eastbaycyber

Palo Alto Exploited, Chrome Zero-Day Patched, and Three Critical CVEs

Threat digests 8 min read
EC
East Bay Cyber Editorial Team Reviewed 2026-06-28

TL;DR - AI coding agents can be tricked by clean-looking GitHub repos into running malware. - High-risk flaws landed in Gitea act_runner, Zephyr, FFmpeg, and a WordPress plugin. - Prioritize CI runners, embedded Zephyr builds, media pipelines, and WordPress hardening today.

Top Stories

Clean GitHub repo tricks AI coding agents into running malware

A notable supply-chain risk emerged this week: a benign-looking GitHub repository can cause AI coding agents to fetch and execute a malicious payload during setup, while appearing clean to scanners, AI reviewers, and humans. BleepingComputer’s write-up is the clearest operational summary here: BleepingComputer.

Why this matters

Security teams have spent years teaching developers not to blindly run install scripts. Agentic tooling reintroduces the same problem at machine speed:

  • the repository may look harmless on first inspection
  • the malicious logic may be staged indirectly
  • automated setup steps can execute attacker-controlled code before review gates trigger

What to do now

  • Restrict AI coding agents from executing arbitrary bootstrap commands on untrusted repos.
  • Run agent-driven cloning and setup in isolated sandboxes with no production credentials.
  • Block outbound network access from development sandboxes unless explicitly required.
  • Require human approval before curl | bash, package post-install hooks, container builds, or setup scripts run.

AI and cybersecurity race coverage remains noisy

Two AI/cybersecurity stories circulated widely via Google News aggregation: Wall Street Journal coverage on China’s progress in cybersecurity-related AI capabilities and commentary from the University of St. Thomas on AI-related cyber threats. These are useful for strategic awareness, but they are less actionable than the concrete exploitation and vulnerability stories in today’s digest. Sources: WSJ via Google News, University of St. Thomas via Google News.

Operational takeaway

Treat AI tooling as an extension of your software supply chain, not just a productivity layer.

Critical Vulnerabilities

CVE-2026-58053: Gitea act_runner Docker backend hardening bypass

CVSS 9.9

A critical issue in Gitea act_runner with the Docker backend allows a user who can run a workflow to pass dangerous container options even when privileged: false is configured. According to the advisory, options such as --pid=host, --cap-add, and --security-opt can still be merged into the container config, enabling host escape and root-level compromise of the runner host. References: VulnCheck advisory, PoC.

Why defenders should care

If developers, contractors, or CI users can submit or modify workflows on self-hosted Docker-backed runners, this can become a direct path to host takeover.

Immediate actions

  • Disable or isolate Docker-backed self-hosted Gitea runners handling untrusted workflows.
  • Treat all runner hosts as high-risk and rotate credentials accessible from them.
  • Review workflow permissions and who can trigger jobs.
  • Segregate runner hosts from production networks and secrets stores.

Technical Notes

Check whether your runner deployment uses Docker and whether workflows can set container options.

# Example: inspect act_runner service and config
systemctl status act_runner
ps aux | grep act_runner

# Search for runner config and references to Docker backend
grep -R "docker" /etc /opt /srv 2>/dev/null | grep act_runner
grep -R "privileged" /etc /opt /srv 2>/dev/null

Hunt for suspicious container launches on runner hosts:

docker ps -a
docker inspect <container_id> | jq '.[0].HostConfig | {Privileged, PidMode, CapAdd, SecurityOpt}'

High-signal indicators include:

PidMode: "host"
CapAdd: ["SYS_ADMIN", ...]
SecurityOpt: ["seccomp=unconfined", ...]
Binds to sensitive host paths

CVE-2026-10643: Zephyr recvmsg() out-of-bounds write

CVSS 8.7

Zephyr’s IP socket recvmsg() path improperly validated ancillary control-buffer sizing and could write past the end of the provided buffer. On systems with CONFIG_USERSPACE, the bug can corrupt kernel heap memory from an unprivileged userspace thread under reachable conditions. Fix reference: Zephyr commit.

Why defenders should care

This is primarily a product-security and embedded-device risk. If you ship devices based on Zephyr and expose network-facing UDP services, this deserves priority triage.

Immediate actions

  • Identify products and internal projects using Zephyr.
  • Review whether affected builds enable userspace and relevant socket options.
  • Pull the upstream fix into your build pipeline.
  • Prioritize QA for network-facing embedded devices.

Technical Notes

Teams maintaining Zephyr-based firmware should start with source and config discovery:

# Find Zephyr trees in monorepos
find . -type d -name zephyr

# Look for config flags relevant to userspace and networking
grep -R "CONFIG_USERSPACE=y" .
grep -R "IP_PKTINFO\|IPV6_RECVPKTINFO\|recvmsg" .

Review whether your application uses UDP sockets with ancillary data:

setsockopt(fd, IPPROTO_IP, IP_PKTINFO, &on, sizeof(on));
recvmsg(fd, &msg, 0);

If present, validate patched source against the upstream commit.


CVE-2026-58049: FFmpeg RASC decoder out-of-bounds write

CVSS 8.6

FFmpeg’s RASC decoder contains an out-of-bounds write and adjacent read in decode_dlta, leading to memory corruption when a crafted media stream is decoded. References: FFmpeg source, VulnCheck advisory, PoC.

Why defenders should care

This is most relevant if you:

  • process untrusted media uploads
  • run automated transcoding pipelines
  • use FFmpeg in desktop, server, or appliance workflows

Even niche codecs matter when broad libraries are embedded deep inside products.

Immediate actions

  • Inventory where FFmpeg is bundled, not just where it is manually installed.
  • Block or quarantine untrusted media ingestion where feasible.
  • Update packages once vendor fixes are available in your distribution or product channel.
  • Consider disabling decoding paths you do not need.

Technical Notes

Identify installed FFmpeg builds:

ffmpeg -version
which ffmpeg
dpkg -l | grep ffmpeg
rpm -qa | grep -i ffmpeg

Search applications that embed FFmpeg libraries:

ldconfig -p | grep avcodec
find /opt /usr/local -type f \( -name "*.so*" -o -name "*.bin" \) 2>/dev/null | xargs strings 2>/dev/null | grep -i ffmpeg

For media-processing services, watch for crash indicators:

segfault
double free
heap-buffer-overflow
invalid read
invalid write
libavcodec
rasc

CVE-2026-8095: WordPress Frontend File Manager Plugin arbitrary file deletion

CVSS 8.1

The Frontend File Manager Plugin for WordPress is affected by authenticated arbitrary file deletion in versions up to and including 23.6. The issue reportedly allows Subscriber-level users to manipulate a stored file path and ultimately pass arbitrary filesystem paths to unlink(), which could include wp-config.php. References: Plugin source 1, Plugin source 2, Wordfence advisory.

Why defenders should care

Subscriber-access bugs are dangerous on sites with:

  • open registration
  • customer portals
  • membership functionality
  • weak role hygiene

File deletion can become site takeover if key files are removed and recovery flows are abused.

Immediate actions

  • Disable or remove the plugin if not strictly needed.
  • Update as soon as a fixed version is available.
  • Audit low-privilege WordPress accounts.
  • Restrict self-registration and enforce MFA for administrators.

Technical Notes

Check plugin presence and version:

wp plugin list | grep -i "frontend file manager\|nmedia-user-file-uploader"

Review recent WordPress users and suspicious AJAX activity:

wp user list --role=subscriber
grep -R "admin-ajax.php" /var/log/nginx /var/log/apache2 2>/dev/null | grep -i "wpfm"

Potential log patterns to review:

POST /wp-admin/admin-ajax.php
action=wpfm_file_meta_update
WPFM_DIR_PATH=
wpfm_dir_path=

What Defenders Should Do Today

1. Lock down CI and automation environments

Today’s highest operational risk is the combination of AI-assisted development and CI runner trust.

  • Sandbox all automated repo setup steps.
  • Remove long-lived credentials from runner hosts.
  • Enforce ephemeral build workers where possible.
  • Separate untrusted build infrastructure from internal management networks.

2. Prioritize patching by blast radius

A practical order for many teams:

  1. Gitea runners if untrusted users can submit workflows
  2. WordPress plugin if subscriber access exists
  3. FFmpeg in untrusted media pipelines
  4. Zephyr in shipping embedded products and exposed UDP services

3. Hunt for signs of exploitation or unsafe exposure

Start with these questions:

  • Which systems execute untrusted code automatically?
  • Which services decode untrusted files?
  • Which low-privilege users can reach dangerous AJAX endpoints?
  • Which embedded products ship Zephyr networking features?

4. Tighten monitoring around these paths

Useful telemetry sources today include:

  • Docker daemon events on CI hosts
  • WordPress web logs and admin-ajax access
  • crash logs for FFmpeg-driven services
  • firmware build manifests and SBOMs for Zephyr consumers

Technical Notes

Example Docker event monitoring during triage:

docker events --since 24h

Quick WordPress file integrity check:

find /var/www/html -type f -name "wp-config.php" -ls
wp core verify-checksums

Basic package and service inventory snapshot:

uname -a
systemctl list-units --type=service
dpkg -l > /tmp/pkglist.txt 2>/dev/null || rpm -qa > /tmp/pkglist.txt

Bottom Line

The standout theme today is trust abuse in automation. The AI-agent GitHub repo story shows how quickly “helpful” execution can become a malware path, while the Gitea flaw shows what happens when workflow trust boundaries are too loose. Pair that with exploitable bugs in Zephyr, FFmpeg, and a WordPress plugin, and the message is clear: reduce automatic execution, isolate risky workloads, and patch high-exposure systems first.

Primary sources cited: BleepingComputer, VulnCheck Gitea advisory, Zephyr fix commit, VulnCheck FFmpeg advisory, Wordfence advisory.

For more information on data classification, check out our glossary: What is Data Classification?. To learn how to review privilege escalation incidents, visit our FAQ: How to Review Privilege Escalation Incidents.

This article may contain affiliate links. We earn a commission on qualifying purchases at no extra cost to you. ```

Last verified: 2026-06-28

Disclaimer: This article may contain affiliate links. We earn a commission on qualifying purchases at no extra cost to you.