7/8 CTR Distribution & Supply
CTR has a fixed supply of 10 billion. 60% goes to the ecosystem and community, including 12% for initial claims.
The distribution of CTR is prioritized for active users of the network and incentives for those who steer the Bitcoin economy.
‼️🚨 BREAKING: An AI found a Linux kernel zero-day that roots every distribution since 2017. The exploit fits in 732 bytes of Python. Patch your kernel ASAP.
The vulnerability is CVE-2026-31431, nicknamed "Copy Fail," disclosed today by Theori. It has been sitting quietly in the Linux kernel for nine years.
Most Linux privilege-escalation bugs are picky. They need a precise timing window (a "race"), or specific kernel addresses leaked from somewhere, or careful tuning per distribution. Copy Fail needs none of that. It is a straight-line logic mistake that works on the first try, every time, on every mainstream Linux box.
The attacker just needs a normal user account on the machine. From there, the script asks the kernel to do some encryption work, abuses how that work is wired up, and ends up writing 4 bytes into a memory area called the "page cache" (Linux's high-speed copy of files in RAM). Those 4 bytes can be aimed at any program the system trusts, like /usr/bin/su, the shortcut to becoming root.
Result: the next time anyone runs that program, it lets the attacker in as root.
What should worry you most: the corruption never touches the file on disk. It only exists in Linux's in-memory copy of that file. If you imaged the hard drive afterwards, the on-disk file would match the official package hash exactly. Reboot the machine, or just put it under memory pressure (any normal system load that needs the RAM), and the cached copy reloads fresh from disk.
Containers do not help either. The page cache is shared across the whole host, so a process inside a container can use this bug to compromise the underlying server and reach into other tenants.
The original sin was a 2017 "in-place optimization" in a kernel crypto module called algif_aead. It was meant to make encryption slightly faster. The change broke a critical safety assumption, and nobody noticed for nine years. That bug then rode every kernel update from 2017 to today.
This vulnerability affects the following:
🔴 Shared servers (dev boxes, jump hosts, build servers): any user becomes root
🔴 Kubernetes and container clusters: one compromised pod escapes to the host
🔴 CI runners (GitHub Actions, GitLab, Jenkins): a malicious pull request becomes root on the runner
🔴 Cloud platforms running user code (notebooks, agent sandboxes, serverless functions): a tenant becomes host root
Timeline:
🔴 March 23, 2026: reported to the Linux kernel security team
🔴 April 1: patch committed to mainline (commit a664bf3d603d)
🔴 April 22: CVE assigned
🔴 April 29: public disclosure
Mitigation: update your kernel to a build that includes mainline commit a664bf3d603d. If you cannot patch immediately, turn off the vulnerable module:
echo "install algif_aead /bin/false" > /etc/modprobe.d/disable-algif.conf
rmmod algif_aead 2>/dev/null || true
For environments that run untrusted code (containers, sandboxes, CI runners), block access to the kernel's AF_ALG crypto interface entirely, even after patching. Almost nothing legitimate needs it, and blocking it shuts the door on this whole class of bug...
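A quick way to audit the mitigation state described above (is algif_aead loaded, is the modprobe `install` rule in place, and is the AF_ALG socket family reachable from this process). This is an added example, not code from the post or from Theori. It assumes the standard Linux locations /proc/modules and /etc/modprobe.d and looks for the `install algif_aead /bin/false` form of rule given above.

```python
"""Audit a Linux host for the Copy Fail mitigations described above.

Added example, not code from the post or from Theori. Three checks:
  1. is algif_aead currently loaded (/proc/modules)?
  2. does a modprobe.d rule of the form 'install algif_aead /bin/false'
     exist, so the module cannot be autoloaded again?
  3. can this (unprivileged) process open an AF_ALG socket at all?
Paths are the standard Linux ones; run it inside a container to see
whether the host's AF_ALG interface is reachable from that tenant.
"""
import glob
import re
import socket


def module_loaded(module="algif_aead", modules_path="/proc/modules"):
    """True if `module` is listed in /proc/modules; False otherwise or off-Linux."""
    try:
        with open(modules_path) as fh:
            return any(line.split()[0] == module for line in fh if line.strip())
    except OSError:
        return False


def install_rule_blocks(module="algif_aead", modprobe_dir="/etc/modprobe.d", text=None):
    """True if an 'install <module> /bin/false' (or /bin/true) rule is present.

    `text` lets a caller pass configuration contents directly instead of
    reading the directory, which is how the rule parser is unit-tested.
    """
    pattern = re.compile(
        r"^\s*install\s+%s\s+/bin/(?:false|true)\s*$" % re.escape(module), re.M
    )
    if text is not None:
        return bool(pattern.search(text))
    for path in glob.glob(modprobe_dir + "/*.conf"):
        try:
            with open(path) as fh:
                if pattern.search(fh.read()):
                    return True
        except OSError:
            continue
    return False


def af_alg_socket_allowed():
    """Attempt to create an AF_ALG socket the way a userspace crypto client would.

    Creating the socket does not load algif_aead (that happens on bind), so this
    tests whether the AF_ALG family itself is reachable, which is what the
    "block AF_ALG entirely" advice targets. Returns "allowed", "blocked"
    (kernel refused: seccomp filter, family disabled) or "unsupported"
    (no AF_ALG in this Python build or OS).
    """
    family = getattr(socket, "AF_ALG", None)
    if family is None:
        return "unsupported"
    try:
        sock = socket.socket(family, socket.SOCK_SEQPACKET, 0)
    except OSError:
        return "blocked"
    sock.close()
    return "allowed"


def audit(module="algif_aead"):
    """Combine the checks into one report; 'allowed' plus loaded means still exposed."""
    return {
        "module_loaded": module_loaded(module),
        "install_rule_blocks": install_rule_blocks(module),
        "af_alg_socket": af_alg_socket_allowed(),
    }


if __name__ == "__main__":
    for key, value in audit().items():
        print(f"{key}: {value}")
```

A report of `af_alg_socket: allowed` with `install_rule_blocks: True` is the "module disabled" state from the post; the socket family is still open, so the last paragraph's advice (block AF_ALG outright in untrusted-code environments) is not yet in effect.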
Nanopayments powered by Circle Gateway is now live.
This gives builders a new financial rail for the agentic economy:
→ Gas-free USDC transfers down to $0.000001
→ Instant verification for high-frequency payments
→ Unified liquidity across supported chains via Circle Gateway
For AI agents, APIs, and the machine-scale economy, this unlocks agent-driven economic activity not possible on traditional rails.
Read more: https://t.co/Xynv6kilOU
I guess most of the CT users often use the frontrun pro extension or the xhunt extension (especially in the Chinese community, where this is very popular); people see open source on GitHub and just trust it.
so today, I checked both xhunt and frontrun to see what is really going on under the hood and tbh some of this stuff is wild.
xhunt is open source, it is true, but being open source doesn't always mean safe. their README says "local-only data storage, no sensitive information uploads", which is a straight up lie.
i checked the actual code and every single API call sends your real IP address, physical city, ISP and even a persistent device fingerprint using FingerprintJS, plus the full URL of every single page you visit on twitter, all going to their server at kb(.)xhunt(.)ai. they hit 4 different IP geolocation services [ipapi(.)co, ip-api(.)com, ipinfo(.)io, ipify(.)org] just to figure out where you are.
even worse, they deliberately use RC4 encryption and String.fromCharCode arrays to hide header names like "authorization" and "x-user-id" and "x-window-location-href" from anyone reviewing the code. tbh legit developers don't do that.
they also have a completely unrestricted HTTP proxy in the background script (EXECUTE_REQUEST handler) with zero URL validation, which means any code can tell your browser to fetch literally anything: your local network, cloud metadata, whatever. and there is an empty wallet injection function already wired up with world:MAIN access just sitting there waiting to be activated. their remote config runs on Alibaba Nacos, so they can push changes server-side in minutes without any chrome store review.
frontrun is a lil bit different. it hooks into 12 𝕏 GraphQL endpoints: your feed, followers, following, searches, community posts, all of it, and monkey-patches fetch, XHR, and WebSocket on 8+ crypto platforms.
the intercepted API data from 𝕏 and crypto platforms stays in your browser for the overlay, but every time you open a crypto site, frontrun pings Amplitude with the platform name; when you log in, it sends your email and name to Amplitude; and on errors it uploads logs with your device ID and user agent to their own server at loadbalance(.)frontrun(.)pro.
but the key difference is that intercepted data mostly stays local in your browser for the overlay UI. it's not being sent to their servers the way xhunt does it.
it's worth noting that frontrun also uses GrowthBook for remote feature flags, so they can change extension behavior server-side without a chrome store update too. but overall, frontrun is much less shady than xHunt in practice.
neither extension is stealing your keys or draining wallets today. but the infrastructure is there in the case of xhunt: remote config systems that can push silent changes, aggressive permissions, and in xhunt's case deliberate code obfuscation to hide what they are doing. just be aware of what you are installing.
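The String.fromCharCode obfuscation mentioned above is cheap to undo during a code review. The following is an added example, not code from the post or from either extension: it scans JavaScript source for literal String.fromCharCode(...) calls, decodes them, and flags decoded strings that name a sensitive header. The JS snippet and the header watch-list are constructed for the example.

```python
"""Surface strings hidden behind String.fromCharCode(...) arrays in a JavaScript
bundle, the obfuscation technique the post above says xhunt used for header names.

Added example, not code from the post or from either extension. The JS
snippet below is constructed; point decode_fromcharcode() at a real bundle's
source text to list every decoded string and flag the sensitive ones.
"""
import re

# Matches String.fromCharCode(97, 117, ...) with a literal integer list.
FROMCHARCODE = re.compile(r"String\.fromCharCode\(\s*((?:\d+\s*,\s*)*\d+)\s*\)")

# Header names a reviewer would not expect to see hidden (assumed watch-list).
SENSITIVE_HEADERS = {"authorization", "x-user-id", "x-window-location-href", "cookie"}


def decode_fromcharcode(js_source):
    """Return [(original_call, decoded_string), ...] for every literal call found."""
    found = []
    for match in FROMCHARCODE.finditer(js_source):
        codes = [int(c) for c in match.group(1).split(",")]
        found.append((match.group(0), "".join(chr(c) for c in codes)))
    return found


def find_hidden_headers(js_source, watch_list=SENSITIVE_HEADERS):
    """Decoded strings that name a sensitive header, sorted and de-duplicated."""
    return sorted({s for _, s in decode_fromcharcode(js_source) if s.lower() in watch_list})


# Constructed sample: two hidden header names plus one harmless string.
SAMPLE_JS = """
headers[String.fromCharCode(97,117,116,104,111,114,105,122,97,116,105,111,110)] = token;
headers[String.fromCharCode(120, 45, 117, 115, 101, 114, 45, 105, 100)] = uid;
console.log(String.fromCharCode(72,105));
"""

if __name__ == "__main__":
    for call, text in decode_fromcharcode(SAMPLE_JS):
        print(f"{call}  ->  {text!r}")
    print("hidden headers:", find_hidden_headers(SAMPLE_JS))
```

A legitimate bundle rarely needs to spell out a header name character by character, so any hit in find_hidden_headers() is a good place to start reading the surrounding code.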
🚨 Spartans Guild 100M+ TX Challenge 🚨
Movers, show off your on-chain activity and celebrate the 100M TX milestone with us!
📌 How to participate:
🔹 Post a screenshot of your total transaction count
🔹 Quote this tweet
🔹 Submit via https://t.co/kXXCDiL4Lk
📅 Deadline: 23.03.26
🏆 Rewards:
🥇 1st – 750 XP + Hoplites role
🥈 2nd – 500 XP + Hoplites role
🥉 3rd – 250 XP + Hoplites role
The higher your TX count, the better your chances 👀
Let’s see who the real Movers are! ⚔️
#MovementNetwork #100MTransactions
Tempo Mainnet is live! Starting today, anyone can build on Tempo through our public RPC endpoints.
Alongside mainnet, we’re introducing the Machine Payments Protocol, an open standard for machine payments.
Dune CLI & Skills are live 🔔
130+ chains of onchain data, now agent-native. Your AI agents can now:
✅ Discover onchain tables and schemas
✅ Write and execute DuneSQL
✅ Search Dune docs
✅ Handle errors automatically
✅ Optimize costs
More context-efficient than MCP for terminals (@claudeai Code, @opencode, @cursor_ai) and agents (@openclaw, NanoClaw, IronClaw, etc.).
I'm excited about @AlignedLayer because they're building a powerful, vertically integrated stack that makes zero-knowledge proofs faster, cheaper, and more accessible on Ethereum.
Alright, so when any EOA is delegated to any contract, the EOA essentially behaves like that contract.
So what I did is just create a contract that has both a receive() and a fallback() function, so when anyone sends native gas token to the EOA, which is behaving like a smart contract due to the EIP-7702 delegation, it triggers the receive() function, which immediately calls an internal function called _forwardNative().
This function checks msg.sender; if it's not my address, it calls another internal function that reverts the whole transaction, essentially making your tx fail so your gas token bounces back to you.
And if it sees my address as msg.sender, it forwards the gas token right back to me.
Now this is a very simple contract, yet very dangerous as well. After the Pectra upgrade, hackers don't monitor for gas token transfers using RPCs anymore.
Instead, they design their malicious contract in such a way that whenever you send a gas coin to your compromised wallet, it triggers the receive(), which essentially calls another function that sweeps your gas token directly to the hacker's wallet.
And here's the nastiest part: since your wallet is already compromised, meaning the hacker has your private key, when you try to undelegate the smart contract by setting the delegation to the zero address, they re-delegate almost immediately to their malicious contract using your own private key.
They keep the delegation alive to ensure the native coin sweeping runs all the time. It becomes a constant tug of war that you almost always lose.
And the irony is you are your own problem here. Every time you send gas tokens to your compromised wallet trying to save it, your own transaction triggers the receive() function, which calls the sweep function that sends your funds straight to the hacker.
You are literally funding your own robbery. The hacker doesn't need to run a bot watching for incoming transfers anymore, you are doing the work for them.
Your transaction is the trigger, your gas token is the payload, and the contract your wallet delegated to is the weapon. All the hacker did was set the trap.
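Before topping up a wallet you suspect is compromised, the one thing worth checking is whether the EOA currently carries an EIP-7702 delegation and to which contract. The following is an added example, not code from the original thread: it parses the EIP-7702 delegation designator (account code of the form 0xef0100 followed by the 20-byte delegate address) and classifies the wallet against a list of delegates the owner knowingly set. The code bytes and addresses are constructed; in practice the bytes come from eth_getCode for the wallet address.

```python
"""Check whether an EOA carries an EIP-7702 delegation, and to whom.

Added example, not code from the original thread. EIP-7702 marks a delegated
EOA by setting its account code to the 23-byte designator
0xef0100 || <20-byte delegate address>; an undelegated EOA has empty code.
The code bytes below are constructed; in practice fetch them with
eth_getCode for the wallet address and pass them to assess_wallet().
"""
DESIGNATOR_PREFIX = bytes.fromhex("ef0100")
DESIGNATOR_LEN = 23


def parse_delegation(code: bytes):
    """Return the delegate address ('0x' + 40 hex chars) or None if not a designator."""
    if len(code) != DESIGNATOR_LEN or not code.startswith(DESIGNATOR_PREFIX):
        return None
    return "0x" + code[3:].hex()


def assess_wallet(code: bytes, trusted_delegates=()):
    """Classify a wallet's delegation state before sending it any native token.

    trusted_delegates: addresses (any case) the owner knowingly delegated to,
    e.g. a known smart-account implementation.
    """
    delegate = parse_delegation(code)
    if delegate is None:
        return "not delegated" if not code else "contract code, not an EOA designator"
    if delegate in {a.lower() for a in trusted_delegates}:
        return "delegated to trusted " + delegate
    # Any top-up sent to this EOA runs the unknown delegate's receive()/fallback().
    return "WARNING: delegated to unknown " + delegate


# Constructed samples (not real contracts).
TRUSTED_IMPL = "0x" + "ab" * 20
UNKNOWN_IMPL = "0x" + "cd" * 20
CODE_CLEAN = b""
CODE_TRUSTED = DESIGNATOR_PREFIX + bytes.fromhex(TRUSTED_IMPL[2:])
CODE_UNKNOWN = DESIGNATOR_PREFIX + bytes.fromhex(UNKNOWN_IMPL[2:])

if __name__ == "__main__":
    for label, code in [("clean", CODE_CLEAN), ("trusted", CODE_TRUSTED), ("unknown", CODE_UNKNOWN)]:
        print(label, "->", assess_wallet(code, [TRUSTED_IMPL]))
```

If the check reports an unknown delegate, the scenario in the thread applies: sending gas to the wallet triggers that contract's receive(), and undelegating will not stick while someone else holds the key. Re-run the check right before any rescue transaction, since the thread notes the delegation can be re-applied within moments.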
Red envelopes are here 🧧
Just unsealed my @MezoNetwork Red Envelope (VH4MH9A). Phase II of the MEZO airdrop is here, and this is where allocations grow.
Unseal yours 👇
https://t.co/reFiIqWfY8
Many of us are already aware of address poisoning, but sometimes seeing your wallet sending a fake token to a phishing contract or some other address can be troubling, making you think that your wallet might be compromised.
This usually happens when you send some token and on the block explorer you see that from your wallet some unknown token has been sent to an address whose ending portion is similar to your wallet address.
And when you open the tx, you see that phishing addresses are sending these txs. Seeing the phishing address tag, many of us get worried.
1/ So, from a user's perspective:
You might think your wallet is hacked or compromised, but it is not. So, the main question is how is this possible?
Well, block explorers usually rely on event logs to show the ERC-20 token transfer data, but the twist is, anyone can deploy a smart contract that can emit fake event logs like "0x123...abcd sent Y token to 0x321...dcba", but it's just an event log, not an actual transfer. No tokens move, no balances change.
Block explorers fetch these event logs and display them on their explorer. The explorer just shows what it reads, it doesn't verify if the event logs are real or fake.
So basically, whatever you see on the explorer is not always what actually happens. A bad actor can emit fake events and can display a tx in such a way that it looks like you sent tokens to those addresses.
Therefore, when you see these kinds of txs, don't worry: nothing actually happened from your wallet.
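The practical way to tell a real ERC-20 transfer from a spoofed event is the one this thread points at: look at which contract emitted the log, not at what the log claims. The following is an added example, not code from the original thread. It decodes Transfer logs from a receipt, marks those emitted by a contract outside your trusted token list as spoofed, and also flags look-alike recipient addresses (same leading and trailing hex characters, the poisoning bait the thread describes). The Transfer(address,address,uint256) topic hash is the standard one; all addresses and logs are constructed so the script runs offline.

```python
"""Tell a genuine ERC-20 Transfer from a spoofed one the way a careful
explorer user would: check WHICH contract emitted the log.

Added example, not code from the original thread. The Transfer(address,
address,uint256) topic hash is the standard one; the addresses and logs
below are constructed so the script runs offline. A real check would fetch
the receipt with eth_getTransactionReceipt and pass its `logs` list in.
"""
TRANSFER_TOPIC = "0xddf252ad1be2c89b69c2b068fc378daa952ba7f163c4a11628f55a4df523b3ef"

# Constructed addresses (not real accounts).
USER = "0x" + "aa" * 20
TOKEN = "0x" + "11" * 20        # the legitimate token contract
SPOOFER = "0x" + "22" * 20      # contract that emits fake Transfer events
REAL_DEST = "0x" + "33" * 20
LOOKALIKE = "0x3333" + "dd" * 16 + "3333"   # same first/last 4 hex chars as REAL_DEST


def _pad(addr):
    """ABI-encode an address as a 32-byte indexed topic."""
    return "0x" + "00" * 12 + addr[2:].lower()


def _unpad(topic):
    """Recover the address from a 32-byte indexed topic."""
    return "0x" + topic[-40:].lower()


def decode_transfer(log):
    """Return {'token','from','to','value'} for a Transfer log, else None."""
    topics = log.get("topics", [])
    if len(topics) != 3 or topics[0].lower() != TRANSFER_TOPIC:
        return None
    return {
        "token": log["address"].lower(),
        "from": _unpad(topics[1]),
        "to": _unpad(topics[2]),
        "value": int(log["data"], 16),
    }


def looks_alike(a, b, n=4):
    """True if two distinct addresses share their first and last n hex chars."""
    a, b = a.lower(), b.lower()
    return a != b and a[2:2 + n] == b[2:2 + n] and a[-n:] == b[-n:]


def classify_logs(logs, trusted_tokens, wallet):
    """Classify every Transfer log; a 'spoofed' entry moved no tokens at all."""
    trusted = {t.lower() for t in trusted_tokens}
    out = []
    for log in logs:
        tx = decode_transfer(log)
        if tx is None:
            continue
        tx["status"] = "genuine" if tx["token"] in trusted else "spoofed"
        tx["claims_from_wallet"] = tx["from"] == wallet.lower()
        out.append(tx)
    return out


# Constructed receipt logs: one real transfer, one fake event claiming the
# same wallet sent tokens to a look-alike address.
SAMPLE_LOGS = [
    {"address": TOKEN, "topics": [TRANSFER_TOPIC, _pad(USER), _pad(REAL_DEST)],
     "data": "0x" + "de0b6b3a7640000".rjust(64, "0")},   # 1e18 base units
    {"address": SPOOFER, "topics": [TRANSFER_TOPIC, _pad(USER), _pad(LOOKALIKE)],
     "data": "0x" + "de0b6b3a7640000".rjust(64, "0")},
]

if __name__ == "__main__":
    for entry in classify_logs(SAMPLE_LOGS, {TOKEN}, USER):
        flag = " (look-alike of real recipient)" if looks_alike(entry["to"], REAL_DEST) else ""
        print(entry["status"], entry["from"], "->", entry["to"], entry["value"], flag)
```

The second log passes every superficial check an explorer applies (correct topic, your address in the from slot, a plausible amount), and still moved nothing, because the emitting contract is not the token. That is the field to read first.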