TL;DR
North Korean threat actors have distributed 108 malicious packages via npm and other platforms as part of the PolinRider campaign. A critical Linux kernel vulnerability (CVE-2026-46242) enables privilege escalation on desktops, servers, and Android; a patch is available. JadePuffer represents the first confirmed LLM-agent-automated ransomware attack. NetNut residential proxy network, which controlled 2 million compromised Android devices, has been disrupted by the FBI and Google.
Executive Summary
- North Korean threat actors linked to the Contagious Interview campaign have published 108 unique malicious packages and browser extensions across npm, Packagist, Go, and Google Chrome as part of an ongoing PolinRider operation.
- Linux kernel vulnerability CVE-2026-46242 (Bad Epoll) allows unprivileged users to achieve root access on Linux desktops, servers, and Android devices; a patch has been released.
- The JadePuffer ransomware operation represents the first documented case of a ransomware attack conducted entirely by an LLM agent, automating credential collection, lateral movement, and encryption.
- The NetNut residential proxy network, which operated across 2 million compromised Android devices, has been disrupted through joint action by the FBI and Google; the network facilitated cybercriminal and nation-state activity.
- A U.S. government entity paid approximately $1 million in an extortion case to the group calling itself Kairos to prevent the leak of stolen files.
Top Threats Today
1. North Korean PolinRider Supply-Chain Campaign
Severity: HIGH Affected: Technology
North Korean threat actors linked to the Contagious Interview campaign have published 108 unique malicious packages and web browser extensions spanning npm, Packagist, Go, and Google Chrome as part of an ongoing activity referred to as PolinRider [1]. The campaign remains active and continues to distribute new malicious payloads [1].
Sources: [1] The Hacker News
Recommended Action
- Review npm, Packagist, and Go package dependencies for any recently installed or updated packages from untrusted sources.
- Monitor browser extension installations and audit active extensions for unexpected additions or suspicious behavior.
- Deploy or update threat intelligence feeds to detect known PolinRider indicators of compromise in network traffic and logs.
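One concrete way to carry out the dependency review above is to diff the current lockfile against the last reviewed one and surface anything new, changed, fetched from outside the expected registry, or carrying an install-time script. The script below is an added example for this briefing; it is not code from the page or from any source it cites, and it contains no PolinRider indicators, since the page publishes none. It assumes package-lock.json in lockfileVersion 2 or 3 layout (a "packages" map keyed by node_modules path with "version", "resolved" and optional "hasInstallScript" fields); both lockfiles are constructed sample data.

```python
"""Diff two npm lockfiles and flag dependencies that deserve review.

Added example, not code from the briefing or any cited source. Assumes
package-lock.json lockfileVersion 2 or 3 and a trusted-registry prefix the
operator controls. Both lockfiles below are constructed.
"""
import json

TRUSTED_REGISTRY = "https://registry.npmjs.org/"

# Constructed: the lockfile as last reviewed.
BASELINE_LOCK = json.dumps({
    "name": "example-app", "lockfileVersion": 3,
    "packages": {
        "": {"name": "example-app", "version": "1.0.0"},
        "node_modules/example-utils": {"version": "3.2.0",
            "resolved": TRUSTED_REGISTRY + "example-utils/-/example-utils-3.2.0.tgz"},
        "node_modules/example-logger": {"version": "2.1.0",
            "resolved": TRUSTED_REGISTRY + "example-logger/-/example-logger-2.1.0.tgz"},
    },
})

# Constructed: the lockfile after an unreviewed `npm install` on a developer machine.
CURRENT_LOCK = json.dumps({
    "name": "example-app", "lockfileVersion": 3,
    "packages": {
        "": {"name": "example-app", "version": "1.0.0"},
        "node_modules/example-utils": {"version": "3.2.0",
            "resolved": TRUSTED_REGISTRY + "example-utils/-/example-utils-3.2.0.tgz"},
        "node_modules/example-logger": {"version": "2.1.1",
            "resolved": TRUSTED_REGISTRY + "example-logger/-/example-logger-2.1.1.tgz"},
        "node_modules/example-helper": {"version": "0.0.1",
            "resolved": "https://mirror.example.invalid/example-helper-0.0.1.tgz",
            "hasInstallScript": True},
    },
})

def load_packages(lock_text):
    """Return {node_modules path: record} from a lockfileVersion 2/3 document."""
    lock = json.loads(lock_text)
    if lock.get("lockfileVersion", 1) < 2:
        raise ValueError("expected lockfileVersion 2 or 3 with a 'packages' map")
    # The empty path is the root project itself, not a dependency.
    return {path: rec for path, rec in lock.get("packages", {}).items() if path != ""}

def audit_lockfile(baseline_text, current_text):
    """Map each dependency worth a look to the list of reasons it was flagged."""
    base, cur = load_packages(baseline_text), load_packages(current_text)
    findings = {}
    for path, rec in sorted(cur.items()):
        reasons = []
        if path not in base:
            reasons.append("new dependency since the reviewed baseline")
        elif base[path].get("version") != rec.get("version"):
            reasons.append(f"version changed {base[path].get('version')} -> {rec.get('version')}")
        resolved = rec.get("resolved", "")
        if not resolved.startswith(TRUSTED_REGISTRY):
            reasons.append(f"fetched outside the trusted registry: {resolved or '<no resolved URL>'}")
        if rec.get("hasInstallScript"):
            reasons.append("declares an install-time lifecycle script (preinstall/install/postinstall)")
        if reasons:
            findings[path] = reasons
    for path in sorted(set(base) - set(cur)):
        findings[path] = ["removed since the reviewed baseline"]
    return findings

def run_sample():
    return audit_lockfile(BASELINE_LOCK, CURRENT_LOCK)

if __name__ == "__main__":
    for path, reasons in run_sample().items():
        print(path)
        for r in reasons:
            print("   -", r)
```

Run it against a lockfile committed at the last review and the working copy; anything it reports is the set to inspect by hand before the next CI build. The same shape of check applies to Packagist (composer.lock) and Go (go.sum), with the registry prefix and script field swapped for those ecosystems.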
2. CVE-2026-46242 (Bad Epoll) Linux Kernel Privilege Escalation
Severity: HIGH Affected: Technology
A newly disclosed Linux kernel vulnerability, CVE-2026-46242 (Bad Epoll), allows an unprivileged user with no special access to take full control of a machine as root [1]. The flaw affects Linux desktops, servers, and Android systems; a patch has been released [1].
Sources: [1] The Hacker News
Recommended Action
- Prioritize patching Linux kernel and Android devices to the latest available version addressing CVE-2026-46242.
- Monitor privilege escalation attempts in system logs and audit trails.
- Apply the principle of least privilege to restrict unprivileged user capabilities on critical systems.
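The monitoring item above can be made concrete with auditd: a local privilege escalation, whatever the bug, ends with a process running as root whose lineage never passed through a setuid broker such as sudo or su. The script below is an added example for this briefing, not code from the page or any cited source, and it does not depend on any detail of CVE-2026-46242. It assumes auditd SYSCALL records from an execve rule (for example `-a always,exit -F arch=b64 -S execve -k exec`) and an allowlist of privilege brokers that the operator tunes; the log lines are constructed.

```python
"""Flag uid-0 processes whose auditd lineage never passed through a privilege broker.

Added example, not from the briefing or any cited source. Assumes auditd
SYSCALL records for execve; the allowlist and the log lines are assumptions
and constructed data respectively.
"""
import re

TOKEN_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
MSG_RE = re.compile(r'audit\((\d+\.\d+):(\d+)\)')

# Assumed allowlist: setuid binaries that legitimately turn an unprivileged
# parent into a uid-0 child. Tune to the fleet (PAM/polkit helpers, etc.).
PRIVILEGE_BROKERS = {"/usr/bin/sudo", "/usr/bin/su", "/bin/sudo", "/bin/su"}

# Constructed sample: a user shell, a normal sudo session, and an unprivileged
# program (pid 1700) that reappears as euid 0 and spawns a shell.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1714000000.101:201): arch=c000003e syscall=59 success=yes exit=0 ppid=1500 pid=1600 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 tty=pts0 ses=4 comm="bash" exe="/usr/bin/bash" key="exec"
type=SYSCALL msg=audit(1714000000.102:202): arch=c000003e syscall=59 success=yes exit=0 ppid=1600 pid=1601 auid=1000 uid=1000 gid=1000 euid=0 suid=0 fsuid=0 tty=pts0 ses=4 comm="sudo" exe="/usr/bin/sudo" key="exec"
type=SYSCALL msg=audit(1714000000.103:203): arch=c000003e syscall=59 success=yes exit=0 ppid=1601 pid=1602 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 tty=pts0 ses=4 comm="bash" exe="/usr/bin/bash" key="exec"
type=SYSCALL msg=audit(1714000000.104:204): arch=c000003e syscall=59 success=yes exit=0 ppid=1600 pid=1700 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 tty=pts0 ses=4 comm="build-tool" exe="/home/dev/build-tool" key="exec"
type=SYSCALL msg=audit(1714000000.105:205): arch=c000003e syscall=59 success=yes exit=0 ppid=1600 pid=1700 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 tty=pts0 ses=4 comm="sh" exe="/usr/bin/sh" key="exec"
type=SYSCALL msg=audit(1714000000.106:206): arch=c000003e syscall=59 success=yes exit=0 ppid=1700 pid=1701 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 tty=pts0 ses=4 comm="id" exe="/usr/bin/id" key="exec"
"""

def parse_record(line):
    """Split one auditd record into a dict; quoted values lose their quotes."""
    rec = {k: v.strip('"') for k, v in TOKEN_RE.findall(line)}
    m = MSG_RE.search(line)
    if m:
        rec["time"], rec["serial"] = float(m.group(1)), int(m.group(2))
    return rec

def find_unexplained_root(lines):
    """Return alerts for execs that reach euid 0 with no privilege broker in the path."""
    procs = {}   # pid -> {"first_euid", "euid", "exe"} built from the records seen so far
    alerts = []
    for line in lines:
        rec = parse_record(line)
        if rec.get("type") != "SYSCALL" or rec.get("success") != "yes":
            continue
        pid, ppid = rec.get("pid"), rec.get("ppid")
        euid, exe = rec.get("euid"), rec.get("exe", "")
        prev, parent = procs.get(pid), procs.get(ppid)
        reasons = []
        if euid == "0" and exe not in PRIVILEGE_BROKERS:
            # Rule 1: this pid was unprivileged earlier and is root now, via a non-broker exe.
            if prev and prev["euid"] != "0":
                reasons.append(f"pid {pid} ran as euid {prev['euid']} and is now euid 0 via {exe}")
            # Rule 2: the parent never held root and is not a broker, yet the child is root.
            if parent and parent["first_euid"] != "0" and parent["exe"] not in PRIVILEGE_BROKERS:
                reasons.append(f"parent pid {ppid} ({parent['exe']}) never held root")
        if reasons:
            alerts.append({"serial": rec.get("serial"), "pid": pid, "auid": rec.get("auid"),
                           "exe": exe, "reasons": reasons})
        # Record or update this pid; first_euid survives later updates.
        first = prev["first_euid"] if prev else euid
        procs[pid] = {"first_euid": first, "euid": euid, "exe": exe}
    return alerts

def run_sample():
    return find_unexplained_root(SAMPLE_AUDIT_LOG.splitlines())

if __name__ == "__main__":
    for a in run_sample():
        print(f"audit serial {a['serial']}: pid {a['pid']} (auid {a['auid']}) exe {a['exe']}")
        for r in a["reasons"]:
            print("   -", r)
```

The sudo session (pids 1601 and 1602) passes because the broker itself is allowlisted and the root bash descends from it; pid 1700 is flagged because it held euid 1000 before and reaches euid 0 through a non-broker exe, and its child 1701 inherits the suspicion. On a real host, replay `ausearch -sc execve --raw` output through `find_unexplained_root` and extend the allowlist with whatever legitimate setuid helpers the fleet uses.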
3. JadePuffer Ransomware—First LLM-Agent-Automated Attack
Severity: HIGH Affected: Technology
Researchers have identified what is believed to be the first documented case of a ransomware operation, JadePuffer, conducted entirely by a large language model (LLM) agent [1]. The attack automates credential collection, lateral movement, remote access, reconnaissance, and encryption, demonstrating the emerging threat of agentic AI in ransomware campaigns [1].
Sources: [1] BleepingComputer
Recommended Action
- Enhance EDR and behavioral monitoring to detect agentic AI patterns: rapid lateral movement, bulk credential usage, and automated reconnaissance.
- Enforce MFA and credential access governance to limit lateral movement impact.
- Segment networks and restrict lateral movement paths through microsegmentation and zero-trust principles.
4. NetNut Residential Proxy Network Disrupted
Severity: HIGH Affected: Technology
A joint operation involving the FBI and Google has disrupted NetNut, a residential proxy network that gave access to millions of compromised Android devices, including smart TVs and streaming boxes [1][2][3]. Hundreds of domains associated with the service, operated by publicly traded Israeli company Alarum Technologies, have been seized [2]. The network facilitated cybercriminal and nation-state activity including advertising fraud, account takeovers, and mass data-scraping efforts [2].
Sources: [1] BleepingComputer, [2] Krebs on Security, [3] SecurityWeek
Recommended Action
- Audit and patch Android devices on your network; update firmware on connected devices (smart TVs, streaming boxes) to remove malware associated with the NetNut botnet.
- Review authentication logs for unusual login patterns or account takeovers that may have occurred through the proxy network.
- Segment IoT and smart-device networks to prevent cross-contamination if infection is suspected.
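Two of the recommended actions on this page come down to the same piece of detection logic over authentication records: the JadePuffer item (rapid lateral movement and bulk credential usage from one source) and the NetNut item (one account authenticating from many unrelated addresses, the footprint of a residential-proxy-backed account takeover). The script below is an added example serving both items; it is not code from the page or any cited source. It assumes normalized logon events with time, user, source address, destination and outcome (the shape an EDR or SIEM export would give), sliding-window thresholds the operator tunes, and constructed sample events.

```python
"""Sliding-window logon analysis: lateral movement, bulk credential use, rotating sources.

Added example, not from the briefing or any cited source. Events, thresholds
and the ten-minute window are assumptions; the sample data is constructed and
uses RFC 5737 documentation addresses for the external sources.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

FIELDS = ("time", "user", "src", "dst", "outcome")

def build_sample_events():
    """Constructed authentication events (successful and failed logons)."""
    t0 = datetime(2026, 5, 1, 9, 0, 0)
    rows = []
    # Routine: a backup account reaching three database hosts over eighty minutes.
    for i, host in enumerate(["db01", "db02", "db03"]):
        rows.append((t0 + timedelta(minutes=40 * i), "svc-backup", "10.0.0.5", host, "success"))
    # Burst: one workstation logs into eight servers with three accounts in seventy seconds.
    accounts = ["jdoe", "svc-deploy", "admin-t2"]
    for i in range(8):
        rows.append((t0 + timedelta(seconds=10 * i), accounts[i % 3], "10.0.4.77", f"srv{i:02d}", "success"))
    # Rotating sources: one account reaching webmail from six unrelated addresses in eight minutes.
    for i, ip in enumerate(["198.51.100.12", "203.0.113.40", "192.0.2.77",
                            "198.51.100.200", "203.0.113.9", "192.0.2.150"]):
        rows.append((t0 + timedelta(seconds=60 + 90 * i), "mlee", ip, "webmail", "success"))
    # A failed attempt, which the detector ignores.
    rows.append((t0, "mlee", "203.0.113.1", "webmail", "failure"))
    return [dict(zip(FIELDS, r)) for r in rows]

def _trim(window_events, now, window):
    """Drop events older than the window from the left of the deque."""
    while window_events and now - window_events[0]["time"] > window:
        window_events.popleft()

def detect_auth_anomalies(events, window=timedelta(minutes=10),
                          host_threshold=5, account_threshold=3, source_threshold=4):
    """Count distinct destinations and accounts per source, and distinct sources per account."""
    ok = sorted((e for e in events if e["outcome"] == "success"), key=lambda e: e["time"])
    by_source, by_account = defaultdict(deque), defaultdict(deque)
    alerts, fired = [], set()

    def fire(kind, key, count, when):
        if (kind, key) not in fired:      # one alert per (pattern, entity)
            fired.add((kind, key))
            alerts.append({"type": kind, "key": key, "count": count, "time": when.isoformat()})

    for e in ok:
        q = by_source[e["src"]]
        q.append(e)
        _trim(q, e["time"], window)
        hosts = {x["dst"] for x in q}
        users = {x["user"] for x in q}
        if len(hosts) >= host_threshold:
            fire("lateral_movement", e["src"], len(hosts), e["time"])
        if len(users) >= account_threshold:
            fire("bulk_credential_use", e["src"], len(users), e["time"])

        q = by_account[e["user"]]
        q.append(e)
        _trim(q, e["time"], window)
        sources = {x["src"] for x in q}
        if len(sources) >= source_threshold:
            fire("multi_source_account", e["user"], len(sources), e["time"])
    return alerts

if __name__ == "__main__":
    for a in detect_auth_anomalies(build_sample_events()):
        print(f"{a['time']}  {a['type']:<22} {a['key']:<16} distinct={a['count']}")
```

The backup account stays quiet because its three hosts fall in separate windows, while the workstation trips both per-source rules and the webmail account trips the per-account rule. Thresholds are deliberately conservative starting points; tune them against a week of your own logons and exempt known jump hosts and VPN concentrators before alerting on the output.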
5. Government Entity Pays Approximately $1 Million in Extortion Attack
Severity: MEDIUM Affected: Government
A U.S. government entity paid approximately $1 million to keep stolen files from being leaked, according to case analysis by Ransom-ISAC based on leaked negotiation chat and blockchain transaction records [1]. The extortion group calls itself Kairos [1].
Sources: [1] The Hacker News
Recommended Action
- Review extortion and ransomware response policies; consider whether ransom payment aligns with organizational risk tolerance and regulatory guidance.
- Strengthen data loss prevention (DLP) and access controls to reduce exposure of sensitive files to exfiltration.
- Implement file encryption and immutable backup strategies to reduce negotiating leverage of extortion actors.
Today’s Action Checklist
- ☐ URGENT: Scan npm, Packagist, and Go repositories for PolinRider packages and audit browser extension inventory for malicious additions.
- ☐ URGENT: Patch CVE-2026-46242 (Bad Epoll) on Linux and Android systems; prioritize systems with unprivileged user access.
- ☐ HIGH: Enhance EDR/SIEM detection rules for agentic AI ransomware patterns: rapid lateral movement, bulk credential usage, reconnaissance automation.
- ☐ HIGH: Audit Android devices and IoT devices for NetNut malware; update firmware on smart TVs and streaming boxes.
- ☐ MEDIUM: Review data exfiltration logs and authentication records for indicators of compromise from NetNut proxy network abuse.