NEW: malware developers added nuclear & biological weapons text to to their spyware.
Goal? To trigger LLM safety refusals... so that their spyware wouldn't be analyzed by an AI security scanner.
Cleanest practical example I can think of for why over-indexing on first order safety alignment is risky.
When closed (and open) models ship with aggressive refusals, they will be sprinkled with second-order blindspots that attackers will discover...and exploit.
We are only in the earliest days of attackers leveraging these features, and it wouldn't surprise me if users systems that need to handle complex cybersecurity issues demand that models be less safety-blunted.
In the weeds: @SocketSecurity's post also shows why intention matters in how you design a malware analysis pipeline to avoid prompt manipulation.
H/T to colleagues that shared this with me https://t.co/f3Aj9TYxU4
The RF world is insane.
Researchers recovered AES-128 keys from a Bluetooth chip by listening to its own antenna from 10 meters away.
Crypto-engine switching noise couples into the RF chain, rides the 2.4 GHz carrier, and leaks out as radio.
‼️🚨 BREAKING: An AI found a Linux kernel zero-day that roots every distribution since 2017. The exploit fits in 732 bytes of Python. Patch your kernel ASAP.
The vulnerability is CVE-2026-31431, nicknamed "Copy Fail," disclosed today by Theori. It has been sitting quietly in the Linux kernel for nine years.
Most Linux privilege-escalation bugs are picky. They need a precise timing window (a "race"), or specific kernel addresses leaked from somewhere, or careful tuning per distribution. Copy Fail needs none of that. It is a straight-line logic mistake that works on the first try, every time, on every mainstream Linux box.
The attacker just needs a normal user account on the machine. From there, the script asks the kernel to do some encryption work, abuses how that work is wired up, and ends up writing 4 bytes into a memory area called the "page cache" (Linux's high-speed copy of files in RAM). Those 4 bytes can be aimed at any program the system trusts, like /usr/bin/su, the shortcut to becoming root.
Result: the next time anyone runs that program, it lets the attacker in as root.
What should worry most: the corruption never touches the file on disk. It only exists in Linux's in-memory copy of that file. If you imaged the hard drive afterwards, the on-disk file would match the official package hash exactly. Reboot the machine, or just put it under memory pressure (any normal system load that needs the RAM), and the cached copy reloads fresh from disk.
Containers do not help either. The page cache is shared across the whole host, so a process inside a container can use this bug to compromise the underlying server and reach into other tenants.
The original sin was a 2017 "in-place optimization" in a kernel crypto module called algif_aead. It was meant to make encryption slightly faster. The change broke a critical safety assumption, and nobody noticed for nine years. That bug then rode every kernel update from 2017 to today.
This vulnerability affects the following:
🔴 Shared servers (dev boxes, jump hosts, build servers): any user becomes root
🔴 Kubernetes and container clusters: one compromised pod escapes to the host
🔴 CI runners (GitHub Actions, GitLab, Jenkins): a malicious pull request becomes root on the runner
🔴 Cloud platforms running user code (notebooks, agent sandboxes, serverless functions): a tenant becomes host root
Timeline:
🔴 March 23, 2026: reported to the Linux kernel security team
🔴 April 1: patch committed to mainline (commit a664bf3d603d)
🔴 April 22: CVE assigned
🔴 April 29: public disclosure
Mitigation: update your kernel to a build that includes mainline commit a664bf3d603d. If you cannot patch immediately, turn off the vulnerable module:
echo "install algif_aead /bin/false" > /etc/modprobe.d/disable-algif.conf
rmmod algif_aead 2>/dev/null || true
For environments that run untrusted code (containers, sandboxes, CI runners), block access to the kernel's AF_ALG crypto interface entirely, even after patching. Almost nothing legitimate needs it, and blocking it shuts the door on this whole class of bug...
🚨#BREAKING: According to reports, a Claude powered coding agent using the Cursor tool allegedly went rogue, wiping a company’s production database along with its backups in just 9 seconds, raising serious concerns
🚨 Bitwarden CLI 2026.4.0 was compromised as part of the ongoing Checkmarx supply chain campaign after attackers abused a GitHub Action in Bitwarden’s CI/CD pipeline.
We’ll continue updating our coverage as more details are confirmed.
https://t.co/G0aakn8swq
@OpenAI Nothing says "everything is fine" quite like an emergency blog post telling millions of people to update their app immediately. But honestly, handling it publicly like this is the move.
Cisco source code leaked due to supply chain attacks from the past few weeks.
Namely the Trivy hack - same that caused the LiteLLM compromise.
As with the others, all lead back to GitHub Actions to steal creds - via BleepingComputer
🚨 CRITICAL: Active supply chain attack on axios -- one of npm's most depended-on packages.
The latest [email protected] now pulls in [email protected], a package that did not exist before today. This is a live compromise.
This is textbook supply chain installer malware. axios has 100M+ weekly downloads. Every npm install pulling the latest version is potentially compromised right now.
Socket AI analysis confirms this is malware. plain-crypto-js is an obfuscated dropper/loader that:
• Deobfuscates embedded payloads and operational strings at runtime
• Dynamically loads fs, os, and execSync to evade static analysis
• Executes decoded shell commands
• Stages and copies payload files into OS temp and Windows ProgramData directories
• Deletes and renames artifacts post-execution to destroy forensic evidence
If you use axios, pin your version immediately and audit your lockfiles. Do not upgrade.
Software horror: litellm PyPI supply chain attack.
Simple `pip install litellm` was enough to exfiltrate SSH keys, AWS/GCP/Azure creds, Kubernetes configs, git credentials, env vars (all your API keys), shell history, crypto wallets, SSL private keys, CI/CD secrets, database passwords.
LiteLLM itself has 97 million downloads per month which is already terrible, but much worse, the contagion spreads to any project that depends on litellm. For example, if you did `pip install dspy` (which depended on litellm>=1.64.0), you'd also be pwnd. Same for any other large project that depended on litellm.
Afaict the poisoned version was up for only less than ~1 hour. The attack had a bug which led to its discovery - Callum McMahon was using an MCP plugin inside Cursor that pulled in litellm as a transitive dependency. When litellm 1.82.8 installed, their machine ran out of RAM and crashed. So if the attacker didn't vibe code this attack it could have been undetected for many days or weeks.
Supply chain attacks like this are basically the scariest thing imaginable in modern software. Every time you install any depedency you could be pulling in a poisoned package anywhere deep inside its entire depedency tree. This is especially risky with large projects that might have lots and lots of dependencies. The credentials that do get stolen in each attack can then be used to take over more accounts and compromise more packages.
Classical software engineering would have you believe that dependencies are good (we're building pyramids from bricks), but imo this has to be re-evaluated, and it's why I've been so growingly averse to them, preferring to use LLMs to "yoink" functionality when it's simple enough and possible.
The guy writing the TeamPCP/CanisterWorm malware knows me by first name and is leaving little notes in his source code asking me to be nice💀
Somehow, he's finding time to read my ramblings between pushing new versions🙃
from a security perspective: your router's CSI data was always leaking body movement patterns. this just packages the exploit into a clean open-source tool.
every pentest engagement should now include "can we see through their walls with their own router" as a recon vector.
the attack surface just went from "theoretical paper at MIT in 2018" to "git clone and run." that's usually when things get interesting for defenders.
⚠️ GitHub Copilot Exploited to Perform Full Repository Takeover via Passive Prompt Injection
Source: https://t.co/AAB7ZRCYEl
A critical AI-driven vulnerability in GitHub Codespaces, dubbed RoguePilot, that enabled attackers to silently hijack a repository by embedding malicious instructions inside a GitHub Issue.
RoguePilot is classified as a Passive Prompt Injection, a variant where malicious instructions are embedded inside data, content, or developer environments that a language model processes automatically.
Unlike traditional prompt injection requiring a victim to directly interact with the AI, this attack is triggered the moment a developer opens a Codespace from a poisoned GitHub Issue.
#cybersecuritynews
Nothing humbles you like telling your OpenClaw “confirm before acting” and watching it speedrun deleting your inbox. I couldn’t stop it from my phone. I had to RUN to my Mac mini like I was defusing a bomb.
Wait—AI did 𝘸𝘩𝘢𝘵 in 8 minutes? ⚠️
🚨 @sysdig observed a live AI-assisted attack: stolen AWS creds, LLM-generated code, admin access in 8min for LLMjacking, GPU abuse & compromising 19 principals.
This isn’t any attack—it’s a preview of what's coming. https://t.co/3BJijMlnUW
Clawd disaster incoming
if this trend of hosting ClawdBot on VPS instances keeps up, along with people not reading the docs and opening ports with zero auth...
I'm scared we're gonna have a massive credentials breach soon and it can be huge
This is just a basic scan of instances hosting clawdbot with open gateway ports and a lot of them have 0 auth
🚨Cyber Alert ‼️
🇺🇸USA - Target's dev server offline after hackers claim to steal source code.
Hackers claim to be selling 860 GB of internal Target source code and developer documentation after allegedly breaching the company’s private Git environment, publishing samples on Gitea that reference internal systems and engineers.
Although the breach is unconfirmed, the metadata and structure of the leaked files suggest a compromise of Target’s internal development infrastructure.
Source: https://t.co/eLdKasIlP0