TL;DR
Three high-severity threats emerged: compromised jscrambler npm package installs a native infostealer on Windows, macOS, and Linux; Zimbra's stored XSS in email allows code execution; RedHook Android malware now abuses Wireless ADB to gain shell-level privileges without a computer connection.
Executive Summary
- The jscrambler npm package version 8.14.0, published July 11, 2026, was compromised and executes a malicious preinstall hook that drops a native binary infostealer for Windows, macOS, and Linux.
- Zimbra is urging customers to apply updates for a critical stored XSS vulnerability in its Classic Web Client that could result in arbitrary code execution through specially crafted emails.
- RedHook Android malware has evolved to abuse Wireless ADB (Android Debug Bridge) for shell-level access without requiring a connected computer, representing a new privilege-escalation technique.
- China- and India-aligned threat actors have separately targeted the same Pakistani police organization (Balochistan Police) with sustained espionage activity spanning February 2024 to April 2026.
- The FBI seized the NetNut residential proxy platform operated by publicly-traded Israeli firm Alarum Technologies, along with associated domains linked to the Popa botnet.
Top Threats Today
1. Compromised jscrambler npm Package Drops Native Infostealer
Severity: HIGH Affected: Technology
The jscrambler npm package version 8.14.0, published on July 11, 2026, was compromised and executes a malicious preinstall hook during installation [1]. The hook drops and runs a native binary infostealer compiled separately for Windows, macOS, and Linux ⚠[1]. Any developer or build system that installs this version will automatically execute the malware without additional user interaction [1].
Sources:[1] The Hacker News
Recommended Action
- Audit all npm package lock files and dependency trees for jscrambler version 8.14.0 or any recently installed versions
- If installed, immediately remove jscrambler and scan affected systems for the infostealer binary and signs of credential exfiltration
- Regenerate all secrets, API keys, and SSH keys used on affected machines
- Enable and review npm audit logs and implement additional preinstall script monitoring in your build pipeline
2. Zimbra Stored XSS Enables Arbitrary Code Execution
Severity: HIGH Affected: Technology
Zimbra has disclosed a critical stored cross-site scripting (XSS) vulnerability in the Classic Web Client that could allow specially crafted emails to execute arbitrary code in user sessions [1]. The vulnerability is triggered when a user views a malicious email [1].
Sources:[1] The Hacker News
Recommended Action
- Apply Zimbra security updates immediately when available
- Limit Classic Web Client access if possible until patches are deployed
- Educate users to avoid opening emails from untrusted sources pending patching
- Review email gateway logs for suspicious message formats that may indicate exploitation attempts
3. RedHook Android Malware Abuses Wireless ADB for Privilege Escalation
Severity: HIGH Affected: Technology
A new variant of RedHook Android malware now exploits Wireless ADB (Android Wireless Debugging) to gain shell-level privileges without requiring a physical computer connection [1]. This represents a novel escalation technique that bypasses traditional ADB access controls [1].
Sources:[1] BleepingComputer
Recommended Action
- Disable Wireless Debugging on all Android devices unless explicitly required for development
- Review device administration and Google an unattributed threat actor Protect logs for suspicious RedHook signatures
- Enforce mobile device management (MDM) policies restricting developer options access on corporate devices
- Update Android security patches to the latest available version for your device model
4. Separate China and India-Aligned Groups Target Same Pakistani Police Force
Severity: HIGH Affected: Government
Cybersecurity researchers have disclosed that suspected China- and India-aligned threat actors independently conducted sustained cyber espionage campaigns against the Balochistan Police organization in Pakistan between February 2024 and April 2026 [1][2]. The activity involved compromising identical systems across both campaigns, indicating overlapping targets despite geopolitical opposition [2].
Sources:[1] The Hacker News[2] The Record
Recommended Action
- Review access logs for the compromised Balochistan Police systems to identify exfiltrated data
- Coordinate with relevant law enforcement and government cyber agencies
- Audit credentials and reset access keys for all compromised accounts
- Implement network segmentation and enhanced monitoring for law enforcement systems
5. FBI Seizes NetNut Proxy Service; Popa Botnet Linked to Alarum Technologies
Severity: MEDIUM Affected: Technology
The Federal Bureau of Investigation seized hundreds of domains associated with NetNut, a residential proxy service operated by publicly-traded Israeli company Alarum Technologies (NASDAQ: ALAR) [1]. The action follows research linking the sprawling Android-based Popa botnet to the same firm; the botnet has forced millions of consumer TV boxes to relay malicious traffic linked to advertising fraud, account takeovers, and data scraping for the past four ⚠ years [1].
Sources:[1] Krebs on Security
Recommended Action
- Audit firewall and proxy logs for any outbound connections to seized NetNut domains or Alarum Technologies infrastructure
- Review TV box and IoT device inventory for signs of Popa botnet infection or unusual traffic patterns
- Implement network segmentation to isolate consumer IoT and TV devices from corporate networks
- Monitor threat intelligence feeds for any resurgence of related proxy infrastructure
Today’s Action Checklist
- ☐ URGENT: Search npm lock files and deployment artifacts for jscrambler 8.14.0; remove and audit affected systems immediately
- ☐ URGENT: Plan and schedule Zimbra Classic Web Client patching; consider temporary access restrictions pending updates
- ☐ Apply latest Android security patches across mobile device fleet; disable Wireless Debugging on user devices
- ☐ Review network egress logs for any connections to seized NetNut domains (provided by FBI) or Popa botnet indicators
- ☐ Coordinate with supply-chain partners on npm package audit procedures to catch future compromises