AMOS malware spreads on macOS through social engineering, stealing credentials while researchers debate whether its threat level is truly novel.

Google API keys are credentials that let applications access Google services, from Maps to the Gemini AI. If a key is leaked, an attacker can use it to make API calls, rack up charges, and, if Gemini is enabled, access uploaded files and cached conversations. The assumed fix is simple: delete the key. But Aikido Security has found that deletion doesn’t actually work right away. The testing The researcherd found successful authentications up to 23 … More →

The post Deleted Google API keys keep working for up to 23 minutes, researchers warn appeared first on Help Net Security.

There was a way to elevate normal Linux users' privileges to root, granting threat actors admin access.

The loophole allows spammers and scammers to send emails from a legitimate Microsoft email address typically used for sending genuine account alerts.

A critical zero-day remote code execution (RCE) vulnerability, dubbed nginx-poolslip, has been publicly disclosed in NGINX version 1.31.0, the latest stable release of the world’s most widely deployed web server software.

The discovery, made by security researcher Vega of the NebSec security team, was announced via X (formerly Twitter) on May 21, 2026, sending shockwaves through the global security community.

The timing is particularly alarming, just weeks prior, administrators worldwide scrambled to patch CVE-2026-42945, a critical heap buffer overflow in NGINX’s ngx_http_rewrite_module carrying a CVSS v4 score of 9.2.

That flaw, embedded in the codebase since 2008, exposed an estimated 5.7 million internet-facing NGINX servers to denial-of-service attacks and conditional RCE.

F5 patched it in NGINX Open Source versions 1.31.0 and 1.30.1, the very release that nginx-poolslip now targets.

New NGINX 0-Day “nginx-poolslip”

nginx-poolslip exploits a flaw in NGINX’s internal memory pool handling mechanism, allowing unauthenticated attackers to achieve remote code execution and potentially compromise the entire system.

Most critically, the vulnerability functions as a bypass of Address Space Layout Randomization (ASLR), a foundational OS-level memory protection designed to thwart exactly this category of memory corruption exploit.

The attack surface traces back to an nginx-rift predecessor vulnerability, which affected earlier NGINX versions and was subsequently patched.

Introducing nginx-poolslip, a fresh RCE for the the latest nginx release 1.31.0.

nginx-rift has been patched, but our security agent Vega has found a new 0 day.

We will release the full technical writeup with ASLR bypass 30 days after the patch on https://t.co/LAhOC5UHrp. pic.twitter.com/4rqMp4uA4i

— Nebula Security (@nebusecurity) May 20, 2026

However, NebSec’s research confirms that the patch for nginx-rift failed to remediate the underlying memory pool attack surface, leaving the door open for nginx-poolslip to emerge in the updated codebase.

NGINX powers an estimated 30–40% of all global web servers, spanning high-traffic platforms, reverse proxies, load balancers, and API gateways.

Because nginx-poolslip specifically targets version 1.31.0, the patch was rushed to deployment by admins. Following CVE-2026-42945, organizations that acted diligently may now find themselves re-exposed to a fresh, unpatched threat.

According to CSN, no CVE identifier has been assigned, and no official patch from F5/NGINX is available.

NebSec is operating under a 30-day responsible disclosure timeline, withholding full technical details, including the complete ASLR bypass methodology, until an official fix is released.

Mitigations

Until an official patch is issued, administrators should implement the following interim measures:

• Monitor NebSec and F5 security advisories closely for patch availability
• Restrict public exposure of NGINX admin interfaces and deploy WAF rules to reduce the attack surface
• Ensure ASLR is enforced system-wide by setting /proc/sys/kernel/randomize_va_space to 2
• Audit NGINX configurations for rewrite, if, and set directives using unnamed PCRE capture groups — a known precondition for pool-level memory corruption
• Evaluate memory-safe alternatives such as Cloudflare Pingora for mission-critical infrastructure

Given NGINX’s outsized role in global web infrastructure, the security community is closely monitoring NebSec’s coordinated disclosure.

Organizations are strongly urged to subscribe to F5’s security bulletin feed and prepare emergency patching workflows in anticipation of an imminent fix.

Follow us on Google News , LinkedIn and X to Get More Instant Updates. Set Cyberpress as a Preferred Source in Google.

The post New NGINX 0-Day “nginx-poolslip” Exposes Millions to RCE appeared first on Cyber Security News.

Open source software giant GitHub confirmed a data breach this week involving the theft of thousands of repos. One threat actor — TeamPCP — took credit.