Checkmarx Jenkins AST Plugin Compromised; Linux Kernel Privilege Escalation; Apple OS Updates Include Notification Fix Backport

On May 9, 2026, software security company Checkmarx posted a security update warning that a "modified" version of its Jenkins Application Security Testing (AST) Scanner plugin had been published in the Jenkins Marketplace; Jenkins is an automation platform used for continuous integration and continuous delivery (CI/CD). This is the latest in a series of Checkmarx supply chain compromises ongoing since March, affecting the company's GitHub Actions and OpenVSX extensions, believed to be follow-on attacks from Trivy's supply chain breaches beginning in late February. The threat actors defaced the GitHub repository for the Checkmarx Jenkins AST Scanner plugin, and according to SOCRadar, "backdoored the plugin itself [...] Any Jenkins instance that pulled this version during the exposure window would have installed a compromised plugin." The unauthorized plugin is version 2026.5.09, and Checkmarx urges users to roll back to version 2.0.13-829.vc72453fa_1c16 (published December 17, 2025) or earlier. SOCRadar also recommends rotating all secrets accessible from affected Jenkins runners, searching for indicators of compromise (IoCs) including artifacts mentioned in the Checkmarx advisory as well as "Dune-themed" repository names, reviewing Jenkins build logs, and pinning plugins to known safe versions. Checkmarx has not described the exact nature of the modified plugin nor verified threat actor attribution.

A researcher has publicly disclosed the second privilege escalation exploit for the Linux kernel in two weeks. Dubbed "Dirty Frag" and compared to the recent "Copy Fail," the exploit is deterministic and involves chaining two page cache write vulnerabilities, one "write-what-where condition" involving the esp/xfrm component (CVE-2026-43284, CVSS 8.8), and one "out-of-bounds write" involving the rxrpc component (CVE-2026-43500, CVSS 7.8). Together these allow an attacker to elevate privileges to root by making unauthorized changes to protected system files. Microsoft notes that "Dirty Frag may be leveraged after initial compromise through SSH access, web-shell execution, container escape, or compromise of a low-privileged account. [...] Affected environments may include Ubuntu, RHEL, CentOS Stream, AlmaLinux, Fedora, openSUSE, and OpenShift." While kernel maintainers have released fixes for both flaws, only a handful of distributions have published patches at the time of this writing. Both Dirty Frag and Copy Fail were disclosed with proof-of-concept exploits before distributions had issued patches. Wiz security urges users to temporarily disable the vulnerable kernel modules, assess operational impact and patch immediately once available, harden local access paths, monitor for suspicious activity, and conduct cleanup if compromise is suspected. Microsoft has observed signs of possible ongoing exploitation in the wild.

Apple has released updates to address more than 50 security flaws across its products. On May 11 the company released version 26.5 of MacOS, iOS, iPadOS, visionOS, tvOS, watchOS, and HomePod, as well as updates to iOS and iPad OS 18, 15.8.8, 16.7.16, and 17.7.11, which include backporting of a fix for the notification retrieval flaw reported in April (CVE-2026-28950). Version 26.5 also adds support for encrypted RCS messaging. This is likely to be the last major update to these OS versions before Apple's Worldwide Developer Conference later this summer.

Last month, law enforcement authorities in Taiwan arrested a 23-year-old student for allegedly sending signals to Taiwan High Speed Rail's (THSR's) communication network. The student was released on NT$100,000 (about US$3,168) bail on Wednesday, April 29. The suspect allegedly sent a General Alarm signal via a terrestrial trunked radio (TETRA) handset. Protocol required employees to follow emergency response plans and manually stop the trains. Because of the method by which the signal was sent, authorities initially thought the unauthorized signal was from an insider. However, using information gleaned from CCTV footage and TETRA network logs, authorities were able to trace the device used to send the unauthorized signal to the suspect's home. Authorities have determined that the student, who is identified only by his surname, Lin, had an accomplice who provided him with information that allowed the false alarm to be sent. Taiwan High Speed Rail (THSR) confirmed that the incident disrupted services of three trains for just under an hour on April 5, 2026.

The Canvas educational technology platform is back online after being taken down in response to a ransom demand. On Thursday, May 7, threat actors defaced the Canvas login page, demanding a ransom be paid or they would leak personal data. Canvas serves 275 million students and faculty members at close to 9,000 educational institutions. Canvas parent company Instructure took the platform down in response to the demand, which urged individual educational institutions to negotiate their own ransom payments to prevent personal data from being published. The decision disrupted students' and faculty's access to the platform in the midst of final exams. Some schools made the decision to postpone exams. The ransom demand is the latest in a string of related incidents: on May 1, Instructure CISO Steve Proud posted on the Confirmed Security Incident page that the company "recently experienced a cybersecurity incident perpetrated by a criminal threat actor." A post the following day reads that the company "believe[s] the incident has been contained," and a May 6 post says, "Canvas is fully operational." On May 11, Instructure CEO Steve Daly issued an apology on the company's Security Incident Update & FAQs page for the way in which information was communicated the preceding week, and announced changes intended to remedy earlier missteps. The incident has since been resolved, and Canvas is once again available to students and faculty.

The UK Information Commissioner's Office (ICO) has fined South Staffordshire Plc and South Staffordshire Water Plc £963,900 ($1.3 million) for failing to implement adequate security protections, as evidenced by a ransomware attack that was discovered in 2022. The attack resulted in the intruders publishing personal information of more than 660,000 people. A subsequent investigation revealed that the intruders initially gained access to South Staffordshire Water's systems in 2020. The issues the ICO found with the systems included "limited controls, which allowed the attacker to escalate their privileges to admin after gaining an initial foothold on the network; inadequate monitoring and logging; [... just] 5 percent of South Staffordshire's IT environment was being monitored; running unsupported software, including Windows Server 2003; and poor vulnerability management." South Staffordshire Water supplies drinking water to 1.6 million people.

The FCC has delayed the deadline for its ban on software and firmware updates for foreign-made routers from March 1, 2027 to at least January 1, 2029. The FCC has not ruled out making the waiver for updates permanent. The policy change, which the FCC says was made in "the public interest," comes just weeks after an April 27 letter to the FCC from the Consumer Technology Association (CTA) urging the FCC to extend the deadline. The extended deadline also applies to foreign made drones.

BWH Hotels is notifying customers that their personal data were compromised following a security breach of an online application. According to the notification email, BWH became aware of the incident on April 22, 2026, and the intruders accessed six months worth of information, dating back to October 14, 2025. The breach involved a "web application that houses certain guest reservation data." The Register has asked BWH whether the intruders had access to the application data for six months, or of the April breach allowed the intruders to access six months worth of data. They also asked BWH if the incident is related to reports earlier this year that BWH customer data were being used in phishing campaigns. BWH has not yet responded to the Register's request for comment. BWH Hotels owns the WorldHotels, Best Western Hotels & Resorts, and Sure Hotels brands.

Law enforcement authorities in Germany have "shut down the relaunch of the criminal online trading platform 'Crimenetwork' on Wednesday in an internationally coordinated operation." One individual was arrested in Mallorca; the suspect is a German citizen and is being charged with building and administering a new technical infrastructure for Crimenetwork within days of the shutdown of the previous version of the marketplace and the arrest of its administrator in December 2024. The Crimenetwork marketplace trafficked in illicit goods and services, including stolen data, drugs, and forged documents, with transactions conducted in cryptocurrency. Police seized Crimenetwork's technological infrastructure and roughly €194,000 (US$228,000) in illicitly obtained assets, along with user and transaction data that can be used to conduct further investigations into criminal activity. The operation was led by Germany's Central Office for Combating Internet Crime, Zentralstelle zur Bekämpfung der Internetkriminalität (ZIT) and the Federal Criminal Police Office Bundeskriminalamt (BKA) with assistance from law enforcement authorities in Spain.

A US federal jury in Virginia has convicted former federal contractor Sohaib Akhter on multiple charges, including conspiracy to commit computer fraud and password trafficking. Akhter and his twin brother and co-defendant, Muneeb Akhter, were both employed by a company in Washington, DC, "that provided software products and services to more than 45 federal government agencies and hosted data for some federal government clients on servers." The brothers were fired from their positions at the unnamed company after the company learned that Sohaib had a prior felony conviction from 2015. Within hours of losing their jobs, the two men "sought to harm their employer and its U.S. government customers by accessing computers without authorization, write-protecting databases, deleting databases, and destroying evidence of their unlawful activities." In all, they deleted 96 databases holding US government information. Both were arrested on December 3, 2025. Sohaib Akhter is scheduled to be sentenced on September 9, 2026; he may face up to 21 years in prison. Muneeb Akhter has not yet been convicted