Posts

CI/CD Hardening Checklist

1. Workspace Trust & Input Safety (Highest Priority)
Never auto‑trust workspaces in CI: require explicit trust configuration for any repo contents before loading configs or env files. Mandatory for AI agents running in headless mode (e.g., Gemini CLI).
Treat forks, PRs, issues, and comments as untrusted: especially dangerous when pipelines run on pull_request_target. Never load .env, .gemini/, or agent config from untrusted inputs.
Block configuration discovery: disable recursive discovery of agent configs unless explicitly allow‑listed.
2. AI Agent–Specific Controls (Gemini CLI, Claude Code, etc.)
Upgrade all agent tools: Gemini CLI ≥ 0.39.1; run-gemini-cli Action ≥ 0.1.22.
Disable unrestricted execution modes: avoid --yolo or equivalent autonomous modes. If required, enforce strict command allowlists.
Separate “analysis” from “execution”: let agents review or suggest changes. Require a human gate or isolated job for command execution. No agent runs with contributor‑level pr...

Critical Gemini CLI Vulnerabilities

1. Critical RCE in CI/CD (CVSS 10.0 – GHSA‑wpqr‑6v78‑jr5g)
A maximum‑severity Remote Code Execution (RCE) flaw was discovered in Google’s Gemini CLI (@google/gemini-cli) and the run-gemini-cli GitHub Action. In headless/CI environments, Gemini CLI automatically trusted workspace folders, loading .gemini/ configuration and environment variables without review or sandboxing, allowing attackers to execute arbitrary commands on the host before sandbox initialization. Exploitation required no authentication, no user interaction, and no prompt injection.
Impact: full host command execution in CI/CD runners; theft of secrets, tokens, and credentials; software supply‑chain compromise via malicious pull requests.
Affected versions: @google/gemini-cli < 0.39.1; @google/gemini-cli ≤ 0.40.0-preview.2; google-github-actions/run-gemini-cli < 0.1.22.
Fixed versions: @google/gemini-cli 0.39.1, 0.40.0-preview.3; run-gemini-cli 0.1.22.
Root causes: Implic...

Windows Shell Zero‑Click Vulnerability CVE‑2026‑32202

In April 2026, Microsoft confirmed active exploitation of a zero‑click Windows Shell vulnerability tracked as CVE‑2026‑32202. The flaw allows attackers to silently steal NTLM credentials when a user merely views a folder containing a malicious shortcut — no opening, clicking, or execution required. The issue stems from an incomplete February patch and has been abused in the wild, prompting CISA to add it to the Known Exploited Vulnerabilities (KEV) catalog with a federal patch deadline of May 12, 2026.
What makes this “zero‑click”?
Unlike typical phishing or malware attacks that require user interaction, this flaw triggers when Windows Explorer renders a directory. Explorer automatically parses shortcut metadata (e.g., to fetch icons). A crafted .lnk file can embed a UNC path (e.g., \\attacker\share\file) that causes Windows to auto‑initiate an SMB connection to an attacker‑controlled server — without any user action — leaking the victim’s Net‑NTLMv2 hash.
Root cause and...

Linux Kernel 0‑Day “Copy Fail” (CVE‑2026‑31431)

What is “Copy Fail”?
Copy Fail is a high‑severity Linux kernel local privilege‑escalation (LPE) zero‑day vulnerability disclosed publicly on April 29–30, 2026 and tracked as CVE‑2026‑31431. It allows any unprivileged local user to gain full root access on essentially every major Linux distribution released since 2017, using a tiny (≈732‑byte) Python exploit that works unchanged across distributions.
Root Cause (Technical Summary)
The bug is a logic flaw, not a race condition. It lives in the Linux kernel’s cryptographic userspace API, specifically: algif_aead.c; the AEAD (Authenticated Encryption with Associated Data) socket interface (AF_ALG); the authencesn crypto template. A 2017 optimization allowed kernel operations to run in place on page‑cache memory. When combined with an AF_ALG socket and the splice() system call, the kernel can be manipulated into performing a controlled 4‑byte write directly into page‑cache memory belonging to any readable file. Be...

Citizens Bank Data Breach

Citizens Bank experienced a confirmed data breach in April 2026 tied to a third‑party vendor compromise, with exposed data including customer names, home addresses, and account numbers — while hackers claim they hold up to 3.4 million Citizens records.
Multiple credible reports confirm that Citizens Bank did not suffer a direct network breach. Instead, attackers infiltrated a third‑party vendor that stored Citizens customer data. Citizens publicly acknowledged the incident on April 21, 2026, stating that “most of this was masked test data” and only a limited set of real customer information was involved. Meanwhile, the Everest ransomware gang posted Citizens Bank on its leak site on April 20, 2026, claiming to possess ~3.4 million records. This discrepancy — Citizens reporting limited exposure vs. Everest claiming millions — is common in extortion campaigns.
Data Exposed
Across verified disclosures and samples posted by attackers, the following data types were involved:...

ADT Data Breach

ADT suffered a confirmed data breach on April 20, 2026, linked to the ShinyHunters extortion group, exposing customer names, phone numbers, and addresses — with some cases including dates of birth and the last four digits of SSNs or Tax IDs. No financial data or home security systems were compromised.
ADT detected unauthorized access to customer and prospective customer data on April 20, 2026. The intrusion was quickly terminated, and ADT launched a forensic investigation with third‑party cybersecurity experts while notifying law enforcement. The threat actor ShinyHunters claimed responsibility, stating they stole over 10 million records and threatened to leak the data unless ADT paid a ransom. ADT has not confirmed the 10M figure but acknowledges a breach occurred.
What Data Was Exposed
ADT states the compromised data includes: names, phone numbers, addresses, and, in a small percentage of cases, dates of birth and the last four digits of SSNs or Tax IDs. Critically: no payment information ...

CVE‑2026‑40372 — ASP.NET Core Elevation of Privilege Vulnerability

Summary
CVE‑2026‑40372 is a critical elevation‑of‑privilege (EoP) vulnerability in ASP.NET Core’s Data Protection subsystem that allows unauthenticated attackers to forge authentication material and gain SYSTEM‑level or administrative privileges under specific conditions. The issue was disclosed and patched by Microsoft via an out‑of‑band update in April 2026, highlighting its severity and exploit potential.
Severity & Classification
CVSS v3.1 Score: 9.1 (Critical / Important)
CWE: CWE‑347 – Improper Verification of Cryptographic Signature
Attack Vector: Network (no authentication required)
Impact: Authentication bypass, token forgery, privilege escalation
Affected Components
The vulnerability exists in the following packages and versions:
Component: Microsoft.AspNetCore.DataProtection; Affected Versions: 10.0.0 – 10.0.6; Fixed Version: 10.0.7
When Are You Vulnerable?
You are affected if all of th...