Critical GitHub Vulnerability Exposed Millions of Repositories
Researchers disclosed CVE-2026-3854, a critical flaw in GitHub’s internal Git infrastructure that could let any authenticated user execute arbitrary commands on backend servers with a single git push. Wiz said the bug affected both GitHub.com and GitHub Enterprise Server, and that on GitHub.com it exposed shared storage nodes containing millions of public and private repositories. GitHub says it fixed the issue quickly and found no evidence of in-the-wild exploitation, but Wiz also reported that a large majority of GitHub Enterprise Server instances were still unpatched as of this week.
BlueNoroff Uses Fake Zoom Calls to Turn Victims Into Attack Lures
North Korea’s BlueNoroff is escalating crypto-targeted social engineering by using fake Zoom meetings filled with AI-generated avatars and stolen video footage of real people to convince executives to install malware. What stands out is the feedback loop: according to Arctic Wolf, the group steals webcam footage from each victim and then reuses that footage to make future fake meetings more believable, which turns every compromise into fuel for the next one.
US, UK agencies warn hackers were hiding on Cisco firewalls long after patches were applied
U.S. and U.K. authorities warned that a custom implant called Firestarter can persist on compromised Cisco firewalls even after organizations apply software patches and perform normal reboots. Investigators found the malware on a federal agency’s Cisco device after attackers exploited 2025 flaws, and CISA said the backdoor allowed the operators to regain access months later without re-exploiting the original bugs. Cisco has released updated software, but both Cisco and CISA emphasized that suspected devices may need reimaging or a hard power cycle because the persistence method can survive standard recovery steps.
Over 10,000 Zimbra servers vulnerable to ongoing XSS attacks
CISA added CVE-2025-48700 to its Known Exploited Vulnerabilities catalog after evidence of active attacks against Zimbra Collaboration Suite, and Shadowserver says more than 10,500 internet-exposed servers remain unpatched. The flaw can let unauthenticated attackers run arbitrary JavaScript in a victim’s session and steal sensitive data, and Zimbra had already warned that exploitation could be triggered just by viewing a malicious email in the Classic UI. For defenders, this is another reminder that email and collaboration platforms remain high-value targets long after patches are released.
Progress Software fixes sneaky WAF bypass vulnerability (CVE-2026-21876)
Progress shipped fixes for multiple high-severity flaws in MOVEit WAF and LoadMaster, including CVE-2026-21876, a bug in the OWASP Core Rule Set that can let unauthenticated attackers slip malicious payloads past WAF inspection using crafted multipart HTTP requests. The issue is notable because it undercuts a defensive control that many teams assume is catching bad traffic upstream, and Help Net Security notes that proof-of-concept exploits are already public. Progress says it is not aware of active exploitation, but it is urging customers to move to patched versions immediately.
The post InfoSec News Nuggets 04/29/2026 appeared first on AboutDFIR – The Definitive Compendium Project.
