iCagenda and Balbooa Forms Joomla Flaws Reportedly Exploited as Zero-Days
CISA added two maximum-severity flaws affecting the iCagenda and Balbooa Forms extensions for Joomla to its Known Exploited Vulnerabilities catalog after reports of zero-day exploitation in the wild. Both bugs, rated 10.0 on the CVSS scale, allow unauthenticated attackers to upload arbitrary files through form and event-submission features, leading to PHP code execution on affected sites. iCagenda’s flaw has reportedly been exploited since mid-June, while the Balbooa Forms issue was found following a live attack on a customer site; patched versions are available for both, and federal agencies have been given a tight deadline to remediate.
Progress Prompts ShareFile Storage Zone Controller Shutdown Amid Security Concerns
Progress Software told customers running ShareFile Storage Zone Controllers to manually power down the servers hosting them after identifying a “credible external security threat” targeting the on-premises file-sharing component. The company disabled cloud access to affected accounts as a precaution, later restored that access, but is telling customers to keep the physical servers off while its investigation continues. Progress says it currently has no evidence of unauthorized access to customer accounts or data, though speculation has centered on a pair of critical remote-code-execution flaws patched earlier this year.
Hackers backdoor Jscrambler npm package with infostealer malware
A threat actor used compromised publishing credentials to push malicious versions of the Jscrambler npm package, embedding an infostealer that ran automatically during installation via a preinstall hook. The tainted releases were downloaded nearly 1,500 times in the roughly two-hour window before Jscrambler deprecated them and shipped a clean version. The malware targeted a wide range of sensitive data, including cloud credentials, developer secrets, cryptocurrency wallets, and browser-stored logins, and affected users are being told to treat their environments as compromised and rotate all secrets.
Russian hackers are targeting routers to infiltrate critical infrastructure, CISA warns
CISA, the FBI, the NSA and cybersecurity agencies from eight allied nations issued a joint advisory warning that Russian state-sponsored hackers, tracked under names including Berserk Bear and Static Tundra, are exploiting vulnerable and poorly configured routers to gain long-term footholds inside critical infrastructure networks. The actors scan for devices using default or weak SNMP credentials and outdated firmware, then harvest configuration files that expose credentials, VPN settings, and internal network layouts. Communications, energy, defense, financial services, and healthcare organizations are named as favored targets, and defenders are urged to treat edge devices as high-value assets requiring the same scrutiny as core systems.
DHS network intrusion was twice ruled a false positive before breach confirmed
Department of Homeland Security staff dismissed two separate rounds of suspicious activity inside the Homeland Security Information Network as harmless before finally declaring a breach, according to an internal incident readout, giving intruders roughly three weeks of undetected access. FEMA analysts first spotted the hackers altering files and wiping activity logs in mid-to-late May, but that activity was written off as a false positive; a second wave of similarly disguised behavior in late May and early June was again dismissed before the attackers installed hidden backdoors and stole credential data on June 4, prompting officials to finally confirm an active compromise. Investigators still have not determined who was behind the intrusion or what, if anything, was taken from the network, which is currently being used to help coordinate security for World Cup matches being hosted across the country.