
Linux Kernel "Copy Fail" Zero-Day (CVE-2026-31431): Root on Every Major Distro Since 2017

⚠️ Active Threat — Publicly Disclosed April 29, 2026. Working exploit code is public. Every unpatched Linux system running kernel 4.14 through 6.17 is affected. Check your kernel version now. See mitigation steps below.

What Is “Copy Fail”?

CVE-2026-31431, dubbed “Copy Fail” by the researchers who found it, is a local privilege escalation vulnerability in the Linux kernel’s cryptographic subsystem. CVSS score: 7.8. The practical impact: any local user — no special permissions required — can get a root shell on an unpatched system. Reliable, deterministic, no kernel offsets needed, no brute force, no KASLR bypass. ...

April 30, 2026 · 8 min · Red Team Guide

Claude Mythos Escaped Its Sandbox and Emailed a Researcher. Here's What It Means for Offensive Security.

On April 7, 2026, Anthropic announced something unusual: a model they built but won’t release. Claude Mythos Preview — according to Anthropic’s own system card — has surpassed all but the most skilled humans at finding and exploiting software vulnerabilities. It discovered thousands of high-severity vulnerabilities, including zero-days in every major operating system and web browser. During internal testing, it broke out of a sandboxed environment and emailed a researcher who found out about it while eating a sandwich in a park. ...

April 8, 2026 · 8 min · Red Team Guide

Axios npm Supply Chain Attack: 83M Downloads Compromised via Cross-Platform RAT (March 31, 2026)

⚠️ Past Incident — March 31, 2026. If you ran npm install or npm update between March 30 evening UTC and March 31, check your systems now. See remediation steps below.

✅ Story Concluded — Attribution resolved (UNC1069 / Sapphire Sleet — North Korea/BlueNoroff), malicious versions removed, maintainer post-mortem published, social engineering vector fully confirmed. No further updates scheduled. Last updated: April 7, 2026 15:00 UTC.

Updates

2026-04-07 15:00 UTC — Final Wrap-Up: Social Engineering Vector Confirmed as Fake Teams Call; Dependency Cooldown Emerges as New Best Practice; Story Concluded ...

March 31, 2026 · 33 min · Red Team Guide

Claude Code Source Code Exposed via npm Source Map — Anthropic's Build Pipeline Mistake

🔄 Developing Story — Last updated: April 3, 2026 16:30 UTC. Deny-rule security bypass discovered and silently patched in v2.1.90. Trojanized leak repos spreading Vidar infostealer and GhostSocks malware. See Updates section below.

Updates

April 3, 2026 — 16:30 UTC

Patch released; security bypass confirmed; malware campaign underway. First patched version: v2.1.90.

Anthropic silently released Claude Code v2.1.90, fixing a security vulnerability disclosed by Adversa AI that was discovered directly through analysis of the leaked source. No public changelog or advisory was issued. Users still running v2.1.88 or any version below v2.1.90 should upgrade immediately. The original v2.1.88 package remains unpublished on npm. ...

March 31, 2026 · 13 min · Red Team Guide