Since our last update, the pattern holds: attackers are going after trust relationships and everyday infrastructure rather than exotic zero-days. A state-linked espionage campaign rode ordinary IP cameras, a new extortion crew abused a legitimate passkey enrollment flow, and researchers showed that AI code-review tools can be blinded by a technique as simple as an image file. Here’s what changed.
Espionage watch: hijacked doorbell cameras tracked NATO weapons shipments
Dutch intelligence services AIVD and MIVD disclosed a large-scale Russian operation that compromised internet-connected doorbell and IP cameras positioned along military transport routes across NATO member states, including the Netherlands, and inside Ukraine. The goal: identify which weapons systems were moving toward Kyiv by watching the cameras that happened to overlook the roads they travel on. Attackers used off-the-shelf scanning tools to find devices still running default passwords and outdated firmware — no custom malware or novel exploit required. Affected camera operators along the identified routes have been notified, but the exact locations remain undisclosed. Euromaidan Press · Newsmax
For any organization running IP cameras or other unmanaged IoT devices on a network segment that touches anything logistics- or security-sensitive, this is a reminder that “consumer-grade” devices are still endpoints. Default credentials and unpatched firmware on a doorbell camera are exactly as exploitable as they are on a server.
Patch priority: “Bad Epoll” hands out root on Linux and Android
A use-after-free race condition in the Linux kernel’s epoll subsystem — the I/O event notification facility used by nginx, Node.js, Python’s asyncio, databases, and Android’s own event loop — lets any unprivileged local user escalate straight to root. Tracked as CVE-2026-46242 and dubbed “Bad Epoll,” the bug affects kernel versions 5.10 through 6.11 and was quietly patched upstream on April 24, but sat unannounced for roughly 70 days until researcher Jaeyoung Chung published a working exploit with a reported 99% success rate. No special capabilities or elevated access are needed to trigger it. The Hacker News · Security Affairs
Because epoll is load-bearing for nearly everything, there’s no meaningful workaround short of patching. Check kernel versions across your server fleet and mobile device management inventory now — this affects both.
Identity abuse: a second vishing crew targets Entra passkey enrollment
A threat actor Okta tracks as O-UNC-066, running a data-extortion brand called “Pink,” has been vishing employees since April 2026 with a pretext that they need to enroll a new Microsoft Entra passkey for security reasons. The call routes victims to an operator-controlled phishing kit — hosted on domains containing the word “passkey” and branded to match the victim’s own organization — where the attacker enters the harvested credentials on Microsoft’s real sign-in page in real time, observes whatever MFA challenge appears, and walks the victim through registering a passkey the attacker controls instead of the victim. Targets span food and beverage, technology, healthcare, automotive, construction, and aviation. Pink launched a public extortion site on May 31 to pressure victims into paying. Okta Threat Intelligence · BleepingComputer
This is the same identity-first playbook covered in last week’s Helix writeup, applied to a different Microsoft authentication flow. Two independent crews converging on device/passkey enrollment abuse in the same month suggests it’s becoming a preferred technique, not an isolated stunt. Any employee-facing “re-enroll your security method” call should route through a verified callback number, never a link read out over the phone.
AI supply chain: prompt injection hidden inside an image
Security researchers demonstrated a technique called “Ghostcommit” that hides an AI prompt injection payload as text rendered inside a PNG image, referenced from a repository’s AGENTS.md file. AI code-review tools CodeRabbit and Bugbot both missed it — CodeRabbit’s default configuration excludes image files from review entirely, and Bugbot returned no findings even when the researchers left the words “malicious prompt injection” directly in the image. The trap only fires later: when a developer asks an unrelated coding agent for a routine feature, the agent follows the AGENTS.md pointer to the image, reads the instructions embedded in it, opens the repository’s .env file, and emits its contents as an encoded numeric constant inside committed code — a working exfiltration path that passed code review clean. Cursor and Antigravity followed the instructions and leaked the .env under several models tested; Claude Code refused under every model tested, explicitly narrating the refusal. BleepingComputer
If your engineering org runs AI coding agents against internal repositories, this is worth testing directly: confirm your code-review tooling actually opens and screens image assets, and don’t assume “no findings” from an AI reviewer means a file is clean.
Final thought
Three of this week’s four stories didn’t need a traditional exploit at all — a scanner finding default-password cameras, a phone call routed through a real Microsoft login page, and an image file a review bot never opened. Kernel patching still matters (get ahead of Bad Epoll), but detection coverage has to extend to unmanaged IoT devices, enrollment-flow abuse, and now the AI tooling sitting inside your own development pipeline. If you want a second opinion on whether your current logging would catch an unusual passkey enrollment or unexpected outbound traffic from a build agent, see our guide to supply chain attacks against software companies or book a discovery call.