
Coverage: Last 72 hours
Today’s Highlights
Attackers continue to exploit software supply chains, misconfigurations, and exposed edge applications. Active threats span phishing targeting M365, compromised npm packages delivering infostealers, zero-days in web applications, and coordinated espionage operations against sensitive institutions. Defenders must prioritize rapid incident response for supply chain compromise, harden all internet-facing assets, and stay closely aligned with vendor updates covering actively exploited vulnerabilities.
Table of Contents
- Progress Prompts ShareFile Storage Zone Controller Shutdown Amid Security Concerns
- Centers Laboratory Data Breach Affects 540,000 Individuals
- iCagenda and Balbooa Forms Joomla Flaws Reportedly Exploited as Zero-Days
- Misconfigured Server Reveals Three Evilginx Phishing Operations Targeting Microsoft 365
- Compromised jscrambler 8.14.0 npm Release Drops Rust Infostealer During Install
- URGENT – Progress Tells ShareFile Customers to Shut Down Storage Zone Controllers Over Security Threat
- Injective Labs GitHub Compromise Pushes Wallet-Key-Stealing npm Packages
- Six New U-Boot Flaws Could Let Malicious Images Crash Devices or Run Code at Boot
- Laser Attack Resets Tangem Wallet Passwords on Cards That Can’t Be Patched
Top Stories
Progress Prompts ShareFile Storage Zone Controller Shutdown Amid Security Concerns
Source: SecurityWeek | Risk: Critical | Impacted: ShareFile Storage Zone Controller operators, Healthcare, legal, and financial file transfer teams, Organizations with heavy Progress Software use
Summary: The company notified customers to manually shut down their servers while it is investigating a credible threat. The post Progress Prompts ShareFile Storage Zone Controller Shutdown Amid Security Concerns appeared first on SecurityWeek.
Why it matters: Organizations relying on Progress ShareFile for regulated or critical business workflows face immediate service disruption and potential investigative gaps while the root cause of the security threat remains unresolved.
Practitioner Perspective
Vendors instructing customers to manually shut down ShareFile Storage Zone Controllers reflects a severe enough risk that business functions must take a back seat to containment. This disruption can impact compliance deadlines, user file access, and downstream applications, so operations and security teams should prepare clear communications and documented outage management steps. While the threat specifics are still confidential, previous ShareFile vulnerabilities have been leveraged in high-profile attacks, so assume active exploitation as the default stance. The priority is system isolation and readiness to patch and recover on vendor signal.
Recommended Actions
- Confirm manual shutdown of all ShareFile Storage Zone Controllers per vendor guidance
- Document affected business processes and alert users to data access impacts
- Monitor official Progress channels for confirmed remediation steps before restoring service
- Preserve relevant logs and forensic evidence for potential post-mortem
Centers Laboratory Data Breach Affects 540,000 Individuals
Source: SecurityWeek | Risk: High | Impacted: Healthcare providers managing patient records, Incident response and legal teams in healthcare sector, Individuals whose data was held by Centers Laboratory
Summary: The WorldLeaks extortion group claimed to have stolen 720 GB of data from the healthcare testing and laboratory services provider. The post Centers Laboratory Data Breach Affects 540,000 Individuals appeared first on SecurityWeek.
Why it matters: Extortion-motivated data breaches targeting healthcare organizations can trigger regulatory scrutiny, reputational damage, and downstream fraud against impacted individuals.
Practitioner Perspective
The Centers Laboratory breach attributed to the WorldLeaks extortion group affected over half a million individuals and included exfiltration of hundreds of gigabytes of potentially sensitive data. Healthcare entities are again facing complex decisions on notification, support for impacted patients, and legal exposure to regulatory fines and class action. Defenders must focus on incident containment, rapid communication, and tightening controls on sensitive data aggregation and external exposure points. Your breach response process should explicitly anticipate extortion-motivated adversaries able to target follow-on fraud and identity theft.
Recommended Actions
- Engage legal and compliance teams to determine breach notification and regulatory requirements
- Contact affected individuals and provide clear guidance on identity monitoring and fraud response
- Initiate credential resets and increased monitoring for lateral movement in healthcare IT environments
- Preserve and review logs for evidence of WorldLeaks operational TTPs
Emerging Signals
Misconfigured Server Reveals Three Evilginx Phishing Operations Targeting Microsoft 365
Source: The Hacker News | Risk: High | Impacted: Microsoft 365 tenants, Security operations teams, Organizations relying on browser-based MFA
Summary: An attacker running a live Microsoft 365 phishing operation left a Python web server listening on a public port with directory listing switched on. The command that did it: python3 -m http.server 8080, was still sitting in the readable .bash_history. From that one lapse, French security firm Lexfo lifted the operator’s entire toolkit and pivoted through it to two more.
Why it matters: Phishing operators are prone to operational errors that can inadvertently reveal tooling and operations, offering defenders rare insights into adversary infrastructure and techniques.
Practitioner Perspective
Any organization using Microsoft 365 is a potential target for Evilginx phishing, which can defeat MFA by proxying logins and harvesting session tokens. The exposure of the attacker’s full tooling due to misconfiguration gives incident response and threat hunting teams a unique chance to study real adversary workflows, infrastructure reuse, and tradecraft. These findings reinforce the risk of targeted phishing bypassing standard second-factor controls, especially for privileged admin accounts. Defenders should proactively monitor for Evilginx kit activity and review related IOCs across their environments. The priority is understanding your MFA bypass exposure and closing external reconnaissance or phishing detection gaps.
Recommended Actions
- Hunt for Evilginx kit artifacts (e.g., proxy domains, session token exfiltration) in M365 sign-in logs
- Review alerting and investigation procedures for anomalous session creation in Microsoft 365
Compromised jscrambler 8.14.0 npm Release Drops Rust Infostealer During Install
Source: The Hacker News | Risk: Critical | Impacted: Software engineering teams using jscrambler, JavaScript/Node.js CI/CD pipelines, Developer laptops and build servers
Summary: The jscrambler npm package was compromised, and simply installing its 8.14.0 release runs an infostealer on your machine. Published on July 11, 2026, the malicious version carries a preinstall hook that drops and executes a native binary, one build each for Windows, macOS, and Linux. Socket flagged the release six minutes after it was published. If you or one of your…
Why it matters: Malicious npm package releases can compromise developer endpoints and CI/CD systems, allowing attackers to steal credentials or sensitive assets before code ever ships to production.
Practitioner Perspective
Any installation of jscrambler 8.14.0 triggers a Rust info-stealer, immediately placing software build servers and developer endpoints at risk. Supply chain attacks via widely used npm libraries continue to be both rapid and devastating as seen here, with detection within minutes not preventing potential downstream compromise. Any exposure likely includes credential theft, secret exfiltration, and staged persistence on developer workstations. Swift incident response, secret rotation, and environment rebuilds are justified for impacted teams.
Recommended Actions
- Purge all copies of jscrambler 8.14.0 npm package and confirm version provenance for 8.x installations
- Scan endpoints and build servers for infostealer binaries installed on July 11, 2026
URGENT – Progress Tells ShareFile Customers to Shut Down Storage Zone Controllers Over Security Threat
Source: The Hacker News | Risk: Critical | Impacted: ShareFile Storage Zone Controller admins, Teams transferring HIPAA/protected data via ShareFile, IT departments managing Progress Software assets
Summary: Progress Software has told ShareFile customers to shut down the Windows servers running their Storage Zone Controllers, confirming to The Hacker News that it is responding to a “credible external security threat.” The company has temporarily disabled access to the affected accounts, a step it says it took “out of an abundance of caution” while it works with internal and…
Why it matters: Mandated server shutdowns for ShareFile Storage Zone Controllers can disrupt availability of file transfer services and raise the stakes for incident response teams responsible for regulated and sensitive data.
Practitioner Perspective
A credible security threat against Progress ShareFile Storage Zone Controllers forced an urgent service suspension, preventing access for both administrators and users. Organizations depending on ShareFile for regulated file transfers must execute business continuity plans and anticipate threat actor activity leveraging recently disclosed flaws or misconfigurations. Incident response teams need to remain in close contact with Progress for up-to-date threat intelligence and post-mortem advisories. Do not resume operations until explicit remediations are validated.
Recommended Actions
- Follow Progress Software guidance to shut down all ShareFile Storage Zone Controllers
- Monitor vendor advisories and subscribe to emergency email updates for situation changes
Injective Labs GitHub Compromise Pushes Wallet-Key-Stealing npm Packages
Source: The Hacker News | Risk: High | Impacted: Cryptocurrency platform developers, Users of @injectivelabs/[email protected], Wallet operators and asset custodians
Summary: Unknown threat actors compromised the Injective Labs SDK project’s GitHub repository and leveraged it to publish a malicious package on the npm registry to steal cryptocurrency wallet private keys and mnemonic seed phrases. The compromised version, @injectivelabs/[email protected], came embedded with fake telemetry functionality that exfiltrated data from cryptocurrency wallets. The version was…
Why it matters: Compromised GitHub repos propagating malicious npm packages can instantly compromise developer assets and cryptocurrency holdings, creating systemic risks for the web3 supply chain.
Practitioner Perspective
The Injective Labs SDK GitHub compromise resulted in an npm package designed to steal wallet keys and seed phrases from any user or build environment integrating it. Cryptocurrency projects and contributors face direct crypto asset theft and potential downstream compromise where the poisoned package has already propagated. This attack illustrates continued adversary focus on software supply chains, especially in the decentralized ecosystem. Teams should conduct forensics on developer environments and wallets exposed after upgrading to the affected SDK version.
Recommended Actions
- Identify and remove all instances of @injectivelabs/[email protected] and any dependencies
- Forensically image and analyze affected developer systems for key/seed exfiltration
Six New U-Boot Flaws Could Let Malicious Images Crash Devices or Run Code at Boot
Source: The Hacker News | Risk: High | Impacted: Firmware integrators using U-Boot, IoT and smart device vendors, Enterprise infrastructure operators
Summary: Researchers at firmware security firm Binarly have found six new flaws in U-Boot, the small program that starts up hardware as varied as home routers, smart cameras, and the management chips inside data-center servers. Four of the bugs can crash a device. The other two could let an attacker who slips a malicious image in front of the bootloader run their own…
Why it matters: Exploitable flaws in U-Boot put a wide variety of embedded and data center devices at risk of denial of service or persistent compromise if attackers can insert malicious boot images.
Practitioner Perspective
Firmware bootloaders like U-Boot serve as a foundational trust anchor for hardware from consumer routers to data center management controllers. The discovery of flaws that enable either device crashes or arbitrary code execution at boot stage raises the potential for supply chain, implant, and bricking attacks. Devices managed at scale for IoT, datacenter, or industrial use should be reviewed for firmware provenance, and vendors pressed for patches or mitigation guidance. The long patch cycles for embedded environments make pre-boot image validation and robust device recovery paramount.
Recommended Actions
- Inventory platforms and appliances using U-Boot and check vendor advisories post-July 2026
- Implement signed and validated firmware image updates across device fleets
Laser Attack Resets Tangem Wallet Passwords on Cards That Can’t Be Patched
Source: The Hacker News | Risk: Medium | Impacted: Tangem cardholders, Cryptocurrency custodians using physical wallets, Physical security teams at exchanges
Summary: Researchers at Ledger’s Donjon security team have shown that a precisely timed laser pulse, aimed at the chip inside a Tangem crypto wallet card, can reset the card’s password to anything the attacker picks. No old password. No backup card. Once it is reset, whoever did it controls the wallet and can move the coins out. This is not an emergency for most…
Why it matters: Physical attacks capable of silently resetting crypto wallet passwords present non-patchable risks to hardware wallet security, especially for high-value assets held offline.
Practitioner Perspective
A laser fault injection can overwrite passwords on Tangem wallet cards, meaning anyone with brief physical access may transfer all assets even without prior credentials. Since this class of attack is unpatchable for deployed devices, users managing significant cryptocurrency funds on Tangem cards should reconsider their threat model and storage approach. While the attack demands close proximity and expensive equipment, it is realistic in targeted theft or insider scenarios. Routine physical security may be inadequate for these types of hardware vulnerabilities.
Recommended Actions
- Educate Tangem wallet users regarding physical access risks and this unpatchable vector
- Implement increased physical controls for on-premises wallet card storage
Exploits & CVEs
iCagenda and Balbooa Forms Joomla Flaws Reportedly Exploited as Zero-Days
Source: The Hacker News | Risk: Critical | Impacted: Joomla web admins, Public-facing web infrastructure, Organizations with legacy CMS deployments
Summary: The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added two maximum-severity security flaws impacting iCagenda and Balbooa extensions for Joomla to its Known Exploited Vulnerabilities (KEV) catalog, following reports of zero-day exploitation in the wild. The vulnerabilities, both rated 10.0 on the CVSS scoring system, are below – CVE-2026-48939 – A vulnerability in the…
Why it matters: Active exploitation of unpatched, internet-exposed Joomla extensions creates direct paths for attackers to gain privileged access or execute arbitrary code on web infrastructure.
Practitioner Perspective
Operators of Joomla sites with iCagenda and Balbooa Forms are at risk due to confirmed exploitation of zero-day vulnerabilities rated CVSS 10.0. Attackers are leveraging these flaws for initial access and persistence in environments, as evidenced by CISA’s KEV listing. Prompt remediation is essential since external web applications remain a favorite entry vector for ransomware, web shells, and data exfiltration campaigns. If these plugins are present, treat environments as potentially compromised. Root cause and containment efforts should precede patching if compromise is suspected.
Recommended Actions
- Remove or update iCagenda and Balbooa Forms Joomla extensions immediately
- Check CISA KEV catalog for advisories on CVE-2026-48939 and the corresponding Balbooa Forms vulnerability
Defensive Actions
- Eradicate any installations of jscrambler 8.14.0 npm from build environments and endpoints
- Scan for active exploitation of iCagenda and Balbooa Joomla zero-days
- Shut down and monitor Progress ShareFile Storage Zone Controllers per vendor guidance
- Assess M365 tenants for Evilginx-style phishing targeting session tokens
- Review developer build systems for evidence of malicious npm supply chain compromise
- Hunt for anomalous session creation and proxy domain access in Microsoft 365 logs
- Review web infrastructure for past evidence of Joomla plugin exploitation and web shell deployment
- Educate hardware wallet users on new classes of physical attack and recovery limitations
- Monitor firmware platforms for U-Boot bootloader compromise and validate recovery processes
- Increase incident response coordination with legal and compliance teams for healthcare data breaches
What We’re Watching
- Ongoing investigations into the source and remediation status for Progress ShareFile infrastructure following mandated shutdowns.
- Aftermath of Centers Laboratory data breach impacting over half a million individuals, with expected regulatory fallout and possible further extortion attempts.
- Additional exploitation of high-severity Joomla extension flaws (CVE-2026-48939 and others, each CVSS 10.0) as attackers weaponize web infrastructure via zero-day vulnerabilities.
- Broad supply chain risks from compromised npm libraries, especially infostealer payloads affecting developer workstations and CI/CD servers.
- The evolving methods of credential harvesting, phishing (Evilginx), malicious packages, and physical-hardware attacks, and their impact on both enterprise and consumer threat models.
Categories: Cybersecurity Blog, Cybersecurity News
Leave a Reply