Copy Fail Roots Linux 🐧, DPRK Web3 Job Attacks 🕵️, Ransomware Gangs Feud 💀

TLDR · 6 min read
Security · Technology · Engineering

AI Summary

This TLDR Information Security newsletter covers a critical Linux kernel privilege escalation vulnerability (CVE-2026-31431, "Copy Fail") exploitable with a 732-byte Python script, a DPRK-attributed supply chain attack disguised as a Web3 job interview, and a ransomware gang turf war in which rival groups leaked each other's operational data. Additional stories cover Google patching a CVSS 10 RCE in Gemini CLI, LLM-generated passwords turning up in 1,800 .env files on GitHub, and new security tools including Claude Security and snoop.

Key Facts

✓ CVE-2026-31431 is a Linux kernel logic bug exploitable with a 732-byte Python script to gain root on Ubuntu, Amazon Linux, RHEL, and SUSE via controlled writes into the page cache of setuid binaries.
✓ GitGuardian found 28,000 LLM-generated passwords in 34 million GitHub commits; Llama-3.3-70b-instruct repeated the same substring in 96% of its outputs, and weak generated credentials appeared in 1,800 .env files.
✓ A DPRK-attributed supply chain attack disguised as a 0G Labs Web3 job interview used an npm `prepare` lifecycle hook to get code execution on `npm install`, then beaconed the victim's environment variables and MAC addresses to a Texas-based IP every 5 seconds.
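The `prepare` hook in the third fact runs automatically on a bare `npm install` inside a cloned repository, which is why a "take-home assignment" repo is an effective lure. The script below is an added example, not code from the newsletter or from any published analysis of the campaign: it audits a package.json for install-time lifecycle scripts and flags script bodies matching a few assumed heuristics. The sample manifest is constructed to mirror the pattern described above, not the real lure.

```python
import json
import re

# npm lifecycle scripts that execute automatically during install
# (npm docs, "scripts"). "prepare" runs on a bare `npm install` in the
# package directory, i.e. right after a candidate clones the repo.
LIFECYCLE_HOOKS = {
    "preinstall", "install", "postinstall",
    "prepare", "preprepare", "postprepare", "prepublish",
}

# Assumed heuristics for script bodies that deserve a human look.
# These are illustrative patterns, not a signature for the 0G Labs lure.
SUSPICIOUS = [
    (r"\bnode\s+-e\b", "inline node code"),
    (r"\b(curl|wget)\b", "network fetch at install time"),
    (r"\bbase64\b|atob\(|Buffer\.from\([^)]*base64", "base64 decode"),
    (r"\beval\(|new Function\(", "dynamic code execution"),
    (r"child_process|exec\(", "spawns a shell"),
    (r"process\.env\b", "reads environment variables"),
    (r"networkInterfaces", "reads MAC addresses"),
]


def audit_package_json(text):
    """Return a list of (hook, reason, script) findings for a package.json string.

    Every install-time hook is reported; hooks whose body matches one of the
    SUSPICIOUS patterns get the matching labels joined with '; '.
    """
    pkg = json.loads(text)
    findings = []
    for name, body in pkg.get("scripts", {}).items():
        if name not in LIFECYCLE_HOOKS:
            continue
        reasons = [label for pat, label in SUSPICIOUS if re.search(pat, body)]
        if not reasons:
            reasons = ["install-time hook present"]
        findings.append((name, "; ".join(reasons), body))
    return findings


# Constructed sample manifest: a plausible frontend assignment whose
# `prepare` script decodes and runs a hidden payload. The base64 body is
# elided ('...') on purpose; it is not real payload data.
SAMPLE = json.dumps({
    "name": "frontend-assignment",
    "scripts": {
        "build": "vite build",
        "test": "vitest",
        "prepare": "node -e \"require('child_process').exec(Buffer.from('...','base64').toString())\"",
    },
})

if __name__ == "__main__":
    for hook, reason, body in audit_package_json(SAMPLE):
        print(f"[{hook}] {reason}\n    {body}")
```

Run it against any package.json you are asked to install as part of a recruitment process. Independently of the audit, `npm install --ignore-scripts` (or `npm config set ignore-scripts true`) disables lifecycle hooks entirely, at the cost of breaking packages that legitimately build native code on install.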

Author Takes

Skeptical · TLDR InfoSec

Detection-as-Code Pipelines

Detection-as-Code pipelines may be overrated given their heavy infrastructure requirements; LLM agents could automate much of the process, from linting to deployment, at the cost of strict determinism.

Skeptical · TLDR InfoSec

Browser Extension Entropy-Based Authorship Detection

In an era where legitimate authors and attackers use the same coding agents to generate code, entropy-based techniques for flagging malicious browser extension code may become less discriminating.
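To make the take concrete, the following is an added example (not code from the newsletter or from any extension-scanning product) of what an entropy-based check actually measures: it pulls string literals out of JavaScript source and reports those whose Shannon entropy suggests packed or encoded data. The threshold and minimum length are assumed tuning values, and the extension snippet is constructed. Note that the check keys on encoded payloads, not on who or what wrote the code, which is why agent-generated benign code and agent-generated malicious code score alike unless one of them carries a blob.

```python
import math
import re
from collections import Counter

# Single-, double- and backtick-quoted JS string literals, honouring
# backslash escapes. Adequate for a scan; not a full JavaScript tokenizer.
STRING_LITERAL = re.compile(
    r"""'((?:[^'\\]|\\.)*)'|"((?:[^"\\]|\\.)*)"|`((?:[^`\\]|\\.)*)`"""
)


def string_entropy(s):
    """Shannon entropy of s in bits per character (0.0 for the empty string)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values())


def flag_high_entropy_literals(source, threshold=4.5, min_len=20):
    """Return [(entropy, literal), ...] for literals in `source` that are at
    least min_len characters long and exceed `threshold` bits per character.

    Assumed defaults: English UI text sits around 3-4 bits/char, while
    base64 or hex blobs approach log2(alphabet size), so 4.5 separates the
    constructed sample cleanly. Tune on your own corpus.
    """
    hits = []
    for m in STRING_LITERAL.finditer(source):
        literal = next(g for g in m.groups() if g is not None)
        if len(literal) >= min_len:
            h = string_entropy(literal)
            if h > threshold:
                hits.append((round(h, 3), literal))
    return hits


# Constructed sample: a benign UI string beside an encoded blob that is
# decoded and executed at runtime. The blob is 32 distinct characters, so
# its entropy is exactly log2(32) = 5.0 bits/char; it is not real payload.
SAMPLE_EXTENSION_JS = """
const label = 'open the settings page';
const payload = 'aB3dE5fG7hI9jK1lM2nO4pQ6rS8tU0vW';
chrome.runtime.onInstalled.addListener(() => {
  // constructed: a real sample would hand the decoded blob to a loader here
  new Function(atob(payload))();
});
"""

if __name__ == "__main__":
    for h, literal in flag_high_entropy_literals(SAMPLE_EXTENSION_JS):
        print(f"{h:.2f} bits/char  {literal}")
```

The benign label scores about 3.3 bits/char and is skipped; the blob scores 5.0 and is reported. An obfuscator that splits payloads into short fragments or pads them with low-entropy filler will slip under either cut-off, which is the long-standing limitation the take above extends to agent-written code.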

Contrarian Angle

Ransomware Gangs as Mutual Threat Intelligence Sources

Feuding ransomware groups like 0APT and KryBit leaked each other's admin panels, affiliate data, and full operational stacks, inadvertently providing defenders with rich IoC data.

Threat actors attacking each other creates unexpected intelligence windfalls for blue teams without any defender effort. The leaked material is still adversary-supplied, though, so IoCs taken from a rival gang's dump should be validated before they are operationalized.
