Toggle light / dark theme

11 Old MicrosoftSigned Linux UEFI Shims Could Let Attackers Bypass Secure Boot

Cybersecurity researchers have discovered 11 old, Microsoft-signed, Unified Extensible Firmware Interface (UEFI) applications that could be abused to bypass Secure Boot on most systems using the modern firmware standard.

“An attacker exploiting one of these vulnerable applications can execute untrusted code during system boot, enabling deployment of malicious UEFI bootkits or other malware,” ESET researcher Martin Smolár said in a report published today.

The UEFI shim bootloaders expose any UEFI-based machine that trusts Microsoft’s “Microsoft Corporation UEFI CA 2011” third-party UEFI certificate authority (CA) certificate, irrespective of the installed operating system. The certificate is used to sign third-party boot components intended to run under Secure Boot. It expired as of June 27, 2026, and has been replaced by Microsoft UEFI CA 2023 and Microsoft Option ROM UEFI CA 2023.

Nearly 300 GitHub repos pose as legit software to push malware

A threat actor has published hundreds of fake GitHub repositories impersonating legitimate software and security projects to distribute infostealer malware.

The campaign drew traffic from search results for security products, cryptocurrency services, financial tools, developer utilities, secure email providers, macOS utilities, and gaming software.

The malware collects data from more than 19 web browsers, steals info from 32 cryptocurrency wallets, and exfiltrates sensitive details from messaging and social media apps.

New CrashStealer malware poses as Apple crash reporting tool

A new macOS information-stealing malware called CrashStealer pretends to be Apple’s crash-reporting tool to steal credentials, keychain data, and crypto wallets.

Malware researchers started tracking the malware in May, when it appeared to still be in development, but observed it being used in attacks in early July.

CrashStealer has a typical infostealer capability set that seems to focus on password managers and more than 80 crypto wallet extensions.

CISA warns of actively exploited RCE flaws in Joomla extensions

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) is warning that attackers are exploiting vulnerabilities in the iCagenda and Balbooa Forms extensions for Joomla to achieve remote code execution through arbitrary file uploads.

The agency has categorized the flaws as a maximum priority, ordering federal agencies to apply available security updates and/or mitigations within three days, with the deadline set for today.

The first flaw, tracked as CVE-2026–48939, is an arbitrary file upload flaw impacting the iCagenda extension used for registering and scheduling events and creating calendars.

RedHook Android malware now uses Wireless ADB for shell access

A new version of the RedHook Android malware abuses the Android Wireless Debugging (Wireless ADB) mechanism in a novel way to gain shell-level privileges without requiring a computer connection.

Researchers at cybersecurity company Group-IB analyzed the new release of the mobile malware and say that it significantly expands its capabilities compared to the previous variant documented in 2025.

At the same time, the malware retains its remote access trojan (RAT) features, allowing it to stream the screen, intercept keystrokes, automate UI interactions, and steal credentials.

New U-Boot flaws could enable stealthy firmware attacks

Six vulnerabilities in the widely used U-Boot bootloader have been discovered that could allow attackers to execute malicious code during device boot, potentially enabling stealthy firmware attacks that compromise security protections and install persistent malware.

U-Boot is one of the world’s most widely used open-source bootloaders and is found in many embedded Linux devices, including enterprise servers’ Baseboard Management Controllers (BMCs), networking equipment, industrial systems, IoT devices, and other appliances.

Because U-Boot is responsible for loading the operating system, vulnerabilities in the bootloader can allow attackers to compromise a device before the operating system and its security software have a chance to start.

/* */