In today’s cybersecurity roundup, investigators are looking into whether Microsoft’s own disclosure program may have inadvertently aided Chinese espionage groups, a gaming mouse utility was replaced with malware in a supply‑chain compromise, and BreachForums – one of the web’s largest data‑theft marketplaces – has returned from its supposed demise. Here’s what you need to know.

Microsoft MAPP leak and SharePoint zero‑day

Microsoft’s incident‑response team is investigating whether confidential details shared through its Microsoft Active Protections Program (MAPP), which gives security vendors advance notice of vulnerabilities so they can ship protections before a patch is public, were leaked. The concern is that Chinese state‑sponsored groups used that early access to build the “ToolShell” exploit chain, which bypasses authentication and then runs arbitrary code on on‑premises SharePoint servers. According to multiple reports, at least three China‑based groups (Linen Typhoon, Violet Typhoon and Storm‑2603) used the flaw to compromise more than 400 organizations worldwide, including U.S. government agencies. Microsoft says MAPP participants were notified about the vulnerability on June 24 and again in early July, and in‑the‑wild exploitation began almost immediately after those notifications. Investigators are now trying to determine whether a participant leaked the confidential details.

Supply‑chain breach delivers Xred malware through a gaming mouse

German peripheral maker Endgame Gear announced that attackers compromised the software distribution system for its OP1w 4K V2 gaming mouse. From June 26 to July 9, the configuration utility offered on the product page was a trojanized build that installed a backdoor called Xred. The malware collects system information, hides itself in a fake Synaptics driver directory, logs keystrokes and can spread via infected USB drives or malicious Excel macros. Endgame Gear replaced the infected files on July 17 and says there is no evidence that its file server itself was breached. Anyone who installed the utility during that window should treat the machine as compromised, check for the rogue Synaptics directory and reinstall the utility from a clean download. The incident highlights the growing risk of supply‑chain attacks targeting consumer hardware: the file kept its name and its place on the vendor’s own page, so nothing short of an integrity check would have caught the swap.
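One practical way to catch a silent swap like this, as an added example that is not Endgame Gear’s code or anything from the original report: pin the SHA‑256 of each vendor download the first time you trust it (ideally after verifying it against a vendor hash or code signature obtained through a separate channel) and re‑check every later copy against that pin. The file names, byte strings and pinned values below are constructed for the example.

```python
"""Pin-and-recheck integrity monitor for vendor downloads (added example).

A hash published on the same page that serves the installer is only as
trustworthy as that page; the pin must come from a copy you already
verified, or from a vendor signature checked out of band.
"""
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Finding:
    name: str
    status: str              # "ok", "tampered" or "unpinned"
    observed: str            # SHA-256 of the copy just downloaded
    expected: Optional[str]  # pinned SHA-256, None if never pinned


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of a file's bytes."""
    return hashlib.sha256(data).hexdigest()


def check_downloads(downloads: Dict[str, bytes],
                    pinned: Dict[str, str]) -> List[Finding]:
    """Compare each freshly downloaded file against its pinned hash.

    Returns one Finding per file: a file whose hash differs from its pin is
    "tampered"; a file with no pin at all is "unpinned" (a new artifact that
    still needs out-of-band verification before it can be trusted).
    """
    findings = []
    for name, data in downloads.items():
        observed = sha256_hex(data)
        expected = pinned.get(name)
        if expected is None:
            status = "unpinned"
        elif observed == expected:
            status = "ok"
        else:
            status = "tampered"
        findings.append(Finding(name, status, observed, expected))
    return findings


def all_trusted(findings: List[Finding]) -> bool:
    """True only if every file matched its pin; unpinned files fail closed."""
    return all(f.status == "ok" for f in findings)


# --- constructed sample data (hypothetical file names and contents) -------
# Bytes standing in for the clean configuration utility as it looked when
# the pin was taken; a real run would hash the file you verified back then.
CLEAN_UTILITY = b"MZ\x90\x00 hypothetical clean config utility v1.0"
CLEAN_FIRMWARE = b"hypothetical clean firmware image v2.3"

# Pins recorded at first trusted sight. Store these outside the download
# directory (e.g. in version control) so a tampered page cannot overwrite them.
PINNED: Dict[str, str] = {
    "config_utility.exe": sha256_hex(CLEAN_UTILITY),
    "firmware.bin": sha256_hex(CLEAN_FIRMWARE),
}

# What a later fetch of the same URLs returned: the utility has been silently
# swapped for a different binary under the same name, the firmware is
# unchanged, and a file appears that was never pinned.
LATER_DOWNLOADS: Dict[str, bytes] = {
    "config_utility.exe": b"MZ\x90\x00 same name, different contents (trojanized build)",
    "firmware.bin": CLEAN_FIRMWARE,
    "driver_pack.zip": b"hypothetical new artifact never seen before",
}


if __name__ == "__main__":
    findings = check_downloads(LATER_DOWNLOADS, PINNED)
    for f in findings:
        print(f"{f.status:9} {f.name}  observed={f.observed[:16]}...")
    print("all trusted:", all_trusted(findings))
```

The check deliberately fails closed on files it has never seen: a new download is not evidence of tampering, but it is not evidence of integrity either, and in this incident the trojanized utility would have shown up as `tampered` the moment its bytes changed under an unchanged file name. On Windows a signature check of the executable (for example with PowerShell’s Get-AuthenticodeSignature) is a useful second gate, but a valid signature from an unexpected signer should be treated as a failure too.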

BreachForums quietly reopens

BreachForums – an online marketplace where hackers trade stolen data and malware – has re‑opened under its original administrators. The forum vanished earlier this year after a law‑enforcement takedown, but a new message from an admin known as “NA” claims the shutdown was due to a zero‑day bug in the forum software, not any arrests. The resurrected site has restored more than 7.3 million posts across 13,000 threads, meaning operators either retained full backups or law enforcement never seized their servers. Despite promises of more transparent moderation, security researchers warn that the forum will likely remain a hub for trading breached data.

These stories underscore how valuable early vulnerability information is to attackers, why supply‑chain attacks increasingly target hardware and software vendors alike, and how difficult it is to permanently dismantle cybercrime infrastructure. Organizations should apply patches promptly (for the SharePoint flaw, Microsoft’s guidance also calls for rotating ASP.NET machine keys after patching, since the exploit chain can steal them and patching alone does not evict an attacker who already holds them), verify what vendors’ download channels actually serve against hashes or signatures obtained independently of the download page, and be wary of re‑emerging dark‑web marketplaces.


TIP OF THE MONTH.

To safeguard your communications, use end‑to‑end encrypted messaging apps such as Signal or WhatsApp, so that only you and the recipient can read your messages.
Avoid sending sensitive information via standard SMS, especially between different platforms such as Android and iOS, since those messages are not end‑to‑end encrypted. Regularly update your apps and devices to maintain optimal security.