"The pipeline had a single boolean return value that meant both 'no scanners are configured' and 'all scanners failed to run,'... So when scanners failed under load, Open VSX treated it as 'nothing to scan for' and waved the extension right through."
These findings led us to conclude that this exploit kit was not patchworked but rather designed with a unified approach. We assume that it's an updated version of the same exploitation framework that was used - at least to some extent - in Operation Triangulation.
Microsoft is removing trust for kernel drivers that haven't been through the Windows Hardware Compatibility Program, targeting those signed by the long-deprecated cross-signed root program. This change will take effect with the April 2026 Windows Update.
"This is more likely to complement existing SIEMs than replace them. Early adoption will come from large enterprises already committed to Databricks, especially those seeking flexibility or cost control."
The first vulnerability, CVE-2026-4673, is a heap buffer overflow issue in WebAudio that earned the reporting researcher a $7,000 bug bounty reward. Google has yet to determine the bounty amount for CVE-2026-4677, another bug reported by the same researcher.
CanisterWorm, as Aikido has named the malware, targets organizations' CI/CD pipelines used for rapid development and deployment of software. Every developer or CI pipeline that installs this package and has an npm token accessible becomes an unwitting propagation vector.
