← Back to Blog
Security Briefing5 min read2026-05-05

Security Briefing, May 5 2026: Weaver RCE, Copy Fail, PyTorch Lightning Backdoor, and Amazon SES Phishing

This morning’s pattern is attacker leverage through trusted plumbing: enterprise workflow software, core Linux kernels, developer dependencies, and legitimate cloud email all became fast paths once defenders assumed the underlying channel was safe.


Top line: Patch Weaver E-cology and Linux kernels fast, remove lightning 2.6.3 anywhere it was imported, rotate exposed secrets, and treat Amazon SES abuse as a cloud identity problem instead of just an email filtering problem.


1. Weaver E-cology is a reminder that hidden debug paths become real intrusion paths

BleepingComputer reports that attackers have been exploiting CVE-2026-22679 in Weaver E-cology since mid-March. Vega says the unauthenticated RCE came from an exposed debug API that let attacker-supplied parameters reach backend RPC functions and system commands. The observed activity focused on discovery, PowerShell payload delivery, and repeated fileless script fetches.


2. Copy Fail has already crossed from research drop to live root access risk

CISA added CVE-2026-31431, the Copy Fail Linux flaw, to its Known Exploited Vulnerabilities catalog one day after public disclosure. The bug sits in the algif_aead interface and lets unprivileged local users gain root by writing controlled bytes into the page cache of any readable file. Theori says the same exploit worked reliably across Ubuntu, Amazon Linux, RHEL, and SUSE.


3. PyTorch Lightning 2.6.3 turned a popular AI dependency into a secret-stealing import trap

A malicious lightning 2.6.3 release on PyPI automatically downloaded Bun and executed an obfuscated JavaScript payload when users imported the package. According to the reporting, the payload targeted browser data, .env files, API keys, cloud credentials, and supported arbitrary command execution. A package with more than 11 million monthly downloads does not need wide infection to become a serious trust failure.


4. Amazon SES phishing abuse shows that cloud trust can neutralize reputation-based defenses

Kaspersky observed an uptick in phishing sent through Amazon SES, often enabled by leaked AWS IAM keys found in public repositories, .env files, backups, images, and exposed S3 buckets. Because the messages come from legitimate SES infrastructure, they can pass SPF, DKIM, and DMARC checks and make traditional blocking much less effective.


What security teams should do today

  1. Patch Weaver E-cology and vulnerable Linux kernels before handling lower-priority hygiene work.
  2. Check software inventories and CI pipelines for lightning 2.6.3, then rotate every secret that touched it.
  3. Review AWS IAM exposure paths and treat SES abuse as an identity and secret-management failure mode.
  4. Brief responders that trusted infrastructure is the theme today: debug endpoints, kernels, packages, and cloud email all need verification, not assumptions.

Sources


Bottom line: The common failure today is false trust in legitimate-looking channels. The fix is boring but brutal: patch fast, rotate secrets without debate, and verify every trusted platform as if it were already part of the attack path.

Find the trusted paths attackers will abuse first

KENSAI helps teams map exposed services, weak identity paths, risky dependencies, and cloud attack surfaces before trusted infrastructure turns into incident fuel.

Start Free Scan →

Stay sharp.

🗡️ KENSAI Security Team