Tuesday, July 14, 2026 | Jonathan Lockhart
Introduction: Today’s edition follows the systems attackers trust most: build pipelines, file-transfer gateways, network control planes, identity flows, and the service providers that keep ransomware operations moving.
A stolen npm credential turned Jscrambler’s build tooling into a credential stealer
Jscrambler disclosed that an attacker used a compromised npm publishing credential on July 11 to distribute malicious versions of its JavaScript security tooling. The affected releases included the main jscrambler package and integrations for Webpack, Gulp, Grunt, and Metro. Jscrambler removed the affected packages and released clean replacements, including jscrambler version 8.22.
The packages installed native malware for Windows, macOS, and Linux. Socket researchers found functions targeting browser information, operating-system keyrings, cloud credentials, cryptocurrency wallets, Slack data, and configuration files associated with artificial-intelligence coding tools and Model Context Protocol services.
The attacker also adapted the delivery method while the campaign was underway. Early malicious releases executed through an npm pre-installation hook. Later versions shifted execution into normal package imports and command-line use, allowing the malware to survive defenses that merely disable lifecycle scripts or scan packages for suspicious installation hooks.
Jscrambler reported that npm counted 1,479 downloads across the affected packages during the roughly two-hour exposure window. That number should not be interpreted as 1,479 confirmed victims or unique compromised systems. Jscrambler said the figure included automated downloads triggered by dependent packages.
Organizations that installed the affected releases should treat developer workstations and continuous-integration systems as potentially compromised. Relevant cloud, source-control, package-registry, messaging, wallet, and AI-service credentials should be rotated after the affected hosts have been isolated and examined.
Watch for: Confirmation that stolen developer credentials were used to compromise downstream repositories, cloud environments, or customer software.
Sources: Jscrambler security advisory, “Unauthorized Publication of a Malicious npm Package Affecting Code Integrity,” July 11, updated July 13, 2026; Socket Research, “Jscrambler npm Package Compromised in Supply Chain Attack,” July 2026.
Two exploited Joomla upload flaws received an emergency federal deadline
CISA added two actively exploited Joomla extension vulnerabilities to its Known Exploited Vulnerabilities catalog on July 10. CVE-2026-48939 affects the iCagenda event-management extension, while CVE-2026-56291 affects Balbooa Forms. Both involve dangerous file-upload paths that can lead to remote code execution under vulnerable configurations.
The iCagenda flaw was discovered after mySites.guru received a customer access log showing an automated attacker upload a file and then request the planted PHP shell. According to the researcher’s disclosure timeline, JoomliC said automated attacks began on June 15. The developer released iCagenda 4.0.8 that day and version 3.9.15 for the legacy branch on June 16.
The most severe upload-to-shell path applies to Joomla 6 because earlier Joomla core versions block the unsafe upload by default. A related access-control bypass affects older Joomla versions as well. Balbooa Forms versions through 2.4.0 were vulnerable, with version 2.4.1 released on July 9.
CISA assigned both vulnerabilities a July 13 federal remediation date under the catalog’s emergency three-day remediation window. That was an exceptional deadline reflecting imminent exploitation risk, not the ordinary timetable applied to every KEV entry.
Installing the update prevents the next attempt but does not remove an existing web shell. Defenders should inspect affected sites for unexpected PHP files, unfamiliar administrator accounts, modified templates, scheduled tasks, unexplained outbound traffic, and suspicious files in extension upload directories.
Watch for: Evidence that the vulnerabilities have moved beyond the initially observed attacks into broad, automated campaigns against internet-exposed Joomla sites.
Sources: CISA Known Exploited Vulnerabilities catalog additions, July 10, 2026; mySites.guru, “iCagenda Zero Day File Upload RCE Fixed in 4.0.8,” June 20, 2026; iCagenda security releases 4.0.8 and 3.9.15; Balbooa Forms release 2.4.1.
Progress still has ShareFile storage controllers powered down
Progress Software told ShareFile customers on July 10 to shut down the Windows servers hosting their Storage Zone Controllers because of what the company called a credible external security threat. The controllers allow organizations to keep ShareFile data in customer-managed storage while using Progress cloud services for authentication, administration, and collaboration.
Progress temporarily restricted access to ShareFile accounts connected to those controllers. The company subsequently began restoring cloud access, but its latest public guidance available on July 14 still instructed customers to leave the controllers offline.
Progress said it had found no indication of unauthorized access to ShareFile accounts or customer data and had not identified an active threat inside its environment. It has not publicly disclosed the root cause, a new vulnerability, an affected-version range, indicators of compromise, or a safe restart procedure.
The company has also not connected the shutdown order to CVE-2026-2699 or CVE-2026-2701, two critical Storage Zone Controller vulnerabilities patched earlier this year. Current patch status therefore should not be treated as permission to return a controller to service.
The absence of technical guidance leaves customers in an incident-response posture rather than a conventional patching cycle. Internet-exposed controllers should be preserved for examination, with web, authentication, process-creation, file-system, administrative, and outbound-network records retained while Progress continues its investigation.
Watch for: A Progress advisory identifying the threat, affected versions, forensic indicators, and the conditions required to restart Storage Zone Controllers safely.
Sources: Progress ShareFile customer notice, “Service Disruption. Immediate Action Required,” July 10, 2026; ShareFile service-status incident notice, July 10, 2026; Progress statements reported by SecurityWeek, The Register, and Help Net Security, July 12–13, 2026.
Russian intelligence is still turning weak router management into critical-infrastructure access
A multinational coalition led by the NSA, CISA, and FBI warned on July 13 that Russia’s Federal Security Service continues to compromise poorly secured routers and other network devices worldwide. The campaign has affected communications, energy, finance, healthcare, government, defense, and other critical-infrastructure sectors.
Operators associated with the FSB’s Center 16 scan for devices accepting default or easily guessed Simple Network Management Protocol community strings. The attackers can then send spoofed management commands that cause a router to copy its configuration to an attacker-controlled server.
Those files may expose network topology, credentials, access-control rules, management addresses, and trusted relationships. The actors have also exploited Cisco Smart Install and older vulnerabilities including CVE-2018-0171 and CVE-2008-4128.
The router is often an intelligence-collection point rather than the final objective. Configuration theft can reveal where privileged systems are located, which networks trust one another, and how traffic can be intercepted or redirected without immediately compromising an endpoint.
Defenders should disable Smart Install, replace SNMP version 1 or 2 with authenticated and encrypted SNMP version 3, restrict management access to dedicated networks, block unnecessary TFTP and FTP traffic, and investigate unexpected configuration exports. End-of-life routers that cannot support modern controls should be replaced rather than merely monitored.
Watch for: Evidence that stolen router configurations are being used for persistent access, traffic interception, credential theft, or preparation for disruptive operations.
Sources: Joint Cybersecurity Advisory AA26-194A, “Improve Router Hygiene to Protect Against Russian State-Sponsored Targeting,” July 13, 2026; NSA, CISA, FBI, Defense Cyber Crime Center, and international partner reporting.
One authentication bypass can put attackers inside the VMware Avi control plane
Broadcom released VMSA-2026-0005 on July 14 to correct seven vulnerabilities in VMware Avi Load Balancer. The most serious, CVE-2026-47865, allows an attacker with network access to bypass authentication and enter the Avi control plane. Broadcom assigned the flaw a maximum CVSS score of 9.8 and provided no workaround.
The remaining vulnerabilities include a second authentication bypass, multiple remote-code-execution paths, local and network-based privilege escalation, and directory traversal. Some require authentication or existing local access, but the primary bypass does not.
Avi Load Balancer controls application delivery and traffic routing. Compromise can therefore affect more than the controller itself. An attacker in the control plane may be positioned to alter traffic handling, inspect application flows, disrupt published services, or use trusted connections to reach backend systems.
Broadcom’s response matrix sends version 32.1.1 to 32.1.2; versions 31.1.1 through 31.2.2 to build 31.2.2-2p3; and versions 30.2.1 through 30.2.6 to 30.2.7. Version 22.1 deployments must move to at least 30.2.7. Broadcom recommends upgrading to 32.1.2.
The unusual build notation is correct. Broadcom’s response matrix renders the 31.x fix as 31.2.2-2p3, while the linked release-note title writes it as 31.2.2-2-p3.
Broadcom has not reported exploitation in the wild. Because the advisory describes a network-reachable authentication bypass with no workaround, exposed management interfaces should be patched before public exploit development changes the assessment.
Watch for: Public proof-of-concept code, internet scanning, or the first observed attempts to bypass authentication on exposed Avi controllers.
Sources: Broadcom security advisory VMSA-2026-0005, “VMware Avi Load Balancer Addresses Multiple Vulnerabilities,” July 14, 2026; VMware Avi Load Balancer 32.1.2, 31.2.2-2-p3, and 30.2.7 release notes.
An obsolete RabbitMQ endpoint can expose the secret protecting the broker
RabbitMQ patched CVE-2026-57219, a vulnerability in its management plugin that can expose an OAuth client secret through the obsolete /api/auth endpoint. The issue affects specific RabbitMQ 3.13, 4.0, 4.1, and 4.2 releases when OAuth is configured using the management.oauth_client_secret setting.
An unauthenticated requester can retrieve that secret from a vulnerable deployment. Where the corresponding identity-provider client is allowed to obtain privileged tokens, the exposed secret may lead to administrative access to the broker. That can expose queued messages, application data, user accounts, routing rules, integration settings, and credentials carried through messaging workflows.
The flaw does not affect installations without the management plugin, systems that do not use OAuth, or OAuth deployments using different settings and grant types. Fixed versions are 3.13.15, 4.0.20, 4.1.11, and 4.2.6.
RabbitMQ published its GitHub Security Advisory and fixes on June 24. Miggo’s detailed technical explanation followed on July 13, meaning the patch was available for nearly three weeks before the broader public received a practical description of the possible broker-takeover path.
No exploitation in the wild has been reported. Administrators should nevertheless patch, restrict management ports to trusted networks, determine whether /api/auth was externally reachable, and rotate the OAuth client secret wherever exposure cannot be excluded.
Watch for: Scanning for the obsolete endpoint or attempts to reuse exposed RabbitMQ client secrets against enterprise identity providers.
Sources: RabbitMQ GitHub Security Advisory GHSA-pj24-8j6m-vq9q, June 24, 2026; CVE-2026-57219 record; Miggo Research, “Full Broker Takeover, No Login Required,” July 13, 2026.
SAP’s July fixes reach data access, request smuggling, and live sample credentials
SAP’s July Security Patch Day delivered sixteen new security notes, one GitHub Security Advisory, and updates to three earlier notes. The highest-priority issues affect SAP NetWeaver Application Server ABAP, SAP Approuter, and SAP Commerce Cloud.
CVE-2026-44747 is a critical memory-corruption vulnerability in the NetWeaver ABAP kernel. An authenticated attacker with network access and low privileges can exploit memory-management errors to cause unauthorized data access, modify information, or make the system unavailable. SAP assigned the vulnerability a CVSS score of 9.9.
CVE-2026-27690 affects SAP Approuter versions before 20.10.0 in non-Cloud Foundry environments. An unauthenticated attacker can send crafted HTTP requests that create request-and-response desynchronization, potentially exposing another user’s response or disrupting service.
CVE-2026-44761 concerns sample OAuth client credentials that may have been retained in production SAP Commerce Cloud environments. Because the credentials were publicly documented, an unauthenticated attacker may be able to use them to obtain a valid access token and then read or modify application data.
SAP has not reported active exploitation. Defenders should patch the affected kernels and packages, identify Approuter deployments outside Cloud Foundry, search Commerce environments for sample OAuth clients, rotate exposed credentials, and review historical token issuance rather than assuming that credential removal proves the environment was never accessed.
Watch for: Public exploit demonstrations, scanning against exposed Approuter deployments, or evidence that known Commerce Cloud sample credentials are being tested at scale.
Sources: SAP Security Patch Day – July 2026, published July 14, 2026; SAP Security Notes 3747367, 3720138, and 3753495; NVD record for CVE-2026-44747; Onapsis Research Labs, “SAP Security Notes: July 2026 Patch Day.”
Opening one crafted message can compromise a Zimbra Classic Web session
Zimbra released version 10.1.19 on July 7 to correct a critical vulnerability in the Classic Web Client. A specially crafted email can execute attacker-controlled code when the recipient opens the message, potentially exposing mailbox information, session data, or account settings.
SecurityWeek reported that the vulnerability is a stored cross-site-scripting flaw. The code executes in the user’s browser and authenticated web session; the available reporting does not establish unauthenticated operating-system command execution on the Zimbra server.
The vulnerability only affects users of the Classic Web Client, but that limitation should not be confused with low impact. A successful browser-session compromise may allow the attacker to read mail, modify account settings, steal session information, or use the compromised account for follow-on phishing.
Google’s Threat Analysis Group reported the flaw. That involvement makes targeted use a credible possibility because the group frequently investigates state-linked and commercial-spyware activity. It does not, by itself, confirm that this vulnerability was exploited in the wild. Zimbra has not published a CVE identifier, technical indicators, or an exploitation statement.
Organizations should update to version 10.1.19, determine which users still use the Classic interface, inspect suspicious HTML messages and external-resource requests, and invalidate sessions where a potentially malicious message was opened before patching.
Watch for: A CVE assignment, technical indicators, or confirmation from Zimbra or Google that the flaw was observed in targeted attacks.
Sources: Zimbra, “Patch Release Update: Zimbra 10.1.19,” July 7, 2026; Zimbra 10.1.19 release notes; SecurityWeek, “Zimbra Patches Critical Code Execution Vulnerability,” July 13, 2026.
New Microsoft 365 phishing kits are attacking the authorization flow and the recovery path
ReliaQuest researchers documented two phishing toolkits, Jalisco and OmegaLord, targeting Microsoft 365 accounts. The kits take different approaches, but both are designed to retain effectiveness in environments protected by conventional multifactor authentication.
Jalisco abuses Microsoft’s OAuth device-authorization flow. The attacker generates a legitimate device code and convinces the victim to enter it on Microsoft’s real authentication page. The victim may complete multifactor authentication successfully, but the resulting access is granted to the attacker-controlled device that initiated the request.
The toolkit can generate fresh codes when the victim reaches the lure, reducing the defensive value of the codes’ short expiration period. The result is token-based account access without requiring the attacker to capture the victim’s password or multifactor code directly.
OmegaLord presents a fake PDF-reading workflow that collects the victim’s email address, password, and associated telephone number. ReliaQuest assessed that the additional phone information could help an attacker intercept or hijack multifactor requests or codes. The available reporting does not establish that OmegaLord contains a specific SIM-swapping or telecommunications-interception mechanism.
Defenders should restrict or disable device-code authentication where it is not operationally required, reduce the number of devices users can register, and monitor device-code sign-ins, unfamiliar device registrations, new OAuth grants, unusual token use, and rapid SharePoint or mailbox access after authentication.
Watch for: Wider criminal adoption of Jalisco and OmegaLord, followed by changes from Microsoft that constrain device-code authorization in high-risk enterprise tenants.
Sources: ReliaQuest analysis of the Jalisco and OmegaLord phishing toolkits, July 2026; BleepingComputer, “New Phishing Kits Target Microsoft 365 Accounts, Evade MFA,” July 14, 2026; FBI public-service announcement, “Kali365 Phishing-as-a-Service Kit Hijacks Microsoft 365 Access Tokens,” May 21, 2026.
Washington is shifting ransomware pressure from brands to the criminal service layer
The U.S. Treasury Department sanctioned the VPN provider 1VPNS, its administrator Dmytro Rashevskyi, and malware-cryptor seller Yegeniy Silayev on July 13. Treasury said ransomware groups used 1VPNS infrastructure to conceal their origins, deploy malware, and manage stolen data during attacks against American businesses, financial institutions, hospitals, and municipal governments.
The FBI said at least twenty-five ransomware groups used the service, including Avaddon. European law-enforcement agencies seized infrastructure associated with 1VPNS in May with support from the FBI and other international partners.
The FBI described that action as part of Operation Riptide, its continuing campaign against the actors, infrastructure, and financial networks behind cyber-enabled crime. Operation Riptide is the broader FBI campaign, not necessarily the individual codename for the European seizure. The previously cited name “Operation Saffron” was incorrect and should not be used.
Silayev allegedly sold cryptor services that modify ransomware and other malware to reduce detection by security products. This placed him in the service layer that allows multiple criminal groups to operate without building every component of an intrusion themselves.
The strategic significance is larger than one VPN provider. Ransomware brands are disposable: crews dissolve, rename themselves, or replace a leak site while retaining many of the same operators and suppliers. Infrastructure brokers, cryptor sellers, access vendors, hosting providers, and laundering networks serve multiple groups at once. Disrupting those shared dependencies can impose costs across several operations simultaneously.
The likely result is displacement rather than elimination. Former 1VPNS customers will seek replacement infrastructure, but forced migration consumes time, money, trust, and operational security. Repeated pressure on the service layer can make ransomware activity more expensive and less reliable even when individual crews remain active.
Watch for: Additional sanctions or seizures targeting related hosting companies, payment channels, cryptor services, and replacement infrastructure adopted by former 1VPNS customers.
Sources: U.S. Treasury, “Treasury Sanctions Malware and Infrastructure Providers Supporting Ransomware Attacks Against Americans,” July 13, 2026; FBI Boston, “International Takedown of First VPN Service Used by Ransomware Actors,” June 9, 2026; FBI FLASH, “First VPN Services Infrastructure Linked to Ransomware Groups,” May 21, 2026.
Search Tags: npm supply chain, CISA KEV, ShareFile, Russian cyber operations, VMware Avi, RabbitMQ, cloud identity, ransomware infrastructure
Jonathan Lockhart is a cybersecurity researcher and investigative journalist at bordercybergroup.com.
If you would like to support our work — useful, well-researched, ad-free cybersecurity intelligence — subscribe, comment, or buy us a coffee! Thanks.
Member discussion: