Saturday, July 18, 2026 | Jonathan Lockhart
A public exploit raises the urgency of WordPress’s emergency security release
WordPress released emergency updates Friday for an unauthenticated remote-code-execution chain in WordPress core. The issue, commonly called wp2shell, affects ordinary installations without requiring a vulnerable plugin, a user account, or interaction from an administrator.
The chain combines CVE-2026-63030, a REST API batch-route confusion flaw, with CVE-2026-60137, a SQL injection issue in WordPress query handling. The distinction matters: the SQL injection supplies the underlying attack primitive, while the route-confusion flaw makes the combined chain reachable through an anonymous request.
WordPress 6.9.0 through 6.9.4 and 7.0.0 through 7.0.1 are exposed to the complete code-execution chain. WordPress 6.8.0 through 6.8.5 is affected by the SQL injection but is not listed as vulnerable to the complete unauthenticated chain.
Fixed releases are WordPress 6.8.6, 6.9.5, and 7.0.2, with the beta branch fixed in 7.1 Beta 2. WordPress enabled forced automatic updates because of the severity, but administrators should verify the installed version rather than assume the update succeeded. A working proof of concept is now public. BCG found no reliable confirmation of exploitation in the wild as of publication.
Defenders should also inspect recent REST API traffic and verify site integrity. A successful attack would affect the server, not merely the WordPress application, so unexpected administrator accounts, modified PHP files, unfamiliar plugins, scheduled tasks, and outbound connections all matter.
Watch for: Scanning, first-stage web shells, or a CISA Known Exploited Vulnerabilities addition would move wp2shell from an urgent exposure problem to a presumed incident risk for unpatched sites.
Sources: WordPress 7.0.2 security release, July 17, 2026; GitHub Security Advisories GHSA-ff9f-jf42-662q and GHSA-fpp7-x2x2-2mjf, July 17, 2026; Searchlight Cyber, “wp2shell: Pre Authentication RCE in WordPress Core,” July 18, 2026; Rapid7 Labs analysis of CVE-2026-63030, July 17, 2026.
CISA confirms attackers are exploiting two FortiSandbox command-injection flaws
CISA has added CVE-2026-39808 and CVE-2026-25089 to its Known Exploited Vulnerabilities Catalog after confirming exploitation of both vulnerabilities in Fortinet’s FortiSandbox malware-analysis platform. Federal civilian agencies have until July 19 to remediate affected systems.
Both flaws allow an unauthenticated attacker to execute commands through crafted HTTP requests. CVE-2026-39808 affects FortiSandbox 4.4.0 through 4.4.8 and is fixed in 4.4.9. CVE-2026-25089 affects FortiSandbox 4.4.0 through 4.4.8 and 5.0.0 through 5.0.5, with corresponding cloud and platform-as-a-service versions also affected. The fixes are 4.4.9 and 5.0.6.
Threat-intelligence provider Defused reported observing exploitation in June, although it characterized at least one circulating exploit attempt as potentially faulty. CISA’s decision independently establishes that real exploitation has occurred, even though Fortinet’s advisory pages still listed the vulnerabilities as not known to be exploited when checked.
FortiSandbox is itself a privileged security platform. A compromise can expose submitted files, malware samples, network configuration, integration credentials, and connections to other security infrastructure. Administrators should upgrade, review management-interface access, preserve relevant web and system logs, and examine the appliance for configuration changes or unfamiliar outbound traffic.
Watch for: Disclosure of the exploitation chain, victimology, or post-compromise activity would show whether attackers are using FortiSandbox primarily for initial access, intelligence collection, or movement into connected security systems.
Sources: CISA Known Exploited Vulnerabilities Catalog entries for CVE-2026-39808 and CVE-2026-25089, July 16, 2026; Fortinet advisories FG-IR-26-100 and FG-IR-26-141; Defused exploitation observations, June 16, 2026.
The DigiCert breach has now been linked to a long-running Chinese cybercrime operation
Expel has attributed the April compromise of DigiCert support systems to CylindricalCanine, a subgroup of the Chinese cybercrime cluster GoldenEyeDog. Expel assesses that the group operates malware it calls Golden Gh0st Loader and Golden Gh0st RAT and has used stolen code-signing certificates to help malicious software pass reputation checks.
DigiCert’s incident report shows how the attack crossed from ordinary support activity into the certificate trust system. An attacker sent ZIP files disguised as customer screenshots through a support channel. One analyst’s endpoint was contained, but a second compromised endpoint had a missing or malfunctioning endpoint-detection sensor. Access inherited through that machine allowed the attacker to view initialization codes for pending Extended Validation code-signing orders.
DigiCert revoked 60 potentially affected certificates, 27 of which were explicitly linked to the attacker. Some had already been used to sign malware previously identified as Zhong Stealer. DigiCert found no misuse of other certificate types and subsequently masked initialization codes, tightened multifactor authentication, and restricted support-channel file handling.
The broader lesson is that certificate issuance was reached through a support workstation and an internal portal function, not through a direct attack on a hardware security module. Systems with an indirect path to issuing or activating credentials are control-plane systems, regardless of how they were originally classified.
Watch for: Additional certificate authorities identifying the same malware or operator would indicate that CylindricalCanine is systematically targeting code-signing workflows rather than exploiting a single provider.
Sources: Expel, “Introducing CylindricalCanine: The GoldenEyeDog subgroup responsible for the April DigiCert incident,” July 16, 2026; DigiCert full incident report in Mozilla Bugzilla issue 2033170; community certificate-abuse reporting cited in the DigiCert investigation.
NadMesh is turning exposed AI services into a route toward cloud credentials
Qi’anxin XLab reported Friday that it has been tracking a Go-based botnet called NadMesh since early July. The botnet combines internet scanning, exploitation, credential harvesting, persistence, and propagation, with exposed artificial-intelligence services deliberately placed near the top of its target queue.
NadMesh searches for ComfyUI, Ollama, n8n, Open WebUI, Langflow, and Gradio deployments while also probing Docker, Kubernetes, Redis, Elasticsearch, Jenkins, Webmin, and other administration services. Its controller contains more than 20 exploitation paths, ranging from unprotected container APIs and weak credentials to callable Model Context Protocol tools that expose command or database execution.
Once inside, the malware searches environment variables and configuration files for cloud access keys, Kubernetes service-account tokens, Docker credentials, model access, and available AI tools. It establishes overlapping persistence through SSH authorized keys, hidden files, and cron watchdogs. Removing only the visible agent may therefore leave the system reinfectable.
XLab’s findings are based on detailed analysis of the controller and malware code, but independently verified infection totals remain limited. Defenders should nevertheless treat unauthenticated AI interfaces as internet-facing administrative services. Exposed deployments should be isolated, access-controlled, and reviewed for stolen credentials as well as local malware.
Watch for: Independent telemetry confirming successful NadMesh infections—and showing which exploitation paths work most often—would clarify whether the botnet is already operating at scale or remains in an early deployment phase.
Sources: Qi’anxin XLab, “NadMesh Botnet Analysis: A Product-Grade Threat for the AI Service Era,” July 17, 2026; related NadMesh technical reporting by The Hacker News, July 17, 2026.
GoSerpent gave an espionage operator months to collect and stage government documents
Kaspersky has documented a previously undisclosed espionage operation targeting government and diplomatic organizations in Southeast Asia. Researchers discovered the activity in February 2026, determined that the current campaign had been active since late 2025, and found older GoSerpent samples dating to 2021.
GoSerpent is a Go-based remote-access and proxy tool capable of opening shells, transferring files, forwarding ports, and turning infected systems into SOCKS5 proxies. Operators used it to deploy credential-dumping tools and a malicious Windows service called ThumbcacheService, which collects documents, spreadsheets, PDFs, and even selected files from the Recycle Bin.
The operation was deliberately patient. Collected material was staged locally for weeks while the attackers obtained credentials. In May, they returned with the Stowaway tunneling tool and a separate in-memory payload that used network-share credentials to remove the archived data.
Kaspersky has not made a firm attribution. It identified possible similarities to TetrisPhantom but said more evidence is required. That distinction matters: the target selection and long-term intelligence collection are consistent with espionage, but they do not by themselves establish a government sponsor.
Watch for: A confirmed initial-access method or stronger attribution would determine whether regional defenders should concentrate on a shared external vulnerability, targeted phishing, or an already-compromised technology provider.
Sources: Kaspersky Global Research and Analysis Team, “GoSerpent: A persistent threat evolves with sophisticated data collection and exfiltration,” July 16, 2026; Kaspersky indicators-of-compromise appendix.
North Korean operators hid malware across the flag images in a coding challenge
Elastic Security Labs disclosed Saturday that a North Korea-aligned Contagious Interview campaign is distributing backdoored coding projects through fake job offers. Elastic discovered the activity after a supposed recruiter posted in its community Slack workspace and moved interested developers into private conversations.
The offered coding challenge was a functioning e-commerce project. Malicious data was divided into Base64 fragments and hidden inside comments across ordinary SVG country-flag images. A JavaScript file collected the images alphabetically, reconstructed the payload, and executed it when the developer started the server.
The resulting toolkit shares infrastructure and behavioral similarities with OtterCookie. It steals browser credentials, cryptocurrency-wallet data, local files, and clipboard contents while installing a Socket.IO remote-access backdoor. Elastic said the trojanized repositories it collected had no antivirus detections at the time of analysis.
This is not simply another malicious attachment campaign. Developers routinely execute unfamiliar dependencies and demonstration code as part of interviews and contract work, often on machines holding source repositories, signing keys, cloud credentials, and production access. Coding tests from unknown parties should be opened only inside isolated, disposable environments.
Watch for: Reuse of the same SVG-fragment technique in public repositories or package registries would indicate that the campaign is expanding beyond direct recruiter-to-developer contact.
Sources: Elastic Security Labs, “New North Korean campaign uses fake coding interviews to steal developer credentials,” July 18, 2026; Elastic REF9403 indicators and detection guidance; earlier Microsoft, NTT Security, and JFrog reporting on Contagious Interview and OtterCookie.
Abbott confirms two investigations but disputes the attackers’ most serious claims
Abbott Laboratories confirmed Friday that it is investigating unauthorized access involving a limited number of systems in its Cancer Diagnostics business. Abbott said the affected legacy Exact Sciences environment is separate from its wider systems and that manufacturing, laboratory operations, product availability, and patient services were not disrupted.
The ShinyHunters extortion group claims it obtained access through voice phishing that compromised a Microsoft Entra single-sign-on account. It has made extensive claims about stolen customer and medical information, but those claims have not been independently verified. Abbott has not confirmed the asserted access method or the claimed volume and sensitivity of the data.
A second actor separately claimed to have accessed Abbott’s externally hosted LabCentral portal using compromised customer credentials. Abbott said the portal contains public product-reference material—including operating manuals, troubleshooting checklists, and specifications—and denied that it contains sensitive customer or proprietary business information.
The two investigations should not be merged without evidence. What is confirmed is unauthorized access to the Cancer Diagnostics environment and Abbott’s investigation of the separate LabCentral claim. The amount of sensitive data obtained, the exact access paths, and any relationship between the actors remain unresolved.
Watch for: Regulatory notifications, validated data samples, or Abbott confirmation of identity-system compromise would materially change the current assessment of both scope and patient-data exposure.
Sources: Abbott public cyber-incident statements, July 17, 2026; Reuters, “Abbott investigates two separate cyber incidents, says no operations affected,” July 17, 2026; BleepingComputer reporting on the ShinyHunters and ShadowByt3$ claims, July 17, 2026.
An 11-byte TLS message can leave unpatched OpenSSL servers starved of memory
Okta’s Red Team has disclosed HollowByte, an unauthenticated denial-of-service weakness in older OpenSSL releases. A malicious TLS message as small as 11 bytes can declare a much larger body, causing OpenSSL to allocate memory before the body has actually arrived and then leave a worker waiting for data that never comes.
The individual allocation can reach roughly 131 kilobytes. Repeated connections can hold worker threads and fragment memory, causing the process’s resident memory use to keep growing even after connections close. Okta demonstrated the effect against NGINX and found that ordinary connection limits did not necessarily stop the attack.
OpenSSL silently shipped the repair in June as a hardening change. There was no CVE, security advisory, or changelog entry identifying the security impact. That means vulnerability scanners and patch systems looking for a CVE or conventional vendor bulletin may not identify an exposed installation.
The fix appears in OpenSSL 4.0.1 and was backported to 3.6.3, 3.5.7, 3.4.6, and 3.0.21. Systems using distribution packages may receive the repair under different package versions, so administrators should verify the vendor backport and restart affected processes rather than rely on a clean vulnerability scan.
Not every application linked to OpenSSL will be equally exposed; the practical effect depends on how it accepts TLS connections and manages processes and memory. Internet-facing web servers, proxies, databases, and language runtimes deserve priority review.
Watch for: A formal OpenSSL advisory, CVE assignment, scanner coverage, or independent exploitation telemetry would establish whether HollowByte remains a quiet hardening issue or becomes a practical denial-of-service technique.
Sources: Okta Red Team, “OpenSSL HollowByte: A DoS Hiding in 11 Bytes,” July 16, 2026; OpenSSL pull requests 30792, 30793, and 30794; OpenSSL releases 4.0.1, 3.6.3, 3.5.7, 3.4.6, and 3.0.21.
ClickFix campaigns are stealing live browser sessions and synchronized work files
Microsoft reported Thursday that it observed increased ACR Stealer activity across customer environments from late April through mid-June. The campaigns use ClickFix prompts that persuade users to paste and run attacker-supplied commands, avoiding the need to exploit a software vulnerability.
Microsoft documented two delivery chains. One uses WebDAV-hosted files, Rundll32, obfuscated PowerShell, Python loaders, scheduled-task persistence, and sometimes blockchain-based command-and-control resolution. The second uses MSHTA, PowerShell, steganography, and in-memory execution.
Both chains ultimately target saved browser passwords, session tokens, authentication artifacts, PDFs, Microsoft 365 documents, and files synchronized through OneDrive or SharePoint. Stolen session material may give an attacker access beyond the infected endpoint, especially when cloud sessions are not explicitly revoked during remediation.
An ACR Stealer infection should therefore trigger more than malware removal. Responders should invalidate active sessions, rotate credentials stored or used on the endpoint, review cloud sign-ins and downloads, and determine what synchronized corporate data was locally available.
Watch for: Evidence that operators are using the stolen sessions for follow-on cloud intrusion would show whether ACR Stealer is functioning primarily as an infostealer or as an access pipeline for broader enterprise compromise.
Sources: Microsoft Defender Experts, “ACR Stealer: Two observed intrusion chains amid increased threat activity,” July 16, 2026; Microsoft detection and hunting guidance accompanying the report.
SuccessKey used seven fake Vite packages to deliver a remote-access trojan
Checkmarx has identified seven malicious npm packages targeting developers who use the Vite frontend build ecosystem. The operation, called ViteVenom, used scoped names that resembled the legitimate @vitejs and @vitest namespaces, making the packages look more credible during a quick dependency review.
Checkmarx attributes ViteVenom to the SuccessKey activity cluster, which it also connects to the earlier ChainVeil campaign. The assessment is based on shared blockchain wallets, encryption material, command infrastructure, deployment tooling, and an identical final remote-access trojan. Checkmarx expressed high confidence in the operational link, although shared infrastructure cannot be ruled out entirely without identity-level evidence.
The seven packages contained nine malicious versions published between approximately June 29 and July 3. Checkmarx recorded 2,420 combined downloads, but download counts include automated and nonhuman activity and should not be treated as 2,420 confirmed infections.
The malware resolved command-and-control instructions through a four-tier system spanning the Tron, Aptos, and Binance Smart Chain networks before delivering a remote-access trojan capable of credential theft, file exfiltration, command execution, and persistence.
The packages have been removed, but the underlying infrastructure remained online when Checkmarx published its report. Organizations should search lockfiles and dependency caches for @uw010010/vite-tree, @vite-tab/tab, @vite-ln/build-ts, @vite-mcp/vite-type, @vite-pro/vite-ui, @vitets/vite-ts, and @vite-ts/vite-ui. An identified installation should be treated as a workstation or build-system compromise.
Watch for: New package clusters resolving through SuccessKey’s existing blockchain wallets or command servers would confirm that removing individual npm packages is interrupting delivery without dismantling the operation.
Sources: Checkmarx Zero, “Sequel to ChainVeil npm Malware Targets Vite Ecosystem,” July 14, 2026; Checkmarx ViteVenom attribution, package, version, infrastructure, and remediation appendix; npm package-removal records.
Search Tags: WordPress, FortiSandbox, NadMesh, DigiCert, GoSerpent, North Korean hackers, OpenSSL, software supply chain
Introduction: Today, we examine how trust breaks at the edges—from a public WordPress exploit and compromised security platforms to stolen signing credentials, exposed AI services, and developers targeted through the code itself.
Jonathan Lockhart is a cybersecurity researcher and investigative journalist at bordercybergroup.com.
If you would like to support our work — useful, well-researched, ad-free cybersecurity intelligence — subscribe, comment, or buy us a coffee! Thanks.
Member discussion: