Threat Advisories

CVE 2026 31431, commonly known as “Copy Fail”, is a high severity local privilege escalation vulnerability affecting the Linux kernel. The issue impacts kernels shipped by all major Linux distributions since 2017 and allows a local, unprivileged user to gain root level execution on the host system.

In late March 2026, a threat actor operating under the alias “The_Auditors” claimed to have breached BlackLine Systems, a US‑based financial automation and accounting software provider. The attacker alleges the exfiltration of approximately 354 GB of sensitive financial and operational documents, reportedly totaling over 1.5 million records belonging not only to BlackLine, but to its enterprise customers. At the time of writing, BlackLine has not publicly confirmed a breach, and the claims remain unverified. However, multiple cybersecurity intelligence firms have assessed the allegations as credible based on multiple indicators.

A new and active npm supply‑chain attack has been observed abusing compromised maintainer credentials to self‑propagate malicious code across packages in the Node.js ecosystem. The malware steals authentication material (npm tokens, cloud credentials, CI/CD secrets, SSH keys, and wallet data) and uses any discovered publishing tokens to inject itself into additional packages owned by the same maintainer, creating worm‑like lateral spread.

Microsoft has disclosed a critical remote code execution (RCE) vulnerability in the Windows Internet Key Exchange (IKE) Service Extensions, tracked as CVE‑2026‑33824. The vulnerability is caused by a double‑free memory handling flaw that can be triggered remotely by an unauthenticated attacker sending specially crafted network traffic to a vulnerable system. Successful exploitation could allow arbitrary code execution with system‑level privileges.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has confirmed active exploitation of a high‑severity remote code execution (RCE) vulnerability in Apache ActiveMQ Classic, tracked as CVE‑2026‑34197. The flaw has been added to CISA’s Known Exploited Vulnerabilities (KEV) Catalog, signalling verified malicious activity in the wild and elevating remediation priority for all organizations using affected versions of ActiveMQ.

A critical supply chain attack has impacted the widely used JavaScript library Axios following the compromise of its primary maintainer’s npm account. Threat actors used the hijacked account to publish two malicious versions, axios@1.14.1 and axios@0.30.4, which introduced a rogue dependency (plain-crypto-js@4.2.1). This dependency was not part of the legitimate Axios codebase and existed solely to execute a post install script that deployed a cross-platform Remote Access Trojan (RAT).

LiteLLM is a highly popular open-source Python library and proxy server that provides a unified interface for calling over 100+ Large Language Model (LLM) APIs, such as OpenAI, Anthropic, Bedrock, and VertexAI, using the standard OpenAI input/output format. It simplifies multi-LLM integration, offering features like automatic fallbacks, retries, and cost tracking. Because it functions as an API gateway, it acts as a credential aggregator by design, securely holding API keys for various LLM providers.

CVE202620963 was originally published in January 2026, but it has recently gained renewed attention due to confirmed active exploitation.

The UK and Ireland are now facing elevated cyber risk as Iranian‑aligned threat actors launch retaliatory operations in response to Operation Epic Fury, the joint US‑Israeli strikes on Iran.

Earlier this week we wrote a blog post on the cyber affairs amidst the US-Israel war on Iran, called Operation Epic Fury. In which we observed that there would be an elevated response from state sponsored threat actors, against the western organisations with a middle eastern presence as a retaliation for these attacks.