The upcoming MCP 2026-07-28 specification fundamentally reshapes the protocol's security model by moving to a stateless architecture, eliminating protocol-managed sessions, and mandating OAuth 2.1 with PKCE. While this removes historical attack vectors like session hijacking and unsolicited server prompts, it introduces new risks: client-controlled state objects and tracking IDs enable cross-agent workflow hijacking, the _meta object allows metadata-based privilege escalation, new HTTP headers create desync and data leakage opportunities, MCP Apps bring stored XSS into AI interfaces, and asynchronous tasks introduce resource exhaustion DoS vectors. Security responsibility now rests squarely on MCP server developers and platform operators to implement cryptographic state verification, input validation, output encoding, and resource quotas.
Trust Chains Broken at Scale While ClickFix Becomes a Service
This week, attackers stopped trying to kick down the front door and instead walked in through the trust chains that hold digital ecosystems together. North Korea's Sapphire Sleet compromised over 140 Mastra npm packages through a single typosquatted dependency, stealing cryptocurrency wallets and planting persistent backdoors on developer machines. The GlassWorm group trojanized Open VSX extensions with WebAssembly malware that uses the Solana blockchain as an unkillable command channel, while SmartApeSG hijacked the Okendo Reviews widget to serve malicious prompts on thousands of e-commerce sites. Even vendor integrations became a liability: the Klue breach exposed Recorded Future client data through a compromised OAuth token connecting a marketing tool to Salesforce.
Deception also became an industrial product. The ErrTraffic framework now operates as full Malware-as-a-Service, using blockchain smart contracts to hide its infrastructure and compromised WordPress sites to serve fake error prompts that trick users into running malicious commands. Attackers weaponized trusted AI platforms too—one campaign abused claude.ai's shared chat feature to deliver MacSync infostealer on macOS, while the shai_hulululud npm package uses prompt injection to blind AI-powered security scanners. On the infrastructure side, the FortiBleed campaign cracked credentials for over 73,000 FortiGate firewalls with a 45-GPU cluster, handing attackers valid keys to government and defense networks worldwide.
Defenders should immediately hunt for the easy-day-js dependency in their npm projects, reset credentials on any FortiGate firewall, enable Azure AD Graph Activity Logs to close a years-long reconnaissance visibility gap in Microsoft cloud environments, and audit OAuth tokens on all third-party vendor integrations.
The Canadian Centre for Cyber Security issued an advisory regarding multiple Denial-of-Service (DoS) vulnerabilities affecting Mitsubishi Electric MELSEC iQ-F Series EtherNet/IP and Ethernet modules. Organizations utilizing these industrial control systems should review the vendor advisories and apply the recommended updates to prevent potential operational disruptions.
Rockwell Automation FLEX I/O EtherNet/IP Adapters version 2.012 are affected by two vulnerabilities. CVE-2026-0647 allows unauthenticated account takeover via the embedded web server, while CVE-2026-0646 enables a denial-of-service condition through malformed CIP protocol requests.
Rockwell Automation Logix 5370 and 5570 controllers are affected by a high-severity denial-of-service vulnerability (CVE-2026-11317, CVSS 8.7) triggered by crafted Common Industrial Protocol (CIP) messages. Successful exploitation results in a major nonrecoverable fault (MNRF) due to improper resource shutdown or release, requiring a manual program download to restore operations.
Hitachi Energy ITT600 Explorer contains two high-severity vulnerabilities (CVE-2024-8176, CVE-2025-59375) within its libexpat library implementation. These flaws, triggered via crafted IEC61850 messages or documents during server simulation, can lead to uncontrolled recursion and resource exhaustion, resulting in Denial of Service (DoS) or memory corruption.
Session Hijacking and Developer Tool Poisoning Collapse Authentication Trust
This week, attackers proved that multi-factor authentication is no longer a reliable gatekeeper. Campaigns like Tycoon 2FA and Chinese-language PhaaS platforms intercept one-time passwords in real time and steal session tokens to maintain persistent access, while infostealers like EKZ Infostealer harvest browser cookies to bypass authentication entirely. Even when victims reset passwords and revoke sessions, attackers retain access through hidden device registrations — meaning standard incident response playbooks are now incomplete.
Developers remain the preferred entry point for supply chain compromise. The Glassworm botnet was disrupted after hiding malware in VSCode extensions and npm packages, while the Megalodon campaign poisoned GitHub Actions workflows across 5,500 repositories. A malicious Sicoob.Sdk NuGet package stole banking certificates from Brazilian developers, and North Korea's Lazarus group compromised the widely used axios npm library — a single attack touching millions of downstream applications.
Organizations must move beyond password-and-MFA reliance: adopt hardware security keys, shorten session lifetimes, delete attacker-registered devices before resetting credentials, and audit developer toolchains and CI/CD pipelines for tampering.
The 2026 FIFA World Cup presents a massive, multi-jurisdictional attack surface threatened by state-nexus disruptive operations and financially motivated cybercrime. Key risks include Iran-aligned actors targeting municipal OT infrastructure, pro-Russian hacktivists launching high-volume DDoS attacks against tournament services, and cybercriminals deploying ransomware against the hospitality supply chain.
ABB B&R Automation Runtime contains a critical Improper Resource Locking vulnerability (CVE-2025-3450) within its System Diagnostics Manager (SDM) component. An unauthenticated, remote attacker can exploit this flaw by sending a specially crafted message over the network to delete data, resulting in a denial-of-service condition that halts the affected system node.
This threat intelligence report highlights multiple high-profile breaches, including 7-Eleven and GitHub, alongside the active exploitation of vulnerabilities in Windows Defender, Trend Micro, and Drupal. It also details emerging threats such as the Kali365 phishing kit, AI-driven prompt injection attacks, the Nimbus Manticore IRGC-linked campaign deploying the MiniFast backdoor, and a supply chain attack on Laravel Lang packages.
CVE-2026-42945, dubbed 'NGINX Rift', is a critical heap buffer overflow vulnerability in the NGINX HTTP rewrite module (ngxhttprewrite_module). It allows unauthenticated attackers to cause a Denial of Service (DoS) or potentially achieve Remote Code Execution (RCE) by sending crafted HTTP requests to servers configured with specific rewrite directives containing unnamed PCRE captures and a question mark.
Model Context Protocol (MCP) servers introduce a new attack surface akin to AI-native APIs, exposing organizations to protocol-level attacks, injection vulnerabilities, and authorization bypasses. Because MCP tools often use permissive validation to accommodate LLM inputs and proactively broadcast their capabilities via plain-English descriptions, attackers can easily map business logic and exploit downstream systems or trigger resource exhaustion.
A nuance in the Entra ID Resource Owner Password Credentials (ROPC) protocol allows attackers with compromised credentials to authenticate against a permissive external tenant, generating a 'Sign-in: Success' log in the victim's home tenant. While this cross-tenant authentication does not grant access to the victim's data, it effectively poisons UEBA models and floods the SOC with false positive alerts, creating significant operational disruption and compromising log integrity.
The rapid adoption of agentic AI in enterprise environments introduces significant security risks by amplifying existing software supply chain and identity management vulnerabilities. Threat actors can leverage prompt engineering, input manipulation, and malicious packages to weaponize AI agents, necessitating zero-trust principles, robust IAM for non-human identities, and human-in-the-loop safeguards.
Security researchers identified a signal-reentrancy weakness in a signed macOS OpenSSL wrapper binary. The vulnerability arises from the intersection of legacy TLS capabilities and async-unsafe POSIX functions, which can be exploited via race conditions and forced TLS downgrades to cause Denial of Service (DoS) or potential memory corruption.
The Canadian Centre for Cyber Security released a daily digest highlighting recent security updates for Microsoft Edge, HashiCorp Vault, and JetBrains YouTrack. Organizations are advised to apply the necessary patches to address vulnerabilities including Denial-of-Service and Server-Side Request Forgery.
The Canadian Centre for Cyber Security released a daily digest highlighting recent security advisories from WatchGuard, Siemens, FreeBSD, and Ericsson. The advisories cover critical vulnerabilities including remote code execution, denial of service, and insecure deserialization across various operating systems, network appliances, and control system products.