delivers Root Shell, Ubuntu Still Unpatched
A weaponized PoC for CVE-2026-46331 (Pedit COW) corrupts the kernel page cache via act_pedit to drop a root shell; Ubuntu 18.04–26.04 remain unpatched.
Arista EOS CVE-2026-7473: Tunnel Decap Flaw Bypasses Segmentation, and Arista Won't Patch It
CVE-2026-7473 lets an unauthenticated attacker push arbitrary tunneled traffic through Arista data-center switches that decapsulate it without checking the protocol. Exploited in the wild, on CISA's KEV list with a deadline of today, and Arista has confirmed no patch is coming.
AryStinger Turns 4,300 End-of-Life Routers Into a Reconnaissance Proxy Network
QiAnXin XLab's AryStinger has hijacked 4,300+ legacy Realtek RTL819X routers, mostly D-Link DIR-850L, into a pre-intrusion recon and proxy mesh using decade-old CVEs.
OptinMonster CDN Supply-Chain Attack: Tampered SDK Backdoors WordPress Admins
Attackers stole an Awesome Motive CDN key and laced the OptinMonster, TrustPulse, and PushEngage SDKs with code that creates rogue admins and plants a web shell, on up to 1.2M fully-patched sites.
Klue OAuth Breach Feeds 'Icarus' Salesforce Data-Theft Spree
A dormant legacy credential at market-intelligence vendor Klue let the new Icarus extortion crew steal customer OAuth tokens and bulk-export Salesforce CRM data from Huntress, Recorded Future, Tanium, Jamf, and more.