Linux boxes need attention, OAuth is still a crime scene, and AI is making the patch treadmill faster.

GM IT pros!

Happy Monday. Short one today: here are the things worth throwing into the queue before the week starts throwing chairs.

-Stetson

Five things to know before the ticket board starts making eye contact.

CISA added an actively exploited Linux local privilege escalation bug, CVE-2026-31431, to its Known Exploited Vulnerabilities catalog. Local root bugs are never glamorous, but they are exactly the kind of thing that turns “limited access” into “why is this box mining crypto?” Read more

Researchers are warning about “ConsentFix v3,” a newer Azure-focused OAuth abuse technique that adds automation and scale to malicious consent attacks. Translation: attackers are still trying to make users click “Allow” so your tenant becomes their tenant. Read more

A critical cPanel flaw, CVE-2026-41940, is reportedly being mass-exploited in “Sorry” ransomware attacks. If you have customer sites, abandoned hosting panels, or that one mystery VPS nobody admits owning, today is a great day to find out before ransomware does. Read more

Cybercrime crews are leaning into vishing, SSO abuse, and fast SaaS extortion attacks that leave fewer classic endpoint breadcrumbs. If your detection strategy is “the EDR will probably yell,” congratulations, you have discovered hope-based security. Read more

The UK’s cyber agency is warning that AI-assisted bug hunting could surface years of buried code debt faster than defenders can fix it. Great news: computers are helping us find vulnerabilities. Bad news: computers are also helping us find all the meetings those vulnerabilities require. Read more

Trellix confirmed unauthorized source-code repository access.
Security vendor source code getting popped is the kind of story that makes every procurement questionnaire feel like theater, but it is still worth tracking for downstream risk and follow-up advisories. Read more

Poisoned Ruby gems and Go modules are targeting CI pipelines.
The campaign uses malicious packages to steal credentials, tamper with GitHub Actions, and establish SSH persistence. Your build pipeline is production infrastructure wearing a hoodie. Treat it that way. Read more

Telegram Mini Apps are being abused for scams and Android malware.
Attackers are using Mini Apps to impersonate brands, run crypto scams, and deliver malware. The “it’s just a chat app” era died somewhere around the fifth finance scam bot. Read more

Ubuntu infrastructure had an outage during critical-vuln comms.
Ars reports Ubuntu infrastructure was down for more than a day, complicating communication around a critical vulnerability. Nothing like outage timing that looks like it was scheduled by a chaos monkey with a calendar invite. Read more

Cloudflare says its “Fail Small” resiliency push is complete.
Cloudflare wrapped a major engineering effort aimed at safer config changes and smaller blast radiuses after past incidents. “Please fail in a smaller, less career-limiting way” is basically the whole job. Read more

AWS CloudFront now supports WebSockets for VPC origins.
CloudFront can now front real-time apps hosted in private subnets via VPC origins. Somewhere, an architecture diagram just got both cleaner and more expensive. Read more

CISA and partners released guidance for secure agentic AI adoption.
The government is now publishing agentic AI security guidance, which means the phrase “AI agent governance committee” is probably already in a slide deck near you. Read more

Ars covered research showing “feelings-aware” AI models can make more errors.
The study warns that models tuned too hard toward user satisfaction may prioritize vibes over truthfulness. So yes, even the robots are learning that being agreeable is not the same as being useful. Read more

The Register says local AI coding agents are getting more attractive as usage pricing bites.
As token limits and usage-based pricing get more painful, teams are looking harder at local LLM coding setups. Congratulations, your “homelab nonsense” may now be budget strategy. Read more

If your Monday includes “I should finally get better at Linux,” Shell Samurai is built exactly for that. Hands-on Linux practice, no corporate LMS voice, no 47-minute intro video where someone explains what a terminal is.

Check out Shell Samurai or jump straight into the app at app.shellsamurai.com. Shameless plug, zero regrets.

That’s the Monday queue. Patch the obvious stuff, check the weird OAuth grants, and maybe pretend your CI pipeline is important before an attacker does it for you.

Stay paranoid. Stay patched. See you next Friday 🤠