<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom">
  <channel>
    <title>R-fx Networks</title>
    <link>https://rfxn.com</link>
    <description>Open source Linux security and systems tools from R-fx Networks.</description>
    <language>en-us</language>
    <lastBuildDate>Tue, 26 May 2026 16:21:33 GMT</lastBuildDate>
    <atom:link href="https://rfxn.com/feed.xml" rel="self" type="application/rss+xml" />
    <item>
      <title>Closing the AF_ALG Window: Userspace Mitigation for CVE-2026-31431 (&quot;Copy Fail&quot;)</title>
      <link>https://rfxn.com/research/copyfail-cve-2026-31431</link>
      <guid isPermaLink="true">https://rfxn.com/research/copyfail-cve-2026-31431</guid>
      <pubDate>Thu, 30 Apr 2026 00:00:00 GMT</pubDate>
      <description>CVE-2026-31431 (&quot;Copy Fail&quot;) is an algif_aead AEAD scratch-write bug that gives any unprivileged tenant a 4-byte page-cache write to any readable file at an attacker-chosen offset. On RHEL-family kernels the affected modules are built in, so modprobe blacklists are no-ops and userspace cuts are the only defense that bites the running kernel. We dissect the primitive, lay out the five-rung defense ladder, and ship a signed RPM family (rfxn-defense) that pairs a single-file LD_PRELOAD shim with a read-only host posture auditor.</description>
      <category>Research</category>
    </item>
    <item>
      <title>Reverse-Engineering CVE-2026-41940 (SessionScribe): cPanel/WHM Session Forgery</title>
      <link>https://rfxn.com/research/cpanel-sessionscribe-cve-2026-41940</link>
      <guid isPermaLink="true">https://rfxn.com/research/cpanel-sessionscribe-cve-2026-41940</guid>
      <pubDate>Wed, 29 Apr 2026 00:00:00 GMT</pubDate>
      <description>CVE-2026-41940 is an unauthenticated session forgery in cPanel/WHM that composes two asymmetric defects in the session-write path into root RCE. We dissect the patch via snapshot-driven binary diff, derive the primitive mechanically, document an adjacent pre-validation identity-commit issue, publish a five-rule ModSecurity pack with a non-destructive probe and on-host IOC scanner, and standardize on proxy-endpoint enforcement as the forward posture for cPanel/WHM.</description>
      <category>Research</category>
    </item>
    <item>
      <title>Field Notes: CVE-2026-41940 Exploitation in the Wild</title>
      <link>https://rfxn.com/research/cpanel-sessionscribe-field-notes</link>
      <guid isPermaLink="true">https://rfxn.com/research/cpanel-sessionscribe-field-notes</guid>
      <pubDate>Sat, 02 May 2026 00:00:00 GMT</pubDate>
      <description>Active-incident battle journal for CVE-2026-41940. Chronology of exploitation from the first probe forward: 17-day quiet zero-day arc, a single-host kill chain walked end-to-end from sessionscribe-ioc-scan output, three operator profiles distinguished by websocket-Shell terminal dimensions, the Pattern A through I catalog, the operator-toolkit usage cards, the Tier-1 attacker IP block list, and a flagged piece of pre-disclosure evidence still under corroboration. The campaign is still active; we update this page as we identify additional patterns, attacker IPs, and IOCs.</description>
      <category>Research</category>
    </item>
    <item>
      <title>AI-Generated Webshells: Why Pattern-Based Detection Still Wins</title>
      <link>https://rfxn.com/research/ai-generated-webshells-detection</link>
      <guid isPermaLink="true">https://rfxn.com/research/ai-generated-webshells-detection</guid>
      <pubDate>Tue, 21 Apr 2026 00:00:00 GMT</pubDate>
      <description>LLMs generate novel PHP webshells on demand, and every sample is lexically unique. But a webshell must still read input, decode it, and hand it to an exec primitive. maldet&apos;s compound signature engine matches on that semantic skeleton, and the paraphrase problem collapses back into a known one.</description>
      <category>Research</category>
    </item>
    <item>
      <title>Composer Supply Chain: What PHP Didn&apos;t Learn From npm</title>
      <link>https://rfxn.com/research/php-composer-supply-chain</link>
      <guid isPermaLink="true">https://rfxn.com/research/php-composer-supply-chain</guid>
      <pubDate>Tue, 28 Apr 2026 00:00:00 GMT</pubDate>
      <description>npm supply chain attacks get the coverage, but Composer has the same RCE primitives, mutable Git tags instead of immutable registry hashes, and composer-plugin packages that activate transitively on every invocation. We map the trust chain, translate the npm attack classes, and put maldet on vendor/.</description>
      <category>Research</category>
    </item>
    <item>
      <title>Portable Bash for 20 Years of Unix Fragmentation</title>
      <link>https://rfxn.com/research/portable-bash-pre-usr-merge</link>
      <guid isPermaLink="true">https://rfxn.com/research/portable-bash-pre-usr-merge</guid>
      <pubDate>Tue, 05 May 2026 00:00:00 GMT</pubDate>
      <description>rfxn ships Bash tools to CentOS 6, Rocky 9, Ubuntu 24.04, Gentoo, Slackware, and FreeBSD. Every red cell in the portability matrix has produced a production bug. A reference on the usr-merge cliff, the /sbin split, the Bash 4.1 floor, init-system detection, and the grep patterns that enforce the rules.</description>
      <category>Research</category>
    </item>
    <item>
      <title>Three Bash Projects, Eight Distros, Ninety Seconds</title>
      <link>https://rfxn.com/research/bats-docker-tcp-ci</link>
      <guid isPermaLink="true">https://rfxn.com/research/bats-docker-tcp-ci</guid>
      <pubDate>Tue, 12 May 2026 00:00:00 GMT</pubDate>
      <description>Three Bash projects. Eight Linux distros from CentOS 6 through Ubuntu 24.04. Full-matrix CI in about ninety seconds warm, running on a spare LAN box with no monthly bill. The stack is BATS as the runner, a shared harness (batsman) as a git submodule, and Docker over TCP with mutual TLS.</description>
      <category>Research</category>
    </item>
    <item>
      <title>Axios npm Compromise: Lazarus Group Deploys Cross-Platform RAT</title>
      <link>https://rfxn.com/research/axios-npm-supply-chain-attack</link>
      <guid isPermaLink="true">https://rfxn.com/research/axios-npm-supply-chain-attack</guid>
      <pubDate>Tue, 31 Mar 2026 00:00:00 GMT</pubDate>
      <description>The axios npm package (50M+ weekly downloads) was compromised via maintainer account hijack. Malicious versions 1.14.1 and 0.30.4 inject a postinstall dropper that delivers a cross-platform RAT attributed to Lazarus Group (DPRK/APT38). We publish 33 maldet signatures covering the dropper, all platform payloads, and C2 infrastructure.</description>
      <category>Research</category>
    </item>
    <item>
      <title>WordPress Supply Chain Attacks: BuddyBoss, Gravity Forms, and the Trust Problem</title>
      <link>https://rfxn.com/research/wordpress-supply-chain-attacks</link>
      <guid isPermaLink="true">https://rfxn.com/research/wordpress-supply-chain-attacks</guid>
      <pubDate>Fri, 27 Mar 2026 00:00:00 GMT</pubDate>
      <description>Three premium plugin supply chain compromises in 12 months (BuddyBoss, Gravity Forms, and Groundhogg) show attackers systematically targeting vendor update infrastructure. We publish 10 new maldet signatures including generic detection rules that catch future supply chain backdoors in any WordPress plugin.</description>
      <category>Research</category>
    </item>
    <item>
      <title>The MU-Plugin Menace: Five Malware Families Hiding in Plain Sight</title>
      <link>https://rfxn.com/research/mu-plugin-malware-ecosystem</link>
      <guid isPermaLink="true">https://rfxn.com/research/mu-plugin-malware-ecosystem</guid>
      <pubDate>Wed, 08 Apr 2026 00:00:00 GMT</pubDate>
      <description>WordPress must-use plugins auto-execute on every page load, don&apos;t appear in the admin panel, and can&apos;t be deactivated. Five distinct malware families, from simple redirectors to a 7-layer persistence fortress, have independently converged on this vector. We document them all and publish detection signatures.</description>
      <category>Research</category>
    </item>
    <item>
      <title>WebRTC Skimmers: How Payment Thieves Bypass Content Security Policy</title>
      <link>https://rfxn.com/research/webrtc-skimmer-csp-bypass</link>
      <guid isPermaLink="true">https://rfxn.com/research/webrtc-skimmer-csp-bypass</guid>
      <pubDate>Wed, 15 Apr 2026 00:00:00 GMT</pubDate>
      <description>The first documented payment skimmer using WebRTC DataChannels for both payload delivery and data exfiltration. CSP connect-src cannot block RTCPeerConnection. DTLS-encrypted UDP is invisible to HTTP security tools. We break down the technique and connect it to the ongoing Magento PolyShell mass exploitation.</description>
      <category>Research</category>
    </item>
    <item>
      <title>Magento PolyShell: Detection, Mitigation, and maldet Signatures</title>
      <link>https://rfxn.com/research/magento-polyshell-mitigation</link>
      <guid isPermaLink="true">https://rfxn.com/research/magento-polyshell-mitigation</guid>
      <pubDate>Wed, 25 Mar 2026 00:00:00 GMT</pubDate>
      <description>A critical unauthenticated file upload vulnerability in Magento&apos;s REST API allows attackers to plant PHP webshells disguised as GIF images. We break down the attack, publish 7 ModSecurity rules, Apache hardening guidance, and four new maldet signatures.</description>
      <category>Research</category>
    </item>
    <item>
      <title>Structured Audit Logging for Bash Applications</title>
      <link>https://rfxn.com/research/structured-audit-logging-bash</link>
      <guid isPermaLink="true">https://rfxn.com/research/structured-audit-logging-bash</guid>
      <pubDate>Thu, 02 Apr 2026 00:00:00 GMT</pubDate>
      <description>Most bash tools log unstructured text. We built elog_lib.sh, a shared event logging library that emits 23 typed events to six output formats simultaneously, including JSONL, CEF, syslog, GELF, and Elasticsearch ECS. One function call, zero-code SIEM integration, no compiled dependencies.</description>
      <category>Research</category>
    </item>
    <item>
      <title>Compound Signatures: Building a Boolean Detection Language in Bash</title>
      <link>https://rfxn.com/research/compound-signatures-detection-language</link>
      <guid isPermaLink="true">https://rfxn.com/research/compound-signatures-detection-language</guid>
      <pubDate>Thu, 12 Mar 2026 00:00:00 GMT</pubDate>
      <description>ClamAV&apos;s signature format cannot express boolean logic. We built a compound signature engine that evaluates AND/OR/threshold rules using shell-native primitives (grep, awk, sort) with 22x less memory and 2.1x higher detection rates. No daemon, no dependencies.</description>
      <category>Research</category>
    </item>
    <item>
      <title>43x Faster: Rewriting maldet&apos;s Scan Engine with Batch Parallel Processing</title>
      <link>https://rfxn.com/research/batch-parallel-scan-engine</link>
      <guid isPermaLink="true">https://rfxn.com/research/batch-parallel-scan-engine</guid>
      <pubDate>Thu, 05 Mar 2026 00:00:00 GMT</pubDate>
      <description>Linux Malware Detect v1.6.6 forked 500,000 subprocesses per scan. The v2.0 rewrite uses batch parallel workers, Aho-Corasick grep, and awk preloading to scan 10,000 files in 28 seconds, with zero external dependencies and a 44 MB memory footprint.</description>
      <category>Research</category>
    </item>
    <item>
      <title>Project Blacklight: An Agentic Defense Layer for the Open-Source Linux Stack</title>
      <link>https://rfxn.com/talks/project-blacklight-cerebral-valley</link>
      <guid isPermaLink="true">https://rfxn.com/talks/project-blacklight-cerebral-valley</guid>
      <pubDate>Wed, 29 Apr 2026 00:00:00 GMT</pubDate>
      <description>The pitch from the Anthropic Built with Opus 4.7 x Cerebral Valley Hackathon. Six days, 296 commits, one scorched-earth pivot, and an agentic defense layer that uses what most operators already have: ModSecurity, Apache, iptables, and a shell script. Built on Opus 4.7 + Anthropic Managed Agents.</description>
      <category>Talks</category>
    </item>
    <item>
      <title>Prompts to Pipelines v1.5: Stop Vibing, Start Engineering</title>
      <link>https://rfxn.com/talks/prompts-to-pipelines-v1-5</link>
      <guid isPermaLink="true">https://rfxn.com/talks/prompts-to-pipelines-v1-5</guid>
      <pubDate>Tue, 21 Apr 2026 00:00:00 GMT</pubDate>
      <description>The iterated version of the Claude Code harness talk. Five plagues of agentic development, four primitives (memory, hooks, subagents, settings) that fix them, and the fixtures to wire a CLAUDE.md, settings.json, and adversarial reviewer in an afternoon. The through-line: the model is capable, the instructions are the product.</description>
      <category>Talks</category>
    </item>
    <item>
      <title>Linux Malware Detect 2.x: From Zero to Protected in 28 Seconds</title>
      <link>https://rfxn.com/talks/lmd-2x-deep-dive</link>
      <guid isPermaLink="true">https://rfxn.com/talks/lmd-2x-deep-dive</guid>
      <pubDate>Thu, 02 Apr 2026 00:00:00 GMT</pubDate>
      <description>A deep dive on the maldet 2.x rewrite: 348K+ deployments, a bash-native scan engine that beats ClamAV on memory by 22x, and the architecture decisions behind a pure-shell malware scanner that ships on everything from CentOS 6 to Ubuntu 24.04.</description>
      <category>Talks</category>
    </item>
    <item>
      <title>Blacklight (BL)</title>
      <link>https://rfxn.com/projects/blacklight</link>
      <guid isPermaLink="true">https://rfxn.com/projects/blacklight</guid>
      <description>An agentic defense layer for the operators running ModSecurity, Apache, iptables, LMD, and ClamAV on real Linux servers. Built in six days for the Anthropic Built with Opus 4.7 x Cerebral Valley Hackathon, on Opus 4.7 + Anthropic Managed Agents.</description>
    </item>
    <item>
      <title>Linux Malware Detect (LMD)</title>
      <link>https://rfxn.com/projects/linux-malware-detect</link>
      <guid isPermaLink="true">https://rfxn.com/projects/linux-malware-detect</guid>
      <description>A high-performance malware scanner for Linux designed for the multi-core era. v2.0.1 introduces a rewritten scan engine that delivers up to 10x faster performance than traditional scanners via hash-first short-circuiting and batch-parallel processing.</description>
    </item>
    <item>
      <title>Advanced Policy Firewall (APF)</title>
      <link>https://rfxn.com/projects/advanced-policy-firewall</link>
      <guid isPermaLink="true">https://rfxn.com/projects/advanced-policy-firewall</guid>
      <description>An iptables (netfilter) based firewall system for Linux servers. Provides three-fold filtering with static rules, stateful connection tracking, and sanity-based packet inspection.</description>
    </item>
    <item>
      <title>Brute Force Detection (BFD)</title>
      <link>https://rfxn.com/projects/brute-force-detection</link>
      <guid isPermaLink="true">https://rfxn.com/projects/brute-force-detection</guid>
      <description>A modular shell script for parsing application logs and detecting authentication failures. Uses regex rules and integrates with APF, Shorewall, or raw iptables for blocking.</description>
    </item>
    <item>
      <title>Incremental Rsync (IRSYNC)</title>
      <link>https://rfxn.com/projects/irsync-incremental-rsync</link>
      <guid isPermaLink="true">https://rfxn.com/projects/irsync-incremental-rsync</guid>
      <description>An incremental backup utility built on rsync with traffic control shaping, hard-link snapshots, point-in-time restore, and MySQL backup support.</description>
    </item>
    <item>
      <title>Linux Environment Security (LES)</title>
      <link>https://rfxn.com/projects/linux-environment-security</link>
      <guid isPermaLink="true">https://rfxn.com/projects/linux-environment-security</guid>
      <description>A security hardening tool that prevents environment-based attacks including PATH tainting, profile script hijacking, and system traversal exploitation.</description>
    </item>
    <item>
      <title>Linux Socket Monitor (LSM)</title>
      <link>https://rfxn.com/projects/linux-socket-monitor</link>
      <guid isPermaLink="true">https://rfxn.com/projects/linux-socket-monitor</guid>
      <description>A port monitor that tracks changes to network sockets and Unix domain sockets using differential comparison, alerting on newly activated services.</description>
    </item>
    <item>
      <title>Network Socket Inode Validation (NSIV)</title>
      <link>https://rfxn.com/projects/network-socket-inode-validation</link>
      <guid isPermaLink="true">https://rfxn.com/projects/network-socket-inode-validation</guid>
      <description>Validates network socket inodes at the kernel level, correlating processes to sockets to expose hidden or injected connections indicative of compromise.</description>
    </item>
    <item>
      <title>Process Resource Monitor (PRM)</title>
      <link>https://rfxn.com/projects/process-resource-monitor</link>
      <guid isPermaLink="true">https://rfxn.com/projects/process-resource-monitor</guid>
      <description>A CPU, memory, and process resource monitor for Linux and BSD. Supports global and per-process/per-user limits with automatic enforcement.</description>
    </item>
    <item>
      <title>System Integrity Monitor (SIM)</title>
      <link>https://rfxn.com/projects/system-integrity-monitor</link>
      <guid isPermaLink="true">https://rfxn.com/projects/system-integrity-monitor</guid>
      <description>A system and services monitor for SysVinit systems. Monitors services, load, disk space, and network status with auto-restart for downed services.</description>
    </item>
    <item>
      <title>System Priority (SPRI)</title>
      <link>https://rfxn.com/projects/system-priority</link>
      <guid isPermaLink="true">https://rfxn.com/projects/system-priority</guid>
      <description>A tool for managing system process priorities and CPU scheduling on Linux. Provides persistent, rule-based priority management via nice and scheduling subsystems.</description>
    </item>
  </channel>
</rss>