Rose debug info
---------------

Programmer’s Digest #193

07/08/2026-07/15/2026 CVSS 9.9 NetWeaver ABAP Flaw, Jscrambler npm Supply Chain Attack, Joomla Sites Running iCagenda or Balbooa Exploited in Attacks And More.

1. SAP Patches CVSS 9.9 NetWeaver ABAP Flaw That Could Expose or Modify Data

SAP’s July 2026 security updates address multiple vulnerabilities, most notably a critical flaw in SAP NetWeaver Application Server ABAP. CVE-2026-44747 (CVSS 9.9) is an out-of-bounds write bug letting an authenticated attacker trigger memory corruption, potentially leading to unauthorized data access, modification, or system unavailability. Onapsis notes SAP’s proposed workaround—disabling certain ICF nodes in transaction SICF—breaks SAP GUI for HTML transactions, so patching the ABAP Kernel is strongly advised instead.

Two other critical flaws were also fixed. CVE-2026-27690 (CVSS 9.1) is an HTTP request/response smuggling issue in SAP Approuter (non-Cloud Foundry deployments), letting unauthenticated attackers desynchronize requests to expose responses or cause denial-of-service. CVE-2026-44761 (CVSS 9.1) affects SAP Commerce Cloud, where sample configuration scripts from SAP’s documentation created OAuth 2.0 clients with hard-coded, publicly known credentials. Attackers who find these unchanged in production could obtain valid access tokens to read and modify data. Customers who removed the sample client or rotated the secret aren’t affected; others should audit and remove it. No active exploitation has been reported, but patching is recommended.

2. Microsoft Patches Record 622 Vulnerabilities, Including Two Exploited Zero-Days

Microsoft’s July 2026 Patch Tuesday addressed a record 622 vulnerabilities, including two actively exploited zero-days. CVE-2026-56155 affects Active Directory Federation Services, allowing local privilege escalation to administrator. CVE-2026-56164, in SharePoint Server, enables unauthenticated network-based privilege escalation. Microsoft also flagged CVE-2026-50661, a BitLocker bypass exploitable by attackers with physical access, which was publicly disclosed before the patch release—Tenable’s Satnam Narang suggested a possible link to prior zero-days from researchers “Nightmare-Eclipse” or “Chaotic-Eclipse,” though unconfirmed.

Windows received 416 fixes and Office 164. Other notable flaws include critical bugs in Windows VMSwitch (CVE-2026-57092, CVSS 9.9) and SharePoint (CVE-2026-50522, CVSS 9.8), an Exchange Server XSS (CVE-2026-55008), and RCE issues in RDP, Windows DHCP Server, Windows Server Network driver, and Minecraft Bedrock Dedicated Server. Updates also covered Azure, Defender, Exchange, Edge, and SQL Server.

Microsoft says AI-assisted scanning is accelerating vulnerability discovery. Separately, Adobe patched 88 vulnerabilities, including critical ColdFusion, Commerce, Experience Manager, and Illustrator flaws.

3. Jscrambler npm Supply Chain Attack Steals Developer and Cloud Credentials

A compromised release of the widely used jscrambler npm package exposed developers and CI/CD pipelines to a credential-stealing campaign after attackers hijacked the maintainer’s npm publishing credentials. Malicious versions 8.14.0, 8.16.0, 8.17.0, 8.18.0, and 8.20.0 installed hidden Rust-based infostealers targeting cloud credentials, cryptocurrency wallets, browser data, AI coding assistants, messaging apps, and OS keyrings. Initially, the malware used an undocumented preinstall script, but later versions embedded the dropper directly into the package, bypassing protections such as npm install --ignore-scripts. Stolen data was encrypted and exfiltrated over TLS to a remote server. Jscrambler confirmed the breach, revoked the compromised credentials, and released version 8.22.0 as a clean version. Organizations that installed affected releases should treat impacted systems as compromised, upgrade to 8.22.0 (or revert to 8.13.0), rotate all exposed credentials, and review systems for signs of unauthorized binaries or suspicious activity.

4. npm 12 Disables Install Scripts by Default to Reduce Supply Chain Risk

GitHub has released npm 12, introducing major security improvements by disabling install scripts and risky dependency sources by default. Dependency lifecycle scripts, Git dependencies, and remote URL packages now require explicit approval, reducing the risk of supply chain attacks. Developers can review and allow trusted scripts using npm approve-scripts --allow-scripts-pending and save the allowlist in package.json.

GitHub also announced the deprecation of npm granular access tokens (GATs) that bypass two-factor authentication (2FA). Starting in August 2026, these tokens will no longer be able to perform sensitive account, package, or organization management tasks. By January 2027, GATs will also lose the ability to publish packages directly, with GitHub recommending trusted publishing (OIDC) or staged publishing with human approval instead. Additionally, pnpm 11.10 introduces a new _auth configuration that securely binds registry credentials to specific hosts, preventing malicious project files from redirecting authentication tokens.

5. CISA Warns of Joomla Sites Running iCagenda or Balbooa Exploited in Attacks

CISA has flagged active exploitation of two unrestricted file upload vulnerabilities in Joomla extensions, allowing attackers to potentially seize control of vulnerable websites. CVE-2026-48939 affects iCagenda, an event management extension, while CVE-2026-56291 affects Balbooa Forms—both letting unauthenticated or low-privileged attackers upload executable malicious files. Exploitation can enable web shells, giving attackers remote command execution, data theft, new admin accounts, content tampering, or a foothold for further attacks.

CISA warns file-upload flaws remain a common attack vector, with internet-facing Joomla sites especially at risk from automated scanning. Federal agencies must remediate under Binding Operational Directive 26-04, and CISA urges private organizations to do the same.

Administrators should check for these extensions, apply patches or vendor mitigations, and if unavailable, disable the component or restrict uploads and access. Because exploitation is ongoing, patching alone may not remove existing attackers—teams should hunt for web shells, suspicious accounts, altered templates, and unusual traffic, then rotate credentials and restore from clean backups if compromised.

6. Grok Build Uploaded Entire Git Repositories to xAI Storage, Not Just Files It Read

Researchers discovered that xAI’s Grok Build CLI (v0.2.93) uploaded entire Git repositories—including commit history—to xAI-managed cloud storage, rather than only the files required for coding tasks. Tests showed that a 12 GB repository generated over 5 GiB of uploads, even though the AI model processed only a small fraction of the data. Researchers also confirmed that tracked files, including a .env file with unredacted test credentials, were transmitted and stored. Disabling the “Improve the model” setting did not stop repository uploads, as it controlled model training rather than data collection. On July 13, xAI disabled repository uploads via a server-side configuration without updating the client. The company stated users can run /privacy to disable retention and delete synced data. Security experts recommend rotating any credentials stored in tracked files or Git history, as deleted secrets may still exist in repository commits.

10 h   digest   programmers'