
Linux Kernel Exploit, GitHub RCE, and Canvas Cyberattack

This episode explores how every layer of the stack has become an attack surface — from a privilege-escalating Linux kernel flaw and a GitHub infrastructure RCE to a poisoned RubyGems supply chain, a trojanized vendor installer, and a ransomware hit on centralized education infrastructure.

Five stories this week, one thread: the attack surface isn't just at the perimeter. It's every layer your stack inherited and forgot about. The kernel under every Linux box, the pipeline under every code push, the registry behind every build, the installer from a vendor you already trust. Here's what stood out from the operator chair.

A reliable privilege escalation makes every initial access vector more dangerous. A Linux kernel flaw dubbed copy_fail gives any local user root in ten lines of Python, unmodified, across virtually every major distro shipped since 2017. The team's read: this changes how you score risk. A 7.3-severity initial access bug you might have deprioritized becomes a full-compromise chain when paired with something this reliable. The systems most at risk are the ones that can't come down for a patch window: hospitals, critical infrastructure, IoT devices nobody thinks to update. Segment them and assume the race has already started.

A single git push was all it took to reach GitHub's shared storage nodes. Wiz Research found that any authenticated GitHub user could trigger remote code execution on backend infrastructure with a single git push, reaching shared nodes housing millions of public and private repos. GitHub patched and validated in six hours with no evidence of exploitation. However, our team pushes back on treating that as a benchmark. Most organizations aren't wired the same way. When availability isn't the product, patch urgency gets weighed against business disruption, and that calculus looks different for everyone.

Package trust can't be static. Every dependency is a relationship that can change after you adopt it. A sleeper account on RubyGems spent seven months publishing legitimate packages before turning malicious to harvest credentials: environment variables, SSH keys, AWS credentials. You can't catch this with a point-in-time scan. The account name also surfaced a real cybersecurity firm in search results, providing just enough ambient legitimacy to avoid scrutiny. Continuous behavioral monitoring of your dependency tree is no longer optional.
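One concrete way to act on "a dependency can change after you adopt it" is to treat every lock-file change as a review event rather than trusting whatever the resolver pulled. The script below is an added example written for this page, not code from the episode or from RubyGems; it parses two constructed Gemfile.lock excerpts (the gem names `tidy-logger` and `tidy-logger-ext` are hypothetical), reports which gems were added, removed, or bumped between an approved baseline and the current lock, and returns whether a human review is required before the build proceeds.

```python
import re

# Constructed Gemfile.lock excerpts for illustration (not real project lock files).
BASELINE_LOCK = """\
GEM
  remote: https://rubygems.org/
  specs:
    rack (2.2.8)
    rake (13.1.0)
    tidy-logger (0.4.2)
      rack (>= 2.0)

PLATFORMS
  ruby

DEPENDENCIES
  rack
  rake
  tidy-logger
"""

# Same project after a routine `bundle update`: one gem bumped, one new transitive gem pulled in.
CURRENT_LOCK = """\
GEM
  remote: https://rubygems.org/
  specs:
    rack (2.2.8)
    rake (13.1.0)
    tidy-logger (0.5.0)
      rack (>= 2.0)
    tidy-logger-ext (0.1.0)

PLATFORMS
  ruby

DEPENDENCIES
  rack
  rake
  tidy-logger
"""

# A resolved gem sits at exactly four spaces of indent; its own dependencies sit at six.
SPEC_LINE = re.compile(r"^ {4}(\S+) \(([^)]+)\)$")


def parse_lock(text):
    """Return {gem_name: version} for the resolved gems in a Gemfile.lock."""
    gems = {}
    in_specs = False
    for line in text.splitlines():
        if line.strip() == "specs:":
            in_specs = True
            continue
        if in_specs and not line.startswith("  "):
            in_specs = False  # a blank line or the next top-level section ends the specs block
        if in_specs:
            m = SPEC_LINE.match(line)
            if m:
                gems[m.group(1)] = m.group(2)
    return gems


def lock_drift(baseline_text, current_text):
    """Diff two lock files: new gems, dropped gems, and version changes."""
    base, cur = parse_lock(baseline_text), parse_lock(current_text)
    return {
        "added": sorted(set(cur) - set(base)),
        "removed": sorted(set(base) - set(cur)),
        "changed": {
            name: (base[name], cur[name])
            for name in sorted(set(base) & set(cur))
            if base[name] != cur[name]
        },
    }


def needs_review(drift):
    """A new gem or a version bump is new code entering the build; both need a human look."""
    return bool(drift["added"] or drift["changed"])


if __name__ == "__main__":
    drift = lock_drift(BASELINE_LOCK, CURRENT_LOCK)
    for name in drift["added"]:
        print(f"ADDED    {name}")
    for name in drift["removed"]:
        print(f"REMOVED  {name}")
    for name, (old, new) in drift["changed"].items():
        print(f"CHANGED  {name} {old} -> {new}")
    print("review required" if needs_review(drift) else "no drift")
```

Run as a CI gate, the approved baseline is the last lock file a reviewer signed off on; the gate fails whenever `needs_review` is true, so a maintainer who turns malicious seven months in still has to get a version bump past a reviewer rather than past a scanner that already cleared the package once.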

A signed installer is not a safe installer. Kaspersky found the official Daemon Tools vendor site distributing a trojanized installer dropping QuickRat, an implant that injects into notepad.exe and conhost.exe and beacons over QUIC to blend into normal traffic. Signature validation passed; the tell was behavioral, and behavioral analysis is the layer that still applies. The telling read: burning a capable RAT on a niche tool suggests the consumer infections were collateral. The actual targets were government and scientific sector organizations where Daemon Tools was known to be in use, meaning the delivery vector was chosen for its access, not its volume.
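The behaviors named above (code injected into notepad.exe and conhost.exe, then outbound QUIC from those processes) are exactly the kind of thing a signature misses and a behavioral rule catches. The detector below is an added example written for this page, not code from Kaspersky's report or from any EDR product; it runs over constructed endpoint events in a Sysmon-like shape (the field names, the `installer.exe` source, the `browser.exe` allowlist entry, and the TEST-NET addresses are all assumptions) and flags network activity from processes that have no business on the network, escalating when the same process was earlier the target of a remote thread.

```python
# Processes that never need outbound network access on a normal workstation.
WATCHED_HOSTS = {"notepad.exe", "conhost.exe"}
# Hypothetical allowlist of applications expected to speak QUIC (UDP/443).
QUIC_CLIENTS = {"browser.exe"}

# Constructed endpoint telemetry in a Sysmon-like shape (not real logs from the campaign).
SAMPLE_EVENTS = [
    {"ts": "2024-01-01T10:00:01", "event": "process_start", "pid": 4012,
     "image": r"C:\Windows\System32\notepad.exe", "parent_image": r"C:\Windows\explorer.exe"},
    {"ts": "2024-01-01T10:00:02", "event": "remote_thread", "source_pid": 2210,
     "source_image": r"C:\Users\alice\Downloads\installer.exe",
     "target_pid": 4012, "target_image": r"C:\Windows\System32\notepad.exe"},
    {"ts": "2024-01-01T10:00:05", "event": "network_connect", "pid": 4012,
     "image": r"C:\Windows\System32\notepad.exe", "proto": "udp",
     "dst_ip": "203.0.113.10", "dst_port": 443},
    {"ts": "2024-01-01T10:00:06", "event": "network_connect", "pid": 5120,
     "image": r"C:\Program Files\Browser\browser.exe", "proto": "udp",
     "dst_ip": "203.0.113.20", "dst_port": 443},
    {"ts": "2024-01-01T10:00:07", "event": "network_connect", "pid": 6100,
     "image": r"C:\Windows\System32\conhost.exe", "proto": "tcp",
     "dst_ip": "198.51.100.5", "dst_port": 443},
    {"ts": "2024-01-01T10:00:08", "event": "network_connect", "pid": 7300,
     "image": r"C:\Program Files\Tool\updater.exe", "proto": "udp",
     "dst_ip": "198.51.100.9", "dst_port": 443},
]


def basename(path):
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def detect(events):
    """Return findings, in time order, for injection into and network use by watched processes."""
    injected = {}   # target pid -> image that created a remote thread in it
    findings = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        kind = ev["event"]
        if kind == "remote_thread":
            target = basename(ev["target_image"])
            if target in WATCHED_HOSTS:
                source = basename(ev["source_image"])
                injected[ev["target_pid"]] = source
                findings.append({"severity": "medium", "pid": ev["target_pid"], "image": target,
                                 "reason": f"remote thread created in {target} by {source}"})
        elif kind == "network_connect":
            img = basename(ev["image"])
            dest = f"{ev['proto']}/{ev['dst_port']} to {ev['dst_ip']}"
            if img in WATCHED_HOSTS:
                # Any outbound connection from these is wrong; after injection it is the beacon.
                if ev["pid"] in injected:
                    sev, why = "high", f"{img} beaconed {dest} after injection by {injected[ev['pid']]}"
                else:
                    sev, why = "medium", f"{img} made an outbound connection {dest}"
                findings.append({"severity": sev, "pid": ev["pid"], "image": img, "reason": why})
            elif ev["proto"] == "udp" and ev["dst_port"] == 443 and img not in QUIC_CLIENTS:
                # QUIC from something that is not a known QUIC client deserves a look on its own.
                findings.append({"severity": "low", "pid": ev["pid"], "image": img,
                                 "reason": f"unexpected QUIC client: {img} sent {dest}"})
    return findings


SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3}


def highest_severity(findings):
    """Worst severity present, or 'none' when the list is empty."""
    return max((f["severity"] for f in findings), key=SEVERITY_RANK.get, default="none")


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"[{f['severity']:6}] pid={f['pid']} {f['reason']}")
```

The rule does not care what the implant is called or how the installer was signed: notepad.exe and conhost.exe talking to the network is the alert, and the remote-thread correlation is what lifts a medium into a high and names the dropper.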

Centralizing education doesn't create convenience — it creates leverage. ShinyHunters hit Canvas during finals week, threatening to leak data tied to nearly 9,000 institutions. When Canvas went down, school stopped. Not because institutions failed to protect themselves, but because Canvas long ago stopped being a tool and became the infrastructure itself. The grade book is Canvas. The classroom is Canvas. There was no fallback because there was nothing else. Canvas is to education what Salesforce is to enterprise: the single system everything runs through, the one you can't rip out. The difference is that enterprises have the budget, legal exposure, and regulatory pressure to treat that dependency seriously. Education has the same concentration risk and none of the defenses. Compliance requirements exist, but they carry almost no enforcement teeth — which makes it structurally difficult to justify the security investment until something like this happens. Canvas held the data, Canvas was the target, and the schools and students were collateral. That's not a security failure. That's what centralized infrastructure looks like when it gets hit.

A three-day deadline means nothing if the clock started 180 days ago. CISA is weighing a proposal to cut federal KEV remediation deadlines from weeks to three days, driven by AI-accelerated exploitation compressing the gap between disclosure and weaponization. Our team's counterpoint: the three-day clock starts at disclosure, but by then the vulnerability may have been in the wild for 90 to 180 days already. GitHub patching in six hours feels like a gold standard, but finding a bug there is like finding one in a hospital. You spot it fast because everything is spotless. Most organizations aren't working in those conditions, and a deadline without enforcement or the infrastructure to meet it is just pressure with nowhere to go.




About the speaker, Sean McMillan

Community Manager

Sean McMillan is Community Manager at Bishop Fox, focused on making complex security topics easier to understand and more interesting to follow. He holds a bachelor’s degree in Mass Communication and Media Studies from Arizona State University and brings over a decade of experience in podcasting, live hosting, and audience engagement. As host of Initial Access, he works with practitioners to explore how real-world attacks actually happen.



About the speaker, Dillon Sparks

Senior Operator

Dillon Sparks is a Senior Operator at Bishop Fox, serving on the Threat Enablement Team with a focus on Attack Surface Intelligence and Emerging Threat Analysis. He applies deep expertise in offensive security, network exploitation, and systems analysis to help organizations understand and mitigate real-world risk across complex software and infrastructure environments.



About the speaker, John Untz

Senior Security Engineer, Exploit Developer

John Untz is a Senior Security Engineer and Exploit Developer at Bishop Fox, where he focuses on reverse engineering emerging threats and developing advanced capabilities to protect our customers' attack surfaces. Prior to joining Bishop Fox, John served in a number of selectively manned US Air Force teams, and is a graduate of the NSA's Computer Network Operations Development Program (CNODP).



About the speaker, Sergio Villegas

Senior Analyst II

Sergio Villegas is a Senior Analyst II in the Attack Surface Intelligence team at Bishop Fox where he is one of the lead researchers. His main areas of focus are emerging threats, attack surface mapping, and tactical lead generation. Sergio has over 11 years of experience in cybersecurity during which he has worked as a researcher and consultant to help companies improve their procedures, technologies, and techniques around threat intelligence and threat hunting.
