Cybersecurity Daily Briefing: July 09, 2026

Coverage: Last 24 hours

Today’s Highlights

Rapid innovation in AI coding agents and supply chain tools has created new blind spots for defenders: previously trusted channels are now being leveraged for initial access and social engineering, while legacy controls are proving insufficient to catch advanced threats and commodity malware alike. Organizations face heightened risks from flaws in software supply chains, vulnerability markets operated by convicted criminals, abuse of public media by generative AI, and advanced phishing campaigns that bypass traditional controls. Prioritizing patching, reviewing the integrity of automated code validation, and strengthening controls for AI-powered toolchains are key themes for today.

Table of Contents

  1. Felons, Fraudsters Flog Offensive Cybersecurity Startup
  2. Chrome 150 Update Patches 27 Vulnerabilities
  3. Fake 7-Zip Installers Turn Devices Into Residential Proxy Nodes
  4. SCMBANKER Malware Uses ClickFix Lures to Target Mexican Banking Users
  5. GitHub ‘Verified’ Commits Can Be Rewritten Into New Hashes Without Breaking Signatures

Top Stories


Felons, Fraudsters Flog Offensive Cybersecurity Startup

Source: Krebs on Security | Risk: High | Impacted: Security research vendors, Bug bounty platforms, Organizations purchasing research or exploits

Summary: A cybersecurity startup dangling millions of dollars to acquire zero-day security vulnerabilities in popular software is run by a pair of far-right conspiracy theorists and convicted felons whose most recent ventures included fake intelligence companies and a now-defunct AI-based lobbying platform they operated under assumed names.

Why it matters: Organizations participating in zero-day programs could inadvertently further criminal groups’ access to offensive vulnerability research, increasing risk of both targeted and widespread exploitation.

Practitioner Perspective

Any engagement with crowdsourced vulnerability markets or bug bounty platforms should require thorough diligence, including legal review, on both vendors and brokers. This story highlights how malicious actors can position themselves as legitimate buyers, creating downstream supply chain risk for defenders. Assume adversaries are pursuing the same zero-days as trusted partners; keep red team knowledge and procurement tightly compartmented and audit procurement processes for abuse. Challenge any vendor provenance, especially where prior fraud or criminal histories emerge.

Recommended Actions

  • Conduct legal and reputational due diligence on any zero-day broker or offensive security vendor before engagement
  • Implement internal controls on sourcing and procurement of vulnerability research

Chrome 150 Update Patches 27 Vulnerabilities

Source: SecurityWeek | Risk: Critical | Impacted: All managed Chrome endpoint fleets, Users with browser auto-updates disabled, Web-facing desktop infrastructure

Summary: The security refresh resolves 13 use-after-free bugs, including two critical-severity flaws found by Google. The post Chrome 150 Update Patches 27 Vulnerabilities appeared first on SecurityWeek.

Why it matters: Delaying deployment of Chrome 150 exposes endpoints to active exploitation, as multiple critical-severity use-after-free flaws are now public and may be rapidly adopted into exploit kits.

Practitioner Perspective

All enterprise Windows, Mac, and Linux fleets using Chrome must prioritize this patch: Google has issued fixes for 27 vulnerabilities, including two critical use-after-free bugs that have broad exploitation potential. Attackers frequently weaponize recent Chrome bugs for drive-by compromise and initial access. Legacy browser update delays and exceptions now carry heightened risk as web exploitation chains continue to target browsers as the primary endpoint entry vector. Automated patching and real-time fleet compliance monitoring should be considered non-negotiable standards for browser management.

Recommended Actions

  • Push Chrome 150 update to all managed Windows, macOS, and Linux endpoints and validate with inventory tools
  • Monitor fleet for Chrome versions prior to 150 and escalate patch lags as incidents

Emerging Signals


Fake 7-Zip Installers Turn Devices Into Residential Proxy Nodes

Source: The Hacker News | Risk: High | Impacted: Any organization allowing unmanaged software installs, Endpoints lacking software allowlisting, Environments with remote staff

Summary: Cybersecurity researchers have disclosed details of a new threat actor dubbed Lurking Lizard that has been operating an end-to-end malicious residential proxy business using an infrastructure comprising more than 230 lookalike domains. The activity dates back to at least August 2022, according to DNS threat intelligence firm Infoblox. Once such campaign, observed earlier this year, involved the

Why it matters: Fake installer campaigns using widely trusted utilities like 7-Zip are converting endpoints into residential proxy nodes, opening internal networks to criminal traffic and persistent access.

Practitioner Perspective

Organizations are at risk when staff download 7-Zip or similar software from search engine ads or unofficial sources; Lurking Lizard has established a large, durable infrastructure to serve weaponized installers. These proxy node infections are difficult to detect, as they often operate silently in the background and are designed to blend in with normal internet activity. Enterprises lacking software whitelisting or relying solely on user awareness are especially vulnerable. This technique often bypasses legacy network monitoring controls, so defenders should move quickly to block suspicious domains and enforce signed installer policies.

Recommended Actions

  • Add all reported Lurking Lizard lookalike domains from Infoblox research to DNS and web filter blocklists
  • Deploy software allowlisting to restrict installations to trusted sources for 7-Zip and similar software

SCMBANKER Malware Uses ClickFix Lures to Target Mexican Banking Users

Source: The Hacker News | Risk: High | Impacted: Mexican banking customers, Fintech and crypto services in Mexico, Fraud and anti-abuse teams in LATAM

Summary: A new banking fraudulent operation is targeting customers of Mexican banks, fintech, payment processors, and cryptocurrency exchanges using ClickFix lures. The activity cluster, tracked by Elastic Security Labs under the moniker REF6045, involves infecting victims through fake CAPTCHA verification pages that deceive them into running a malicious command that installs a PowerShell toolkit dubbed

Why it matters: Targeted malware embedded in fake CAPTCHA verification steps is infecting banking and fintech users in Mexico, leading to credential theft through novel PowerShell-based toolkits.

Practitioner Perspective

Mexican banks, payment and crypto platforms face growing attacks from REF6045 leveraging SCMBANKER and ClickFix-themed lures. These social engineering campaigns are diversifying, using fake verification workflows to convince users to run malicious commands. The abuse of PowerShell for infection increases persistence and blends in with legitimate IT activity. Users accustomed to cloud authentication flows are especially vulnerable. Defenders supporting financial orgs in LATAM should rapidly review web and comms workflows and investigate infection evidence across customer accounts.

Recommended Actions

  • Block distribution infrastructure for SCMBANKER and ClickFix-themed lures at email and web gateways
  • Hunt for PowerShell-based malware in endpoint logs tied to Mexican financial and crypto services

GitHub ‘Verified’ Commits Can Be Rewritten Into New Hashes Without Breaking Signatures

Source: The Hacker News | Risk: High | Impacted: Software supply chain validators, Organizations using GitHub-verified commits as trust anchors, Developers and DevSecOps teams

Summary: New research shows that a signed Git commit’s hash is not the one-of-a-kind name that much of the software world assumes it to be. Given any signed commit, someone without the signing key can mint a second commit with the same files, author, and date, and a valid signature, GitHub still stamps “Verified.” Everything a reviewer would check matches. The

Why it matters: A signer can create two commits with different hashes but identical code, author, and signature status: this undermines trust in ‘verified’ labels on GitHub and increases risk for targeted supply chain attacks.

Practitioner Perspective

The assumption that GitHub’s ‘Verified’ badge ensures one-to-one code/reviewer trust is now invalid. Attackers with access to signed commit workflows could create alternate commit histories with different hashes but matching verified signatures, tricking both humans and automation into trusting malicious code. This opens a path to subtle supply chain compromises across any ecosystem relying on GitHub signature verification. Defenders should urgently reevaluate trust models and push for explicit code review or cryptographic integrity checks beyond GitHub automated verification.

Recommended Actions

  • Rely on independent cryptographic checks (e.g., reproducible builds or hash pinning), do not trust GitHub ‘Verified’ commit status alone for supply chain validation
  • Audit CI/CD pipelines and dependency workflows for over-reliance on GitHub signature verification

Exploits & CVEs

No stories for Exploits & CVEs in this briefing.

Defensive Actions

  • Deploy Ubiquiti patches for CVE-2026-50746 and related critical UniFi OS, Connect, Talk, Access, and Protect vulnerabilities across all instances
  • Hunt for post-exploitation activity on UniFi management interfaces and logs since product release
  • Update vulnerability scanning coverage for Ubiquiti device versions supporting recent advisories
  • Restrict external access to UniFi management portals until patching is complete
  • Push Chrome 150 update to all managed Windows, macOS, and Linux endpoints and validate with inventory tools
  • Monitor fleet for Chrome versions prior to 150 and escalate patch lags as incidents
  • Rely on independent cryptographic checks for supply chain validation; do not trust GitHub ‘Verified’ commit status alone
  • Add all reported Lurking Lizard lookalike domains to DNS and web filter blocklists
  • Block distribution infrastructure for SCMBANKER and ClickFix-themed lures at email and web gateways
  • Audit CI/CD pipelines for over-reliance on GitHub signature verification

What We’re Watching

  • Ongoing weaponization of browser and code supply chain vulnerabilities
  • Expansion of AI-driven and social engineering attack techniques
  • Shifts in attacker focus from human-driven spear phishing to automated, in-browser payload delivery
  • The impact of AI-generated content and media manipulation on security awareness training and incident response
  • Vendor responses to newly disclosed risks in signed code validation workflows


Categories: Cybersecurity Blog, Cybersecurity News

Tags: , , , , , ,

Leave a comment