Here is what security teams should know from the past few days: a fresh wave of actively exploited vulnerabilities, a large driver’s license breach, a supply chain attack against a crypto SDK, and a new extortion group abusing Microsoft’s device code flow.
Actively exploited vulnerabilities
- Adobe ColdFusion path traversal (CVE-2026-48282) — Attackers began exploiting this path traversal flaw less than two hours after details went public. It can lead to arbitrary code execution and was added to CISA’s Known Exploited Vulnerabilities (KEV) catalog this week. Security Affairs, July 2026
- SharePoint Server RCE (CVE-2026-45659) — Confirmed exploitation pushed this remote code execution bug into CISA’s KEV catalog, with a July 4 patch deadline for U.S. federal agencies. The Hacker News, July 2026
- Joomlack Page Builder unauthenticated RCE (CVE-2026-56290, CVSS 10.0) and Langflow authorization bypass (CVE-2026-55255, CVSS 6.1) — Both were added to KEV alongside the ColdFusion and SharePoint flaws. The Hacker News, July 2026
- Oracle E-Business Suite Payments flaw (CVE-2026-46817, CVSS 9.8) — An improper privilege management and authentication issue under active exploitation in Oracle Payments. The Hacker News, June 2026
If any of these products are in your environment, patching status is worth checking against your asset inventory today, not at the next maintenance window.
Data breaches and exposure
- AssuranceAmerica disclosed a breach affecting roughly 6.99 million drivers. An employee’s credentials were compromised on March 16, and the attacker used that access to copy files containing names, contact details, policy and vehicle information, claims data, and driver’s license numbers. The investigation closed June 15, and notification letters started going out July 10. BleepingComputer · Security Affairs
- WP-SHELLSTORM — SOCRadar’s threat intelligence team found an unauthenticated open directory on a US-based VPS that had been sitting exposed for three weeks. It belonged to a webshell access brokerage: a crew that compromises sites at scale, plants backdoors, and resells the access. The exposed directory contained roughly 800MB of hacking tools, activity logs, and target lists spanning more than 1.4 million domains. A single Breeze caching plugin bug (CVE-2026-3844) accounted for most of the confirmed compromises, with the crew claiming over 17,000 backdoored WordPress sites from that flaw alone. The Hacker News, July 2026
Supply chain and malware
- Injective Labs SDK npm compromise — Attackers compromised the project’s GitHub repository through commits from an account with an established contribution history, then published a malicious
@injectivelabs/[email protected]package on July 8. The package shipped fake telemetry code that captured mnemonic seed phrases and private keys when wallet-key functions were called, then exfiltrated them via HTTP POST to what looked like legitimate Injective infrastructure. Seventeen additional scoped packages pinned to the compromised version were also affected before it was deprecated. The Hacker News · Socket - Free VPN apps leaking traffic — Independent testing of popular free VPN apps found 29 that let traffic leak outside the encrypted tunnel and 61 that send some data in plain text, readable to anyone on the same network path.
Emerging threat: Helix extortion group
A new data-extortion group tracked as Helix, believed to have ties to the BlackFile and ShinyHunters ecosystem, is targeting Microsoft 365 and SharePoint environments with an identity-first playbook instead of malware:
- Operators vishing employees, often spoofing a manager’s caller ID or name.
- The victim is talked into completing a Microsoft device code authorization flow — they authenticate on Microsoft’s real login page, so there’s no phishing page or credential harvesting to catch.
- The resulting access token goes straight to the attacker.
- Once inside, Helix registers a new MFA authenticator for persistence, then enumerates and exfiltrates SharePoint files for extortion.
Because the victim is genuinely authenticating through Microsoft’s own infrastructure, this technique evades classic phishing detections. Disabling device code authentication where it isn’t operationally required is the highest-leverage control against it, alongside blocking sign-ins from newly registered MFA methods without review. BleepingComputer
Also worth noting
A former ransomware negotiator was sentenced to 70 months in prison for conspiring with the now-defunct BlackCat ransomware operation to extort victims it was supposedly helping — a reminder that the incident response chain itself is a target for infiltration and vetting matters.
Final thought
The common thread this week is speed and identity: exploitation starting within hours of disclosure, and an extortion group succeeding without deploying any malware at all. If your alerting depends on signature-based detection alone, both trends work against you. For a look at building alerting that catches identity abuse and unpatched exposure before they turn into incidents, see Why Security Matters for Startups, or book a discovery call if you want a second set of eyes on your current coverage.