- Memory corruption vulnerability in SAP NetWeaver Application Server ABAP due to out-of-bounds write
- Default credentials vulnerability in SAP Commerce Cloud allowing token access and API data manipulation
- HTTP Request Smuggling vulnerability in SAP AppRouter (Node.js middleware)
ThreatNoir Afternoon Brief — July 14
Afternoon Review in IT Security — July 14, 2026
The security landscape continues to face sustained pressure from multiple threat vectors, ranging from critical enterprise software vulnerabilities to coordinated supply chain attacks targeting open source ecosystems. Today's briefing covers urgent patches from major vendors, compromised development packages, and nation-state infrastructure targeting that demands immediate attention from security teams worldwide.
SAP Warns of Critical Flaws in NetWeaver and Commerce Cloud
SAP has released security updates addressing 16 vulnerabilities across multiple products in its July 2026 patch cycle. The advisory includes three critical flaws affecting NetWeaver, Commerce Cloud, and AppRouter that require immediate remediation. The identified vulnerabilities carry significant risk for organizations operating SAP infrastructure, particularly those exposed to external networks. Source: SAP warns of critical flaws in NetWeaver and Commerce Cloud
The critical CVEs identified are CVE-2026-27690, CVE-2026-44747, and CVE-2026-44761. Organizations running affected SAP products should prioritize testing and deploying these patches within their change management windows to prevent exploitation.
Multiple Jscrambler Packages Impacted by Supply Chain Attack
A threat actor successfully poisoned multiple versions of Jscrambler NPM packages to distribute a cross-platform credential stealer. The attack represents a significant supply chain compromise affecting developers who depend on this code obfuscation tool for their projects. Source: Multiple Jscrambler Packages Impacted by Supply Chain Attack
The malicious packages deployed credential harvesting capabilities alongside command execution functionality. Any organization using affected Jscrambler versions should immediately audit their development environments for signs of compromise and rotate all credentials that may have been exposed, including npm tokens and CI/CD secrets.
Compromised npm Packages in the AsyncAPI Namespace Deliver Miasma Botnet Loader
Socket's Threat Research Team discovered three compromised npm packages within the @asyncapi namespace distributing a multi-stage botnet loader identified as Miasma. The affected packages are @asyncapi/generator-helpers (v1.1.1), @asyncapi/generator-components (v0.7.1), and @asyncapi/generator (v3.3.1). These packages are commonly used in development workflows to generate API documentation and client code, meaning the malicious payload executes automatically when the packages are imported during normal development or continuous integration processes. Source: Compromised npm Packages in the AsyncAPI Namespace Deliver Miasma Botnet Loader
The attack employs a sophisticated two-stage delivery mechanism. The first stage, injected into src/utils.js and hidden behind whitespace, executes at require time and spawns a detached Node.js process that downloads an encrypted second-stage payload from IPFS at the address hxxps://ipfs[.]io/ipfs/QmQobZSp1wRPrpSEQ56qnyq7ecZh5Bg5k1fnjt4SUwwHb9. The decrypted second stage persists as sync.js in platform-specific directories (~/Library/Application Support/NodeJS/sync.js on macOS, ~/.local/share/NodeJS/sync.js on Linux, and %LOCALAPPDATA%\NodeJS\sync.js on Windows) and provides botnet capabilities including shell command execution, file operations, credential harvesting, persistence mechanisms, and multi-protocol command and control. Organizations should immediately verify whether they installed these packages, rotate all exposed credentials including npm tokens, GitHub tokens, cloud credentials, and SSH keys, and monitor for suspicious Node.js child processes and network connections to 85[.]137[.]53[.]71.
US, Allies Warn of Russian Cyberattacks Targeting Critical Infrastructure Routers
The United States and allied nations have issued a coordinated warning regarding state-sponsored Russian cyberattacks targeting critical infrastructure networks. Multiple advanced persistent threat groups are actively compromising poorly secured router devices across the critical infrastructure sector. Source: US, Allies Warn of Russian Cyberattacks Targeting Critical Infrastructure Routers
The threat actors are exploiting aging vulnerabilities including CVE-2008-4128 and CVE-2018-0171, underscoring the persistent risk posed by unpatched legacy equipment in operational technology environments. Organizations managing critical infrastructure should conduct comprehensive inventories of network edge devices, prioritize patching of known vulnerabilities, and implement enhanced monitoring for unauthorized administrative access.
The convergence of enterprise software vulnerabilities, supply chain compromises, and nation-state infrastructure targeting demonstrates the multifaceted threat environment facing organizations today. Security teams must balance immediate patch management with broader supply chain visibility and infrastructure hardening initiatives.
Sources & IOCs
Source articles and extracted indicators (defanged where appropriate).
- MiasmaName of the botnet loader
85[.]137[.]53[.]71Network connection target for monitoring
hxxps://ipfs[[.]]io/ipfs/QmQobZSp1wRPrpSEQ56qnyq7ecZh5Bg5k1fnjt4SUwwHb9IPFS URL for second-stage payload download
- Exploited vulnerability in Cisco devices leading to arbitrary code execution.
- Exploited vulnerability in Cisco devices leading to arbitrary code execution.