Cyber security developments for Wednesday the 15th of July 2026 covering articles added to the BlueTeamSec community on infosec.pub. Today we have 10 articles to cover. All attribution is by the article authors. All article analysis is automated.
France's national cyber agency has officially attributed two decades of espionage operations to Russia's FSB 16th Centre, the intrusion set known as Turla. The campaign has targeted French and European government, diplomatic, defence, and technology entities since at least 2004, with operations intensifying around the Ukraine conflict.
The UK's National Cyber Security Centre and 18 international agencies have warned that FSB Centre 16 is conducting aggressive internet-wide scanning to exploit poorly configured routers and network devices. The advisory targets critical infrastructure sectors including communications, defence, energy, and healthcare, and coincides with UK sanctions on Russian cyber actors following attribution of a December 2025 attack on Poland's energy grid to the same unit.
On the same theme, a 36-year-old Russian national linked to the FSB has pleaded not guilty to charges related to a state-sponsored espionage campaign tracked as Void Blizzard. The operation targeted NATO-aligned government agencies, organisations supporting Ukraine, and at least 11 U.S. companies since 2023.
And the UK and EU have imposed sanctions on 24 individuals and entities linked to Russian intelligence services, including GRU Unit 29155 leadership and operators of the Lumma Stealer malware. Russian actors have been using credentials stolen via Lumma Stealer for global espionage campaigns, which is rather closing the loop between cybercrime and state operations.
CISA has published a post-incident report detailing how a contractor accidentally exposed credentials by uploading them to a public repository. The agency responded by revoking access, rotating all credentials globally, and implementing repository access controls — no customer or mission data was compromised.
Stripe researchers discovered a dormant surveillance and data exfiltration capability hidden within ModHeader, a legitimate Chrome extension with 900,000 users, primarily developers and IT administrators. The framework included device fingerprinting, encrypted data staging, and the ability to harvest browsing data and authentication tokens. Google removed the extension on July 10th following responsible disclosure.
The Jscrambler npm package was compromised in a supply chain attack that injected malicious code to exfiltrate credentials, tokens, and environment variables from developer systems and CI/CD pipelines. The malware used anti-analysis techniques to evade common debugging tools and employed domain generation algorithms for command and control, which is rather more sophisticated than your average npm compromise.
The Canadian Centre for Cyber Security has disclosed SharpViewStateKing, a sophisticated fileless implant framework targeting public-facing IIS servers hosting ASP.NET applications. The framework exploits ViewState parameters to achieve remote code execution, loads plugins directly into memory, and disguises command and control traffic within standard HTTP headers using AES encryption — one for anyone managing ASP.NET infrastructure.
Chimera is a userspace sandboxing framework implemented in Rust that uses dynamic binary translation to intercept system calls from untrusted binaries. It enables secure execution of AI-generated code and other untrusted programs without requiring containers, VMs, or elevated privileges, which is particularly relevant if you're running code generation tooling.
That concludes today's briefing.