# Today's Top Stories
June 27, 2026
-
1. FBI: Russian hackers now target Signal backup recovery keys (BleepingComputer, general, Jun 26)
The FBI and CISA have updated their March 2026 advisory warning that Russian intelligence-linked phishing campaigns targeting Signal users have evolved to steal Signal Backup Recovery Keys — not just session credentials. Once a key is obtained, attackers can fully restore an account's message history and take persistent control, as the key remains valid after the initial compromise.
-
2. New Linux pedit COW Exploit Enables Root Access by Poisoning Cached Binaries (The Hacker News, general, Jun 26)
CVE-2026-46331, dubbed 'pedit COW,' is an out-of-bounds write vulnerability in the Linux kernel's traffic-control act_pedit subsystem that allows local unprivileged users to gain root by corrupting shared page-cache memory. A public working exploit appeared within one day of the CVE being assigned on June 16, 2026; Red Hat has rated the flaw as high severity, making rapid patching critical for Linux-based environments.
-
3. New DirtyClone Linux Kernel Flaw Lets Local Users Gain Root via Cloned Packets (The Hacker News, general, Jun 26)
CVE-2026-43503 (CVSS 8.8), dubbed 'DirtyClone' and part of the DirtyFrag Linux kernel vulnerability family, allows local users to corrupt file-backed memory via cloned network packets to achieve root privilege escalation. JFrog Security Research published a working exploit walkthrough on June 25, 2026, making this the first public demonstration of this variant; a patch has been issued but rapid deployment is essential.
-
4. Polymarket customers lose $3 million in supply-chain attack (BleepingComputer, general, Jun 26)
Polymarket, the decentralized prediction market platform, suffered a $3 million supply-chain attack in which hackers injected a malicious script into the platform's frontend after breaching a third-party vendor. Polymarket confirmed it will fully reimburse affected customers, but the incident underscores the systemic risk of frontend supply-chain compromises to crypto and Web3 platforms.
-
5. CISA Adds Exploited PTC Windchill RCE Flaw to KEV as Web Shell Attacks Continue (The Hacker News, general, Jun 26)
CISA added CVE-2026-12569, a critical remote code execution flaw in PTC Windchill PDMLink and PTC FlexPLM, to its Known Exploited Vulnerabilities catalog after confirming active in-the-wild exploitation via web shell attacks. PTC Windchill is widely deployed in industrial and manufacturing environments, making this the first confirmed exploitation of this product and a significant OT/ICS supply chain risk.
-
6. CISA sets urgent deadline to fix Cisco flaw exploited in attacks (BleepingComputer, general, Jun 26)
CISA issued an urgent directive giving federal agencies until Sunday to patch an actively exploited vulnerability in Cisco Unified Communications Manager Server. Active exploitation has been confirmed, placing U.S. government network infrastructure at immediate risk and signaling potential broader targeting of enterprise Cisco UC deployments.
-
7. Google Details Turla's New STOCKSTAY Backdoor Used in Ukraine Espionage Attacks (The Hacker News, general, Jun 26)
Google Threat Intelligence Group has attributed the previously undocumented .NET backdoor STOCKSTAY to Turla (Russian state-sponsored), with confirmed deployments against Ukrainian government and military organizations as well as entities with ties to Italian foreign policy. The backdoor is described as under continuous development, indicating an active and evolving espionage toolchain targeting NATO-adjacent targets.
-
8. Russia Used Cellebrite on Jailed Activist's iPhone Months After Sales Cutoff (The Hacker News, general, Jun 26)
Citizen Lab confirmed that Russian authorities used Cellebrite UFED forensic tools to extract data from the iPhone of opposition activist Andrey Pivovarov in June 2021 — three months after Cellebrite publicly stated it had ceased sales and services to Russia and Belarus. The finding demonstrates that export controls and vendor contract terminations are insufficient to prevent continued use of commercially sold surveillance technology by authoritarian governments.
-
9. New SharkLoader Malware Deploys Cobalt Strike in StrikeShark Cyberattacks (The Hacker News, general, Jun 26)
Kaspersky has identified a new threat campaign called 'StrikeShark' deploying a previously undocumented loader called SharkLoader to deliver Cobalt Strike Beacon, targeting a diplomatic organization in Indonesia and government organizations in Taiwan. The campaign represents a new custom malware toolkit purpose-built for loader-stage operations against high-value government and diplomatic targets in Southeast Asia.
-
10. New macOS malware embeds fake errors to confuse AI analysis tools (BleepingComputer, general, Jun 25)
A newly discovered macOS malware dubbed 'Gaslight' embeds fake error messages and prompt injection strings within its executable specifically to confuse and mislead AI-assisted malware analysis tools. This represents a deliberate adversarial evolution in malware design, targeting the growing reliance on LLM-based sandboxes and analysis platforms used by defenders.