β‘ Microsoft patched RoguePlanet weeks after the Defender flaw was publicly disclosed.
CVE-2026-50656 affects the #Microsoft Malware Protection Engine and could let local attackers gain SYSTEM-level privileges, according to the researcher who disclosed it.
Full story here β https://thehackernews.com/2026/07/microsoft-patches-rogueplanet-defender.html
CVE-2026-50656 affects the #Microsoft Malware Protection Engine and could let local attackers gain SYSTEM-level privileges, according to the researcher who disclosed it.
Full story here β https://thehackernews.com/2026/07/microsoft-patches-rogueplanet-defender.html
π10π4π₯3
β οΈ GodDamn ransomware is using the PoisonX kernel driver to disable endpoint defenses before encryption.
Symantec says attackers also used AnyDesk, PsExec, and a NirSoft-based credential harvesting toolkit in a June attack.
Read the full story: https://thehackernews.com/2026/07/goddamn-ransomware-uses-poisonx-driver.html
Symantec says attackers also used AnyDesk, PsExec, and a NirSoft-based credential harvesting toolkit in a June attack.
Read the full story: https://thehackernews.com/2026/07/goddamn-ransomware-uses-poisonx-driver.html
π4π₯3π1
A #vulnerability clearinghouse is just a place to collect bugs.
Chainguard says the real work is what happens next: turning those bugs into rebuilt, tested, signed fixes people can use.
Athena has taken in 20K+ findings and shipped 2K+ patches across 500 projects.
Why the fix pipeline matters: https://thehackernews.com/2026/07/summer-of-clearinghouses.html
Chainguard says the real work is what happens next: turning those bugs into rebuilt, tested, signed fixes people can use.
Athena has taken in 20K+ findings and shipped 2K+ patches across 500 projects.
Why the fix pipeline matters: https://thehackernews.com/2026/07/summer-of-clearinghouses.html
π8π₯2π1
AI attacks move in minutes. Your SOC is still on the first alert.
Next week we're hosting a free WEBINAR with Zscaler on defending at machine speed: shrink the attack surface, kill lateral movement, contain the attack before it spreads.
Save your seat π https://thehackernews.com/2026/07/ai-attacks-move-in-minutes-join-this.html
Next week we're hosting a free WEBINAR with Zscaler on defending at machine speed: shrink the attack surface, kill lateral movement, contain the attack before it spreads.
Save your seat π https://thehackernews.com/2026/07/ai-attacks-move-in-minutes-join-this.html
π€4π₯2
This media is not supported in your browser
VIEW IN TELEGRAM
Cyber teams own continuity planning at most organizations but only 22% rate their program as strategic.
Can your continuity program survive real-world disruption? Discover why resilience programs fail under pressure β and what leading teams do differently. Read the new report to explore:
β Insights from 500+ leaders across North America, the UK, Germany, and the UAE.
β How leaders feel prepared, yet fewer than 4 in 10 actually met recovery targets when disruption hit.
β Why resilience programs break down at dependency mapping, third-party risk, and AI governance.
Get the report - https://thn.news/business-continuity-report
Can your continuity program survive real-world disruption? Discover why resilience programs fail under pressure β and what leading teams do differently. Read the new report to explore:
β Insights from 500+ leaders across North America, the UK, Germany, and the UAE.
β How leaders feel prepared, yet fewer than 4 in 10 actually met recovery targets when disruption hit.
β Why resilience programs break down at dependency mapping, third-party risk, and AI governance.
Get the report - https://thn.news/business-continuity-report
π₯2π2
π¨ Cybercrime did not need one big break this week. It used the usual doors: cloud storage, browser trust, support calls, package names, weak defaults, and exposed admin paths.
This weekβs #ThreatsDay covers:
β’ Cloud bucket hijacking
β’ Windows LPE chain
β’ Global fraud bust
β’ Chrome extension abuse
β’ npm/PyPI typosquats
β’ Fake IT support scams
β’ Meta phishing abuse
β’ Tax-themed RAT lures
β’ Remcos loader campaign
β’ Ransomware tooling links
β’ Realtek driver flaws
β’ ADFS key exposure
β’ AI/cloud exfiltration risks
β’ Teams phishing
β’ Taiwan espionage case
β’ Scattered Spider/0ktapus links
β’ Process Parameter Poisoning
β’ Esri ArcGIS flaw
β’ Claude warning in China
Read the full bulletin: https://thehackernews.com/2026/07/threatsday-cloud-bucket-hijacking.html
This weekβs #ThreatsDay covers:
β’ Cloud bucket hijacking
β’ Windows LPE chain
β’ Global fraud bust
β’ Chrome extension abuse
β’ npm/PyPI typosquats
β’ Fake IT support scams
β’ Meta phishing abuse
β’ Tax-themed RAT lures
β’ Remcos loader campaign
β’ Ransomware tooling links
β’ Realtek driver flaws
β’ ADFS key exposure
β’ AI/cloud exfiltration risks
β’ Teams phishing
β’ Taiwan espionage case
β’ Scattered Spider/0ktapus links
β’ Process Parameter Poisoning
β’ Esri ArcGIS flaw
β’ Claude warning in China
Read the full bulletin: https://thehackernews.com/2026/07/threatsday-cloud-bucket-hijacking.html
π₯6β‘2
πͺ npm 12 now turns off install scripts by default.
Dependency lifecycle scripts, implicit node-gyp builds, Git dependencies, and remote URL dependencies no longer run or resolve unless explicitly allowed.
GitHub is also phasing out npm tokens that bypass 2FA.
Read the article: https://thehackernews.com/2026/07/npm-12-disables-install-scripts-by.html
Dependency lifecycle scripts, implicit node-gyp builds, Git dependencies, and remote URL dependencies no longer run or resolve unless explicitly allowed.
GitHub is also phasing out npm tokens that bypass 2FA.
Read the article: https://thehackernews.com/2026/07/npm-12-disables-install-scripts-by.html
π₯8π3π2
π Microsoft has detailed GigaWiper, a Windows backdoor that can spy on a machine and destroy it on command.
It can wipe disks, overwrite the Windows drive, or run fake #ransomware that encrypts files without saving a recovery key.
No decryptor. Just dead machines.
Read about it here π https://thehackernews.com/2026/07/new-gigawiper-windows-backdoor-bundles.html
It can wipe disks, overwrite the Windows drive, or run fake #ransomware that encrypts files without saving a recovery key.
No decryptor. Just dead machines.
Read about it here π https://thehackernews.com/2026/07/new-gigawiper-windows-backdoor-bundles.html
π₯24π1
π¨ Attackers are using 50+ dormant #GitHub βghostβ accounts and exposed PATs to map corporate orgs through the GitHub API.
Datadog says the campaigns enumerate repos, users, gists, followers, and org memberships. In select cases, actors cloned private repos.
Read the article - https://thehackernews.com/2026/07/dormant-github-accounts-help-attackers.html
Datadog says the campaigns enumerate repos, users, gists, followers, and org memberships. In select cases, actors cloned private repos.
Read the article - https://thehackernews.com/2026/07/dormant-github-accounts-help-attackers.html
π₯11π2β‘1
A #ransomware negotiator got 70 months in prison for betraying five clients to BlackCat operators.
Angelo Martino shared confidential insurance limits and negotiation strategy to drive up ransoms, then helped deploy BlackCat against more U.S. victims.
Authorities seized $10 million in assets.
Hereβs how the scheme worked: https://thehackernews.com/2026/07/ransomware-negotiator-gets-70-months-in.html
Angelo Martino shared confidential insurance limits and negotiation strategy to drive up ransoms, then helped deploy BlackCat against more U.S. victims.
Authorities seized $10 million in assets.
Hereβs how the scheme worked: https://thehackernews.com/2026/07/ransomware-negotiator-gets-70-months-in.html
π11π€―10π1π1
π WARNING - Hackers exploited the "Ill Bloom" flaw to drain $3.1 million from 431 #cryptocurrency wallets.
Weak recovery phrase generation left some older mobile wallets created between 2016 and 2018 exposed, potentially allowing attackers to reconstruct private keys and gain unauthorized access.
Check the details on THN π https://thehackernews.com/2026/07/attackers-exploit-ill-bloom.html
Weak recovery phrase generation left some older mobile wallets created between 2016 and 2018 exposed, potentially allowing attackers to reconstruct private keys and gain unauthorized access.
Check the details on THN π https://thehackernews.com/2026/07/attackers-exploit-ill-bloom.html
π₯10β‘1
UPDATE π Latest MS Defenderβs RoguePlanet patch may have introduced a new problem.
Researcher 'Chaotic Eclipse' says Defender can cache a massive Zone.Identifier ADS file and exhaust disk space when a system visits a custom SMB server.
They reproduced it on Windows 11 25H2 and Windows Server 2025.
Read: https://thehackernews.com/2026/07/microsoft-patches-rogueplanet-defender.html
Researcher 'Chaotic Eclipse' says Defender can cache a massive Zone.Identifier ADS file and exhaust disk space when a system visits a custom SMB server.
They reproduced it on Windows 11 25H2 and Windows Server 2025.
Read: https://thehackernews.com/2026/07/microsoft-patches-rogueplanet-defender.html
π10π₯4
π¨ Hackers are using fake #Microsoft Entra passkey pages to target Microsoft 365 accounts.
The vishing campaign steals credentials and MFA responses, then attempts to register attacker-controlled passkeys while adapting to prompts in real time.
Read how the attack works: https://thehackernews.com/2026/07/hackers-use-fake-microsoft-entra.html
The vishing campaign steals credentials and MFA responses, then attempts to register attacker-controlled passkeys while adapting to prompts in real time.
Read how the attack works: https://thehackernews.com/2026/07/hackers-use-fake-microsoft-entra.html
π5π₯3π1
π ALERT - A VPN is supposed to hide your traffic. A new study says many free #Android VPN apps do not.
Researchers tested 281 popular apps with 2.4B+ installs:
β 29 leak traffic, including visited sites
β 246 contact ad/tracking servers
β 5 could let a same-Wi-Fi attacker hijack the tunnel
The app still says βconnected.β
Check whether yours is listed: https://thehackernews.com/2026/07/study-of-281-free-android-vpn-apps.html
Researchers tested 281 popular apps with 2.4B+ installs:
β 29 leak traffic, including visited sites
β 246 contact ad/tracking servers
β 5 could let a same-Wi-Fi attacker hijack the tunnel
The app still says βconnected.β
Check whether yours is listed: https://thehackernews.com/2026/07/study-of-281-free-android-vpn-apps.html
π11π₯6β‘2π1
π¨ They hacked thousands of sites. Then forgot to lock their own front door.
For 3 weeks, this crew left its server wide open, spilling the whole operation: WP-SHELLSTORM. Inside were 27 known plugin bugs, target lists over 1.4M domains, and thousands of backdoors planted.
Some may still be open on your site.
See what to patch: https://thehackernews.com/2026/07/exposed-hacker-server-reveals-wp.html
For 3 weeks, this crew left its server wide open, spilling the whole operation: WP-SHELLSTORM. Inside were 27 known plugin bugs, target lists over 1.4M domains, and thousands of backdoors planted.
Some may still be open on your site.
See what to patch: https://thehackernews.com/2026/07/exposed-hacker-server-reveals-wp.html
π7π€―7β‘2π₯2
This media is not supported in your browser
VIEW IN TELEGRAM
π¨ XRING has no patch or CVE.
This new unpatched #vulnerability can let a remote, unauthenticated client crash HTTP/3 servers built on Alibaba's XQUIC with about 260 bytes of legal QPACK traffic.
It affects every release through v1.9.4. A public PoC is available.
Read details on THN π https://thehackernews.com/2026/07/unpatched-xring-flaw-in-xquic-lets.html
This new unpatched #vulnerability can let a remote, unauthenticated client crash HTTP/3 servers built on Alibaba's XQUIC with about 260 bytes of legal QPACK traffic.
It affects every release through v1.9.4. A public PoC is available.
Read details on THN π https://thehackernews.com/2026/07/unpatched-xring-flaw-in-xquic-lets.html
π₯10π6
π¨ A Silver Fox-linked #malware distributor is selectively deploying a new backdoor called MODBEACON.
It uses encrypted gRPC streaming for command-and-control and loads additional plugins directly in memory.
Read the full story: https://thehackernews.com/2026/07/new-modbeacon-rat-uses-grpc-streaming.html
It uses encrypted gRPC streaming for command-and-control and loads additional plugins directly in memory.
Read the full story: https://thehackernews.com/2026/07/new-modbeacon-rat-uses-grpc-streaming.html
π₯7
Lumen thought it had 17,000 cyber assets. Then it found 500,000 devices. Today, it tracks about 1.1 million.
The lesson is simple: you cannot fix what you cannot see.
Read how Lumen rebuilt its asset inventory: https://thehackernews.com/2026/07/from-17000-to-11-million-assets-how.html
The lesson is simple: you cannot fix what you cannot see.
Read how Lumen rebuilt its asset inventory: https://thehackernews.com/2026/07/from-17000-to-11-million-assets-how.html
π₯5β‘1π€1
β‘ A researcher showed how three #OpenClaw flaws could have let an external #WhatsApp message trigger host code execution.
The bugs could also expose credentials or enable sandbox escape in vulnerable configurations.
Read the full story on THN π https://thehackernews.com/2026/07/researcher-details-whatsapp-to-host.html
The bugs could also expose credentials or enable sandbox escape in vulnerable configurations.
Read the full story on THN π https://thehackernews.com/2026/07/researcher-details-whatsapp-to-host.html
π11π₯4β‘1π1
β οΈ Not dramatic, just worth your attention!
A single laser pulse can reset a Tangem hardware wallet's password and let an attacker drain the funds, no old password or backup card needed.
It can't be patched, but the attack needs the physical card and a $250K lab, and it destroys the card to get in.
Read the full story π https://thehackernews.com/2026/07/laser-attack-resets-tangem-wallet.html
A single laser pulse can reset a Tangem hardware wallet's password and let an attacker drain the funds, no old password or backup card needed.
It can't be patched, but the attack needs the physical card and a $250K lab, and it destroys the card to get in.
Read the full story π https://thehackernews.com/2026/07/laser-attack-resets-tangem-wallet.html
π€―9π₯7π5
This media is not supported in your browser
VIEW IN TELEGRAM
π¨ Six new flaws in U-Boot, the software that boots everything from routers to servers.
A booby-trapped firmware image can crash the device, or on some, run the attacker's code, all before startup finishes and before anything checks the image is safe.
Read details here: https://thehackernews.com/2026/07/six-new-u-boot-flaws-could-let.html
A booby-trapped firmware image can crash the device, or on some, run the attacker's code, all before startup finishes and before anything checks the image is safe.
Read details here: https://thehackernews.com/2026/07/six-new-u-boot-flaws-could-let.html
π₯4π3β‘1