Programmer’s Digest #191

06/24/2026-07/01/2026 Linux Kernel Flaw, Langflow RCE Exploited, Hijacked npm and Go Packages And More.

1. DirtyClone: Fourth Linux Kernel Flaw in Six Weeks Escalates to Root

JFrog Security Research published a working exploit for CVE-2026-43503 (CVSS 8.8), a Linux kernel privilege escalation dubbed DirtyClone—the fourth in the DirtyFrag family. All four share the same flaw: file-backed memory gets treated as writable network packet data instead of being copied. An attacker loads a privileged binary like /usr/bin/su into memory, forces the kernel to clone it through a loopback IPsec tunnel, and overwrites its authentication logic—granting root with no disk changes or audit trail. The exploit needs CAP_NET_ADMIN, reachable on Debian and Fedora via default-enabled unprivileged namespaces; Ubuntu 24.04+ blocks this path via AppArmor.

Each prior DirtyFrag patch closed one code path while leaving others exposed, since the shared-frag flag wasn’t enforced everywhere. A broader fix merged May 21, with Linux v7.1-rc5 as the first patched release; Ubuntu, Debian, and SUSE have advisories out. If patching isn’t immediate, disabling unprivileged user namespaces or blacklisting esp4/esp6/rxrpc modules reduces exposure, though neither is a real fix.
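To verify whether either stopgap is actually in effect on a host, the following added example (not from JFrog or the digest) reads the two user-namespace sysctls and the modprobe configuration. It assumes the standard `/proc/sys` and `modprobe.d` locations; the `root` parameter is a hypothetical convenience for pointing the check at a mounted image or test tree.

```python
import glob
import os
import re

MODULES = ("esp4", "esp6", "rxrpc")  # modules named in the digest item
NOOP = ("/bin/false", "/bin/true", "/usr/bin/false", "/usr/bin/true")
CONF_DIRS = ("etc/modprobe.d", "run/modprobe.d", "usr/lib/modprobe.d", "lib/modprobe.d")

def _read(path):
    try:
        with open(path) as fh:
            return fh.read().strip()
    except OSError:
        return None

def userns_disabled(root="/"):
    """True if unprivileged user namespaces are off via either sysctl."""
    # Debian-family knob (0 = disabled); absent on other kernels.
    clone = _read(os.path.join(root, "proc/sys/kernel/unprivileged_userns_clone"))
    # Upstream knob: 0 means no user namespaces can be created at all.
    max_ns = _read(os.path.join(root, "proc/sys/user/max_user_namespaces"))
    return clone == "0" or max_ns == "0"

def module_blocks(root="/"):
    """Map each module to 'install' (load blocked), 'blacklist' (autoload only) or None."""
    state = dict.fromkeys(MODULES)
    for d in CONF_DIRS:
        for conf in sorted(glob.glob(os.path.join(root, d, "*.conf"))):
            for line in (_read(conf) or "").splitlines():
                m = re.match(r"\s*(blacklist|install)\s+(\S+)(?:\s+(\S+))?", line)
                if not m or m.group(2) not in state:
                    continue
                if m.group(1) == "install" and m.group(3) in NOOP:
                    state[m.group(2)] = "install"
                elif m.group(1) == "blacklist" and state[m.group(2)] is None:
                    state[m.group(2)] = "blacklist"
    return state

def loaded_modules(root="/"):
    """Modules from MODULES already resident; config changes do not unload them."""
    text = _read(os.path.join(root, "proc/modules")) or ""
    names = {l.split()[0] for l in text.splitlines() if l.split()}
    return sorted(names & set(MODULES))

if __name__ == "__main__":
    print("unprivileged userns disabled:", userns_disabled())
    print("modprobe config:", module_blocks())
    print("currently loaded:", loaded_modules())
```

A `blacklist` line only stops alias-triggered autoloading, while an `install <module> /bin/false` line makes `modprobe` fail for that module, so the report distinguishes the two.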

2. Langflow RCE Exploited to Deploy Monero Miner on Exposed AI App Endpoints

Attackers are exploiting CVE-2026-33017 (CVSS 9.3), an unauthenticated RCE flaw in Langflow, to deploy a Monero cryptominer, Trend Micro reports. Observed between March 27 and April 15, 2026, the attack runs a Python script via the exposed API to fetch a Go-based binary called “lambsys.” The malware kills rival miners (Kinsing, WatchDog, Rocke, Outlaw), deletes their wallets, disables security tools like AppArmor, SELinux, and iptables, wipes logs, and sets up cron persistence. It spreads via reused SSH keys and manipulates file immutability attributes to protect its changes. Finally, it downloads a custom XMRig miner and checks the victim’s IP/location for pool selection and geo-fencing.

An earlier binary version dates to May 2024, suggesting over two years of development. This follows other Langflow exploits, including 2025’s Flodrix botnet campaign, underscoring how exposed AI infrastructure is becoming a new entry point for commodity attackers.

3. Exploitation of Recent Oracle E-Business Suite Vulnerability Begins

Threat intelligence firm Defused warns that attackers have begun exploiting CVE-2026-46817 (CVSS 9.8), a critical flaw in the File Transmissions component of Oracle E-Business Suite’s Payments product. Unauthenticated attackers can exploit it over HTTP, with Oracle warning successful attacks could lead to a full takeover of Oracle Payments. The bug was patched in late May under Oracle’s first monthly Critical Security Patch Update, which fixed 77 vulnerabilities. Defused detected the first exploitation attempts hitting its EBS honeypots over the weekend, though no prior in-the-wild activity or public PoC had been reported.

Oracle EBS is a frequent target: Cl0p exploited a zero-day in it last October to steal data from over 100 organizations, and ShinyHunters recently claimed a separate campaign against Oracle PeopleSoft. Organizations are urged to patch immediately.

4. Public PoC Released for Critical libssh2 CVE-2026-55200 Client-Side SSH Flaw

A public PoC has landed for CVE-2026-55200 (CVSS 9.2), a critical libssh2 flaw letting a malicious SSH server trigger memory corruption on connecting clients—no auth or user interaction needed. It affects all versions through 1.11.1. The bug sits in ssh2_transport_read(), which never enforced an upper bound on packet_length, allowing a 32-bit integer overflow that leads to an undersized buffer and an out-of-bounds heap write. A near-identical flaw was patched in 2019 (CVE-2019-3855).

Since libssh2 is a client-side library embedded in curl, Git, PHP, and many appliances—often statically linked—affected copies are easy to miss. The published PoC is a local trigger/harness, not a turnkey remote exploit, and no in-the-wild use has been confirmed yet.

No official patched release exists yet, though the fix is merged upstream and some distros are backporting it. Organizations should inventory libssh2 usage, apply patched builds when available, and restrict outbound SSH to trusted, verified hosts in the meantime.

5. Hijacked npm and Go Packages Use VS Code Tasks to Deploy Python Infostealer

Researchers found two hijacked npm packages (html-to-gutenberg, fetch-page-assets) and 16 Go packages deploying a Python infostealer across Windows, Linux, and macOS. Instead of using npm lifecycle scripts, the attack hides in a VS Code task set to auto-run on folder open, disguising JavaScript as a font file. It fetches encrypted payloads via blockchain dead drops (TronGrid, Aptos), establishes a socket.io backdoor for remote control, and deploys a Python stealer. The campaign, dubbed “Fake Font” by researchers, is linked to North Korea’s Contagious Interview operation targeting developers via fake job interviews. The stealer harvests browser credentials, crypto wallets, password managers, Git/GitHub data, OS credential stores, and cloud storage metadata, exfiltrating everything as ZIP archives to a C2 server or Telegram.

Affected users should remove the packages, check for hidden VS Code auto-run tasks, and rotate all credentials, tokens, and wallet keys immediately.

6. Amazon Q Flaw Let Booby-Trapped Git Repos Execute Code

A high-severity flaw in Amazon Q’s VS Code extension, tracked as CVE-2026-12957 (CVSS 8.5), let attackers achieve code execution just by getting a developer to open a malicious repository. Wiz found that Amazon Q automatically loaded and executed commands from a project’s .amazonq/mcp.json file—no prompt, consent, or workspace trust check required.

Since MCP-spawned processes inherit the developer’s environment, a poisoned config could run arbitrary commands with full access to AWS credentials, API keys, SSH agent sockets, and other loaded secrets. Wiz demonstrated the attack by crafting a malicious MCP config that executed an AWS command using the victim’s own credentials, triggered simply by opening the folder and activating Amazon Q.

Amazon patched the issue in language server version 1.65.0, which should deploy automatically to most users. Wiz notes similar workspace-configuration flaws have surfaced in other AI coding assistants, pointing to a broader industry risk as MCP adoption grows.
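Items 5 and 6 both rely on workspace files that start a process when a folder is opened. The following added example (not code from the researchers, Wiz, or Amazon) audits a checkout for `.vscode/tasks.json` tasks set to run on folder open and for `.amazonq/mcp.json` entries that launch a command. The `mcpServers` layout is an assumption based on the commonly used MCP client configuration format, and `scan_workspace` is a hypothetical name.

```python
import json
import os
import re

def _strip(pattern, text):
    # Blank out matches of `pattern`, but never inside a JSON string literal.
    tok = re.compile(r'"(?:\\.|[^"\\])*"|' + pattern, re.S)
    return tok.sub(lambda m: m.group(0) if m.group(0).startswith('"') else " ", text)

def load_jsonc(text):
    """Parse VS Code style JSON, which allows comments and trailing commas."""
    text = _strip(r"//[^\n]*|/\*.*?\*/", text)
    text = _strip(r",(?=\s*[}\]])", text)
    cfg = json.loads(text)
    if not isinstance(cfg, dict):
        raise ValueError("top level is not an object")
    return cfg

def _tasks(cfg):
    # A task with runOptions.runOn == "folderOpen" starts when the folder is opened.
    for t in cfg.get("tasks") or []:
        if isinstance(t, dict) and (t.get("runOptions") or {}).get("runOn") == "folderOpen":
            words = [t.get("command", ""), *(t.get("args") or [])]
            yield "vscode-task-folderOpen", " ".join(map(str, words)).strip()

def _mcp(cfg):
    # Assumed layout: {"mcpServers": {name: {"command": ..., "args": [...]}}}
    for name, srv in (cfg.get("mcpServers") or {}).items():
        if isinstance(srv, dict) and "command" in srv:
            words = [srv["command"], *(srv.get("args") or [])]
            yield "mcp-server-command", f"{name}: " + " ".join(map(str, words))

TARGETS = {".vscode/tasks.json": _tasks, ".amazonq/mcp.json": _mcp}

def scan_workspace(root):
    """Return sorted (relative path, kind, detail) findings under `root`."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            full = os.path.join(dirpath, fn)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            for suffix, check in TARGETS.items():
                if ("/" + rel).endswith("/" + suffix):
                    try:
                        with open(full, encoding="utf-8") as fh:
                            hits = list(check(load_jsonc(fh.read())))
                    except (OSError, ValueError, TypeError, AttributeError):
                        hits = [("unparseable", "review by hand")]
                    findings += [(rel, kind, detail) for kind, detail in hits]
    return sorted(findings)
```

Run it against a fresh clone before opening the folder in an editor; a finding is a prompt for manual review, since legitimate projects also define folder-open tasks and local MCP servers.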
