2026-05-05 Security News Briefing
(Includes brief Chinese summaries + original links; collected only, please verify for yourself)
Trending Topics

DigiCert certificate authority breached, 60 EV code signing certificates stolen
Summary: DigiCert, a top global certificate authority, was hit by a social engineering attack. The attacker posed as a customer and delivered a malicious screensaver file (.scr) through the support chat channel; after infecting a support workstation, they pivoted through it into customer accounts and stole 60 EV code signing certificates. The stolen certificates have already been used to distribute the "Zhong Stealer" malware family. DigiCert revoked all 60 certificates within 24 hours.
Related links:
- SecurityWeek report: https://www.securityweek.com/digicert-revokes-certificates-after-support-portal-hack/
- HelpNetSecurity report: https://www.helpnetsecurity.com/2026/05/04/digicert-breach-code-signing-certificates-malware/
- Schneier analysis: https://www.schneier.com/blog/archives/2026/05/hacking-polymarket.html
Linux kernel Copy Fail vulnerability (CVE-2026-31431) exploited in the wild; CISA urgently adds it to KEV
Summary: The Linux kernel contains a high-severity logic flaw dating back to 2017 that allows an unprivileged attacker to write arbitrary code into the memory of other processes, potentially leading to full system compromise and root shell access. CISA has confirmed in-the-wild exploitation and added it to the Known Exploited Vulnerabilities catalog. The flaw is especially dangerous in containerized and multi-tenant environments.
The AI security race heats up: Anthropic's Claude Mythos finds 271 Firefox zero-days, OpenAI releases GPT-5.5-Cyber
Summary: Anthropic's Claude Mythos model autonomously discovered 271 zero-day vulnerabilities in Firefox, marking a new era of AI-driven vulnerability discovery. At the same time, OpenAI released the GPT-5.5-Cyber security model, with a 28% improvement in malicious code detection rate. AI is becoming a superweapon for attackers and defenders alike.
Top Stories
1. DigiCert Breached via Weaponized Screensaver File — 60 EV Code Signing Certificates Stolen
Translated title: DigiCert attacked via malicious screensaver file: 60 EV code signing certificates stolen
- Source: SecurityWeek | Impact: 60 EV certificates stolen, already used to distribute malware
- https://www.securityweek.com/digicert-revokes-certificates-after-support-portal-hack/
In-depth commentary: The compromise of DigiCert, a top-tier global CA, exposes the weakest link in the certificate trust chain: people. The attacker bypassed technical defenses with social engineering in the form of a disguised screensaver file, showing that even the strongest cryptographic system cannot withstand an end user's operational mistake. Stolen EV code signing certificates mean the attacker can sign malware that looks legitimate, a systemic threat to the entire software trust ecosystem. The CA industry must re-examine the identity verification and access control mechanisms in its support processes.
2. CVE-2026-31431 (Copy Fail): Linux Kernel Flaw Enables Root Access — Actively Exploited
Translated title: CVE-2026-31431 (Copy Fail): Linux kernel flaw enables root access; actively exploited
- Source: CISA / SANS ISC | Severity: High, affects all major Linux distributions (since 2017)
- https://isc.sans.edu/diary/rss/32952
In-depth commentary: A Linux kernel vulnerability that lay dormant for nine years has finally surfaced, and it is already exploited in the wild. Copy Fail allows an unprivileged process to write arbitrary code into another process's memory, which is especially deadly in containerized and multi-tenant environments: once an attacker has initial access, they can break out of isolation and control the whole node. This again shows the urgency of kernel-level security auditing, and that the principle of least privilege is not merely a best practice but a necessity for survival.
3. Microsoft Edge Stores All Saved Passwords in Cleartext Process Memory at Launch
Translated title: Microsoft Edge stores all saved passwords in cleartext in process memory at launch
- Source: Hacker News | Points: 518 pts | 183 comments
- https://news.ycombinator.com/item?id=48012735
In-depth commentary: At the moment it launches, Edge decrypts every saved password into process memory and keeps it there, even if the user has not visited any site that needs a password. This means any malware able to read process memory (such as an infostealer) can grab all of the user's passwords in one pass. With infostealers rampant, this design choice is puzzling. Browser vendors need to weigh convenience against security more carefully.
4. CVE-2026-41940: Critical cPanel Authentication Bypass Exploited Since February
Translated title: CVE-2026-41940: Critical cPanel authentication bypass exploited since February
- Source: CISA / Cybersecurity-Help | CVSS: 9.8 Critical
- https://www.cybersecurity-help.cz/blog/5386.html
In-depth commentary: The cPanel authentication bypass has been exploited in the wild since February 23, but CISA did not formally add it to the KEV catalog until May. A window of more than two months gave attackers ample time to compromise thousands of internet-exposed servers. The vulnerability has already been used in ransomware attacks, underscoring how critical hosting panel security is to the whole web ecosystem. Server administrators should immediately check whether their environments have been compromised.
5. CVE-2026-32202: Windows Shell Zero-Click Vulnerability — Feds Order Patch by May 12
Translated title: CVE-2026-32202: Windows Shell zero-click vulnerability; federal agencies ordered to patch by May 12
- Source: CISA | Type: Zero-click, exploited in the wild
- https://www.goyou.it/en/cybersecurity/2026/05/01/cve-2026-32202-feds-order-patch-by-may-12-for-exploited-zero-click-vulnerability.html
In-depth commentary: A Windows Shell zero-click vulnerability means an attacker can execute code remotely without any user interaction. CISA's unusually short patch deadline of just 10 days signals an extremely high threat level. Although Microsoft has not confirmed a link to APT28, zero-click vulnerabilities have historically been the weapon of choice for state-level attackers. Enterprise and individual users alike should update Windows immediately.
Vulnerabilities/CVE
6. Critical Android Zero-Click RCE: CVE-2026-0073
Translated title: Critical Android zero-click remote code execution vulnerability: CVE-2026-0073
- Source: CybersecurityNews | Type: Remote code execution
- https://cybersecuritynews.com/page/210/
7. Critical Apache HTTP Server Double-Free Flaw Exposes Millions to RCE
Translated title: Critical Apache HTTP Server double-free flaw exposes millions of servers to RCE
- Source: CybersecurityNews | Impact: Millions of servers
- https://cybersecuritynews.com/page/210/
8. Wiz ZeroDay.Cloud Event Reveals 20-Year-Old PostgreSQL Vulnerabilities
Translated title: Wiz ZeroDay.Cloud event reveals 20-year-old PostgreSQL vulnerabilities
- Source: HackRead | Impact: Critical flaw in pgcrypto
- https://hackread.com/page/14/
9. Security Advisory: Local Privilege Escalation in Lix and Nix
Translated title: Security advisory: Local privilege escalation in Lix and Nix
- Source: Lobsters | Score: 51 pts
- https://discourse.nixos.org/t/security-advisory-local-privilege-escalation-in-lix-and-nix/77407
10. CVE-2026-31431: Copy Fail vs. Rootless Containers
Translated title: CVE-2026-31431: How Copy Fail relates to rootless containers
- Source: Hacker News | Points: 85 pts
- https://news.ycombinator.com/item?id=48017813
11. Podman Rootless Containers and the Copy Fail Exploit
Translated title: Podman rootless containers and the Copy Fail exploit
- Source: Lobsters | Score: 11 pts
- https://garrido.io/notes/podman-rootless-containers-copy-fail/
Defense/Security Architecture
12. Anthropic Rolls Out Claude Security for AI Vulnerability Scanning
Translated title: Anthropic rolls out Claude Security for AI vulnerability scanning
- Source: Infosecurity Magazine | Status: Public beta
- https://www.infosecurity-magazine.com/news/the-week-in-brief/
13. CISA and Partners Publish Zero Trust Guidance for OT Security
Translated title: CISA and partners publish zero trust guidance for OT security
- Source: Infosecurity Magazine | Focus: Balancing cyber defense with safety system availability
- https://www.infosecurity-magazine.com/news/the-week-in-brief/
14. Wireshark 4.6.5 Released with Security Fixes
Translated title: Wireshark 4.6.5 released with security fixes
- Source: SANS ISC
- https://isc.sans.edu/diary/rss/32944
15. OpenAI To Extend Cyber Program to Government Agencies
Translated title: OpenAI to extend its cyber defense program to government agencies
- Source: Infosecurity Magazine | Program: Trusted Access for Cyber
- https://www.infosecurity-magazine.com/news/the-week-in-brief/
Offensive Security/PenTest
16. I Accidentally Made Law Enforcement Shut Down Their DDoS Honeypot
Translated title: I accidentally made law enforcement shut down their DDoS honeypot
- Source: Lobsters | Score: 64 pts
- https://lina.sh/blog/ddos-honeypot
17. A LinkedIn Recruiter Sent Me Malware Disguised as a “Pre-Interview Code Review”
Translated title: A LinkedIn recruiter sent me malware disguised as a "pre-interview code review"
- Source: Dev.to | Reactions: 40
- https://dev.to/vladimirnovick/a-linkedin-recruiter-sent-me-malware-disguised-as-a-pre-interview-code-review-2k3j
18. Google AppSheet Exploited in 30,000-User Facebook Phishing Operation
Translated title: Google AppSheet exploited in 30,000-user Facebook phishing operation
- Source: HackRead | Impact: Thousands of Facebook Business accounts
- https://hackread.com/page/14/
19. Deep#Door Python Backdoor Evades Detection on Windows
Translated title: Deep#Door Python backdoor evades detection on Windows
- Source: Infosecurity Magazine | Technique: Tunneling + obfuscation to steal credentials
- https://www.infosecurity-magazine.com/news/the-week-in-brief/
AI Security (LLM Security/Prompt Injection)
20. Claude Mythos Has Found 271 Zero-Days in Firefox
Translated title: Claude Mythos has found 271 zero-days in Firefox
- Source: Schneier on Security | Significance: A milestone for autonomous AI vulnerability discovery
- https://www.schneier.com/blog/archives/2026/04/claude-mythos-has-found-271-zero-days-in-firefox.html
21. AI Agents vs Code Vulnerabilities: Was Anthropic Mythos a Big Deal or Fear-mongering?
Translated title: AI agents vs code vulnerabilities: Was Anthropic Mythos a big deal or fear-mongering?
- Source: Dev.to | Reactions: 13
- https://dev.to/maximsaplin/ai-agents-vs-code-vulnerabilities-was-anthropic-mythos-a-big-deal-or-fear-mongering-8ci
22. What Anthropic’s Mythos Means for the Future of Cybersecurity
Translated title: What Anthropic's Mythos means for the future of cybersecurity
- Source: Schneier on Security
- https://www.schneier.com/blog/archives/2026/04/what-anthropics-mythos-means-for-the-future-of-cybersecurity.html
23. Nine-Year-Old Zero-Day Flaw in Linux Kernel Discovered by AI-Equipped Security Researcher
Translated title: Nine-year-old zero-day flaw in the Linux kernel discovered by an AI-assisted security researcher
- Source: Infosecurity Magazine | Vulnerability: CVE-2026-31431
- https://www.infosecurity-magazine.com/news/the-week-in-brief/
Zero Trust/Identity Security
24. ADT Breach Impacts 5.5M Users After Attackers Compromised Okta SSO Login
Translated title: ADT data breach impacts 5.5 million users after attackers compromised the Okta SSO login
- Source: eSecurityPlanet | Impact: 5.5 million users, Salesforce cloud compromised
- https://www.esecurityplanet.com/weekly-roundup/supply-chain-attacks-ai-security-and-major-breaches-define-this-week-in-cybersecurity-in-may-2026/
25. FBI Extracts Deleted Signal Messages from iPhone Notification Database
Translated title: FBI extracts deleted Signal messages from iPhone notification database
- Source: Schneier on Security | Impact: Limits of end-to-end encryption
- https://www.schneier.com/blog/archives/2026/04/fbi-extracts-deleted-signal-messages-from-iphone-notification-database.html
DevSecOps
26. pnpm 11 Turns On Minimum Release Age by Default to Reduce npm Supply Chain Risk
Translated title: pnpm 11 turns on minimum release age by default to reduce npm supply chain risk
- Source: CybersecurityNews | Significance: An important step for supply chain defense
- https://cybersecuritynews.com/page/210/
27. SAP npm Packages Compromised in Supply-Chain Attack Linked to TeamPCP
Translated title: SAP npm packages compromised in supply-chain attack linked to TeamPCP
- Source: Cybersecurity-Help | Impact: Theft of AWS/Azure/GCP credentials and SSH keys
- https://www.cybersecurity-help.cz/blog/5386.html
28. Cursor Extension Flaw Exposes Developer API Keys
Translated title: Cursor extension flaw exposes developer API keys
- Source: Infosecurity Magazine | Risk: Extensions can steal API keys and session tokens
- https://www.infosecurity-magazine.com/news/the-week-in-brief/
Supply Chain Security/SBOM
29. DigiCert Hack: EV Code Signing Certificates Used to Distribute “Zhong Stealer”
Translated title: DigiCert hack: EV code signing certificates used to distribute "Zhong Stealer" malware
- Source: Cybersecurity-Help | Stolen: 60 EV certificates, 27 directly linked to the attacker
- https://www.cybersecurity-help.cz/blog/5389.html
30. QCon London 2026: SBOMs Move from Best Practice to Legal Obligation as CRA Enforcement Looms
Translated title: QCon London 2026: SBOMs move from best practice to legal obligation as CRA enforcement looms
- Source: InfoQ | Timeline: Enforcement begins September 2026, full compliance December 2027
- https://www.infoq.com/news/2026/03/sbom-viktor-petersson/
31. Malicious npm Dependency Linked to AI-Assisted Commit Targets Crypto Wallets
Translated title: Malicious npm dependency linked to AI-assisted commit targets crypto wallets
- Source: Infosecurity Magazine | Technique: Malicious dependency planted via AI-assisted code commit
- https://www.infosecurity-magazine.com/news/the-week-in-brief/
Compliance/Privacy
32. VECT 2.0 Ransomware Permanently Destroys Files — Paying Ransom Won’t Help
Translated title: VECT 2.0 ransomware permanently destroys files; paying the ransom won't help
- Source: HackRead / Infosecurity Magazine | Flaw: Implementation bug makes large files undecryptable
- https://hackread.com/page/14/
33. Two US Cybersecurity Experts Jailed for Aiding BlackCat Ransomware
Translated title: Two US cybersecurity experts jailed for aiding BlackCat ransomware
- Source: HackRead / Infosecurity Magazine | Nature: Insider threat
- https://www.infosecurity-magazine.com/news/the-week-in-brief/
34. A Ransomware Negotiator Was Working for a Ransomware Gang
Translated title: A ransomware negotiator was working for a ransomware gang
- Source: Schneier on Security | Nature: Conflict of interest and crisis of trust
- https://www.schneier.com/blog/archives/2026/05/a-ransomware-negotiator-was-working-for-a-ransomware-gang.html
35. Cyberspace administration cracks down on "self-media" accounts that fail to properly label information sources; more than 98,000 violating accounts handled
- Source: 中国网信网 (Cyberspace Administration of China website) | Impact: 98,000+ violating accounts
- https://www.cac.gov.cn/2026-05/03/c_1779492291101867.htm
Security Tools
Foxboron / ssh-tpm-agent
Translated title: TPM-based SSH agent tool
SSH key agent with TPM support
Language: Go | v0.9.0 released | Total stars: N/A
- https://github.com/Foxboron/ssh-tpm-agent/releases/tag/v0.9.0
I Built a Tool That Detects SEO Poisoning Across Multiple Search Engines
Translated title: I built a tool that detects SEO poisoning across multiple search engines
- Source: Dev.to | Reactions: 15
- https://dev.to/null_saint/i-built-a-tool-that-detects-seo-poisoning-across-multiple-search-engines-15n9
AI-Powered Pentesting Tools Are Reshaping Offensive Security in 2026
Translated title: AI-powered pentesting tools are reshaping offensive security in 2026
- Source: 1337skills | Tools: Metasploit AI module selector, Burp Suite AI scanning
- https://1337skills.com/blog/2026-04-25-ai-powered-pentesting-tools-reshaping-offensive-security/
Editor's Picks
- DigiCert EV certificate theft: the global CA trust chain hit by social engineering; 60 EV code signing certificates stolen and used to distribute malware, a systemic threat to the software trust ecosystem https://www.securityweek.com/digicert-revokes-certificates-after-support-portal-hack/
- CVE-2026-31431 Linux kernel Copy Fail vulnerability: a high-severity flaw dormant for nine years, now exploited in the wild, affecting all major Linux distributions and especially dangerous in containerized environments https://www.cybersecurity-help.cz/blog/5386.html
- Claude Mythos finds 271 Firefox zero-days: autonomous AI vulnerability discovery enters a new era, and the AI arms race in offensive and defensive security has officially begun https://www.schneier.com/blog/archives/2026/04/claude-mythos-has-found-271-zero-days-in-firefox.html