Find notable cyber news and cases, enriched with sources, timelines, and signals.

Recent notable Happenings and Cases

Hide ▲
Last updated: 19:38 14/07/2026 UTC
Last updated: 15:02 14/07/2026 UTC

Latest updates

Browse →

GitHub fake-repository infostealer campaign

Campaign

Updated: 14.07.2026 22:15 · First: 14.07.2026 22:15 · 📰 1 src / 1 articles · H score: 41

A GitHub impersonation campaign is distributing infostealer malware through 292 fake repositories, expanding the risk to users searching for trusted software downloads. The operation uses README links and spoofed download pages to push a ZIP archive that side-loads a trojanized DLL into a signed updater. The payload can bypass Chrome’s App-Bound Encryption and steals browser, wallet, messaging, and credential data. Several dozen redirectors were still active at report time, keeping the delivery chain live.

BoryptGrab infostealer variant delivered via fake GitHub repositories

Malware Activity

Updated: 14.07.2026 22:15 · First: 14.07.2026 22:15 · 📰 1 src / 1 articles · H score: 30

A BoryptGrab infostealer variant is being delivered through fake GitHub repositories, expanding a credential-theft operation that can drain browser, wallet, and messaging data from infected systems. The payload uses a trojanized libcurl.dll and a signed WinGUP updater to sideload and run in memory. It can bypass Chrome's App-Bound Encryption and exfiltrates data to a Russia-based C2 server.

Microsoft Windows 10 KB5099539 extended security update

Security Patch Release

Updated: 14.07.2026 21:49 · First: 14.07.2026 21:49 · 📰 1 src / 1 articles · H score: 16

Microsoft released Windows 10 KB5099539, a security update bundle for Windows 10 ESU that rolls in July 2026 Patch Tuesday fixes for 570 vulnerabilities. The package also includes additional security fixes, making it a broad maintenance release for supported Windows 10 and Enterprise LTSC systems. Microsoft says enrolled devices can install it through Windows Update like a normal update.

Microsoft RDP file security guidance

Advisory/Mitigation

Updated: 14.07.2026 21:49 · First: 14.07.2026 21:49 · 📰 1 src / 1 articles · H score: 28

Microsoft issued RDP mitigation guidance that restricts which .rdp files users can open and recommends migrating trusted publishers to SHA-256 thumbprints, reducing phishing risk for Remote Desktop users.

Active Directory Federation Services actively exploited elevation of privilege privilege-escalation flaw (CVE-2026-56155)

Vulnerability

Updated: 14.07.2026 21:01 · First: 14.07.2026 21:01 · 📰 1 src / 1 articles · H score: 29

Microsoft patched CVE-2026-56155 in Active Directory Federation Services (AD FS) after confirming active exploitation of an elevation-of-privilege flaw that could let an authorized attacker gain administrative privileges locally. The vulnerability was included in Microsoft’s July 2026 Patch Tuesday and is part of a larger security update release covering 570 flaws.

Microsoft July 2026 Patch Tuesday security updates (570 flaws, 3 zero-days)

Security Patch Release

Updated: 14.07.2026 21:01 · First: 14.07.2026 21:01 · 📰 1 src / 1 articles · H score: 36

Microsoft's July 2026 Patch Tuesday released security updates for 570 flaws, including three zero-days and two vulnerabilities exploited in attacks, creating immediate patch urgency for Microsoft environments.

Windows 11 KB5101650 and KB5099414 cumulative updates

Security Patch Release

Updated: 14.07.2026 20:41 · First: 14.07.2026 20:41 · 📰 1 src / 1 articles · H score: 27

Microsoft released Windows 11 KB5101650 and KB5099414 cumulative updates for 25H2/24H2 and 23H2, delivering the July 2026 Patch Tuesday fixes for 571 vulnerabilities. The updates are mandatory and cover the same security fixes across the supported Windows 11 branches. They also include non-security changes, but the security patch bundle is the main event.

LabubaRAT Rust RAT masquerading as NVIDIA software on Windows

Malware Activity

Updated: 14.07.2026 19:52 · First: 14.07.2026 19:52 · 📰 1 src / 1 articles · H score: 24

A newly documented Rust-based RAT, LabubaRAT, now gives operators Windows host control with file movement, screenshot capture, and traffic proxying. The malware masquerades as NVIDIA software and uses nvidia-sysruntime.exe to blend into target environments. It can communicate over HTTPS, WebView2, or DNS tunneling, which makes shutdown harder once it lands. Researchers also saw signs of a malware-as-a-service model, which could widen reuse across deployments.

Progress Software ShareFile Storage Zone Controller path traversal patch release

Security Patch Release

Updated: 14.07.2026 19:08 · First: 14.07.2026 19:08 · 📰 1 src / 1 articles · H score: 38

Progress Software released 5.12.5 and 6.0.2 for ShareFile Storage Zone Controller after a high-severity zero-day path traversal vulnerability forced last week’s shutdown. The updates cover all 5.x and 6.x versions and let customers bring controllers back online once installed. Progress said it has no indication of unauthorized access to customer accounts or data. A CVE has been reserved and will be published later.

Progress ShareFile Storage Zone Controllers shutdown guidance

Advisory/Mitigation

Updated: 10.07.2026 19:26 · First: 10.07.2026 19:26 · 📰 3 src / 4 articles · H score: 44

Progress Software has told ShareFile customers using Storage Zone Controllers to shut down their servers immediately after detecting a credible external security threat. The instruction affects on-premises Windows servers that bridge the cloud service and customer-managed storage. Progress says it has no indication of unauthorized access to ShareFile accounts or data, but it has temporarily disabled access for affected customers while it investigates.

ShareFile Storage Zone Controller path traversal zero-day path traversal flaw

Vulnerability

Updated: 14.07.2026 19:08 · First: 14.07.2026 19:08 · 📰 1 src / 1 articles · H score: 1

Progress confirmed a high-severity path traversal zero-day in ShareFile Storage Zone Controller, exposing all 5.x and 6.x versions to arbitrary file read and write risk until customers install the fix. The flaw can let an authenticated administrative user read files available to the service account, write attacker-controlled content, or enumerate the server filesystem layout. Progress has released 5.12.5 and 6.0.2 and told customers to update immediately before bringing controllers back online.

Progress ShareFile Storage Zone Controller access disruption

Service Disruption

Updated: 10.07.2026 19:30 · First: 10.07.2026 19:30 · 📰 2 src / 2 articles · H score: 53

ShareFile Storage Zone Controller customers lost access when Progress Software temporarily disabled affected accounts and marked them not operational while investigating a credible external security threat. The disruption affects the Windows servers that run the controllers, not standard cloud-only ShareFile accounts. Customers were told to keep the controllers offline, so the service remains constrained until the threat is understood.

LastPass and Bitwarden users targeted by fake-security-notice phishing campaign

Campaign

Updated: 14.07.2026 18:31 · First: 14.07.2026 18:31 · 📰 1 src / 1 articles · H score: 31

An ongoing phishing campaign is using fake security notices to lure LastPass and Bitwarden users to fraudulent websites, creating immediate credential theft risk for anyone who submits passwords or vault access details. The operation uses impersonated service emails, malicious compliance domains, and a DocuSign lookalike landing page to push victims into interacting with attacker-controlled infrastructure. Some infrastructure has already been flagged as malicious and the website was taken offline, but the targeting remains active enough to affect both user groups.

US Department of Defense (DoD) Cybersecurity Maturity Model Certification (CMMC) Phase II Suspended the Phase II requirements pending review and announced a 60-day program review

Public Sector Action

Updated: 14.07.2026 18:28 · First: 14.07.2026 18:28 · 📰 1 src / 1 articles · H score: 67

The US Department of Defense suspended CMMC Phase II requirements pending review, delaying a planned November 10, 2026 compliance step for defense contractors and subcontractors handling FCI and CUI. The pause affects the move from self-attestations to independent assessments by C3PAOs, which had been intended to verify compliance with NIST SP 800-171. The review could reshape cybersecurity obligations across the defense industrial base and slow the rollout of stricter certification enforcement.

Broadcom VMware Avi Load Balancer security update release

Security Patch Release

Updated: 14.07.2026 16:55 · First: 14.07.2026 16:55 · 📰 1 src / 1 articles · H score: 26

Broadcom released VMware Avi Load Balancer updates that patch seven potentially serious vulnerabilities, including authentication bypass, remote code execution, directory traversal, and privilege escalation flaws. The update package reduces risk for a hybrid and multi-cloud load-balancing platform, and Broadcom says it has no in-the-wild exploitation for these issues.

RabbitMQ OAuth client secret leak security flaw (CVE-2026-57219)

Vulnerability

Updated: 14.07.2026 16:48 · First: 14.07.2026 16:48 · 📰 1 src / 1 articles · H score: 32

RabbitMQ disclosed CVE-2026-57219, a management API flaw that can leak an OAuth client secret from GET /api/auth and enable full broker takeover in affected deployments. The vulnerability affects installations using management.oauth_client_secret and raises the risk of administrator token theft, message exposure, and broker control.

RabbitMQ maintainers security patch release for CVE-2026-57219

Security Patch Release

Updated: 14.07.2026 16:48 · First: 14.07.2026 16:48 · 📰 1 src / 1 articles · H score: 29

RabbitMQ maintainers released fixed versions for multiple supported release lines, closing two access-control flaws that could expose OAuth client secrets and cross-tenant messaging data. The patch set addresses CVE-2026-57219 and CVE-2026-57221 in releases from 3.13.0 and later.

Microsoft Entra ID makes passkeys the default authentication method and retires SMS/voice MFA

Security Tool/Service

Updated: 14.07.2026 15:49 · First: 14.07.2026 15:49 · 📰 1 src / 1 articles · H score: 26

Microsoft Entra ID will make passkeys the default authentication method starting September 2026, reducing reliance on phishable second factors across enterprise accounts. SMS and voice authentication will be retired in February 2027, pushing tenants toward phishing-resistant sign-in methods. The shift raises the baseline for account security while forcing organizations still using phone-based MFA to migrate before disruption.

Microsoft 365 device-code phishing campaign using Jalisco and OmegaLord

Campaign

Updated: 14.07.2026 15:49 · First: 14.07.2026 15:49 · 📰 1 src / 1 articles · H score: 37

The Jalisco and OmegaLord campaign is targeting Microsoft 365 accounts with MFA-bypass phishing, putting credentials, sessions, and downstream data at risk. Jalisco uses device-code phishing while OmegaLord uses a fake PDF Reader login page to steal login details and phone numbers. Once an account is taken over, attackers can quickly reach SharePoint and other SaaS data, then press for extortion.

Jalisco and OmegaLord Microsoft 365 phishing kits

Malware Activity

Updated: 14.07.2026 15:49 · First: 14.07.2026 15:49 · 📰 1 src / 1 articles · H score: 27

The Jalisco and OmegaLord phishing kits were discovered targeting Microsoft 365 accounts with methods that bypass MFA, increasing the risk of credential theft and account takeover. Jalisco uses device-code phishing, while OmegaLord impersonates a PDF Reader login page to collect login credentials and phone numbers. The activity also supports rapid session abuse after compromise, making the kits more effective against modern account defenses.

UEFI shim Secure Boot bypass (multiple vulnerabilities)

Vulnerability

Updated: 14.07.2026 15:46 · First: 14.07.2026 15:46 · 📰 1 src / 1 articles · H score: 1

Researchers identified 11 old, Microsoft-signed UEFI shim bootloaders that can bypass Secure Boot on systems trusting the Microsoft Corporation UEFI CA 2011 certificate, creating a path to arbitrary code execution during boot. The affected shims can let an attacker load malicious code before the operating system starts, enabling UEFI bootkits and other persistent malware. Microsoft revoked the impacted shims in June 2026 Patch Tuesday after responsible disclosure earlier in February 2026. The issues are tracked as CVE-2026-8863 and CVE-2026-10797.

CrashStealer analysis of client-side AES-GCM encryption and anti-analysis techniques

Technical Analysis

Updated: 14.07.2026 15:00 · First: 14.07.2026 15:00 · 📰 1 src / 1 articles · H score: 28

Researchers published a technical analysis of CrashStealer that adds reusable detail on client-side AES-GCM encryption and layered anti-analysis behavior, making the macOS payload harder to inspect and detect. The findings show how the malware protects collected files and resists reverse engineering. Those techniques increase the effort needed to recover stolen data and build reliable detections.

CISA-led joint advisory on Russian router targeting

Public Sector Action

Updated: 14.07.2026 15:00 · First: 14.07.2026 15:00 · 📰 1 src / 1 articles · H score: 32

CISA and partner agencies released a joint cybersecurity advisory warning that Russian state-sponsored actors are targeting vulnerable networking devices in critical infrastructure worldwide. The advisory says attackers are abusing poorly configured routers and known CVEs to gain unauthorized access and exfiltrate configurations. It also directs defenders to tighten access controls, authentication, encryption, and monitoring.

KU Leuven DistriNet crypto wallet browser-extension privacy leaks and cross-site tracking

Technical Analysis

Updated: 14.07.2026 14:55 · First: 14.07.2026 14:55 · 📰 1 src / 1 articles · H score: 24

KU Leuven DistriNet published technical findings on 85 crypto wallet browser extensions that leak enough data to link addresses and track users across sites, creating identity-reconstruction risk for about 35 million listed installs. The study shows that wallet design choices can expose installed-wallet fingerprints, preserve stale permissions, and enable cross-site tracking without any exploit. It also matters because the same leak chain can turn a pseudonymous wallet into a named identity when a site already knows an email or name.

SAP July 2026 security updates

Security Patch Release

Updated: 14.07.2026 14:42 · First: 14.07.2026 14:42 · 📰 1 src / 1 articles · H score: 31

SAP's July 2026 security updates address 16 vulnerabilities across NetWeaver, Commerce Cloud, and AppRouter, including three critical flaws. The release closes a memory-corruption issue in NetWeaver AS ABAP, an HTTP request smuggling flaw in Approuter, and a default-credentials problem in Commerce Cloud. The patch bundle reduces risk of unauthorized data access, data modification, and denial of service in core SAP environments.

Pentera MCP Server brings validation data into MCP-compatible AI assistants

Security Tool/Service

Updated: 14.07.2026 14:30 · First: 14.07.2026 14:30 · 📰 1 src / 1 articles · H score: 11

Pentera introduced the MCP Server to feed validated attack evidence into MCP-compatible AI assistants, letting AI-driven security workflows prioritize exploitable risk instead of isolated scanner output.

SAP July 2026 security patch day

Security Patch Release

Updated: 14.07.2026 14:17 · First: 14.07.2026 14:17 · 📰 1 src / 1 articles · H score: 40

SAP released 19 new and updated security notes for its July 2026 security patch day, covering NetWeaver, Approuter, Commerce Cloud, and other products with fixes for critical flaws.

SAP NetWeaver Application Server ABAP memory corruption memory corruption flaw (CVE-2026-44747)

Vulnerability

Updated: 14.07.2026 14:17 · First: 14.07.2026 14:17 · 📰 2 src / 2 articles · H score: 35

SAP's July 2026 security patch day resolved CVE-2026-44747, a memory corruption bug in NetWeaver Application Server ABAP that could let attackers access and modify data and cause system unavailability.

1VPNS takedown in Operation Saffron

Law Enforcement

Updated: 14.07.2026 12:40 · First: 14.07.2026 12:40 · 📰 1 src / 1 articles · H score: 26

French and Dutch authorities took down 1VPNS, seized 33 servers, and arrested its administrator in Operation Saffron, disrupting a VPN service used by ransomware and fraud actors.

OFAC sanctions First VPN Service and two individuals

Regulatory/Legal Action

Updated: 14.07.2026 11:02 · First: 14.07.2026 11:02 · 📰 2 src / 2 articles · H score: 27

OFAC sanctioned First VPN Service (1VPNS), Dmytro Rashevskyi, and Yegeniy Vladimirovich Silayev for enabling ransomware attacks and helping malicious software evade detection. The action targets a VPN provider and a cryptor seller tied to activity that hid attack origins, masked malware as legitimate software, and supported attacks on U.S. businesses, financial services firms, hospitals, and municipal governments. Officials linked the ecosystem to billions of dollars in losses to U.S. organizations and critical infrastructure providers, and said the underlying 1VPNS infrastructure was dismantled in May 2026 by European and North American authorities.