130 zero-days and fatal SSH cert flaw
Security researcher Sasha Romijn shows that an XSS flaw in infrastructure web UIs can be weaponized by embedding malicious JavaScript in Wi‑Fi SSIDs or LoRa node names. The trick turns innocuous radio‑frequency identifiers into code delivery vectors, exposing outdated embedded browsers to remote takeover.
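The root cause in the item above is an embedded web UI that concatenates a radio identifier straight into HTML. The following is an added example, not code from Sasha Romijn's research or from any affected product: it shows the vulnerable rendering pattern beside a hardened version that escapes the untrusted field, plus a simple check that flags identifiers carrying markup characters. The scan results are constructed sample data.

```javascript
// Added example (not from the original article): HTML-escape untrusted
// radio identifiers such as Wi-Fi SSIDs or LoRa node names before an
// embedded web UI renders them.
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable rendering: the SSID is concatenated straight into markup, so
// anything the radio reports becomes part of the page.
function renderScanResultsUnsafe(networks) {
  return (
    "<ul>" +
    networks.map((n) => `<li>${n.ssid} (${n.rssi} dBm)</li>`).join("") +
    "</ul>"
  );
}

// Hardened rendering: every untrusted string is escaped and numeric fields
// are coerced to numbers before they reach the markup.
function renderScanResultsSafe(networks) {
  return (
    "<ul>" +
    networks
      .map((n) => `<li>${escapeHtml(n.ssid)} (${Number(n.rssi)} dBm)</li>`)
      .join("") +
    "</ul>"
  );
}

// Detection helper: an SSID has no business containing markup characters,
// so their presence is worth logging or alerting on at the device.
function containsMarkup(value) {
  return /[<>"'&]/.test(String(value));
}

// Constructed sample scan results, including one hostile SSID (inert payload).
const SAMPLE_SCAN = [
  { ssid: "HomeNet", rssi: -52 },
  { ssid: "<script>x</script>", rssi: -70 },
];
```

The same escaping rule applies to any field that originates over the air (node names, vendor strings, DHCP hostnames); in a browser, assigning to `textContent` instead of `innerHTML` gives the same protection without a hand-written escaper.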
A public proof-of-concept for CVE-2026-55200 has landed on GitHub. The libssh2 vulnerability lets a malicious SSH server corrupt client memory and achieve remote code execution without any credentials or user interaction. All libssh2 releases up to 1.11.1 are affected, forcing an urgent update.
Trail of Bits discovered "short‑sleeve" RSA keys riddled with zero blocks that appear in real‑world TLS certificates and SSH hosts. Polynomial‑time factoring cracks these keys, expanding the weak‑RSA landscape beyond ROCA and Coppersmith. The flaw hits legacy NetApp and CompleteFTP implementations, exposing thousands of devices.
An anonymous GitHub researcher (bikini) released 'exploitarium', a repo with 130+ zero‑day PoCs across 22 projects. Two exploits, libssh2 CVE‑2026‑55200 (pre‑auth RCE, CVSS 9.2) and Gitea CVE‑2026‑20896 (authentication bypass), are already being weaponized. The dump skips coordinated disclosure, giving defenders and attackers simultaneous access.
China‑aligned Mustang Panda is running two espionage campaigns against Indian government and hydropower agencies, using the Zoho WorkDrive cloud service as a covert command‑and‑control channel. The group’s new ZOHOMURK tool hard‑codes Zoho OAuth tokens, letting it read commands and exfiltrate data through ordinary‑looking cloud traffic, exposing the danger of trusted SaaS platforms in supply‑chain attacks.
Microsoft ripped 119 malicious Edge extensions from its store, ending the StegoAd campaign that used steganography in images and fonts to hide ad‑fraud and credential‑stealing malware. The effort affected roughly 2.6 million installs and shows how seemingly harmless browser add‑ons can become sleeper malware, underscoring the need for stricter extension vetting.
Researchers at JFrog found two malicious npm packages and a suite of compromised Go modules that hide a VS Code task named eslint‑check. When a developer opens the project folder, the task runs automatically, pulling encrypted JavaScript and installing a Python‑based infostealer on Windows, Linux and macOS. This bypasses traditional npm lifecycle scripts, making detection harder.
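The mechanism in the item above is a task in `.vscode/tasks.json` whose `runOptions.runOn` is set to `folderOpen`, which VS Code executes when the project is opened. The following is an added example, not JFrog's tooling or the contents of the malicious packages: a small checker that a pre-clone or repository-scanning hook could run to list such auto-run tasks. The `tasks.json` content is a constructed sample with the same shape; the example assumes plain JSON (real files may contain comments, which `JSON.parse` rejects).

```javascript
// Added example (not JFrog's code): flag VS Code tasks configured to run
// automatically on folder open, the mechanism used by the packages above.
function findAutoRunTasks(tasksJsonText) {
  // tasks.json is JSONC in practice; this example assumes comment-free JSON.
  const doc = JSON.parse(tasksJsonText);
  const tasks = Array.isArray(doc.tasks) ? doc.tasks : [];
  return tasks
    .filter((t) => t.runOptions && t.runOptions.runOn === "folderOpen")
    .map((t) => ({
      label: t.label || "(unlabelled)",
      type: t.type || "unknown",
      // Reconstruct the command line for the report.
      command: Array.isArray(t.args)
        ? [t.command, ...t.args].join(" ")
        : String(t.command || ""),
    }));
}

// Constructed sample resembling the pattern described; the label matches
// the one named in the article, the command is a placeholder.
const SAMPLE_TASKS_JSON = JSON.stringify({
  version: "2.0.0",
  tasks: [
    { label: "build", type: "npm", script: "build" },
    {
      label: "eslint-check",
      type: "shell",
      command: "node",
      args: ["scripts/lint.js"],
      runOptions: { runOn: "folderOpen" },
    },
  ],
});

// Formats findings for a log line or a CI annotation.
function reportAutoRunTasks(tasksJsonText) {
  return findAutoRunTasks(tasksJsonText).map(
    (t) => `auto-run task "${t.label}" (${t.type}): ${t.command}`
  );
}
```

An auto-run task is not malicious by itself, so the check is a triage signal: review the command and, for untrusted repositories, rely on VS Code's Workspace Trust and the `task.allowAutomaticTasks` setting to stop such tasks from running at all.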
The National Association of Insurance Commissioners confirmed unauthorized access to its PeopleSoft system via a zero‑day Oracle flaw. ShinyHunters posted over 105,000 files, about 3.1 TB, mostly insurer regulatory filings, though it later corrected its claim about the types of data involved. The breach highlights the risk of unpatched enterprise software in critical regulatory bodies.
A New York Times investigation linked a Russian cyber‑crime group to the August 2025 ransomware attack that shut Jaguar Land Rover’s factories for six weeks. The breach cost the British economy about $2.5 billion and forced a £1.5 billion emergency loan, underscoring how automotive supply chains are now prime targets for state‑linked actors.
In a 6‑3 decision, the Court held that police must obtain a warrant before accessing a person’s cellphone location history via a geofence warrant. The ruling extends Fourth Amendment protection to digital location data, curbing mass surveillance and forcing law enforcement to meet traditional search standards.
The NSA’s SIGINT Enabling Project is lobbying the IETF to replace the stronger ‘ietf‑tls‑ecdhe‑mlkem’ with a weaker ‘ietf‑tls‑mlkem’ draft. If adopted, the diluted post‑quantum TLS could give the agency easier access to encrypted traffic, raising serious privacy and security concerns.