Microsoft Patch Tuesday record: 622 fixes, 2 zero‑days active
Microsoft released its biggest monthly patch ever, closing 622 CVEs, more than triple June’s high. Two of those are zero‑day flaws already under active exploitation, highlighting escalating attack pressure and the need for swift remediation.
CISA added CVE‑2026‑48939 for iCagenda and CVE‑2026‑56291 for Balbooa Forms to its Known Exploited Vulnerabilities catalog after confirming active zero‑day attacks that let attackers upload arbitrary files and achieve remote code execution. Federal agencies must patch by July 13 2026, and any Joomla site using these extensions faces immediate compromise risk.
ESET discovered 11 Microsoft‑signed shim binaries (version 0.9 and older) that let attackers execute arbitrary code before the OS loads, effectively breaking Secure Boot on most UEFI systems. Microsoft responded by adding the binaries to the DBX revocation list, but unpatched machines remain vulnerable.
Dutch intelligence warns Russian agents are hijacking internet‑connected cameras across Europe to watch NATO supply routes and pinpoint Ukrainian troops. The hack lets them scan video feeds for military vehicles, feeding targeting data that could shape future attacks on logistics and personnel.
Blackpoint Cyber uncovered LabubaRAT, a new Rust‑written remote access trojan that pretends to be NVIDIA's container runtime. It can profile security tools, steal files, capture screenshots and proxy traffic via HTTPS, WebView2 or DNS, making it a stealthy, potentially as‑a‑service threat to Windows environments.
Blackpoint Cyber discovered LabubaRAT, a Rust‑based remote access trojan that pretends to be NVIDIA software, letting attackers maintain persistent, hands‑on control of Windows machines. The masquerade evades typical defenses and highlights the need for stricter software provenance checks.
JFrog uncovered 148 npm packages masquerading as student web proxies that hijacked visitors’ browsers into a coordinated DDoS botnet for about two weeks in May‑June 2026. The payload, delivered via a mutable loader, let attackers swap code on the fly and also served adware, showing a new supply‑chain threat that targets end‑users instead of developers.
Microsoft’s research shows ShinyHunters‑linked actors have spent a year breaching Salesforce tenants by abusing trusted OAuth relationships rather than exploiting any software flaw. The campaigns rely on voice‑phishing‑driven consent abuse, compromised SaaS supply‑chain integrations, and mis‑configured Experience Cloud guest access, giving attackers persistent read access to CRM data across many industries.
The Grok Build command‑line tool ships code that copies an entire repository, including its full commit history, to an xAI‑managed Google Cloud Storage bucket, not just the files needed for a task. This data‑exfiltration risk exposes proprietary source code and could give attackers a complete project snapshot.
Subscribe free