The weekly threat roundup reads like a catalog of cheap shots. Old credentials still working. Trusted apps doing sketchy things. Browser extensions that escape the sandbox. Smart TVs quietly becoming someone else’s infrastructure. Nothing cinematic — just the internet being the internet.
Cloudflare’s PACT with browsers
Cloudflare teamed up with Google Chrome, Microsoft Edge, and Mozilla Firefox on a privacy-preserving bot defense protocol called PACT (Private Access Control Tokens). Websites can issue anonymous tokens asserting that a browsing session is run by a human, reducing the need for captchas or invasive tracking. The protocol is designed so sites can’t use it to track or identify users.
Six curl CVEs — including a 24-year-old bug
AISLE discovered six vulnerabilities in curl, ranging from memory-lifetime issues to logic bugs in how libcurl validates connections, credentials, and host identities. The standout is CVE-2026-8932, which allows reuse of a connection even when mTLS configuration changes should have prevented it. AISLE says it’s the oldest curl vulnerability ever reported — it’s been present since version 7.7, released on March 22, 2001. All six flaws are fixed in curl 8.21.0.
Critical Hoppscotch flaw: CVSS 10.0
Self-hosted versions of Hoppscotch, an open-source API platform, have a critical vulnerability (CVE-2026-50160) with a perfect CVSS score of 10.0. The POST /v1/onboarding/config endpoint allows unauthenticated attackers to inject arbitrary InfraConfig keys — including JWT_SECRET and SESSION_SECRET — through mass assignment. The NestJS ValidationPipe doesn’t strip extra properties, so they pass through unchecked. A single HTTP request, no credentials needed, and an attacker gets full server compromise with persistent access that survives password resets. Fixed in hoppscotch-backend version 2026.5.0.
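The mass-assignment pattern behind that finding, as an added example that is not Hoppscotch's code: a vulnerable handler that copies every request-body key into the config store, beside a hardened one that rejects any key outside an explicit allowlist, which is what NestJS ValidationPipe's `whitelist` and `forbidNonWhitelisted` options enforce at the framework level. The allowed key names and the store layout are assumptions; only JWT_SECRET and SESSION_SECRET come from the advisory.

```javascript
// Added example (not Hoppscotch code). The InfraConfig store and the
// allowed onboarding keys below are constructed for illustration.

// Keys an onboarding request may legitimately set (assumed allowlist).
const ONBOARDING_ALLOWED_KEYS = new Set(["MAILER_SMTP_URL", "MAILER_ADDRESS_FROM"]);

// Keys that must never be writable from an unauthenticated request.
const SENSITIVE_KEYS = new Set(["JWT_SECRET", "SESSION_SECRET"]);

const hasOwn = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

// Vulnerable handler: every property of the body is merged into the config
// store, so a body carrying JWT_SECRET overwrites the real secret unchecked.
function applyOnboardingConfigVulnerable(store, body) {
  return Object.assign({}, store, body);
}

// Hardened handler: reject the whole request when any key is outside the
// allowlist, then copy only allowlisted keys (never extra ones) into the store.
function applyOnboardingConfigHardened(store, body) {
  const unexpected = Object.keys(body).filter((k) => !ONBOARDING_ALLOWED_KEYS.has(k));
  if (unexpected.length > 0) {
    throw new Error(`rejected non-whitelisted keys: ${unexpected.join(", ")}`);
  }
  const next = { ...store };
  for (const key of ONBOARDING_ALLOWED_KEYS) {
    if (hasOwn(body, key)) next[key] = String(body[key]);
  }
  return next;
}

// Detection helper for request logs: list sensitive keys a body tried to set,
// so attempts against an unpatched instance can be alerted on.
function findSensitiveKeys(body) {
  return Object.keys(body).filter((k) => SENSITIVE_KEYS.has(k));
}
```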
Smart TVs as proxy hosts
Spur Intelligence scanned 6,038 apps across LG webOS and Samsung Tizen and found that 34.1% contain residential proxy software. On LG, the rate hits 42.5%. Bright Data, Massive, and Oxylabs are the top SDK providers. Clocks, screensavers, games, fish tank apps — low-utility stuff that people install and forget. Smart TVs are almost ideal proxy hosts: always online, on the home network, and nobody audits them like computers. LG and Samsung haven’t enforced policies against proxyware the way Amazon and Roku have.
Edgecution: ransomware via Teams and browser extensions
An initial access broker tied to Payouts King ransomware is posing as IT staff in Microsoft Teams chats to deliver a malicious Edge browser extension called Edgecution. The extension exploits Chrome’s native messaging protocol to break out of the browser sandbox and gain direct host access — filesystem manipulation, process launching, arbitrary code execution. It beacons to a C2 server and relays commands to a Python backdoor. The extension is invisible to the user.
References
- CVE-2026-8932 — curl connection reuse with changed mTLS config
- CVE-2026-50160 — Hoppscotch unauthenticated takeover (CVSS 10.0)
- curl advisory for CVE-2026-8932
- Hoppscotch security advisory GHSA-j542-4rch-8hwf
- AISLE: 6 new curl CVEs including oldest issue ever reported
- Spur Intelligence: Smart TV apps with residential proxy SDKs
- Zscaler: Payouts King ransomware IAB deploys Edgecution
