Researchers at Synacktiv disclosed an unpatched flaw in Argo CD, the popular GitOps tool for deploying to Kubernetes, that can lead to full cluster takeover. The problem is in repo-server, the component that turns Git repository files into Kubernetes manifests: its internal gRPC service requires no authentication, so anyone who can reach it on the cluster network can send a crafted request and run commands. Synacktiv reported it about eighteen months ago, but there is still no fix and no CVE, so it went public to warn users. With no patch, the practical defense is network isolation using Kubernetes network policies.
Microsoft has refused to issue a CVE for what an outside researcher and the CERT Coordination Center both describe as a privilege escalation in Azure Backup for Azure Kubernetes Service. The flaw lets a user holding only the low-privileged 'Backup Contributor' Azure role gain cluster-admin on AKS clusters, which Microsoft dismissed by saying the attacker 'already held administrator access.' CERT/CC validated the bug and tracked it as VU#284781. The researcher says Microsoft also tried to get MITRE to reject the submission as 'AI-generated content,' then quietly added new permission checks, suggesting a silent patch even as Microsoft says 'no product changes were made.'
Trend Micro disclosed Quasar Linux (QLNX), a previously undocumented Linux remote access trojan designed for developer workstations and DevOps environments. The malware harvests credentials for npm, PyPI, GitHub, AWS, Docker, and Kubernetes - then uses them to publish trojanized packages to public registries. QLNX runs entirely fileless and in-memory, dynamically compiling its rootkit and PAM backdoor on the target host using gcc, then loading them via /etc/ld.so.preload for system-wide interception. Capabilities include a 58-command RAT, dual-layer rootkit, keylogging, SSH lateral movement, and peer-to-peer mesh networking. Only four security tools detect the binary as malicious.