CISA Gives Feds 3 Days to Patch Ivanti Flaw Exploited in Attacks
CISA issued Binding Operational Directive 26-04, mandating that federal agencies patch CVE-2026-10520 — a critical CVSS 10.0 authentication bypass in Ivanti Sentry — within three days after confirmed active exploitation in the wild. The vulnerability allows unauthenticated remote attackers to execute arbitrary commands as root with no user interaction, putting unpatched gateway appliances completely under attacker control. Agencies are required to remediate by June 15, disconnect any instances they cannot patch in time, and report compliance status to CISA; Ivanti released a fix in version 9.20.0 and strongly recommends disconnecting vulnerable systems from the internet until patching is complete.
Over 400 Arch Linux AUR Packages Found Backdoored in Supply Chain Attack
Sonatype researchers uncovered a large-scale supply chain attack dubbed “Atomic Arch” in which threat actors compromised more than 400 packages in the Arch Linux User Repository, embedding a Rust-based infostealer paired with an eBPF rootkit that persists invisibly at the kernel level and evades standard process-listing tools. The malicious payloads targeted stored browser credentials, SSH keys, and cryptocurrency wallet files, exfiltrating them to attacker-controlled infrastructure before the rootkit erased forensic traces. The campaign carried the tracking identifier Sonatype-2026-003775 and highlights the inherent trust risk in community-maintained package repositories where any registered user can submit or update packages without mandatory code review.
VS Code Vulnerability Allows One-Click GitHub Token Theft
A vulnerability in Visual Studio Code’s github.dev web editor allows attackers to steal a victim’s GitHub OAuth token with a single click by embedding a maliciously crafted Jupyter notebook that silently exfiltrates the token via a cross-origin request. The flaw exploits VS Code’s trusted workspace model and the way the github.dev environment inherits GitHub authentication context, meaning a victim need only open a repository or notebook link — no additional interaction required — for the token theft to occur. Microsoft has issued a patch, but the disclosure underscores the risk of sharing or clicking notebook links from untrusted sources, as a stolen GitHub OAuth token can grant full repository access, secrets exposure, and supply chain compromise opportunities.
152 Chrome Extensions Secretly Logging Browsing Data and Faking Google Search Traffic
Socket security researchers identified 152 Chrome extensions — most marketed as “live wallpaper” or aesthetic customization tools with hundreds of thousands of installs — that covertly logged detailed browsing activity and injected hidden iframes to fabricate organic Google search traffic for ad-revenue fraud. The extensions used obfuscated background scripts to phone home to attacker-controlled domains, bypassing Chrome’s standard review by activating malicious behavior only after a delay post-install. Google has been notified, but the campaign illustrates how browser extensions with seemingly benign purposes can abuse broad manifest permissions to conduct sustained covert surveillance and click fraud at scale.
Upcoming Breaking Changes for npm v12
The npm team announced that npm v12 will ship with install scripts, git dependencies, and remote URL dependencies all disabled by default — a significant security-first overhaul designed to eliminate a class of supply chain attacks that rely on malicious postinstall hooks or dependencies fetched from attacker-controlled git repositories. Developers will need to explicitly opt in to these behaviors per project via .npmrc flags, and CI pipelines or build systems that currently rely on install scripts will break on upgrade unless their configuration is changed. The change follows a pattern of high-profile supply chain incidents in which postinstall scripts were weaponized to exfiltrate environment variables and secrets at install time, and mirrors security posture shifts already adopted by Deno and Bun.
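A practical way to find out ahead of the upgrade which dependencies fall into the three categories npm v12 is announced to disable is to audit the project's lockfile. The following Node script is an added example, not code from the npm project or from the original item: it walks the "packages" map of a lockfile v2/v3 package-lock.json and flags entries that npm marks with hasInstallScript, entries resolved from git URLs, and tarballs resolved from any host other than the trusted registry. The sample lockfile is constructed for the demonstration, and the registry host list and function names are assumptions.

```javascript
// Added example (not from the original page or the npm project): audit a
// package-lock.json (lockfile v2/v3 "packages" map) for install scripts,
// git dependencies and remote tarball URLs. The lockfile below is constructed
// for the demonstration; the hostname list and function names are assumptions.

const REGISTRY_HOSTS = new Set(["registry.npmjs.org"]);

// Classify one lockfile entry. Returns an array of finding labels (may be empty).
function classifyEntry(entry, registryHosts = REGISTRY_HOSTS) {
  const findings = [];
  const resolved = entry.resolved || "";

  // Git dependency: npm records these as git+ssh://, git+https://, git://, etc.
  if (/^git(\+[a-z]+)?:/i.test(resolved)) {
    findings.push("git-dependency");
  } else if (/^https?:\/\//i.test(resolved)) {
    // Tarball fetched from somewhere other than a trusted registry host.
    let host = "";
    try { host = new URL(resolved).hostname; } catch (e) { host = ""; }
    if (!registryHosts.has(host)) findings.push("remote-url-dependency");
  }

  // npm sets this flag on packages declaring preinstall/install/postinstall scripts.
  if (entry.hasInstallScript === true) findings.push("install-script");

  return findings;
}

// Walk the lockfile and collect every entry that would be affected.
function auditLockfile(lock, registryHosts = REGISTRY_HOSTS) {
  const packages = lock.packages || {};
  const report = [];
  for (const [path, entry] of Object.entries(packages)) {
    if (path === "") continue; // the root project itself
    const findings = classifyEntry(entry, registryHosts);
    if (findings.length) {
      report.push({ path, resolved: entry.resolved || null, findings });
    }
  }
  return report;
}

// Constructed sample lockfile (not a real project):
const SAMPLE_LOCK = {
  name: "example-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app", version: "1.0.0" },
    "node_modules/left-pad": {
      version: "1.3.0",
      resolved: "https://registry.npmjs.org/left-pad/-/left-pad-1.3.0.tgz",
      integrity: "sha512-placeholder",
    },
    "node_modules/native-addon": {
      version: "2.0.1",
      resolved: "https://registry.npmjs.org/native-addon/-/native-addon-2.0.1.tgz",
      hasInstallScript: true,
    },
    "node_modules/internal-lib": {
      version: "0.1.0",
      resolved: "git+ssh://git@github.com/example-org/internal-lib.git#0123456789abcdef",
    },
    "node_modules/mirrored-tool": {
      version: "4.2.0",
      resolved: "https://cdn.example.net/mirrored-tool-4.2.0.tgz",
      hasInstallScript: true,
    },
  },
};

if (typeof require !== "undefined" && require.main === module) {
  for (const r of auditLockfile(SAMPLE_LOCK)) {
    console.log(`${r.path}: ${r.findings.join(", ")} (${r.resolved})`);
  }
}
```

Run against a real project by replacing SAMPLE_LOCK with JSON.parse of the project's package-lock.json; anything the report lists is a dependency that will need an explicit opt-in (or a replacement) once the v12 defaults apply, and the git and remote-URL findings are also the entries worth reviewing for provenance today.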