Find notable cyber news and cases, enriched with sources, timelines, and signals.

Recent notable Happenings and Cases

Hide ▲
Last updated: 16:02 11/07/2026 UTC
  • Campaign H score 71 WP-SHELLSTORM webshell access brokerage campaign SOCRadar reports WP-SHELLSTORM as a webshell access brokerage that used automated scans to plant WordPress/Joomla backdoors for later resale, materially expanding the scale of exploitable targets revealed by leaked infrastructure and tooling.
  • Service Disruption H score 53 Progress ShareFile Storage Zone Controller access disruption Progress says ShareFile customers must shut down Windows Storage Zone Controllers after a credible external threat, advancing the incident response by constraining access to affected controller servers.
  • Campaign H score 38 Helix vishing and SharePoint data-extortion campaign The Helix campaign is now described as breaking into SharePoint via vishing and MFA abuse, then adding a new authenticator app for persistence and extorting victims with enumerated/exfiltrated files.
  • Law Enforcement H score 36 Angelo Martino BlackCat ransomware sentencing A court sentenced Angelo Martino to 70 months for helping target U.S. companies in BlackCat (ALPHV) ransomware attacks, advancing accountability for ransomware negotiation/operations tied to victims.
  • Vulnerability H score 34 Tangem crypto wallet card unpatchable laser password reset security flaw Researchers disclosed an unpatchable Tangem laser-timed password reset flaw affecting every Tangem card sold, advancing risk by removing the usual remediation path for compromised physical cards.
  • Technical Analysis H score 28 Prompt-injection proof-of-concept enables silent RCE in Claude Code and Codex A proof-of-concept shows silent remote code execution via prompt injection in Claude Code and Codex during auto-mode workflows, advancing agent risk by demonstrating a trust-boundary bypass that can execute hidden commands during scanning.
Last updated: 18:32 10/07/2026 UTC

Latest updates

Browse →

ACSC CMS remediation guidance

Advisory/Mitigation

Updated: 11.07.2026 17:18 · First: 11.07.2026 17:18 · 📰 1 src / 1 articles · H score: 33

The ACSC issued remediation guidance for CMS operators under active exploitation pressure, telling administrators to install the latest security updates for themes and plugins to reduce webshell deployment risk. The advisory also calls for removing unused components and enabling automatic updates where possible. These steps target exposed sites that can otherwise be used for persistence, credential theft, and deeper network compromise.

WP-SHELLSTORM webshell access brokerage campaign

Campaign

Updated: 10.07.2026 14:30 · First: 10.07.2026 14:30 · 📰 2 src / 2 articles · H score: 71

The WP-SHELLSTORM campaign exposed its own infrastructure, revealing a webshell access brokerage that targeted WordPress and Joomla sites at scale and backdoored thousands of sites. The exposed files contained webshells, exploit scripts, scan results, command history, and target lists naming more than 1.4 million websites. The operation relied on automated scanning of public flaws such as CVE-2026-3844 to plant backdoors for later resale. Separate files show an earlier phase that harvested cloud credentials and other secrets from corporate Java systems before the large-scale webshell push.

Ghostcommit PNG-embedded prompt injection against AI code reviewers

Technical Analysis

Updated: 11.07.2026 12:03 · First: 11.07.2026 12:03 · 📰 1 src / 1 articles · H score: 25

Researchers demonstrated Ghostcommit, a PNG-embedded prompt-injection technique that can bypass AI code review and leak .env secrets into committed source. The payload hides inside docs/images/build-spec.png instead of plain text, so text-only reviewers miss the instruction while a later coding agent follows it. In one end-to-end run, the agent turned repository secrets into a 311-integer constant that decoded back to the full secret file. The result exposes a structural blind spot in pull-request automation where review tooling, not the model alone, determines whether exfiltration succeeds.

Zimbra Classic Web Client stored XSS cross-site scripting flaw

Vulnerability

Updated: 11.07.2026 09:45 · First: 11.07.2026 09:45 · 📰 1 src / 1 articles · H score: 26

Zimbra fixed a critical stored XSS flaw in the Classic Web Client that could let a specially crafted email run malicious code in a user's session. The weakness could expose mailbox information, session data, or account settings, creating account-compromise risk. Zimbra says customers should upgrade to Zimbra Collaboration Suite 10.1.19 to reduce exposure.

U-Boot FIT signature verification upstream patch release

Security Patch Release

Updated: 11.07.2026 00:59 · First: 11.07.2026 00:59 · 📰 1 src / 1 articles · H score: 16

Upstream fixes were accepted for six U-Boot flaws in the FIT signature verification code, advancing the security patch process for a bootloader component used during firmware startup. The issues include paths to arbitrary code execution and denial of service, which can undermine boot-time trust and enable stealthy firmware compromise. Downstream firmware updates are still needed before customers are protected, and some older unsupported devices may never receive a patch.

Karen Serobovich Vardanyan Ryuk ransomware guilty plea

Law Enforcement

Updated: 10.07.2026 20:46 · First: 10.07.2026 20:46 · 📰 1 src / 1 articles · H score: 21

Karen Serobovich Vardanyan pleaded guilty in a U.S. Ryuk ransomware case after extradition from Kyiv, deepening his exposure in a cybercrime prosecution tied to attacks on multiple organizations. He was previously indicted in February 2024 and had been arrested in Kyiv in April 2025 before being brought to the United States. The case links him to ransomware deployments against a Michigan company, a technology company in Oregon, and a school in Texas. He now faces sentencing in September 2026 and potential restitution tied to the ransomware proceeds.

@Injectivelabs/[email protected] wallet-stealing package

Malware Activity

Updated: 10.07.2026 20:29 · First: 10.07.2026 20:29 · 📰 1 src / 1 articles · H score: 30

The malicious @injectivelabs/[email protected] package is a wallet-stealing malware activity that can expose private keys and mnemonic seed phrases when library functions are used. The tainted release came from a compromised Injective Labs SDK GitHub repository and was published to npm on July 8, 2026. It also spread through 17 additional @injectivelabs packages that pinned the same version, expanding risk to transitive users. The package sent captured wallet derivation material to testnet.archival.chain.grpc-web.injective[.]network, making the release a direct supply-chain theft event.

Progress ShareFile Storage Zone Controller access disruption

Service Disruption

Updated: 10.07.2026 19:30 · First: 10.07.2026 19:30 · 📰 1 src / 1 articles · H score: 53

ShareFile Storage Zone Controller customers lost access when Progress Software temporarily disabled affected accounts and marked them not operational while investigating a credible external security threat. The disruption affects the Windows servers that run the controllers, not standard cloud-only ShareFile accounts. Customers were told to keep the controllers offline, so the service remains constrained until the threat is understood.

Progress ShareFile Storage Zone Controllers shutdown guidance

Advisory/Mitigation

Updated: 10.07.2026 19:26 · First: 10.07.2026 19:26 · 📰 2 src / 2 articles · H score: 44

Progress Software has told ShareFile customers using Storage Zone Controllers to shut down their servers immediately after detecting a credible external security threat. The instruction affects on-premises Windows servers that bridge the cloud service and customer-managed storage. Progress says it has no indication of unauthorized access to ShareFile accounts or data, but it has temporarily disabled access for affected customers while it investigates.

U-Boot FIT signature-check and image-parsing flaws memory corruption flaw

Vulnerability

Updated: 10.07.2026 18:57 · First: 10.07.2026 18:57 · 📰 2 src / 2 articles · H score: 1

U-Boot has six newly disclosed flaws in its FIT signature-checking and image-parsing path, putting routers, smart cameras, and data-center server management chips at risk of boot-time crash or code execution. Two of the flaws can let a malicious image run attacker code before signature verification, while four can crash the bootloader. Binarly published proof-of-concept images and reproduction steps, and no real-world exploitation has been reported. Upstream fixes were merged in June, but downstream firmware updates are still needed.

Rossen G. Iossifov had assets seized in Rossen G. Iossifov seized-crypto laundering case

Law Enforcement

Updated: 10.07.2026 18:30 · First: 10.07.2026 18:30 · 📰 1 src / 1 articles · H score: 25

Federal prosecutors charged Rossen G. Iossifov in the Eastern District of Kentucky over a money laundering case involving $290,000 in seized cryptocurrency, pushing a cybercrime prosecution tied to stolen fraud proceeds back into court.

GigaWiper modular backdoor with wiping and espionage capabilities

Malware Activity

Updated: 10.07.2026 18:30 · First: 10.07.2026 18:30 · 📰 1 src / 1 articles · H score: 22

The newly analyzed GigaWiper backdoor combines espionage and destructive wiping functions, giving operators a single implant that can control, sabotage, and erase infected systems. Microsoft said the tool also includes fake ransomware behavior and multiple destructive commands, expanding the impact of a single compromise. The finding raises concern because the malware unifies capabilities that are usually spread across separate tools. The result is a more flexible platform for covert access and system destruction.

GigaWiper reuses multiple malware lineages in a unified destructive backdoor

Technical Analysis

Updated: 10.07.2026 18:30 · First: 10.07.2026 18:30 · 📰 1 src / 1 articles · H score: 22

Microsoft's July 9 analysis of GigaWiper shows a modular backdoor that merges espionage, C2, and destructive wiping into one implant, widening the damage a single payload can cause. The research concluded the tool was assembled by combining and reimplementing components from Crucio ransomware, FlockWiper, and a third unrecovered framework. The findings provide reusable technical context for spotting similar multi-function malware and understanding how its destructive commands are organized.

Tangem crypto wallet card unpatchable laser password reset security flaw

Vulnerability

Updated: 10.07.2026 17:51 · First: 10.07.2026 17:51 · 📰 1 src / 1 articles · H score: 34

A Tangem crypto wallet card vulnerability lets a precisely timed laser pulse reset the card's password, creating a path for a thief with the physical card to take control of the wallet. The flaw sits in the Samsung S3D232A chip recovery logic and affects every card sold because Tangem cards cannot take software updates. The research was disclosed to Tangem on February 10, 2026 and remains unpatchable.

OpenClaw 2026.6.6 security update for three flaws

Security Patch Release

Updated: 10.07.2026 17:19 · First: 10.07.2026 17:19 · 📰 1 src / 1 articles · H score: 31

OpenClaw maintainers shipped version 2026.6.6 to fix three security flaws that could enable credential theft, privilege escalation, and arbitrary code execution on the host. Two of the issues are command-injection bugs and the third is a path traversal/link-following flaw. The release reduces risk for deployments where lower-trust input can reach the affected paths.

OpenClaw command-injection, path-traversal, and link-following flaws (multiple vulnerabilities)

Vulnerability

Updated: 10.07.2026 17:19 · First: 10.07.2026 17:19 · 📰 1 src / 1 articles · H score: 33

OpenClaw now has three patched high-severity vulnerabilities that can lead to credential theft, privilege escalation, and arbitrary code execution on the host. The set includes two command-injection flaws and one path traversal/link-following bug, with fixes in version 2026.6.6. A researcher said the issues can be triggered from an external WhatsApp message when lower-trust input reaches the affected paths.

Prompt-injection proof-of-concept enables silent RCE in Claude Code and Codex

Technical Analysis

Updated: 10.07.2026 16:45 · First: 10.07.2026 16:45 · 📰 1 src / 1 articles · H score: 28

Researchers demonstrated a proof-of-concept exploit that can force remote code execution in Anthropic’s Claude Code and OpenAI’s Codex, exposing a trust-boundary flaw in AI coding agents. The attack uses multi-stage prompt injection inside an untrusted repository to make attacker text look like normal task context. In auto-mode/auto-review, the agents can be pushed to run a supposed security.sh workflow that actually launches hidden code. The result is silent execution on a victim machine during a defensive scan.

Silver Fox MODBEACON Rust RAT activity

Malware Activity

Updated: 10.07.2026 16:15 · First: 10.07.2026 16:15 · 📰 1 src / 1 articles · H score: 23

The Silver Fox ecosystem has been tied to MODBEACON, a Rust-based remote access trojan that gives operators encrypted C2 and modular control over infected hosts. The malware is being pushed through counterfeit installers and bogus ZIP archives seeded by SEO poisoning, broadening exposure across technology, education, and state-owned enterprises. The design supports plugin loading, scheduled-task persistence, and follow-on payload expansion, raising the risk of stealthy long-term compromise. The C2 transport reuses Xray/V2Ray-style components and runs through Amazon and Cloudflare CDN infrastructure.

Silver Fox counterfeit-installer SEO-poisoning campaign across Asia

Campaign

Updated: 10.07.2026 16:15 · First: 10.07.2026 16:15 · 📰 1 src / 1 articles · H score: 32

Silver Fox is running a counterfeit-installer SEO-poisoning campaign that delivers malware across Asia and puts technology, education, and state-owned enterprise users at renewed risk. The operation uses bogus installer downloads and repeated search poisoning to drive infections. It shows sustained distribution activity rather than a one-off lure.

GodDamn ransomware PoisonX BYOVD activity

Malware Activity

Updated: 09.07.2026 13:43 · First: 09.07.2026 13:43 · 📰 2 src / 2 articles · H score: 14

GodDamn ransomware, part of the Hyadina family, has evolved into a Windows intrusion chain that uses AnyDesk, credential theft, and the PoisonX kernel driver to disable endpoint defenses before encrypting files. Public reporting places the latest variant in May 2026 and ties it to an early June 2026 intrusion in which operators used PsExec for lateral movement and repeated the deployment across at least 10 hosts. The activity shows a reusable ransomware workflow that reduces detection, expands access, and ends with file encryption and ransom notes.

China- and India-linked cyberespionage campaign against Pakistani law enforcement

Campaign

Updated: 10.07.2026 14:55 · First: 10.07.2026 14:55 · 📰 1 src / 1 articles · H score: 29

Cyberespionage groups linked to China and India ran a Feb 2024–Apr 2026 campaign against Pakistani law enforcement, reaching police systems that held sensitive records and citizen-facing data. The operation hit Balochistan Police most heavily and exposed servers tied to biometric databases, criminal case files, and personnel records. The intrusions used PlugX, ShadowPad, Cobalt Strike, and Remcos, and some access was delivered through fake software updates on a public complaint portal.

XQUIC XRING remote crash security flaw

Vulnerability

Updated: 10.07.2026 14:47 · First: 10.07.2026 14:47 · 📰 1 src / 1 articles · H score: 1

XQUIC's XRING flaw leaves HTTP/3 servers exposed to remote crashes through valid QPACK traffic, with no patch available. The bug needs no login and no malformed packets, and FoxIO says about 260 bytes of ordinary traffic can take the server process down. Any server embedding XQUIC and serving HTTP/3 with default QPACK settings is exposed, including embedders such as Tengine.

Zimbra Classic Web Client stored XSS cross-site scripting flaw

Vulnerability

Updated: 10.07.2026 14:47 · First: 10.07.2026 14:47 · 📰 1 src / 1 articles · H score: 22

Zimbra's Classic Web Client stored cross-site scripting (XSS) flaw was patched in Zimbra 10.1.19, closing a path that could expose session data, account settings, and mailbox information. The issue is triggered by specially crafted emails opened in the Classic UI and had no CVE ID yet at release time. Zimbra told customers using the Classic Web Client to upgrade as soon as possible.

Zimbra Classic Web Client stored XSS security update

Security Patch Release

Updated: 10.07.2026 14:47 · First: 10.07.2026 14:47 · 📰 2 src / 2 articles · H score: 32

Zimbra released ZCS v10.1.19 to patch a stored XSS flaw in the Classic Web Client, narrowing exposure for users of that interface. The bug could be triggered through specially crafted emails and could expose session data, account settings, or mailbox information if opened. Zimbra told customers to upgrade as soon as possible because the issue affects only Classic Web Client users and had no CVE ID yet.

SNOWLIGHT-to-VShell remote-access backdoor chain

Malware Activity

Updated: 10.07.2026 14:30 · First: 10.07.2026 14:30 · 📰 1 src / 1 articles · H score: 51

The SNOWLIGHT dropper was used to install VShell, giving operators covert remote access on compromised hosts and hiding the backdoor as [kworker/0:2] in process lists. The chain combines delivery and stealth, making post-compromise control harder to spot. It represents a focused malware activity thread centered on persistence and concealment.

Pink new extortion brand within The Com

Threat Actor Meta

Updated: 08.07.2026 19:47 · First: 08.07.2026 19:47 · 📰 2 src / 2 articles · H score: 31

Pink is a The Com-linked extortion brand associated with O-UNC-066 that is now being used in a voice-based phishing campaign against Microsoft 365 users. The activity sends targets to a panel-controlled phishing kit that mimics Entra passkey enrollment and captures credentials and MFA responses so the attacker can register an unauthorized passkey and gain account access. Okta says the campaign has targeted food and beverage, technology, healthcare, automotive, construction, and aviation organizations, and the brand is linked to a data leak site operating since April 2026 under the name Pink.

Wallet software weak recovery-phrase generation actively exploited security flaw

Vulnerability

Updated: 10.07.2026 12:00 · First: 10.07.2026 12:00 · 📰 1 src / 1 articles · H score: 31

Coinspect disclosed Ill Bloom, a weak-randomness recovery-phrase flaw in crypto wallet software that is actively exploited and can let attackers derive wallet addresses and drain funds. The issue is concentrated in older or lesser-known mobile wallets, while hardware devices and most mainstream software wallets are not affected. A confirmed May 27 sweep drained about $3.1 million from 431 wallets.

NHS patient-data unauthorized-access guidance

Advisory/Mitigation

Updated: 10.07.2026 12:00 · First: 10.07.2026 12:00 · 📰 1 src / 1 articles · H score: 7

The NHS issued patient-data unauthorized-access guidance that tells healthcare organizations to tighten monitoring, reporting, and access controls across staff systems. The rollout pairs a staff campaign with concrete mitigations to reduce improper viewing of medical records. It raises the operational bar for internal access by pushing least privilege, MFA, and role-based access controls. The guidance targets both human behavior and system design to stop unauthorized access before it happens.

NHS awareness campaign and guidance on unauthorized patient-data access

Public Sector Action

Updated: 10.07.2026 12:00 · First: 10.07.2026 12:00 · 📰 1 src / 1 articles · H score: 8

The NHS launched a new awareness-raising campaign and guidance to curb unauthorized access to patient data across staff and healthcare organizations. The initiative warns that unlawful access can lead to jail time, loss of employment, and referral to the ICO and police for criminal prosecution. It also pushes controls such as least privilege, MFA, role-based access controls, and monitoring in electronic patient record systems. The rollout follows recent insider cases involving 11 staff sacked, 14 written warnings, and an investigation into about 40 staff at a Cambridgeshire hospital.

Angelo Martino BlackCat ransomware sentencing

Law Enforcement

Updated: 10.07.2026 11:17 · First: 10.07.2026 11:17 · 📰 2 src / 2 articles · H score: 36

Angelo Martino was sentenced to 70 months in prison for helping target U.S. companies in BlackCat (ALPHV) ransomware attacks. The sentence increases criminal exposure for a former DigitalMint employee who worked inside ransomware negotiation activity. It also adds to the penalties already imposed on other negotiators tied to the same cybercrime scheme.