LodeHQSubscribe →

Active Netlogon RCE, npm Codex tokens, Chrome autofill bypass

Infosec · 2026-06-02

Vulnerabilities & Exploits
Malicious codexui-android npm package exfiltrates OpenAI Codex tokens via hidden code4 MIN

Researchers at Aikido Security revealed that the popular npm package codexui-android, a remote UI for OpenAI Codex, silently reads developers' auth.json files and sends the OAuth token bundle to a malicious server. The covert exfiltration, present only in the published package, has affected thousands of users and enables indefinite token reuse.

Active Exploitation of Critical Windows Netlogon RCE (CVE‑2026‑41089) Targets Domain Controllers2 MIN

The Centre for Cybersecurity Belgium (CCB) warns that CVE‑2026‑41089, a critical Remote Code Execution bug in Windows Netlogon, is now being actively exploited. The unauthenticated flaw lets attackers send crafted network packets to domain controllers and gain SYSTEM‑level code execution. Patches are available for all Windows Server versions from 2012 onward.

HTML Injection Bypasses Strict CSP to Steal Chrome Autofill Passwords13 MIN

A new technique shows that attackers can steal saved passwords via HTML injection even when a site enforces a strict Content Security Policy that blocks JavaScript. By injecting a fake form, Chrome’s password autofill fills it, and the attacker exfiltrates the credentials using the Referer header, requiring only a single click.

Unauthenticated OLT Access Lets Attackers Hijack ISP Networks42 MIN

Research by Quarkslab shows that unauthenticated access to GPON Optical Line Terminals (OLTs) can let attackers hijack ISP networks. By exploiting exposed OLT interfaces, an attacker can pivot to the cloud‑based fleet manager and compromise the entire infrastructure. The findings highlight a critical security gap in telecom equipment used for FTTH services.

CIFSwitch LPE (CVE‑2026‑46243) Lets Unprivileged Users Gain Root on Many Linux Distros12 MIN

Researcher Asim Manizada disclosed CIFSwitch, a logic flaw in the Linux kernel’s CIFS client that lets an unprivileged process forge a cifs.spnego key request. The bug, present since 2007, triggers a privileged upcall and grants root on a range of distributions. A patch and mitigations are now available.

Researcher Recreates Lawful TLS Wiretap via CVE-2023-38198 Exploit10 MIN

A security researcher reproduced the 2023 jabber.ru lawful TLS interception by chaining the acme.sh command‑injection vulnerability (CVE‑2023‑38198) with compromised network routing. The proof‑of‑concept shows how an unpatched acme.sh server can enable a covert man‑in‑the‑middle, exposing risks in state‑mandated wiretaps.

Threats & Malware
Gamaredon’s GammaPhish & GammaWorm: Stealthy USB‑Spreading Toolkit Targeting Ukraine28 MIN

Sekoia’s Threat Detection & Research team maps Gamaredon’s GammaPhish and GammaWorm toolkit, showing how the Russian‑linked group hides malicious code in legitimate Windows features and trusted services like Telegram and Cloudflare. The analysis reveals a multi‑stage, USB‑spreading infection chain designed for long‑term espionage against Ukrainian government and infrastructure.

WordPress malware hijacks Steam comments to hide C2 payloads2 MIN

Researchers at GoDaddy uncovered a campaign that infected about 2,000 WordPress sites, using hidden Unicode characters in Steam Community profile comments to embed command‑and‑control data. The encoded payload fetches malicious JavaScript from a stealthy domain and opens a backdoor that executes PHP code via specially crafted POST requests.

Red Hat Cloud Services npm Packages Hijacked to Deploy Credential-Stealing Worm5 MIN

On June 1, 2026, 96 versions of 32 @redhat-cloud-services npm packages were compromised via a trusted-publishing bypass, embedding the Mini Shai-Hulud-derived “Miasma” worm that steals CI/CD credentials. The attack, linked to the open-source TeamPCP toolkit, has prompted urgent rotation of cloud, SSH and npm secrets for affected users.

Hackers Trick Meta AI Support Bot to Hijack High-Profile Instagram Accounts4 MIN

Researchers discovered that attackers used instructions posted on Telegram to fool Meta’s AI‑powered support assistant into resetting passwords, allowing them to take over Instagram accounts belonging to the Obama White House and the Chief Master Sergeant of the U.S. Space Force. The compromised accounts were defaced with pro‑Iranian imagery, highlighting risks in automated support systems.

Dutch police and NCSC dismantle 17‑million‑device botnet linked to Russian proxy service1 MIN

Dutch authorities seized over 200 servers and took offline a botnet of more than 17 million compromised computers, tablets and smartphones. The network was operated via the ASOCKS residential proxy service and was used for cyber‑attacks, demonstrating the scale of botnet abuse.

Breaches & Industry News
ShinyHunters leaks data on ~5M Charter Communications customers after failed ransom demand1 MIN

The ShinyHunters extortion group released data on roughly 5 million Charter Communications customers after the telecom refused to pay a ransom. The leak includes email addresses, names, phone numbers, and physical addresses, but the company says no sensitive personal or network information was taken. Charter has activated its security response and is cooperating with authorities.

Privacy, Policy & Governance
Spain arrests doxer who leaked personal data of key government agencies2 MIN

Spanish National Police arrested a person responsible for mass doxing of employees from INCIBE, the National Police, Civil Guard, and other state bodies, citing national security risks. The operation, ordered by Madrid Investigative Court No. 22, seized computers and devices from the suspect’s home and may lead to further arrests.

Research & Tools
LLMs Enable Attackers to Shrink EDR Signatures and Slip Past Defenses16 MIN

Praetorian’s research shows that large language models can be used to automatically generate variants of offensive tools that avoid known EDR signatures, effectively reducing detection footprints. By prompting LLMs to rewrite code and strip identifiable strings, adversaries can evade traditional signature‑based defenses with minimal manual effort.

Get Infosec in your inbox, every issue.
Subscribe free
Privacy · Terms · About · Contact
© 2026 LodeHQ