Cyber Threat Brief — July 7 2026

⚠️ This report is AI-generated. Always validate findings.

1. LSHIY Azure CLI Password Spray — 81M Login Attempts, ROPC MFA Bypass

TL;DR: Huntress documented a massive automated password spray campaign from LSHIY LLC (AS32167) making 81M+ Azure CLI login attempts June 12-26, compromising 78 accounts across 64 orgs by abusing the deprecated ROPC OAuth flow to bypass MFA Conditional Access Policies.

What’s New:

  • Huntress blog published June 30, widely reported July 7; attacks terminated July 2 after LSHIY suspended the responsible BYOIP customer
  • ROPC (Resource Owner Password Credentials) flow sends credentials directly to /token endpoint with no interactive MFA prompt — 15 of 23 orgs hit on June 22 spike had MFA but were misconfigured
  • Common CAP gaps: MFA scoped to specific apps (not “All Cloud Apps”), admin-only groups, trusted-location exceptions, report-only mode
  • 155x increase in credential spray volume across Huntress customer base over past 6 months
  • Threat actor used breached credential combos that were never rotated

Actionable Intel

ArtifactTypeATT&CKLog SourceAction
IPv6 range 2a0a:d683::/32Source IPT1110.003Azure AD Sign-in LogsBlock range; campaign terminated but block as precaution
AS32167 (LSHIY LLC)ASNT1110.003Firewall/proxyBlock ASN
ClientApp = Microsoft Azure CLIAuth indicatorT1078.004Azure AD Sign-in Logs, EntraAlert on Azure CLI ROPC sign-ins from non-admin users
ROPC grant type at /token endpointAuth flowT1078.004Azure AD Sign-in LogsHunt for ResourceOwnerPasswordCredential grant type
userStrongAuthClientAuthNRequired CAP settingConfig checkT1556Entra ID CAP auditVerify this setting is enforced to block ROPC

Detection

SourceRuleGap
Splunk ESCUNoneNo rule for Azure CLI ROPC password spray pattern; need SPL for grant_type=password + ClientApp=Azure CLI + high failure rate
ElasticEntra ID Brute Force (generic)Does not distinguish ROPC flow from interactive MFA; needs ROPC-specific variant
Sigmacloud_azure_ad_password_spray.yml (partial)Covers generic spray but not ROPC grant type bypass; add requestClientName filter

Sources: Huntress — No (Bad) CAP: Inside an Ongoing LSHIY Password Spray Attack · The Hacker News · BleepingComputer


2. PolinRider Supply Chain Campaign — 108 Malicious Packages Across 4 Ecosystems

TL;DR: North Korea-linked Contagious Interview / Famous Chollima actors published 108 malicious packages and extensions across npm, Packagist, Go modules, and Chrome Web Store, delivering BeaverTail RAT variants that steal developer credentials, crypto wallets, and AI assistant API keys using blockchain-based C2 resolution.

What’s New:

  • Socket Threat Research disclosed July 3-6; campaign active since at least March 2026
  • 162 malicious release artifacts across 19 npm packages, 10 Composer packages, 61 Go modules, 1 Chrome extension
  • Rollup polyfill typosquats (rollup-packages-polyfill-core, rollup-runtime-polyfill-core) mimic legitimate rollup-plugin-polyfill-node
  • Payload resolves encrypted C2 material from TRON, Aptos, BNB Smart Chain blockchain RPC — no traditional C2 domain to block
  • Targets: VS Code, Windsurf, Cursor configs; AWS, Azure, Gemini, Claude API keys; SSH keys; crypto wallets; browser data

Actionable Intel

ArtifactTypeATT&CKLog SourceAction
rollup-packages-polyfill-coreMalicious npm packageT1195.001npm audit, SBOMRemove immediately; scan lockfiles
rollup-runtime-polyfill-coreMalicious npm packageT1195.001npm audit, SBOMRemove immediately; scan lockfiles
Blockchain RPC calls to TRON/Aptos/BNB endpointsC2 resolutionT1102.002DNS, proxy logsAlert on blockchain RPC calls from CI/CD or dev workstations
.vscode/, .windsurf/, .cursor/ config exfilCredential theftT1552.001EDR file accessMonitor reads of AI IDE configs from non-IDE processes
BeaverTail JS payloadRATT1059.007Node.js process monitoringHunt for obfuscated postinstall scripts spawning node with network calls
GitHub repos with mass obfuscated JS commitsSupply chainT1195.001GitHub audit logsReview recent contributor commits against known PolinRider patterns

Detection

SourceRuleGap
Splunk ESCUNoneNo rule for blockchain-resolved C2 or malicious npm postinstall chains
ElasticNoneNo npm supply chain detection; need process tree: npm install → node postinstall → outbound blockchain RPC
SigmaNoneNo coverage for BeaverTail or PolinRider indicators

Sources: Socket — PolinRider Supply Chain Campaign · The Hacker News · BleepingComputer


Status Updates

  • CVE-2026-48907 (Joomla JCE): CISA KEV federal deadline TODAY July 7. ITW exploitation ongoing. Patch to JCE 2.9.99.5. Original brief.
  • CVE-2026-48558 (SimpleHelp OIDC): CISA KEV federal deadline TODAY July 7. Djinn Stealer/TaskWeaver campaigns ongoing. Patch to SimpleHelp 5.5.16+. Original brief.
  • FBI TeamPCP FLASH (FLASH-20260702-01): FBI published consolidated advisory July 2 covering Trivy, KICS, LiteLLM, Telnyx backdoors. New malware names: CanisterWorm, SANDCLOCK, Mini Shai-Hulud, Miasma. 1,000+ cloud environments compromised. Pin GitHub Actions to commit SHAs. FBI FLASH.
  • CVE-2026-20253 (Splunk Enterprise): Active ITW exploitation ongoing per Splunk PSIRT. No new artifacts. Upgrade to 10.4.0/10.2.4/10.0.7.
  • CVE-2026-50656 (RoguePlanet): Still UNPATCHED zero-day. Splunk ESCU Analytics Story available. WDAC/AppLocker remains primary mitigation.