🚨 Linux Root Exploit Is Live + Python AI Packages Caught Stealing Your Cloud Keys

Two major threats landed today that every developer and IT admin should know about — one puts Linux servers at immediate risk, the other quietly raided AI developer machines for cloud credentials.

🐧 Unpatchable Linux Bug Lets Anyone Become Root — And Exploits Are Already Public

A critical vulnerability in the Linux kernel (CVE-2026-23111) is making waves because it's both easy to exploit and already has working public exploits for Debian, Ubuntu, and Red Hat systems. The flaw lives in a component called nf_tables — part of the Linux firewall system — and allows any regular user on a Linux machine to quietly escalate their privileges to full root (administrator) access. Even worse, it can be used to "escape" containers like Docker, meaning attackers inside isolated environments can break out into the host system.

In plain terms: if someone has any foothold on a Linux server — even a low-privilege user account — they now have a reliable path to total control. Given that Linux powers the vast majority of the world's web servers, cloud infrastructure, and enterprise systems, the blast radius here is enormous. Admins should prioritize kernel updates immediately, and consider disabling unprivileged user namespaces as a temporary workaround.

🐍 19 Popular Python AI Packages Were Secretly Stealing Your AWS, GitHub, and SSH Keys

If you work with Python — especially in AI or machine learning — this one's for you. Attackers gained control over 19 legitimate, widely-used Python packages (including popular tools like bramin, executor-engine, and magique) and uploaded 37 malicious versions that installed a hidden backdoor on your system the moment you ran any Python script. You didn't even need to import the infected packages — they activated automatically at Python startup.

The backdoor, dubbed the "Hades Cluster" worm, quietly harvested AWS, Google Cloud, and Azure credentials, along with GitHub tokens, npm API keys, and SSH private keys — then exfiltrated everything to attacker-controlled repositories. To hide its tracks, it disguised outbound traffic as normal Anthropic AI API calls. If you have any of the affected packages installed (even older versions), treat your entire environment as compromised: rotate all cloud and VCS tokens immediately and audit your requirements.txt and poetry.lock files.
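The audit step above, sketched as an added example (not code from the original post or from any vendor): it flags the named packages in requirements.txt and poetry.lock at any version, since older installs are also treated as suspect. The AFFECTED set holds only the three names this article gives, and the sample file contents and version strings are constructed.

```python
import re

# Only the three names the article gives; take the other 16 from the full advisory.
AFFECTED = {"bramin", "executor-engine", "magique"}
REQ_LINE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*(?:\[[^\]]*\])?\s*(.*)$")

def canon(name):  # PEP 503: case-insensitive; runs of -, _ and . are equivalent
    return re.sub(r"[-_.]+", "-", name).lower()

def scan_requirements(text):
    """Return (line_no, name, spec) for each affected package in requirements.txt text."""
    hits = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split(" #", 1)[0].strip()  # drop trailing comments
        if not line or line.startswith(("#", "-")):  # comments, -r/-e/--hash options
            continue  # note: files pulled in with -r must be scanned separately
        m = REQ_LINE.match(line)
        if m and canon(m.group(1)) in AFFECTED:
            hits.append((no, canon(m.group(1)), m.group(2).split(";")[0].strip()))
    return hits

def scan_poetry_lock(text):
    """Return (name, version) for affected [[package]] entries in poetry.lock text.
    Line-oriented read of Poetry's generated layout, not a full TOML parser."""
    hits = []
    for block in text.split("[[package]]")[1:]:
        name = re.search(r'^name\s*=\s*"([^"]+)"', block, re.M)
        ver = re.search(r'^version\s*=\s*"([^"]+)"', block, re.M)
        if name and canon(name.group(1)) in AFFECTED:
            hits.append((canon(name.group(1)), ver.group(1) if ver else "?"))
    return hits

# Constructed sample inputs (not real project files; versions are made up).
SAMPLE_REQ = """\
requests==2.32.3
Executor_Engine>=0.2   # pinned loosely
magique[cli]==0.5.1 ; python_version >= "3.9"
# bramin is only mentioned in this comment
-r dev-requirements.txt
"""
SAMPLE_LOCK = '''\
[[package]]
name = "bramin"
version = "1.4.0"
[[package]]
name = "numpy"
version = "2.0.0"
'''

if __name__ == "__main__":
    print(scan_requirements(SAMPLE_REQ), scan_poetry_lock(SAMPLE_LOCK))
```

A hit in either file means the environment that installed from it falls under the rotate-everything guidance above, regardless of the pinned version.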

Stay ahead of threats like these with GOCO Security — because knowing about a breach after the fact isn't good enough.
