TL;DR
Linux kernel flaw CVE-2026-46242 allows unprivileged users to gain root access across desktops, servers, and Android devices; patch available. FatFs filesystem library shipping in millions of embedded devices contains seven unpatched vulnerabilities. North Korea-linked threat actors distribute malicious npm packages masquerading as Rollup polyfills to steal developer credentials.
Executive Summary
- A critical Linux kernel privilege escalation flaw (CVE-2026-46242) affecting Android, desktop, and server deployments has a patch available and requires immediate deployment.
- FatFs, a filesystem library bundled into millions of embedded devices including IoT and consumer electronics, contains seven disclosed but unpatched vulnerabilities with unknown exploitation status.
- Threat actors with North Korean links are distributing trojanized npm packages impersonating Rollup tooling to compromise developer environments and exfiltrate credentials.
- The NetNut residential proxy botnet spanning 2 million compromised Android devices has been disrupted by FBI and Google, though the scope of past damage to affected users remains under assessment.
Top Threats Today
1. Linux Kernel Privilege Escalation (CVE-2026-46242) — Patched
Severity: HIGH Affected: Technology
A newly disclosed Linux kernel flaw called Bad Epoll (CVE-2026-46242) allows an ordinary user with no special access to take full control of a machine as root [1]. The vulnerability affects Linux desktops, servers, and Android devices [1]. A fix is available [1].
Sources: [1] The Hacker News
Recommended Action
- Prioritize Linux kernel security updates across all deployed systems (servers, workstations, containers)
- For Android devices, check for July 2026 security patches from your device manufacturer or carrier
- Verify patch deployment across your infrastructure before moving to other pending updates
2. FatFs Filesystem Vulnerabilities — Unpatched, Scope Unknown
Severity: HIGH Affected: Technology
Security firm runZero has disclosed seven vulnerabilities in FatFs, a small filesystem library that enables devices to read and write FAT and exFAT formats used on USB drives and SD cards [1]. FatFs is bundled into the firmware of millions of embedded devices [1]. The vulnerabilities remain unpatched as of disclosure [1].
Sources: [1] The Hacker News
Recommended Action
- Contact your embedded device vendors (routers, IoT gateways, smart TVs, automotive systems) to determine if FatFs is present in your deployed fleet
- Request vendor guidance on available firmware updates or mitigations
- Monitor FatFs releases and vendor advisories for patch availability
- If FatFs source is available in-house, engage your development team to assess exposure
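The last item above is easiest to act on with an inventory script. The following is an added example for this digest, not code from runZero, the FatFs project or the original page. It assumes the upstream FatFs layout (`ff.c`, `ff.h`, `ffconf.h`) and the revision-ID macro that `ff.h` defines (`FF_DEFINED` in current releases, `_FATFS` in older ones); it only locates copies and reports their revision so you can compare against the vendor advisory once patch details are published.

```python
"""Inventory FatFs copies in a firmware or product source tree.

Added example for this digest; not runZero's, FatFs's or the page's own code.
Assumptions: FatFs ships as ff.c / ff.h / ffconf.h and ff.h carries a revision
macro, FF_DEFINED (recent releases) or _FATFS (older releases).
"""
import re
import sys
from pathlib import Path

# Files whose presence strongly suggests a vendored FatFs copy.
FATFS_FILES = ("ff.c", "ff.h", "ffconf.h")

# "#define FF_DEFINED 86631 /* Revision ID */" or "#define _FATFS 68300 ..."
REVISION_RE = re.compile(r"^\s*#\s*define\s+(FF_DEFINED|_FATFS)\s+(\d+)", re.MULTILINE)


def extract_revision(header_text):
    """Return the numeric FatFs revision ID found in ff.h text, or None."""
    m = REVISION_RE.search(header_text)
    return int(m.group(2)) if m else None


def find_fatfs(root):
    """Walk `root` and return {directory: revision_or_None} for every FatFs copy.

    A directory counts as a FatFs copy when it contains ff.h; the revision is
    read from that header (None if the macro is missing or the file unreadable).
    """
    found = {}
    for header in Path(root).rglob("ff.h"):
        try:
            text = header.read_text(errors="replace")
        except OSError:
            continue
        # Require at least one sibling FatFs file to reduce false positives
        # from unrelated projects that happen to have an ff.h.
        siblings = {p.name for p in header.parent.iterdir()}
        if not any(name in siblings for name in FATFS_FILES if name != "ff.h"):
            continue
        found[str(header.parent)] = extract_revision(text)
    return found


def report(found):
    """Human-readable summary lines for a find_fatfs() result."""
    lines = []
    for directory, rev in sorted(found.items()):
        rev_text = f"revision {rev}" if rev is not None else "revision unknown"
        lines.append(f"{directory}: FatFs present ({rev_text})")
    return lines or ["no FatFs copies found"]


if __name__ == "__main__":
    root_dir = sys.argv[1] if len(sys.argv) > 1 else "."
    print("\n".join(report(find_fatfs(root_dir))))
```

Run it against each firmware or SDK checkout (`python fatfs_inventory.py path/to/tree`); the revision numbers it reports are what the vendor or the FatFs release notes will need when they map the disclosed issues to affected releases.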
3. North Korea-Linked Malicious npm Packages — Supply Chain Threat
Severity: HIGH Affected: Technology
Threat actors with ties to North Korea have been linked to malicious npm packages named “rollup-packages-polyfill-core” and “rollup-runtime-polyfill-core” that masquerade as Rollup polyfill tooling [1]. These packages facilitate remote access and data theft, according to JFrog [1].
Sources: [1] The Hacker News
Recommended Action
- Audit your npm dependencies immediately for the malicious package names: “rollup-packages-polyfill-core” and “rollup-runtime-polyfill-core”
- Remove any instances and regenerate credentials (API keys, tokens, cloud secrets) if exposure is confirmed
- Implement npm audit and SBOM tooling to detect typosquatting and malicious package candidates before installation
- Review recent package install logs to identify affected development environments and CI/CD pipelines
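The dependency audit above is easiest to automate against lockfiles, which record transitive installs that a glance at package.json misses. The script below is an added example for this digest, not code from JFrog, npm or the original page. It assumes the standard npm lockfile layouts (`dependencies` in lockfileVersion 1, `packages` keyed by `node_modules/...` paths in versions 2 and 3) and uses the two package names quoted in the advisory; the sample lockfile is constructed for the demonstration.

```python
"""Search npm lockfiles and node_modules trees for named malicious packages.

Added example for this digest; not JFrog's, npm's or the page's own code.
Assumptions: lockfileVersion 1 uses a nested "dependencies" map, versions 2/3
use a flat "packages" map keyed by "node_modules/<name>" paths.
"""
import json
import sys
from pathlib import Path

# Package names quoted in the advisory text above.
MALICIOUS_PACKAGES = frozenset({
    "rollup-packages-polyfill-core",
    "rollup-runtime-polyfill-core",
})


def _name_from_lock_key(key):
    """'node_modules/a/node_modules/@s/b' -> '@s/b' (v2/v3 key convention)."""
    return key.rsplit("node_modules/", 1)[-1] if key else None


def find_malicious(lock):
    """Return a sorted list of (name, version) hits from a parsed lockfile dict."""
    hits = set()

    # lockfileVersion 2/3: flat "packages" map; nested installs are still
    # distinct keys, so transitive pulls show up here too.
    for key, meta in lock.get("packages", {}).items():
        name = meta.get("name") or _name_from_lock_key(key)
        if name in MALICIOUS_PACKAGES:
            hits.add((name, meta.get("version", "?")))

    # lockfileVersion 1: nested "dependencies" tree, walked recursively.
    def walk(deps):
        for name, meta in deps.items():
            if name in MALICIOUS_PACKAGES:
                hits.add((name, meta.get("version", "?")))
            walk(meta.get("dependencies", {}))

    walk(lock.get("dependencies", {}))
    return sorted(hits)


def scan_lockfile(path):
    """Load a package-lock.json / npm-shrinkwrap.json and scan it."""
    with open(path, encoding="utf-8") as fh:
        return find_malicious(json.load(fh))


def scan_node_modules(root):
    """Return installed package directories (including nested ones) that match."""
    root = Path(root)
    return sorted(
        str(p)
        for name in MALICIOUS_PACKAGES
        for p in root.rglob(name)
        if p.is_dir() and p.parent.name == "node_modules"
    )


# Constructed sample lockfile (lockfileVersion 3), not real project data:
# the malicious package arrives transitively under a legitimate dependency.
SAMPLE_LOCK = {
    "name": "demo-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "dependencies": {"rollup": "^4.0.0"}},
        "node_modules/rollup": {"version": "4.9.0"},
        "node_modules/rollup/node_modules/rollup-runtime-polyfill-core": {
            "version": "1.0.3"
        },
    },
}


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "package-lock.json"
    for name, version in scan_lockfile(target):
        print(f"MALICIOUS: {name}@{version} referenced in {target}")
    for d in scan_node_modules(Path(target).parent / "node_modules"):
        print(f"MALICIOUS: installed at {d}")
```

Point it at every lockfile in your repositories and CI caches, not just the top-level project; a hit in a CI image or a developer's global cache counts as exposure for the credential-rotation step above.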
4. NetNut Residential Proxy Botnet Disrupted
Severity: MEDIUM Affected: Technology
A joint operation involving Google and the FBI has disrupted NetNut, a residential proxy network that gave access to millions of compromised Android devices, including smart TVs and streaming boxes [1]. The FBI seized hundreds of domains associated with NetNut, which is operated by the publicly traded Israeli company Alarum Technologies [2]. The service had been renting access to millions of compromised devices, allowing cybercriminals and nation-state actors to mask their identities during attacks [3].
Sources: [1] BleepingComputer; [2] Krebs on Security; [3] SecurityWeek
Recommended Action
- If you manage Android-based consumer devices (smart TVs, streaming boxes), check for firmware updates and security patches
- Review your network logs for outbound traffic to known NetNut domains (now seized) to identify any historically compromised devices on your network
- For enterprise environments, monitor for lateral movement or credential theft that may have occurred while NetNut access was active
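The log review above is a suffix match against an indicator list, and the common mistake is to match only exact hostnames and miss subdomains (or to over-match unrelated names that merely end in the same string). The script below is an added example for this digest, not code from the FBI, Google or the original page. The domain list is a placeholder because the page does not list the seized domains; the DNS log lines are constructed for the demonstration and assume a simple `<timestamp> <client_ip> <query_name>` format.

```python
"""Match DNS query logs against a seized-domain list, subdomains included.

Added example for this digest; not the FBI's, Google's or the page's own code.
SEIZED_DOMAINS is a PLACEHOLDER: substitute the published indicator list.
Log format assumed: "<timestamp> <client_ip> <query_name>" per line.
"""
from collections import defaultdict

# PLACEHOLDER indicators (reserved .example TLD); replace with the real list.
SEIZED_DOMAINS = {
    "proxy-seized-placeholder.example",
    "relay-seized-placeholder.example",
}


def normalize(domain):
    """Lower-case and drop the trailing dot that DNS logs often include."""
    return domain.strip().rstrip(".").lower()


def matches_blocklist(qname, blocklist):
    """True if qname equals a listed domain or is a subdomain of one.

    The '.' prefix in the suffix test is what prevents 'notproxy-...example'
    from matching 'proxy-...example'.
    """
    q = normalize(qname)
    for listed in blocklist:
        d = normalize(listed)
        if q == d or q.endswith("." + d):
            return True
    return False


def scan_dns_log(lines, blocklist=SEIZED_DOMAINS):
    """Return {client_ip: sorted matching query names} for the given log lines."""
    hits = defaultdict(set)
    for line in lines:
        parts = line.split()
        if len(parts) < 3:
            continue  # malformed or truncated line; skip rather than crash
        _timestamp, client_ip, qname = parts[0], parts[1], parts[2]
        if matches_blocklist(qname, blocklist):
            hits[client_ip].add(normalize(qname))
    return {ip: sorted(names) for ip, names in hits.items()}


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    "2026-07-01T08:12:03Z 10.0.4.21 api.proxy-seized-placeholder.example.",
    "2026-07-01T08:12:09Z 10.0.4.21 www.example.org",
    "2026-07-01T08:15:44Z 10.0.7.3 notproxy-seized-placeholder.example",
    "2026-07-01T08:20:00Z 10.0.9.8 relay-seized-placeholder.example",
    "malformed line",
]


if __name__ == "__main__":
    for ip, names in scan_dns_log(SAMPLE_LOG).items():
        print(f"{ip}: {', '.join(names)}")
```

Each client IP the scan reports is a device to pull for firmware review; because the domains are now seized, any match is historical and marks the start of the window in which the device's traffic should be examined.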
5. Avalon Modular Malware Framework — Multi-Stage Distribution
Severity: MEDIUM Affected: Technology
Cybersecurity researchers have discovered a previously undocumented modular malware framework codenamed Avalon distributed via a multi-stage phishing chain capable of bypassing traditional security controls [1]. Avalon combines credential collection, lateral movement, remote access, and reconnaissance capabilities [1].
Sources: [1] The Hacker News
Recommended Action
- Review phishing detection and email filtering rules for multi-stage attachment or link patterns
- Conduct security awareness training focused on phishing campaigns with legitimate-seeming lures and unusual attachment types
- Ensure EDR/MDR tools are configured to detect credential collection and lateral movement behavior
Ongoing Coverage
Additional stories from today’s feeds that reference previously covered threats:
- Microsoft 365 Phishing Toolkits: BleepingComputer reports on a new phishing-as-a-service platform dubbed “ARToken” operating as an affiliate of the EvilTokens platform, providing insight into an extensive toolkit designed to compromise Microsoft 365 accounts [7]. (See earlier coverage for related Microsoft phishing campaigns.)
- Scattered Spider Extraditions: A 19-year-old has been extradited to the US on charges stemming from Scattered Spider activities, including breaches of luxury retailers [24,29]. Two additional members pleaded guilty in the United Kingdom in connection with the Transport for London attack [12]. (See earlier coverage.)
- Fortinet FortiBleed Exploitation: Dark Reading reports that actors exploiting the FortiBleed vulnerability in Fortinet firewalls are now collaborating with Inc and Lynx ransomware gangs to monetize access [19]. (See earlier coverage.)
- Pegasus Spyware: Stelios Kouloglou, a former member of the European Parliament’s committee investigating commercial spyware abuse, was twice infected with Pegasus while serving [21].
Today’s Action Checklist
- ☐ URGENT: Deploy Linux kernel security updates (CVE-2026-46242) across servers and workstations; coordinate Android device updates with carriers and manufacturers.
- ☐ HIGH: Search your npm dependency trees for malicious packages “rollup-packages-polyfill-core” and “rollup-runtime-polyfill-core”; regenerate exposed credentials.
- ☐ HIGH: Contact embedded device vendors to determine FatFs exposure in deployed firmware and request patch timelines.
- ☐ MEDIUM: Audit recent Avalon phishing campaigns in your email logs; reinforce multi-stage attack detection rules.
- ☐ MEDIUM: Review network logs for historical NetNut domain activity; assess for credential exfiltration or lateral movement during compromise window.