Find notable cyber news and cases, enriched with sources, timelines, and signals.

Recent notable Happenings and Cases

Hide ▲
Last updated: 15:22 15/07/2026 UTC
Last updated: 14:06 15/07/2026 UTC

Latest updates

Browse →

AsyncAPI malicious npm package supply-chain malware

Malware Activity

Updated: 15.07.2026 18:37 · First: 15.07.2026 18:37 · 📰 1 src / 1 articles · H score: 21

Malicious AsyncAPI npm releases pushed a remote access trojan and info-stealing payload into packages with more than 2.25 million weekly downloads, putting downstream installs and lock files at risk. The trojanized versions were published through a compromised GitHub Actions release path in the @asyncapi namespace during a July 14 exposure window. The malicious code could establish persistence, contact external infrastructure, and collect secrets from development environments. Even after removal from npm, existing installs can still carry the payload until teams clean packages, rebuild lock files, and rotate credentials.

OkoBot hardware-wallet phrase theft campaign

Campaign

Updated: 15.07.2026 18:30 · First: 15.07.2026 18:30 · 📰 1 src / 1 articles · H score: 37

An active OkoBot campaign is driving hundreds of victimizations across more than 25 countries, showing broad coordinated malware activity. The operation uses overlapping delivery paths and payloads, including SeedHunter seed-phrase theft against Windows wallet users. Its reach across Brazil, Vietnam, Canada, Mexico, and Türkiye points to sustained multi-region targeting with wallet-theft and credential-theft risk.

OkoBot Windows malware framework with SeedHunter wallet phrase theft

Malware Activity

Updated: 15.07.2026 18:30 · First: 15.07.2026 18:30 · 📰 1 src / 1 articles · H score: 31

The OkoBot malware framework is actively running on Windows and using SeedHunter to steal hardware wallet recovery phrases, putting wallet owners and endpoint data at risk. The framework has been active since April 2025 and was still operating as of the July 15 analysis. Telemetry tied to the malware shows hundreds of victims across 25+ countries, with the largest share in Brazil, Vietnam, Canada, Mexico, and Türkiye. OkoBot also carries additional payloads that steal credentials, wallet files, browser profiles, cookies, and other data.

SeasonalInvite eCard phishing campaign targeting Windows and macOS users

Campaign

Updated: 15.07.2026 18:00 · First: 15.07.2026 18:00 · 📰 1 src / 1 articles · H score: 30

The SeasonalInvite phishing campaign has been active for six months, tricking Windows and macOS users into installing legitimate RMM software through fake eCards. The operation used 959 domains and a traffic distribution system (TDS) to route victims to a BlueMountain impersonation page that auto-downloaded an installer. The campaign matters because the installers were commercially signed and therefore could pass normal security checks while still enabling attacker-controlled remote access.

CISA Microsoft SharePoint hardening guidance for exploited zero-days

Advisory/Mitigation

Updated: 15.07.2026 17:07 · First: 15.07.2026 17:07 · 📰 1 src / 1 articles · H score: 46

CISA’s Microsoft SharePoint servers hardening guidance responds to newly disclosed zero-day vulnerabilities that can be exploited remotely, creating immediate risk for supported on-premises deployments. CVE-2026-56164 was added to the KEV catalog, and federal agencies must patch it within three days under BOD 26-04. Microsoft’s July 2026 Patch Tuesday also resolved CVE-2026-55040 and CVE-2026-58644, while CISA urged monitoring, intrusion hunting, and tighter exposure controls.

SharePoint Server unauthenticated privilege escalation flaw actively exploited (CVE-2026-56164)

Vulnerability

Updated: 14.07.2026 23:25 · First: 14.07.2026 23:25 · 📰 4 src / 4 articles · H score: 82

CVE-2026-56164 is an actively exploited SharePoint Server vulnerability that lets an unauthenticated attacker escalate privileges over the network. The flaw puts on-premises SharePoint Server deployments at immediate risk, especially where the service is exposed to remote access. Microsoft has already identified it as a fix-first issue for July 2026.

Microsoft security patch release for CVE-2026-56164

Security Patch Release

Updated: 14.07.2026 23:25 · First: 14.07.2026 23:25 · 📰 2 src / 3 articles · H score: 11

Microsoft released a record 622-CVE Patch Tuesday that includes two exploited flaws in SharePoint Server and Active Directory Federation Services, raising urgency for identity and collaboration systems. The top-priority fixes are CVE-2026-56164 and CVE-2026-56155, both elevation-of-privilege bugs already being used in attacks. Microsoft also bundled additional updates across Windows, Office, Edge, Azure, Defender, and developer tools. The release matters because defenders must triage a much larger-than-usual update set while attackers can immediately focus on the flaws already in use.

Microsoft SharePoint Server actively exploited multi-CVE wave

Exploitation Wave

Updated: 15.07.2026 12:44 · First: 15.07.2026 12:44 · 📰 3 src / 3 articles · H score: 78

SharePoint Server exploitation wave remains active across internet-exposed on-premises instances, with CVE-2026-32201, CVE-2026-45659, and CVE-2026-56164 used to bypass authentication, reach remote code execution, and enable IIS machine key theft, persistence, and malware deployment. CISA added the exploited CVEs to the Known Exploited Vulnerabilities Catalog and urged operators to apply Microsoft's latest patches, verify installation, enable AMSI and Microsoft Defender Antivirus detections, reduce direct internet exposure, block SharePoint Central Administration, and use a Layer 7 reverse proxy where needed.

Active SharePoint exploitation around CVE-2026-56164 drives patching and federal response

Case

Updated: 15.07.2026 17:07 · First: 14.07.2026 23:25 · 📰 0 src / 5 articles

Active exploitation of on-premises SharePoint Server now spans CVE-2026-56164 and broader reporting around CVE-2026-32201 and CVE-2026-45659 on internet-exposed systems. Available evidence includes authentication bypass, remote code execution, or unauthenticated privilege escalation paths, followed by IIS machine key theft, persistence, and malware deployment. Microsoft has released fixes for CVE-2026-56164, while CISA is urging immediate hardening, monitoring, and intrusion hunting across supported self-hosted deployments. U.S. federal agencies face a July 17 deadline to secure or discontinue affected servers.

Creative Mail plugin SQL injection SQL injection flaw (CVE-2026-3985)

Vulnerability

Updated: 15.07.2026 17:01 · First: 15.07.2026 17:01 · 📰 1 src / 1 articles · H score: 50

A SQL injection flaw in the Creative Mail plugin exposes database read access, including admin hashes and secret tokens. The issue is tracked as CVE-2026-3985 and requires WooCommerce alongside Creative Mail to reach the vulnerable path. A working proof of concept was produced, and the plugin was pulled from the WordPress store pending review. Sites running that combination face immediate credential and token disclosure risk until a patch is available.

UEFI shim Secure Boot bypass (multiple vulnerabilities)

Vulnerability

Updated: 14.07.2026 15:46 · First: 14.07.2026 15:46 · 📰 2 src / 2 articles · H score: 1

Researchers identified 11 old, Microsoft-signed UEFI shim bootloaders that can bypass Secure Boot on systems trusting the Microsoft Corporation UEFI CA 2011 certificate, creating a path to arbitrary code execution during boot. The affected shims can let an attacker load malicious code before the operating system starts, enabling UEFI bootkits and other persistent malware. Microsoft revoked the impacted shims in June 2026 Patch Tuesday after responsible disclosure earlier in February 2026. The issues are tracked as CVE-2026-8863 and CVE-2026-10797.

Mozilla Firefox 152.0.6 security update (CVE-2026-15718, CVE-2026-15719)

Security Patch Release

Updated: 15.07.2026 16:18 · First: 15.07.2026 16:18 · 📰 1 src / 1 articles · H score: 41

Mozilla's Firefox 152.0.6 update fixes two critical flaws after exploit code was published, reducing risk for users running unpatched browsers. The release remediates CVE-2026-15718 and CVE-2026-15719 in Firefox. Mozilla said it was not aware of attacks in the wild abusing the flaws.

Identity-based access becomes the leading ransomware initial-access trend in 2026

Trend

Updated: 15.07.2026 15:45 · First: 15.07.2026 15:45 · 📰 1 src / 1 articles · H score: 28

Identity-based attacks became the leading ransomware initial-access trend, raising the risk of credential abuse and legitimate login misuse across affected networks. Sophos found 79% of ransomware incidents traced back to compromised identities, while exploitation of known vulnerabilities fell to 18% in 2026. The shift shows attackers are favoring easier access paths such as phishing, malicious email, and brute force over exploit-driven entry.

Windows User Profile Service arbitrary hive load elevation of privileges privilege-escalation flaw

Vulnerability

Updated: 15.07.2026 14:07 · First: 15.07.2026 14:07 · 📰 1 src / 1 articles · H score: 11

A new LegacyHive proof-of-concept exposes a Windows User Profile Service (ProfSvc) arbitrary hive-load elevation-of-privileges flaw on supported Windows desktop and server versions, including systems with the July 2026 Patch Tuesday update. The stripped-down exploit shows that the weakness can still be exercised publicly, raising the risk of local privilege escalation and hive manipulation on affected hosts. The researcher said the original exploit was broader, did not require additional credentials, and was not limited to usrclass.dat. That makes the flaw a live security issue for in-support Windows builds rather than a theoretical bug.

Cursor Windows repo-root git.exe code execution security flaw

Vulnerability

Updated: 15.07.2026 13:55 · First: 15.07.2026 13:55 · 📰 1 src / 1 articles · H score: 9

Cursor on Windows automatically runs a repo-root git.exe when a repository is opened, creating arbitrary code execution as the logged-in user. The flaw affects cloned projects and can expose source, SSH keys, and cloud tokens. As of publication there was no patch and no public Cursor advisory.

AsyncAPI repositories and npm publishing workflow hit by network compromise

Incident

Updated: 15.07.2026 12:16 · First: 15.07.2026 12:16 · 📰 2 src / 2 articles · H score: 27

The AsyncAPI npm publishing pipeline was compromised in a July 14 supply-chain attack that used the project’s normal GitHub Actions release path to publish trojanized packages. Attackers reportedly compromised two AsyncAPI GitHub repositories, injected malware into project files, and shipped malicious releases in the @asyncapi npm namespace with apparently valid OIDC provenance attestations. The packages were later removed from npm, but existing installs and lock files created during the exposure window may still be affected.

Compromised @asyncapi npm packages distributing the Miasma loader

Malware Activity

Updated: 15.07.2026 12:16 · First: 15.07.2026 12:16 · 📰 1 src / 1 articles · H score: 29

Four compromised @asyncapi npm packages now deliver a multi-stage botnet loader when imported, exposing consumers to Miasma payloads during normal Node.js module load. The hidden implant fetches an encrypted second stage from IPFS and runs it outside the install path. The payload is built for credential theft, persistence, and broader post-compromise control. Any build or developer workflow that loaded one of the affected packages may have executed the malware.

UK government updates National Risk Register and announces resilience campaign

Public Sector Action

Updated: 15.07.2026 11:48 · First: 15.07.2026 11:48 · 📰 1 src / 1 articles · H score: 15

The UK government expanded the National Risk Register with new cyber-related scenarios, strengthening national planning for disruptions that could affect critical infrastructure and household resilience. The update adds risks tied to digital infrastructure, water infrastructure, police systems, and a CrowdStrike-style outage. It also brings in scenarios for election infrastructure attacks and hack-and-leak activity. The government said it will launch a national resilience campaign later this year to push households toward basic preparedness steps.

Microsoft Windows 11 update rollout blocked on Dell devices over driver incompatibility

Service Disruption

Updated: 15.07.2026 11:26 · First: 15.07.2026 11:26 · 📰 1 src / 1 articles · H score: 1

Microsoft is blocking KB5101650 on some Dell devices after a driver incompatibility caused unexpected shutdowns and other stability problems. The hold affects Windows 11 25H2 and 24H2 systems after the June 23, 2026 KB5095093 preview update introduced a conflict with the Intel Innovation Platform Framework Processor Participant driver. Affected devices can also see poor performance, increased heat, and battery drain while Microsoft and Dell work on a fix.

Aleksandr Volosovik unsealed charges in three Russian nationals and Media Land / ML.Cloud

Law Enforcement

Updated: 15.07.2026 10:45 · First: 15.07.2026 10:45 · 📰 1 src / 1 articles · H score: 31

U.S. federal prosecutors unsealed charges against three Russian nationals accused of supplying bulletproof hosting to ransomware gangs, escalating a cybercrime case tied to over $62 million in reported damages.

U.S. Department of State offers RFJ reward for BPH-linked cyber actors

Public Sector Action

Updated: 15.07.2026 10:45 · First: 15.07.2026 10:45 · 📰 1 src / 1 articles · H score: 32

The U.S. Department of State is now offering up to $10 million through Rewards for Justice (RFJ) for information tied to the alleged bulletproof hosting operators and their malicious cyber activity. The incentive adds a new public-sector pressure point against the same cybercrime network named in the charges and can help identify foreign government-linked associates. The reward is aimed at information on the actors, their cyber activity, and the use of their companies.

CISA KEV catalog addition for SonicWall SMA 1000 flaws

Public Sector Action

Updated: 15.07.2026 08:30 · First: 15.07.2026 08:30 · 📰 1 src / 1 articles · H score: 34

CISA added CVE-2026-15409 and CVE-2026-15410 affecting SonicWall SMA 1000 appliances to the KEV catalog, turning the flaws into a federal remediation priority for FCEB agencies. The directive requires those agencies to apply the fixes by July 17, 2026 after reports of active exploitation. The action escalates the vulnerabilities from vendor disclosure to a mandatory government tracking and remediation item.

SonicWall security patch release for CVE-2026-15409

Security Patch Release

Updated: 15.07.2026 00:23 · First: 15.07.2026 00:23 · 📰 2 src / 2 articles · H score: 54

SonicWall released hotfix security updates for SMA1000 appliances after confirming active exploitation of CVE-2026-15409 and CVE-2026-15410. The fixes are available in platform-hotfix 12.4.3-03453 and 12.5.0-02835 or later, covering affected SMA1000 models 6210, 7210, and 8200v. Customers were told to upgrade as soon as possible and check for compromise indicators. CISA KEV listing and the vendor's guidance indicate urgent remediation for exposed deployments.

Spanish Police dismantle €140 million BEC fraud ring

Law Enforcement

Updated: 14.07.2026 23:23 · First: 14.07.2026 23:23 · 📰 1 src / 1 articles · H score: 29

Spanish Police dismantled a cybercrime and money-laundering organization tied to investment fraud and business email compromise (BEC), disrupting a ring that generated €140 million ($160 million). Four suspects were arrested across Spain, Portugal, and Panama, and investigators say the operation used at least 800 bank accounts and 67 money mules. The action also included raids, the seizure of devices, and the freezing of €3 million ($3.4 million) in crime proceeds.

Microsoft Corp. security patch release for CVE-2026-56155

Security Patch Release

Updated: 14.07.2026 22:22 · First: 14.07.2026 22:22 · 📰 2 src / 2 articles · H score: 48

Microsoft released July 2026 Patch Tuesday updates that close at least 570 security holes in Windows and other software, expanding the remediation burden for defenders. The bundle includes nearly 60 critical vulnerabilities and three zero-days already exploited in the wild. It also covers issues such as CVE-2026-56155 in Active Directory Federation Services, CVE-2026-56164 in SharePoint, and CVE-2026-50661 in Windows BitLocker. The release is almost triple last month’s record patch count and adds operational risk during rollout.

Microsoft Copilot remote code execution flaw (CVE-2026-48561)

Vulnerability

Updated: 14.07.2026 22:22 · First: 14.07.2026 22:22 · 📰 1 src / 1 articles · H score: 33

A CVE-2026-48561 remote code execution flaw in Microsoft Copilot can let an unauthorized attacker execute code over the network, creating remote takeover risk for affected users. The bug carries a 9.6 CVSS score and is tied to an exploit path involving a malicious website and Microsoft Edge for Android. Microsoft’s July 2026 patch cycle includes updates covering the issue.

GitHub fake-repository infostealer campaign

Campaign

Updated: 14.07.2026 22:15 · First: 14.07.2026 22:15 · 📰 1 src / 1 articles · H score: 41

A GitHub impersonation campaign is distributing infostealer malware through 292 fake repositories, expanding the risk to users searching for trusted software downloads. The operation uses README links and spoofed download pages to push a ZIP archive that side-loads a trojanized DLL into a signed updater. The payload can bypass Chrome’s App-Bound Encryption and steals browser, wallet, messaging, and credential data. Several dozen redirectors were still active at report time, keeping the delivery chain live.

BoryptGrab infostealer variant delivered via fake GitHub repositories

Malware Activity

Updated: 14.07.2026 22:15 · First: 14.07.2026 22:15 · 📰 1 src / 1 articles · H score: 30

A BoryptGrab infostealer variant is being delivered through fake GitHub repositories, expanding a credential-theft operation that can drain browser, wallet, and messaging data from infected systems. The payload uses a trojanized libcurl.dll and a signed WinGUP updater to sideload and run in memory. It can bypass Chrome's App-Bound Encryption and exfiltrates data to a Russia-based C2 server.

Microsoft Windows 10 KB5099539 extended security update

Security Patch Release

Updated: 14.07.2026 21:49 · First: 14.07.2026 21:49 · 📰 1 src / 1 articles · H score: 16

Microsoft released Windows 10 KB5099539, a security update bundle for Windows 10 ESU that rolls in July 2026 Patch Tuesday fixes for 570 vulnerabilities. The package also includes additional security fixes, making it a broad maintenance release for supported Windows 10 and Enterprise LTSC systems. Microsoft says enrolled devices can install it through Windows Update like a normal update.

Microsoft RDP file security guidance

Advisory/Mitigation

Updated: 14.07.2026 21:49 · First: 14.07.2026 21:49 · 📰 1 src / 1 articles · H score: 28

Microsoft issued RDP mitigation guidance that restricts which .rdp files users can open and recommends migrating trusted publishers to SHA-256 thumbprints, reducing phishing risk for Remote Desktop users.