This website uses cookies

Read our Privacy policy and Terms of use for more information.

🚨 What Mattered This Week

ColdFusion exploitation moved a legacy web platform into the emergency queue

Adobe updated APSB26-68 on July 7 to say CVE-2026-48282 had been exploited in limited attacks against Adobe ColdFusion. The path-traversal vulnerability can lead to arbitrary code execution and carries a CVSS score of 10.0. ColdFusion 2025 Update 9 and earlier and ColdFusion 2023 Update 20 and earlier are affected; Adobe lists Update 10 and Update 21 as the corrected releases.

The operational risk is larger than the patch itself. ColdFusion often supports older business applications that are poorly inventoried, externally reachable, and difficult to retire. Teams should identify every instance, confirm whether it was reachable during the exposure window, apply the corrected update, and review web, application, file-write, and process telemetry before treating the work as complete.

Key Takeaway: Patch ColdFusion 2025 to Update 10 and ColdFusion 2023 to Update 21, then hunt for evidence of pre-patch access.

A compromised jscrambler release executed malware inside developer and CI environments

Socket reported that multiple malicious releases of the jscrambler npm package introduced cross-platform native binaries targeting Linux, macOS, and Windows. The initial malicious release, 8.14.0, used a preinstall hook, while later malicious versions shifted execution into imported package code to evade defenses focused only on install scripts. Socket identified 8.14.0, 8.16.0, 8.17.0, 8.18.0, and 8.20.0 as malicious and reported 8.22.0 as clean.

Because the package is used in application build pipelines, execution could occur on developer workstations or CI systems with access to source code, cloud credentials, deployment tokens, AI-assistant configuration, and MCP secrets. This is a true supply-chain compromise: a legitimate publishing credential was used to ship malicious versions through the normal package channel.

Sources: Socket

Key Takeaway: Remove affected versions, move to verified-clean 8.22.0, inspect build hosts, and rotate every credential available to the npm process.

UAT-7810 expanded covert relay infrastructure through unpatched routers

Cisco Talos reported that the China-nexus actor UAT-7810 is expanding Operational Relay Box infrastructure by exploiting known vulnerabilities in unpatched Ruckus and ASUS routers. The actor deploys updated LONGLEASH and DOGLEASH backdoors to build resilient proxy networks that can conceal the origin of follow-on activity by other threat groups.

The defensive problem is visibility. Edge devices commonly have long replacement cycles, sparse logging, and weaker monitoring than endpoints or servers. That makes them attractive as durable relay nodes. Organizations should patch supported routers, replace end-of-life devices, review unexpected proxying and outbound sessions, and include compromised appliances in credential-rotation and incident-scoping decisions.

Sources: Cisco Talos

Key Takeaway: Treat routers as monitored compute assets and investigate unusual relay behavior instead of relying only on IP reputation.

🔎 Other Signals

Langflow authorization bypass entered active exploitation

CISA added CVE-2026-55255, an authorization-bypass flaw in the open-source AI flow-builder Langflow, to its Known Exploited Vulnerabilities catalog on July 7 after confirming exploitation in the wild. An authenticated user can run any flow belonging to another user by supplying the victim's flow ID — a multi-tenant isolation break in a widely deployed tool.

Sources: CISA KEV

Key Takeaway: Patch Langflow to the current fixed release, restrict its network exposure, and review flow-execution logs for cross-user access.

Dialogflow CX disclosure exposed a managed AI execution trust gap

Varonis disclosed Rogue Agent, a now-remediated weakness in Google Dialogflow CX Playbook Code Blocks. A user with dialogflow.playbooks.update on one agent could inject persistent code, exfiltrate conversations, and affect agents sharing the same managed Cloud Run execution environment. Varonis said Google fully resolved the issue in June and that it was not aware of in-the-wild exploitation.

Sources: Varonis

Key Takeaway: Audit historical Dialogflow Playbook updates, review who has agent-edit permissions, and monitor managed AI execution paths that can make outbound connections.

npm v12 disables install scripts by default

npm v12 became generally available with install scripts disabled by default and began deprecating publishing tokens that bypass two-factor authentication. GitHub calls install-time lifecycle scripts the single largest code-execution surface in the npm ecosystem; v12 makes that execution opt-in, though malicious code can still run later through imports or CLI use.

Key Takeaway: Adopt the safer default, commit an explicit allowlist for required scripts, and do not assume blocking install scripts stops every package execution path.

Payment-SDK typosquats hit npm, PyPI, and NuGet

Socket flagged a wave of payment-SDK typosquats across three ecosystems — including 17 npm and PyPI packages impersonating Paysafe, Skrill, and Neteller, plus a malicious .NET package typosquatting the Braintree SDK — built to steal credentials, API keys, and live card data from developer and production environments.

Key Takeaway: Block lookalike packages, verify exact ownership and provenance, and rotate secrets from any environment where the malicious names appeared.

Operation Muck and Load used 222 repositories as malware lures

Socket documented a malicious Go module campaign using commit farming, public dead drops, and 222 GitHub repositories to distribute protected archives containing Windows RAT and infostealer payloads.

Sources: Socket

Key Takeaway: Do not treat repository age, commit volume, or apparent contributor activity as proof of legitimacy; verify maintainer identity and release provenance.

📈 Defender Trend

Automatic execution is becoming the common failure point

Adobe ColdFusion, the compromised jscrambler package, and UAT-7810's router malware all turned trusted execution paths into attacker leverage. The actively exploited Langflow authorization bypass and Varonis's Dialogflow CX disclosure extend the same lesson to AI tooling: code that runs inside a provider-controlled or multi-tenant environment can reach conversations, APIs, flows, and shared resources even when customers cannot directly inspect the runtime. The broader control is not simply "patch faster." Defenders need to know what executes automatically, which secrets and systems that execution can reach, and what evidence proves the environment remained clean after remediation.

⚔️ Actionable Defense Move of the Week

Audit automatic execution paths

Action: Identify software, packages, scripts, and managed services that can execute code automatically during installation, startup, build, import, or agent workflow changes.

Who runs it: Application security leads with DevOps, cloud platform, endpoint engineering, vulnerability management, and SOC support.

Check these specifically: ColdFusion servers and exposure; jscrambler versions and npm logs; install and lifecycle scripts; CI environment variables; MCP and AI-assistant configuration; Dialogflow Playbook and Langflow flow-execution history; router firmware and unexpected proxy behavior; NuGet, npm, PyPI, and Go dependencies added during the research window.

Evidence you're done: A dated report listing each automatic-execution path, owner, reachable secrets, affected versions, remediation action, credential rotations, log queries, and the evidence used to verify a clean state.

🧠 Final Word

Trusted automation saves time until defenders lose track of what it can execute and what it can reach. This week's incidents crossed very different technologies, but the failure was consistent: a web platform, package, router, or AI workflow inherited more trust than its monitoring justified.

The useful question is not only whether a component is patched. It is whether the organization can prove what ran, which credentials were available, and whether the same trust path remains open somewhere else.

Keep Reading