All episodes
Week of Jul 13, 2026

Threat Vectr Weekly — week of Jul 13

10 min

Stories covered this week

Transcript

Narrated by two AI anchors. Lightly formatted for reading.

Marcus

Welcome to Threat Vectr Weekly, your security briefing for the week of July thirteenth. I'm Marcus, joined as always by Elena, and we have a packed episode. Coming up: a technique that lets malicious AI coding add-ons slip past every scanner tested, a silent browser hijack that needed zero clicks from the victim, and a new rent-a-malware kit that runs on Windows, Mac, and Linux from the same codebase. Plus privacy concerns in the doctor's office, a law that took far too long to pass, and some uncomfortable truths about how well your organization's risk assessment is actually working. Let's get into it.

Elena

We start in Australia, where a quiet but significant privacy debate is unfolding inside your GP's waiting room. Over the past eighteen months, AI scribe tools have spread rapidly through Australian medical clinics. These are software programs that listen to the conversation between a doctor and a patient in real time, transcribe it, and produce a ready-made clinical note. For an overworked GP, that is genuinely useful. But here is the problem. Australia has no national rules governing these tools in clinical settings. Patients may not always know their conversation is being recorded, who has access to that recording, or where it ends up. The federal health department has now formally raised concerns, and the regulator is examining whether safeguards are needed. The practical takeaway is simple: before your next appointment, ask your doctor whether an AI scribe is running. You have a right to know.

Marcus

That story is a useful reminder that when a technology is convenient enough, it gets adopted before the rules catch up. And the rules really can leave people in the lurch, as our next story makes painfully clear. Tasmania has just become the last state or territory in Australia to criminalize the non-consensual sharing of intimate images, including AI-generated deepfakes. One woman, Stephanie Nolan, went to police after her intimate images were shared online without her knowledge. Officers told her they were not sure what crime had even been committed. One charge was eventually filed, even though multiple images had been shared. Earlier in 2024, twenty-one girls at a Tasmanian private school were targeted when AI-generated pornographic images circulated in a group chat. No charges were laid. That gap is finally closing, with draft legislation expected before the end of the year. Every other jurisdiction in Australia managed this years ago. Better late than never, but the cost of waiting was real.

Elena

Moving to the UK now, and a political accountability story with a cybersecurity angle. Nigel Farage, leader of Reform UK, is facing scrutiny over support he allegedly received from George Cottrell, a thirty-two-year-old cryptocurrency entrepreneur who pleaded guilty to wire fraud in the United States in 2017 and served eight months in prison. The Sunday Times reported that Cottrell provided Farage with security staff, social media workers, and use of a London townhouse near Buckingham Palace, all in the twelve months before Farage was elected as an MP last July. UK parliamentary rules require newly elected members to declare financial benefits received in that window. Farage's team says the support was personal, not political, so no declaration was needed. The Liberal Democrats have asked the Parliamentary Standards Commissioner to investigate. That same commissioner is already looking into a separate five million pound gift Farage received from a cryptocurrency investor. We will keep an eye on how this develops.

ElenaSponsored

A quick word from our sponsor, Train2Secure. Your people are your biggest cyber risk — and your strongest defence. Train2Secure runs realistic phishing simulations and short, engaging security-awareness training your team will actually finish, with compliance-ready reporting that runs on autopilot. Turn your staff into a human firewall. Start your free trial today at Train2Secure dot com — that's Train, the number two, Secure, dot com.

Marcus

And just to add a layer there, this story matters beyond the politics. When public figures accept undisclosed support from individuals with criminal convictions, especially in the cryptocurrency space, it raises legitimate questions about influence, transparency, and who is actually shaping policy decisions. The register of interests exists precisely so the public can make those judgments. Whether the rules were technically broken or not, the principle is worth defending. Over to you, Elena, for a story that is going to matter to every developer in the audience.

Elena

This one is genuinely alarming for anyone building software right now. AI coding agents are tools that sit inside a development environment and help write code. Think of them as an automated junior developer. To extend what they can do, companies allow third parties to publish skills, small add-ons similar to browser extensions for Chrome. Researchers at the Hong Kong University of Science and Technology tested what happens when someone publishes a malicious skill. Their technique, which they call SkillCloak, repackages the harmful code so it only unpacks itself at the moment it actually runs, not while it is sitting in storage waiting to be scanned. The result: it beat static scanning tools more than ninety percent of the time. Every scanner they tested. The same research team then built a runtime checker that catches most of the malware once it executes, which shows the solution space exists. But right now, the industry's defenses are badly behind. If your team uses an AI coding assistant with third-party skills, vet those add-ons the same way you would any third-party dependency.

Marcus

From a very specific technical threat to a broader structural one. A piece in CSO Online this week pulled together seven mistakes security leaders make when running cyber risk assessments, and it is worth slowing down on because the findings are uncomfortable. The central problem is that assessments too often become a checklist: boxes get ticked, a report gets produced, auditors are satisfied, and leadership feels secure. Adriel Desautels, the chief executive of penetration-testing firm Netragard, makes a blunt point: every major breach in the past decade involved an organization that was compliant at the moment it was broken into. Compliance is not the same as security. Two specific blind spots came up repeatedly. First, AI tools connected to internal company systems are almost never included in risk assessments, even though they can access sensitive data. Second, a completed risk register, the document listing known threats and their ratings, can actually create false confidence at board level when nobody ever revisits its underlying assumptions. The fix is to measure risk in terms of business harm, not just technical findings.

Elena

Quick practical one now, and if you use Opera GX, the gaming-focused version of the Opera browser, you will want to hear this. Researchers disclosed a flaw that let a malicious website silently install a browser extension on a visitor's machine. No click required, no warning, no prompt. You visit a page, and an add-on is installed. A browser extension, for anyone unfamiliar, is a small program that can read and modify other pages you have open. In a proof of concept, the researchers were able to reconstruct a signed-in user's full Gmail address from a single visit to a malicious page. The bug worked because Opera GX trusted certain Opera-owned pages to trigger installs automatically, and the researchers found a way to spoof that trust. Opera has patched the flaw and says it found no evidence anyone exploited it in the wild. If you run Opera GX, make sure you are on the latest version, and while you are at it, audit the extensions you already have installed. If you do not recognize one, remove it.

Marcus

And we finish with a new entrant to the malware-as-a-service market that security teams should add to their watch lists. Researchers at LevelBlue have identified a remote access trojan called QuimaRAT. A remote access trojan is software that gives a criminal a hidden live connection into a victim's machine, as if they were sitting at the keyboard remotely. What makes QuimaRAT notable is two things. First, it runs on Windows, macOS, and Linux from the same codebase, because it is written in Java, a language designed to run identically across operating systems. Most desktop malware targets Windows and ignores everything else. This one does not. Second, it is being sold as a subscription. Criminals can rent access for one hundred and fifty dollars a month, up to twelve hundred dollars for lifetime access. That pricing means the barrier to entry is low, which means the pool of potential attackers is larger. The practical message: Mac and Linux users cannot assume they are safe by default anymore, and endpoint detection tools on all three platforms need to be kept current.

Marcus

That is your Threat Vectr Weekly for the week of July thirteenth. Thank you for spending ten minutes with us. If you want the full story links, deeper analysis, and early access to next week's briefing before it hits the feed, head to threatvectr dot com slash newsletter and sign up. It is free. We will see you next week, stay sharp.

© 2026 Threat Vectr