Originally reported by The Hacker News, SANS ISC, MSRC Security Updates
TL;DR
Security teams face multiple active threats this week including a critical remote code execution vulnerability in OCaml affecting Marshal deserialization, over 900 Sangoma FreePBX instances remaining compromised with web shells since December, and nearly 3,000 exposed Google Cloud API keys providing unauthorized Gemini access.
Multiple actively exploited vulnerabilities including 900+ compromised FreePBX instances with persistent web shells and a critical OCaml RCE vulnerability affecting versions before 4.14.3 and 5.4.1.
CVE-2026-28364 represents a critical security flaw in OCaml versions before 4.14.3 and 5.x before 5.4.1. The vulnerability stems from a buffer over-read in Marshal deserialization within runtime/intern.c, enabling remote code execution through a multi-phase attack chain. The root cause lies in missing bounds validation in the readblock() function, which performs unbounded memcpy() operations using attacker-controlled lengths from crafted Marshal data.
Organizations using affected OCaml versions should prioritize immediate updates to patched releases.
The Shadowserver Foundation reports that over 900 Sangoma FreePBX instances remain infected with web shells following attacks that began in December 2025. The compromises exploit a command injection vulnerability, with the United States hosting 401 affected instances, followed by Brazil (51), Canada (43), Germany (40), and France (36).
The persistence of these infections months after initial compromise indicates insufficient remediation efforts across the affected organizations. System administrators should immediately audit FreePBX deployments for web shell presence and implement proper patching procedures.
Truffle Security discovered nearly 3,000 Google Cloud API keys (prefixed with "AIza") embedded in client-side code that could be exploited to authenticate against sensitive Gemini endpoints. These keys, originally intended as project identifiers for billing purposes, provide unauthorized access to private data when Gemini services are enabled.
The research highlights a fundamental misconfiguration where API keys designated for client-side use gain elevated privileges through improper service enablement.
Cybersecurity researchers identified a malicious Go module (github[.]com/xinfeisoft/crypto) that impersonates the legitimate golang.org/x/crypto codebase. The module injects malicious code designed to harvest passwords entered via terminal, establish persistent SSH access, and deploy the Rekoobe Linux backdoor.
Developers should verify Go module authenticity and implement dependency scanning to detect typosquatting attacks targeting critical cryptographic libraries.
CVE-2026-21518 addresses a security feature bypass vulnerability in GitHub Copilot and Visual Studio Code. Microsoft has released fixes with corrected download links, though specific technical details remain limited in the advisory.
The Department of Justice seized $61 million in Tether linked to pig butchering cryptocurrency scams. The confiscated funds were traced to addresses used for laundering proceeds from cryptocurrency investment fraud schemes targeting victims worldwide.
Microsoft Security Response Center published advisories for numerous Linux kernel vulnerabilities, including:
CVE-2026-22976: NULL dereference in sch_qfq schedulerCVE-2026-22977: Hardened usercopy panic in socket error queue handlingCVE-2026-22978: Information leak in WiFi iw_point structureCVE-2026-23216: Use-after-free in iSCSI target implementationThese represent standard kernel maintenance fixes addressing memory safety and information disclosure issues across multiple subsystems.
SANS Internet Storm Center analyzed a FedEx-themed phishing campaign delivering malware rather than traditional credential harvesting. The campaign demonstrates evolving social engineering tactics moving beyond simple login page redirects to direct malware delivery.
Defense Secretary Pete Hegseth designated Anthropic as a "supply chain risk" following failed negotiations over AI usage restrictions. Anthropic reports the impasse centered on two specific use cases: mass domestic surveillance of Americans and fully autonomous weapons systems.
Originally reported by The Hacker News, SANS ISC, MSRC Security Updates