Today’s roundup
Critical U-Boot Bugs Undermine Secure Boot on Millions of Devices
Compromised jscrambler 8.14.0 npm Release Drops Rust Infostealer During Install
U.S. CISA adds iCagenda and Balbooa Forms flaws to its Known Exploited Vulnerabilities catalog
Australia warns of global campaign targeting vulnerable CMS platforms
Hackers Weaponize Balochistan Police Portal in Multi-Group Espionage Campaigns
Summary
Binarly researchers uncovered six critical vulnerabilities in U-Boot, an open-source bootloader used in millions of embedded devices like routers, smart cameras, and server management controllers. Two of these flaws (BRLY-2026-037, BRLY-2026-038) allow arbitrary code execution during the boot image verification process, effectively undermining secure boot mechanisms. The vulnerabilities, present since U-Boot version v2013.07, could enable attackers to compromise devices before the operating system or security software loads, making detection and removal extremely difficult. While physical access is often assumed for bootloader exploits, remote exploitation is possible through interfaces like server BMCs. Patches for all six issues are now available in U-Boot's master branch.
Security researchers have identified a critical supply chain attack involving version 8.14.0 of the jscrambler npm package, which was compromised on July 11, 2026. Installing this malicious version automatically executes a Rust-based infostealer on the user's machine, affecting Windows, macOS, and Linux systems. The malware leverages a "preinstall" hook to drop and run a native binary. Security firm Socket detected the malicious release just six minutes after its publication, highlighting the rapid nature of the threat.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added two new vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, mandating federal agencies to remediate them by July 13, 2026. The flaws, both rated CVSS 10.0, are CVE-2026-48939 in iCagenda and CVE-2026-56291 in Balbooa Forms, both Joomla extensions. These vulnerabilities enable unauthenticated arbitrary file upload, leading to full remote code execution on affected web servers. Their inclusion in the KEV catalog indicates active exploitation in the wild.
The Australian Cyber Security Centre (ACSC) has issued a global alert regarding an active exploitation campaign targeting vulnerable Content Management Systems (CMS) platforms and their associated plugins. The advisory warns organizations worldwide about the widespread nature of these attacks, urging them to identify and patch known vulnerabilities in their CMS infrastructure to prevent potential compromise and data breaches.
Cybersecurity researchers have detailed a sophisticated, multi-group cyber espionage campaign that has targeted several Pakistani law enforcement organizations, including the Balochistan Police portal, between February 2024 and April 2026. Threat actors, suspected to be aligned with China and India, weaponized compromised web application servers managing sensitive police and citizen data, such as criminal and identity records, for sustained intelligence gathering.
Want to dig deeper?
Vulnerabilities
Malware Families