LodeHQSubscribe →

Claude Code CI hijack, RedSun SYSTEM priv esc, Iran AI attacks

Infosec · 2026-06-03

Vulnerabilities & Exploits
Claude Code GitHub Actions flaw enables CI hijacking and secret theft16 MIN

Security researcher RyotaK uncovered a permission bypass and prompt injection in Anthropic's Claude Code GitHub Actions, allowing attackers to run workflows on public repos, read /proc/self/environ, and exfiltrate secrets, potentially compromising downstream repositories. Anthropic fixed the bugs in version 1.0.94.

RedSun abuse of Windows Defender yields SYSTEM-level privilege escalation17 MIN

RedSun (CVE‑2026‑41091) exploits a flaw in Windows Defender’s remediation workflow that rewrites quarantined files, letting an unprivileged user write arbitrary data to C:\Windows\System32 and execute code as NT AUTHORITY\SYSTEM. The technique leverages NTFS junction points, opportunistic locks, and volume shadow copies to hijack Defender’s SYSTEM‑privileged file operations.

Threats & Malware
Iran Exploits Western AI Services for Phishing, Malware and Military Research6 MIN

A Financial Times report finds Iranian cyber actors are systematically using Western AI tools such as ChatGPT and Gemini to draft phishing lures, assist malware development, and conduct target research for military operations, while Tehran builds its own domestic AI platform at Sharif University. OpenAI and Google acknowledge misuse but claim their safety systems block novel capabilities.

APT28’s PixyNetLoader evolves with new steganographic tricks up to 202615 MIN

ExaTrack analyzed roughly 90 PixyNetLoader samples, identifying four sub‑families and a unified YARA rule. The latest 2026 variants use advanced PNG‑based steganography to hide a Covenant Grunt payload, with new C2 channels and delivery via CVE‑2026‑21509 exploits. The report includes IOCs, detection guidance, and a payload extraction script.

Breaches & Industry News
Dashlane locks accounts amid automated brute‑force login attacks3 MIN

Dashlane detected repeated failed attempts to register new devices and submit authentication tokens, triggering automated protections that temporarily suspended affected user accounts and 2FA access on Sunday afternoon. The precaution aims to safeguard customers while the company investigates the brute‑force campaign.

Privacy, Policy & Governance
OIG audit flags NIST’s vulnerability database for backlog and duplicated effort3 MIN

A Department of Commerce Office of Inspector General report found NIST’s National Vulnerability Database suffering from poor planning, a contract lapse, and duplicated work with MITRE, inflating a backlog from 13 000 to over 27 000 unprocessed vulnerabilities. Auditors call for new processes and staffing reforms to restore trust.

UK to Consider Banning Strangers Chat on Fortnite, Roblox for Under‑16s102 MIN

A UK government consultation on the Online Safety Act proposes that platforms block voice and text chat between minors and unknown players. If adopted, games like Fortnite and Roblox would have to prevent children under 16 from talking to strangers, a move aimed at curbing online abuse but raising privacy and implementation concerns.

Research & Tools
Pipelock Open‑Source Firewall Secures AI Agent Egress with Verifiable Receipts25 MIN

Pipelock acts as an inline proxy for AI agents, inspecting outbound HTTP, MCP, A2A, and WebSocket traffic for data exfiltration and prompt‑injection attempts. It blocks threats and produces mediator‑signed action receipts that external parties can independently verify, offering transparent egress control across popular AI tooling.

Screamer tool maps subnets using multi‑protocol TTL probes14 MIN

The Screamer tool leverages TTL‑limited probes across ICMP, UDP, and TCP to infer subnet structures without exhaustive port scans. By analyzing ICMP Time Exceeded and other responses, it builds a network graph that reveals routing devices and hidden subnets efficiently, reducing traffic overhead in large address spaces.

Cybercriminals Register Up to 20% of New gTLD Domains, Study Finds2 MIN

Interisle's 2025 analysis reveals that cybercriminals bought at least 10%, potentially 20%, of all new generic top‑level domain registrations, with abuse concentrated among a few registrars and TLDs. The report highlights how cheap, disposable domains fuel phishing, malware, and botnet C2, urging stronger abuse‑prevention measures.

Five‑Year Database Ransom Study Reveals Massive Data Loss and Concentrated Bitcoin Profits14 MIN

A five‑year census of 65,907 exposed databases found 30,515 (46%) with ransom notes, totaling over 215 billion records at risk. Tracing 514 attacker Bitcoin wallets revealed 62% received no on‑chain payments, yet the data was still destroyed or held. The few wallets that did receive funds captured most of the value, showing a highly concentrated, automated extortion ecosystem.

Get Infosec in your inbox, every issue.
Subscribe free
Privacy · Terms · About · Contact
© 2026 LodeHQ