Back to Blog
Weekly CISO Digest — Week of 2026-06-29: Linux pedit COW Exploit Unveiled
security-guides

Weekly CISO Digest — Week of 2026-06-29: Linux pedit COW Exploit Unveiled

breachwire TeamJun 29, 20264 min read

Headline Incident: New Linux pedit COW Exploit Enables Root Access by Poisoning Cached Binaries

A critical zero-day (CVE-2026-46331) was discovered in the Linux kernel's traffic-control subsystem, allowing unprivileged users to escalate privileges to root by corrupting shared page-cache memory via the act_pedit function. The exploit enables attackers to poison cached copies of setuid root binaries in memory—without altering files on disk—making detection and forensics difficult. Major distributions impacted include Red Hat Enterprise Linux 10, Debian 13, and multiple Ubuntu versions. This vulnerability is global in scope and affects any organization running unpatched Linux systems. Immediate patching and memory integrity monitoring are essential, as exploitation grants stealthy root access and bypasses traditional file integrity checks.

This Week's Incidents

Klue-Salesforce Supply Chain Data Breach by Icarus

What: Attackers exploited legacy credentials to access OAuth tokens for Klue's Salesforce integrations, exfiltrating bulk data and triggering ransom/extortion campaigns.
Who's at risk: Organizations using Klue, Salesforce, and connected SaaS platforms.
Action: Audit and rotate all third-party integration credentials; disable unused OAuth connections.

KDDI Data Breach Impacts up to 14.2 Million Email Accounts at Six ISPs

What: KDDI suffered a breach exposing up to 14.2 million email accounts across six Asia-Pacific ISPs.
Who's at risk: Telecommunications providers and their customers in Asia-Pacific.
Action: Notify affected users, monitor for credential stuffing, and enforce MFA for customer accounts.

Russian Intelligence Used Fake Support Texts to Steal Messaging Credentials

What: Russian intelligence ran a global phishing campaign using fake SMS support messages to steal credentials from government, military, and activist messaging accounts.
Who's at risk: Officials, politicians, and activists in Ukraine, Europe, and the U.S. using Signal, WhatsApp, and similar platforms.
Action: Train staff to recognize phishing SMS; enforce strong authentication and monitor for suspicious logins.

Tata Electronics Data Breach Exposes Apple and Tesla Secrets

What: Tata Electronics leaked over 630 GB of proprietary documents tied to Apple and Tesla after a major breach by the World Leaks group.
Who's at risk: Manufacturing supply chains, especially those handling sensitive client IP.
Action: Review third-party data access, tighten DLP controls, and monitor for dark web leaks.

Clean GitHub repo tricks AI coding agents into running malware

What: Researchers showed that AI coding agents can be manipulated into executing malicious shell commands via clean-looking GitHub repos and DNS TXT records.
Who's at risk: Organizations using AI code assistants and automated DevOps pipelines.
Action: Restrict agent permissions, validate external code sources, and monitor agent activity logs.

Chinese Framework Powers 200,000 Scam Sites Using Investment Scam Templates

What: Over 200,000 scam sites built with Uni-App framework are hosting fake crypto exchanges and phishing sites, causing millions in global losses.
Who's at risk: Investors, fintech, and users in the US, Australia, New Zealand, and globally.
Action: Block known scam domains, educate users on investment fraud, and monitor for similar template-based scams.

macOS.Gaslight: North Korea-Linked Malware Targeting Analysts

What: SentinelLabs found macOS.Gaslight, a Rust-based infostealer using prompt injection to mislead AI malware analysts and exfiltrate data via Telegram.
Who's at risk: Security researchers, analysts, and organizations using macOS.
Action: Update endpoint protection, monitor for suspicious Telegram traffic, and review AI-assisted analysis workflows.

Mirage2FA phishing kit steals Microsoft 365 credentials via HTML smuggling

What: Fortra researchers identified Mirage2FA phishing kit using HTML smuggling and fake MFA prompts to steal Microsoft 365 credentials.
Who's at risk: Microsoft 365 users and organizations relying on SaaS authentication.
Action: Block known IOCs (cheacker.store domains), educate users on MFA phishing, and enable conditional access policies.

Malware steals Chrome session cookies to hijack accounts

What: A phishing campaign delivered malware that installs a Chrome extension to steal session cookies, enabling account hijack and MFA bypass.
Who's at risk: Any Chrome users, especially those with access to sensitive SaaS or cloud resources.
Action: Block IOCs (Fattura-2819889242.pfd.js, ext2.info), enforce extension whitelisting, and monitor for unusual session activity.

Activist Phone Hacked with Cellebrite After Russia Contract Cancellation

What: Russian authorities used Cellebrite forensic tools to extract data from activist Andrey Pivovarov’s iPhone despite contract cancellations.
Who's at risk: Political activists, NGOs, and individuals targeted by state actors.
Action: Use secure devices, disable biometric unlock, and review device seizure protocols.

Chinese-Speaking APT Deploys New TinyRCT Backdoor in Southeast Asia Campaign

What: APT group CL-STA-1062 deployed TinyRCT backdoor via AppDomainManager injection, targeting at least 10 Southeast Asian government and critical infrastructure entities.
Who's at risk: Public sector and infrastructure organizations in Southeast Asia.
Action: Block IOCs (45.32.113.172, chrome_setup.zip), monitor for suspicious DLLs, and review archive file handling.

Amazon Q Flaw Enabled Cloud Credential Theft via Malicious Repositories

What: CVE-2026-12957/12958 in Amazon Q Developer extension let attackers steal AWS credentials via malicious VS Code repos; AWS has patched.
Who's at risk: Developers using Amazon Q Developer extension for Visual Studio Code.
Action: Update to latest extension version, review recent repo activity, and rotate exposed credentials.

Microsoft Warns of Photo ZIP Phishing Campaign Targeting Hotels with Node.js Implant

What: Hotels in Europe and Asia targeted with photo-themed ZIPs dropping TonRAT Node.js implant via multi-hop phishing chains.
Who's at risk: Hospitality sector, especially hotels in Europe and Asia.
Action: Block IOCs (photo-<numbers>.zip, TON blockchain C2 domains), train staff on phishing, and monitor for Node.js processes.

Malicious JetBrains Plugins Steal AI API Keys

What: 15 malicious plugins on JetBrains Marketplace stole AI provider API keys from developers; plugins included CodeGPT AI Assistant and DeepSeek AI Assist.
Who's at risk: Developers using JetBrains IDEs and AI coding plugins.
Action: Remove affected plugins, block C2 IP 39.107.60.51, and rotate all exposed API keys.

This Week's Pattern

  • Supply chain and third-party integration attacks surged, affecting Salesforce, JetBrains, and Amazon Q users.
  • Credential theft via phishing, malware, and session hijacking remains a top tactic, targeting both end-users and developers.
  • Nation-state and APT activity is persistent, with new malware strains and backdoors targeting government, hospitality, and activist sectors—highlighting the need for layered defense and rapid patching.

Start Your 14-Day Free Trial

Get curated cyber intelligence delivered to your inbox every morning at 6 AM. No credit card required.

Get Started Free
Share this article: