Cyber security developments for Saturday the 4th of July 2026 covering articles added to the BlueTeamSec community on infosec.pub. Today we have 5 articles to cover. All attribution is by the article authors. All article analysis is automated.
Socket reports on PolinRider, a North Korean supply chain campaign that's compromised 162 artifacts across 108 packages in npm, Packagist, Go modules, and Chrome extensions. Attackers are hijacking legitimate maintainer accounts, manipulating Git history, and using VS Code task files to deploy second-stage payloads retrieved from blockchain infrastructure — which is either impressive tradecraft or a sign that open-source security is still something of a free-for-all, depending on your perspective.
Recorded Future's Insikt Group has documented TAG-182, an Iranian government-aligned group deploying MarkiRAT surveillance malware via fake VPN apps and free software tools distributed through Instagram. The group is targeting Iranian dissidents and operates alongside other Iranian surveillance units supporting the Revolutionary Guard and cyber police.
City of London Police has issued a warning following over 320 ransomware attacks on businesses in the previous year. The advisory emphasises not paying ransom demands — no surprise there — and urges organisations to implement offline backups and patch management instead.
Elastic has patched a high-severity log injection vulnerability in Kibana, tracked as CVE-2026-49091, that allows attackers to inject control sequences into logs to alter what displays in terminals. It affects versions 7.x through 7.17.14 and 8.0 through 8.11.0, and is fixed in 7.17.15 and 8.11.1.
And on the red team side, a researcher has released Skewrun, a toolkit for stealthy time discovery in Active Directory environments using Kerberos, SMB, NTLM, and lightweight directory protocols. One for defenders to be aware of if you're monitoring reconnaissance activity.
That concludes today's briefing.