Cordyceps bug chains, Bitwarden C2, and botnet TVs
A researcher demonstrates how three modest flaws (a token‑reuse race condition, an LFI in the admin plugin, and an AI‑aided CAPTCHA bypass) can be chained into pre‑authentication RCE against Discuz! X5.0. The write‑up is a reminder that bugs rated low in isolation can add up to a critical chain, even in widely deployed Chinese forum software.
Novee Security uncovered a systemic CI/CD vulnerability in GitHub Actions workflows they call Cordyceps, which lets an unauthenticated user inject code, steal credentials, and commandeer supply‑chain pipelines. Their scan of roughly 30,000 high‑impact repositories flagged 654, more than 300 of them fully exploitable, including repositories belonging to Microsoft, Google, and Apache.
Security researchers uncovered a malicious Microsoft Edge extension called Edgecution that abuses Chromium's native messaging API to launch a Python backdoor on the host. Once a phishing lure installs the extension through a hidden Edge instance, the Payouts King ransomware broker gains full filesystem and process control.
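The abuse above hinges on a locally registered native messaging host: a program the browser will spawn on an extension's behalf and talk to over stdio, described by a small JSON manifest naming the host, its executable path and the extension IDs allowed to call it. As an added example (not code from the Edgecution analysis or any vendor), here is a triage script for such manifests. The sample manifests, paths, extension IDs and the flagging heuristics are all constructed for illustration:

```python
"""Added example, not code from the Edgecution report or any product:
triage Chromium native messaging host manifests for the shape described above
(an extension that talks to a locally registered host which launches a script).
Manifests and paths below are constructed; the heuristics are assumptions."""
import json
import re

EXT_ORIGIN = re.compile(r"^chrome-extension://([a-p]{32})/$")
# interpreter binaries a native host should almost never be, and script
# wrappers that only exist to hand control to one
INTERPRETERS = {"python", "pythonw", "powershell", "pwsh", "cmd", "wscript",
                "cscript", "mshta", "node", "bash", "sh"}
SCRIPT_EXT = {".bat", ".cmd", ".ps1", ".py", ".vbs", ".js", ".sh"}
USER_WRITABLE = ("/appdata/", "/temp/", "/tmp/", "/downloads/",
                 "/users/public/", "/programdata/")


def host_findings(manifest: dict, known_extensions: set) -> list:
    """Return reasons this manifest deserves a look (empty list == nothing odd)."""
    findings = []
    path = manifest.get("path", "")
    norm = path.replace("\\", "/").lower()
    base = norm.rsplit("/", 1)[-1]
    stem, dot, ext = base.rpartition(".")
    if (stem if dot else base) in INTERPRETERS:
        findings.append(f"host binary is an interpreter: {path}")
    if dot and "." + ext in SCRIPT_EXT:
        findings.append(f"host is a script wrapper: {path}")
    if any(tok in norm for tok in USER_WRITABLE):
        findings.append(f"host lives in a user-writable location: {path}")
    if manifest.get("type") != "stdio":
        findings.append(f"unexpected transport type: {manifest.get('type')!r}")
    for origin in manifest.get("allowed_origins", []):
        m = EXT_ORIGIN.match(origin)
        if not m:
            findings.append(f"malformed allowed_origin: {origin}")
        elif m.group(1) not in known_extensions:
            findings.append(f"caller not in allowlist: {m.group(1)}")
    return findings


def triage(manifest_texts: list, known_extensions: set) -> dict:
    """Parse raw manifest JSON (as read from disk) and map host name -> findings."""
    report = {}
    for text in manifest_texts:
        try:
            m = json.loads(text)
        except json.JSONDecodeError as e:
            report[f"<unparseable:{text[:20]}>"] = [f"invalid JSON: {e}"]
            continue
        report[m.get("name", "<unnamed>")] = host_findings(m, known_extensions)
    return report


# Constructed sample manifests: one plausible vendor host, one that matches
# the "extension hands off to a script" pattern. Extension IDs are invented.
SAMPLE_MANIFESTS = [
    json.dumps({
        "name": "com.example.pdfhelper",
        "description": "constructed benign host",
        "path": "C:\\Program Files\\Example\\pdfhelper.exe",
        "type": "stdio",
        "allowed_origins": ["chrome-extension://abcdefghijklmnopabcdefghijklmnop/"],
    }),
    json.dumps({
        "name": "com.update.helper",
        "description": "constructed suspicious host",
        "path": "C:\\Users\\alice\\AppData\\Local\\Temp\\host.bat",
        "type": "stdio",
        "allowed_origins": ["chrome-extension://bcdefghijklmnopabcdefghijklmnopa/"],
    }),
]
KNOWN_EXTENSIONS = {"abcdefghijklmnopabcdefghijklmnop"}

if __name__ == "__main__":
    for name, findings in triage(SAMPLE_MANIFESTS, KNOWN_EXTENSIONS).items():
        print(name, "->", findings or "clean")
```

On Windows, Edge registers hosts under HKCU\Software\Microsoft\Edge\NativeMessagingHosts\<name> (and the HKLM equivalent); the key's default value is the path to the manifest file. Because a per‑user key needs no administrator rights, a phishing‑delivered install can register a host silently. Collect the manifest files those keys point to and pass them to triage() together with the extension IDs you actually expect in the environment.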
Spur Intelligence scanned 6,038 LG and Samsung smart‑TV apps and found 2,058 (34%) embedding residential‑proxy SDKs that silently route third parties' traffic through the owner's home network. The practice monetises users' IP addresses and can expose other devices on the home LAN to outside traffic, yet neither platform's app policies address it.
Researchers built a bidirectional command‑and‑control channel through Bitwarden's icon proxy (the service that fetches favicons for vault entries), embedding commands in PNG metadata and exfiltrating results via DNS lookups. The channel needs no Bitwarden account, and because the proxy runs on trusted Azure infrastructure the malicious traffic blends in with legitimate requests.
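To make the two halves of that channel concrete, here is an added example (not the researchers' code) that builds a favicon‑sized PNG carrying a command in a tEXt chunk, parses it back out the way an implant would, encodes a result into DNS‑label‑sized base32 pieces, and adds two defender‑side checks. The zone exfil.example, the keyword names and all payloads are constructed; nothing here contacts Bitwarden or any proxy:

```python
"""Added example, not code from the research write-up: the two halves of a
favicon-proxy C2 channel, in miniature, plus the checks a defender can run.
  operator -> implant : a command hidden in a PNG tEXt chunk of the 'favicon'
  implant  -> operator: results split into base32 DNS labels
Everything is constructed locally; nothing contacts Bitwarden or any proxy."""
import base64
import re
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
# keywords the PNG spec predefines for tEXt; anything else is worth a look
PNG_STD_KEYWORDS = {"Title", "Author", "Description", "Copyright", "Creation Time",
                    "Software", "Disclaimer", "Warning", "Source", "Comment"}


def _chunk(ctype: bytes, data: bytes) -> bytes:
    # length | type | data | CRC32 over type+data, as the PNG spec lays it out
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def build_png_with_text(keyword: str, text: str) -> bytes:
    """A valid 1x1 RGBA PNG that also carries one tEXt chunk (the 'command')."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 6, 0, 0, 0)
    idat = zlib.compress(b"\x00" + b"\x00\x00\x00\x00")  # filter byte + 1 pixel
    payload = keyword.encode("latin-1") + b"\x00" + text.encode("latin-1")
    return (PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"tEXt", payload)
            + _chunk(b"IDAT", idat) + _chunk(b"IEND", b""))


def iter_chunks(png: bytes):
    """Walk the chunk list, verifying each CRC, until IEND."""
    if not png.startswith(PNG_SIG):
        raise ValueError("not a PNG")
    pos = len(PNG_SIG)
    while pos + 12 <= len(png):
        length, ctype = struct.unpack(">I4s", png[pos:pos + 8])
        data = png[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", png[pos + 8 + length:pos + 12 + length])
        if zlib.crc32(ctype + data) & 0xFFFFFFFF != crc:
            raise ValueError(f"bad CRC in {ctype!r}")
        yield ctype, data
        pos += 12 + length
        if ctype == b"IEND":
            break


def text_chunks(png: bytes) -> dict:
    """keyword -> value for every tEXt chunk; this is what the implant reads."""
    out = {}
    for ctype, data in iter_chunks(png):
        if ctype == b"tEXt":
            k, _, v = data.partition(b"\x00")
            out[k.decode("latin-1")] = v.decode("latin-1")
    return out


def suspicious_text_chunks(png: bytes, max_len: int = 256) -> list:
    """Defender check: tEXt chunks with non-standard keywords, oversized or
    non-printable values. A short command under a standard keyword slips past
    this, so treat it as a triage aid, not a gate."""
    return [k for k, v in text_chunks(png).items()
            if k not in PNG_STD_KEYWORDS or len(v) > max_len or not v.isprintable()]


# --- implant -> operator: results as DNS queries -------------------------
MAX_LABEL = 63  # RFC 1035 label limit


def to_dns_queries(payload: bytes, zone: str) -> list:
    enc = base64.b32encode(payload).decode().rstrip("=").lower()
    labels = [enc[i:i + MAX_LABEL] for i in range(0, len(enc), MAX_LABEL)]
    # a sequence number lets the receiver reorder queries that arrive out of order
    return [f"{i}.{lab}.{zone}" for i, lab in enumerate(labels)]


def from_dns_queries(queries: list, zone: str) -> bytes:
    suffix = "." + zone
    parts = {}
    for q in queries:
        seq, lab = q[:-len(suffix)].split(".", 1)
        parts[int(seq)] = lab
    enc = "".join(parts[i] for i in sorted(parts)).upper()
    return base64.b32decode(enc + "=" * (-len(enc) % 8))


B32_LABEL = re.compile(r"[a-z2-7]{24,63}")


def looks_like_dns_exfil(name: str) -> bool:
    """Defender check: a long label made only of base32 characters."""
    return any(B32_LABEL.fullmatch(lab) for lab in name.lower().split("."))
```

Note the limitation visible in suspicious_text_chunks(): a short command under a spec‑standard keyword such as Comment passes the structural check, so detection of this channel has to lean on the other direction, the DNS queries: long single‑charset labels, large numbers of unique subdomains under one zone, and lookups from hosts that have no reason to resolve that zone.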
An EU-led Operation Endgame takedown, backed by Microsoft and dozens of security firms, neutralised roughly 200 C2 servers and 50 domains used by the Amadey and StealC infostealers. The action recovered about 27 million compromised credentials and cut off control of 18,000 victim machines, hitting a major choke point in the credential‑theft supply chain.
SentinelOne uncovered macOS.Gaslight, a Rust‑based macOS backdoor linked to North Korea that injects 38 fake system messages intended to derail LLM‑driven triage. The implant hides a credential stealer and talks to its command‑and‑control server via the Telegram Bot API, encrypting traffic with AES‑GCM over certificate‑pinned TLS.
Tata Electronics confirmed a cybersecurity incident after the World Leaks ransomware gang posted over 200,000 files, including alleged component designs for Apple and Tesla. The leak puts the supply chains of two major tech firms at risk, though Tata says operations remain unaffected.
Researchers show that LLMs cannot reliably separate privileged system or assistant text from user input; they rely on the text’s style rather than explicit role tags. This “role confusion” lets attackers craft stylized prompts that bypass safety policies, achieving up to 60% injection success on frontier models.