Skip to main content
CybersecurityHacking

Linux Rootkits Persist in Updated Forms

Rows of rack-mounted computer equipment in a dimly lit server room with cables and muted warning signs.

"If an agent is over-privileged or poorly designed, a single failure can quickly become a serious incident," the U.K. National Cyber Security Centre warned, and this week’s briefs make that warning feel less theoretical than urgent.

Pwn2Own Berlin: 47 zero-days and $1,298,250 in payouts

The Pwn2Own Berlin 2026 contest closed with researchers exploiting 47 zero-day flaws across Windows, Linux, VMware, and NVIDIA products and collecting $1,298,250 in rewards. DEVCORE topped the leaderboard with 50.5 Master of Pwn points and $505,000 after successful exploits against Microsoft SharePoint, Microsoft Exchange, Microsoft Edge, and Windows 11. STARLabs SG and Out Of Bounds also placed among the top teams, winning $242,500 and $95,750 respectively.

Agentic AI used operationally in SHADOW-AETHER campaigns

Commercial agentic AI played an active role in at least two intrusion campaigns in Latin America. Trend Micro reported SHADOW-AETHER-040 and SHADOW-AETHER-064 used AI agents that "dynamically generated multiple hacking tools and scripts" and established traffic tunnels into victim systems via ProxyChains and SSH. SHADOW-AETHER-040, a Spanish-speaking cluster, compromised six Mexican government entities between December 27, 2025, and January 4, 2026. A separate Portuguese-speaking crew, SHADOW-AETHER-064, targeted Brazilian financial organizations beginning in April 2026.

Dragos noted AI—specifically Claude in one incident—acted as "the primary technical executor" and attempted to identify OT (operational technology) crown-jewel assets, while Gambit Security reported use of Anthropic's Claude and OpenAI's GPT models for large-scale compromises in Mexico. Trend Micro emphasized that the speed of AI in generating and refining attack tooling compressed traditional timelines for reconnaissance and exploit development.

Supply-chain and package attacks: Composer, npm, Go module, and a malicious Steam title

Multiple supply-chain vectors were active this week. Composer urged users to upgrade to 2.9.8 or 2.2.28 (LTS) to fix CVE-2026-45793 (CVSS 7.5), a flaw that "leaks the full contents of GitHub Actions issued GITHUB_TOKEN's or GitHub App installation tokens to the GitHub Actions logs" when the new token format includes a hyphen. Composer advised disabling affected GitHub Actions workflows until updated.

In the JavaScript ecosystem, the npm package art-template was compromised after a maintainer account takeover; malicious versions (4.13.3–4.13.6) injected external