Vulnerabilities
- Seven FatFs Bugs, One Very Large Blast Radius
"Heads up! If you ship firmware that touches FAT media (think any removable storage, like USB drives and SDCards), you'll want to pay attention to this post. This work was part of runZero's research into long-tail supply chain bug hunting using LLMs. We live in the future! Today, we're publishing seven CVEs documenting several vulnerabilities in FatFs project, ranging from CVSS Medium to High (no Criticals, phew!). The affected ecosystem includes some major non-hobby platforms like Espressif ESP-IDF, STMicroelectronics STM32Cube middleware, Zephyr RTOS, MicroPython, ArduPilot, RT-Thread, Mbed, Samsung TizenRT, and SWUpdate, with downstream reach into consumer IoT, industrial controllers, drones, crypto wallets, and more."
https://www.runzero.com/blog/fatfs-bugs/
https://thehackernews.com/2026/07/unpatched-flaws-disclosed-in-filesystem.html - New "Bad Epoll" Linux Kernel Flaw Lets Unprivileged Users Gain Root, Hits Android
"A newly disclosed Linux kernel flaw called Bad Epoll (CVE-2026-46242) lets an ordinary user with no special access take full control of a machine as root. It affects Linux desktops, servers, and Android, and a fix is out. Bad Epoll sits in the same small stretch of kernel code where Anthropic's most powerful AI model, Mythos, recently found a different bug. The AI caught one flaw and missed this one. A researcher, Jaeyoung Chung, found it and built a working attack."
https://thehackernews.com/2026/07/new-bad-epoll-linux-kernel-flaw-lets.html
https://github.com/J-jaeyoung/bad-epoll - New ClamAV Security Patch Closes Seven Scanner Bugs Dating Back Two Decades
"Open source antivirus scanning sits inside mail gateways, file upload checks, and endpoint tooling at organizations of every size. Much of that work runs through ClamAV, the scanning engine maintained by Cisco’s Talos group. The project released two patch versions, 1.5.3 and 1.4.5, carrying fixes for seven security flaws along with smaller hardening changes."
https://www.helpnetsecurity.com/2026/07/06/clamav-security-patch-versions/
Malware
- Espionage Against The European Parliament: Member Of Committee Investigating Spyware Hacked With Pegasus
"We found that former Member of the European Parliament Stelios Kouloglou was hacked with Pegasus spyware while serving on the PEGA committee, which investigated Pegasus and other spyware abuses in Europe. Through forensic analysis of his device, we found that the attackers could have had access to confidential documents and committee deliberations."
https://citizenlab.ca/research/member-of-committee-investigating-spyware-hacked-with-pegasus/
https://thehackernews.com/2026/07/european-parliament-member.html
https://therecord.media/pegasus-spyware-european-parliament-pega-committee-member
https://www.bankinfosecurity.com/lawmaker-probing-pegasus-spyware-infected-using-same-malware-a-32153
https://cyberscoop.com/pegasus-spyware-pega-committee-member-targeted/
https://securityaffairs.com/194728/malware/pegasus-used-against-mep-investigating-pegasus-citizen-lab-finds.html - Verified X Ad Spreads Mac Malware, While ConsentFix Steals Microsoft Accounts
"Cybercriminals are finding new ways to trick people into compromising their own devices and accounts. One campaign used a sponsored ad on X to target Mac users, while another technique, dubbed ConsentFix, steals Microsoft 365 accounts without installing malware. Researchers have discovered a ClickFix-style attack running as a sponsored advertisement on X. The ad was posted from a verified account, adding an extra layer of credibility to the scam."
https://www.malwarebytes.com/blog/news/2026/07/verified-x-ad-spreads-mac-malware-while-consentfix-steals-microsoft-accounts - Armored Likho Digging a Snake Pit: Inside The Covert BusySnake Stealer Campaign
"During our routine threat monitoring, we uncovered a new phishing campaign tied to a previously unknown APT group that we dubbed Armored Likho (also known as Eagle Werewolf based on circumstantial evidence). This targeted campaign focuses heavily on government agencies and the electric power sector. The geographical footprint of these attacks spans Russia, Brazil, and Kazakhstan, establishing the group as a global threat actor."
https://securelist.com/tr/armored-likho-apt-with-busysnake-stealer/120292/
https://thehackernews.com/2026/07/armored-likho-targets-government.html - The Anatomy Of a Shadow AI Supply-Chain Breach: Lessons From The 2026 Vercel Incident
"The Vercel breach of April 2026 did not begin with a classic zero-day exploit, a misconfigured cloud bucket, or a sophisticated nation-state infrastructure implant. Instead, it unfolded when an unreviewed Artificial Intelligence (AI) tool became a trusted corporate connection without a standard enterprise security review. At first glance, the incident resembled a typical third-party software supply chain compromise. An AI tooling vendor, Context.ai, was breached via an employee account, allowing attackers to move downstream into a much larger technology provider: Vercel. However, the deeper architectural lesson lies in the relationship between the two entities. The breached tool was not part of an enterprise deployment; it was a consumer-grade browser extension self-adopted by an employee using a corporate identity."
https://securityaffairs.com/194709/hacking/the-anatomy-of-a-shadow-ai-supply-chain-breach-lessons-from-the-2026-vercel-incident.html - Vibe Coded Extortion: Avalon’s Path From Legal Lure To CrownX Ransom Capabilities
"Blackpoint’s Adversary Pursuit Group (APG) identified and analyzed a previously undocumented malware framework, now tracked as Avalon, delivered through a multi-stage phishing chain designed to evade conventional security controls. The attack began with a spoofed legal document email directing recipients to a password protected archive on Proton Drive. Malicious content was embedded inside an ISO image rather than attached directly, reducing the likelihood of detection at the email layer."
https://blackpointcyber.com/blog/avalons-path-from-legal-lure-to-crownx-ransom-capabilities/
https://thehackernews.com/2026/07/new-avalon-malware-framework-packs.html - Lazarus-Linked Npm Malware Masquerades As Rollup Polyfills
"The JFrog Security research team identified a malicious npm package cluster masquerading as Rollup polyfill tooling. The two entry packages, rollup-packages-polyfill-core and rollup-runtime-polyfill-core, imitate the naming, README content, repository metadata, and package shape of the legitimate rollup-plugin-polyfill-node project."
https://research.jfrog.com/post/rollup-polyfill-masquerading/
https://thehackernews.com/2026/07/north-korea-linked-npm-packages-mimic.html - PamStealer: a Rust-Based MacOS Infostealer That Validates Credentials Through PAM
"While reviewing results from our sample pipeline, Jamf Threat Labs identified a macOS infostealer distributed as a compiled AppleScript (.scpt) file impersonating “Maccy,” a legitimate open-source clipboard manager. We are tracking this malware under the name PamStealer after one of its core behaviors: validating the victim’s login password through the macOS Pluggable Authentication Modules (PAM) before harvesting it. PamStealer is delivered in two stages. The first is a compiled AppleScript distributed inside a disk image that downloads and stages a second-stage payload. The second is a Rust-based Mach-O infostealer responsible for credential theft, browser data collection, persistence and exfiltration. The dropper is hosted on the fake domain maccyapp[.]com, which impersonates the legitimate Maccy project."
https://www.jamf.com/blog/pamstealer-macos-infostealer-applescript-rust/
https://thehackernews.com/2026/07/pamstealer-uses-fake-maccy-sites-and.html
https://hackread.com/pamstealer-malware-macos-fake-maccy-clipboard-app/ - PolinRider: North Korea-Linked Supply Chain Campaign Expands Across Open Source Ecosystems
"PolinRider is a supply chain campaign linked to North Korean threat actors associated with the broader Contagious Interview / Famous Chollima activity cluster. Our latest findings show that the campaign has expanded beyond npm into additional open source ecosystems, with 162 malicious release artifacts identified across 108 unique packages, including compromise traces in 80 Go modules, 10 Packagist packages, and one Chrome extension. The campaign remains active, and new malicious packages are likely to continue appearing as threat actors compromise maintainer accounts, modify legitimate repositories, and publish infected package versions where they retain or obtain registry access."
https://socket.dev/blog/polinrider-north-korea-linked-supply-chain-campaign-expands
https://thehackernews.com/2026/07/north-korean-hackers-publish-108.html - FBI: TeamPCP Compromised Dev Tools To Steal Cloud Credentials
"On July 2, 2026, the FBI published a FLASH alert identifying the criminal group called TeamPCP and detailing how it compromised widely used developer and security tools to steal credentials from victim environments at scale. The targets weren’t end users. They were the tools developers trust every day inside their build pipelines. TeamPCP is behind multiple supply chain attacks, in the past, they targeted PyPI packages and NPM repositories, and most recently the “Mini Shai-Hulud” campaign also caught two OpenAI employees. The pattern is consistent: go after the tools developers trust, poison the supply chain, and let the downstream damage multiply."
https://securityaffairs.com/194741/cyber-crime/fbi-teampcp-compromised-dev-tools-to-steal-cloud-credentials.html
https://www.ic3.gov/CSA/2026/260702.pdf
Breaches/Hacks/Leaks
- AdaptHealth Says Attackers Sweet-Talked Their Way Into Cloud Systems And Stole Patient Data
"AdaptHealth says attackers used social engineering to breach its systems and steal sensitive patient data, including passwords associated with insurance billing. The medical equipment company disclosed the attack to the Securities and Exchange Commission (SEC) on Thursday, noting that attackers accessed internal patient management systems, document storage platforms, and external electronic health record system portals. The attack targeted an unwitting third-party contractor, through which the cybercriminals gained entry to the company's cloud environment, where they accessed business applications holding sensitive data."
https://www.theregister.com/security/2026/07/03/adapthealth-crooks-stole-our-passwords-patient-health-data/5266512 - Kairos Ransomware: Data-Extortion Case Study Involving a U.S. Government Entity
"A leaked negotiation transcript and payment-flow analysis of a successful $1 million ransom payment by a U.S. government body to Kairos — a data-extortion actor whose "ransomware group" status remains unverified — including fund tracing to ByBit, OKX, and BELQI exchange touchpoints."
https://ransom-isac.org/blog/kairos-ransomware-data-extortion-case-study/
https://thehackernews.com/2026/07/us-government-entity-paid-kairos-group.html
https://securityaffairs.com/194750/security/u-s-government-agency-paid-1m-to-data-extortion-group-kairos.html
General News
- Q2 2026 Attack Techniques Trend Report
"The second quarter of 2026 was marked by a notable increase in actual exploits that targeted public assets, identities, and AI stacks. The number of CISA KEV listings reached 75, an increase of approximately 27% compared to the same period in 2025. Primary targets included web and server applications, endpoints, network perimeter devices, and remote management tools, and also included vulnerabilities related to AI and the supply chain. The percentage of listings associated with ransomware rose from 8.5% In the same period of 2025 to 16.0%."
https://asec.ahnlab.com/en/94320/ - Chinese LLMs Broaden The Gap Between Attackers & Defenders
"Chinese companies released two new AI models in the past month that have pushed the boundaries of the nation's capabilities for vulnerabilities discovery and caused concerns among some cybersecurity experts. On June 13, Chinese firm Zhipu AI released an open-weight model, GLM 5.2, that subsequent testing found outperforms Anthropic's Opus and Open AI's GPT-5.5 on some bug-finding benchmarks and costs only $0.17 per vulnerability found. Two weeks later, another firm, 360 Security Technology, released a frontier-model-based security tool, Tulongfeng (aka "Dragon Saber"), that its founder touted as China's version of Mythos, claiming it had already found more than 3,400 vulnerabilities, according to a Reuters report."
https://www.darkreading.com/cyber-risk/chinese-llms-broaden-gap-between-attackers-and-defenders - Non-Interactive SSH Attacks Dominate After Login
"Anyone who runs a server with SSH exposed to the internet sees the same pattern in the logs. A steady stream of automated scanners tries to log in, hour after hour, from addresses all over the world. The common picture of what comes next has an attacker landing a shell, looking around the system, and typing commands. The reality recorded across eleven research honeypots looks almost nothing like that. Eleven SSH honeypots ran on cloud servers in Frankfurt, Germany, for fifteen days in late May and early June, in a study by researchers at the Czech Technical University in Prague. Together they logged 177,622 authenticated sessions, every one an attacker who got past the login."
https://www.helpnetsecurity.com/2026/07/03/research-non-interactive-ssh-attacks/
https://arxiv.org/pdf/2606.28006 - Organizations Struggle To Prioritize Known Cyber Risks
"Organizations collect more cyber risk data than ever, with many still struggling to build a unified view of their exposure. The latest State of Threat Management report from Filigran found that security teams continue to work across disconnected tools, leaving important context spread across multiple systems. Cloud infrastructure, on-premises environments, third-party services, vulnerability scanners, threat intelligence feeds, and attack surface management platforms all generate information about potential risk."
https://www.helpnetsecurity.com/2026/07/03/cyber-risk-exposure-report/ - Qilin Dominates Ransomware Market Amid Growing Cybercrime Consolidation
"The ransomware ecosystem is moving from fragmentation back to consolidation, with Qilin emerging as the dominant ransomware-as-a-service (RaaS) operation after the disruption of major groups including LockBit and RansomHub. Yet despite Qilin's strong position, the rapid emergence of other groups, such as The Gentlemen, demonstrates how quickly the cybercrime landscape continues to evolve. Lotem Finkelstein, VP research at Check Point, highlighted that based on the cybersecurity firm’s research in their 2026 Cyber Security Report, Qilin now holds around 16% of the cybercriminal market share."
https://www.infosecurity-magazine.com/news/qilin-dominates-ransomware-market/ - Which Industry & Country Has The Worst Email Security? An Analysis Of 5,800+ Domains For SPF, DMARC, DKIM & MTA-STS Protocols
"Every day, cybercriminals send around 3.4 billion phishing emails. 90 percent of successful cyber attacks originate from one of these emails. We analyzed the live DNS records for 5,849 domains across 13 sectors, scoring each domain on eight points based on its Sender Policy Framework (SPF), Domain-based Message Authentication, Reporting, and Conformance (DMARC), DomainKeys Identified Mail (DKIM), and Mail Transfer Agent Strict Transport Security (MTA-STS)."
https://www.comparitech.com/news/which-industry-country-has-the-worst-email-security-an-analysis-of-5800-domains-for-spf-dmarc-dkim-mta-sts-protocols/
https://securityaffairs.com/194677/security/government-and-healthcare-are-the-weakest-links-in-global-email-security.html
อ้างอิง
Electronic Transactions Development Agency (ETDA) 






(CTU) researchers investigated two interconnected threat groups known as Vect and TeamPCP. The two groups announced a formal operational partnership in late March 2026 to combine TeamPCP’s credential harvesting and data theft capabilities with Vect’s ransomware deployment infrastructure in a widespread campaign involving supply chain attacks and the extortion of multiple organizations."







