Here are today’s top cybersecurity stories for Wednesday, July 15, 2026.
SonicWall SMA1000 Zero-Days CVE-2026-15409 and CVE-2026-15410 Actively Exploited — Federal Deadline July 17
SonicWall confirmed attackers are exploiting two zero-day vulnerabilities in its SMA1000 series remote access appliances. CVE-2026-15409 is a CVSS 10.0 unauthenticated server-side request forgery flaw in the Workplace web interface. CVE-2026-15410 is a post-authentication OS command injection flaw in the Appliance Management Console. Both vulnerabilities are being chained in confirmed incidents. Patches are available in hotfix versions 12.4.3-03453 and 12.5.0-02835. CISA has set a July 17, 2026 remediation deadline for federal agencies. — BleepingComputer
AsyncAPI npm Supply Chain Attack Delivers Multi-Stage Miasma Botnet to Over 2 Million Weekly Downloads
An attacker exploited a pull_request_target misconfiguration in the AsyncAPI generator’s GitHub Actions workflow, stole a privileged personal access token, and published five malicious package versions across four @asyncapi npm packages. The payload executes on import and steals browser credentials, SSH keys, AWS credentials, npm tokens, GitHub tokens, and cryptocurrency wallet files. Combined weekly downloads exceed 2 million. Developers who installed any affected version between July 14 and July 15 should rotate all environment credentials immediately. — The Hacker News
OkoBot Malware Framework Steals Ledger and Trezor Seed Phrases — Canada Among Top Five Most Affected Countries
OkoBot is a Windows malware framework active since April 2025 carrying more than 20 payloads. Its SeedHunter module detects running Ledger and Trezor wallet applications, hooks their Electron internals, and injects a phishing overlay requesting the user’s seed phrase. The stolen phrase is exfiltrated to a command-and-control server. Researchers identified active infections across more than 25 countries, with Canada in the top five most targeted. — The Hacker News
LegacyHive: Nightmare-Eclipse Drops Unpatched Windows Privilege Escalation PoC Hours After Patch Tuesday
Researcher Nightmare-Eclipse published proof-of-concept code for LegacyHive, a local privilege escalation vulnerability in the Windows User Profile Service. The flaw abuses arbitrary registry hive loading to mount another user’s registry — including an administrator’s — under a standard account. The PoC works on all supported Windows desktop and server versions with July 2026 updates installed. No CVE has been assigned and no patch is available. — The Hacker News
Chrome 150 and Firefox 152 Patch Critical Vulnerabilities With Public Exploit Code in the Wild
Mozilla released Firefox 152 to address two critical flaws — CVE-2026-15718 (invalid pointer in WebAssembly) and CVE-2026-15719 (site isolation flaw in DOM Navigation) — for which public exploit code exists, though no in-the-wild exploitation has been confirmed. Google’s Chrome 150 update fixes 15 vulnerabilities including two critical use-after-free bugs in the Ozone display abstraction layer (CVE-2026-15764 and CVE-2026-15765). Both browsers should be updated immediately. — SecurityWeek
GitLab Patches Code Execution and Information Disclosure Vulnerabilities Across CE and EE Editions
GitLab released security updates in versions 19.1.2, 19.0.4, and 18.11.7 addressing eight vulnerabilities. The most severe, CVE-2026-6896, is a stored XSS flaw (CVSS 8.7) in the GitLab EE vulnerability evidence table renderer allowing authenticated developers to inject scripts into other users’ browser sessions. CVE-2026-13320 introduces HTML injection through wiki markup rendering. GitLab.com was updated automatically. Self-managed instances require a manual upgrade. — SecurityWeek
ICS Patch Tuesday: Siemens, Schneider Electric, and Rockwell Automation Address Critical OT Vulnerabilities
Siemens published nine advisories for July 2026, including one for a CVSS 10.0 authentication bypass in Opencenter X granting full application access without credentials. Rockwell Automation released 12 advisories covering critical denial-of-service flaws in CompactLogix, ControlLogix, Compact GuardLogix, and GuardLogix controllers. Schneider Electric also published advisories for its industrial product lines. CISA released companion ICS advisories. Operators of affected OT environments should review each advisory and apply mitigations per vendor guidance. — SecurityWeek
292 Fake GitHub Repositories Push BoryptGrab Infostealer in Active SEO-Poisoning Campaign
A campaign active since June 26, 2026 deployed 292 brand-impersonation GitHub repositories mimicking security tools, cryptocurrency wallets, fintech apps, and developer software. Each repository directs visitors through SEO-optimized search results to a malicious download. The payload uses DLL side-loading via a trojanized libcurl.dll to reflectively execute BoryptGrab, an in-memory infostealer targeting 41 cryptocurrency wallet types and 19 browser credential stores. Hosting and language artifacts point to a Russian-speaking operator. — BleepingComputer
D1R Ransomware Group Claims Synopsys Hack and Bosch Data Theft — Synopsys Denies Breach
A newly emerged cybercrime group called D1R claimed to have accessed a 40,000-entry database at semiconductor EDA firm Synopsys and subsequently stolen intellectual property from Bosch. D1R threatened to publish the data unless a ransom is paid. Synopsys reported finding no evidence of a data breach. Evidence provided by the group included imagery consistent with publicly available documentation rather than confidential data. — SecurityWeek
Stay tuned for today’s in-depth analysis posts.






