This morning’s pattern is attacker leverage through trusted plumbing: enterprise workflow software, core Linux kernels, developer dependencies, and legitimate cloud email all became fast paths once defenders assumed the underlying channel was safe.
Top line: Patch Weaver E-cology and Linux kernels fast, remove lightning 2.6.3 anywhere it was imported, rotate exposed secrets, and treat Amazon SES abuse as a cloud identity problem instead of just an email filtering problem.
BleepingComputer reports that attackers have been exploiting CVE-2026-22679 in Weaver E-cology since mid-March. Vega says the unauthenticated RCE came from an exposed debug API that let attacker-supplied parameters reach backend RPC functions and system commands. The observed activity focused on discovery, PowerShell payload delivery, and repeated fileless script fetches.
CISA added CVE-2026-31431, the Copy Fail Linux flaw, to its Known Exploited Vulnerabilities catalog one day after public disclosure. The bug sits in the algif_aead interface and lets unprivileged local users gain root by writing controlled bytes into the page cache of any readable file. Theori says the same exploit worked reliably across Ubuntu, Amazon Linux, RHEL, and SUSE.
A malicious lightning 2.6.3 release on PyPI automatically downloaded Bun and executed an obfuscated JavaScript payload when users imported the package. According to the reporting, the payload targeted browser data, .env files, API keys, cloud credentials, and supported arbitrary command execution. A package with more than 11 million monthly downloads does not need wide infection to become a serious trust failure.
Kaspersky observed an uptick in phishing sent through Amazon SES, often enabled by leaked AWS IAM keys found in public repositories, .env files, backups, images, and exposed S3 buckets. Because the messages come from legitimate SES infrastructure, they can pass SPF, DKIM, and DMARC checks and make traditional blocking much less effective.
Bottom line: The common failure today is false trust in legitimate-looking channels. The fix is boring but brutal: patch fast, rotate secrets without debate, and verify every trusted platform as if it were already part of the attack path.
KENSAI helps teams map exposed services, weak identity paths, risky dependencies, and cloud attack surfaces before trusted infrastructure turns into incident fuel.
Start Free Scan →Stay sharp.
🗡️ KENSAI Security Team