Curated Cyber Threat Intelligence

Threat Feed

Daily intelligence on vulnerabilities, threat actors and geopolitical context — distilled from primary sources.

scheduleUpdated 2026-07-19 · 02:04 UTC
articleTotal: 588 reports
Cyber Threat Daily Brief — July 19, 2026satellite_altDaily Brief
Threat Intel Brief·Daily Summary

Cyber Threat Daily Brief — July 19, 2026

Today's briefing: 3 critical and 8 high-severity threats. A total of 13 detailed analyses covering vulnerabilities, threat actors, and geopolitical context.

3 Critical8 High13 analyses
schedule02:04 UTC
Read briefarrow_forward

Latest Reports

26 / 588 results
7-Zip 26.02 patches RCE flaw via malicious compressed fileshighbug_reportVulnerability
bug_reportVulnerability

7-Zip 26.02 patches RCE flaw via malicious compressed files

7-Zip versions prior to 26.02. All platforms (Windows, Linux, macOS) where 7-Zip is installed and used to open compressed archives from untrusted sources.

7-Zip17:32 UTC
WordPress Core RCE "wp2shell" exploits now public, patch immediatelycriticalbug_reportVulnerability
bug_reportVulnerability

WordPress Core RCE "wp2shell" exploits now public, patch immediately

WordPress Core (specific versions not disclosed in provided data). Scope appears to be remote code execution vulnerabilities in core WordPress installation.

WordPress15:22 UTC
ACR Stealer campaign targets Microsoft enterprise customershighbug_reportVulnerability
bug_reportVulnerability

ACR Stealer campaign targets Microsoft enterprise customers

Microsoft enterprise customers; targets browser-stored credentials, authentication tokens, and sensitive documents across enterprise environments

Microsoft12:17 UTC
WordPress 6.9–7.0 unauthenticated RCE patched, forced auto-update activecriticalbug_reportVulnerability
bug_reportVulnerability

WordPress 6.9–7.0 unauthenticated RCE patched, forced auto-update active

WordPress core versions 6.9.0–6.9.4 and 7.0.0–7.0.1. All sites running these versions are vulnerable to unauthenticated remote code execution via anonymous HTTP requests. Patched in 6.9.5 and 7.0.2.

WordPress19:20 UTC
OpenSSL "HollowByte" DoS allows 11-byte requests to freeze server memoryhighbug_reportVulnerability
bug_reportVulnerability

OpenSSL "HollowByte" DoS allows 11-byte requests to freeze server memory

OpenSSL versions prior to June 2024 patch. Affects TLS servers running on glibc-based Linux systems. Specific vulnerable versions not disclosed; patch applied without CVE or public advisory.

OpenSSL18:20 UTC
Seven malicious npm packages target Vite ecosystem with blockchain C2 RAThighbug_reportVulnerability
bug_reportVulnerability

Seven malicious npm packages target Vite ecosystem with blockchain C2 RAT

npm package ecosystem, specifically projects using Vite frontend tooling. Seven malicious packages identified in the ViteVenom campaign. Any JavaScript/Node.js development environments that installed these packages are compromised.

npm16:54 UTC
HollowByte flaw enables DoS on OpenSSL servers via 11-byte payloadhighbug_reportVulnerability
bug_reportVulnerability

HollowByte flaw enables DoS on OpenSSL servers via 11-byte payload

OpenSSL servers (specific versions not disclosed). Unauthenticated remote attackers can exploit the vulnerability. Scope includes any internet-facing OpenSSL server implementations susceptible to the malicious payload.

OpenSSL15:56 UTC
NadMesh Botnet Targets AI Services for AWS and Kubernetes Credential Thefthighperson_alertThreat Actor
person_alertThreat Actor

NadMesh Botnet Targets AI Services for AWS and Kubernetes Credential Theft

NadMesh is a Go-based botnet operation discovered in early July that specializes in compromising cloud infrastructure credentials through exploitation of exposed AI and automation services.

AWS15:12 UTC
DigiCert breach linked to Chinese APT; code-signing certs stolencriticalbug_reportVulnerability
bug_reportVulnerability

DigiCert breach linked to Chinese APT; code-signing certs stolen

DigiCert certificate authority infrastructure compromised in April 2026. Code-signing certificates stolen by CylindricalCanine (GoldenEyeDog/APT-Q-27 subgroup).

DigiCert14:39 UTC
Lazarus Deploys OtterCookie via Fake Job Lures in Contagious Interviewhighperson_alertThreat Actor
person_alertThreat Actor

Lazarus Deploys OtterCookie via Fake Job Lures in Contagious Interview

Lazarus is a North Korean state-sponsored advanced persistent threat (APT) group attributed to the Reconnaissance General Bureau (RGB). The group is financially motivated, conducting operations to generate revenue for the DPRK regime through cryptocu…

The Hacker News11:48 UTC
Windows zero-day LegacyHive enables privilege escalation on patched systemscriticalbug_reportVulnerability
bug_reportVulnerability

Windows zero-day LegacyHive enables privilege escalation on patched systems

All up-to-date Windows systems. Specific affected versions not disclosed. Exploit enables local privilege escalation from standard user to administrator level. No CVE assigned yet.

Microsoft09:05 UTC
Armenia Detains Russian National on U.S. REvil Ransomware Warranthighperson_alertThreat Actor
person_alertThreat Actor

Armenia Detains Russian National on U.S. REvil Ransomware Warrant

REvil (also known as Sodinokibi) is a Russia-linked ransomware-as-a-service (RaaS) operation that emerged in 2019 and became one of the most prolific cybercrime groups before law enforcement disruption in 2021-2022.

The Hacker News08:53 UTC
Siemens ROX II OT switches vulnerable to chained zero-day privilege escalationcriticalbug_reportVulnerability
bug_reportVulnerability

Siemens ROX II OT switches vulnerable to chained zero-day privilege escalation

Siemens ROX II industrial switches used in operational technology (OT) environments. Specific affected firmware versions not disclosed in summary. Vulnerability chain enables privilege escalation to persistent root access.

Siemens08:00 UTC
ACR Stealer campaign uses ClickFix social engineering to steal M365 datahighbug_reportVulnerability
bug_reportVulnerability

ACR Stealer campaign uses ClickFix social engineering to steal M365 data

Microsoft 365 enterprise users and organizations. ACR Stealer targets browser credentials, session tokens, and M365 documents. Active since 2024 with two documented delivery chains using ClickFix social engineering lures.

Microsoft06:56 UTC
GoSerpent Malware Targets Southeast Asian Government and Diplomacyhighperson_alertThreat Actor
person_alertThreat Actor

GoSerpent Malware Targets Southeast Asian Government and Diplomacy

GoSerpent is a previously undocumented malware family discovered by Kaspersky researchers in late 2025. The malware is designed for long-term persistent access and intelligence gathering operations.

Kaspersky06:46 UTC
CISA orders patching of actively exploited Fortinet FortiSandbox flawscriticalbug_reportVulnerability
bug_reportVulnerability

CISA orders patching of actively exploited Fortinet FortiSandbox flaws

Fortinet FortiSandbox threat detection platform. Specific versions not provided in available data. Two vulnerabilities confirmed, CVE identifiers not yet disclosed.

Fortinet05:03 UTC
CISA: Microsoft SharePoint RCE CVE-2026-58644 actively exploitedcriticalbug_reportVulnerability
bug_reportVulnerability

CISA: Microsoft SharePoint RCE CVE-2026-58644 actively exploited

Microsoft SharePoint Server (specific versions not disclosed). CVSS 9.8 critical remote code execution vulnerability.

CVE-2026-5864404:42 UTC
Mount Royal University in Calgary confirms data breach and deletionhighpublicGeopolitical
publicGeopolitical

Mount Royal University in Calgary confirms data breach and deletion

The breach of Mount Royal University represents a typical pattern in the current cyber threat landscape affecting higher education institutions across North America.

Mount Royal University19:26 UTC
Malicious npm and PyPI packages impersonate Paysafe payment SDKshighbug_reportVulnerability
bug_reportVulnerability

Malicious npm and PyPI packages impersonate Paysafe payment SDKs

Developers using npm and PyPI repositories who may have installed counterfeit packages impersonating Paysafe, Skrill, and Neteller payment SDKs. Affects development environments and potentially downstream applications integrating these malicious pack…

Paysafe17:54 UTC
China-Linked Cluster Exploits Roundcube at Universitieshighperson_alertThreat Actor
person_alertThreat Actor

China-Linked Cluster Exploits Roundcube at Universities

This China-linked threat cluster targets academic institutions in North America, focusing on credential theft and persistent access through exploitation of vulnerable Roundcube webmail servers.

Roundcube16:56 UTC
Vishing Campaign Targets Microsoft 365 Users with Entra Passkey Scamhighperson_alertThreat Actor
person_alertThreat Actor

Vishing Campaign Targets Microsoft 365 Users with Entra Passkey Scam

The threat actor behind this campaign remains unattributed. The operation demonstrates sophistication in social engineering tactics, specifically targeting Microsoft 365 environments through voice-based phishing (vishing).

Microsoft14:47 UTC
HalluSquatting attack exploits AI coding assistants to distribute malwarehighbug_reportVulnerability
bug_reportVulnerability

HalluSquatting attack exploits AI coding assistants to distribute malware

AI coding assistants (GitHub Copilot, ChatGPT, Claude, etc.) and developers using AI-generated package recommendations. All package ecosystems (npm, PyPI, Maven, etc.) are potential targets.

AI coding assistants13:07 UTC
Ubiquiti patches critical flaws in UniFi products, CVE-2026-50746 CVSS 10.0criticalbug_reportVulnerability
bug_reportVulnerability

Ubiquiti patches critical flaws in UniFi products, CVE-2026-50746 CVSS 10.0

Ubiquiti UniFi Connect, UniFi Talk, UniFi Access, UniFi Protect, and UniFi OS. Specific vulnerable versions not provided in available data. CVE-2026-50746 rated CVSS 10.0 (critical).

CVE-2026-5074612:38 UTC
EvilTokens Ghost Phishing Campaign Targets US and European Businesseshighperson_alertThreat Actor
person_alertThreat Actor

EvilTokens Ghost Phishing Campaign Targets US and European Businesses

EvilTokens is a campaign leveraging "ghost phishing" techniques to target business entities across the United States and Europe. The campaign's primary motivation appears to be credential theft and unauthorized access to Microsoft 365 environments, w…

Microsoft11:00 UTC
REF6045 targets Mexican banking sector with SCMBANKER via ClickFix lureshighperson_alertThreat Actor
person_alertThreat Actor

REF6045 targets Mexican banking sector with SCMBANKER via ClickFix lures

REF6045 is a financially motivated threat actor conducting banking fraud operations against Mexican financial institutions and their customers. The actor targets banking, fintech, and cryptocurrency exchange users in Mexico, leveraging social enginee…

The Hacker News10:52 UTC
GitHub commit verification flaw allows signature reuse on rewritten commitshighbug_reportVulnerability
bug_reportVulnerability

GitHub commit verification flaw allows signature reuse on rewritten commits

GitHub's commit verification system for GPG/SSH-signed commits. All repositories using signed commits with GitHub's "Verified" badge are potentially affected. The flaw is in GitHub's verification logic, not Git itself.

GitHub09:51 UTC