CTI Daily Brief — 2026-06-30

CERT Polska discloses a JAR parser-confusion RCE in the SzafirHost e-signature client (CVE-2026-13165)

CERT Polska disclosed CVE-2026-13165 in SzafirHost, a Java-based e-signature and trusted-timestamping client developed by Krajowa Izba Rozliczeniowa (KIR) (CERT Polska, 2026-06-29). The bug — assigned CWE-434 (Unrestricted Upload of File with Dangerous Type) — is a Java parser-confusion leading to remote code execution: SzafirHost verifies a JAR's signature with JarFile (which reads the ZIP Central Directory at the end of the archive) but extracts with JarInputStream (which walks local file headers sequentially). An attacker who can deliver a crafted JAR — for example a tampered update package or document — embeds a malicious native library between the last legitimate entry and the Central Directory; the signature walk never sees the injected entry (and archive-size validation still passes), but extraction writes the library to disk without hash verification, where it is then loaded and executed. CERT-PL is the disclosing authority and reports no in-the-wild exploitation; the fix is SzafirHost v1.2.2.

Why it matters to us: Qualified e-signature clients like SzafirHost sit in eIDAS-regulated document workflows used across EU public administration and finance, and they routinely process externally-supplied signed files — exactly the delivery path this bug needs. Inventory SzafirHost versions on signing workstations and push v1.2.2; the underlying JarFile-vs-JarInputStream confusion is a transferable hunting pattern for any Java signature-verification tooling. Detection concept: watch for unexpected native-library creation in Java temp directories during SzafirHost invocation, and JVM startup arguments referencing unexpected library paths.

Mustang Panda abuses Zoho WorkDrive as a dead-drop C2 channel (ZOHOMURK) against government and energy targets

Acronis Threat Research Unit documented two coordinated June 12–22 campaigns by China-aligned Mustang Panda (also tracked TA416 / HIVE0154 / BRONZE PRESIDENT) against Indian government bodies and hydropower-sector entities (Acronis TRU, 2026-06-29 · The Hacker News, 2026-06-29). Initial access is spear-phishing with ZIP-delivered lures (a hydropower cooperation proposal; an India–Taiwan memorandum of understanding). The toolkit introduces SHARDLOADER (DLL side-loading through a legitimate Solid PDF Creator / Citrix Receiver binary, loading shellcode from fragmented files to defeat static scanning — T1574.002), MINIRECON (a reworked Toneshell variant beaconing over wss://), and ZOHOMURK, which carries hardcoded Zoho OAuth credentials to drive an attacker-controlled WorkDrive account as a dead-drop resolver (T1102.001) — reading operator commands from an "inbox" folder and writing exfiltrated output to an "outbox", blending all C2 with legitimate workdrive.zoho.com API traffic.

Why it matters to us: Abusing a legitimate SaaS platform's API for C2 defeats egress controls that allowlist well-known cloud providers — the traffic blends with sanctioned workdrive.zoho.com calls. EU public-sector SOCs should extend CASB/DLP allowlisting to less-obvious SaaS such as Zoho WorkDrive and alert on OAuth token grants for cloud apps that are not sanctioned business tools.

Hijacked npm and Go packages weaponise VS Code's `folderOpen` task autorun to drop a credential-stealing Python implant

JFrog Security Research disclosed two compromised npm packages (html-to-gutenberg v4.2.11, fetch-page-assets v1.2.9, uploaded 2026-05-25) plus 16 malicious Go packages carrying an identical chain (JFrog Security Research, 2026-06-24 · The Hacker News, 2026-06-29). A hidden eslint-check task in .vscode/tasks.json is configured with runOn: "folderOpen", so opening the project as a trusted workspace in VS Code or Cursor auto-executes the payload — deliberately sidestepping npm v12's lifecycle-script hardening that blocked preinstall/postinstall scripts by default. The payload (disguised as a fa-solid-400.woff2 font) pulls AES-encrypted stages from blockchain transaction data via TronGrid and Aptos APIs (a takedown-resilient dead-drop), then runs a cross-platform Python infostealer targeting browser stores, password managers, crypto wallets, and cloud-provider configs (AWS/Azure/GCP). Mapped to T1195.001, T1059.006, T1020.

Why it matters to us: Detection teams that added EDR coverage for node.exe→python chains under npm install will miss this — the parent is code.exe→python triggered by opening a folder. Add a CI/CD repository-scan rule for .vscode/tasks.json containing runOn: "folderOpen", and treat dependency-shipped .vscode/ directories as untrusted; enforce VS Code Workspace Trust so untrusted folders cannot auto-run tasks.

CVE-2026-48558 — SimpleHelp RMM: OIDC SSO authentication bypass, actively exploited

CVE-2026-48558 (CVSS 10.0) is an OIDC SSO authentication bypass in SimpleHelp Remote Monitoring and Management. The OIDC callback handler accepts an identity token without verifying its cryptographic signature (CWE-347), so an attacker can forge an arbitrary token and obtain a full Technician-level session; MFA is also bypassed on first OIDC login (Horizon3.ai, 2026-06-12). Exploitation requires the instance to have an OIDC provider configured, a TechnicianGroup bound to it, and "Allow group authenticated logins" enabled — Horizon3.ai measured ~14,000 internet-exposed servers, ~7.2% (~1,000) with a vulnerable OIDC configuration. CISA added it to the KEV catalog on 2026-06-29; the listing flag confirms active exploitation in the wild. Patched in v5.5.16 / v6.0 RC2 (vendor advisory issued May 2026). Observed follow-on: deployment of the new cross-platform Djinn infostealer via a "TaskWeaver" loader persisting through scheduled tasks (schtasks.exe) / launchd plists (BleepingComputer, 2026-06-29). Hunt: Technician logins not correlated with MFA/VPN events; SimpleHelpServer.exe/SimpleHelp.exe spawning powershell.exe/cmd.exe/wscript.exe (Sysmon EID 1, parent-image filter).

CVE-2026-54305 / CVE-2026-54307 — n8n: OAuth credential hijack and cross-tenant credential access in shared deployments

NCSC-NL advisory NCSC-2026-0212 batches a set of GitHub Security Advisories against the n8n workflow-automation platform (NCSC-NL, 2026-06-29). The top flaw, CVE-2026-54305 (CVSS 8.9), is in the Dynamic Credentials Enterprise Edition endpoints: missing ownership/scope checks let any authenticated user enumerate credential IDs and initiate OAuth flows that overwrite — or revoke — another tenant's OAuth tokens, a cross-tenant integration takeover and lateral-movement path (T1078.004, T1548) (GitHub Security Advisory GHSA-2j5h-858j-5mpf). CVE-2026-54307 (CVSS 8.5) lets editor-level users read other users' credentials via the public API in shared instances (T1552.001) (GitHub Security Advisory GHSA-pmqw-72cg-wx85). The same batch also fixes unauthenticated workflow execution via the MicrosoftAgent365Trigger and StripeTrigger webhook nodes (path-token matching with no HMAC signature verification), CSP bypass, Chat-Trigger JS injection, and HTTP-Request-node prototype pollution. Affected trains: < 1.123.55, < 2.24.0, < 2.25.7, < 2.26.1, < 2.26.2. No in-the-wild exploitation reported. Hunt: unexpected OAuth grant changes in connected IdPs; credential-management API calls from non-owner users; unauthenticated POSTs to trigger endpoints.

CVE-2026-8037 — Progress Kemp LoadMaster: pre-auth RCE via uninitialized heap in the `/accessv2` API

CVE-2026-8037 (CVSS 9.8) is a pre-authentication RCE in Progress Kemp LoadMaster, an edge load balancer (watchTowr Labs, 2026-06-29 · Trend Micro ZDI, 2026-06-09). The escape_quotes() function in the access executable allocates buffers via uninitialized malloc() without null-terminating escaped strings; a sprayed JSON payload to /accessv2 (four single-quotes expanding to 16 bytes) overwrites heap metadata in adjacent freed chunks, and the subsequent __sprintf_chk() reads out-of-bounds into attacker-controlled data, reaching code execution as root with no authentication. watchTowr published the full mechanics. Affected: GA ≤ 7.2.63.1 and LTSF ≤ 7.2.54.17; fixed in v7.2.63.2 (which switches to calloc() with proper null termination). A second bulletin CVE, CVE-2026-33691, bypasses file-upload extension checks via OWASP CRS whitespace padding. Progress reports no known active exploitation. Hardening: patch to v7.2.63.2 and restrict the management interface to a dedicated admin VLAN; perimeter anomaly detection for unusual character sequences in JSON POSTs to /accessv2.

Microsoft disrupts StegoAd — 119 Edge extensions hid payloads in image and font files via steganography

Microsoft's Edge security team detailed and disrupted StegoAd, 119 malicious extensions across 90+ developer accounts with a combined ~2.6M installs, masquerading as ad blockers, VPNs, translators, and downloaders (Microsoft Edge Security, 2026-06-16 · Risky Biz News, 2026-06-29). The core trick hides executable payloads after the IEND marker of PNG icon files (later WebP images and WOFF2 fonts), passing standard scanner analysis; extensions stay dormant 3–5 days, detect DevTools, and validate requests server-side to dodge sandboxes. Payloads ranged from Google/WordPress credential theft and cookie collection to affiliate-commission hijack, ad fraud, and an RCE backdoor, with failover C2 across 10+ domains fronted by Cloudflare Workers and Google Analytics properties used as a covert channel. The Hacker News reports overlap with the China-linked DarkSpectre operation (prior ShadyPanda / GhostPoster extension campaigns) (The Hacker News, 2026-06-29); the Microsoft Edge write-up itself does not name DarkSpectre. Hunt: extensions with multi-day activation delays; data after IEND in PNGs or at unusual WOFF2 offsets; browser-process requests to Cloudflare Workers domains not matching the installed manifest origin.

A malicious "Perplexity AI" Chrome extension intercepted every address-bar keystroke via a search-suggest override

Microsoft Defender researchers found a malicious Chrome extension ("Search for perplexity ai") that abused Chrome's search-settings override API — specifically the suggest_url parameter — to exfiltrate every character typed into the address bar in real time before redirecting to legitimate results (Microsoft Security Blog, 2026-06-29 · The Hacker News, 2026-06-30). It used declarativeNetRequest rules for a two-hop redirect: the first hop shipped the query plus live autocomplete keystrokes to attacker infrastructure (server-side Node.js logging full headers, UA, and source IP), the second returned real results so the user noticed nothing. Google pulled the extension after disclosure. It is part of a broader AI-brand-impersonation trend Microsoft is tracking.

Why it matters to us: AI-brand impersonation is an easy lure for staff reaching for popular assistant tools. Enforce an enterprise extension allowlist via Group Policy / Intune, and monitor Chromium policy for unexpected changes to DefaultSearchProviderSuggestURL on endpoints with access to sensitive systems.

UPDATE: Public PoC released for the libssh2 pre-auth heap write (CVE-2026-55200)

UPDATE (originally covered 2026-06-28): A public proof-of-concept scaffold for CVE-2026-55200 (CVSS 9.2) appeared on 2026-06-29, and no official libssh2 release carrying the fix has been tagged yet — the patch commit was merged to mainline on 2026-06-12 but downstream consumers must build from source or pin manually (The Hacker News, 2026-06-29).

The flaw is in ssh2_transport_read() in transport.c, which fails to bound the attacker-controlled packet_length field during the SSH transport handshake; a 0xffffffff value triggers an integer overflow so malloc allocates a tiny buffer while the subsequent write fills the full oversized packet, corrupting the heap before authentication (VulnCheck, 2026-06-17). Because libssh2 is the client linked into git, curl, PHP, and many CI/CD runners, a malicious or compromised SSH server can corrupt memory in connecting clients — the supply-chain/CI-CD direction is the realistic risk. Pin or rebuild libssh2 from the patched commit in pipeline images now, and surface libssh2 versions through SBOM tooling.

UPDATE: DirtyClone Linux kernel LPE (CVE-2026-43503) now has a confirmed working exploit on default Debian/Fedora

UPDATE (originally covered 2026-06-27): JFrog Security Research published a working-exploit write-up for CVE-2026-43503 (DirtyClone, CVSS 8.8), confirmed against Debian, Ubuntu, and Fedora (JFrog Security Research, 2026-06-25 · The Hacker News, 2026-06-29).

__pskb_copy_fclone() drops the SKBFL_SHARED_FRAG flag that marks memory as file-backed during packet cloning; an attacker with CAP_NET_ADMIN (reachable on Debian/Fedora via unprivileged user namespaces by default) wires a privileged binary's pages into a cloned packet, then routes it through an attacker-controlled IPsec tunnel so in-place decryption overwrites in-kernel login checks — granting root with no file-system trace. Mainline is fixed (commit since 2026-05-21); distribution backports are rolling. Until backports land: set kernel.unprivileged_userns_clone=0 on Debian/Ubuntu and blacklist the esp4/esp6 modules to remove the IPsec in-place-decryption primitive. Hunt namespace-creation events granting CAP_NET_ADMIN and su/sudo spawned from non-privileged parents without a TTY.

UPDATE: US posts $10M bounty on the Russia-nexus Signal/WhatsApp crews and adds Signal Backup-Recovery-Key theft to the advisory

UPDATE (originally covered 2026-06-27): The US Department of State's Rewards for Justice program posted a $10 million reward on 2026-06-29 for information on members of UNC5792 (assessed associated with Russia's FSB) and UNC4221 (assessed associated with the GRU), and the FBI/CISA advisory was updated with a newly observed tactic — theft of Signal Backup Recovery Keys (Rewards for Justice, 2026-06-29 · BleepingComputer, 2026-06-29).

The recovery-key tactic is the operationally material change: a stolen backup recovery key is persistent — even after the victim rotates their phone number or reinstalls, the attacker can restore the full message backup, including prior history and group content, so access survives the initial social-engineering window (SecurityWeek, 2026-06-29). Targets are current/former government and military officials, political figures, journalists, and Ukraine-based officials across Europe and the US. Swiss federal and cantonal officials using Signal should treat backup-recovery-key protection (and re-checking the NCSC-CH Signal guidance covered 2026-06-25) as an action item, not a watch item.