Daily summary - 08.05.2026

End-of-Day report

Timeframe: Thursday 07-05-2026 18:00 - Friday 08-05-2026 18:00 Handler: Felician Fuchs Co-Handler: Michael Schlagenhaufer

News

New PCPJack worm steals credentials, cleans TeamPCP infections

A new malware framework called PCPJack is stealing credentials from exposed cloud infrastructure while actively removing TeamPCP's access to the systems. Among the targeted services are Docker, Kubernetes, Redis, MongoDB, RayML, and vulnerable web applications. In many cases, the threat actor moves laterally on the network. [..] To mitigate this risk, the researchers recommend enforcing multi-factor authentication (MFA), using IMDSv2 in AWS, ensuring proper authentication for Docker and Kubernetes services, following least-privilege principles, and avoiding storing secrets in plaintext.
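The mitigation list above names "using IMDSv2 in AWS" without saying what that changes for a credential-stealing tool. The following is an added example (not code from the article or from the PCPJack research): an in-process model of the EC2 instance metadata service behaving like an instance whose metadata options are set to HttpTokens=required, placed beside the one-shot GET that an IMDSv1-style collector sends. Nothing touches the network; the role name, credentials, and the FakeIMDS class are constructed for the example, while the paths and header names are the real IMDS ones.

```python
"""Model of IMDSv2 (HttpTokens=required) versus an IMDSv1-style credential grab.

Added example; the FakeIMDS class, role name and credentials are constructed.
The paths and header names are the ones the real metadata service uses.
"""
import secrets
import time

ROLE_PATH = "/latest/meta-data/iam/security-credentials/"
TOKEN_PATH = "/latest/api/token"
TOKEN_HDR = "X-aws-ec2-metadata-token"
TTL_HDR = "X-aws-ec2-metadata-token-ttl-seconds"

# Constructed sample role credentials; not real AWS material.
SAMPLE_CREDS = {
    "sample-role": '{"AccessKeyId":"ASIAEXAMPLE","SecretAccessKey":"example","Token":"example"}'
}


class FakeIMDS:
    """Stand-in for the endpoint at 169.254.169.254.

    http_tokens="required" models an IMDSv2-only instance; "optional" models
    the default that still answers plain IMDSv1 GETs.
    """

    def __init__(self, http_tokens="required", creds=SAMPLE_CREDS):
        self.http_tokens = http_tokens
        self.creds = creds
        self._tokens = {}  # session token -> expiry (epoch seconds)

    def request(self, method, path, headers=None, now=None):
        headers = {k.lower(): v for k, v in (headers or {}).items()}
        now = time.time() if now is None else now
        if method == "PUT" and path == TOKEN_PATH:
            ttl = int(headers.get(TTL_HDR.lower(), "0"))
            if not 1 <= ttl <= 21600:  # IMDS caps the TTL at six hours
                return 400, "bad TTL"
            tok = secrets.token_urlsafe(32)
            self._tokens[tok] = now + ttl
            return 200, tok
        if method != "GET":
            return 405, "method not allowed"
        tok = headers.get(TOKEN_HDR.lower())
        if tok is not None:
            if self._tokens.get(tok, 0) <= now:
                return 401, "unauthorized"  # unknown or expired token
        elif self.http_tokens == "required":
            return 401, "unauthorized"  # plain IMDSv1 GET rejected
        if path == ROLE_PATH:
            return 200, "\n".join(self.creds)
        if path.startswith(ROLE_PATH):
            role = path[len(ROLE_PATH):]
            return (200, self.creds[role]) if role in self.creds else (404, "not found")
        return 404, "not found"


def steal_creds_v1(imds, role="sample-role"):
    """What a curl/SSRF-style collector does: one unauthenticated GET."""
    return imds.request("GET", ROLE_PATH + role)


def fetch_creds_v2(imds, role="sample-role", ttl=300):
    """Legitimate IMDSv2 flow: PUT for a session token, then GET with it."""
    status, tok = imds.request("PUT", TOKEN_PATH, {TTL_HDR: str(ttl)})
    if status != 200:
        return status, tok
    return imds.request("GET", ROLE_PATH + role, {TOKEN_HDR: tok})


if __name__ == "__main__":
    for mode in ("optional", "required"):
        imds = FakeIMDS(http_tokens=mode)
        print(mode, "v1 GET:", steal_creds_v1(imds)[0], "v2 flow:", fetch_creds_v2(imds)[0])
    # To enforce this on a real instance (AWS CLI):
    #   aws ec2 modify-instance-metadata-options --instance-id <id> \
    #       --http-tokens required --http-endpoint enabled
```

Two caveats belong with this. The token step only defeats collectors that cannot make the PUT, typically SSRF through a web application or a container whose traffic exceeds the PUT response hop limit (HttpPutResponseHopLimit, not modelled here); a worm already running on the host can perform the PUT itself, so IMDSv2 must be paired with the least-privilege role the article also recommends. Second, switching an instance to required breaks any SDK or agent old enough to speak only IMDSv1, so audit callers before flipping it.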

https://www.bleepingcomputer.com/news/security/new-pcpjack-worm-steals-credentials-cleans-teampcp-infections/

End-to-end encryption: Instagram disables privacy protection

It slipped somewhat under the radar, but as of today, Friday, it becomes real: Instagram is watering down the privacy protection of its social network. Meta is switching off the opt-in option for end-to-end encryption (E2EE) of direct messages globally. [..] As for why end-to-end encryption is no longer supposed to be possible, an updated Facebook blog post provides the answer: according to it, only very few people made use of the option to enable end-to-end encryption for direct messages.

https://www.heise.de/news/Ende-zu-Ende-Verschluesselung-Instagram-deaktiviert-Privatsphaerenschutz-11287210.html

ShinyHunters escalates Canvas attacks with school login defacements

According to new reporting, ShinyHunters has now hit Instructure again, this time moving from quiet data theft to very visible extortion. Using another vulnerability in Instructure's systems, the attackers were able to modify Canvas login portals for hundreds of educational institutions, defacing both web logins and the Canvas app with an on-screen ransom message.

https://www.malwarebytes.com/blog/news/2026/05/shinyhunters-escalates-canvas-attacks-with-school-login-defacements

ClaudeBleed Vulnerability Lets Hackers Hijack Claude Chrome Extension to Steal Data

Cybersecurity researchers from LayerX have found a major security flaw in the Claude for Chrome browser extension that could allow hackers to take full control of the AI assistant. They have named this vulnerability ClaudeBleed, and their research shows that even a basic extension with no special permissions can hijack Claude to steal private files and send emails without the user's knowledge or consent. [..] After being notified by LayerX, Anthropic released a patch on 6 May in version 1.0.70. This update added new pop-up windows to ask for user permission. However, the LayerX team quickly found a way around them, discovering that by forcing the extension into a privileged mode, the "Act without asking" mode, they could skip the permission screens entirely.

https://hackread.com/claudebleed-vulnerability-hackers-claude-chrome-extension/

Kubernetes security fundamentals: Secrets

In this post, we'll be exploring secrets management in Kubernetes. Securely handling secrets is essential for any cluster operator, and there are several important nuances to keep in mind.

https://securitylabs.datadoghq.com/articles/kubernetes-security-fundamentals-part-8/

Behind the Scenes Hardening Firefox with Claude Mythos Preview

Two weeks ago we announced that we had identified and fixed an unprecedented number of latent security bugs in Firefox with the help of Claude Mythos Preview and other AI models. In this post, we'll go into more detail about how we approached this work, what we found, and advice for other projects on making good use of emerging capabilities to harden themselves against attack.

https://hacks.mozilla.org/2026/05/behind-the-scenes-hardening-firefox/

Stop MITM on the first SSH connection, on any VPS or cloud provider

This little script stops attacks on the first SSH connection to a new VM, even on providers (like Hetzner Cloud) that don't offer a proprietary solution; we only need cloud-init, which is widely supported.
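The excerpt says only that cloud-init is enough; it does not show the mechanics. The block below is an added example, not the script from the linked post, and it assumes one particular way of solving the problem: generate the host key pair locally, hand it to the VM through cloud-init's ssh_keys setting so sshd boots with a key you already know, and write the matching known_hosts entry and expected fingerprint before the first ssh. The key material in the block is a constructed 32-byte placeholder (not a usable key); on a real run feed the helpers the files produced by `ssh-keygen -t ed25519 -N '' -f hostkey`.

```python
"""Pin an SSH host key before the first connection to a fresh VM.

Added example (not the linked post's script). Assumes cloud-init's
`ssh_keys` / `ssh_genkeytypes` settings; key material is a constructed
placeholder, not a real key pair.
"""
import base64
import hashlib
import struct


def _ssh_string(data: bytes) -> bytes:
    """RFC 4251 string: 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def ed25519_pubkey_line(raw32: bytes, comment: str) -> str:
    """Build an OpenSSH public-key line from a raw 32-byte Ed25519 key."""
    blob = _ssh_string(b"ssh-ed25519") + _ssh_string(raw32)
    return f"ssh-ed25519 {base64.b64encode(blob).decode()} {comment}"


def fingerprint_sha256(pubkey_line: str) -> str:
    """Same value `ssh-keygen -lf` prints: SHA256 of the key blob, base64 without padding."""
    _keytype, b64 = pubkey_line.split()[:2]
    digest = hashlib.sha256(base64.b64decode(b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def known_hosts_line(host: str, pubkey_line: str) -> str:
    """known_hosts entry for the VM's address; the comment field is dropped."""
    keytype, b64 = pubkey_line.split()[:2]
    return f"{host} {keytype} {b64}"


def cloud_init_user_data(private_key: str, pubkey_line: str) -> str:
    """#cloud-config that makes sshd on the new VM use our pre-generated key."""
    indented = "\n".join("    " + line for line in private_key.strip().splitlines())
    return (
        "#cloud-config\n"
        "ssh_genkeytypes: [ed25519]\n"  # no other host key types get generated
        "ssh_keys:\n"
        "  ed25519_private: |\n"
        f"{indented}\n"
        f"  ed25519_public: {pubkey_line}\n"
    )


def matches_console(console_line: str, pubkey_line: str) -> bool:
    """Cross-check a fingerprint line shown on the provider's serial console."""
    expected = fingerprint_sha256(pubkey_line)
    return any(tok == expected for tok in console_line.split())


# Constructed placeholder material (NOT a real key pair).
SAMPLE_PUB = ed25519_pubkey_line(bytes(range(32)), "host@example")
SAMPLE_PRIV = (
    "-----BEGIN OPENSSH PRIVATE KEY-----\nPLACEHOLDER\n-----END OPENSSH PRIVATE KEY-----"
)

if __name__ == "__main__":
    vm_ip = "203.0.113.10"  # documentation address, stands in for the new VM
    print(cloud_init_user_data(SAMPLE_PRIV, SAMPLE_PUB))
    print("known_hosts:", known_hosts_line(vm_ip, SAMPLE_PUB))
    print("expect on console:", fingerprint_sha256(SAMPLE_PUB))
```

Append the known_hosts line to ~/.ssh/known_hosts (or pass it via `-o UserKnownHostsFile`) before the first `ssh root@203.0.113.10`, and the client never sees an "authenticity can't be established" prompt, so a man-in-the-middle on that first hop gets a hard mismatch instead of a yes/no question. The caveat is where the private key travels: user-data is visible to the provider and, on most clouds, readable from inside the VM through the metadata endpoint by any local process, so this defends against a network attacker, not a hostile provider; rotate the host key after the first login if that matters to you.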

https://www.joachimschipper.nl/Stop%20MITM%20on%20the%20first%20SSH%20connection%2C%20on%20any%20VPS%20or%20cloud%20provider.html

Vulnerabilities

Local privilege escalation in the Linux kernel ("Dirty Frag" and "Copy Fail 2") - PoCs available, no patch

On 7 May 2026, two new vulnerabilities in the Linux kernel were made public, known as "Dirty Frag" and "Copy Fail 2: Electric Boogaloo". Both vulnerabilities allow local, unprivileged users to escalate to root. [..] They are deterministic logic bugs without a race condition; a failed attempt does not cause a kernel panic, and the probability of success is described as high. [..] Existing countermeasures against "Copy Fail" (CVE-2026-31431), in particular blocking the algif_aead module, do NOT protect against "Dirty Frag" or "Copy Fail 2". [..] Affected are most current Linux distributions with the page-cache path enabled in esp4/esp6 or rxrpc. [..] At the time this warning was published, fully patched kernels were not yet available for most distributions.
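The advisory says the vulnerable path sits in esp4/esp6 or rxrpc and that the algif_aead block from "Copy Fail" does not help; it does not tell you how to find out what a given host has. The block below is an added example, not part of the CERT.at warning: it classifies each named module as built into the running kernel, loaded, or not loaded, and emits a modprobe.d snippet that refuses to load it. That snippet is this editor's stopgap suggestion, not the advisory's recommendation: it cannot help where the code is built in (look for a "builtin" result), it breaks IPsec (esp4/esp6) and AF_RXRPC users, and it is no substitute for the fixed kernel. The sample /proc/modules and modules.builtin text in the test is constructed.

```python
"""Inventory of the kernel modules named in the advisory (esp4, esp6, rxrpc).

Added example, not from the CERT.at warning. The modprobe.d stopgap is an
editor's suggestion: useless for built-in code, disruptive for IPsec and
AF_RXRPC users, and not a replacement for a patched kernel.
"""
import os
import platform

ADVISORY_MODULES = ("esp4", "esp6", "rxrpc")


def classify_module(name, proc_modules, modules_builtin):
    """Classify from the text of /proc/modules and /lib/modules/<rel>/modules.builtin."""
    loaded = {line.split()[0] for line in proc_modules.splitlines() if line.strip()}
    builtin = set()
    for path in modules_builtin.split():
        base = os.path.basename(path)
        builtin.add(base[:-3] if base.endswith(".ko") else base)
    if name in builtin:
        return "builtin"  # compiled into vmlinux: no module to block
    if name in loaded:
        return "loaded"
    return "not loaded"


def blacklist_snippet(names):
    """modprobe.d content. `install X /bin/false` also defeats autoload
    (e.g. socket(AF_RXRPC) pulling in rxrpc), which a bare `blacklist X`
    line does not. Unload already-loaded modules separately with rmmod."""
    return "".join(f"install {n} /bin/false\n" for n in names)


def read_system_state(release=None):
    """Read the live files; on non-Linux hosts both come back empty."""
    release = release or platform.release()

    def slurp(path):
        try:
            with open(path) as f:
                return f.read()
        except OSError:
            return ""

    return slurp("/proc/modules"), slurp(f"/lib/modules/{release}/modules.builtin")


if __name__ == "__main__":
    proc_modules, builtin = read_system_state()
    for m in ADVISORY_MODULES:
        print(f"{m}: {classify_module(m, proc_modules, builtin)}")
    print("--- /etc/modprobe.d/advisory-stopgap.conf ---")
    print(blacklist_snippet(ADVISORY_MODULES), end="")
```

Treat a "not loaded" result with care: it only means the module is not resident now, and an unprivileged process can still trigger autoload of a network protocol module, which is exactly why the snippet uses `install ... /bin/false` rather than `blacklist`. Whatever the inventory says, the real fix is the distribution kernel update once it ships.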

https://www.cert.at/de/warnungen/2026/5/linux-lpe-dirty-frag-copy-fail-2

LWN Security updates for Friday

https://lwn.net/Articles/1071859/