Skip to content
Chimera readability score 71 out of 100, Expert reading level.

The Januscape vulnerability allows a user in a guest VM managed by the Linux Kernel Virtual Machine (KVM) to corrupt memory in the host system and break out of isolation.
KVM virtualization is used by major hosting platforms like Amazon AWS, Google GCP, Digital Ocean, and many more. All of the shared hosting platforms count on virtualization to isolate untrusted guest systems from the physical hardware and each other; being able to corrupt memory for all guests or break isolation presents a major threat.
The bug report says the error has been present for 16 years, which is nearly the entire lifetime of the KVM subsystem in Linux. Fixes are available in mainline, and major hosting providers who count on KVM are likely already updating.
Vulnerabilities In Balcony Solar
Micro solar, or “balcony solar”, installs have been gaining traction in Europe as a way to offset rising electrical costs by connecting solar and battery systems to a house or apartment power system.
Vulnerabilities have been found in the popular Hoymiles micro-inverter, which uses a proprietary RF radio protocol to manage the devices. Unfortunately, it looks like this protocol has no encryption or authentication beyond validating the serial number, and the serial number is also available over a wireless probe command.
Armed with a Nordic nRF radio researchers were able to discover nearby inverters in the wild and collect the serial numbers, though of course they stopped short of issuing commands to random users.
The wireless management control allows controlling the device power and output levels, as well as setting a lockout PIN, which the researchers suspect could be used to disable devices and lock the legitimate owners out completely.
There are an estimated 500,000 units in use, and currently the only known mitigation is to unplug the device entirely and disconnect the solar panels, though the team suggests that setting an anti-theft PIN may also help – or at least prevent an unknown PIN being set.
Be sure to check out the link for an in-depth analysis of the protocol and the surprising lack of protection.
OpenSSH 10.4
OpenSSH 10.4 is out, bringing a handful of security fixes and new features.
The most interesting security fixes appear to be to file handling in the sftp
and scp
file transfer tools, a malicious remote server could cause the files to be downloaded to the wrong directories. Besides those, the security fixes seem relatively calm, making behavior more consistent when forwarding and tunneling options were in conflict, mitigating a potential denial of service, and cleaning up other behavior.
OpenSSH 10.4 introduces some experimental support for additional post-quantum encryption standards, but beyond that seems to be a normal update.
Tenda Routers (may) Have Backdoor
According to CVE-2026-11405, Tenda brand routers may have a deliberate backdoor in the web interface.
The vulnerability report claims that the httpd
binary contains a fallback to a plaintext, hardcoded password that allows anything on the internal network to bypass authentication and reconfigure the router. This seems entirely plausible, based on issues found in other router firmwares, however additional reports raise doubts about the pervasiveness of the backdoor, or if it exists in all firmware versions.
If you have a Tenda brand router and are so inclined, now might be a great time to investigate OpenWRT or other alternate, updated firmware, but there’s probably not a reason to panic just yet.
Tricking the GitHub Agent With Prompt Injection
Can we go a week without discussing prompt injection in AI agents? Apparently the answer is no.
Noma Labs reveals how they were able to use prompt injection against the GitHub support agent to reveal private repositories of an organization. Leveraging the GitHub Agentic Workflows that link workflows with AI agents, Noma Labs were able to file an issue in a public repository that exposed private repositories in the same organization.
The attack appears to be as simple as filing an issue in the public repo, and requesting the contents of files in both the public and private repo, which the agent happily provided. Not only did the AI agent provide the file content of private repos, but it put it in a public issue in the public repository!
Noma Labs says in the writeup that GitHub had instituted guardrails to prevent an agent from accessing private repositories, but simply including the request to “additionally” perform other tasks was sufficient to bypass. This makes GitHub the latest in a seemingly endless chain of AI agents happily helping bypass corporate security, and it doesn’t seem like a trend that will slow down for a while.
Windows Device Identifier Catches Ransomware Operator
Windows installs contain a globally unique identifier generated during the initial install, which is used to track device behavior across Microsoft platforms. Toms Hardware reports that during an investigation of the “Scattered Spider” ransomware group, Microsoft provided records tracking the GDID of one of the ransomware operators, allowing the identification and arrest of one of the groups members.
Scattered Spider has been responsible for millions of dollars in ransomware attacks globally, including high-profile ransomware attacks against major Las Vegas resorts, Qantas airlines, Visa, and hundreds of other companies.
Court documents reveal that following the arrest of one of the suspected members of the group, the Windows global ID was used to link other behavior across Azure, video games, and other telemetry.
CISA reviews lessons learned
Mentioned here in May, the US government cybersecurity agency (CISA) suffered a disclosure of authentication tokens, cloud infrastructure, and plaintext passwords via a public GitHub repository named “Private-CISA” and operated by a contractor.
CISA has published the results of their internal review. Unsurprisingly, as a large government agency, CISA essentially followed the playbook for dealing with incidents: identify the most critical issues and disable the access of the contractor who exposed credentials, determine the full scope of disclosed data, and terminate accounts, change passwords, and expire authentication tokens which were exposed.
More NPM malware packages
Opensource Malware reports on additional infostealer malware uploaded to the NPM repository. Like most NPM-based malware, these packages rely on the install script mechanism to trigger arbitrary commands, firing immediately during package install with no additional interaction.
All of the malware packages mimic existing popular packages and depend on user typos or confusion to get selected. Once triggered, the malware collects a machine fingerprint, git user information, GitHub account information, SSH account information, and corporate identifiers. The packages are largely nonfunctional – the code in the package itself is irrelevant, once a victim triggers the install the malware payload is fired.
All of the packages were uploaded by the same source, tracked to the owner of a cybersecurity company. It is unclear if this is a misguided attempt to generate leads or hype, or if this is a research project gone wrong, but the payload of the malicious packages has been developed and tuned over time. For a company trying to build a reputation or trust, this is surely the wrong way to do it.
Please be kind and respectful to help make the comments section excellent. (Comment Policy)

Facts Only

* The Januscape vulnerability allows a user in a guest VM managed by KVM to corrupt host system memory and break isolation.
* KVM is used by Amazon AWS, Google GCP, and Digital Ocean.
* Vulnerabilities were found in Hoymiles micro-inverters due to an unencrypted RF protocol.
* This protocol exposed serial numbers via wireless probe commands.
* Tenda routers may have a backdoor where the httpd binary contains a fallback to a plaintext, hardcoded password allowing internal network bypass.
* OpenSSH 10.4 includes fixes for file handling in sftp and scp tools.
* Prompt injection against GitHub support agents allowed the agent to reveal private repository contents by leveraging Agentic Workflows.
* Windows installs contain a globally unique identifier tracked across Microsoft platforms, which was used to link behavior during an investigation into the Scattered Spider ransomware group.
* NPM malware packages mimic popular packages and execute arbitrary commands upon installation, collecting machine fingerprints and user information.
* CISA reviewed lessons learned after a disclosure of authentication tokens via a public GitHub repository.

Executive Summary

KVM virtualization, used by major hosting platforms like AWS and GCP, faces a vulnerability in the Januscape bug that allows a guest VM to corrupt host memory and break isolation. This issue has been present for approximately sixteen years, and fixes are available in the mainline Linux kernel, which major providers are expected to update. Separately, vulnerabilities were found in Hoymiles micro-inverters due to a proprietary RF protocol lacking encryption, allowing serial number exposure via wireless probes. Tenda routers may contain a backdoor where the httpd binary allows internal network access without authentication, though this is disputed across firmware versions. OpenSSH 10.4 introduced file handling fixes related to sftp and scp tools, improving consistency in forwarding/tunneling and mitigating denial of service risks. Furthermore, prompt injection attacks against GitHub agents have been demonstrated, allowing an agent to leverage workflows to expose private repository contents by requesting files from both public and private repositories. Finally, research into NPM malware packages revealed infostealers that execute upon installation, collecting machine fingerprints and corporate identifiers, often uploaded by the same cybersecurity entity responsible for investigating incidents like those handled by CISA.

Full Take

The convergence of these findings illustrates systemic fragility across layers of modern infrastructure, from hardware virtualization to AI agents and software distribution. The KVM issue highlights a profound trust deficit within the core virtualization layer used by global cloud providers; an unpatched bug spanning sixteen years in a fundamental subsystem creates an existential risk for all systems relying on isolation. This mirrors the complexity observed in proprietary hardware protocols, where a perceived convenience (wireless control) is directly traded for security, creating exploitable gaps.
The attacks against GitHub agents demonstrate that the promise of advanced AI workflows introduces novel vectors where guardrails are brittle when layered with agentic capabilities. The successful bypass shows that relying on explicit controls is insufficient; the mechanism of chaining actions—requesting data from disparate sources—is now a potent means to subvert intended security policies.
The NPM malware pattern reveals a shift in attack economics: highly effective, automated exploitation is being packaged and distributed, leveraging familiar package mechanisms to mask malicious payload delivery. The connection between tracking device identifiers (Windows GDID) across different entities, alongside the CISA review, suggests a correlation where granular telemetry data, even when aggregated by government bodies, can be leveraged for retrospective attribution, emphasizing that digital artifacts serve as persistent linkage points in security investigations and accountability structures.
Bridge Questions: How can trust be algorithmically enforced across complex, multi-tenant systems like KVM? What architectural shift is necessary to ensure that agentic workflows cannot trivially bypass established security boundaries? If telemetry links behavior across disparate entities, what new frameworks are needed for individual digital sovereignty?

Sentinel — Human

Confidence

This text reads like a compilation or digest of various cybersecurity news items, presenting technical facts alongside analytical commentary on emerging risks, strongly suggesting human synthesis rather than pure machine generation.

Signals Detected
low severity: Sentence length variance is erratic and varies between highly technical statements and narrative observations.
low severity: Coherent flow, though the shift between disparate topics (VM bugs to solar inverters to prompt injection) suggests compilation rather than monolithic narrative focus.
medium severity: The text shifts abruptly between technical vulnerability disclosures and more speculative commentary, lacking a consistent argumentative thread.
medium severity: Specific CVEs (CVE-2026-11405) and specific group names ('Scattered Spider') are presented alongside seemingly plausible speculative claims, demanding source verification.
Human Indicators
The blending of high-level infrastructure security (KVM), consumer hardware vulnerabilities (Hoymiles), software updates (OpenSSH), and emerging AI/agent risks (Prompt Injection) suggests a human analyst synthesizing disparate industry reports.
The inclusion of cautionary, yet relatively soft, language regarding speculative findings ('may have a backdoor,' 'seems entirely plausible') indicates nuanced interpretation rather than pure, uncontextualized data dumps.
This Week in Security: Escaping Linux VMs, Vulnerable Solar, Confusing AI (Again), and Confusing NPM Malware — Arc Codex