CrewCrew
FeedSignalsMy Subscriptions
Get Started
Cybersecurity Radar

Cybersecurity Radar — 2026-07-07

  1. Signals
  2. /
  3. Cybersecurity Radar

Cybersecurity Radar — 2026-07-07

Cybersecurity Radar|July 7, 2026(2h ago)4 min read9.1AI quality score — automatically evaluated based on accuracy, depth, and source quality
0 subscribers

North Korea launched the largest npm supply chain attack of 2026, poisoning 140+ Mastra AI packages in 19 minutes. Meanwhile, CISA added SharePoint Server RCE CVE-2026-45659 to its known exploited vulnerabilities list after active attacks, and device code phishing has surged 37x in detections. Critical infrastructure faces mounting pressure from AI-enhanced ransomware and nation-state proxies.

Cybersecurity Radar — 2026-07-07

North Korea npm supply chain attack 2026
North Korea npm supply chain attack 2026

tech-insider.org

tech-insider.org


🔴 Critical Alerts

SharePoint RCE CVE-2026-45659 Actively Exploited – CISA KEV Mandate Microsoft SharePoint Server Remote Code Execution CVE-2026-45659 was added to CISA's Known Exploited Vulnerabilities (KEV) catalog following confirmed exploitation in the wild. U.S. federal agencies are required to patch by July 4, 2026. Severity: Critical RCE allowing unauthenticated attackers to execute arbitrary code on affected systems. Action: Prioritize patching all SharePoint Server instances. Apply Microsoft security updates immediately.

CISA SharePoint advisory
CISA SharePoint advisory

Device Code Phishing Commoditized – 37x Spike in Detections Device code phishing—a technique that bypasses multi-factor authentication by capturing OAuth device codes—has evolved from espionage-grade exploit to criminal commodity. Detection volume spiked 37x, with 18 attack kits now available and major AiTM (Adversary-in-the-Middle) vendors adding it to their platforms. This represents a critical shift in attacker accessibility. Action: Implement conditional access policies to block suspicious device code flows. Monitor OAuth token issuance. Educate users on refusing unexpected device code verification requests.


Threat Landscape

North Korea's Sapphire Sleet Executes Largest npm Supply Chain Attack of 2026 In a devastating 19-minute window, North Korean state-linked threat group Sapphire Sleet poisoned 140+ malicious packages in the npm registry under the Mastra AI namespace. The attack demonstrates nation-state capability to weaponize public software repositories at scale. Defenders had minimal time to detect and respond before packages propagated to developer systems. Affected: JavaScript/Node.js developers using Mastra AI components. TTP: Typosquatting, dependency confusion, code obfuscation. Status: First-of-its-kind volume attack on npm.

npm supply chain attack campaign
npm supply chain attack campaign

AI-Generated Browser Ransomware Weaponizes Chromium API Without Native Payload Researchers discovered an AI-generated ransomware variant that exploits the Chromium File System Access API to encrypt files across Windows, Linux, macOS, and Android—without requiring a traditional binary payload. After obtaining user permission, the malware uses browser APIs to traverse and encrypt local filesystems. No in-the-wild abuse reported yet, but the technique poses significant evasion potential. Severity: High – evades traditional endpoint detection. Attack Surface: Any user granting file system permissions to a malicious web application.

AI-generated browser ransomware screenshot
AI-generated browser ransomware screenshot

AI Agent JADEPUFFER Automates Database Ransomware via Langflow RCE Threat group JADEPUFFER exploited CVE-2025-3248 (Langflow RCE) to deploy an AI-powered agent that automates intrusion, credential theft, database encryption, and data wipe operations. The attack demonstrates AI agents being used to orchestrate end-to-end ransomware campaigns with minimal manual intervention. CVE: CVE-2025-3248 – Langflow Remote Code Execution. Target: Organizations using Langflow for LLM orchestration. Impact: Fully automated ransomware pipeline.

AI agent ransomware automation
AI agent ransomware automation

tech-insider.org

tech-insider.org


Vulnerabilities & Patches

BlueHammer (CVE-2026-33825) Exploited by Ransomware Groups The Microsoft Defender privilege escalation vulnerability CVE-2026-33825, dubbed "BlueHammer," is now being exploited by active ransomware campaigns. Originally a zero-day before patches were released, CISA confirmed ransomware gangs are weaponizing this flaw to elevate privileges post-compromise. CVSS: High (elevation of privilege). Affected: Windows Defender. Mitigation: Apply Microsoft Defender security updates.

BlueHammer ransomware alert
BlueHammer ransomware alert

securityweek.com

securityweek.com


Breaches & Incidents

River Bank & Trust Hit by Ransomware Following Network Compromise River Bank & Trust, a U.S. financial institution, suffered a ransomware incident after an unauthorized actor accessed the parent company's network. Details on scope and ransom demands remain limited, but the breach underscores ongoing targeting of regional financial institutions.


Industry & Policy

Check Point Intelligence: June 2026 Threat Report Check Point Research released its weekly threat bulletin for the period ending July 6, 2026, documenting ransomware campaigns, breach trends, and emerging vulnerabilities. Financial and manufacturing sectors continue to see elevated ransomware activity.


What to Watch

  • npm Registry Vigilance: Developers should audit dependencies for Mastra AI packages and any newly published modules from unfamiliar authors. Nation-state supply chain attacks are likely to increase.
  • Device Code Phishing Normalization: As attack kits proliferate, expect device code phishing to become default in credential theft campaigns. Conditional access policies are now critical baseline controls.
  • AI-Powered Ransomware Automation: Watch for rapid adoption of LLM agents in ransomware operations. Expect attackers to use AI for reconnaissance, lateral movement, and data exfiltration with minimal operator involvement.

Reader Action Items

  1. Patch SharePoint Server immediately – CVE-2026-45659 is actively exploited. Apply Microsoft updates today and verify all instances are updated.

  2. Audit npm dependencies for Mastra AI packages – Run npm audit and check package-lock.json for any malicious Mastra AI packages from July 5–6, 2026. Rotate credentials used in affected environments.

  3. Implement conditional access rules blocking device code flows – Configure Azure AD / Entra ID to restrict device code authentication to trusted networks and devices. Deploy user education on OAuth phishing awareness.

Sources:

thehackernews.com

thehackernews.com

securityweek.com

securityweek.com

thehackernews.com

thehackernews.com

thehackernews.com

thehackernews.com

tech-insider.org

tech-insider.org

research.checkpoint.com

research.checkpoint.com

This content was collected, curated, and summarized entirely by AI — including how and what to gather. It may contain inaccuracies. Crew does not guarantee the accuracy of any information presented here. Always verify facts on your own before acting on them. Crew assumes no legal liability for any consequences arising from reliance on this content.

Explore related topics
  • QHow can developers check for the compromised npm packages?
  • QWhat specific SharePoint versions are vulnerable?
  • QHow do browser APIs bypass endpoint security?
  • QAre there tools to detect OAuth device code phishing?

Powered by

CrewCrew

Sources

Want your own AI intelligence feed?

Create custom signals on any topic. AI curates and delivers 24/7.