Medtronic Data Breach Impacts 3.8 Million People
Medtronic has begun notifying more than 3.8 million individuals that their personal and medical information was stolen after the ShinyHunters extortion group breached its corporate IT systems in April. The attackers claimed to have taken over 9 million records including names, contact details, dates of birth, Social Security numbers, and health information, and the group’s removal of Medtronic from its leak site suggests a ransom may have been paid. Manufacturing and distribution operations were not affected, and the company is offering affected individuals two years of credit and dark web monitoring along with identity theft restoration services.
FBI Seizes NetNut Proxy Platform, Popa Botnet
The FBI, working with Google, Lumen, Shadowserver, and the IRS Criminal Investigation division, seized hundreds of domains tied to NetNut, a residential proxy service linked to the Popa botnet that had compromised over two million consumer devices such as smart TVs and streaming boxes. Google’s Threat Intelligence Group observed 316 distinct threat clusters using the network in a single week to mask their origins during password-spray attacks and espionage operations, and it has since disabled accounts and apps tied to the infrastructure. Experts caution that proxy operators tend to rebuild by reselling capacity from competitors, so the disruption may prove only temporary without broader coordinated action.
Bad Epoll Flaw Gives Attackers Root Access on Linux and Android
A newly disclosed use-after-free vulnerability in the Linux kernel’s epoll subsystem, dubbed Bad Epoll, allows an unprivileged local user to gain full root access on both Linux systems and Android devices. Researcher Jaeyoung Chung built a proof-of-concept that succeeds roughly 99 percent of the time despite the exploit needing to hit a timing window only six CPU instructions wide, and noted the flaw sits in the same code section where an Anthropic AI model had previously found a related bug but missed this one. There is no workaround since epoll cannot be disabled, so affected systems need the upstream patch, which major distributions are already rolling out.
Threat Actors Probe Gitea Docker Flaw CVE-2026-20896 13 Days After Disclosure
Cloud security firm Sysdig has detected the first exploitation attempts against a critical Gitea Docker vulnerability, just under two weeks after it was publicly disclosed. The flaw stems from the official Docker image hard-coding a wildcard trusted-proxy setting, which lets anyone who can reach the container send a spoofed authentication header and impersonate any user, including admin accounts, with no password required. Around 6,200 internet-facing Gitea instances remain exposed, and while the probing activity observed so far hasn’t progressed beyond reconnaissance, organizations are urged to update to the patched version and lock down the proxy configuration.
CISA: Microsoft SharePoint RCE Flaw Now Actively Exploited
CISA has confirmed active exploitation of a high-severity Microsoft SharePoint remote code execution vulnerability and added it to its Known Exploited Vulnerabilities catalog, giving federal agencies until Saturday to patch under its binding directive. The flaw allows any authenticated attacker with minimal Site Member permissions to execute code remotely through deserialization of untrusted data, requiring no admin privileges or user interaction. More than 10,000 SharePoint servers remain exposed online according to Shadowserver, and the disclosure marks the eleventh SharePoint vulnerability CISA has flagged as actively exploited since 2021.