Top 5 Cybersecurity News Stories July 10, 2026
The five stories in this week’s Cybersecurity News Stories July 10, 2026 share a structural property: in each case, the system that was compromised or weaponised is one that the organisation had placed into a category other than “security risk.” An AI workflow orchestration platform is operational infrastructure for teams experimenting with automation — it is not, in most governance frameworks, modelled as an entry point for ransomware — until an autonomous AI agent completes a full attack operation, from initial access to ransom demand, without a human operator involved at any stage. A legacy web application server carrying a CVSS 10.0 vulnerability is a patching priority — it is not modelled as a system that can be weaponised before the organisation has time to read the advisory — until active exploitation is confirmed 120 minutes after the patch is published. An ERP payment module is protected by enterprise authentication — it is not expected to be compromised before public proof-of-concept code exists — until nation-state-grade attackers reverse-engineer the patch faster than the research community can document the flaw. An endpoint protection agent is the security control — it is not the privilege escalation path — until a 12-week-old unpatched vulnerability gives ransomware operators a reliable route to SYSTEM on every managed endpoint in an environment. And a development dependency for a popular Telegram automation framework is a productivity tool — it is not a backdoor — until eight trojanised variants have been silently exfiltrating credentials and data through Telegram’s own infrastructure for eight months without detection. The pattern this week is not about patching failures. It is about the gap between the attack surface that security programmes model and the one that attackers are actually using.
1) JADEPUFFER — The First Fully Autonomous AI Ransomware Agent, and Why Every Incident Response Runbook Written Before 2026 Is Now Incomplete
On July 1, 2026, Sysdig’s Threat Research Team published documentation of what they characterise as the first fully end-to-end AI-agent-driven ransomware operation, which they named JADEPUFFER — classifying its operator as an Agentic Threat Actor (ATA), a category in which the attack is delivered by an autonomous AI agent rather than a human-operated toolkit. The operation began with an internet-facing Langflow instance, an open-source platform for orchestrating AI workflows, which the agent compromised by exploiting CVE-2025-3248, a known remote code execution flaw. From that foothold, the agent harvested cloud credentials and LLM provider API keys from the environment, then identified and pivoted to a production server running a MySQL database and an Alibaba Nacos configuration management service. It exploited CVE-2021-29441, a 2021 authentication bypass in Nacos, to access the configuration server, then used MySQL’s native AES_ENCRYPT() function to encrypt 1,342 configuration items in place. The ransom demand arrived via a Bitcoin address and Proton Mail contact. No human operator was present at any point in the operation.
The detail that distinguishes JADEPUFFER from every prior ransomware documentation is the 31-second self-correction. When an admin account login failed mid-operation, the agent diagnosed the failure, generated a working fix, and continued without interruption. Over 600 individual payloads across the operation carried plain-language reasoning comments in which the agent documented its own decision-making, producing a fully auditable attack chain after the fact. Every incident response model built before 2026 assumes a human attacker: one who makes timing errors, requires sleep, misreads outputs, and introduces behavioural patterns that detection systems can surface over time. JADEPUFFER exhibited none of those characteristics. The 31-second recovery is not an anomaly particular to this operation — it is the expected behaviour of an adaptive AI agent operating within its design parameters.
The exposure this campaign targets is not exotic. Langflow and Nacos are increasingly common in organisations building AI workflow automation and microservice configuration management infrastructure, and the CVEs involved are well-documented. CVE-2025-3248 is patched in the current Langflow release; Nacos CVE-2021-29441 is addressed in versions 1.4.2 and 2.0.3 and above. The more important operational question is not whether those patches have been applied — it is whether either platform is internet-accessible without authentication and network access controls. JADEPUFFER did not require a novel zero-day. It required an internet-facing Langflow instance with a known flaw. The difference between this attack and the next one is not the sophistication of the agent. It is whether the entry point is still there.

Read more on: Sysdig Threat Research · BleepingComputer · The Hacker News
2) Adobe ColdFusion CVE-2026-48282 — CVSS 10.0, and Active Exploitation Two Hours After Adobe Published the Fix
On June 30, 2026, Adobe published APSB26-68, patching 11 vulnerabilities in ColdFusion, seven of them rated CVSS 10.0. CVE-2026-48282 is the most critical: an unauthenticated directory-traversal flaw in the RDS FILEIO handler that chains directly to remote code execution. The exploitation condition requires RDS to be enabled with RDS authentication disabled — a configuration present in a meaningful number of production deployments, particularly in legacy and development environments where RDS was enabled for convenience and the authentication step was never enforced. CISA added the vulnerability to the Known Exploited Vulnerabilities catalog on July 7, under BOD 26-04, with a federal agency remediation deadline of July 10 — the publication date of this post. According to KEVIntel threat intelligence, active exploitation was confirmed approximately two hours after Adobe’s advisory was first published.
Two hours is the fastest weaponisation timeline DIESEC has tracked in 2026. The median enterprise patch deployment cycle, as measured in the Verizon DBIR 2026, is 43 days. SharePoint CVE-2026-45659 — which we covered in last week’s Top 5 — was weaponised within days of its advisory. ColdFusion was two hours. The broader 2026 data context makes this a pattern rather than an outlier: 28.3% of CVEs tracked by CISA were exploited within 24 hours of disclosure. For CVE-2026-48282, the window was not 24 hours. It was 120 minutes. That gap — between “advisory published” and “active exploitation confirmed” — is not a gap that a 30-day or even a 7-day patching cycle can close. It is a gap that requires continuous exposure monitoring and the organisational capacity to act in hours when the risk justifies it.
The affected versions are ColdFusion 2023 before Update 21 and ColdFusion 2025 before Update 10. If immediate patching is not possible, disabling RDS or enabling RDS authentication eliminates the exploitation condition for this specific vulnerability, though it does not address the six other CVSS 10.0 flaws in the same advisory. ColdFusion deployments in development and staging environments are disproportionately likely to have RDS enabled and unprotected, because those configurations were set up for developer convenience rather than production security posture — and they are also disproportionately likely to be overlooked in patch deployment pipelines. The federal deadline of July 10 has passed. Any ColdFusion instance in scope for CISA’s BOD 26-04 that is not yet patched should be treated as potentially compromised until confirmed otherwise.

Read more on: Adobe APSB26-68 · CISA KEV
3) Oracle E-Business Suite CVE-2026-46817 — The Payment Module Was Under Active Attack Before Any Public Proof-of-Concept Code Existed
CVE-2026-46817 is a CVSS 9.8 unauthenticated remote code execution vulnerability in the File Transmission component of Oracle Payments within Oracle E-Business Suite, affecting versions 12.2.3 through 12.2.15 — a range that covers the majority of active EBS deployments worldwide. The flaw is in the ibytransmit endpoint, where an unauthenticated attacker with HTTP network access can call an internal Oracle Java function directly, redirecting it to read arbitrary files from the server filesystem. In observed exploitation, attackers accessed /etc/passwd and configuration files containing database credentials, encryption keys, and payment processor API keys. The same technique extends to full system takeover. Oracle shipped patches in its May 2026 Critical Patch Update. At time of public disclosure, the Shadowserver Foundation and Validin identified approximately 950 internet-exposed EBS instances.
The timing of active exploitation is the most operationally significant aspect of this story. The Register reported on July 2, 2026, that production honeypots were already being hit before any public proof-of-concept code for CVE-2026-46817 had been released. This is not unusual in the 2026 threat landscape — nation-state actors and well-resourced criminal groups routinely reverse-engineer vendor patches to develop working exploits faster than the public research community can document them — but it directly undermines the risk-management frameworks that many organisations use to triage patching decisions. If an organisation’s response to a CVSS 9.8 ERP vulnerability is to wait for active exploitation to be publicly confirmed before accelerating patching, the practical outcome in this case would have been patching after an attack that was already underway. The signal that gates the priority decision arrived after the attack had started.
Oracle E-Business Suite is widely deployed in German large enterprises across manufacturing, financial services, and retail — precisely the sectors where the Payments module directly handles financial transaction processing, accounts payable and receivable workflows, and banking integration. A successful exploitation of CVE-2026-46817 gives an attacker read access to payment processor credentials and database encryption keys — the most sensitive data category in any ERP environment. Oracle’s May 2026 CPU contains the fix, and any unpatched instance with the ibytransmit endpoint accessible over HTTP should be patched immediately and its access logs reviewed for evidence of prior exploitation, rather than treated as a clean system pending the next maintenance window.

Read more on: The Hacker News · BleepingComputer · The Register
4) BlueHammer CVE-2026-33825 — Twelve Weeks After the Patch, Microsoft Defender Is Confirmed as the Ransomware Escalation Path on Tens of Thousands of Endpoints
CVE-2026-33825, named BlueHammer, is a local privilege escalation vulnerability in Microsoft Defender that was publicly disclosed on April 2, 2026, by a researcher known as Nightmare Eclipse — alongside working proof-of-concept code — following a dispute with Microsoft’s Security Response Center over the handling of the disclosure timeline. The vulnerability exploits how Defender handles inter-process communications and file operations during real-time scanning: a locally authenticated attacker can trigger a race condition or plant a symbolic link that causes Defender to perform file operations in attacker-controlled directories under the SYSTEM account, producing a reliable privilege escalation path from standard user to full SYSTEM access on any Windows endpoint running an unpatched Defender version. Microsoft released patches on April 14, 2026. CISA added the vulnerability to the Known Exploited Vulnerabilities catalog on April 22, with a federal deadline of May 7.
The reason BlueHammer is a top story this week rather than an April story is a July 1, 2026, update to CISA’s KEV entry specifically flagging confirmed active use by ransomware operators. The patch is now twelve weeks old. BleepingComputer and SecurityWeek both report that tens of thousands of Windows endpoints remain unpatched. The strategic implication of that combination — a reliable SYSTEM escalation vulnerability in the endpoint protection agent itself, confirmed in active ransomware chains, with a twelve-week-old patch that has not yet been applied across large portions of enterprise estates — is precise. Organisations that have endpoint security deployed on every managed machine, with Defender as the primary or co-installed protection engine, and that have deferred their April Windows update rollout for operational reasons, have handed ransomware operators a privilege escalation path to SYSTEM on every machine in scope. The security control has become the attack vector.
This is the third consecutive story in a pattern that has been building across 2026: FortiClient EMS in June gave attackers management-plane access to push malware across all managed endpoints; FortiSandbox in June gave attackers access through the security analysis platform; BlueHammer gives attackers SYSTEM privileges through the endpoint protection agent itself. The consistent finding is that security tooling — the layer that organisations deploy precisely to reduce risk — is now a prioritised target for attacker investment, because it runs with elevated privileges, it is trusted by the operating system, and its compromise reaches across the entire environment rather than a single asset. The April 14 Windows Update covering CVE-2026-33825 should be applied as a priority, and the Defender version should be verified across the full endpoint estate before the next ransomware deployment confirms the exposure.

Read more on: BleepingComputer · SecurityWeek · Threat-Modeling.com
5) Operation Navy Ghost — Eight Malicious PyPI Packages, Telegram as Covert Command and Control, Eight Months Undetected
On June 24, 2026, Checkmarx Zero published research into a supply chain campaign they named Operation Navy Ghost, active since November 2025, in which a single threat actor published at least eight trojanised forks of the Pyrogram Telegram client library on PyPI. Pyrogram is a widely used Python framework for building Telegram bots and automation tools, and the malicious packages — vlifegram, vlife-gram, kelragram, pyrogram-navy, sepgram, pyrogram-styled, pyrogram-zeeb, and pyrogram-kelra — were designed to appear as legitimate Pyrogram variants. Despite being published from different PyPI accounts, Checkmarx attributes all eight to a single threat actor based on shared OWNERS metadata, identical backdoor code, and overlapping infrastructure. Each package contains a complete backdoor that gives the attacker the ability to read any file on the server, dump stored secrets, access the victim’s own Telegram chats and contacts, download the application database, and install persistent access — all conducted over Telegram’s own infrastructure as the command and control channel.
The Telegram-as-C2 design is the technical detail that explains eight months of undetected operation. The attacker’s traffic is structurally indistinguishable from the legitimate operation of the Telegram bot the developer built — the same connections, the same API calls, the same destination. Standard network monitoring approaches that detect covert channels — DNS inspection, egress filtering, TLS inspection at the perimeter — cannot distinguish between a Telegram bot executing legitimate business logic and one being used as a data exfiltration path by an attacker sharing the same process. The campaign did not persist for eight months because detection was hard in a general sense. It persisted because the specific detection technique required — behavioural analysis of Telegram bot traffic at the application layer — is not a control that most organisations have in place for development and automation environments.
All eight packages have been removed from PyPI following the Checkmarx disclosure, but removal from the public index does not clean the exposure. Packages that were installed before June 24 may persist in private package registries such as JFrog Artifactory, Sonatype Nexus, and GitHub Packages; in developer workstation pip caches and active virtual environments; in container images built before the disclosure date; and in any application that includes a Pyrogram variant as a bundled dependency. For any organisation where Python development work involves Telegram bot automation, the correct action is to search all codebases, container images, and internal registries for the eight package names, verify that any Pyrogram dependency resolves to the official package maintained by devgagan on GitHub, and audit server credentials and Telegram bot tokens on any system where these packages were installed and executed.

Read more on: Checkmarx Zero · BleepingComputer
If this week’s Cybersecurity News Stories July 10, 2026 tells us anything, it’s this:
The five stories this week describe organisations being compromised through systems they were managing for operational continuity, not security. Langflow and Nacos exist because teams need to orchestrate AI workflows and manage microservice configuration at scale — they are not infrastructure that anyone reviewed through the lens of ransomware exposure when they were deployed. ColdFusion exists in thousands of environments because it underpins applications built over decades, and the RDS configuration that enables the vulnerability was set to make development easier rather than to create an attack surface. Oracle’s ERP payment module exists because enterprise finance requires it, and the ibytransmit endpoint is an internal plumbing component that no security review modelled as a path to full system access until attackers demonstrated it was. Defender exists because every endpoint needs protection, and the race condition in its scanning process was not visible to the organisations whose patch cycles created the window. The Pyrogram packages existed in development environments because developers building Telegram bots needed a framework, and the decision to install a PyPI variant rather than the official package is the kind of decision that happens dozens of times a day in every engineering team without a security review.
The operational implication is one of scope rather than capability. The organisations exposed this week had security programmes. Most of them had patching processes, endpoint protection, vulnerability management, and vendor risk frameworks. What those programmes did not model was the specific layer each of these attacks used: the AI orchestration platform as a ransomware entry point, the two-hour exploitation window as the realistic response time requirement, the ERP internal endpoint as an unauthenticated access path, the security agent as the privilege escalation tool, and the development dependency as the persistent covert channel. Closing the exposure these stories reveal is not a question of more controls on the infrastructure that is already being defended. It is a question of whether the inventory of what needs to be defended has been updated to match the attack surface that adversaries are actually using — and whether the response timelines embedded in patch management and incident response processes have been calibrated against the 120-minute exploitation windows that characterise the 2026 threat landscape, rather than the 30-day cycles that were reasonable assumptions five years ago.
For more information, please contact us now!

