The numbers coming out of Redmond this week are almost hard to believe — 570 security holes sealed in a single Tuesday, more than triple what was already a record-breaking June. Microsoft says AI is the reason, and they are probably telling the truth. But the subtext is harder to ignore: if AI finds bugs at this rate for defenders, it is doing the same for attackers, and the gap between disclosure and exploitation is shrinking to hours.

That tension, acceleration on both sides of the fence, ran through everything I read this week, from SonicWall zero-days exploited three weeks before the vendor went public, to CISA’s own mea culpa about credentials left exposed on GitHub for six months. This is the shape of things to come, and it is not entirely comfortable.

cover

In brief

  • Microsoft shipped 570 patches in a single Patch Tuesday, three times last month’s record, and admitted AI is the accelerant behind the numbers.
  • CISA published a rare public postmortem of its own GitHub credential leak — and the gaps it identified should make every security team re-evaluate their incident response playbook.
  • Chinese and Indian espionage actors were found operating against the same Pakistani law enforcement targets, each drawn by different stakes in the country’s internal security.
  • SonicWall SMA1000 appliances are being hit by two chained zero-days, exploited in the wild since June 22 — and CISA has added both to the KEV catalog.
  • Samsung threatened to delete users’ health data if they refused AI training consent, then rapidly backtracked under user pressure.
  • Scattered Spider leaders were sentenced to 66 months in a UK prison, though researchers warn the group’s brand is still being used in new attacks.

Digital forensics & DFIR

  • Lessons Learned from CISA’s Recent GitHub Leak — Krebs on Security — CISA issued a postmortem after a contractor published internal credentials, including AWS GovCloud keys, in a public GitHub repo for six months before Krebs himself alerted the agency. The report acknowledges it took over 48 hours to rotate exposed keys, admits the reporting channels were broken, and confirms nine automated alerts from GitGuardian went unanswered. The most damning line is buried in the analysis: “Letting nine notification emails go unanswered is how a one-day incident becomes a six-month exposure.” If a national cybersecurity agency can miss this, everyone else should probably assume they are missing it too.

  • HollowByte DDoS flaw bloats OpenSSL server memory with 11-byte payload — BleepingComputer — An unauthenticated attacker can trigger a DoS condition on OpenSSL servers by sending just 11 bytes. The vulnerability, dubbed HollowByte, exploits how OpenSSL handles specific TLS handshake sequences. The elegance is in the asymmetry: a trivial amount of input causes disproportionate resource exhaustion on the server side. Worth checking your TLS termination layers.

Threat intelligence & APT

  • HelloNet campaign — new malicious modules launched through the ViPNet update system — Securelist — Kaspersky discovered an active APT campaign using DLL sideloading via the ViPNet VPN update system to deploy a suite of custom tools (HelloInjector, HelloProxy, HelloBackdoor) against large Russian organizations in government, energy, and transport. The attackers hid a Rust-based backdoor behind an MD5 hash handshake on port 443 and used renamed PuTTY binaries for SSH tunneling. Attribution points toward an unknown Chinese-speaking group, but the researchers note the possibility of deliberate false flags.

  • GoSerpent: a persistent threat evolves with sophisticated data collection and exfiltration — Securelist — A detailed breakdown of a Go-based backdoor ecosystem that has been targeting government and diplomatic entities in Southeast Asia since 2021. The latest evolution includes ThumbcacheService (a DLL that quietly collects .doc, .pdf, and .xlsx files into an encrypted database), credential dumping via Mimikatz, and a two-phase exfiltration chain using Stowaway and TmcLoader. The toolset integration is genuinely impressive — the actors let ThumbcacheService collect data silently for weeks before deploying the exfiltration layer.

  • Leading members of Scattered Spider sentenced in UK to 66 months in jail — CyberScoop — Thalha Jubair and Owen Flowers, two core members of the Scattered Spider / Com collective, were sentenced after pleading guilty to the Transport for London attack and numerous other intrusions. The UK’s National Crime Agency calls this its largest cybercrime prosecution, though researchers pointed out the sentence is “remarkably lenient considering the period of continuous reoffending lasted longer than the sentence.” The FBI noted the group’s brand is still being used in ongoing attacks.

  • Russian trio indicted for allegedly running bulletproof hosting providers that spurred cybercrime — CyberScoop — Three Russian nationals behind Media Land and ML.Cloud were indicted for operating bulletproof hosting services that supported ransomware, phishing, and brute-force attacks against victims across 21 US states and several countries, causing over $62 million in losses. The FBI called it “another step in our broader campaign to shrink the space in which these actors can operate.”

  • Abbott Laboratories probes two cyber incidents amid extortion claims — BleepingComputer — Abbott is investigating unauthorized access to legacy Exact Sciences systems in its Cancer Diagnostics business alongside a separate claim that its LabCentral portal was breached. The timing is worth watching: healthcare continues to be the most targeted critical infrastructure sector, and Abbott’s market position means this will attract regulatory scrutiny.

Privacy & surveillance

  • Security researchers find stalkers abusing Chrome’s sync feature — CyberScoop — Certo Software documented a surge in stalkers exploiting Chrome’s sync capability to silently copy browsing history, stored passwords, and search activity from a victim’s phone by briefly signing into a Google account of their own during unattended access. Eva Galperin from EFF noted this is “an important reminder that tech-enabled abuse isn’t limited to stalkerware.” The sync feature was designed for convenience, but the security model assumes a single user — and that assumption breaks in domestic abuse scenarios.

  • Shark vacuum flaw exposes cameras, home maps and Wi-Fi passwords — Malwarebytes — A researcher extracted an AWS IoT certificate from a Shark robot vacuum and found the MQTT policy was so permissively configured that it could publish and subscribe to any other Shark device’s shadow in the same AWS region. In a 24-hour sample period, the researcher observed 1.5 million unique device serial numbers in a single region. Shark has not patched the issue despite being notified over six months ago. This is a textbook case of device identity isolation failure.

  • Samsung backs down on threat to delete health data — Malwarebytes — Samsung Health users were presented with a stark choice: consent to AI training on their intimate health data (including body measurements, sleep, medications, and menstrual data) or lose the ability to sync and have their data deleted. After user backlash, Samsung backtracked — but the pattern is becoming predictable: ask for forgiveness, not permission, then retreat when caught. The underlying privacy policy still authorizes human review of health data with no explicit anonymization guarantee.

Policy & legislation

  • Senator calls on Rubio, Blanche to push back against Canadian surveillance legislation — The Record — Senator Ron Wyden asked the Trump administration to pressure Canada against enacting a lawful access proposal that would “weaponize American technology infrastructure” for surveillance. The Canadian bill would require telecom providers to build intercept capabilities into their networks — essentially a backdoor mandate by another name. Wyden’s intervention is notable because it crosses partisan lines on surveillance, which is increasingly rare.

  • UK investigates TikTok for alleged age-verification lapses, exposing kids to online harms — The Record — Ofcom launched an investigation into TikTok’s age-verification practices after the UK’s Online Safety Act came into force. “Age checks are a cornerstone of the UK’s online safety laws,” said the Chief Executive. The investigation will test whether the regulatory framework has teeth, or whether platforms can continue to rely on self-declared birth dates.

Tools & research

  • Don’t eat the ChocoPoCs! How vulnerability researchers were repeatedly targeted by trojanised exploits — Sekoia — Sekoia’s TDR team documented a campaign that poisoned Python dependencies with a persistent RAT and targeted vulnerability researchers who are under pressure to quickly test Proof-of-Concept exploits. The attackers embedded malware inside fake PoC repositories, preying on the very timeline pressure that makes the researcher community productive. This is a worrying evolution of supply chain attacks — instead of going after end users, the attackers go after the people who decide which vulnerabilities are real.

  • Update now: 7-Zip fixes RCE flaw exploitable with malicious archives — BleepingComputer — Version 26.02 of 7-Zip addresses a remote code execution vulnerability triggered by opening specially crafted compressed files. The archive format is so universally used that this deserves a wider audience than the usual Patch Tuesday roundups.

  • WordPress Core “wp2shell” RCE flaws get public exploits, patch now — BleepingComputer — Public exploit code has been released for critical WordPress Core RCE vulnerabilities, making it imperative for administrators to update. If you are running a WordPress site and have not applied the latest patch, this is the nudge you need.

Extra

  • Microsoft Patches a Record 570 Security Flaws — Krebs on Security — Brian Krebs covers the staggering July Patch Tuesday that fixed 570 CVEs (59 critical), including three zero-days, two already exploited in the wild. Microsoft’s Pavan Davuluri wrote that AI discovery tools are the direct cause of the higher volume. Tenable’s Satnam Narang pointed out the uncomfortable corollary: Microsoft’s exploitability index, designed for human-speed analysis, rated one of the exploited zero-days as “less likely” to be exploited. AI-assisted vulnerability discovery breaks both ways.

  • SonicWall customers under threat as attackers exploit 2 zero-days — CyberScoop — Two zero-days in SonicWall SMA1000 appliances (CVE-2026-15409 and CVE-2026-15410) were first exploited on June 22, three weeks before the vendor disclosed them. Rapid7 observed a single threat group chaining the vulnerabilities for complete system compromise, likely for ransomware deployment. SonicWall has now had 17 CVEs added to CISA’s KEV catalog since 2021.

  • CISA urges immediate action on actively exploited Fortinet flaws — BleepingComputer — CISA ordered federal agencies to patch two actively exploited Fortinet FortiSandbox vulnerabilities. The deadline-driven language, “by Sunday”, signals a sharpened enforcement posture that has become the norm under the current administration.

If I had to pick one piece of writing from this week that will stick with me, it is the CISA postmortem on its own GitHub leak. The agency deserves credit for publishing it at all — too many organizations would have swept this under the rug. But the substance is sobering: ignored alerts, broken reporting channels, a 48-hour key rotation window, and a playbook that simply did not account for cloud services like GitHub. If your organization has not tested what happens when a researcher finds one of your secrets in a public repo, the CISA report is the case study you did not ask for but definitely need.

FAQ

  • Why did Microsoft patch 570 vulnerabilities in July 2026? Microsoft attributed the explosion in patch counts to AI-assisted vulnerability discovery, which allows security researchers to find more bugs faster across more code. July’s Patch Tuesday tripled the previous record set just a month earlier.
  • What are the most important cybersecurity events of the week of July 12, 2026? Microsoft’s record-breaking 570-patch Patch Tuesday dominated the week, alongside active exploitation of SonicWall SMA1000 zero-days, Fortinet FortiSandbox flaws, and WordPress core RCE vulnerabilities. Scattered Spider leaders were sentenced in the UK, and CISA published a postmortem of its own credential leak on GitHub.
  • How are articles selected for the Weekly Wire? Articles are curated from a fixed set of security-focused RSS feeds weighted by source reliability and relevance to DFIR, threat intelligence, privacy, policy, and research. Vendor marketing and press releases without technical depth are discarded.