Weekly review

ThreatNoir Morning Brief — July 16

2026-07-16Morning4 articles
Audio
Listen to the episode

Morning Review in IT Security — July 16, 2026

The threat landscape continues to intensify as attackers exploit zero-day vulnerabilities across enterprise infrastructure and supply chains. Today's briefing covers critical threats affecting SonicWall appliances, npm package repositories, cryptocurrency hardware wallet users, and Microsoft SharePoint deployments, all requiring immediate attention from security teams.

SonicWall Customers Under Threat as Attackers Exploit 2 Zero-Days

Researchers have identified a coordinated attack campaign targeting SonicWall customers through two chained zero-day vulnerabilities. The attackers began exploiting these defects approximately three weeks before SonicWall disclosed and released patches for the vulnerabilities. The coordinated exploitation of multiple flaws in succession demonstrates a sophisticated attack methodology designed to maximize impact before vendor remediation becomes available. Source: CyberScoop

The vulnerabilities tracked as CVE-2026-15409 and CVE-2026-15410 represent a significant risk to organizations relying on SonicWall SMA1000 appliances for network security. The chaining of these zero-days enables attackers to achieve full system compromise, making immediate patching a critical priority for affected organizations.

AsyncAPI npm Packages Infected with Credential-Stealing Malware

A supply-chain attack has compromised the Node Package Manager repository with five malicious versions of AsyncAPI packages designed to deliver credential-stealing capabilities. The attack delivered the Miasma backdoor, a remote access trojan with information-stealing functionality, to developers who installed the affected packages. This incident underscores the ongoing vulnerability of open-source software ecosystems to sophisticated supply-chain attacks. Source: Bleeping Computer

Organizations using AsyncAPI packages should immediately audit their dependencies and update to patched versions. The attack highlights the critical importance of verifying package sources and monitoring for suspicious behavior in development environments.

OkoBot Malware Framework Injects Seed Phrase Phishing Into Ledger and Trezor Apps

The OkoBot malware framework has been operating on Windows machines since April 2025 with a specialized module designed to steal cryptocurrency recovery phrases from hardware wallet users. The SeedHunter module within OkoBot performs sophisticated phishing attacks by injecting malicious prompts directly into legitimate Ledger and Trezor desktop applications, creating a convincing social engineering attack that originates from within trusted software. The malware framework includes additional modules such as HDUtil, TookPS, and Volume2, expanding its capabilities across multiple attack vectors. Source: The Hacker News

The attack methodology is particularly insidious because users see the phishing request emerge from their legitimate wallet application, dramatically increasing the likelihood of successful credential theft. The malware infrastructure utilizes the domain moonsand[.]store for command and control operations. Cryptocurrency users should exercise heightened caution when prompted for recovery phrases and consider isolating hardware wallets on dedicated systems.

CISA Urges Immediate Patching of Exploited SharePoint Vulnerabilities

The Cybersecurity and Infrastructure Security Agency has issued an urgent advisory regarding three actively exploited vulnerabilities affecting Microsoft SharePoint, including two that were previously unknown zero-day flaws. The vulnerabilities tracked as CVE-2026-32201, CVE-2026-45659, CVE-2026-55040, CVE-2026-56164, and CVE-2026-58644 represent an immediate threat to organizations running vulnerable SharePoint instances. Source: SecurityWeek

Organizations operating SharePoint environments should prioritize immediate patching of all identified vulnerabilities. The active exploitation of these flaws in the wild indicates attackers are actively targeting SharePoint deployments, making rapid remediation essential to prevent unauthorized access and data compromise.

Security teams should treat all four threats reported today with equal urgency, implementing patches and monitoring controls across SonicWall appliances, npm development environments, cryptocurrency infrastructure, and SharePoint deployments. The convergence of multiple active exploitation campaigns underscores the heightened threat environment facing organizations across all sectors.

Sources & IOCs

Source articles and extracted indicators (defanged where appropriate).

OkoBot Malware Framework Injects Seed Phrase Phishing Into Ledger and Trezor Apps
Malware5
  • OkoBot
    Malware framework name.
  • SeedHunter
    Module within OkoBot responsible for stealing recovery phrases.
  • TookPS
    PowerShell downloader used by OkoBot.
  • HDUtil
    VMProtect-packed launcher used by OkoBot.
  • Volume2
    Open-source utility used to deliver malicious payloads.
Domain1
  • moonsand[.]store
    Command and Control (C2) server for OkoBot's SeedHunter module.