Cyber Briefing – July 6, 2026
TODAY’S TOP 5
AI SECURITY LOOMS OVER NATO SUMMIT: President Donald Trump enters the annual NATO leaders’ summit in Ankara this week with powerful leverage over the military alliance: The U.S. has the world’s most advanced artificial intelligence technology and can decide which of its allies gets access, POLITICO reports. Tech companies such as Anthropic and OpenAI have recently announced a new wave of sophisticated AI models capable of finding and exploiting security flaws better than most human minds. These tools can be used to fortify cyber defense systems — or to help adversaries launch cyberattacks at an unprecedented scale. “AI is fundamentally changing the threat landscape, and NATO needs to adapt accordingly,” said Helen Popp, Estonian ambassador-at-large for cyber policy. “Every capability AI provides to our adversaries is also available to us — the key question is whether we are prepared to move first and make effective use of it.”
- The Trump administration’s latest restrictions on private AI model releases are ramping up the push for open-source alternatives, The Hill reports. Supporters of open-source models, which are easily accessible and draw from public data, say the White House’s unprecedented reach into frontier AI labs could be a blessing for China, which offers cheaper, open-source models for people and companies around the world. The situation, according to AI experts, is highlighting the need for more open-source development in the U.S. to prevent China from taking advantage of a lack of American frontier models.
- New job postings from DeepSeek show the Chinese AI lab plans to build an agentic model that can find vulnerabilities in code. These details, buried in a hiring round, show DeepSeek’s new strategy following the attention garnered by Anthropic’s Mythos. DeepSeek has listed dozens of roles as part of a June commitment to nearly double its workforce. An ASPI analysis of the postings shows the company shifting from being a research-oriented lab to a commercially oriented AI developer, with stronger international ambitions and heavier investment in frontier models. These include a planned “code agent” trained by data engineers who can “discover attack surfaces and construct attack paths in real-world products,” according to one listing.
INSIDE RUSSIA’S ‘UAV CAMPAIGN OVER EUROPE’: Between August 2024 and February 2026, Uninhabited Aerial Vehicles (UAVs) were flown in the airspace of a dozen NATO member states and Ireland, forcing repeated closures of major commercial aviation hubs, disrupting military operations and penetrating the perimeters of some of Europe’s most sensitive defence installations – among them nuclear-sharing sites hosting American B61-12 gravity bombs and France’s ballistic-missile submarine base at Île Longue. A new IISS report assesses it is highly likely that the Kremlin conducted a UAV campaign over Europe and it is likely that Russian-linked vessels and the ‘shadow fleet’ were used as launch/recovery platforms for UAVs as part of the Kremlin’s wider unconventional war on Europe. The UAV campaign (largely in the latter part of 2025) operated with substantial impunity across European airspace – representing both a series of tactical successes for the Kremlin and a strategic failure of allied air defense. The Kremlin’s success rests on a basic strategic insight: Europe’s air-defense architecture was designed to detect and defeat conventional air threats operating in a recognizable battlespace. It was not built for, by comparison, relatively low-cost UAVs and deniable incursions with the aim of exposing gaps in detection, decision-making and legal authority – all while remaining below the threshold of a collective allied response.
- The report said about 170 sightings were reported between Nov. 20-26, 2024, over three air bases used by the United States Air Force (USAF), BBC reports. The drones entered the air bases at low altitude with their lights visible and departed at higher altitudes, the report continued. There were swarms of up to 20 drones at a time and some were said to be flying low over runway approaches. A police helicopter sent to investigate reported a near-miss with what was later identified as a US F-15 fighter jet.
HACKERS BREACH UK’S FOREIGN OFFICE: Russian hackers are suspected of gaining access to Foreign Office and council systems using stolen logins, The Times reports. The cybercriminals breached security firewalls provided by Fortinet, a cyber security company, in an attack nicknamed FortiBleed by researchers. The hackers gained access by reusing old leaked passwords that had not been changed, which gave them access to compromised networks. About 80,000 firewall accounts were breached, including for Foreign Office staff in Mauritius and Thailand and workers at Derbyshire and Waltham Forest councils.
- Britain’s National Cyber Action Plan, the government’s forthcoming strategy for defending the wider economy against state-backed and criminal hacking, has been delayed again following Prime Minister Keir Starmer’s resignation, according to multiple sources with knowledge of the matter. The plan had been due for publication today, the sources said. It has been postponed amid the uncertainty over the governing Labour Party’s leadership contest, which opens July 9. A government spokesperson told Recorded Future News it remained committed to publishing the National Cyber Action Plan.
HUGE DEMAND STRAINS BAKED GRID: The soaring temperatures pushed the Mid-Atlantic’s electrical grid to the brink on Thursday, when it was feared that air-conditioning units across 13 states – combined with data centers’ unprecedented demand for electricity – might max out the regional power supply., the Prince William Times reports. That could have required grid operator PJM to cut power to at least some of the region’s hundreds of data centers, forcing them to rely on their air-polluting diesel generators to keep the computer servers that operate the internet up and running. But it didn’t happen. Even though PJM’s emergency procedures dashboard lit up like a Christmas tree all day on Thursday, July 2 – with more than 40 ominous-sounding alerts and warnings – data centers were never ordered to disconnect from the grid.
- America’s rickety electric grid is entering the hottest months of the year with a record-setting amount of new power generation — but plenty of problems, The Wall Street Journal reports. An influx of 58.5 gigawatts of new resources, dominated by solar and battery storage, has reduced the widespread blackout risks the country faced in recent years. That is according to the North American Electric Reliability Corporation, a nonprofit tasked with monitoring the reliability of the U.S. power system. The estimate suggests the U.S. should have plenty of power supplies under normal summer conditions. Forecasts, though, call for a hotter-than-usual season, and a heat dome has much of the country in its grip.
- The Federal Emergency Management Agency, the Department of Housing and Urban Development and the Department of Energy have obligated about $14 billion for Puerto Rico’s grid recovery and modernization since 2017, but limited funding has been disbursed, according to a new Government Accountability Office report. About $2.7 billion of about $11.1 billion obligated by FEMA has been disbursed since 2017, largely for equipment and materials and architecture and engineering. In addition to FEMA, HUD and DOE obligated about $2.3 billion and $937 million respectively. However, most of these funds have not been disbursed. Moreover, DOE has reallotted or canceled about $715 million originally for community and low-income households’ solar projects to address grid stability and other needs yet to be determined. Limited progress has been made toward grid stability in key areas using federal assistance, with nine large FEMA projects complete. Key areas include repairing select transmission lines; modernizing operations; and clearing vegetation from transmission and distribution lines. Stakeholders cited clearing vegetation as an urgent priority; however, as of February 2026, about 400 miles had been cleared using federal funds out of 16,000 miles planned for vegetation clearing.
THE ALGORITHM WILL SEE YOU NOW: What began as an experiment in conversational tech has evolved into a widespread coping mechanism. For millions, AI is no longer just being used as a productivity tool and it has become the “first stop” for emotional guidance. Recent data highlights this reality, stating roughly one in five young people now turn to AI chatbots for mental health advice: A 2026 study published in JAMA Pediatrics confirmed that 19.2% of young people ages 12 to 21 have used AI chatbots for mental health advice. That’s roughly 8.2 million adolescents and young adults in the United States alone. As a mental health professional, Bonnie Mitchell, writing at Threat Beat, looks at this shift with a mixture of optimism and profound caution. We are standing at a crossroads where accessibility meets automation, and the long-term implications for our collective psychological well-being are still being written.
| OSINT YOU NEED TO START YOUR DAY: The Cyber Briefing is brought to you by the McCrary Institute for Cyber and Critical Infrastructure Security at Auburn University. SUBSCRIBE |
| WE WANT TO HEAR FROM YOU: What would you like to see in your morning briefing? Reach out to Executive Editor Bridget Johnson with your comments and suggestions |
CYBER FOCUS PODCAST
(Watch on YouTube or click the player above)
Army Principal Cyber Advisor Brandon Pugh joins Frank Cilluffo on this replay episode of Cyber Focus to address a stark reality: if critical infrastructure fails, the Army cannot mobilize. To meet this “no fail” mission, Pugh explains how the service is aggressively merging cyber with electronic warfare and cutting red tape to field new technology in days rather than years. They also discuss the Army’s unique edge in this digital fight — reservists who bring high-level private-sector expertise directly to the battlefield. The conversation also explores how AI and operational technology are reshaping the Army’s cyber battlefield and threat landscape.
SUBSCRIBE TO CYBER FOCUS: YouTube | Spotify | Apple Podcasts
CYBER AND CI UPDATES
ATTACKS AND INCIDENTS
Agriculture
The operational challenge: What the Mackay Sugar cyber attack reveals about Australia’s cyber readiness
In early June, a nightmare scenario occurred at a vital sugar mill in North Queensland: a ransomware attack not only breached Mackay Sugar’s network but also disrupted operations at two of the company’s sugar mills. Within days, Mackay Sugar was able to get operations back online, but the outcome could have been far more catastrophic. A similar attack on carmaker Jaguar Land Rover last year saw the UK government forced to provide an emergency bailout to the tune of £1.5 billion. The attack was so damaging to car production that the country’s gross domestic product (GDP) was impacted. In many ways, Mackay Sugar got off lightly, yet the incident is illustrative of the cyber readiness of Australia’s critical infrastructure operators. (CYBERDAILY.AU)
Chemicals
Chemical accidents rise as Trump administration proposes weakening safety rules
Physicist Ronald Koopman appeared at a Southern California Air District meeting in 2018 to talk about what seemed like an arcane scientific topic: hydrofluoric acid dispersion and water mitigation testing. Hydrofluoric acid, also known as hydrogen fluoride or HF, is used to manufacture a range of materials, including refrigerants, gasoline, fluorine-based pesticides and fluoropolymers like those used to make Teflon. It’s also one of the most corrosive and dangerous chemicals known. Koopman conducted experiments with the chemical in the 1980s that warned about the potential of deadly accidents at facilities that use the hazardous materials. (INSIDECLIMATENEWS.ORG)
Cybercrime
NetNut cracked as Google and FBI target 2 million-device botnet
Tech companies working with US law enforcement “significantly degraded” the NetNut residential proxy network as part of an ongoing effort to disrupt the tools cybercriminals use to conceal their activity, say researchers. The work was carried out by Google, Lumen, Shadowserver, the FBI, and others, and marks a continuation of the IPIDEA proxy network disruption from January. According to Google Cloud, those working on the operation believe NetNut was among the most popular residential proxy network providers and had at least 2 million devices enrolled in its botnet, comprising mainly small TV-streaming hardware. Crims often use residential proxy networks to make it look like their traffic is actually coming from legit homes and businesses. (THEREGISTER.COM)
15-year-old arrested over Bandai Channel cyberattack using a ChatGPT-assisted tool
Japanese police have arrested a 15-year-old high school student from Tokorozawa City, Saitama Prefecture, on suspicion of fraudulent obstruction of business after he allegedly used a ChatGPT-assisted program to launch a sustained cyberattack against Bandai Channel, a popular anime and tokusatsu streaming service operated by Bandai Namco Filmworks. Investigators say the teenager, who was still in his third year of junior high school as of last November 2025, gained unauthorized access to Bandai Channel’s backend servers and systematically canceled the registrations of 46,812 members, forcing mass account withdrawals. (CYBERSECURITYNEWS.COM)
Energy
New APT group hits power grids in three countries with AI-crafted malware
Kaspersky has publicly named a previously undocumented threat actor — Armored Likho — behind an ongoing cyber-espionage campaign hitting government agencies and electric power operators across Russia, Kazakhstan, and Brazil. The disclosure, published Thursday on Kaspersky’s Securelist threat intelligence platform, documents a novel Python-based infostealer called BusySnake Stealer that is still active, still unattributed to any named nation-state, and equipped with technical capabilities that make both detection and forensic recovery exceptionally difficult. Security teams in the targeted sectors need to patch CVE-2025-9491 and audit scheduled tasks immediately — not next quarter. (TECHTIMES.COM)
Government
Man arrested for making threats to use fireworks to damage generators supplying federal buildings in Sacramento on the Fourth of July
On July 1, 2026, federal authorities arrested Trevon McDaniel, aka “The_wild_wolfspider,” 19, of Elk Grove, Calif., for making threats concerning an attempt to damage or destroy buildings or property by means of fire or explosives, U.S. Attorney Eric Grant announced. According to court documents, McDaniel came to the attention of law enforcement because of an investigation into a plot to carry out attacks against federal property and officials, including an attack at a June 14, 2026, Ultimate Fighting Championship event on the South Lawn of the White House and additional coordinated attacks. McDaniel communicated directly with one of the principal conspirators in the UFC plot, Abraham Hermosillo Alvarez. After Alvarez’s arrest in Nebraska, investigators reviewed data from Alvarez’s cellphone, which contained TikTok messages between Alvarez and the account “the_wild_wolfspider” from April 17 to June 7, 2026. The FBI later identified the account as McDaniel’s. (JUSTICE.GOV)
Pennington County, S.D., closes most public-facing offices Monday amid cybersecurity incident
Most Pennington County public-facing offices will be closed Monday as officials respond to a cybersecurity incident affecting portions of the county’s network. County officials said the closures will allow staff to assess the situation and safely restore affected systems. Several essential services will remain operational, including 911 Dispatch, the Pennington County Jail, the Juvenile Services Center, the Care Campus and other public safety operations. Court operations, the 24/7 Program and early voting at the Pennington County Auditor’s Office will also continue as scheduled from 7 a.m. to 4 p.m. (KOTATV.COM)
Health care
AdaptHealth discloses June cyberattack resulting in patient data exposure
In a Form 8-K filed with the Securities and Exchange Commission (SEC) on July 2, the provider of home-based medical devices including continuous positive airway pressure (CPAP) machines said a threat actor reached out on 15 June, claiming to have obtained certain data from AdaptHealth’s systems. AdaptHealth confirmed that a breach had occurred, resulting in the exposure of patient data, including stored password files associated with insurance billing mandates and certain personally identifiable and protected health information (PHI). The cyber attacker had gained access through the company’s cloud-based applications, including certain patient management and document storage platforms. (MEDICALDEVICE-NETWORK.COM)
Ransomware
Kairos ransomware: Data-extortion case study involving a U.S. government entity
This report examines a successful ransom payment by a U.S. government body following a data-only extortion incident involving Kairos, an actor that should not be treated as a confirmed ransomware group on the available evidence. Kairos claimed access to more than 2 TB of data, including approximately 1.6 million files. The group’s initial demand was $3 million, later reduced to a successful final ransom payment of $1 million. The affected entity’s recorded offers increased from $100,000 to $430,000 before Kairos issued a hard deadline. Kairos later claimed the intrusion was achieved through a brute-force credential attack. (RANSOM-ISAC.ORG)
Qilin dominates ransomware market amid growing cybercrime consolidation
The ransomware ecosystem is moving from fragmentation back to consolidation, with Qilin emerging as the dominant ransomware-as-a-service (RaaS) operation after the disruption of major groups including LockBit and RansomHub. Yet despite Qilin’s strong position, the rapid emergence of other groups, such as The Gentlemen, demonstrates how quickly the cybercrime landscape continues to evolve. Lotem Finkelstein, VP research at Check Point, highlighted that based on the cybersecurity firm’s research in their 2026 Cyber Security Report, Qilin now holds around 16% of the cybercriminal market share. (INFOSECURITY-MAGAZINE.COM)
First AI ransomware attack? Sysdig details the autonomous JADEPUFFER threat
Cybersecurity firm Sysdig says it has documented the first known ransomware attack carried out end-to-end by an AI agent. The threat actor, which Sysdig calls JADEPUFFER, did not rely on a human operator at every step. Instead, the attack used an LLM-driven agent to exploit a vulnerable Langflow server, harvest credentials, move deeper into the environment, encrypt a production database, and leave a ransom note. That matters because the individual techniques were not new. The bigger concern is that an AI agent chained them together at machine speed. (THEPCENTHUSIAST.COM)
Spyware
Spyware used against MEP investigating Pegasus abuses, report finds
NSO Group’s hacking software was repeatedly used against a member of the European parliament while he was conducting an investigation of spyware abuses in Europe, according to a new report. Researchers at the Citizen Lab at the University of Toronto said they could not attribute the attacks against Stelios Kouloglou to any particular government operator of Pegasus spyware. But their investigation found the attack against the Greek now-former MEP bore the hallmarks of a previous hacking campaign against exiled Russian and Belarusian journalists in Europe. (THEGUARDIAN.COM)
Trends
Aussies face reduced cybercrime risk, as pressure shifts to SMBs
Individuals in Australia faced fewer cybercrimes in 2025 compared with 2024 and experienced relatively few consequences from them. Except, that is, the owners and operators of small and medium-sized businesses (SMBs), more of whom experienced legal and staffing fallouts. Earlier this week, the Australian Institute of Criminology (AIC) published the results of a survey in which 10,593 Australians were asked about the cybercrimes they faced in 2025. Their responses were positive in some ways. Cybercrime was down overall. The financial costs of cybercrimes were also low. And that’s despite some countervailing factors. (DARKREADING.COM)
Most cybersecurity workers have been told to conceal a breach, report finds
Slightly more than half of cybersecurity professionals think AI is helping attackers more than defenders, the security firm Bitdefender found in a new report. Malware improvements, social-engineering techniques and attack behavior (such as lateral movement and automatic vulnerability scanning) topped the list of AI-related threat vectors worrying respondents to Bitdefender’s survey. The report also highlights shadow AI concerns, breach cover-ups and security confidence gaps between leaders and workers. (CYBERSECURITYDIVE.COM)
WATCH: White House National Cyber Director Sean Cairncross, CISA Acting Director Nick Andersen and more top leaders at the recent McCrary Cyber Summit
THREATS
Malware
New Java-based QuimaRAT MaaS built to run on Windows, Linux and macOS
According to LevelBlue, the cross-platform malware is advertised under a malware-as-a-service (MaaS) model, costing anywhere between $150 for one month to $1,200 for lifetime access. Other subscription tiers include $300 for three months, $500 for six months, and $700 for twelve months. “Built around a modular architecture, the RAT supports dynamic capability expansion through encrypted plugins that can be delivered, loaded, unloaded, and updated directly from its command-and-control (C2) infrastructure,” the cybersecurity company said in an analysis of the malware. (THEHACKERNEWS.COM)
Newly discovered PamStealer isn’t your typical macOS malware
Researchers have found a never-before-seen piece of macOS malware that combines a series of clever tradecraft to infect Macs with stealthy, custom-developed credential-stealing code. The malware is delivered in two stages. The first is distributed in a disk image that masquerades as Maccy, a clipboard manager for Macs. It’s compiled as AppleScript that is notable for the way it delivers the second stage. The malware is named PamStealer because the Rust-written infostealer uses the Pluggable Authentication Modules interface built into macOS to validate the target’s login password before sending it to an attacker-controlled server. (ARSTECHNICA.COM)
Avalon malware uses legal document lure to deliver CrownX ransomware capabilities
A previously undocumented malware framework, tracked as Avalon, that uses a spoofed legal-document lure and a multi-stage, fileless-oriented chain to deliver a ransomware component internally labeled CrownX. The campaign demonstrates a shift toward consolidation of multiple offensive capabilities into a single recovered payload and highlights how modern development practices including likely AI assistance are lowering the bar for threat actors to field sophisticated, modular toolsets. (GBHACKERS.COM)
Agent skill malware evades static scanners using self-extracting skill packing
To combat hreats, the industry heavily relies on static skill scanners that use pattern matching, regex rules, or LLM-as-judge analysis to audit skills before installation. However, a new evasion framework, SKILLCLOAK, demonstrates that these static defenses are highly vulnerable to payload-preserving evasions. Attackers do not have to expose their malicious payloads in the exact format the scanner expects. Instead, they can keep the attack semantics entirely intact while heavily transforming their visible form to bypass detection. (CYBERPRESS.ORG)
Phishing
Cybercriminals pose as Interpol in phishing emails to infect victims with ransomware
Cybercriminals are posing as international law enforcement agencies in a phishing campaign designed to deliver ransomware attacks. As detailed by Bitdefender Antispam Lab in a blog post published on July 1, the phishing attacks target small businesses across Europe, Asia, the Middle East and North America with emails which claim to come from the ‘Cybercrime Investigation Unit’ at Interpol. The fake Interpol email claims that businesses which received it have potentially been involved with or subject to suspicious or fraudulent activity and that the victims should urgently open a file which purports to contain evidence to be reviewed. (INFOSECURITY-MAGAZINE.COM)
Tactics
New TrojPix attack leaks data from air-gapped systems via video cable emissions
Researchers at Shandong University have shown a fast new way to pull data off computers that are cut off from every network. The technique, called TrojPix, tweaks on-screen pixels in ways the eye cannot see, so that the video cable carrying them radiates a faint radio signal a nearby receiver can decode. But TrojPix works only once malware is already on the target machine, so it is a way for stolen data to get out, not a way in. In the researchers’ tests, TrojPix hit a peak throughput of 8.1 Mbps and reached as far as 208 meters, the two measured separately rather than together. Most air-gap covert channels crawl along at bits or kilobits per second; at 8.1 megabits, roughly a megabyte a second, TrojPix could move a 100 MB file in under two minutes. (THEHACKERNEWS.COM)
Vulnerabilities
Opera browser adds native paste protect to stop clipboard hijacking and code injection attacks
Opera has announced a new native security feature called “Paste Protect,” which aims to combat clipboard hijacking and command injection attacks directly within the browser. This marks a significant advancement in proactive endpoint protection at the user interaction level. Introduced on July 2, 2026, the feature is enabled by default. It addresses a rapidly growing type of social engineering attack, particularly “ClickFix”-style campaigns. According to Huntress threat intelligence data, these campaigns accounted for over 53% of malware loader activity in 2025. (GBHACKERS.COM)
Unpatched flaws disclosed in filesystem bundled Into millions of embedded devices
Security firm runZero has disclosed seven vulnerabilities in FatFs, a small filesystem library that lets a device read and write the FAT and exFAT formats used on USB drives and SD cards. The flaws matter because FatFs is nearly everywhere. It ships inside the firmware that runs security cameras, drones, industrial controllers, hardware crypto wallets, and other devices built on real-time operating systems. On the worst-affected systems, an attacker who gets a booby-trapped USB drive, SD card, or update file onto a device can corrupt its memory and run their own code. (THEHACKERNEWS.COM)
PHP TLS flaw lets remote server trigger DoS and crash entire FPM process
A newly disclosed high-severity vulnerability in PHP, tracked as CVE-2026-12184, poses a significant risk to web applications by allowing a remotely triggerable denial-of-service (DoS) condition. This vulnerability can cause entire PHP-FPM process pools to crash. Details of the issue are outlined in the GitHub advisory GHSA-mhmq-mmqj-2v39. It affects multiple supported PHP branches, including versions before 8.3.32, 8.4.21, and 8.5.6. The flaw lies in the HTTP stream-handling logic, specifically in the php_stream_url_wrap_http_ex function. (GBHACKERS.COM)

ADVERSARIES
China
China test fires long-range ballistic missile in the Pacific, angering neighbors
China test fired a long-range ballistic missile with a dummy warhead in the Pacific Ocean on Monday, the first such launch in almost two years, which set off alarm from countries in the region that criticized the move as “destabilizing.” The missile was launched from a Chinese nuclear-powered submarine and sent a “mock warhead” into the Pacific Ocean, according to a report from Xinhua, China’s official news agency. “The missile landed accurately in the designated area,” the report said. The test launch at 12:01 p.m. Beijing time, Xinhua said, was “not directed against any specific country or target.” (NYTIMES.COM)
China says it will hold naval drill with Russia this month
China and Russia will conduct a naval exercise in waters and airspace near Qingdao in July, followed by a joint maritime patrol in the Pacific Ocean, China’s Ministry of National Defense said in a statement on Sunday. The “Joint Sea 2026” activities are part of an annual cooperation plan between the nations’ militaries to address security challenges and help maintain regional peace and stability, the Chinese ministry said. It did not provide details on the timing of the drills or the forces involved. (BLOOMBERG.COM)
Suspected China-nexus hackers use fake Indian tax filing utility to deploy DcRAT
A suspected China-nexus threat activity cluster has been observed targeting Indian taxpayers, tax professionals, and corporate finance teams to deliver a remote access trojan designed to steal sensitive data from compromised hosts. The multi-stage campaign, codenamed Operation DragonReturn by Seqrite Labs, involves sending spear-phishing emails impersonating the Income Tax Department of India. It was first observed on May 18, 2026. The activity, per the cybersecurity company, coincides with the annual income tax filing season in the country. (THEHACKERNEWS.COM)
Troubled straits: Analyzing trade chokepoints in the South China Sea
Each year, trillions of dollars of goods flow through the South China Sea, making it the world’s most consequential maritime corridor. The region is also a hotbed of geopolitical tensions that threaten to upturn global commerce. Despite the enormous stakes, the sea’s critical chokepoints have been poorly understood — until now. This CSIS brief and its companion interactive dashboard offer groundbreaking insight into the value and types of goods transiting eight different South China Sea chokepoints. The new data reveals the extent of each country’s reliance on each chokepoint and challenges existing notions about the importance of these chokepoints. (CSIS.ORG)
North Korea
North Korean PolinRider supply chain attack targets npm, Packagist, Go modules and Chrome extensions
The PolinRider campaign represents a significant escalation in supply chain attacks orchestrated by North Korean threat actors, specifically those associated with the Lazarus Group and APT37. In this campaign, adversaries have published at least 108 malicious packages and browser extensions across major open-source ecosystems, including npm, Packagist, Go modules, and the Chrome Web Store. The attackers leveraged sophisticated techniques to compromise legitimate developer accounts and repositories, injecting highly obfuscated malware loaders into widely used packages. These loaders are designed to evade detection, establish covert command-and-control (C2) channels, and deploy multi-stage payloads capable of credential theft, source code exfiltration, and further lateral movement. The campaign is ongoing, with new malicious artifacts surfacing regularly, posing a critical risk to organizations and individuals relying on open-source software for development and production environments. (RESCANA.COM)
North Korea-linked npm packages mimic rollup Polyfills to steal developer secrets
Threat actors with ties to North Korea have been linked to a fresh set of malicious npm packages that masquerade as Rollup polyfill tooling to facilitate remote access and data theft. According to JFrog, the packages “rollup-packages-polyfill-core” and “rollup-runtime-polyfill-core” mimic the legitimate “rollup-plugin-polyfill-node” project, down to the description, repository metadata, and package shape. “The lookalike packages place themselves in the same rollup, polyfill, core, and node naming space, which can look plausible during a quick dependency review,” JFrog said in a technical write-up of the campaign. (THEHACKERNEWS.COM)
Russia
Russian blood and treasure: The ballooning costs of Putin’s war
Russia has lost the military initiative in Ukraine as costs continue to mount. The Russian military has suffered 1.4 million battlefield casualties and as many as 450,000 deaths since its February 2022 full-scale invasion, according to new CSIS data. Russia’s territorial control in Ukraine shrank in the spring of 2026, with a net loss of roughly 400 square kilometers in April and May. In addition, Ukraine has orchestrated an increasingly successful campaign of short-, medium-, and long-range strikes against Russian military and economic targets using AI-enabled systems and a new paradigm for air power. (CSIS.ORG)

GOVERNMENT AND INDUSTRY
Artificial intelligence
Big tech has suddenly flipped on the AI jobs wipeout scenario
A year ago, the message from many business leaders was that AI was going to wipe out jobs. For the past month or so, tech CEOs have been striking a more optimistic tone. In late May, OpenAI Chief Executive Sam Altman — who has long predicted that AI will lead to seismic shifts in the workforce — said during a conference, “We’ve been roughly right on technological predictions and pretty wrong on the social and economic implications.” Soon after, he told CNBC, “Our industry underestimated how much we’re going to be able to keep people at the center of everything.” (WSJ.COM)
Collaboration
Washington aims to get cyber collaboration back on track
OPINION: After more than a year without a formal framework for government-industry coordination on critical infrastructure cybersecurity, the Department of Homeland Security (DHS) finally unveiled the Alliance of National Councils for Homeland Operational Resilience-Critical Infrastructure (ANCHOR-CI) on July 1. ANCHOR-CI comes at a critical time, as Chinese cyber actors are seeking persistent access to U.S. critical infrastructure. U.S. officials have warned that these intrusions are intended not only for espionage but also to provide options to disrupt critical services during a future crisis. Trusted forums for rapidly exchanging threat information and coordinating responses are essential for thwarting the worst-case scenarios. (FDD.ORG)
Defense
DoD issues guidance as ban on Chinese companies takes effect
The first phase of the Pentagon’s effort to eliminate Chinese military-linked companies from the defense industrial base supply chain takes effect this week, barring defense contractors from working directly with companies on the department’s blacklist. Section 805 of the fiscal 2024 defense authorization bill prohibits the Defense Department from entering into, renewing or extending a contract for the procurement of goods, services or technology with firms designated by the Pentagon as Chinese military companies under its Section 1260H list. This “direct” ban went into effect June 30. (FEDERALNEWSNETWORK.COM)
Weapon systems annual assessment: Requiring mature technologies could enable shift to rapid delivery
DOD is again working to reform its acquisition processes to help deliver innovative weapons rapidly. But in this year’s annual report, GAO found DOD struggled to fully enact existing reforms to achieve speed. Key decisions are delayed for some of the costliest weapon programs — raising questions about how realistic their schedules are. Consistently following leading practices for product development could speed it up. Some programs began on a rapid acquisition pathway with tech that requires more time to develop — slowing on-time delivery of needed weapons. (GAO.GOV)
Air Force, Space Force combine multiple AI tools in latest battle management experiment
The Air Force recently experimented with multiple artificial intelligence tools designed to improve battle management, expanding on and validating the service’s past work to test the technology for future operations. The Department of the Air Force’s Advanced Battle Management System (ABMS) Cross-Functional Team hosted its inaugural Multi-Decision Advantage Sprint for Human-Machine Teaming (MASH) experiment in May. Held in Las Vegas, Nevada, the two-week event was the latest in a series of wargames designed to develop and test industry’s AI-enabled battle management tools. According to the service, MASH marked an evolution in the Air Force’s experimentation campaign by successfully integrating disparate capabilities and having Space Force guardians actively participate alongside airmen. (DEFENSESCOOP.COM)
A Catholic security scholar’s case for responsible military AI
OPINION: Much of the time, these two identities — my professional role and my faith — coexist in a delicate but manageable truce, but sometimes they are in intense conflict. The recent publication of Pope Leo XIV’s first encyclical, Magnifica Humanitas, has become such an occasion. As with many ethical conundrums, there may be no convenient or elegant answer, and perhaps getting those who work at the intersections of security and technology, such as myself, to experience internal conflict was partly the pope’s goal. Yet I do not ultimately believe that the Catholic and security scholar in me need to remain in perpetual conflict. There is a point where these two identities can come together with a shared purpose and plan: to continue developing AI-enhanced military capabilities, but with much better, stronger guardrails. (WARONTHEROCKS.COM)
Drones
Ukraine’s drone war: The rise of machine-speed adaptive hyperwar
OPINION: As unmanned systems, combat data, and human command have fused into kill chains that operate at unprecedented speed, drone warfare in the conflict between Russia and Ukraine has evolved from a narrow contest of platforms to a battle fought at machine speed and dictated by algorithms. Constant surveillance and precision lethality have altered the traditional military philosophies of maneuver and attrition, while combat drones have enabled lean formations to achieve outsized operational effects relative to their personnel strengths. The exponential growth of the internet of battlefield things has turned combat data into a sovereign strategic asset. Ukraine’s corpus of battlefield data constitutes an unparalleled operational dataset, primed for its Western allies’ use in training artificial intelligence–driven battle networks and next-generation autonomous systems. (HUDSON.ORG)
The Blue Helmet’s new battlefield: Drones, proxies and weak intelligence
OPINION: In December 2025, six Bangladeshi United Nations (UN) peacekeepers were killed in a drone strike on a UN facility in Kadugli, Sudan, amid the country’s ongoing civil war. The attack was not an isolated battlefield tragedy. It exposed how the spread of inexpensive drones, proxy forces, inadequate intelligence sharing, and declining mission resources has rendered traditional UN peacekeeping force-protection assumptions increasingly obsolete. Drawing on interviews with peacekeeping-intelligence officers, this article argues that Bangladesh and other major troop-contributing countries must press for stronger early-warning systems, counter-unmanned aerial vehicle (UAV) capabilities, revised training and rules of engagement, and greater influence over how peacekeeping missions assess and respond to emerging threats. (SMALLWARSJOURNAL.COM)
These lightweight power cells run on nuclear waste and could power next-gen drones
How many missions could a drone or satellite fly with a battery pack that can last decades? And what if that battery could be fueled by nuclear waste? That’s the future scientists are working toward in DARPA’s “Rads to Watts” program, which aims to create lightweight batteries with a high energy density. And a recent $3.37 million contract award aims to fund a viable proof-of-concept device that can produce more than 10 watts per kilogram with a yearslong shelf life. “Solar cells directly convert sunlight into electricity…Ours directly convert radiation into electricity,” said Stafford Sheehan, CEO and founder of Project Omega, which describes their radioisotope power sources as mini-generators that replace traditional batteries. (DEFENSEONE.COM)
Emergency services
One year after devastating Texas floods, adoption of warning systems remains uneven
A year after catastrophic flooding in Texas Hill Country exposed critical gaps in emergency warning systems, state and local officials are expanding efforts in flood detection technology, outdoor sirens and real-time emergency communications designed to give residents more time to evacuate before fast-moving floodwaters arrive. The floods last July 4th killed more than 130 people across Central Texas, including more than two dozen campers and counselors at Camp Mystic, an all-girls Christian summer camp. Heavy rains caused the Guadalupe River to rise by more than 26 feet in what’s known as “flash flood alley, making the incident one of the state’s deadliest natural disasters in decades. (STATESCOOP.COM)
Nuclear
NRC looks to speed up reactor build-out, scrap decades-old radiation standard
The Nuclear Regulatory Commission unveiled new proposals Wednesday geared toward speeding up the construction of new reactors and overhauling the way the agency regulates radiation safety. The regulator said it wants to give nuclear applicants the chance to use “modern, risk-informed approaches” for their safety analyses and model updates. Further, the NRC said that it would allow “certain early site activities under a general license” after an applicant applies for a license to start construction on a new reactor. (EENEWS.NET)
Trump DOE hits its target on small nuclear reactors. Now comes the hard part
The Trump administration announced Wednesday that three advanced nuclear reactors built by U.S. companies had reached key operational milestones, meeting its July 4 goal to advance the nascent technology it hopes will revolutionize the power sector. A reactor from Houston-based Deployable Energy became the third during Trump’s term to reach criticality, in which it produces a stable nuclear chain reaction, as part of a program sponsored by the Energy Department. The administration’s focus on deploying smaller nuclear technologies comes as U.S. energy demand is soaring, driven in part by the rise of power-hungry data centers. (EENEWS.NET)
Nuclear waste cleanup: Changes needed to ensure DOE is not prematurely excluding less expensive options for large projects
GAO has previously found that the Department of Energy’s (DOE) Office of Environmental Management (EM) has not followed its standards for defining mission need for some large projects. A mission need statement documents DOE’s identification of a mission-related need and, according to DOE standards, should not identify a particular solution. This ensures that DOE does not limit potential solutions at the project initiation stage. However, the majority of mission need statements that GAO reviewed for EM’s large projects identify a particular solution. For example, the mission need statement for the Outfall 200 Mercury Treatment Facility project at the Oak Ridge Reservation proposed “a new mercury treatment facility.” EM officials said they did not see an issue with identifying a solution at the mission need stage because other solutions are explored in later planning stages. However, GAO found instances where EM did not consider or pursue potential cost-saving options as project planning continued because a preferred solution was identified in the mission need stage. (GAO.GOV)
Recovery
Economic Development Administration: Actions needed to assess disaster recovery outcomes
After natural disasters, the Economic Development Administration helps communities recover by coordinating federal agencies and funding projects. In FY 2014–2024, the agency awarded $2.1 billion for economic recovery projects. Projects included flood mitigation at ports, and programs like business incubators — which provide entrepreneurship support. But it’s unclear how these efforts affect local economies because the agency doesn’t have a process or effective measures to assess them. For example, it measures job gains, but doesn’t capture the agency’s contributions to disaster recovery. (GAO.GOV)
Supply chain
NIST updates system-plan guidance for security, privacy, supply chain risk
The National Institute of Standards and Technology (NIST) released updated system-planning guidance that broadens federal cybersecurity documentation to cover security, privacy, and cybersecurity supply chain risk management (C-SCRM). The revision – titled Developing Security, Privacy, and Cybersecurity Supply Chain Risk Management Plans for Systems – consolidates information on how organizations develop and maintain key risk management documentation for information systems. NIST said system plans consolidate information about assets, individuals, authorization boundaries, interconnected systems, data flows, responsible personnel, internal and external environments, and risk-management controls. (MERITALK.COM)
LEGISLATIVE UPDATES
Does Space Force have enough lawyers for tomorrow’s wars? Senators want to know
As Space Force leaders push for more orbital warfighting capabilities and even potential moon operations, senators want to make sure they have enough space-focused military lawyers for future conflicts. The Defense Department would be required to assess its “space law requirements” to face rising threats and examine “options for establishing a dedicated legal organization within the Air Force, Space Force, or Space Command,” under the Senate Armed Service Committee’s version of the National Defense Authorization Act, released last month. “The committee recognizes that operational demands in the space domain have grown, including reliance on commercial integration, allied and partner cooperation, and dual-use technologies,” says the SASC’s NDAA report. (DEFENSEONE.COM)
House, Senate Dems ringing alarm bells over draft grants rewrite
The Office of Management and Budget is expecting to receive thousands of comments about its proposed rewrite of federal grants management. Since OMB issued the update to 2CFR Part 200 on June 1, it has received 3,648 comments and there still are 11 days left to submit feedback. Congresswoman Rosa DeLauro (D-Conn.), ranking member of the Appropriations Committee, said she fears OMB already is implementing the rewrite despite OMB still accepting comments. (FEDERALNEWSNETWORK.COM)
ALERTS AND ADVISORIES
Cyber criminal group TeamPCP
The Federal Bureau of Investigation (FBI) is releasing this FLASH to highlight the tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) associated with the cyber criminal group TeamPCP. TeamPCP actors have conducted large-scale software supply chain compromises by targeting widely used developers and security tools, gaining access to victim environments and extracting sensitive data, including but not limited to cloud access tokens, SSH keys, and Kubernetes secrets. The FBI encourages organizations to contact the FBI if they have been compromised, and to implement the actions in the Recommendations section to reduce the likelihood and impact of compromise by TeamPCP actors. (IC3.GOV)
Vulnerability impacting Citrix NetScaler CVE-2026-8451
The Cyber Centre is aware of a vulnerability impacting NetScaler ADC (formerly Citrix ADC), NetScaler Gateway (formerly Citrix Gateway) and NetScaler ADC FIPS (Federal Information Processing Standards). In response to the vendor advisory released on June 30, 2026, the Cyber Centre released AV26-645 on June 30, 2026. Tracked as CVE-2026-8451, this vulnerability is an insufficient input validation (CWE-125) vulnerability affecting many NetScaler ADC and NetScaler Gateway versions. If exploited, this vulnerability can lead to memory overread, if NetScaler ADC or NetScaler Gateway is configured as a Security Assertion Markup Language (SAML) Identity Provider (idP). (CYBER.GC.CA
Events
TO BE INCLUDED IN THIS CALENDAR, SUBMIT YOUR SECURITY-FOCUSED EVENT FOR CONSIDERATION
DEFENSE TECH: On the sidelines of the 2026 NATO Summit in Ankara, GMF will host a July 7 sectoral Defense Tech Trilateral that brings together roughly 40 government and military officials, private sector leaders, and subject matter experts. This exclusive event will serve as the venue for releasing guidelines for advancing transatlantic defense tech collaboration that capture initial findings from ongoing research. The discussion will directly inform future GMF work focused on the global allied defense tech ecosystem that offers comprehensive analysis and targeted recommendations for governments and the private sector to leverage a new industrial base comprising national-security-aligned investors, startups, and commercial companies to secure future military advantage.
SOUTH CHINA SEA: The CSIS Southeast Asia Program and Asia Maritime Transparency Initiative are pleased to present the Sixteenth Annual CSIS South China Sea Conference. This full-day conference July 7 will feature keynote addresses and in-depth panel discussions on recent developments in disputed waters and the importance of the 10-year anniversary of the landmark South China Sea arbitration. Panels will address the state of play, legal developments and dispute management, evolving alliance networks, and the role of global stakeholders.
COMMUNICATIONS: Join the American Enterprise Institute on July 8 for an exclusive look into the questions defining the Federal Communications Commission (FCC). This public event will begin with a fireside chat, featuring the FCC’s Arpan Sura and AEI’s Shane Tews, to examine the most pressing issues before the commission.
CHINA: Join Hudson Institute’s China Center on July 10 as Miles Yu hosts a panel examining Taiwan’s experience in handling national security cases, foreign interference, technology theft, election influence, proxy networks, and gray-zone legal warfare. The discussion will explore how authoritarian influence exploits democratic openness, social trust, local networks, and legal ambiguity.
CONNECTED CARS: Join Chris Miller, the author of Chip War and a nonresident senior fellow at AEI, alongside Senator Bernie Moreno and Chairman John Moolenaar of the Select Committee on China for a July 13 discussion on how Congress is addressing the threat posed by Chinese data collection through connected vehicles.
RESEARCH SECURITY: Congress, federal agencies, and some university leaders have taken important steps in recent years to strengthen research security and improve transparency surrounding foreign funding, talent recruitment programs, and research partnerships. However, significant vulnerabilities remain. To discuss the evolving research security landscape, please join FDD for a July 14 conversation featuring House Select Committee on China Chairman John Moolenaar (R-Mich.) and Senator Jim Banks (R-Ind.). Moderated by FDD Senior Fellow Craig Singleton, the conversation will examine the challenges posed by the Chinese Communist Party’s efforts to leverage American universities for strategic gain and potential safeguards in this year’s National Defense Authorization Act.
AI CYBER DEFENSE: Join the CSIS Economic Security and Technology Department on July 15 for a discussion on the growing role of artificial intelligence in cyber defense and what it means for the future of national security, critical infrastructure protection, and digital resilience. As cyber threats become more sophisticated and persistent, governments and industry are increasingly turning to AI-enabled tools to detect intrusions, automate threat analysis, strengthen network defense, and respond to attacks at machine speed.
AI AND EDUCATION: On July 16, the Center for Universal Education at Brookings will host a conversation to examine the effects of AI slop on young children’s learning, development, and well-being, as well as the incentives driving its production. As the third event in the Generation AI Starts Early webinar series, the discussion will bring together perspectives from health, media, and policy to explore what AI-generated content means for young children, caregivers, policymakers, and the broader media ecosystem.
AI HEALTH CARE: The AI in Health Conference from Sept. 15 to Sept. 17 bridges the gap between artificial intelligence and real-world health outcomes — focusing not just on what AI can do, but on what it should do to improve patient care. Hosted by the Ken Kennedy Institute at Rice University, the fifth annual AI in Health Conference will explore the current landscape of artificial intelligence in health and present a research-driven outlook for the future of computational health innovation. The program is designed to connect researchers and innovators with engineers, clinicians, and entrepreneurs at the forefront of AI in healthcare and public health.
FOLLOW THE McCRARY INSTITUTE ON LINKEDIN | X | BLUESKY
SUBSCRIBE TO THE CYBER FOCUS PODCAST: YOUTUBE | SPOTIFY | APPLE PODCASTS