Here are today’s top cybersecurity stories for Wednesday, July 1, 2026.
Adobe Patches Seven Maximum-Severity Flaws in ColdFusion and Campaign Classic
Adobe released patches addressing eleven vulnerabilities across ColdFusion and Campaign Classic, seven rated CVSS 10.0. The ColdFusion flaws stem from unrestricted file upload, improper input validation, and path traversal weaknesses, while a Campaign Classic authorization flaw allows arbitrary code execution. Adobe reports low-complexity exploitation with no user interaction and no known active exploitation at disclosure.
BleepingComputer
Password Spray Campaign Hits Microsoft 365 Through Azure CLI, Compromises 78 Accounts
A threat actor using infrastructure tied to LSHIY LLC made more than 81 million login attempts against Microsoft 365 tenants between June 12 and June 26, compromising at least 78 accounts across 64 organizations. The campaign authenticated through a deprecated OAuth flow called Resource Owner Password Credentials, bypassing Conditional Access policies that were scoped incorrectly or left in report-only mode.
BleepingComputer
DHS Confirms Breach of HSIN Information-Sharing Platform
The Department of Homeland Security is investigating a compromise of the Homeland Security Information Network, a platform federal, state, local, and private-sector partners use to share threat information. The intrusion, believed to have occurred between late May and early June, also touched a connected SharePoint collaboration system. DHS says it isolated affected systems and found no evidence classified networks were reached.
BleepingComputer
Oracle E-Business Suite Instances Remain Exposed to Ongoing Attacks
Researchers report more than 900 Oracle E-Business Suite instances remain reachable online and exposed to continuing exploitation of CVE-2026-46817, the unauthenticated file transmission flaw disclosed in June. Organizations running unpatched EBS environments face active scanning and takeover attempts weeks after Oracle shipped a fix.
BleepingComputer
Researchers Detail “Phantom Squatting” Attacks Using AI-Hallucinated Domains
Palo Alto Networks Unit 42 analyzed 913 brands across two large language models, generating 2.1 million candidate URLs and confirming more than 13,000 malicious domains registered on web addresses the models invented. Researchers identified roughly 250,000 hallucinated domains still unregistered, warning that attackers monitor AI output to pre-register names before legitimate brands or unsuspecting developers do.
The Hacker News
SEO-Poisoned Download Sites Deploy AsyncRAT Through ScreenConnect
An ongoing campaign active since October 2025 uses more than 90 look-alike domains across ten languages to distribute trojanized installers for popular software including OBS Studio and DS4Windows. Victims who run the installer receive a legitimate ScreenConnect deployment preconfigured for unattended remote access, followed by an AsyncRAT variant with keylogging, clipboard hijacking, and cryptocurrency-clipping functions.
The Hacker News
VEIL#DROP Campaign Abuses Blogger Pages to Deliver PureLogs Stealer
Securonix documented a multi-stage attack chain named VEIL#DROP, which uses social engineering and legitimate Blogger pages to host and deliver the PureLogs information stealer. The technique relies on trusted Google infrastructure to evade domain reputation checks before dropping the final payload.
The Hacker News
China-Linked Group Expands From Taiwan Into Southeast Asian Critical Infrastructure
A China-linked threat group tracked as CL-STA-1062 has moved from targeting web-hosting infrastructure in Taiwan to compromising critical infrastructure operators across Southeast Asia, including electricity and water providers, using a new backdoor called TinyRCT. Government and military organizations across the region were also affected.
Dark Reading
CISA Releases Eight Industrial Control Systems Advisories
CISA published eight ICS advisories covering products from Mitsubishi Electric, Schneider Electric, Delta Electronics, Frangoteam, StoneFly, and B&R, the latter tied to an XZ Utils vulnerability. Several advisories, including one for StoneFly Storage Concentrator, describe flaws allowing unauthorized access and root-level command execution.
CISA
DHS Establishes ANCHOR-CI to Replace Disbanded Critical Infrastructure Council
The Department of Homeland Security published a Federal Register notice establishing the Alliance of National Councils for Homeland Operational Resilience-Critical Infrastructure, a new advisory framework connecting government agencies with critical infrastructure owners and operators. ANCHOR-CI replaces the Critical Infrastructure Partnership Advisory Council, disbanded in March 2025, and will run in two-year renewable terms.
CyberScoop
Stay tuned for today’s in-depth analysis posts.






