
Today’s 5 PM recap for Monday, July 13, 2026: the big technology story is not one single breach or product launch. It is the same practical pattern showing up across several headlines: attackers are still getting in through neglected edge devices, software supply-chain trust is still fragile, and AI is moving deeper into work tools while businesses are still trying to decide which platforms they can safely trust.
For home users and small businesses, the useful takeaway is simple: keep routers and website software patched, do not install random “helper” apps on Macs or phones, review what AI tools are allowed to see, and treat package updates, browser extensions, and vendor portals as real security decisions rather than background noise.
Quick Good And Bad
- Good: CISA added a Cisco IOS vulnerability to the Known Exploited Vulnerabilities catalog, which gives administrators a concrete patching deadline and a reminder to check exposed network gear.
- Good: UK authorities charged suspects tied to the Russian Coms caller-ID spoofing platform, and EU/UK sanctions targeted Russian hacking infrastructure. Enforcement does not stop scams overnight, but it raises the cost for groups that enable them.
- Good: Waze is rolling out new AI-powered navigation and customization features, a reminder that practical AI features are becoming more normal in everyday apps.
- Bad: A backdoored Jscrambler npm package reportedly reached almost 1,500 downloads before disclosure, showing how quickly developer supply-chain incidents can spread.
- Bad: New macOS malware called CrashStealer is posing as an Apple crash-reporting tool to steal credentials, Keychain data, and crypto wallets.
- Bad: Japan’s largest taxi operator shut down part of its systems after a cyberattack, another example of digital incidents turning into real-world service disruption.
1. Router And Network Gear Warnings Are Back In The Spotlight
CISA’s Known Exploited Vulnerabilities catalog added CVE-2008-4128, a Cisco IOS cross-site request forgery vulnerability, on July 13. CISA’s required action date is July 16, 2026, which is a short window because the issue is being tracked as exploited in the wild. The important local-business lesson is not that every office has this exact Cisco IOS exposure. The lesson is that routers, firewalls, and managed switches are not “set it and forget it” devices.
BleepingComputer also reported that U.S. and allied cybersecurity agencies warned about Russian state hackers targeting vulnerable or poorly configured routers to reach critical infrastructure networks. Even if your business is not critical infrastructure, the same weak points matter: default passwords, exposed management interfaces, old firmware, weak SNMP settings, and forgotten remote-access rules.
What to do today: check whether your router/firewall has current firmware, turn off public-facing admin access unless it is absolutely required, replace default community strings such as “public” and “private,” and make sure any remote management is protected by a VPN or a vendor-supported secure access method. If you have multiple locations, document the model, serial number, firmware version, and who is responsible for updates.
Need help with a router, Wi-Fi, or office network review? The IT Guys can help with small business IT service and at-home tech support.
2. Joomla Extension Exploits Are A Reminder To Audit Website Plugins
CISA warned that attackers are exploiting remote-code-execution flaws in the iCagenda and Balbooa Forms extensions for Joomla through arbitrary file uploads. This is the kind of issue that hits small organizations because plugins are often installed once, then forgotten. A contact form, event calendar, gallery, backup tool, SEO plugin, or file-upload add-on can become the weakest point of the website.
For WordPress, Joomla, Drupal, and other CMS sites, the practical checklist is the same: remove plugins you do not use, update the ones you keep, disable upload features that are not needed, use strong administrator passwords with MFA, and keep a backup that is separate from the hosting account. If your site accepts customer forms or file uploads, treat it as a higher-risk system and review it more often.
3. A Backdoored npm Package Shows Why Developer Machines Need Security Too
Jscrambler disclosed that a malicious version of its npm package was published and downloaded almost 1,500 times, according to BleepingComputer. This matters beyond software companies. Many small businesses now rely on a website developer, automation consultant, marketing contractor, or internal power user who installs packages and scripts to build tools. One compromised package can steal tokens, environment variables, SSH keys, or browser session data from a developer machine.
Defensive move: developers should pin dependencies, review unexpected package updates, rotate credentials after a suspected supply-chain incident, and avoid storing production secrets directly on everyday laptops. Business owners should ask vendors whether they use MFA, password managers, code review, and separate production credentials. That is not overkill anymore; it is basic vendor-risk hygiene.
4. Mac Users Should Watch For Fake Apple Utility Prompts
A new macOS infostealer called CrashStealer is posing as an Apple crash-reporting tool. Reports say it is designed to steal credentials, Keychain data, and crypto wallets. The tactic works because users are trained to trust system-looking prompts, especially when an app appears to have crashed or needs “diagnostics.”
Mac users should be skeptical of unexpected downloads, browser pop-ups, “required” support tools, and any app asking for accessibility, screen recording, or full disk access without a clear reason. Install software from trusted sources, keep macOS updated, and do not approve security prompts just to get rid of them. If a business Mac handles banking, payroll, crypto, or client data, it should have endpoint protection and a real backup plan.
5. Real-World Service Disruption: Taxi Systems And Retail Data
Japan’s largest taxi operator, Nihon Kotsu, said a cyberattack forced it to shut down part of its infrastructure. Lidl also disclosed an online-shop data breach tied to a service provider hack affecting customers in Germany, Belgium, and the Netherlands. These are different incidents, but the customer impact is familiar: service interruptions, exposed personal information, notification work, and trust damage.
Small businesses should take two lessons from this. First, downtime planning matters even if you are not a tech company. If your scheduling, payments, dispatch, invoicing, or point-of-sale system goes down, you need a manual fallback. Second, vendor security matters. If a third-party provider handles customer data, your business may still be the one explaining the problem to customers.
6. Enforcement And Privacy News Brought Some Better Signals
There was some useful good news today. UK authorities charged five people connected to Russian Coms, a caller-ID spoofing platform reportedly used for more than 1.8 million scam calls. Separately, the EU and UK announced sanctions against Russian individuals and entities tied to cyberattacks. These actions do not eliminate phishing, spoofed calls, or cybercrime, but they do make the ecosystem riskier for the people selling the tools.
TechCrunch also reported that the LAPD is letting its contract with Flock expire over civil-liberties and privacy concerns. That is not a small-business security story directly, but it is part of a larger shift: buyers are asking harder questions about surveillance, data retention, and who can access collected data. Businesses should apply the same thinking to cameras, access-control systems, employee-monitoring tools, and customer analytics platforms.
7. AI Keeps Moving Into Work, Navigation, And Enterprise Strategy
TechCrunch reported several AI-related stories today, including Microsoft CEO Satya Nadella warning enterprises about relying on proprietary models, Anthropic localizing Claude pricing for India, and Waze adding AI-powered navigation and customization features. The overall direction is clear: AI is no longer sitting off to the side as a novelty. It is moving into productivity tools, navigation, customer service, development workflows, and business decision-making.
For home users, the advice is to treat AI features like any other cloud service: check what data you are sharing and do not paste passwords, Social Security numbers, bank details, or private medical information into tools you have not reviewed. For small businesses, create a simple AI use policy. Decide which tools are approved, what information employees can enter, and when human review is required before sending AI-assisted work to customers.
Today’s Practical Checklist
- Check router and firewall firmware, especially older Cisco, Netgear, DrayTek, Zyxel, Fortinet, ASUS, and ISP-provided equipment.
- Disable internet-facing router admin panels unless there is a documented business need.
- Review CMS plugins and extensions; remove what you do not actively use.
- Make sure your Mac users know not to approve fake crash-reporting or support-tool prompts.
- Ask software vendors and developers how they protect package managers, API keys, and production credentials.
- Build a manual fallback for scheduling, payments, invoices, and customer communications.
- Write a short AI policy before employees start pasting sensitive business data into random tools.
Sources
- CISA Known Exploited Vulnerabilities Catalog
- BleepingComputer: CISA warns of actively exploited RCE flaws in Joomla extensions
- BleepingComputer: U.S. and allies warn of Russian critical infrastructure attacks
- BleepingComputer: Hackers backdoor Jscrambler npm package with infostealer malware
- BleepingComputer: CrashStealer malware poses as Apple crash reporting tool
- BleepingComputer: Japan’s largest taxi operator shuts systems after cyberattack
- BleepingComputer: UK charges suspects linked to Russian Coms
- BleepingComputer: EU sanctions Russian GRU military hackers over cyberattacks
- TechCrunch: Waze adds AI-powered features and customization updates
- TechCrunch: LAPD lets Flock contract expire over privacy concerns
- TechCrunch: Satya Nadella warning to companies using AI