LodeHQSubscribe →

Microsoft Patch Tuesday record: 622 fixes, 2 zero‑days active

Infosec · 2026-07-14

Vulnerabilities & Exploits
Microsoft’s July 2026 Patch Tuesday shatters record with 622 fixes, including two active zero‑days9 MIN

Microsoft released its biggest monthly patch ever, closing 622 CVEs, more than triple June’s high. Two of those are zero‑day flaws already under active exploitation, highlighting escalating attack pressure and the need for swift remediation.

CISA flags Joomla iCagenda and Balbooa Forms zero‑day file‑upload flaws1 MIN

CISA added CVE‑2026‑48939 for iCagenda and CVE‑2026‑56291 for Balbooa Forms to its Known Exploited Vulnerabilities catalog after confirming active zero‑day attacks that let attackers upload arbitrary files and achieve remote code execution. Federal agencies must patch by July 13 2026, and any Joomla site using these extensions faces immediate compromise risk.

Legacy Linux shim bootloaders can bypass UEFI Secure Boot5 MIN

ESET discovered 11 Microsoft‑signed shim binaries (version 0.9 and older) that let attackers execute arbitrary code before the OS loads, effectively breaking Secure Boot on most UEFI systems. Microsoft responded by adding the binaries to the DBX revocation list, but unpatched machines remain vulnerable.

Threats & Malware
Russian hackers weaponise public cameras to spy on NATO logistics and Ukrainian troops2 MIN

Dutch intelligence warns Russian agents are hijacking internet‑connected cameras across Europe to watch NATO supply routes and pinpoint Ukrainian troops. The hack lets them scan video feeds for military vehicles, feeding targeting data that could shape future attacks on logistics and personnel.

Rust‑based LabubaRAT hides as NVIDIA runtime to hijack Windows PCs2 MIN

Blackpoint Cyber uncovered LabubaRAT, a new Rust‑written remote access trojan that pretends to be NVIDIA's container runtime. It can profile security tools, steal files, capture screenshots and proxy traffic via HTTPS, WebView2 or DNS, making it a stealthy, potentially as‑a‑service threat to Windows environments.

LabubaRAT Cloaks as NVIDIA Installer to Hijack Windows PCs4 MIN

Blackpoint Cyber discovered LabubaRAT, a Rust‑based remote access trojan that pretends to be NVIDIA software, letting attackers maintain persistent, hands‑on control of Windows machines. The masquerade evades typical defenses and highlights the need for stricter software provenance checks.

148 npm “student proxy” packages weaponized browsers into a DDoS botnet5 MIN

JFrog uncovered 148 npm packages masquerading as student web proxies that hijacked visitors’ browsers into a coordinated DDoS botnet for about two weeks in May‑June 2026. The payload, delivered via a mutable loader, let attackers swap code on the fly and also served adware, showing a new supply‑chain threat that targets end‑users instead of developers.

Microsoft maps three OAuth‑based Salesforce intrusion paths used by ShinyHunters11 MIN

Microsoft’s research shows ShinyHunters‑linked actors have spent a year breaching Salesforce tenants by abusing trusted OAuth relationships rather than exploiting any software flaw. The campaigns rely on voice‑phishing‑driven consent abuse, compromised SaaS supply‑chain integrations, and mis‑configured Experience Cloud guest access, giving attackers persistent read access to CRM data across many industries.

Research & Tools
Grok Build CLI silently backs up whole Git repos to xAI’s cloud storage6 MIN

The Grok Build command‑line tool ships code that copies an entire repository, including its full commit history, to an xAI‑managed Google Cloud Storage bucket, not just the files needed for a task. This data‑exfiltration risk exposes proprietary source code and could give attackers a complete project snapshot.

Get Infosec in your inbox, every issue.
Subscribe free
Privacy · Terms · About · Contact
© 2026 LodeHQ