🛡️ InfoSec Blue Team Briefing

Saturday, July 11, 2026

🎧 Audio Briefing

Download MP3

Cyber security developments for Saturday the 11th of July 2026 covering articles added to the BlueTeamSec community on infosec.pub. Today we have 14 articles to cover. All attribution is by the article authors. All article analysis is automated.

SentinelOne documented a rather crowded compromise at Pakistani law enforcement agencies, where both Chinese and Indian espionage groups independently targeted the same systems between 2024 and April this year. The Chinese side deployed PlugX and ShadowPad whilst the Indian actors used Remcos with lures focused on Afghan deportations — both after biometric records and criminal intelligence.

Socket uncovered Operation Muck and Load, a campaign involving 222 malicious GitHub repositories used to distribute dodgy Go modules. The threat actors used automated techniques to build apparent legitimacy and reputation around malicious packages — worth flagging if you vet dependencies in Go projects.

Dutch police investigation into the Odido telecom breach revealed the attackers were Dutch-speaking and used vishing to impersonate internal IT staff via customer service. They gained access and stole data that's now being exploited by third parties — a reminder that the call could be coming from inside the house, so to speak.

Datadog caught a backdoor in version 1.20.21 of an npm package for Injective, active for 49 minutes on the 8th of July. It hooked wallet initialisation functions and exfiltrated mnemonic phrases and private keys via HTTP headers to a server disguised as a testnet node.

And another supply chain story — this time a cybersecurity startup founder published infostealer malware to npm disguised as AI and security tooling in June. The packages racked up around 20,000 downloads before being spotted, complete with fake telemetry opt-outs and version backfilling to look legitimate.

Security researchers disclosed Januscape, a 16-year-old use-after-free in the Linux kernel's shadow memory management for virtual machines. It allows guest-to-host escape with potential for remote code execution as root — particularly relevant for multi-tenant cloud providers still running affected versions.

FoxIO found a memory corruption flaw in Alibaba's QUIC library that allows remote unauthenticated attackers to crash servers using perfectly valid QPACK instructions. The vendor didn't respond to disclosure, so there's no patch — mitigation requires disabling the vulnerable feature entirely.

Researchers detailed privilege escalation flaws in Realtek SD card reader drivers affecting Dell, Lenovo, and other Windows systems. The driver exposes interfaces that let unprivileged users exploit direct memory access to write arbitrary physical memory, bypassing protections and detection tooling. Patches exist but require verifying that remapping is actually enabled via registry.

Huntress wrote up active exploitation of CitrixBleed 2, a memory overread in NetScaler that enables session hijacking even with multi-factor authentication in place. Following on from the story we covered earlier this week about AI-assisted cloud attacks, this one follows a seven-step kill chain involving registry symbolic link abuse for privilege escalation, persistence via legitimate remote tools like ScreenConnect, and eventual deployment of Dragonforce ransomware.

Socket caught a coordinated typosquatting campaign on the 7th of July targeting npm and PyPI with 17 malicious packages impersonating payment SDKs for PaySafe, Skrill, and Neteller. The malware exfiltrates credentials and tokens to AWS infrastructure and includes anti-sandbox checks to avoid detection.

Researchers published details on Adversarial HalluSquatting, a technique that exploits the tendency of large language models to hallucinate non-existent resources. Attackers preemptively register fake packages or repositories that AI coding assistants are likely to hallucinate, embedding malicious prompts that trigger unauthorised actions when fetched — tested against Cursor, GitHub Copilot, and Windsurf.

Microsoft Threat Intelligence documented GigaWiper, a Golang backdoor observed in October last year that consolidates multiple destructive capabilities into one modular framework. It can wipe physical disks, encrypt data using logic derived from Crucio, and uses RabbitMQ for command and control — designed for both long-term espionage and on-demand destruction.

Winsider Seminars detailed a kernel hardening Microsoft introduced in Windows 11 23H2 that mitigates a classic privilege escalation technique involving manipulation of the PreviousMode field in thread structures. The mitigation enforces reset on system call entry and verification on exit, triggering a crash if tampering is detected — closes off a historically reliable exploitation path.

And finally, Microsoft announced they're re-engineering Windows vulnerability management processes in response to adversaries using AI to accelerate flaw discovery in large codebases. Light on specifics, but signals a strategic shift to match the speed at which AI-powered tools can now identify exploitable bugs.

That concludes today's briefing.

📰 Articles Covered