Cybersecurity Radar — 2026-07-07
North Korea launched the largest npm supply chain attack of 2026, poisoning 140+ Mastra AI packages in 19 minutes. Meanwhile, CISA added SharePoint Server RCE CVE-2026-45659 to its known exploited vulnerabilities list after active attacks, and device code phishing has surged 37x in detections. Critical infrastructure faces mounting pressure from AI-enhanced ransomware and nation-state proxies.
Cybersecurity Radar — 2026-07-07

🔴 Critical Alerts
SharePoint RCE CVE-2026-45659 Actively Exploited – CISA KEV Mandate Microsoft SharePoint Server Remote Code Execution CVE-2026-45659 was added to CISA's Known Exploited Vulnerabilities (KEV) catalog following confirmed exploitation in the wild. U.S. federal agencies are required to patch by July 4, 2026. Severity: Critical RCE allowing unauthenticated attackers to execute arbitrary code on affected systems. Action: Prioritize patching all SharePoint Server instances. Apply Microsoft security updates immediately.

Device Code Phishing Commoditized – 37x Spike in Detections Device code phishing—a technique that bypasses multi-factor authentication by capturing OAuth device codes—has evolved from espionage-grade exploit to criminal commodity. Detection volume spiked 37x, with 18 attack kits now available and major AiTM (Adversary-in-the-Middle) vendors adding it to their platforms. This represents a critical shift in attacker accessibility. Action: Implement conditional access policies to block suspicious device code flows. Monitor OAuth token issuance. Educate users on refusing unexpected device code verification requests.
Threat Landscape
North Korea's Sapphire Sleet Executes Largest npm Supply Chain Attack of 2026 In a devastating 19-minute window, North Korean state-linked threat group Sapphire Sleet poisoned 140+ malicious packages in the npm registry under the Mastra AI namespace. The attack demonstrates nation-state capability to weaponize public software repositories at scale. Defenders had minimal time to detect and respond before packages propagated to developer systems. Affected: JavaScript/Node.js developers using Mastra AI components. TTP: Typosquatting, dependency confusion, code obfuscation. Status: First-of-its-kind volume attack on npm.

AI-Generated Browser Ransomware Weaponizes Chromium API Without Native Payload Researchers discovered an AI-generated ransomware variant that exploits the Chromium File System Access API to encrypt files across Windows, Linux, macOS, and Android—without requiring a traditional binary payload. After obtaining user permission, the malware uses browser APIs to traverse and encrypt local filesystems. No in-the-wild abuse reported yet, but the technique poses significant evasion potential. Severity: High – evades traditional endpoint detection. Attack Surface: Any user granting file system permissions to a malicious web application.

AI Agent JADEPUFFER Automates Database Ransomware via Langflow RCE Threat group JADEPUFFER exploited CVE-2025-3248 (Langflow RCE) to deploy an AI-powered agent that automates intrusion, credential theft, database encryption, and data wipe operations. The attack demonstrates AI agents being used to orchestrate end-to-end ransomware campaigns with minimal manual intervention. CVE: CVE-2025-3248 – Langflow Remote Code Execution. Target: Organizations using Langflow for LLM orchestration. Impact: Fully automated ransomware pipeline.

Vulnerabilities & Patches
BlueHammer (CVE-2026-33825) Exploited by Ransomware Groups The Microsoft Defender privilege escalation vulnerability CVE-2026-33825, dubbed "BlueHammer," is now being exploited by active ransomware campaigns. Originally a zero-day before patches were released, CISA confirmed ransomware gangs are weaponizing this flaw to elevate privileges post-compromise. CVSS: High (elevation of privilege). Affected: Windows Defender. Mitigation: Apply Microsoft Defender security updates.

Breaches & Incidents
River Bank & Trust Hit by Ransomware Following Network Compromise River Bank & Trust, a U.S. financial institution, suffered a ransomware incident after an unauthorized actor accessed the parent company's network. Details on scope and ransom demands remain limited, but the breach underscores ongoing targeting of regional financial institutions.
Industry & Policy
Check Point Intelligence: June 2026 Threat Report Check Point Research released its weekly threat bulletin for the period ending July 6, 2026, documenting ransomware campaigns, breach trends, and emerging vulnerabilities. Financial and manufacturing sectors continue to see elevated ransomware activity.
What to Watch
- npm Registry Vigilance: Developers should audit dependencies for Mastra AI packages and any newly published modules from unfamiliar authors. Nation-state supply chain attacks are likely to increase.
- Device Code Phishing Normalization: As attack kits proliferate, expect device code phishing to become default in credential theft campaigns. Conditional access policies are now critical baseline controls.
- AI-Powered Ransomware Automation: Watch for rapid adoption of LLM agents in ransomware operations. Expect attackers to use AI for reconnaissance, lateral movement, and data exfiltration with minimal operator involvement.
Reader Action Items
-
Patch SharePoint Server immediately – CVE-2026-45659 is actively exploited. Apply Microsoft updates today and verify all instances are updated.
-
Audit npm dependencies for Mastra AI packages – Run
npm auditand check package-lock.json for any malicious Mastra AI packages from July 5–6, 2026. Rotate credentials used in affected environments. -
Implement conditional access rules blocking device code flows – Configure Azure AD / Entra ID to restrict device code authentication to trusted networks and devices. Deploy user education on OAuth phishing awareness.
Sources:
This content was collected, curated, and summarized entirely by AI — including how and what to gather. It may contain inaccuracies. Crew does not guarantee the accuracy of any information presented here. Always verify facts on your own before acting on them. Crew assumes no legal liability for any consequences arising from reliance on this content.