SharePoint RCE CVE-2026-45659 Added to CISA KEV After Active Exploitation
Article Link: https://thehackernews.com/2026/07/sharepoint-rce-cve-2026-45659-added-to.html
- CISA added a critical SharePoint remote code execution flaw (CVE-2026-45659) to its KEV catalog following reports of active exploitation in the wild.
- The vulnerability stems from an unsafe deserialization issue where the application processes untrusted network data without proper verification. This allows any authenticated site member with even minimal permissions to send a specially crafted request over standard web ports to execute terminal commands.
- This vulnerability serves as a massive pivot point into an enterprise network because the underlying SharePoint service accounts typically run with broad system privileges. Once a foothold is gained, attackers can easily rifle through internal site collections, compromise local SQL databases, or pivot deeper into the corporate environment.
- To shut this down, security teams need to prioritize deploying Microsoft’s official security updates, audit internal site permission groups to enforce least privilege, and ensure all administrative web interfaces are restricted to trusted internal subnets.
‘Djinn’ Stealer Targets Cloud, AI Credentials
Article Link: https://www.darkreading.com/cyberattacks-data-breaches/djinn-stealer-targets-cloud-ai-credentials
- Blackpoint Cyber discovered a highly sophisticated malware operation deploying a new, cross-platform info stealer called “Djinn” that specifically targets developers and administrators.
- The attack sequence initiates by capitalizing on the recently disclosed authentication bypass flaw inside SimpleHelp remote management software. Once authenticated as a technician, the bad actor drops an obfuscated loader disguised as a legitimate JavaScript library to download the final payload directly into system memory.
- This campaign expands corporate network exposure because the payload targets portable access keys rather than standard browser credentials. The malicious code strips cloud configuration files, source code repositories, and standing tokens utilized by automated artificial intelligence coding assistants, letting adversaries pivot into databases and connected customer environments.
- This escalation demonstrates how quickly threat actors can turn a fresh vulnerability into a severe threat, weaponizing last week’s SimpleHelp auth bypass to launch this new Djinn Stealer and completely compromise cloud and AI environments.
ChocoPoC Malware Targets Researchers Through Trojanized PoC Exploits
Article Link: https://securityboulevard.com/2026/07/chocopoc-malware-targets-researchers-through-trojanized-poc-exploits/
- Joint threat intelligence has uncovered a deceptive campaign spreading a new data-stealing trojan called “ChocoPoC,” which specifically targets security researchers through weaponized proof-of-concept (PoC) repositories on GitHub.
- Threat groups capitalize on industry time pressure following major vulnerability announcements by publishing lookalike testing tools. The visible execution scripts appear entirely clean, but they secretly call trojanized Python dependencies that trigger a remote terminal pipeline upon installation.
- This supply chain trap easily compromises professional development machines by hiding within transitive libraries. The payload remains dormant inside isolated testing environments, activating only when it identifies active exploitation files to successfully steal saved enterprise passwords, browser session cookies, and local database archives.
- This campaign highlights a massive blind spot in researcher workflows: attackers are weaponizing the rush to test trending CVEs by hiding malware inside seemingly harmless package dependencies rather than the main PoC code. Because analysts often run these tools from highly privileged workstations with access to internal VPNs and vulnerability management systems, a single compromised machine can expose the entire enterprise. Ultimately, proving that we can no longer trust a GitHub or PyPI repo based on reputation alone.
New BioShocking attack manipulates AI browser into data theft
Article Link: https://www.bleepingcomputer.com/news/security/new-bioshocking-attack-manipulates-ai-browser-into-data-theft/
- LayerX researchers demonstrated a novel context-manipulation attack dubbed “BioShocking” that successfully tricks next-generation autonomous AI browsers into completely dropping their safety guardrails.
- The attack leverages specialized web pages featuring interactive puzzles modeled after video game logic. By convincing the autonomous program that it is participating in a game simulation, the interface alters its reality parameters, causing the software agent to follow external data harvesting commands.
- Because the AI treats the entire session as a game simulation, it will happily follow external data-harvesting commands—like navigating to a target’s GitHub repository or cloud environment and scraping active session credentials—all while celebrating the theft as a “victory” without flagging a single violation.
- The technique exposes a massive architectural flaw in how emerging agentic tools handle session context: by shifting the AI’s goal from “protect the user” to “win the game,” attackers can seamlessly pivot the browser into authenticated tabs, internal environments, and source repositories without triggering a single traditional security alert.
- Additional information: https://www.malwarebytes.com/blog/ai/2026/07/bioshocking-when-gaming-ai-agents-is-no-longer-a-game
No (Bad) CAP: Inside an Ongoing LSHIY Password Spray Attack
Article Link: https://www.huntress.com/blog/lshiy-password-spray-attack
- Huntress detected a massive, ongoing automated credential testing operation originating from an infrastructure block managed by hosting provider LSHIY LLC that targeted thousands of corporate cloud domains.
- The threat actors executed more than eighty-one million automated login attempts over a fourteen-day window by replaying stale, historically breached username and password combinations against the Microsoft Azure command-line interface. The campaign specifically leveraged the deprecated OAuth Resource Owner Password Credentials flow to submit account details directly to token validation endpoints without triggering an interactive authentication prompt.
- During a major single-day spike that hit 23 businesses, 15 of them had MFA enforced via Conditional Access Policies (CAP) but were compromised anyway because of critical configuration gaps. Common mistakes included restricting MFA to specific admin apps instead of “All Cloud Apps,” scoping it to “Admins Only,” relying on easily spoofed location exclusions, or leaving policies in “Report-Only” mode.
- This attack serves as a critical case study because of the illusion of security it shatters. The takeaway isn’t that MFA is broken, but that leaving legacy authentication pathways like Resource Owner Password Credentials (ROPC) active creates a gaping security blind spot if your Conditional Access rules don’t comprehensively cover every cloud application and user group.
- To effectively mitigate, teams must close these Conditional Access Policy loopholes unconditionally by enforcing MFA or outright blocking access across All Users, All Cloud Apps, and All Client App types. Specifically, enabling the userStrongAuthClientAuthNRequired setting will enforce strong authentication at the client level and completely kill ROPC flows, while restricting Azure CLI access for non-admin accounts and prioritizing detection rules based on credential validity rather than raw spray volume.
New Controller Flaws Expose Highway Signs and Billboards to Remote Hacking
Article Link: https://www.securityweek.com/new-controller-flaws-expose-highway-signs-and-billboards-to-remote-hacking/
- CISA published an Industrial Control Systems (ICS) advisory detailing three severe vulnerabilities impacting Daktronics electronic display controllers, which are used globally on highways, billboards, and sports arenas.
- The flaws include an unauthenticated path traversal bug, an authenticated arbitrary file upload vulnerability, and uncorrected factory-default credentials. If an attacker chains these weaknesses together against an internet-exposed unit, they can bypass validation checks to gain absolute root-level system access.
- This creates serious public safety risks because field inspections confirm most of these internet-facing controllers still use unedited default profiles. This allows unauthorized groups to remotely overwrite system data to broadcast fake traffic alerts or flash malicious messages across metropolitan highways.
- This threat stems from a classic systemic failure in basic OT security hygiene. Leaving critical physical infrastructure on the public internet with default passwords makes these signs incredibly soft targets, meaning teams must immediately rotate field credentials, patch the firmware, and completely isolate these control panels from public internet exposure.
