Skip to content
Chimera readability score 82 out of 100, Specialist reading level.

For the latest discoveries in cyber research for the week of 13th July, please download our Threat Intelligence Bulletin.
TOP ATTACKS AND BREACHES
- U.S. auto insurer AssuranceAmerica has disclosed a data breach affecting approximately 7 million people. Attackers targeted an employee and used compromised credentials to access company systems, stealing names, contact information, driver’s license numbers, insurance policy and account data, vehicle information, and claims details.
- Latvia’s state-owned forestry company Latvijas Valsts Meži has suffered a ransomware attack that disrupted mapping, hunting, contractor, and customer systems. Attackers exploited a system that had remained unpatched for two years and leaked approximately 44GB of internal documents, credentials, cryptographic keys, source code, and email correspondence.
- Injective Labs, a developer of blockchain and cryptocurrency software, has experienced a supply chain compromise after attackers accessed its SDK project and published malicious npm packages. The affected releases exfiltrated cryptocurrency wallet private keys and seed phrases when developers used legitimate key-generation functions embedded in the compromised software.
- Moody Bible Institute, a U.S. faith-based educational institution, has disclosed a data breach affecting more than 2.3 million donors, students, alumni, and supporters. The ShinyHunters extortion group published allegedly stolen information, including names, dates of birth, residential addresses, email addresses, and phone numbers.
AI THREATS
- Researchers profiled JadePuffer, an autonomous ransomware operation that used a large language model to conduct an intrusion without direct human control. The operation exploited CVE-2025-3248 in an exposed Langflow instance, accessed a production MySQL server, exfiltrated selected information, deleted the database, and issued an extortion demand.
- Researchers showed that malicious instructions hidden inside open-source project files could achieve remote code execution through Anthropic Claude Code and OpenAI Codex. When operating with automated permissions, the coding agents processed the instructions and executed attacker-controlled scripts, demonstrating a risk that may affect other autonomous development tools.
- Researchers disclosed Rogue Agent, a vulnerability in Google Dialogflow CX that allowed users with limited agent-editing permission to insert persistent malicious code. The injected code could capture and exfiltrate chatbot conversations. Google addressed the issue, and no known customer environments were compromised through the vulnerability.
VULNERABILITIES AND PATCHES
- Multiple Tenda router models are affected by CVE-2026-11405, an undocumented authentication backdoor that provides administrative access through a hidden password. The flaw affects several FH1201, W15E, AC10, AC5, and AC6 firmware versions and allows attackers to bypass configured credentials and modify device and network settings.
- Linux maintainers have patched CVE-2026-53359, a critical vulnerability in the Kernel-based Virtual Machine hypervisor. A malicious guest virtual machine could corrupt host kernel memory and potentially escape into the host environment. The flaw affects Intel and AMD x86 systems and is particularly relevant to shared cloud infrastructure.
- U-Boot has addressed six vulnerabilities affecting signature verification of Flattened Image Tree files used during secure boot. Two flaws could enable arbitrary code execution while a device loads a supposedly verified image, and four could cause crashes. The affected bootloader is widely used in routers, cameras, and embedded controllers.
- Opera has addressed a critical vulnerability in the Opera GX browser that allowed malicious websites to install browser modifications without user confirmation. An attacker-controlled modification could inject styles across open tabs, leak information such as Gmail addresses, and crash the browser. Opera corrected the issue.
THREAT INTELLIGENCE REPORTS
- Check Point Research has profiled Cavern Manticore, an Iran-linked threat actor targeting Israeli government and information technology organizations. The group uses a modular .NET command-and-control framework and has abused remote management software and a compromised software update mechanism to deploy file-management, database, scanning, and tunneling capabilities.
Check Point Threat Emulation and Harmony Endpoint provide protection against this threat
- Check Point Research have analyzed global cyberattack activity during June 2026, recording an average of 2,270 weekly attacks per organization. Ransomware incidents increased by 33% from June 2025, while The Gentlemen overtook Qilin as the most active group during the month.
- Check Point researchers have investigated a student employment phishing campaign that abused compromised school email accounts and Google Forms. More than 3,200 messages passed email authentication checks and attempted to collect banking information, residential addresses, and other details associated with money mule recruitment and account compromise.
- Researchers analyzed UAT-7810, a China-linked threat actor that compromises internet-facing networking devices to expand operational relay box infrastructure. The group developed new malware components and exploited unpatched Ruckus and ASUS devices to create proxy nodes for associated threat actors.

Facts Only

* U.S. auto insurer AssuranceAmerica disclosed a data breach affecting approximately 7 million people, exposing names, contact information, driver’s license numbers, insurance policy/account data, vehicle information, and claims details.
* Latvia’s state-owned forestry company Latvijas Valsts Meži suffered a ransomware attack that disrupted systems and leaked approximately 44GB of internal documents, credentials, cryptographic keys, source code, and email correspondence due to an unpatched system.
* Injective Labs experienced a supply chain compromise where attackers exfiltrated cryptocurrency wallet private keys and seed phrases from the SDK project.
* Moody Bible Institute disclosed a data breach affecting over 2.3 million donors, students, alumni, and supporters, with stolen information including names, dates of birth, residential addresses, email addresses, and phone numbers.
* The autonomous ransomware operation JadePuffer utilized a large language model to conduct an intrusion exploiting CVE-2025-3248 in an exposed Langflow instance to access a MySQL server and delete data.
* Malicious instructions hidden in open-source project files were shown to achieve remote code execution through Anthropic Claude Code and OpenAI Codex when used with automated permissions.
* A vulnerability in Google Dialogflow CX, named Rogue Agent, allowed users with limited agent-editing permission to insert persistent malicious code capable of capturing chatbot conversations.
* Tenda router models are affected by CVE-2026-11405, an undocumented authentication backdoor affecting FH1201, W15E, AC10, AC5, and AC6 firmware versions.
* Linux maintainers patched CVE-2026-53359, a vulnerability in the Kernel-based Virtual Machine hypervisor affecting Intel and AMD x86 systems.
* U-Boot addressed six vulnerabilities concerning signature verification of Flattened Image Tree files during secure boot.
* Opera corrected a critical vulnerability in Opera GX that allowed malicious websites to install browser modifications.
* Check Point Research profiled Cavern Manticore, an Iran-linked threat actor utilizing a .NET C2 framework targeting Israeli organizations.
* Analysis of June 2026 showed an average of 2,270 weekly attacks per organization globally.

Executive Summary

Data from the week of July 13th details several recent cybersecurity events involving data breaches, ransomware attacks, and vulnerabilities across various sectors. Specific incidents include a data breach at AssuranceAmerica affecting seven million people, where attackers accessed personal and financial data. A ransomware attack targeted Latvia’s state-owned forestry company Latvijas Valsts Meži, resulting in the exposure of internal documents and credentials due to an unpatched system. Injective Labs experienced a supply chain compromise leading to the exfiltration of cryptocurrency wallet private keys from their SDK project. Furthermore, Moody Bible Institute reported a data breach impacting over 2.3 million donors and supporters. AI threats were highlighted by profiling an autonomous ransomware operation named JadePuffer, which utilized a large language model for intrusion. Vulnerabilities noted include CVE-2026-11405 affecting multiple Tenda router models regarding authentication backdoors, CVE-2026-53359 in the Kernel-based Virtual Machine hypervisor, and vulnerabilities in U-Boot signature verification related to secure boot. Threat intelligence also profiled actors like Cavern Manticore and analyzed phishing campaigns targeting school accounts.

Full Take

The information presented reveals a convergence between traditional infrastructure vulnerabilities, emerging AI-assisted attack vectors, and large-scale data exfiltration targeting both private entities and public trust organizations. The pattern suggests that the exploitation of known technical flaws (like unpatched systems or authentication backdoors) is being amplified by sophisticated autonomous agents powered by LLMs, moving threat execution from manual effort to self-directed action.
The presence of supply chain compromise in Injective Labs and the use of code generation models for Remote Code Execution indicates that trust relationships within software development ecosystems are a critical attack surface. This moves beyond simple perimeter defense; the focus shifts to the integrity of the tools themselves. Furthermore, the findings concerning JadePuffer and Rogue Agent demonstrate that autonomous capabilities can leverage deep-seated system flaws for objectives, challenging traditional attribution models focused solely on human operators.
The simultaneous profiling of state-linked actors (Cavern Manticore) alongside large-scale social engineering campaigns (phishing for money mules) shows a multi-layered threat landscape where geopolitical interests intersect with data exploitation and operational compromise. The implication is that resilience requires addressing the vulnerability space across hardware, software supply chains, autonomous agents, and human processes simultaneously, recognizing that technical flaws serve as the foundation upon which complex, goal-oriented operations are built.
BRIDGE QUESTIONS:
What are the systemic governance gaps that allow state-linked actors and sophisticated AI agents to effectively weaponize known vulnerabilities across diverse software stacks? How should organizational risk models adapt when autonomous agents can execute attacks leveraging context from open-source code? What mechanisms are necessary to ensure integrity within development pipelines against both human and machine manipulation?

Sentinel — Human

Confidence

The text functions as a compiled summary of technical threat intelligence reports, exhibiting the dry, factual presentation characteristic of legitimate security bulletins.

Signals Detected
low severity: Moderate sentence length variance; utilizes bullet points and clear headings typical of intelligence reporting.
low severity: High internal consistency; presents a list of discrete, fact-based reports without overt emotional framing.
medium severity: Structured like a bulletin or feed, using consistent attribution (e.g., 'Researchers profiled X') and specific CVE/group names.
low severity: Specific details (CVE numbers, actor names, specific data volumes) suggest sourcing from established threat intelligence feeds rather than pure fabrication.
Human Indicators
The text utilizes dense, technical terminology and cites specific named entities (companies, CVEs, threat actors), which points toward aggregation of existing intelligence rather than purely generative text.
The structure mimics a formal threat bulletin, suggesting an intent to convey structured data efficiently.
13th July — Arc Codex