Cybersecurity News Digest — July 14, 2026

A joint advisory on Russian FSB router hacking, a compromised npm package dropping a Rust infostealer, Progress Software's emergency ShareFile shutdown, and CISA confirming ransomware gangs are exploiting a Microsoft Defender flaw.

Since our last update, the pattern shifts again: a state actor working through mundane router misconfigurations at scale, a security vendor’s own npm package turned into a credential-stealing delivery mechanism, and a vendor pulling the plug on its customers’ servers before it even knows what it’s dealing with. Here’s what changed.

Nation-state watch: Russian FSB unit exploiting weak router configurations

The NSA, FBI, and CISA, joined by 15 partner agencies from the UK, Canada, Australia, New Zealand, and several EU states, published a joint advisory on July 9 attributing an ongoing campaign to FSB Center 16, targeting communications, defense industrial base, energy, financial services, government facilities, and healthcare organizations worldwide. The technique is unglamorous: scan for routers still running default or common SNMP community strings, issue spoofed-IP commands to pull device configuration files, and exfiltrate them over plain TFTP to actor-controlled infrastructure. Operators have also abused Cisco’s Smart Install feature and at least two known Cisco vulnerabilities on internet-facing management interfaces. BleepingComputer · CISA advisory AA26-194A

No zero-day is involved — this is a scan-for-defaults operation that works because router hygiene is treated as an afterthought. Disable outdated SNMP versions, retire default community strings, turn off Smart Install where it isn’t in active use, and confirm no management interface for network gear is reachable from the open internet.

Supply chain: compromised jscrambler npm release drops a cross-platform infostealer

A malicious release of the jscrambler npm package — 8.14.0, published July 11 using a compromised publishing credential — shipped an undocumented preinstall hook that silently drops and runs a Rust-based infostealer on Windows, macOS, and Linux, regardless of whether the package is ever imported. The payload goes after cloud credentials, CI/CD tokens, browser sessions, cryptocurrency wallets, Bitwarden vaults, and config files belonging to AI coding tools. Socket has since tied four more compromised versions (8.16.0, 8.17.0, 8.18.0, 8.20.0) to the same actor, all published within about three hours of each other. The Hacker News · Socket

If any of these five versions touched a build pipeline or developer workstation in your org, treat it as a confirmed compromise, not a maybe: upgrade to 8.22.0 and rotate every credential type the infostealer targets, not just the obvious ones.

Emergency response: Progress orders ShareFile customers to shut down their servers

Progress Software emailed ShareFile customers running on-premises Storage Zone Controllers on July 10, instructing them to manually power down those servers over what it described only as a “credible external security threat.” Storage Zone Controllers sit at the network edge so files stay on a company’s own storage while still integrating with ShareFile’s cloud — making them an attractive, internet-reachable target. Progress has not disclosed the nature of the threat, said it has no evidence of unauthorized access so far, and restored cloud-side ShareFile access on July 12 while continuing to warn customers not to power Storage Zone Controllers back on. Standard cloud-only ShareFile accounts are unaffected. The Hacker News · BleepingComputer

Ordering a full shutdown rather than issuing a patch is a signal in itself — it usually means the vendor doesn’t yet have a fix and can’t rule out active exploitation. If you run a Storage Zone Controller, treat “shut it down” as the current guidance until Progress publishes a patch, not a suggestion to weigh against uptime.

Patch priority: CISA confirms ransomware gangs are now exploiting “BlueHammer” in Microsoft Defender

CISA has flagged CVE-2026-33825 — an insufficient access control flaw in Microsoft Defender dubbed “BlueHammer” — as under active exploitation by ransomware operators, even though Microsoft itself has not yet tagged the bug as exploited. The flaw exposes the Security Account Manager database to a locally authenticated attacker, handing over local account password hashes and a path to full SYSTEM privileges. Researcher “Nightmare Eclipse” leaked the vulnerability with working proof-of-concept code in early April; Microsoft shipped a fix on April 14 as part of that month’s Patch Tuesday, but adoption has clearly lagged. BleepingComputer

Three months between patch availability and confirmed ransomware exploitation is not a long runway. If Defender endpoints in your fleet haven’t picked up the April 2026 cumulative update, that’s the first thing to check today — this is exactly the kind of local-privilege-escalation bug that turns an initial foothold into full ransomware deployment.

Also worth noting

Karen Vardanyan, extradited from Ukraine, pleaded guilty on July 8 to conspiracy and computer fraud for deploying Ryuk ransomware against U.S. companies between November 2019 and April 2020, with his crew collecting roughly 1,610 bitcoins in ransom payments. Sentencing is set for September 22. DOJ

Final thought

None of today’s four stories required a novel exploit — a router with a default community string, a compromised publishing credential, a vendor moving fast on an unnamed threat, and a four-month-old patch that didn’t get applied everywhere it needed to. Configuration hygiene and patch adoption speed are still doing more work than any single detection rule. If you want a second opinion on whether your logging would actually catch a config-file exfiltration attempt from network gear or an unexpected outbound connection from a build agent, see our guide to supply chain attacks against software companies or book a discovery call.