Weekly review

ThreatNoir Morning Brief — July 13

2026-07-13Morning4 articles
Audio
Listen to the episode

Morning Review in IT Security — July 13, 2026

The cybersecurity landscape continues to evolve with emerging threats spanning mobile platforms, open-source ecosystems, state-sponsored espionage, and API abuse. Today's briefing covers critical developments that organizations and developers must address to maintain security posture across their infrastructure and supply chains.

RedHook Android Malware Exploits Wireless ADB for Unauthorized Shell Access

A newly identified variant of the RedHook Android malware has adopted a sophisticated approach to gaining shell-level privileges by abusing the Android Wireless Debugging mechanism, commonly known as Wireless ADB. This technique represents a significant evolution in mobile malware capabilities, as it enables attackers to establish unauthorized access without requiring a physical computer connection to the compromised device. The malware's ability to leverage this built-in Android feature demonstrates how legitimate debugging tools can be weaponized by threat actors to escalate privileges and maintain persistent access on infected systems.

Source: RedHook Android malware now uses Wireless ADB for shell access

Malicious jscrambler npm Package Delivers Rust-Based Infostealer

The jscrambler npm package, version 8.14.0, was compromised and released with a preinstall hook that automatically executes a native infostealer binary during installation. Published on July 11, 2026, the malicious release included platform-specific payloads targeting Windows, macOS, and Linux systems. Security researchers at Socket detected the compromised version within six minutes of its publication, highlighting the speed at which supply chain attacks can propagate through the open-source ecosystem. This incident underscores the critical importance of monitoring npm package releases and validating the integrity of dependencies before deployment.

Source: Compromised jscrambler 8.14.0 npm Release Drops Rust Infostealer During Install

State-Sponsored Actors Target Pakistani Law Enforcement Through Portal Compromise

Cybersecurity researchers have revealed sustained cyber espionage campaigns targeting Pakistani law enforcement organizations, with activity spanning from February 2024 through April 2026. The compromised infrastructure at Balochistan Police included servers hosting web applications managing sensitive police and citizen data, including criminal records. Threat actors believed to be aligned with both China and India deployed multiple advanced tools including Cobalt Strike, PlugX, Remcos RAT, and ShadowPad to maintain persistent access and exfiltrate intelligence. This multi-year campaign demonstrates the persistent threat posed by state-sponsored actors targeting critical government institutions in South Asia.

Source: Hackers Weaponize Balochistan Police Portal in Multi-Group Espionage Campaigns

Ghost Accounts Conduct Mass Reconnaissance Against GitHub Organizations

Multiple threat campaigns are leveraging ghost accounts to systematically map GitHub organizations, including their repositories and member structures. This reconnaissance activity represents a critical precursor to supply chain attacks, as threat actors gather intelligence on potential targets within the software development community. The use of anonymous accounts to probe GitHub's API infrastructure allows attackers to conduct large-scale enumeration while evading traditional detection mechanisms based on account reputation or historical behavior patterns.

Source: Ghost Accounts Abuse GitHub API in Mass Recon Campaign

Conclusion

Today's threat landscape reflects a convergence of attack vectors targeting mobile platforms, developer tools, government infrastructure, and open-source ecosystems. Organizations must implement comprehensive security strategies that address both emerging malware families and supply chain vulnerabilities while maintaining vigilance against state-sponsored reconnaissance activities.

Sources & IOCs

Source articles and extracted indicators (defanged where appropriate).

Hackers Weaponize Balochistan Police Portal in Multi-Group Espionage Campaigns
Malware4
  • Remcos RAT
    Malware family linked to an India-nexus threat actor.
  • PlugX
    Malware family deployed by China-nexus threat actors.
  • ShadowPad
    Malware family deployed by China-nexus threat actors, successor to PlugX.
  • Cobalt Strike
    Malware family deployed by China-nexus threat actors.
IP Address1
  • 142.171.183.8
    Command-and-control (C2) server used by Cobalt Strike activity cluster.