Researchers disclosed “Dirty Frag,” a Linux kernel vulnerability involving page-cache corruption in the decryption fast path that may allow local privilege escalation to root.

The bug is drawing comparisons to past kernel flaws like Dirty Pipe because of its potential impact on multi-user and containerized environments.

Technical analysis, affected systems, and mitigation details: https://thecybersecguru.com/news/dirty-frag-linux-kernel-root-vulnerability/

A critical RCE vulnerability (CVE-2026-23918) has been found in Apache HTTP Server ≤2.4.66, caused by a double-free bug in HTTP/2 handling. It’s rated CVSS 8.8 and could allow remote code execution on vulnerable servers. Apache has fixed it in 2.4.67, but given how widely Apache is deployed, this has a significant impact if left unpatched. If you’re running HTTP/2, update immediately to version 2.4.67.

Read more: https://thecybersecguru.com/news/apache-rce-vulnerability-cve-2026-23918/

A massive data breach (allegedly) has occurred at Adobe. Carried out by a threat actor calling themselves "Mr. Raccoon", the claims are that over 13M support ticket details have been leaked along with details of over 15,000 employees. Additionally, they have access to their microsoft SharePoint instance and also to make matters worse, Adobe's HackerOne account. Adobe is yet to comment on this matter.

Cisco reportedly suffered a breach of its internal development environment after attackers leveraged credentials stolen during the recent Trivy supply-chain compromise. More details linked with sample data

Axios is one of the most used npm packages which just got hit by a supply chain attack. Malicious versions of Axios (1.14.1 and 0.30.4) hit the npm registry yesterday. They carry a malware dropper called plain-crypto-js@4.2.1. If you ran npm install in the last 24 hours, check your lockfile. Roll back to 1.14.0 and rotate every credential that was in your environment. Currently, as of now, npmjs has removed the compromised versions of axios package along with the malicious plain crypto js package. Live updates + info linked.

Malicious versions of the telnyx Python SDK (4.87.1, 4.87.2) were uploaded to PyPI. Code executes directly on import. It works cross-platform.

Delivery method is the interesting part. The package fetches a .wav file from C2, reads frame data, base64-decodes it, then XORs using the first few bytes as key to reconstruct the payload. File is valid audio, so it blends in and its pretty hard to detect by traditional methods.

Windows path drops msbuild.exe into Startup for persistence.

Linux/macOS path uses a staged Python loader → fetch WAV → extract second stage → execute via stdin → AES encrypt + exfil.

C2: 83.142.209.203:8080

Endpoints: /hangup.wav, /ringtone.wav

If you pulled those versions: downgrade, rotate secrets, and check for outbound traffic to that IP.

Backdoor operates at the kernel level using BPF to passively inspect traffic and trigger on crafted packets, avoiding exposed ports or typical C2 indicators.

Tradecraft enables long-term persistence and covert access inside core network infrastructure, with very limited visibility from standard monitoring.

Interesting case of network-layer backdoor design rather than traditional userland implants.

Breach occurred at Navia Benefit Solutions, a 3rd party, not HackerOne infra.

Around 287 HackerOne employees PII leaked.

Navia delayed breach notifications by weeks. Filed at Maine AG.

Navia was independently breached. Over 10K US employee's PII exposed.

Reports point to an auth flaw (BOLA-type) enabling access to employee PII (SSNs, DoB, addresses, benefits data).

Exposure window: Dec 2025 to Jan 2026.

Analysis of the LiteLLM incident: stolen CI tokens → malicious PyPI releases → credential exfiltration from runtime environments.

With focus on trust boundaries in CI/CD and secret exposure.

There are reports of OVHcloud-related data being posted on a forum for sale. No official confirmation so far from OVHCloud. Given OVH’s scale, potential impact could be significant depending on scope, especially in Europe

UPDATE: OVHcloud CEO, Octave Klaba has commented that the sample dataset was not found in their system.