Cybersecurity Newsletter Weekly: Top 40 Biggest Cyber Stories of the Week, July 2026
Cybersecurity Newsletter Weekly: Top 40 Biggest Cyber Stories of the Week, July 2026
https://gbhackers.com/weekly-cybersecurity-newsletter-july-6-10-2026/
Publish Date: 2026-07-12 10:23:00
Source Domain: gbhackers.com
Using an unordered list, summarize the following article with between 4 and 8 key points.
Welcome to this week’s edition of the GBHackers cybersecurity newsletter — your weekly cybersecurity bulletin covering the 40 most important stories from July 6–10, 2026.
This week the security world collided with AI head-on: prompt-injection attacks turned chatbots into C2 agents, five major AI coding assistants fell to a single attack pattern, and thousands of MCP servers were found exposed.
Meanwhile, CitrixBleed 2 exploitation went from theory to DragonForce ransomware deployments, Android 17 got rooted with one click, and a ransomware negotiator went to prison for playing both sides. Here’s everything your peers are reading this week.
IN THIS ISSUE
Top Stories of the Week — 5 storiesAI Under Attack — 7 storiesCritical Vulnerabilities & Exploits — 11 stories|Ransomware & Extortion — 5 storiesPhishing & Social Engineering — 6 storiesBreaches, Malware & Supply Chain — 6 stories
🔥 TOP STORIES OF THE WEEK
1. Hackers Exploit CitrixBleed 2 to Hijack MFA-Protected Sessions and Deploy DragonForce Ransomware
July 10, 2026 • gbhackers.com
Threat actors are exploiting CVE-2025-5777 to hijack active NetScaler sessions — even those protected by multi-factor authentication. Once inside, they’re moving laterally and deploying DragonForce ransomware across enterprise networks.
2. Claude AI Prompt Injection Attack Turns Chatbot Into Stealthy C2 Agent to Achieve Remote Code Execution
July 9, 2026 • gbhackers.com
Researchers show Claude Desktop’s synced Personal Preferences feature can be abused as a covert prompt-injection channel, turning the assistant into a de facto command-and-control agent. The technique chains all the way to remote code execution on the victim’s machine.
3. 281 Android VPN Apps Expose Users to Traffic Leaks, Tracking and Tunnel Hijacking
July 10, 2026 • gbhackers.com
A sweeping security analysis found 281 Android VPN apps exposing users to traffic leaks, third-party tracking, and tunnel hijacking. The tools millions installed for privacy may be the biggest privacy risk on the phone.
4. IonStack Exploit Chain Lets Hackers Root Android 17 Phones With a Single URL Click
July 8, 2026 • gbhackers.com
Nebula Security’s “IonStack” exploit chain achieves full root access on Android 17 devices from a single malicious URL click. Even Google’s newest, most hardened Android build can fall to one tap.
5. Ransomware Negotiator Jailed for Leaking Victim Secrets to BlackCat Hackers
July 10, 2026 • gbhackers.com
A Florida ransomware negotiator has been sentenced to federal prison for conspiring with ALPHV/BlackCat operators while supposedly negotiating on victims’ behalf. He was quietly profiting from both sides of the extortion table.
🤖 AI UNDER ATTACK
6. GhostApproval Attack Impacts Amazon Q, Claude Code, Cursor, Google Antigravity, and Windsurf
July 9, 2026 • gbhackers.com
A newly disclosed vulnerability pattern dubbed “GhostApproval” breaks the human-approval trust boundary at the heart of AI coding assistants. Amazon Q, Claude Code, Cursor, Google Antigravity, and Windsurf are all affected.
7. GitHub Copilot IDE Coding Agents Vulnerable to Workflow-Level Jailbreak Attacks
July 9, 2026 • gbhackers.com
GitHub Copilot’s new IDE coding agents can be jailbroken at the workflow level, bypassing the guardrails built into the editor. Attackers can steer the agent into actions the developer never approved.
8. Google Gemini Live API Flaw Allows RCE via Unconstrained Ephemeral Tokens
July 7, 2026 • gbhackers.com
Misconfigured ephemeral tokens in Google’s Gemini Live API left integrating applications open to remote code execution. Researchers show how unconstrained tokens hand attackers far more power than developers intended.
9. Thousands of MCP Servers Found Vulnerable to File Access and Injection Attacks
July 7, 2026 • gbhackers.com
Thousands of Model Context Protocol servers — the connectors linking LLMs to external systems — are vulnerable to critical file access and injection attacks. The AI ecosystem’s fastest-growing plumbing is also its least secured.
10. Hackers Compromise AWS AI Gateway Connected to Amazon Bedrock to Deploy XMRig Cryptominer
July 10, 2026 • gbhackers.com
Attackers compromised an enterprise AI gateway linked to Amazon Bedrock and used it to deploy an XMRig cryptominer. Generative AI infrastructure has officially joined the enterprise attack surface.
11. US Cyber Agency Uses Anthropic Mythos to Audit Government Code for Bugs
July 7, 2026 • gbhackers.com
CISA has begun using Anthropic’s advanced Mythos model to audit government software for vulnerabilities. It marks the first large-scale federal deployment of a frontier AI model for code security review.
12. Microsoft Uses AI-Powered Agentic Scanning to Find Windows Security Flaws and Accelerate Patching
July 10, 2026 • gbhackers.com
Microsoft is expanding a multi-model “agentic” AI scanning system that hunts Windows security flaws before attackers find them. The company says it will meaningfully accelerate patch delivery worldwide.
⚠️ CRITICAL VULNERABILITIES & EXPLOITS
13. Microsoft Edge High-Severity Vulnerability Allows Remote Code Execution
July 7, 2026 • gbhackers.com
Microsoft has disclosed CVE-2026-57992, a high-severity remote code execution flaw in its Chromium-based Edge browser. A crafted page could hand attackers control of unpatched systems — update immediately.
14. Linux FUSE Vulnerability Allows Unprivileged Users to Pop a Root Shell
July 10, 2026 • gbhackers.com
A newly disclosed flaw in the Linux kernel’s FUSE subsystem lets unprivileged local users corrupt the page cache and escalate straight to root. Any shared or multi-user Linux system is in the blast radius.
15. Bad Epoll Linux Kernel UAF Flaw Lets Unprivileged Attackers Gain Root on Linux and Android
July 6, 2026 • gbhackers.com
CVE-2026-46242, dubbed “Bad Epoll,” is a race-condition use-after-free in the kernel’s epoll subsystem. It hands unprivileged attackers root on both Linux servers and Android devices.
16. 16-Year-Old Januscape KVM Escape Vulnerability Lets Attackers Compromise Linux Hosts
July 7, 2026 • gbhackers.com
CVE-2026-53359, named “Januscape,” exposes a flaw that sat in KVM/x86 virtualization for 16 years. A malicious guest VM can escape and fully compromise the underlying Linux host.
17. Veeam Backup BinaryFormatter Flaw Enables Remote Code Execution
July 6, 2026 • gbhackers.com
CVE-2026-44963 is a BinaryFormatter deserialization flaw in Veeam Backup & Replication that lets authenticated domain users execute remote code. Backup servers are exactly the target ransomware crews hit first.
18. Critical BeyondTrust Authentication Flaws Expose Remote Support Appliances to Attacks
July 7, 2026 • gbhackers.com
BeyondTrust disclosed multiple critical and high-severity flaws in its Remote Support and Privileged Remote Access appliances. The tools built to guard privileged access have become the doorway in.
19. Roundcube Webmail Security Update Patches Critical Zero-Click XSS and SSRF Bypass Flaws
July 10, 2026 • gbhackers.com
Roundcube 1.7.2 patches a zero-click stored XSS that fires with no user interaction at all, plus an SSRF bypass. Self-hosted webmail admins should treat this as an emergency update.
20. Critical Opera GX Vulnerability Lets Attackers Inject CSS Across Every Webpage
July 6, 2026 • gbhackers.com
A critical flaw in Opera GX’s Mods feature allowed attackers to inject malicious CSS into every webpage a user visits. A feature built for browser customization became a universal injection channel.
21. Over 70% of Public WordPress Sites Running Outdated PHP Exposed to Cyberattacks
July 8, 2026 • gbhackers.com
New analysis shows more than 70% of publicly accessible WordPress sites run outdated, unsupported PHP versions. That’s tens of millions of sites exposed to known, already-weaponized exploits.
22. Attackers Exploit WordPress Plugin Vulnerabilities for Remote Code Execution and Webshell Access
July 9, 2026 • gbhackers.com
A large-scale campaign is actively weaponizing known WordPress plugin flaws for remote code execution and webshell deployment. Unpatched plugins remain the single easiest way into the CMS ecosystem.
23. Wireshark 4.6.7 Released to Patch 12 Vulnerabilities in SSH, TLS, Wi-Fi and pcapng
July 10, 2026 • gbhackers.com
Wireshark 4.6.7 fixes 12 security flaws across SSH, TLS and Wi-Fi dissectors and pcapng file parsing. A booby-trapped capture file could compromise the very analyst investigating an incident.
🔒 RANSOMWARE & EXTORTION
24. Everest Ransomware Encryptor Uses ConfuserEx-Protected .NET Binary With Wake-on-LAN Capability
July 9, 2026 • gbhackers.com
Technical analysis of an Everest encryptor reveals a heavily obfuscated, ConfuserEx-protected .NET binary with built-in Wake-on-LAN capability. The malware literally wakes sleeping machines on the network so it can encrypt them too.
25. GodDamn Ransomware Attack Uses PsExec Lateral Movement and NirSoft Toolkit for Credential Theft
July 9, 2026 • gbhackers.com
The “GodDamn” ransomware turns out to be the latest rebrand of a long-running family rather than something new. Its operators lean on PsExec for lateral movement and NirSoft utilities for credential theft.
26. New Helix Extortion Group Targets Enterprises With MFA Abuse and SharePoint Exfiltration
July 9, 2026 • gbhackers.com
A previously unreported extortion crew dubbed “Helix” is hitting enterprises with voice phishing, MFA abuse, and automated SharePoint data theft. It’s identity-first extortion — no encryptor required.
27. TeamPCP Supply Chain Attacks Feed VECT Ransomware With Stolen CI/CD Credentials
July 7, 2026 • gbhackers.com
TeamPCP’s wide-scale supply-chain compromises have amassed a vast archive of stolen CI/CD credentials now directly fueling VECT ransomware operations. Your pipeline secrets may already be in their hands.
28. GigaWiper Uses OneDrive Update Scheduled Task for Persistent Destructive Access
July 10, 2026 • gbhackers.com
GigaWiper is a Golang-based backdoor that hides its persistence inside a scheduled task disguised as a OneDrive update. Behind its extensive C2 controls sit multiple destructive wiper payloads awaiting the trigger.
🎣 PHISHING & SOCIAL ENGINEERING
29. Forg365 PhaaS Uses Telegram and AI Lures to Hijack Microsoft 365 Accounts
July 10, 2026 • gbhackers.com
Forg365 is a commercial phishing-as-a-service platform aimed squarely at Microsoft 365, combining device-code phishing, adversary-in-the-middle workflows, and AI-assisted lures. The whole operation is run and sold through Telegram.
30. Fake Robinhood Sign-In Alerts Trick Users Into Calling Hacker-Controlled Phone Numbers
July 10, 2026 • gbhackers.com
A callback-phishing wave is sending fake Robinhood “new sign-in” alerts that pressure users into dialing attacker-controlled phone numbers. The panic is manufactured; the account takeover that follows is real.
31. Hackers Use Trusted Microsoft Domain and One-Time Codes to Hijack Corporate Accounts
July 6, 2026 • gbhackers.com
Attackers are weaponizing a legitimate Microsoft OAuth 2.0 flow and one-time codes to take over corporate accounts — no stolen passwords required. Because the lure lives on a trusted Microsoft domain, email filters wave it straight through.
32. Hackers Abuse Cross-Tenant Teams Chat to Deliver EtherRAT Through Malicious MSI Loader
July 7, 2026 • gbhackers.com
A campaign observed in late June pairs email phishing with abused cross-tenant Microsoft Teams chats to deliver the sophisticated EtherRAT via a malicious MSI loader. External Teams messages are the new phishing inbox.
33. SNOW Malware Ecosystem Uses Teams Phishing, WebSocket Tunnels, and Browser Extensions
July 9, 2026 • gbhackers.com
The SNOW malware ecosystem chains convincing Teams phishing, covert WebSocket tunnels, and rogue browser extensions into one believable intrusion path. It’s a full-stack social-engineering operation, not a single payload.
34. New Multi-Stage LNK Attack Targets Hospitality Firms With Node.js Backdoor
July 10, 2026 • gbhackers.com
Hotels and travel firms are being hit with fake booking-related emails that trigger a multi-stage LNK attack chain. The final payload is a Node.js backdoor giving attackers full remote control.
🦠 BREACHES, MALWARE & SUPPLY CHAIN
35. AssuranceAmerica Confirms Massive Data Breach Exposing Driver’s License and Insurance Data
July 9, 2026 • gbhackers.com
US auto and renters insurer AssuranceAmerica confirmed a significant breach exposing customers’ personal information and driver’s license data. Affected policyholders now face elevated identity-theft and fraud risk.
36. npm and PyPI Malware Campaign Exfiltrates CI/CD Secrets Through Fake Payment SDKs
July 9, 2026 • gbhackers.com
A coordinated campaign pushed 17 malicious npm and PyPI packages masquerading as SDKs for PaySafe, Skrill, and other payment services. Their real job: silently exfiltrating CI/CD secrets from build environments.
37. RedHook Abuses Accessibility Service to Enable Developer Options and Wireless Debugging
July 9, 2026 • gbhackers.com
The RedHook Android RAT has resurfaced with the ability to autonomously enable Developer Options and wireless debugging by abusing accessibility services. That unlocks a far deeper level of device control than before.
38. Lurking Lizard Uses Drop-Catch Domains and Lookalike Brands to Distribute Proxyware
July 8, 2026 • gbhackers.com
The long-running “Lurking Lizard” operation uses drop-catch domains and lookalike brands — including a fake 7-Zip installer — to spread proxyware. Infected PCs are silently rented out as residential proxy exit nodes.
39. ESET Threat Report H1 2026 Highlights Malicious AI Skills, ClickFix Surge, and EDR Killers
July 8, 2026 • gbhackers.com
ESET’s first-half 2026 report flags malicious AI skills, a surging ClickFix technique, and increasingly common EDR-killer tooling. Attackers aren’t inventing new playbooks — they’re supercharging old ones with AI.
40. Malicious Braintree.Net Typosquat Steals PAN, CVV, and Payment Gateway Credentials
July 10, 2026 • gbhackers.com
A malicious NuGet package typosquatting Braintree’s official .NET client was caught stealing card numbers, CVVs, and payment gateway credentials. Automated scanning flagged it as malware within minutes of its July 3 publication.
❓ FREQUENTLY ASKED QUESTIONS
What does this weekly cybersecurity newsletter cover?
Each issue of the GBHackers cybersecurity newsletter rounds up the week’s 40 most important stories — critical vulnerabilities, ransomware attacks, data breaches, AI security threats, phishing campaigns, and malware research — curated by our editorial team from everything published on gbhackers.com.
How is a cybersecurity bulletin different from daily security news?
A cybersecurity bulletin condenses hundreds of daily headlines into a single prioritized weekly briefing. Instead of monitoring feeds all day, security teams get the exploited CVEs, active campaigns, and breaches that actually matter — with direct links to the full analysis of each story.
How do I subscribe to the GBHackers weekly cybersecurity newsletter?
Visit gbhackers.com and follow us on LinkedIn or X (@gbhackers_news) to get every weekly issue. The newsletter is free and lands once a week, every week.
Found this cybersecurity bulletin useful? Get the weekly cybersecurity newsletter in your inbox — free, every week, from GBHackers.