ALERT - Attackers are trying to exploit CVE-2026-8037 in Progress Kemp LoadMaster.
The CVSS 9.6 flaw enables unauthenticated OS command injection and arbitrary code execution on vulnerable appliances.
eSentire says the attempts it saw failed, but PoC details are now public.
Read: https://thehackernews.com/2026/07/latest-progress-kemp-loadmaster-pre.html
Two Cursor vulnerabilities could let hidden prompt-injection instructions escape the editor's terminal sandbox and run commands on a developer's machine.
Tracked as CVE-2026-50548 and CVE-2026-50549, they affect versions before 3.0.
See how it works: https://thehackernews.com/2026/07/critical-cursor-flaws-could-let-prompt.html
Adobe patched 9 flaws in ColdFusion and Campaign Classic, 7 rated CVSS 10.0.
ColdFusion issues enable RCE, privilege escalation, file read, and bypass.
Campaign Classic CVE-2026-48286 impacts on-prem ACC v7 only.
Read: https://thehackernews.com/2026/07/adobe-patches-7-cvss-100-flaws-in.html
Ousaban hides a ZIP payload inside an image after a fake "corrupted" PDF screens victims in Spain and Portugal.
The Windows banking trojan watches 24+ banks and can log keys, grab screenshots, tamper with the clipboard, and enable remote control.
How the fake PDF turns into Ousaban: https://thehackernews.com/2026/07/ousaban-banking-trojan-targets-iberian.html
WEBINAR - The developer who built the automation may have left months ago, but the access token hasn't.
That AI agent is still running with standing privileges and no current human owner.
SailPoint experts show how to find every orphaned one and map it back to a real person.
See how here: https://thehacker.news/securing-ai-use
PureLogs Stealer now hides behind Blogger pages and a fake PDF JavaScript file.
Experts say VEIL#DROP uses PowerShell, dynamic Blogspot URLs, fileless .NET loading, and #Microsoft-signed LOLBins to evade detection.
How the chain unfolds: https://thehackernews.com/2026/07/veildrop-malware-chain-uses-blogger.html
90+ spoofed software domains are pushing AsyncRAT through ScreenConnect.
Kaspersky says the sites mimic OBS Studio, Bandicam, DNS Jumper, and DS4Windows, then use SEO to surface in Google and Bing.
How the fake installers turn ScreenConnect into RAT access: https://thehackernews.com/2026/07/seo-poisoned-software-sites-abuse.html
Scattered Spider now has another accused member in U.S. custody.
Peter Stokes, 19 years old, was extradited from Finland after prosecutors tied "Bouquet" to at least four alleged intrusions.
One included an $8M crypto demand.
Read - https://thehackernews.com/2026/07/19-year-old-scattered-spider-suspect.html
Argo CD repo-server has an UNPATCHED code execution flaw (no CVE).
Experts say unauthenticated gRPC access can execute commands on the service.
With default Helm installs, a single compromised pod can reach it if network policies are off. That path extends to Redis cache poisoning and cluster takeover.
Repo-server attack flow explained: https://thehackernews.com/2026/07/unpatched-argo-cd-repo-server-flaw.html
CISA added CVE-2026-45659 to KEV following active exploitation.
The SharePoint Server RCE was patched in May 2026.
Microsoft says an authenticated Site Member can execute code remotely; no admin rights required.
FCEB agencies have until July 4 to patch.
Details: https://thehackernews.com/2026/07/sharepoint-rce-cve-2026-45659-added-to.html
Fake GitHub PoC repos are being used to infect vulnerability researchers with ChocoPoC RAT.
The PoC may look clean. The #malware hides in Python dependencies like frint and skytext, then steals saved passwords, cookies, browser data, and files.
How the trap works: https://thehackernews.com/2026/07/new-chocopoc-rat-targets-vulnerability.html
FortiBleed has already led to at least 12 #ransomware deployments.
Experts say one operator tied to the campaign was active in INC Ransom and Lynx negotiation panels.
The trail includes 354 completed FortiGate attack chains.
Details here: https://thehackernews.com/2026/07/fortibleed-credential-theft-linked-to.html
An AI agent turned Langflow RCE into automated database extortion.
CVE-2025-3248 was exploited to steal secrets, move laterally, hijack Nacos, encrypt 1,342 configuration items, and drop database schemas.
Inside the attack chain: https://thehackernews.com/2026/07/ai-agent-exploits-langflow-rce-to.html
AI agents don't trigger leaver events.
No HR record.
No manager.
No offboarding date.
IGA tools may only see a service account while API access, OAuth grants, and stale credentials drift outside the human identity lifecycle.
Where the model breaks: https://thehackernews.com/2026/07/identity-lifecycle-management.html
ToddyCat's Umbrij can turn an active Gmail session into Google API access.
Experts say it launches Chrome or Edge in headless mode, grabs an OAuth authorization code, and lets operators exchange it for an access token.
How the STRD attack chain works: https://thehackernews.com/2026/07/toddycat-linked-umbrij-malware-abuses.html
#ThreatsDay Bulletin is live, and this week's threats were quiet, weird, and too easy to miss.
Stolen AI compute
BlueHammer ransomware
Apple email flaw
Fake INTERPOL ransomware
ClickFix defenses
BeepRAT espionage
Millennium RAT
UNC1151 phishing
AI search hijack
Teams bot controls
GPT-5.6 Sol
UNC5792 reward
Prompt injection
Anthropic tracking
Device-aware phishing
Amazon FTC fine
Claude sandbox root
Read the full roundup: https://thehackernews.com/2026/07/threatsday-ai-compute-hijacking-apple.html
Update - Citrix CVE-2026-8451 is now under active exploitation, less than 24 hours after disclosure.
A Frankfurt IP hit sensors for 5 hours, delivering the watchTowr exploit only after a 200 OK response and skipping 404s.
Learn how the malformed SAML exploit path works: https://thehackernews.com/2026/07/citrix-patches-six-netscaler-flaws.html
Ransomware crews are stacking three ugly paths into enterprise networks.
Anubis: Citrix Bleed 2
The Gentlemen: Go backdoor + BYOVD
VECT/TeamPCP: supply-chain credential theft
How the attack paths connect: https://thehackernews.com/2026/07/ransomware-groups-turn-to-citrix-bleed.html
Google disrupted #NetNut, a proxy network spanning at least 2 million home devices.
In one June week, GTIG saw 316 threat clusters using suspected NetNut exit nodes to hide location and guess passwords.
The simple risk: your home IP becomes someone else's relay.
Learn more: https://thehackernews.com/2026/07/google-disrupts-netnut-residential.html