β‘ THN Recap: Before you start the week, know what's out there:
βͺοΈ ShareFile servers pulled offline
βͺοΈ npm package hijacked to drop infostealer
βͺοΈ Critical Zimbra email flaw patched
βͺοΈ GigaWiper backdoor wipes disks
βͺοΈ 1.4M WordPress sites targeted
βͺοΈ Citrix Bleed 2 leads to ransomware
βͺοΈ AI coding assistants tricked into malware
βͺοΈ Django flaw actively exploited
βͺοΈ Fake VPN installer drops RAT
βͺοΈ Helix crew hits SharePoint data
Full recap β https://thehackernews.com/2026/07/weekly-recap-sharefile-threat-citrix.html
βͺοΈ ShareFile servers pulled offline
βͺοΈ npm package hijacked to drop infostealer
βͺοΈ Critical Zimbra email flaw patched
βͺοΈ GigaWiper backdoor wipes disks
βͺοΈ 1.4M WordPress sites targeted
βͺοΈ Citrix Bleed 2 leads to ransomware
βͺοΈ AI coding assistants tricked into malware
βͺοΈ Django flaw actively exploited
βͺοΈ Fake VPN installer drops RAT
βͺοΈ Helix crew hits SharePoint data
Full recap β https://thehackernews.com/2026/07/weekly-recap-sharefile-threat-citrix.html
β‘4π₯1π1π€1
π¨ Google and Microsoft pulled ModHeader after researchers found a dormant browsing-history collector inside its genuine store build.
The extension had roughly 1.6 million installs across Chrome and Edge, with most of the collection pipeline already in place.
Here's how it stayed hidden - https://thehackernews.com/2026/07/google-and-microsoft-pull-modheader.html
The extension had roughly 1.6 million installs across Chrome and Edge, with most of the collection pipeline already in place.
Here's how it stayed hidden - https://thehackernews.com/2026/07/google-and-microsoft-pull-modheader.html
π₯7
CrashStealer uses a signed and Apple-notarized macOS dropper to pass Gatekeeper checks.
Once launched, it can steal browser credentials, wallet data, password manager records, files, and keychain material.
How the attack chain works: https://thehackernews.com/2026/07/crashstealer-macos-malware-uses.html
Once launched, it can steal browser credentials, wallet data, password manager records, files, and keychain material.
How the attack chain works: https://thehackernews.com/2026/07/crashstealer-macos-malware-uses.html
π6π₯2
π¨ Hackers spent a year stealing data from #Salesforce environments without exploiting a single platform flaw.
#Microsoft mapped the ShinyHunters-linked activity to trusted OAuth apps, stolen vendor tokens, and misconfigured guest access while sign-in monitoring stayed quiet.
How the three attack paths worked: https://thehackernews.com/2026/07/microsoft-maps-year-long-shinyhunters.html
#Microsoft mapped the ShinyHunters-linked activity to trusted OAuth apps, stolen vendor tokens, and misconfigured guest access while sign-in monitoring stayed quiet.
How the three attack paths worked: https://thehackernews.com/2026/07/microsoft-maps-year-long-shinyhunters.html
π€―14π₯4π€4π2
π¨ 148 npm packages disguised as student web proxies turned visitorsβ browsers into a DDoS botnet.
The code never ran at install time. It waited inside working proxy sites, beyond scanners focused on install-time behavior.
Here's how the campaign worked: https://thehackernews.com/2026/07/148-npm-packages-disguised-as-student.html
The code never ran at install time. It waited inside working proxy sites, beyond scanners focused on install-time behavior.
Here's how the campaign worked: https://thehackernews.com/2026/07/148-npm-packages-disguised-as-student.html
π7π₯7π2
πͺ U.S. sanctions hit First VPN, its administrator, and a cryptor seller over support for #ransomware attacks on American businesses, hospitals, financial firms, and local governments.
The VPN was dismantled in May 2026 after allegedly helping attackers hide their origins.
How the operation worked: https://thehackernews.com/2026/07/us-sanctions-first-vpn-service-and.html
The VPN was dismantled in May 2026 after allegedly helping attackers hide their origins.
How the operation worked: https://thehackernews.com/2026/07/us-sanctions-first-vpn-service-and.html
π₯9π3π€3
π Grok Build uploaded entire Git repositories, full commit history and all, to xAI storage, not just the files the agent read.
A captured bundle contained a file the agent had been explicitly told not to open.
What was uploaded, and which secrets users should rotate: https://thehackernews.com/2026/07/grok-build-uploads-entire-git.html
A captured bundle contained a file the agent had been explicitly told not to open.
What was uploaded, and which secrets users should rotate: https://thehackernews.com/2026/07/grok-build-uploads-entire-git.html
π16π€―10π₯4π€2π1
β οΈ Attackers can validate stolen #Microsoft Entra credentials without generating a successful sign-in event.
Researchers tracked two campaigns using spoofed OAuth client IDs, including one that targeted over 2 million users. App-scoped detections may miss it.
Read why Entra logs may miss it: https://thehackernews.com/2026/07/oauth-client-id-spoofing-lets-attackers.html
Researchers tracked two campaigns using spoofed OAuth client IDs, including one that targeted over 2 million users. App-scoped detections may miss it.
Read why Entra logs may miss it: https://thehackernews.com/2026/07/oauth-client-id-spoofing-lets-attackers.html
π8
π¨ Researchers tested 85 browser crypto wallets representing 35.16 million Chrome Web Store users.
Some linked separate addresses, kept exposing previously granted addresses after logout, or enabled tracking across unrelated sites.
How it works: https://thehackernews.com/2026/07/study-of-85-crypto-wallet-extensions.html
Some linked separate addresses, kept exposing previously granted addresses after logout, or enabled tracking across unrelated sites.
How it works: https://thehackernews.com/2026/07/study-of-85-crypto-wallet-extensions.html
π₯8
This media is not supported in your browser
VIEW IN TELEGRAM
π 11 old Microsoft-signed UEFI shims could let attackers with admin access bypass Secure Boot and run code before the OS starts.
Microsoft revoked the vulnerable shims in June 2026, but systems without the revocation update may still accept them.
Read how the bypass works: https://thehackernews.com/2026/07/11-old-microsoft-signed-linux-uefi.html
Microsoft revoked the vulnerable shims in June 2026, but systems without the revocation update may still accept them.
Read how the bypass works: https://thehackernews.com/2026/07/11-old-microsoft-signed-linux-uefi.html
π5π3π₯1
β οΈ A RabbitMQ flaw can leak an OAuth client secret in one unauthenticated request, potentially giving attackers full broker control in affected setups.
A second bug lets logged-in users read queue and exchange metadata beyond their permissions.
Details: https://thehackernews.com/2026/07/rabbitmq-flaws-could-leak-oauth-secrets.html
A second bug lets logged-in users read queue and exchange metadata beyond their permissions.
Details: https://thehackernews.com/2026/07/rabbitmq-flaws-could-leak-oauth-secrets.html
π5
β‘ Penteraβs MCP Server gives AI assistants validated attack paths, not just scanner scores.
A critical finding may be unreachable, while a medium-severity flaw may be the one that leads to privileged access.
How validation changes the workflow: https://thehackernews.com/2026/07/how-pentera-turns-ai-security-workflows.html
A critical finding may be unreachable, while a medium-severity flaw may be the one that leads to privileged access.
How validation changes the workflow: https://thehackernews.com/2026/07/how-pentera-turns-ai-security-workflows.html
π4π3
UPDATE: Progress has restored ShareFile Storage Zone Controllers.
Progress Software told The Hacker News it patched a high-severity flaw in versions 5.x and 6.x. It found no evidence of account or data access and no active threat.
No CVE or actor was named.
Read: https://thehackernews.com/2026/07/urgent-progress-tells-sharefile.html
Progress Software told The Hacker News it patched a high-severity flaw in versions 5.x and 6.x. It found no evidence of account or data access and no active threat.
No CVE or actor was named.
Read: https://thehackernews.com/2026/07/urgent-progress-tells-sharefile.html
π₯1
β οΈ LabubaRAT masquerades as NVIDIA software on Windows.
The Rust-based RAT profiles 12 security products and can run commands, move files, capture screenshots, and proxy traffic through the infected host.
Here's how it stays connected: https://thehackernews.com/2026/07/labubarat-masquerades-as-nvidia.html
The Rust-based RAT profiles 12 security products and can run commands, move files, capture screenshots, and proxy traffic through the infected host.
Here's how it stays connected: https://thehackernews.com/2026/07/labubarat-masquerades-as-nvidia.html
π₯6
π Claude for Chrome still lets another extension running on claude[.]ai trigger tasks that read Gmail, Docs, and Calendar.
One approval click remains by default. With βAct without askingβ enabled, the same task runs silently.
Eight releases later, the path is still open.
How it works: https://thehackernews.com/2026/07/claude-for-chrome-flaw-lets-other.html
One approval click remains by default. With βAct without askingβ enabled, the same task runs silently.
Eight releases later, the path is still open.
How it works: https://thehackernews.com/2026/07/claude-for-chrome-flaw-lets-other.html
π₯4
SAP patched a CVSS 9.9 NetWeaver ABAP flaw that could let an authenticated attacker access or modify data, or knock systems offline.
The same update fixes a Commerce Cloud issue tied to publicly documented sample OAuth credentials left unchanged in production.
Read : https://thehackernews.com/2026/07/sap-patches-cvss-99-netweaver-abap-flaw.html
The same update fixes a Commerce Cloud issue tied to publicly documented sample OAuth credentials left unchanged in production.
Read : https://thehackernews.com/2026/07/sap-patches-cvss-99-netweaver-abap-flaw.html
π₯1
π₯ Microsoft patched a record 622 CVEs, including two exploited zero-days in SharePoint Server and AD FS.
The SharePoint flaw allows remote, unauthenticated privilege escalation. The AD FS bug lets authenticated attackers elevate privileges locally.
Here's what to patch first: https://thehackernews.com/2026/07/microsoft-patches-record-622-flaws.html
The SharePoint flaw allows remote, unauthenticated privilege escalation. The AD FS bug lets authenticated attackers elevate privileges locally.
Here's what to patch first: https://thehackernews.com/2026/07/microsoft-patches-record-622-flaws.html
π₯5π€5π2π1
π Two SonicWall SMA 1000 zero-days are under active attack, the company says.
One could let authenticated attackers run OS commands as administrator. The other is a CVSS 10.0 SSRF flaw.
What to patch and check: https://thehackernews.com/2026/07/two-sonicwall-sma-1000-zero-days.html
One could let authenticated attackers run OS commands as administrator. The other is a CVSS 10.0 SSRF flaw.
What to patch and check: https://thehackernews.com/2026/07/two-sonicwall-sma-1000-zero-days.html
π6π€―2
π¨ Five poisoned versions of four AsyncAPI npm packages shipped a multi-stage botnet loader.
They carried valid provenance attestations, and the malware ran when affected modules were loaded, not at install time.
How trusted releases carried the malware: https://thehackernews.com/2026/07/compromised-asyncapi-npm-packages.html
They carried valid provenance attestations, and the malware ran when affected modules were loaded, not at install time.
How trusted releases carried the malware: https://thehackernews.com/2026/07/compromised-asyncapi-npm-packages.html
β‘2
π¨ Cursor on Windows can silently run an attacker-supplied binary when a developer opens a cloned repository.
A repo-root git.exe is enough. No prompt, agent, approval, or prior access. It runs as the logged-in user.
Reported in December. Still unpatched.
How it works and what stops it: https://thehackernews.com/2026/07/cursor-flaw-lets-malicious-cloned.html
A repo-root git.exe is enough. No prompt, agent, approval, or prior access. It runs as the logged-in user.
Reported in December. Still unpatched.
How it works and what stops it: https://thehackernews.com/2026/07/cursor-flaw-lets-malicious-cloned.html
π±3π2
One approved marketing tag can quietly load unvetted fourth-party code into your site.
Those scripts can access forms, checkout fields, and customer data long after the original vendor review.
How the approval gap forms: https://thehackernews.com/2026/07/new-webinar-closing-approval-gap-in-ai.html
Those scripts can access forms, checkout fields, and customer data long after the original vendor review.
How the approval gap forms: https://thehackernews.com/2026/07/new-webinar-closing-approval-gap-in-ai.html