⚡ Weekly Recap: Linux Flaws, Defender 0-Days, Router Botnets, and Supply Chain Chaos

Monday recap. Same mess, new week. A sketchy dev tool got people pwned, old bugs came back from the dead, and security products somehow needed protecting from themselves. A bunch of companies spent the week checking old boxes and forgotten servers they should've patched years ago. Good times...

MAL-2026-4523 Malicious code in claude-channel-imessage (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 9751c370c062cb40bccb874f46679ad3ca8ba9d3b49d0d8ba1f924d9582e53a3 On npm install, postinstall.js executes whoami and id, reads os.hostname, os.platform, process.cwd, and the CI, GITHUBREPOSITORY, and NODEENV...

CVE-2026-47228

creationtimestamp| type| source ---|---|--- 2026-05-25 08:46:30+00:00| published-proof-of-concept| https://github.com/Admidio/admidio/security/advisories/GHSA-mx25-j3rc-6w2w...

CVE-2026-47231

creationtimestamp| type| source ---|---|--- 2026-05-25 08:46:04+00:00| published-proof-of-concept| https://github.com/Admidio/admidio/security/advisories/GHSA-x628-457g-2pw9...

CVE-2026-47230

creationtimestamp| type| source ---|---|--- 2026-05-25 08:45:49+00:00| published-proof-of-concept| https://github.com/Admidio/admidio/security/advisories/GHSA-q6w3-hpfv-rg36...

CVE-2026-47232

creationtimestamp| type| source ---|---|--- 2026-05-25 08:45:09+00:00| published-proof-of-concept| https://github.com/Admidio/admidio/security/advisories/GHSA-4rgq-38mh-9xqg...

CVE-2026-47234

creationtimestamp| type| source ---|---|--- 2026-05-25 08:44:49+00:00| published-proof-of-concept| https://github.com/Admidio/admidio/security/advisories/GHSA-mch8-wf3h-6x88...

ROOT-APP-GOBINARY-CVE-2025-15558 CVE-2025-15558 in rootio-github.com/docker/cli - Patched by Root

Root has patched CVE-2025-15558 in the rootio-github.com/docker/cli package for Root:Go. Multiple fixed versions available...

Exploit for Command Injection in Github Enterprise_Server

CVE-2026-3854 - GitHub Enterprise Server that allowed an Remot...

CVE-2026-36239

creationtimestamp| type| source ---|---|--- 2026-05-25 02:00:04+00:00| seen| https://t.me/GithubRedTeam/85759 2026-05-25 03:00:10+00:00| seen| Telegram/PWXxTbzLBS2I2NTEEZXYxWglH9J71PY-BvJO95sfjgRqY3E 2026-05-25 09:00:04+00:00| seen| Telegram/hq1WnakkbxJpSdatpwq9NAKRiUtHFa8ysgfQqaCqIO8mwqo...

Malicious code in @zizie071/libsignal-node (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 3e6d5096096e7e958916c5449a7480949135e6af5cd9acd4e1b1edab8c331163 On require, index.js schedules install.js which locates the installer's @whiskeysockets/baileys package on disk and overwrites lib/Socket/newsletter....

MAL-2026-4644 Malicious code in power-platform-playwright-toolkit (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 57967d58233d74f2fc4f9b0dee7c050370eb388050df8d63f29e719f83468d73 On npm install, the package's postinstall script postinstall.js collects host identifiers and CI context — whoami, os.hostname, os.platform, cwd, CI,...

CVE-2026-45618

creationtimestamp| type| source ---|---|--- 2026-05-24 13:22:43+00:00| published-proof-of-concept| https://github.com/harttle/liquidjs/security/advisories/GHSA-gf2q-c269-pqgc...

Malicious code in twokey (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 20c6d8e22fd03dd5ff39bac81bcbffd05db3b2a08dcf9768332094ffcca4eebd The package's postinstall hook unconditionally executes node bin/twokey.js --desktop --enable-autostart, which performs three install-time actions...

CVE-2026-46526

creationtimestamp| type| source ---|---|--- 2026-05-24 07:26:23+00:00| published-proof-of-concept| https://github.com/LearningCircuit/local-deep-research/security/advisories/GHSA-g23j-2vwm-5c25...

MAL-2026-4577 Malicious code in harness-skil (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector e03ab8467953cd2233e07e792a33c7df7be2c99c66da3b814538a169337b93e6 The package's install.js wired to an npm install lifecycle hook requires childprocess, fs, and https, then issues an https.get to a...

CVE-2026-3515

A vulnerability in the GitHubRepository block of the prefect-github integration in Prefect version 3.6.18 allows an attacker to inject arbitrary git command-line options via the reference field. The reference field is concatenated directly into a git clone command string without proper...

CVE-2026-3515 Argument Injection in prefecthq/prefect

A vulnerability in the GitHubRepository block of the prefect-github integration in Prefect version 3.6.18 allows an attacker to inject arbitrary git command-line options via the reference field. The reference field is concatenated directly into a git clone command string without proper...

CVE-2026-3515 Argument Injection in prefecthq/prefect

A vulnerability in the GitHubRepository block of the prefect-github integration in Prefect version 3.6.18 allows an attacker to inject arbitrary git command-line options via the reference field. The reference field is concatenated directly into a git clone command string without proper...

EUVD-2026-31563

A vulnerability in the GitHubRepository block of the prefect-github integration in Prefect version 3.6.18 allows an attacker to inject arbitrary git command-line options via the reference field. The reference field is concatenated directly into a git clone command string without proper...