
Patching Speeds Up: Linux, NetScaler Bugs and Supply-Chain Attacks
Coverage: 03 Jul 2026 – 05 Jul 2026 (UTC)
< view all daily briefs >Security teams faced a dense mix of urgent patching, software supply-chain threats, and ransomware developments. Adobe is moving to a faster advisory cadence, while new kernel and embedded-filesystem flaws raise the stakes for Linux and device maintainers. Concurrently, researchers detailed large-scale package poisoning and advanced phishing services against Microsoft 365, as law enforcement disrupted a major residential proxy network. Organizations should align change windows, harden developer tooling, and review identity controls to reduce exposure.
Patch Cadence and Critical Vulnerabilities
Adobe will add a second scheduled security release each month to accelerate remediation, according to CSO Online. Beginning July 14, advisories will continue on the second Tuesday and expand to the fourth Tuesday for bulletins that include formally published CVEs requiring customer action. Adobe positions the shift as a response to a higher volume and speed of vulnerability discovery and exploitation, enabled by new investments in internal discovery and intended to reduce customer exposure windows. Security and patch-management teams should plan for two recurring Adobe update windows and align testing and deployment workflows accordingly.
A newly disclosed Linux kernel vulnerability, dubbed Bad Epoll (CVE-2026-46242), enables local privilege escalation to root via a narrow use-after-free race in the epoll subsystem, per The Hacker News. The flaw affects kernels built on 6.4 and newer, with some Android devices also impacted; 6.1-based kernels are not affected. A researcher achieved approximately 99% reliable exploitation by widening the race window. There is no evidence of in-the-wild exploitation. The advised fix is to apply upstream commit a6dc643c6931 or install distribution backports when available; there are no viable workarounds beyond patching.
Researchers at runZero disclosed seven unpatched vulnerabilities in the FatFs filesystem library used broadly across embedded and RTOS-based devices, reported by The Hacker News. Triggered by malformed FAT/exFAT volumes or firmware images, impacts range from crashes and data corruption to memory corruption enabling code execution. High-severity issues include CVE-2026-6682 (FAT32 mount integer overflow) and exFAT-related overflows (CVE-2026-6687, CVE-2026-6688). One GPT partition hang was fixed in FatFs R0.16, but other memory-corruption problems lack upstream fixes; exploit material, test harnesses, and a QEMU example are public. Affected platforms named include Espressif ESP-IDF, STM32Cube, Zephyr, MicroPython, ArduPilot, RT-Thread, Mbed, Samsung TizenRT, and SWUpdate. Builders should locate bundled copies, harden wrapper code handling filenames/sizes, limit physical-media exposure, and prioritize downstream vendor updates.
Citrix patched a NetScaler memory overread vulnerability (CVE-2026-8451) that can leak fragments of protected process memory from appliances configured as SAML Identity Providers, with exploit attempts seen in the wild within 24 hours, according to CSO Online. Citrix assigned CVSS 8.8 and released fixes in an update that also addressed two additional high-severity memory overflows (CVE-2026-8452, CVE-2026-8655), an unauthenticated arbitrary file read (CVE-2026-10816), another out-of-bounds overread (CVE-2026-10817), and an HTTP/2 denial-of-service issue (CVE-2026-13474). WatchTowr published a Python detection script, and Citrix’s guidance outlines preconditions and mitigation steps, including configuration changes for the HTTP/2 issue. NetScaler SAML IdP deployments should prioritize patching and scanning to mitigate potential data leakage and chaining risks.
Supply Chain and SaaS Account Compromise
Researchers tied a long-running package poisoning operation to North Korea–aligned actors in a cluster tracked as PolinRider, detailed by The Hacker News. The group published 162 release artifacts across 108 packages spanning npm, Composer, Go modules, and a Chrome extension, using obfuscated JavaScript loaders and developer tooling—such as VS Code runOn: 'folderOpen' tasks and malicious extensions—to trigger execution. The chain retrieves encrypted second stages from blockchain-based infrastructure (TRON, Aptos, BNB Smart Chain), yielding payloads like DEV#POPPER RAT and OmniStealer. Actors often gain maintainer control via expired domain takeovers and other recovery paths. Recommended actions include removing affected versions, rotating secrets from a clean environment, rebuilding from trusted lockfiles, and auditing for suspicious VS Code tasks, altered config files, and rewritten Git history.
A phishing-as-a-service platform named ARToken, linked to the EvilTokens toolkit, automates theft and management of Microsoft 365 authentication tokens, per BleepingComputer. The React-based panel, deployed via Cloudflare Workers, supports refreshing and elevating access to persistent Primary Refresh Tokens, enables full mailbox and file access, and offers business email compromise tooling such as sending mail as victims, creating inbox rules, and monitoring for keywords. Researchers found multiple technical overlaps with EvilTokens, including device code flow and PRT endpoints. The service operates as a multi-tenant affiliate platform and incorporates features to share or import tokens and adapt content dynamically, reflecting the rise of device code phishing and AI-assisted automation to bypass MFA.
Huntress observed a high-volume password spray against Microsoft 365 tenants that generated roughly 81 million login attempts between June 12 and 26 and led to at least 78 account compromises among its customers, reported by CSO Online. The campaign used the OAuth Resource Owner Password Credentials flow to replay valid username/password pairs and mint user-delegated tokens. Success correlated with incomplete MFA coverage, where protections were scoped to specific apps, groups, or sign-in methods, leaving others (such as the Azure CLI) unprotected. The traffic traced to an IPv6 range whose ISP has since terminated the customer. Recommended mitigations include enforcing MFA for All Cloud Apps and all users, reviewing authentication flows that allow credential replay, monitoring for high-volume attempts, and restricting suspicious IP ranges.
Ransomware Ecosystem and Tools
Blackpoint Cyber described a modular threat framework named Avalon that delivers an integrated ransomware module called CrownX, according to The Hacker News. The multi-stage chain starts with a spoofed legal document and a password-protected Proton Drive archive, proceeding through a malicious ISO and Windows Shortcut to run an MSBuild project that tampers with Event Tracing for Windows and downloads further payloads. Avalon aggregates credential and cookie theft, crypto-wallet harvesting, SSH/RDP collection, and C2 polling to helloxcherry[.]com. CrownX uses the Windows Cryptography API for file encryption, enforces deadlines with escalating demands, terminates Volume Shadow Copy Service, deletes shadow copies, and performs anti-forensic cleanup. The framework features evasion techniques against multiple endpoint products and includes routines that can interact with disk structures, increasing the risk of system corruption.
Sophos identified a partnership between the Vect ransomware group and TeamPCP, a credential-theft actor known for software supply-chain compromises, as covered by Infosecurity. TeamPCP’s access to developer credentials and cloud tokens is being paired with Vect’s ransomware-as-a-service model, creating an “industrialized” pipeline from initial compromise to deployment. Sophos validated at least one incident where Vect used TeamPCP-sourced credentials. The FBI issued a FLASH the same day enumerating TeamPCP-linked malware, including CanisterWorm, Sandclock, Mini Shai-Hulud, and Miasma. The collaboration underscores the need to treat development environments and third-party updates as high-risk and to implement rapid exposure assessment and response processes.
Researchers reported continued consolidation in the ransomware market, with Qilin emerging as a leading operation following disruptions to major competitors, per Infosecurity. Estimates attribute roughly 16% market share to Qilin, with 1,496 victims listed over the past year, ahead of Akira and The Gentlemen. High affiliate payouts, technical maturity, and expanded extortion services have drawn experienced operators to the platform, though consolidation may invite increased law enforcement focus. Analysts note that AI-enabled tools are lowering barriers for affiliates, and vendors are accelerating scanning and review processes after Qilin was observed targeting a Check Point VPN product in a limited incident.
Disruption and Targeted Intrusions
The FBI and Google’s Threat Intelligence Group led an international operation to disrupt NetNut, a large residential proxy service that ran on the Popa botnet, reported by Infosecurity. Popa leveraged a malicious SDK to conscript over two million consumer devices—largely Android-based smart TVs, streaming boxes, and unofficial apps—turning them into proxy exit nodes without clear consent. The proxy network supported password spraying, credential stuffing, ad fraud, data scraping, and distribution of Mirai DDoS variants. Partners including Lumen, Shadowserver, and the IRS Criminal Investigation division assisted; Google disabled accounts used for C2, updated Play Protect, and removed affected apps. Although some domains briefly remained accessible, authorities and researchers indicate backend C2 infrastructure was targeted, significantly degrading operations.
Jamf Threat Labs documented a macOS infostealer named PamStealer that impersonates the Maccy clipboard manager via lookalike sites and an AppleScript dropper, as detailed by The Hacker News. The two-stage chain uses a JXA downloader to fetch a Rust-based binary that harvests browser data, wallet extensions, iCloud Keychain entries, and clipboard contents, then exfiltrates them encrypted. PamStealer presents a native password prompt validated through the macOS PAM API, repeating until the correct credential is entered, and uses environment checks tied to host fingerprinting to avoid analysis and non-targeted regions. The Maccy developer warns that maccy.app is the only official source.
Kaspersky attributed a previously undocumented actor, Armored Likho, to intrusions against government agencies and the electric power sector in Russia, Brazil, and Kazakhstan, reported by The Hacker News. The group blends financially motivated activity with targeted espionage using modular RATs and a Python-based stealer dubbed BusySnake. Initial access relies on spear-phishing RAR/EXE droppers or weaponized LNK files exploiting CVE-2025-9491, with payloads fetched from GitHub and persistence via VBScript and scheduled tasks. BusySnake supports clipboard capture, file enumeration, screenshots, keystroke logging, browser credential theft, Telegram session exfiltration, and crypto-wallet harvesting, and can create reverse SSH tunnels using integrated Go2Tunnel. Overlaps with BI.ZONE’s Eagle Werewolf include persistence and C2 patterns, and indicators suggest AI-assisted code generation in early loaders.