Storylines
Track continuity across signals: what changed, what held, and what to keep watching next.
How to use: Track continuity → open one storyline → inspect the current sources and key turns.
- Canadian Centre for Cyber Security - Alertscyber.gc.ca · cyber.gc.ca
- openexr: CVSS (Max): 8.8portal.auscert.org.au · AusCERT - Bulletins
- rust-keylime: CVSS (Max): Noneportal.auscert.org.au · AusCERT - Bulletins
Sorted by momentum. Use the chevron to expand a card. Use the action button for the full drawer.
No investment advice. Research signals and sources only. EarlyNarratives provides informational signals derived from public sources. It does not provide financial, legal, or tax advice.
Editorial weekly synthesis. Use the tracker below for continuity between issues.
Multiple critical Linux kernel and Juniper Junos OS vulnerabilities prompt urgent patches
Recent security advisories reveal numerous critical vulnerabilities affecting the Linux kernel across various architectures and subsystems, as well as severe flaws in Juniper Junos OS.
Details
- Multiple advisories were released simultaneously in early July 2026, indicating coordinated disclosure.
- The vulnerabilities affect core system components and networking devices used globally.
- Active exploitation potential necessitates immediate attention from system administrators.
- These vulnerabilities enable privilege escalation and container escapes, risking system compromise.
- Juniper Junos OS flaws can cause device crashes and denial-of-service, impacting network availability.
- Timely patching is critical to prevent exploitation in widely deployed infrastructure components.
Multiple high-severity vulnerabilities disclosed in Open WebUI and XWiki Platform
Several critical security flaws have been identified in Open WebUI, including multiple stored cross-site scripting (XSS) vulnerabilities and a blind server-side request forgery (SSRF) issue.
Details
- These vulnerabilities have been recently disclosed and assigned CVEs, prompting urgent patching.
- High severity ratings indicate significant exploitation risk if unaddressed.
- Affected software versions are in active use, increasing the urgency for remediation.
- Stored XSS vulnerabilities can enable attackers to hijack user accounts and execute arbitrary code.
- Blind SSRF flaws may allow attackers to access internal resources or cause denial of service.
- Path traversal vulnerabilities can lead to unauthorized file access and compromise of the affected system.
Track what changed, what held, and what to watch next across recent runs. Sorted by momentum.
Chromium: CVE-2026-14393 Use after free in V8
This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see [Google Chrome Releases](https://chromereleases.googleblog.com/2025) for more information.
Details
Armenian man pleads guilty to deploying Ryuk ransomware
Bleeping Computer reports that Karen Serobovich Vardanyan, a 34-year-old Armenian national, has pleaded guilty in the United States to charges related to deploying the Ryuk ransomware.
Details
IBM security advisory (AV26-684)
Serial number: AV26-684 Date: July 13, 2026 Between July 6 and 12, 2026, IBM published security advisories to address vulnerabilities in multiple products. Included were critical updates for the following: IBM Aspera Enterprise WebApps – versions 1.0.0 to 1.0.3 IBM Cloud Pak System – versions prior to 2.3.5.0 IBM Cloud Pak for Data System (CPDS) – versions 1.0.0.0 to 1.0.10.0 IBM Guardium Data Pro
Details
Tesla has decompression bomb on response body
Tesla has decompression bomb on response body Severity: high Identifiers: [{"cve_id": "CVE-2026-48594"}, {"identifiers": [{"value": "GHSA-mc85-72gr-vm9f", "type": "GHSA"}, {"value": "CVE-2026-48594", "type": "CVE"}]}]
Details
Severe vulnerability in misp-modules
Classification: Severe, Solution: Official Fix, Exploit Maturity: Not Defined, CVSSv4.0: 8.3, CVEs: CVE-2026-62143, Summary: CVE-2026-62143 8.3 Server-Side Request Forgery protection bypass in misp-modules html_to_markdown via IPv4-mapped IPv6 addresses
Details
Kimai: Timesheet PATCH/POST allows assigning to project outside user's team via query_builder OR-bypass
Kimai: Timesheet PATCH/POST allows assigning to project outside user's team via query_builder OR-bypass Severity: medium Identifiers: [{"cve_id": "CVE-2026-52820"}, {"identifiers": [{"value": "GHSA-vrr2-g9gh-c3jc", "type": "GHSA"}, {"value": "CVE-2026-52820", "type": "CVE"}]}]
Details
Jscrambler npm Breach Exposes Developers to Malware
Malware Harvested Cloud Credentials, Source Code and Deployment Tokens Attackers used a compromised npm publishing credential to release five malicious versions of Jscrambler's Code Integrity package, deploying a Rust-based infostealer that harvested developer, cloud and AI tool credentials while evolving its delivery methods to evade detection.
Details
13th July – Threat Intelligence Report
For the latest discoveries in cyber research for the week of 13th July, please download our Threat Intelligence Bulletin. TOP ATTACKS AND BREACHES U.S. auto insurer AssuranceAmerica has disclosed a data breach affecting approximately 7 million people. Attackers targeted an employee and used compromised credentials to access company systems, stealing names, contact information, driver’s license num
Details
CISA shares postmortem of GitHub credential leak
CISA credentials and code were uploaded to a public repository on a contractor’s personal GitHub account in May.
Details
Vulnerability impacting Roundcube Webmail – CVE-2025-49113 – Update 1
Number: AL25-007 Date: June 11, 2025 Updated: July 10, 2026 Audience This Alert is intended for IT professionals and managers of notified organizations. Purpose An Alert is used to raise awareness of a recently identified cyber threat that may impact cyber information assets, and to provide additional detection and mitigation advice to recipients. The Canadian Centre for Cyber Security ("Cyber Cen
Details
Critical vulnerability in OpenPLC v3
Classification: Critical, Solution: Unavailable, Exploit Maturity: Not Defined, CVSSv3.1: 9.9, CVEs: CVE-2026-14480, Summary: Successful exploitation of this vulnerability could allow an authenticated attacker to write arbitrary files to the filesystem and escalate this into arbitrary native code execution through the normal OpenPLC program compilation process, potentially resulting in code execut
Details
Okta warns of vishing scheme that extorts data
Attackers pose as IT and tell employees to enroll an MS passkey, but the bad guys register their own key and take over the user.
Details
AI coding tool hole illustrates a big problem with human in the loop
A security hole within AI dev tools has allowed attackers to escape sandboxes by misleading the humans in the loop who were supposed to knowingly approve the tool’s actions, according to cybersecurity research firm Wiz. “We discovered GhostApproval, a systematic vulnerability pattern affecting six of the top AI coding assistants: Amazon Q Developer, Anthropic Claude Code, Augment, Cursor, Google A
Details
Recent public storylines
Crawlable detail links for recent public storyline pages, so search engines can discover more than the live brief.
- Critical vulnerabilities found in FFmpeg and AVideo media processing components
Two high-severity vulnerabilities have been disclosed affecting widely used media processing software.
- Microsoft warns of large-scale phishing campaign targeting thousands globally
Microsoft has disclosed a sophisticated phishing campaign that targeted over 35,000 users across more than 13,000 organizations in 26 countries, primarily in the US.
- British cyber agency warns of patch wave amid Windows vulnerability exploitation
The UK National Cyber Security Centre and British cyber agency have issued warnings about an impending wave of software patches driven by accelerated vulnerability discovery through AI.
- AI-assisted npm malware targets crypto wallets and macOS developers
Recent discoveries reveal that threat actors, including DPRK-linked groups, are increasingly using AI-assisted commits to insert malicious code into npm packages. These packages serve as infection vectors for sophisticated malware such as the Minirat macOS RAT, which targets developer machines and crypto wallets. The combination of AI-driven supply chain attacks and stealthy remote access trojans underscores the urgent need for enhanced security practices in software development environments.
- Vulnerability management tools often miss critical risks despite high scan scores
Security teams frequently face a disconnect between vulnerability scan results and actual risk exposure.
- Critical flaw causes Vect ransomware to act as a destructive wiper
Researchers have identified a critical flaw in Vect 2.0 ransomware that causes it to wipe large files instead of encrypting them. This flaw effectively turns the ransomware into a data-destroying wiper, making file recovery impossible even by the attackers themselves.
- GlassWorm malware campaign escalates with new fake extensions in Open VSX marketplace
The GlassWorm threat actor has significantly increased its activity by uploading 73 additional fraudulent extensions to the Open VSX code marketplace.
- FBI and Indonesian authorities dismantle global phishing network linked to $20 million fraud attempts
Coverage discusses speculative scenarios around ~$20M; treat as market chatter and see linked sources.
- March 2025 supply chain attacks compromise open source tools and IoT devices
In March 2025, multiple supply chain attacks targeted prominent open source application security organizations and IoT devices. Three organizations—Xygeni, Aqua/Trivy, and Checkmarkx—were compromised via GitHub Actions.
- New ClickFix malware variant uses macOS Script Editor to deliver Atomic Stealer
A new variant of the ClickFix malware campaign bypasses Apple’s Terminal security warnings by exploiting the macOS Script Editor via the applescript:// URL scheme.
- Credential monitoring gaps and recurring incidents raise hidden security costs
Recent analysis reveals that relying solely on breach monitoring is insufficient to combat credential-based attacks due to a critical gap between detection by security operations centers (SOC) and identity and access management (IAM) response processes such as session...
- Hackers use fake claude code leak to spread malware
Researchers at Zscaler's ThreatLabz uncovered a deceptive GitHub repository that masquerades as a leak of Anthropic's Claude Code CLI source code. Hackers are leveraging this fake leak as bait to spread malware, tricking users into downloading malicious software under the guise of accessing legitimate code. This tactic highlights the ongoing use of popular software leaks as vectors for malware distribution.
- Recent developments in ransomware tactics and operations
Recent reports highlight evolving ransomware tactics including the Yurei double extortion toolkit, the rise of multi-extortion attacks leveraging stolen data leaks, and accelerated intrusion methods by the Akira ransomware group.
- UNC1069 social engineering leads to Axios npm supply chain attack linked to North Korean TA444 group
The maintainer of the Axios npm package confirmed that a targeted social engineering campaign by North Korean threat actors UNC1069 compromised the supply chain.
- Major malware campaigns and evolving attacker tactics in early 2026
Recent reports highlight significant malware activity in early 2026, including campaigns deploying advanced stealers and RATs targeting various sectors.
- TeamPCP supply chain campaign expands with new PyPI compromise and ransomware ties
The TeamPCP supply chain campaign has broadened beyond the initial Checkmarx report, now including a PyPI compromise via Telnyx and a partnership with the Vect ransomware affiliate program. The campaign has entered a monetization phase with no new compromises detected in the past 48 hours.
- Critical vulnerabilities patched in n8n, GitLab, and Mattermost
Multiple severe security vulnerabilities have been addressed in popular software platforms n8n, GitLab, and Mattermost. n8n fixed critical remote code execution and credential theft flaws affecting workflow nodes and LDAP authentication.
- CISA flags multiple critical vulnerabilities actively exploited in 2025-2026
In March 2026, cybersecurity authorities and researchers reported active exploitation of several high-severity vulnerabilities affecting widely used systems.
- Oracle patches critical unauthenticated remote code execution vulnerability in Identity Manager
Oracle has issued a critical security advisory and patch for CVE-2026-21992, a severe vulnerability affecting Oracle Identity Manager and Oracle Web Services Manager. This flaw allows unauthenticated attackers to remotely execute code, making it highly dangerous. With a CVSS score of 9.8, the vulnerability demands immediate attention and remediation. Oracle's official fix addresses this issue to prevent exploitation and protect enterprise environments relying on these products.
- Updated CISA exploited flaws list adds SharePoint, Zimbra bugs
Coverage centers on: Updated CISA exploited flaws list adds SharePoint, Zimbra bugs.
- New AI-written and .NET AOT malware campaigns use advanced evasion techniques
Recent analyses reveal two distinct malware campaigns employing sophisticated evasion methods.
- Multi-agent large language models enhance automated malware analysis
Recent advancements show that combining multiple reverse engineering tools with large language models (LLMs) significantly improves the accuracy and reliability of automated malware analysis.
- RondoDox botnet and new malware strains intensify targeting of network infrastructure and vulnerabilities
The RondoDox botnet has sharply increased its activity, conducting up to 15,000 exploitation attempts daily and focusing on 174 specific vulnerabilities with greater precision.
- FBI Calls for Help to Track Steam Malware Campaign
The FBI wants to hear from gamers who have downloaded Steam titles containing malware.
- Starbucks discloses data breach affecting hundreds of employees
Starbucks recently disclosed a data breach that compromised the accounts of hundreds of its employees. The attackers gained access by executing phishing attacks aimed at the Starbucks Partner Central employee portal. This breach highlights the ongoing risks that phishing campaigns present to employee data security, emphasizing the need for robust internal security measures and heightened employee awareness in large enterprises.
- Telus Digital confirms massive data breach with 1 petabyte stolen
Telus Digital, a Canadian business process outsourcing provider, confirmed a multi-month cyberattack resulting in the theft of nearly 1 petabyte of data. The extortion group ShinyHunters, known for targeting SaaS vendors and conducting vishing attacks, claimed responsibility.
- Security gaps challenge effectiveness of ai guardrails in production environments
Recent discussions highlight significant challenges in deploying effective AI guardrails to prevent sensitive data leaks and jailbreaks in generative AI tools.
- Russian man pleads guilty in Phobos ransomware case
Evgenii Ptitsyn, a Russian national, has pleaded guilty to charges related to the Phobos ransomware attacks, potentially facing up to 20 years in prison. Another Russian ransomware administrator has also pleaded guilty to wire fraud conspiracy, highlighting ongoing legal actions against cybercriminals.
- Tycoon 2FA Goes Boom as Europol, Vendors Bust Phishing Platform
Major phishing-as-a-service platform Tycoon 2FA has been disrupted following a Microsoft-led operation that involved Europol and half a dozen law enforcement authorities, as well as 11 security organizations, including Proofpoint, Intel 471, and Trend Micro, CyberScoop reports.
- Emerging cybersecurity threats: Ransomware and phishing attacks
Recent cybersecurity incidents have revealed new ransomware families and sophisticated phishing techniques. A brute-force attack exposed a ransomware infrastructure, while new threats like GREENBLOOD and BQTLock emerged, highlighting the evolving landscape of cyber threats.
- Emerging remote access trojans: moonrise and steaelite
Recent analyses reveal two new RATs: Moonrise, a Golang-based malware for live control and surveillance, and Steaelite, which combines ransomware with data theft for double extortion attacks.
- Marquis sues SonicWall over backup breach leading to ransomware attack
Marquis Software Solutions has sued SonicWall, alleging that a backup breach led to a ransomware attack affecting 74 U.S. banks. The lawsuit claims SonicWall's negligence allowed the breach, which exposed sensitive firewall configuration files.
- Former l3harris executive sentenced for selling zero-day exploits to russian broker
Peter Williams, a former executive at L3Harris, has been sentenced to over seven years in prison for selling zero-day exploits to a Russian broker. His actions, which resulted in significant financial losses for the defense contractor, have prompted U.S. sanctions against the broker involved in the transaction.
- Emerging cybersecurity threats: moonrise RAT and RDP vulnerabilities
The Moonrise RAT poses significant risks to endpoint security with low detection rates and full remote control capabilities. Additionally, RDP vulnerabilities expose organizations to potential attacks, necessitating proactive security measures.
- Lazarus group targets healthcare with medusa ransomware
The Lazarus Group has begun using Medusa ransomware to target healthcare organizations in the US and the Middle East. This marks a new phase in their cyber operations, which also involve other malicious tools.
- Critical vulnerability in grandstream GXP1600 VoIP phones exposes calls to interception
A critical vulnerability, tracked as CVE-2026-2329, has been identified in Grandstream GXP1600 VoIP phones. This flaw allows unauthenticated remote code execution, posing a significant risk of call interception. The vulnerability has been addressed, and users are urged to update their devices immediately to mitigate potential exploitation.
- Data breach at french bank registry impacts 1.2 million accounts
A significant cybersecurity breach has occurred at a French bank registry, affecting 1.2 million accounts. The incident was disclosed by the French Ministry of Finance, revealing that hackers gained access to sensitive banking data through stolen credentials from a government official. This breach highlights the vulnerabilities within national databases and raises serious concerns about data security in financial institutions.
- AI assistants as covert C2 proxies; 'numero malware' threatens AI tool installers
Check Point Research warns that AI assistants can be exploited as covert C2 proxies, complicating detection of malicious activities. Meanwhile, 'Numero Malware' is identified as a threat targeting AI tool installers, highlighting supply chain vulnerabilities.
- Signals highlight JavaScript supply-chain risk across NPM and CDN paths
SecurityWeek reports that “PackageGate” flaws could allow bypassing protections against NPM supply-chain attacks, potentially leading to arbitrary code execution.
- Nike investigates potential cyber incident after WorldLeaks leak claims
Nike says it is assessing a “potential” cybersecurity incident after the WorldLeaks extortion group publicly claimed it stole and leaked company data. Reporting centers on the alleged size and sensitivity of the exposed files, while Nike’s public statement provides limited clarity on scope or whether customer information was affected.
Free gives current signals and storylines with source links. Upgrade for archive, alerts, watchlists, exports, API, and workflow tools.