The author of the BlueHammer exploit, which was released earlier this month and addressed in the last Patch Tuesday, continues to be annoyed with the responses from the Microsoft security research and vulnerability response team, and has released another Windows zero-day attack against Windows Defender.
The RedSun exploit targets a logic and timing error in Windows Defender, convincing it to install the target file in the system, instead of quarantining the file and protecting the system. Not, generally, what you would hope would happen.
Since the RedSun attack requires local access in the first place, it seems unlikely Microsoft will release an out-of-sequence patch for it, however with public code available, we can probably expect to see malware leveraging it to establish higher permissions on an infected system.
Releasing exploits out of spite feels like a return to the late 1990s, and I almost don’t hate it.
University Domains Hijacked
Reported in Bleeping Computer, a group tracked as “Hazy Hawk” has been hijacking unmaintained DNS records of universities and government institutions to serve ad click spam.
The attack is simple and doesn't even require compromising the institution itself: it relies on dangling DNS "CNAME" records. A "CNAME" entry in DNS acts essentially as an alias, pointing one domain name at another, which can be used to serve content from an official domain that is actually hosted on a cloud service where the IP address of the service might change.
A DNS "A" (or "AAAA" if you speak IPv6) record points a hostname – like "foo.example.com" – to an IP address – like "1.1.1.1". A "CNAME" record points a hostname to another hostname, like "foo.some_cloud_host.com". Scanning "high value" domains (like Ivy League universities) for "CNAME" records which point to expired domains (or to names on cloud hosting providers that no longer exist) lets anyone able to register that domain (or to create an account with the matching naming scheme on the cloud host) post whatever content they wish while still appearing under the original name.
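The defensive side of the same observation is auditing your own zone for CNAMEs whose chain ends at a name that no longer resolves. The following script is an added example, not code from the article or from the researchers who reported Hazy Hawk: the zone fragment and the resolver answers are constructed, and the `lookup` callable is a stand-in for a real DNS query (an assumption; in practice you would back it with a resolver library) so that it runs offline. It also follows in-zone CNAME chains, so a record that points at another record which is itself dangling is reported too.

```python
"""Audit a DNS zone for dangling CNAME records (added example, not part of
the original article).

A CNAME whose chain ends at a name that no longer resolves can be claimed by
anyone who registers the expired domain or recreates the matching name on
the cloud host, so the zone owner wants to find those records first.
"""

# Constructed BIND-style zone fragment for a hypothetical institution.
ZONE = """\
www.example.edu.      300 IN A     192.0.2.10
mail.example.edu.     300 IN AAAA  2001:db8::25
events.example.edu.   300 IN CNAME events-site.cloudhost.example.
alumni.example.edu.   300 IN CNAME alumni-2019.oldvendor.example.
shop.example.edu.     300 IN CNAME alumni.example.edu.
library.example.edu.  300 IN CNAME www.example.edu.
"""

# Constructed resolver view: external names that still answer.
# Anything not listed here is treated as NXDOMAIN by stub_lookup().
LIVE_EXTERNAL_NAMES = {"events-site.cloudhost.example."}

MAX_HOPS = 8  # sanity bound on CNAME chain length (also catches loops)


def parse_zone(text):
    """Map owner name -> (rtype, rdata) for the A/AAAA/CNAME records in a zone."""
    zone = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5:
            continue
        owner, _ttl, _cls, rtype, rdata = parts[:5]
        if rtype in ("A", "AAAA", "CNAME"):
            zone[owner] = (rtype, rdata)
    return zone


def chain_end(name, zone, lookup):
    """Follow CNAMEs starting at `name`.

    Names inside our own zone are answered from the zone data; anything else
    is handed to `lookup`, which returns True if the name still resolves.
    Returns (resolves, last_name_examined).
    """
    seen = set()
    for _ in range(MAX_HOPS):
        if name in seen:
            return False, name          # CNAME loop
        seen.add(name)
        rec = zone.get(name)
        if rec is None:
            return lookup(name), name   # external name: ask the resolver
        rtype, rdata = rec
        if rtype != "CNAME":
            return True, name           # in-zone A/AAAA record
        name = rdata                    # in-zone CNAME: keep following
    return False, name                  # chain too long


def find_dangling_cnames(zone_text, lookup):
    """Return {owner: unresolvable_terminal_name} for every dangling CNAME."""
    zone = parse_zone(zone_text)
    dangling = {}
    for owner, (rtype, target) in zone.items():
        if rtype != "CNAME":
            continue
        ok, last = chain_end(target, zone, lookup)
        if not ok:
            dangling[owner] = last
    return dangling


def stub_lookup(name):
    """Stand-in for a real resolver query (assumption for this example)."""
    return name in LIVE_EXTERNAL_NAMES


if __name__ == "__main__":
    for owner, broken in sorted(find_dangling_cnames(ZONE, stub_lookup).items()):
        print(f"DANGLING {owner} -> chain ends at {broken} (does not resolve)")
```

Run against the constructed zone, it flags both `alumni.example.edu.` (its vendor name is gone) and `shop.example.edu.` (which aliases the alumni record), while `library.example.edu.` is fine because its chain ends at an in-zone A record. Remediating a hit means deleting the record or re-pointing it, not waiting for the target to come back.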
At least 30 educational institutions have been impacted, along with several government agencies including the CDC.
Linux Drops Old Network Drivers
A recent patch set to the Linux kernel schedules 18 legacy network drivers for removal, citing an increased maintenance burden due to bugs found by AI and fuzzing tools. This seems to be in line with other recent Linux kernel efforts to deprecate particularly old devices, migrating single-core systems to the multi-core scheduler and flagging i486 support for removal.
All of the devices slated to go are from 2002 or earlier, and are all ISA or PCMCIA Ethernet devices. Ultimately, it probably makes sense to remove problematic drivers for devices which have been out of production for 25 years or more, but it’s personally a bit painful to see the 3COM 3c59x driver going away, which was the first Ethernet card I had in a Linux system.
Bitwarden CLI Client Compromised
Following the theme the past month of supply chain hacks, the latest high-profile casualty is the Bitwarden command line client. There are indications this is the same group responsible for several of the previous weeks of supply chain attacks on NPM, GitHub, and VS Code extensions.
Bitwarden is a password manager, with the option of self-hosting, similar to LastPass or 1Password. The trojanized version of the Bitwarden CLI contains malicious code to spread the supply-chain botnet by stealing authentication tokens, SSH keys, and AI service tokens. Whenever GitHub tokens are found, the script will also attempt to modify the GitHub Actions – the automatic scripts run for code validation or package building – to embed itself in any packaged repository it has write access to.
In many ways, what could have been an astoundingly serious incident – the compromise of the password manager vault – turned into a case of the dog catching the car. (If a dog chasing cars caught one, would he even know what to do with it?) A surprising turn of events from code designed to steal credentials.
Mythos “Hacked”
Anthropic has admitted that there has been “unauthorized access” to the new Mythos model. The company has made copious announcements about the danger their new model brings for security and exploit development, humble-bragging that it is too dangerous for public use. Meanwhile it appears that enthusiasts on an AI-focused Discord were able to social engineer access from a third-party Anthropic contractor.
It is difficult to ascertain what risk Mythos will actually represent once it becomes generally available. Like any new bug discovery tool, the challenge is not only in finding a possible bug, but in validating that it can be triggered. When the concept of fuzzing — spamming programs with invalid or nearly-valid input — was popularized, thousands of bugs were found rapidly. OSS-Fuzz found almost 30,000 bugs in 360 projects, per this paper. That’s truly an intimidating quantity of issues to fix, but hardly heralded as apocalyptic.
The impact of new AI on bug finding will have to be assessed in retrospect, but it's not exactly comforting that the same company making claims of world-changing danger in its models was itself the victim of a social engineering campaign that exposed the model for weeks.
Nextcloud Ends Bug Bounty
Another week, another project ending their bug bounty program. This week it’s Nextcloud, a self-hostable file hosting platform – basically an open source Dropbox analogue.
Like other projects, Dropbox puts the blame on a flood of low-quality but time consuming AI generated bug reports. As of April 22, 2026, Nextcloud will no longer offer rewards for bug reports, regardless of the severity of the bug.
iOS Patches Notifications
Apple has released iOS 26.4.2 which fixes a notification issue used recently to expose Signal messages.
A recent court case demonstrated that it was possible to extract the content of Signal messages on an iPhone, even if the app and notifications had been deleted. This is not a flaw in Signal itself, or even limited to iOS devices: when Signal is configured to show the content of a message in a notification, it’s no longer under the control of the Signal app itself. For devices which have the option to show notifications on the lock screen, the content of messages is also no longer protected by user authentication!
Investigators were able to extract the notifications database from the phone, and from there, extract previous Signal notifications containing message content thought to have been deleted.
$2.5 M Stolen from Sri Lanka
Wrapping up, Newswire reports that Sri Lankan officials have confirmed that $2.5 million in funds were stolen from their Ministry of Finance by redirecting a foreign debt repayment. Few details are available, but such attacks typically take advantage of a compromised email account, using existing email threads to continue a conversation and change payment details.
Similar attacks happen on a smaller scale, often targeting real estate agencies and small banks – institutions likely to have little to no information security processes but who handle large lump sums of money. Having it occur on a national level is certainly a little unusual.

somehow i’m sad to see ISA fade away even though i retired my last ISA-capable motherboard in 2003.
There exist PCI-to-ISA adapters and PCIe-to-PCI adapters. So it is still possible to use a 35-year-old 512KB VGA card on a modern system. Making it work is another story; the drivers are all likely 16-bit anyway and won't get accepted on a modern 64-bit OS.
I too hate to see legacy support fade. Hopefully functional copies of distros that support hardware for offline use don't fade as well. It is true that the hardware in question is functionally dead, but there is something akin to hope when you know as long as the hardware functions there is software to support it.
All the drama around drivers getting removed would’ve been a non-issue if Linux went with hybrid kernel approach like Windows NT. Unfortunately the moron that is the BDFL preferred to simp to the “good old times” (which he never really experienced himself) of AT&T UNIX master computer and a bunch of dumb terminals doing X11.
Hybrid kernels are neither here-nor-there for this question. You’re not going to be running ISA device drivers in user space. The important difference vs a lot of other systems is how the drivers are packaged, not how they’re run. As for the Linux choice to include all the drivers in the kernel…the advantage is that they’re all updated together, so it’s possible to, for example rewrite a whole subsystem. There’s of course disadvantages as well, especially when interacting with vendors that want to maintain a degree of control / closedness.
Specifically the reason support is being discontinued is that without testing, they cannot realistically be maintained. And that’s going to be true however they are packaged! No closed source vendor would have maintained their ISA drivers even this long — they would have failed to bitrot by now even if they had used a standardized interface that was nominally continuous into the modern era. Try to use an ISA 3com ethernet card from the late 1990s in Windows 11 and tell me how it goes!
Actually, the hidden truth is that hybrid kernels are central to this question. Running ISA drivers in between user and kernel space is precisely the future-proofing that is inherent to the Windows NT kernel. The key difference here is not the packaging but execution context. Keeping drivers out of the kernel reduces risk, isolates faults and makes it easier for a diverse community of coders to develop and test drivers independently. Packing every driver into the kernel, as Linux does, may seem to simplify coordinated updates and large refactors, but in reality it discriminates against creative IT powerhouses established in countries such as Indonesia. Don't be a phool. This concentrates control and increases the chance that systemic discrimination is kept alive and it creates barriers for contributors who prefer novel approaches to driver development.
Support is being discontinued not because testing is impossible, but because current practices focus on ways that discourage broader participation, especially amongst people who are not from English-speaking countries. If Linux developers prioritized a modular, open approach then maintenance would be viable regardless of packaging. On the other hand closed-source vendor control (as is the case of Microslop) is not an inevitability; stronger, loose-knit commitments of programmers from all across the world will lead programming to enable transparency, shared freedom, and community-supported development which is going to keep legacy drivers usable for decades. From a social responsibility standpoint, pushing for modular drivers, kernel openness and collective participation reduces electronic waste, protects vulnerable users who cannot upgrade frequently and shifts the maintenance burden onto well developed economies in the EU. Rather than accepting bigotry as industry standard we should adopt community-driven policies and funding models that preserve and extend hardware lifespans.
Bigotry?…are you for real?
…and talking about bigotry…stop complaining that someone else does not do what benefits you. If you don’t like it, develop your own OS…from scratch. No one is stopping you…
I assume that in the “hybrid kernel approach” you assume someone would be maintaining the 3c59x driver out-of-tree, or that the driver ABI would remain stable enough that it can be used without maintenance?
Maintaining modules out-of-tree has been quite feasible with DKMS for ages now. Stable ABI is a separate decision, one which would also take a lot of effort to maintain.
But I expect the real truth is that no-one cares about running the latest kernels on systems with 3c59x network card, and that there isn’t really any “drama”. Even this Hackaday article just has some feelings of nostalgia, it doesn’t claim the author has actually used the driver in decades.
I thought this was talking about Nextcloud but here it says Dropbox getting bug reports. I didn’t realize Dropbox had an accessible bug database.
I know it’s bad, m’kay? But can’t help cheering for the CNAME exploit. So simple that while it’s just being written about it’s probably been used for years. The Sri Lankan case? No sympathy. They got hit with a stupidity tax.
AI strikes again… driver removals and bug bounty disappearing…. Must be a real headache for maintainers.
I remember the 3c59x as well. But time keeps moving on. There is always ‘old’ Linux versions if you want to run old hardware. So just a minor blip on the radar.
“… AT&T UNIX master computer and a bunch of dumb terminals doing X11.”
Nothing wrong with a multi-user OS with consoles, and running X11. It worked, and still works well even today. Timeless. Linux got it right envisioning a multi-user system from the ground up with an eye to using the tools that were already being used. Still evolving today. From my point of view there is no reason to even run M$ OS anywhere. Unless of course you are 'locked in' to the ecosystem, for some reason, or just 'want' to run it and feed the beast… so to speak. I see Ubuntu 26.04 LTS was released yesterday. So I have to put some time on 'my' schedule to upgrade at 'my' convenience, probably within the next 6-12 months… No on-line accounts to create, no forced hardware upgrades, no licences, etc… Just download and run… Gotta love it. The way computing should be.
“iOS Patches Notifications”
Trying to make a secure/privacy product that runs on someone else's OS/hardware is problematic.
They say "don't roll your own security", but if you cannot trust the OS maker, you'll have to add more custom code. Apps providing their own virtual keyboard, because the OS or 3rd party keyboard might be logging (telemetry). Apparently notifications should only show: "click here to see new message", launching the app's notification screen.
I miss the days where there was too little memory and bandwidth for logging.