Overview
Another week, another cascade of active exploits and supply chain compromises. This Monday recap covers the most impactful cybersecurity stories from May 18–25, 2026 — from Linux kernel privilege escalation bugs to Windows Defender zero-days being weaponized in the wild, a coordinated DNS hijacking campaign targeting Microsoft 365 accounts via router botnets, and a freshly named cross-ecosystem supply chain attack making the rounds across npm, PyPI, and Crates.io.
Linux Kernel Flaws: Root Access at Risk
Dirty Frag Zero-Day
Researchers disclosed Dirty Frag, a new Linux kernel zero-day vulnerability that achieves local root privilege escalation on all major Linux distributions. The flaw leverages a race condition in the kernel's memory fragmentation handling and requires no special capabilities to trigger.
Proof-of-concept code circulated quickly, and CISA added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog following confirmed in-the-wild exploitation. All major Linux vendors issued emergency patches within 24 hours of the PoC becoming public.
Affected systems: Linux kernel 5.15 through 6.x across Ubuntu, RHEL, Debian, Fedora, and derivatives.
Pack2TheRoot
A separate Linux privilege escalation technique dubbed Pack2TheRoot emerged this week, targeting a flaw in the kernel's network packet handling subsystem. Like Dirty Frag it is a local exploit, so it requires an initial foothold on the target system, but it enables reliable root escalation from a standard user context.
Patch status: Kernel patch merged upstream; distribution backports underway.
Windows Defender Zero-Days Under Active Exploitation
Two Defender Vulnerabilities Weaponized
Microsoft confirmed that two actively exploited Windows Defender vulnerabilities are being used in targeted attacks. The flaws allow attackers with local access to escalate privileges and disable security monitoring — effectively blinding endpoint detection systems before deploying secondary payloads.
Microsoft released out-of-band updates for both issues. Security teams should prioritize these patches over standard Patch Tuesday scheduling.
YellowKey and GreenPlasma
A researcher known for responsible (and sometimes not-so-responsible) disclosure dropped YellowKey and GreenPlasma, two Windows zero-day exploit chains: YellowKey bypasses BitLocker, and GreenPlasma escalates privileges through CTFMon (ctfmon.exe, the Text Services Framework host process). Neither had patches at time of release.
MiniPlasma, a related Windows system-level privilege escalation exploit with a working PoC, was also publicly released. Microsoft acknowledged all three and is working on fixes.
Router Botnet DNS Hijacking Campaign
Authorities disrupted an ongoing campaign where threat actors compromised SOHO routers to modify DNS settings and redirect traffic from unsuspecting users to attacker-controlled infrastructure. The primary objective was stealing Microsoft 365 login credentials.
The campaign followed a well-worn playbook:
- Exploit weak or default credentials on consumer routers
- Modify DNS resolver settings to point to rogue servers
- Intercept authentication traffic to the redirected hosts and harvest credentials and valid session cookies
- Use stolen credentials for follow-on BEC (Business Email Compromise) attacks
Law enforcement in multiple countries coordinated to sinkhole botnet infrastructure and notify affected ISPs.
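Two host-side checks for the playbook above, written for this recap rather than taken from the article or from any vendor tool: first, did the network hand out a resolver that is not on the allow-list; second, do the configured resolver and an independent resolver disagree about the identity endpoints the campaign redirected? The resolv.conf text, the allow-list and both sets of resolver answers are constructed sample data; the DoH endpoint is Cloudflare's documented JSON API and is only used by the live (commented-out) path.

```python
"""Checks for a router-level DNS hijack: unexpected resolvers, and resolver
answers that disagree for identity endpoints. Added example; sample data
below is constructed and does not come from the article."""
import json
import re
import socket
import urllib.request
from collections.abc import Callable, Iterable

# Identity endpoints a Microsoft 365 credential-theft campaign would redirect.
WATCHED_HOSTS = ("login.microsoftonline.com", "login.live.com")

# Independent reference resolver (assumption: any trusted DoH resolver works;
# this is Cloudflare's JSON DoH API).
DOH_URL = "https://cloudflare-dns.com/dns-query?name={name}&type=A"

Lookup = Callable[[str], set[str]]


def parse_resolv_conf(text: str) -> list[str]:
    """Return nameserver addresses from /etc/resolv.conf-style text."""
    return re.findall(r"^\s*nameserver\s+(\S+)", text, re.M)


def unexpected_resolvers(resolvers: Iterable[str], allowed: Iterable[str]) -> list[str]:
    """Resolvers not on the allow-list (router LAN address, corporate DNS, ...)."""
    allowed = set(allowed)
    return [r for r in resolvers if r not in allowed]


def system_lookup(host: str) -> set[str]:
    """A records via the OS resolver, i.e. whatever DNS the router handed out."""
    infos = socket.getaddrinfo(host, 443, socket.AF_INET, socket.SOCK_STREAM)
    return {info[4][0] for info in infos}


def doh_lookup(host: str) -> set[str]:
    """A records via the reference DoH resolver (needs network access)."""
    req = urllib.request.Request(DOH_URL.format(name=host),
                                 headers={"Accept": "application/dns-json"})
    with urllib.request.urlopen(req, timeout=5) as resp:
        body = json.load(resp)
    return {a["data"] for a in body.get("Answer", []) if a.get("type") == 1}


def divergent_answers(hosts: Iterable[str], local: Lookup, trusted: Lookup
                      ) -> dict[str, tuple[set[str], set[str]]]:
    """Hosts where the local resolver's answer shares no address with the
    trusted resolver's answer. CDN-fronted hosts legitimately vary by region,
    so treat a hit as a lead: check who owns the returned address and what
    TLS certificate it serves, not as proof of hijack."""
    hits = {}
    for host in hosts:
        a, b = local(host), trusted(host)
        if a and b and a.isdisjoint(b):
            hits[host] = (a, b)
    return hits


# Constructed sample: the DHCP lease pushed an extra resolver in the TEST-NET-3
# documentation range, and that resolver answers differently for one login host.
SAMPLE_RESOLV_CONF = "search corp.example\nnameserver 192.168.1.1\nnameserver 203.0.113.53\n"
EXPECTED_RESOLVERS = {"192.168.1.1"}
SAMPLE_LOCAL_ANSWERS = {
    "login.microsoftonline.com": {"198.51.100.7"},
    "login.live.com": {"198.51.100.7"},
}
SAMPLE_TRUSTED_ANSWERS = {
    "login.microsoftonline.com": {"203.0.113.10"},
    "login.live.com": {"198.51.100.7", "203.0.113.11"},
}


def sample_report() -> dict:
    """Run both checks over the constructed data (no network needed)."""
    resolvers = parse_resolv_conf(SAMPLE_RESOLV_CONF)
    return {
        "rogue_resolvers": unexpected_resolvers(resolvers, EXPECTED_RESOLVERS),
        "divergent": divergent_answers(WATCHED_HOSTS,
                                       SAMPLE_LOCAL_ANSWERS.__getitem__,
                                       SAMPLE_TRUSTED_ANSWERS.__getitem__),
    }


if __name__ == "__main__":
    print(sample_report())
    # Live check against this machine's own resolver (uncomment on a real host):
    # print(divergent_answers(WATCHED_HOSTS, system_lookup, doh_lookup))
```

On a fleet, the first check is the cheap one to run from endpoint management: the resolver list a client actually received is either the router or the corporate DNS, and anything else is worth an alert. The second check is noisier because of CDN geo-routing, which is why it compares address sets rather than demanding an exact match.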
Supply Chain Chaos: TrapDoor Campaign
The week's most far-reaching story came from researchers who named and documented TrapDoor — a coordinated cross-ecosystem supply chain attack campaign that has been running since at least May 22, 2026.
| Metric | Detail |
|---|---|
| Malicious packages | 34 packages confirmed |
| Poisoned versions | 384+ package versions |
| Ecosystems targeted | npm, PyPI, Crates.io |
| Primary payload | Credential-stealing malware |
The campaign targets developer credentials, CI/CD pipeline tokens, cloud provider access keys, and SSH credentials. The malicious code runs from install-time hooks rather than from anything the application imports, which makes it difficult to detect without specialized supply chain scanning tools.
Full coverage: TrapDoor Supply Chain Attack Spreads Credential-Stealing Malware via npm, PyPI, and Crates.io
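A first-pass filter for the install-hook technique described above, added for this recap and not code from the article, the researchers who named TrapDoor, or any scanner: it flags npm lifecycle scripts, setup.py files that run code at install time, and crates that ship a build script. The manifests it scans are constructed samples, and the setup.py patterns are an assumed heuristic list, not a signature for this campaign.

```python
"""Flag install-time execution hooks in package manifests across npm, PyPI and
crates.io packages. Added example; heuristics and samples are constructed, and
a hook is a reason to look, not proof of compromise."""
import json
import re

# npm lifecycle scripts that run automatically during `npm install`.
NPM_INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Patterns in a setup.py that mean code runs at install time rather than
# plain metadata being declared (assumed heuristics, not an exhaustive list).
PY_SUSPICIOUS = (
    r"cmdclass\s*=",           # custom install/develop command classes
    r"subprocess\.",           # spawning processes during setup
    r"urllib|requests\.get",   # fetching remote content
    r"base64\.b64decode",      # staging an obfuscated payload
)


def npm_install_hooks(package_json: str) -> list[str]:
    """Return 'hook: command' for every install-time script in a package.json."""
    scripts = json.loads(package_json).get("scripts") or {}
    return [f"{hook}: {scripts[hook]}" for hook in NPM_INSTALL_HOOKS if hook in scripts]


def setup_py_findings(setup_py: str) -> list[str]:
    """Return the suspicious patterns that match a setup.py source."""
    return [pattern for pattern in PY_SUSPICIOUS if re.search(pattern, setup_py)]


def cargo_has_build_script(file_listing: list[str], cargo_toml: str) -> bool:
    """A crate runs arbitrary code at build time if it ships build.rs or names
    a build script with `build = "..."` in Cargo.toml."""
    if "build.rs" in file_listing:
        return True
    return re.search(r'^\s*build\s*=\s*"', cargo_toml, re.M) is not None


# Constructed sample inputs standing in for a freshly downloaded package.
SAMPLE_PACKAGE_JSON = json.dumps({
    "name": "example-lib",
    "version": "1.0.0",
    "scripts": {"test": "jest", "postinstall": "node scripts/setup.js"},
})

SAMPLE_SETUP_PY = '''
from setuptools import setup
from setuptools.command.install import install
import base64, subprocess

class Install(install):
    def run(self):
        subprocess.run(base64.b64decode(PAYLOAD), shell=True)
        install.run(self)

setup(name="example", version="1.0", cmdclass={"install": Install})
'''

SAMPLE_CRATE_FILES = ["Cargo.toml", "src/lib.rs", "build.rs"]


def scan_report() -> dict:
    """Run all three checks over the constructed samples."""
    return {
        "npm": npm_install_hooks(SAMPLE_PACKAGE_JSON),
        "pypi": setup_py_findings(SAMPLE_SETUP_PY),
        "crates": cargo_has_build_script(SAMPLE_CRATE_FILES, ""),
    }


if __name__ == "__main__":
    for ecosystem, finding in scan_report().items():
        print(f"{ecosystem}: {finding}")
```

The scan pairs with a policy that removes the execution path in the first place: `npm ci --ignore-scripts` (or `ignore-scripts=true` in `.npmrc`) for npm, and `pip install --only-binary=:all:` so that no sdist's setup.py is ever executed. Cargo has no equivalent switch, since build scripts always run, so build.rs in an unfamiliar crate has to be read before the crate is built. Expect legitimate hits: packages with native modules use postinstall for node-gyp, and many crates use build.rs for bindings, which is why the output is a review queue rather than a block list.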
Law Enforcement Wins
First VPN Seized in Global Ransomware Crackdown
Europol and partner agencies announced the seizure and takedown of "First VPN", a commercial VPN service widely used by ransomware operators to anonymize infrastructure. The operator was arrested and the service — allegedly used by at least 25 ransomware groups — was dismantled.
KimWolf Botnet Admin Arrested
Canadian authorities charged the alleged administrator of the KimWolf DDoS botnet, a service-for-hire operation responsible for attacks against targets including critical infrastructure and the I2P anonymity network. The arrest came through joint cooperation between the FBI and RCMP.
Other Notable Stories
- GitHub breach follow-up: Grafana confirmed source code theft via an unrotated token from the TanStack attack (full story)
- Drupal critical SQL injection actively exploited; added to CISA KEV — patch immediately
- Sixth Cisco SD-WAN zero-day of 2026 exploited in the wild; patch released
- Microsoft Exchange zero-day under active attack — no patch available at time of writing
- SonicWall VPN MFA bypass due to incomplete patching discovered in the wild
This Week's Patch Priority List
| Priority | Product | Issue |
|---|---|---|
| Critical | Linux kernel | Dirty Frag zero-day (root privesc) |
| Critical | Windows Defender | Two actively exploited vulns |
| Critical | Microsoft Exchange | Zero-day under active attack |
| High | Cisco SD-WAN | Sixth exploited zero-day of 2026 |
| High | Drupal | SQL injection in KEV |
| High | SonicWall VPN | MFA bypass via incomplete patch |
Sources
- The Hacker News — Weekly Recap: Linux Flaws, Defender 0-Days, Router Botnets, and Supply Chain Chaos