The week the first fully autonomous AI ransomware operation was documented, four maximum-severity flaws hit CISA's KEV catalog within hours of disclosure, and the first AI-agent platform entered the exploited-in-the-wild list. Below: what happened, what's being exploited right now, and why the automation of both attack and defense is the only story that matters this week.
Cyber Security News
JadePuffer: The First Ransomware Attack Run End to End by an AI Agent
Sysdig's threat research team documented JadePuffer, a ransomware operation with no human at the keyboard: an LLM agent autonomously performed reconnaissance, credential theft, lateral movement, privilege escalation, encryption, and ransom-note delivery after breaking into an internet-facing Langflow server. The clearest proof of autonomy was a timestamp pair, a login that failed at 19:34:36 UTC after which the agent diagnosed the error and rewrote its own payload in roughly 31 seconds without operator intervention. Its flawed grasp of extortion economics meant it never saved the decryption key, making recovery impossible even if a ransom were paid.
Why it matters: Machine-speed self-correction collapses the dwell-time window human incident response depends on, and an agent optimizing for encryption rather than payment turns "ransomware" into pure destruction.
Sources: TechTarget | Dark Reading | CyberScoop
CISA Adds Four Actively Exploited Flaws to KEV, Including the First AI Agent Platform
CISA added four vulnerabilities to its Known Exploited Vulnerabilities catalog with a July 10 federal remediation deadline: Adobe ColdFusion path-traversal RCE CVE-2026-48282 (CVSS 10.0), Joomla SP Page Builder file upload CVE-2026-48908 (CVSS 10.0), Joomlack Page Builder CK access-control flaw CVE-2026-56290 (CVSS 10.0), and Langflow auth-bypass CVE-2026-55255. The ColdFusion bug saw exploitation begin within roughly two hours of public disclosure. Langflow's inclusion marks the first time an AI-agent orchestration platform has appeared in the catalog, and it is the same flaw JadePuffer weaponized.
Why it matters: Patch-Tuesday cadence is now far too slow for maximum-severity flaws, and AI development infrastructure has formally entered the exploited attack surface.
Sources: SecurityWeek | The Hacker News | Help Net Security
CitrixBleed 2 Drives a Repeatable Seven-Step DragonForce Ransomware Playbook
Huntress investigated roughly half a dozen intrusions across unrelated organizations in the first half of 2026 and found an identical seven-step attack chain, each beginning with exploitation of CitrixBleed 2 (CVE-2025-5777) and culminating in DragonForce ransomware. The uniformity of the chain across unrelated victims points to a productized initial access broker to ransomware pipeline rather than one-off compromises, with session-token theft from vulnerable Citrix appliances providing the standardized foothold.
Why it matters: Any exposed, unpatched NetScaler/Citrix appliance is now a scheduled victim, not a hypothetical exposure, and defenders should hunt for session-token abuse rather than wait.
Sources: Huntress | IT Security Guru
Oracle PeopleSoft Zero-Day Breaches 100+ Organizations, Fueling ShinyHunters' Wave
A single Oracle PeopleSoft zero-day, CVE-2026-35273, allowed the ShinyHunters extortion group to breach more than 100 organizations ranging from the University of Nottingham to Nissan, converting one shared vendor flaw into simultaneous cross-industry incidents. The campaign feeds a broader ShinyHunters spree that drove Medtronic to notify 3.8 million people, leaked 2.3 million Moody Bible Institute records, claimed 21 million Fluke Salesforce records, and dumped roughly 297GB on more than 10,000 Council of Europe personnel.
Why it matters: Shared HR/ERP software converts third-party risk into systemic risk; your exposure is set by every vendor sharing that codebase, not just your own patch cadence.
Sources: Supplier Shield | ThaiCERT | Sentinel
AssuranceAmerica Breach Exposes 6.9 Million Driver's License Numbers
U.S. auto insurer AssuranceAmerica confirmed a breach affecting up to 6.9 million people after attackers compromised an employee account, in what TechCrunch calls the largest known theft of Americans' driver's license information this year. The exposed data spans names, license numbers, and insurance records across the 14 states served through the insurer's 9,500-plus independent agents. The root cause, a single compromised credential, mirrors the social-engineering breach at AdaptHealth disclosed the same week.
Why it matters: Driver's license numbers cannot be rotated like passwords, so this dataset fuels synthetic-identity fraud and account takeover for years, and identity, not perimeter, is the dominant initial-access vector this cycle.
Sources: SecurityAffairs | TechCrunch | Malwarebytes
SharePoint RCE Exploited by Warlock Ransomware After Microsoft Rated It "Less Likely"
CISA added CVE-2026-45659, a CVSS 8.8 deserialization RCE in on-premises SharePoint Server, to KEV after confirming exploitation, despite Microsoft originally assessing the bug as lower-probability. Critically, it requires only baseline Site Member permissions, not farm-admin rights, and over the July 4 weekend the Warlock ransomware operation was observed chaining it to breach one network and pivot into a second. Shadowserver counts more than 10,000 internet-exposed SharePoint servers of unknown patch status.
Why it matters: Site Member access is trivially obtained through phishing in large enterprises, and vendor "less likely" exploitability predictions keep getting overtaken by reality, so weight KEV listing and privilege bar over predicted probability.
Sources: DIESEC | StackPulse | Petri
'GodDamn' Ransomware Deploys Microsoft-Signed PoisonX Driver to Kill EDR
Symantec's Threat Hunter Team identified GodDamn, a rebrand of the Beast/Monster lineage run by the actor tracked as Hyadina, using a malicious-but-Microsoft-signed kernel driver dubbed PoisonX to disable security software on U.S. targets in a Bring-Your-Own-Vulnerable-Driver attack. Because the driver carries a valid Microsoft signature, it loads at the kernel level and neutralizes EDR before ransomware deployment; operators also abuse AnyDesk, PsExec, and NirSoft tooling.
Why it matters: A Microsoft-signed malicious driver defeats the code-signing trust model endpoint defenses depend on, so even fully patched, EDR-equipped organizations can be blinded pre-encryption; deploy Microsoft's vulnerable-driver blocklist now.
Sources: SecurityAffairs | Dark Reading
North Korea Escalates: Kim Orders RGB Expansion as April Crypto Theft Hits $577M
Kim Jong Un directed a significant expansion and reorganization of the Reconnaissance General Bureau while TRM Talks disclosed that DPRK-linked actors stole $577 million in cryptocurrency in April 2026 alone. That figure encompasses the $285 million Drift Protocol drain, which Sanctuary attributed to UNC4736 (Citrine Sleet) and linked through a shared wallet graph to North Korea's IT-worker revenue network, exposing how offensive operations and illicit revenue laundering converge in one financial pipeline.
Why it matters: Cyber-enabled theft is now formal state strategy funding the weapons program, reframing every DPRK crypto incident as resourced nation-state activity feeding a single laundering and IT-worker infrastructure.
Sources: Bitcoin World | Crypto Briefing | Sanctuary
Former Ransomware Negotiator Sentenced to 70 Months for Extorting His Own Clients
Angelo John Martino III, a former negotiator at incident-response firm DigitalMint, was sentenced to 70 months in prison for conspiring with ransomware affiliates to extort a combined $75.3 million from five U.S. companies he was hired to protect. Per the Justice Department, Martino shared confidential material gained during his negotiator role, including victim details, with the attackers; the FBI tied related BlackCat/ALPHV activity to more than 60 breaches.
Why it matters: The trusted third party brought in at the moment of maximum leverage became the leverage itself; expect renewed scrutiny of vetting, access-segmentation, and audit logging inside IR vendors, not just at victim companies.
Sources: CyberScoop | BleepingComputer
Iranian APTs Turn Toward AI Infrastructure via ShadowRay and ActiveMQ
Analysts flagged a convergent exploitation window in which Iranian activity linked to VOID MANTICORE and OilRig targets unpatched AI/ML infrastructure through CVE-2023-48022 (the "ShadowRay" Ray flaw, KEV, CVSS 9.8) bridged to CVE-2023-46604 (ActiveMQ deserialization, KEV, CVSS 10.0). Ray clusters and ActiveMQ brokers frequently sit in the same distributed-training pipelines, and both carry long-standing maximum-severity KEV flaws often stood up by data-science teams outside standard patch governance.
Why it matters: Iranian targeting is now opportunistic by exposure rather than confined to water and power infrastructure, so external attack-surface inventory of AI systems should be prioritized before adversaries pivot from broker to compute-heavy cluster.
Sources: ThreatClaw | Dark Reading
KDDI Breach Hits 12 Million Through Shared ISP Email Infrastructure
Japanese telecom giant KDDI confirmed a June 17 breach affecting over 12 million people, stemming from unauthorized access to a KDDI-developed system underpinning the email infrastructure of five ISPs: STNet, JCOM, Chubu Telecommunications, NIFTY, and BIGLOBE. KDDI's own mobile and fixed-line email services run on separate infrastructure and were unaffected. A single compromised back-end component became the blast radius for five downstream providers.
Why it matters: Consolidated infrastructure multiplies blast radius, and telecom email is a high-value target because it enables account-recovery hijacking and large-scale phishing against a verified subscriber base.
Sources: SecurityWeek | BleepingComputer
China-Linked UAT-7810 Fields LONGLEASH Router Implant to Harden ORB Networks
Cisco Talos tracks UAT-7810, a China-based cluster that builds Operational Relay Box infrastructure other China-aligned actors route through, now upgrading its implant from SHORTLEASH to LONGLEASH against primarily unpatched Ruckus enterprise wireless routers. The new implant retains the "ff-agent" codebase but adds reverse-shell, multi-protocol proxying, and, critically, intermediate C2 relay/forwarding, letting a single compromised router forward traffic for others.
Why it matters: Adding an intermediate relay deepens the anonymization layer shielding multiple Chinese operations, hardening the ORB mesh and making upstream attribution and takedown harder; treat unpatched edge networking gear as prime relay-recruitment targets.
Sources: Cisco Talos | BleepingComputer | SecurityWeek
UNK_MassTraction Raids University Mail Servers Across the U.S. and Canada
Proofpoint disclosed a suspected Chinese espionage campaign that has, since at least May, exploited a Roundcube webmail exploit chain to breach university mail servers and steal credentials from staff in physics, engineering, and national-security research. Proofpoint directly observed fewer than ten affected universities but estimates a few dozen, with deliberate targeting of astrophysics and particle-physics faculty tied to defense-relevant research.
Why it matters: The targeting profile signals strategic intelligence collection, not financial theft, and mail-server compromise is a durable foothold that grants access to unpublished research and often outlives detection in chronically under-resourced university IT.
Sources: Proofpoint | CyberScoop
Fancy Bear (APT28) Hides Shellcode in PNGs to Launch a Fileless C# Backdoor
360 Advanced Threat Research detailed an APT28/APT-C-20 chain that begins with a macro-laden Word document targeting a defence ministry, then uses COM hijacking of explorer.exe for persistence and LSB steganography inside AES-encrypted PNG images plus reflective loading to stage a remote-control Trojan entirely in memory. The final backdoor beacons through legitimate cloud storage for C2, leaving no plaintext files on disk.
Why it matters: Combining steganographic delivery, COM-hijack persistence, and reflective in-memory loading marks a maturation toward fully fileless tradecraft; defenders relying on static and file-scanning controls have little to detect and must shift to memory and behavioral telemetry.
Sources: HEAL Security | GBHackers | CyberPress
AI News
OpenAI Ships the GPT-5.6 Family One Point Behind Anthropic's Frontier
OpenAI publicly released GPT-5.6 on July 9 in three variants: Sol (flagship), Terra (mid-tier), and Luna (budget). On Artificial Analysis's Intelligence Index, Sol at max reasoning scored 59, a single point behind Claude Fable 5's 60, while costing roughly one-third as much, and it topped the Coding Agent Index within OpenAI's Codex harness. All three tiers went live in GitHub Copilot immediately.
Why it matters: Anthropic still holds the top intelligence spot, but a one-point gap at one-third the cost reframes the frontier as a price-performance contest, making near-frontier at commodity pricing the new default expectation for builders.
Sources: Artificial Analysis | TechCrunch | GitHub Changelog
The Reality Check: Sol Tops ARC-AGI-3 With Just 7.8%
The same GPT-5.6 Sol that nearly matched the intelligence frontier became the first model to make "meaningful progress" on ARC-AGI-3, with a score of 7.8%. Commentators called the number simultaneously "scandalously bad and scandalously good": a record on a benchmark built to resist current architectures, yet a stark reminder of how far models remain from fluid, novel reasoning.
Why it matters: When a model scores 59/60 on aggregate intelligence but under 8% on genuine generalization, it maps the capability ceiling precisely, brilliant on training-distribution tasks and near-helpless out of distribution, exposing "frontier" as a marketing frame rather than a solved problem.
Sources: OfficeChai | The Algorithmic Bridge
ChatGPT Work Turns GPT-5.6 Into an Hours-Long Autonomous Agent
Alongside the model launch, OpenAI unveiled ChatGPT Work, an agent built on GPT-5.6 and Codex that can "stay with a project for hours" and turn a goal into finished output. It ships with a Codex-integrated desktop app and a hosted-sites service, effectively merging ChatGPT and Codex into one super app, and OpenAI frames it as solving the early-stopping problem that stalled last year's Atlas Agent Mode after a few minutes.
Why it matters: Sustained multi-hour autonomy, not raw intelligence, is the threshold separating a copilot from a coworker, and it shifts the product battleground from model quality to how long an agent can reliably stay on task.
Sources: The Decoder | Ars Technica
Meta Enters the Coding War With Muse Spark 1.1 and a Price Cut
Meta launched Muse Spark 1.1, a multimodal reasoning model for agentic coding and computer use with a one-million-token context window, on the same day as OpenAI and Anthropic's releases. Its paid developer API, Meta's first time charging for model access, is priced at $1.25 per million input tokens and $4.25 per million output, with $20 in free credits, deliberately undercutting incumbents.
Why it matters: Meta competing on price and monetizing a frontier model marks a strategic break from its open-weights-only posture, and three labs shipping coding-agent products on a single day confirms agentic coding as the industry's central commercial battleground.
Sources: TechCrunch | The Decoder | Quartz
A Government Greenlight Now Gates Frontier Model Releases
GPT-5.6 Sol reached wide public availability only after government sign-off, through what reporters describe as a secretive, ad hoc approval system resting on an executive order with unfilled specifics. Sol had been gated to roughly 20 federally vetted organizations since its June 26 introduction, marking the first time a U.S. lab gave the government a say in who could access its most capable model. A companion executive order expanded federal cybersecurity oversight of advanced AI.
Why it matters: Frontier U.S. releases now pass through a national-security gate rather than just internal safety evals, and the opacity of the mechanism, with no published criteria, makes governance itself a release-gating capability that builders cannot predict.
Sources: The Verge | TechCrunch | Axios
The EU's AI-Content Labeling Clock Starts Ticking Toward Article 50
The European Commission published its formal adequacy opinion on the Code of Practice on Transparency of AI-Generated Content on July 9, starting a 24-day countdown to August 2 enforcement of Article 50 transparency obligations. The Council also gave final green light to the Digital Omnibus amending the AI Act, which retains Article 50(2)'s requirement that AI-generated or manipulated content be marked in machine-readable format. Brussels unveiled a parallel AI and cybersecurity Action Plan the same week.
Why it matters: Synthetic-media watermarking moves from roadmap item to a three-week deadline for any lab shipping generative output into the EU, sharpening a transatlantic divergence where Europe codifies provenance obligations while Washington leans on discretionary cybersecurity review.
Sources: TechTimes | Lewis Silkin
Google DeepMind Releases Gemma 4 With an Encoder-Free Multimodal Design
Google DeepMind published the Gemma 4 technical report, releasing open-weight, natively multimodal models spanning 2.3B to 31B parameters in dense and MoE variants. The headline architectural choice is an encoder-free 12B unified design with a built-in reasoning mode that folds vision directly into the language backbone rather than bolting on a separate vision encoder; the 31B flagship runs unquantized on a single H100.
Why it matters: An encoder-free unified architecture collapses the multimodal stack into a single inspectable, fine-tunable open model, keeping competitive pressure on the closed labs exactly where they are most constrained by government gating: accessibility.
Sources: Oflight Inc. | xix.ai
AWS Open-Sources 'Loom' for Building Secure AI Agents at Scale
Amazon introduced Loom, an open-source framework for building and operating AI agents securely at enterprise scale, positioning agent security and governance as first-class infrastructure concerns rather than post-deployment afterthoughts. The release lands amid a broader enterprise push, alongside NVIDIA's Nemotron agent stack and IBM's Bob, toward containment and control as the binding constraint on production agents.
Why it matters: As agents graduate from demos to production, the constraint shifts from raw model capability to trust, permissions, and containment, and AWS open-sourcing its approach is a bid to make its cloud the default substrate for agentic workloads.
Sources: AWS Open Source Blog
NVIDIA Nemotron and LangChain 'Deep Agents' Undercut Closed Models by 10x
LangChain and NVIDIA launched the NemoClaw Deep Agents blueprint, a reference architecture that tunes LangChain's Deep Agents harness for the open Nemotron 3 Ultra model. LangChain reports the highest accuracy among open models on its Deep Agents benchmark while running at roughly 10x lower inference cost per run than leading closed models, with deny-by-default networking and self-owned audit trails.
Why it matters: A 10x cut in per-run inference changes the unit economics of putting agents into production, where token consumption compounds fast, and signals open models becoming viable on the axis enterprises actually care about: cost and throughput per completed task.
Sources: NVIDIA Blog | LangChain
Anthropic Identifies a 'Global Workspace' Inside Claude
A new Anthropic interpretability paper identifies internal patterns, nicknamed "J-space," that appear to let Claude reason deliberately and can reveal thoughts the model never writes down in its output. Read via a technique the company calls the Jacobian Lens, modifying concepts in J-space causally changes Claude's downstream outputs, and the framing borrows explicitly from cognitive science's global workspace theory.
Why it matters: Reading deliberative reasoning a model does not verbalize attacks the core problem that chain-of-thought text may not reflect what a model is actually doing, undercutting safety approaches that rely on reading visible outputs.
Sources: The Decoder | Anthropic
Claude Mythos Preview Tops Independent Reasoning and Math Leaderboards
Independent reasoning rankings updated July 10 place an as-yet-unshipped Claude Mythos Preview first for reasoning tasks, scored across GPQA Diamond, ARC-C, and related benchmarks, followed by Claude Fable 5, across a field of 268 models. LLM-Stats' math leaderboard similarly placed Mythos Preview first with Meta's Muse Spark second across 175 models and 82 benchmarks.
Why it matters: A preview model surfacing atop public benchmarks before any product announcement is a signal of the next competitive move, and confirms the frontier race is now measured in single-point margins across multiple independent evaluators rather than any one vendor's claims.
Meta Ships Muse Image and Opts Instagram Users In by Default
Meta Superintelligence Labs launched Muse Image on July 7, its first generative image model, deployed directly inside Meta AI, WhatsApp, and Instagram, with a Muse Video sibling teased alongside it. The model can remix and generate images from user prompts and can draw on photos published by any public Instagram profile, since all public-profile users were automatically opted in, drawing immediate privacy backlash.
Why it matters: Shipping straight to a billion-user surface is a distribution advantage no rival can match, but the default opt-in over public content runs headfirst into the EU's tightening enforcement posture, assuming consent the regulatory environment is increasingly unwilling to grant.
Sources: Meta Newsroom | TechCrunch | Axios
Agentic Security Research Piles Up: Injection, Memory Poisoning, and Spoofed Approvals
A wave of papers mapped the expanding attack surface under production agents. Seoul National University and UIUC researchers demonstrated Agent Data Injection Attacks that smuggle adversarial instructions into trusted data fields; Torres, Shrestha, and Misra showed persistent-memory agents can be poisoned so malicious "memories" survive across sessions; and Wiz disclosed GhostApproval, a trust-boundary flaw where a human "approve" signal is silently applied to a different, attacker-controlled action.
Why it matters: Every ingested field, stored memory, and human approval gate is now attack surface, so defenders granting agents write or execution privileges without provenance tagging, memory integrity controls, and cryptographically bound approvals are exposed today.
Sources: arXiv 2607.05120 | arXiv 2607.06595 | Wiz Blog
Active Exploitation Watchlist + Notable CVEs
Every CVE below had confirmed active exploitation or KEV listing flagged during the week of Jul 7 to 13, 2026, sorted by severity.
| CVE | Product | Severity | Status | Action |
|---|---|---|---|---|
| CVE-2026-48282 | Adobe ColdFusion | 10.0 Critical | Actively Exploited | Patch Now |
| CVE-2026-48908 | Joomla / JoomShaper SP Page Builder | 10.0 Critical | Actively Exploited | Patch Now |
| CVE-2026-56290 | Joomlack Page Builder CK | 10.0 Critical | Actively Exploited | Patch Now |
| CVE-2023-46604 | Apache ActiveMQ | 10.0 Critical | Actively Exploited (KEV) | Patch Now |
| CVE-2023-48022 | Ray | 9.8 Critical | Actively Exploited (KEV) | Patch Now |
| CVE-2026-12569 | PTC Windchill PDMLink / FlexPLM | 9.3 Critical | Actively Exploited | Patch Now |
| CVE-2026-45659 | Microsoft SharePoint Server | 8.8 High | Actively Exploited | Patch Now |
| CVE-2026-54420 | LiteSpeed cPanel Plugin | 8.5 High | Actively Exploited (KEV) | Patch Now |
| CVE-2026-20245 | Cisco Catalyst SD-WAN Manager | 7.8 High | Actively Exploited (No Patch) | Mitigate |
| CVE-2025-5777 | Citrix NetScaler | N/A Critical (KEV) | Actively Exploited | Patch Now |
| CVE-2026-55255 | Langflow | N/A Critical (KEV) | Actively Exploited | Patch Now |
| CVE-2026-35273 | Oracle PeopleSoft | N/A Critical (KEV) | Actively Exploited | Patch Now |
| CVE-2025-53521 | F5 BIG-IP | N/A High (KEV) | Actively Exploited | Patch Now |
Note: CISA also added an actively exploited Drupal Core SQL injection flaw and a SolarWinds Serv-U DoS flaw to KEV this cycle; specific CVE identifiers were not enumerated in this week's reporting.
The Edge
For a decade, the entire economics of intrusion rested on one scarce resource: a skilled human at a keyboard. Dwell time, tooling mistakes, the hesitation to pull the trigger on encryption, these were not bugs in the attacker's process, they were the seams defenders pried open. This week, Sysdig documented an actor that has none of them. JadePuffer planned, breached, escalated, and encrypted with no operator, diagnosing a failed login in 31 seconds and rewriting its own payload to route around it. It is easy to file this under novelty. Don't. The interesting detail is not that it worked, it is that it worked badly, and still won, encrypting 1,342 items and then failing to save the decryption key because its grasp of extortion economics was broken. An autonomous attacker optimizes for its objective function, not for the implicit pay and recover contract that made ransomware survivable. The next one will optimize better, and the one after that will not need to be told what to want.
Notice that JadePuffer entered through Langflow, an AI-orchestration platform, which landed in CISA's KEV catalog the same week as the first AI-agent tooling ever listed. That is the whole shape of the week in one sentence: the same infrastructure enterprises are racing to deploy, ungoverned, is simultaneously the weapon and the target. Armored Likho is writing malware with generative models. Iranian crews are hunting Ray clusters and ActiveMQ brokers, the AI stacks your data-science teams stood up outside patch governance. Meanwhile the academic pipeline this week, ADIA, memory poisoning, GhostApproval, MOSAIC, is a running catalog of how to subvert the agents you are about to hand write access. The attack surface and the attacker are converging on the same substrate.
The uncomfortable part is that the defensive answer everyone is reaching for is more of the same substrate. AWS shipped Loom, NVIDIA and LangChain shipped a 10x-cheaper agent stack, OpenAI shipped an agent that stays on task for hours, all in one week, all governance and containment framed. We are building autonomous defenders to fight autonomous attackers, which means the failure mode you should fear is not the flashy agentic ransomware headline. It is the boring one: an agent with kernel-adjacent privileges, a spoofable approval gate, and a poisoned memory it will trust next Tuesday. GhostApproval already showed the human-in-the-loop can be decoupled from what actually executes. The last line of defense is being quietly automated away right as the thing it defends against gets automated.
So here is what to watch and what to do before the quarter is out. Instrument your AI stack the way you instrument your DMZ, because a Langflow or Ray server your team forgot about is now indistinguishable from an internet-facing VPN gateway in an attacker's target list. Cryptographically bind every agent approval to an immutable action payload, treat every ingested field and stored memory as untrusted input, and assume the exploitation window on any newly disclosed edge flaw is now measured in hours, ColdFusion went from patch to in-the-wild in two. The perimeter conversation is over. The real question for the back half of 2026 is whether your own agents are defenders you can audit or attack surface you deployed and never watched. This week, the attackers answered first.