May 6, 2026 by sig9
Hacker Wars - May 06, 2026
Your daily dose of infosec chaos
Today’s theme: your firewall is on fire, your favorite disc imaging tool is a trojan horse, and developers are the new prime targets. Just another Wednesday in the infosec trenches.
Palo Alto Firewall Zero-Day Under Active Exploitation
CVE-2026-0300 is a critical buffer overflow in the PAN-OS Captive Portal service, scoring a spicy 9.3 CVSS. It allows unauthenticated remote code execution on PA and VM-series firewalls - meaning attackers can own your perimeter gear without even logging in. Exploitation is already happening in the wild.
What to do: Patch PAN-OS immediately. If you can’t patch yet, disable or restrict access to the Captive Portal service.
DAEMON Tools Supply Chain Attack Hits Governments
Attackers trojanized the official DAEMON Tools installer starting April 8, pushing backdoors to thousands of downloaders worldwide. But here’s the interesting part: the sophisticated payload only deployed on about a dozen high-value systems belonging to government and scientific organizations. Classic supply chain hit with surgical precision.
What to do: Check if your org installed DAEMON Tools recently. Verify installer hashes and scan endpoints for indicators of compromise.
New Quasar Linux Malware Hunts Developers
A previously unknown Linux implant called QLNX is making the rounds, combining rootkit, backdoor, and credential-stealing capabilities into one nasty package. It specifically targets developer workstations - because of course it does, that’s where the keys to the kingdom live: source code repos, cloud creds, CI/CD pipelines, all the goodies.
What to do: Audit developer endpoints for unusual processes or rootkit indicators. Review access controls for source code repositories and CI/CD secrets.
Instructure Breach Exposes 280 Million Education Records
The edtech giant behind Canvas LMS got hit, and the attacker claims to have stolen data from 8,800 schools and universities - 280 million records covering students and staff. That’s a significant chunk of the global education sector’s data in one shot.
What to do: If your institution uses Instructure products, monitor for updates on affected datasets and watch for targeted phishing using leaked student/staff information.
Catch you tomorrow. In the meantime, go check your attack surface.
Brought to you by sig9 - sig9.ch | Protecting the unseen, securing the unknown