Detection / Hunteropenrouter
By the Numbers
- Total articles: 40
- By severity: Critical: 10, High: 26, Informational: 1, Medium: 3
- By category: APT: 3, data breach: 2, general security news: 6, malware: 12, phishing/social engineering: 4, threat actor: 1, vulnerability: 12
Top Threats
Trust Chain Sabotage: Supply Chain and Third-Party Compromises
Attackers pivoted from perimeter exploitation to hijacking the trust chains organizations depend on. Sapphire Sleet poisoned 140+ Mastra npm packages through a typosquatted dependency executing malware at install time, GlassWorm embedded blockchain-backed WebAssembly payloads in Open VSX extensions, and SmartApeSG turned the Okendo Reviews widget into a ClickFix pipeline reaching thousands of e-commerce sites. Third-party integrations proved equally fragile—Klue's breach leaked Recorded Future client data via a hijacked OAuth token, and predictable Vertex AI bucket naming enabled cross-tenant remote code execution through bucket squatting.
- https://socket.dev/blog/mastra-npm-packages-compromised
- https://www.microsoft.com/en-us/security/blog/2026/06/17/postinstall-payload-inside-mastra-npm-supply-chain-compromise/
- https://socket.dev/blog/glasswasm-malware-open-vsx-extensions
- https://www.zscaler.com/blogs/security-research/smartapesg-launches-okendo-reviews-supply-chain-attack
- https://www.recordedfuture.com/blog/klue-security-incident
- https://unit42.paloaltonetworks.com/hijacking-vertex-ai-model/
Industrialized Deception: ClickFix-as-a-Service and Beyond
Deception techniques became scalable criminal services this week. ErrTraffic operates as full Malware-as-a-Service using Polygon blockchain dead-drop resolvers and compromised WordPress sites to serve ClickFix prompts, while BabaDeda, SmartRAT, and a claude.ai shared chat campaign each adapted the fake-prompt technique for different targets—from Brazilian banks to macOS users. The industrialization extends beyond ClickFix: SocGholish maintained a vast Traffic Distribution System for fake browser updates, OXLOADER distributes infostealers via malicious Google Ads, and World Cup phishing lures bypass major secure email gateways using personalized corporate branding.
- https://blog.sekoia.io/unveiling-errtraffic-inside-a-growing-clickfix-malware-distribution-framework/
- https://www.morphisec.com/blog/what-is-the-babadeda-loader-analysis-of-a-new-clickfix-malware-campaign/
- https://www.zscaler.com/blogs/security-research/clickfix-campaign-generated-ai-delivers-smartrat
- https://www.trendmicro.com/en_us/research/26/f/claudeai-shared-chat-abused-in-malvertising.html
- https://www.infoblox.com/blog/threat-intelligence/hot-take-operation-endgame-vs-socgholish/
- https://cofense.com/blog/world-cup-themed-phishing-campaign-delivers-voidrift-malware-with-highly-personalized-lures
- https://cofense.com/blog/elon-musk,-the-irs,-and-your-bank-account-anatomy-of-a-multi-stage-financial-scam
- https://www.elastic.co/security-labs/oxloader-malware-loader-infostealer
- https://www.zscaler.com/blogs/security-research/what-threatlabz-2026-phishing-and-initial-access-report-means-public-sector
Critical Infrastructure Under Active Exploitation and Credential Harvesting
Infrastructure defenders face a compounding crisis where unpatched vulnerabilities and mass-harvested valid credentials converge. FortiBleed cracked SSL VPN hashes for over 73,000 FortiGate firewalls using a 45-GPU cluster, handing attackers legitimate access to government, healthcare, and defense networks including a NATO contractor. Simultaneously, CISA added actively exploited CVEs for Cisco SD-WAN Manager and Splunk Enterprise to its KEV catalog, while Rockwell Automation, Schneider Electric, and Mitsubishi Electric disclosed critical ICS flaws enabling unauthenticated takeover and denial of service on manufacturing floors.
- https://www.recordedfuture.com/blog/critical-fortibleed-campaign
- https://cyber.gc.ca/en/daily-digest/2026-06-18
- https://www.cisa.gov/news-events/alerts/2026/06/15/cisa-adds-two-known-exploited-vulnerabilities-catalog
- https://www.cisa.gov/news-events/alerts/2026/06/18/cisa-adds-one-known-exploited-vulnerability-catalog
- https://cyber.gc.ca/en/daily-digest/2026-06-16
- https://cyber.gc.ca/en/daily-digest/2026-06-17
- https://www.cisa.gov/news-events/ics-advisories/icsa-26-167-05
- https://www.cisa.gov/news-events/ics-advisories/icsa-26-167-03
- https://www.cisa.gov/news-events/ics-advisories/icsa-26-167-02
- https://www.cisa.gov/news-events/ics-advisories/icsa-26-169-04
- https://cyber.gc.ca/en/daily-digest/2026-06-19
- https://www.cisa.gov/news-events/ics-medical-advisories/icsma-26-169-01
State-Sponsored Espionage Expands Platform Reach
Nation-state actors expanded from traditional network intrusion to compromising research platforms and porting toolkits across operating systems. UNC6508 breached REDCap servers at North American medical and defense institutions, deploying INFINITERED backdoors and silently exfiltrating emails through manipulated domain compliance rules. FishMonger ported its Linux-only SprySOCKS backdoor to Windows with kernel-level hiding via custom drivers and print processor persistence, while the UK NCSC warned that hostile states now drive 75% of critical infrastructure attacks and 31 countries deploy commercial spyware against travelers and journalists.
- https://cloud.google.com/blog/topics/threat-intelligence/prc-targets-us-medical-research/
- https://www.welivesecurity.com/en/eset-research/fishmongers-arsenal-upgraded-sprysocks-windows/
- https://www.ncsc.gov.uk/news/ncsc-ceo-hostile-states-linked-to-three-quarters-of-cyber-attacks
- https://www.recordedfuture.com/research/state-digital-surveillance-risk-landscape
AI Defenses Under Active Attack
Attackers are actively sabotaging AI security tools rather than just using AI to craft lures. The shai_hulululud npm package injects 3.5 million tokens of noise to exhaust AI malware scanner context windows, hiding its payload in the truncated tail where scanners never reach. A 300% surge in AI bot traffic is simultaneously abusing DNS misconfigurations at machine speed, while researchers demonstrated that local AI agents can automate complex reverse engineering—showing AI capabilities amplify both offense and defense depending on who deploys them.
- https://socket.dev/blog/npm-package-uses-prompt-injection-and-token-flooding-to-disrupt-ai-malware-scanners
- https://www.akamai.com/blog/security/2026/jun/dns-most-critical-most-misconfigured-security-control
- https://blog.talosintelligence.com/scripting-the-disassembler/
Ransomware Evasion Professionalized and Automated Extortion Scaled
Ransomware operators are franchising dedicated evasion toolkits while automated bots commoditize basic extortion. The Gentlemen gang provides affiliates with GentleKiller, a centralized EDR-killing framework that weaponizes newly disclosed vulnerable drivers within days and bypasses over 400 security products. At the opposite end, fully automated bots compromise exposed cloud MySQL databases within hours through brute-force, exfiltrating data and leaving ransom notes—proving basic hygiene failures enable mass extortion without human involvement.
- https://www.welivesecurity.com/en/eset-research/killing-me-gently-inside-gentlemens-edr-killer-framework/
- https://www.varonis.com/blog/encrypting-cloud-mysql
Trending CVEs
- CVE-2026-20262 (2 mentions) — Actively exploited vulnerability in Cisco Catalyst SD-WAN Manager added to CISA KEV catalog, requiring immediate remediation per BOD 26-04 Sources: 1, 2
- CVE-2026-20253 (1 mentions) — Actively exploited missing authentication vulnerability in Splunk Enterprise added to CISA KEV catalog, allowing unauthorized access to critical functions on publicly exposed assets Sources: 1
- CVE-2026-0647 (1 mentions) — CVSS 9.4 vulnerability allowing unauthenticated attackers to change Rockwell FLEX I/O EtherNet/IP Adapter web interface passwords via crafted HTTP GET requests, enabling full device takeover Sources: 1
- CVE-2026-54420 (1 mentions) — Actively exploited vulnerability in LiteSpeed cPanel Plugin added to CISA KEV catalog Sources: 1
- CVE-2024-55591 (1 mentions) — Fortinet privilege escalation and authentication bypass vulnerability exploited in the FortiBleed campaign, enabling unauthorized administrative access to FortiGate firewalls Sources: 1
- CVE-2026-6865 (1 mentions) — High-severity path traversal vulnerability in Schneider Electric EasyLogic T150 and Saitel DP RTUs allowing unauthorized access to sensitive files in energy and manufacturing sectors Sources: 1
Sector Trends
- Critical Infrastructure and ICS — Industrial control systems face compounding risk from unpatched authentication bypasses and mass credential exposure. Rockwell Automation disclosed three separate advisory sets covering FLEX I/O adapters, Logix controllers, and RSLinx software with flaws enabling unauthenticated takeover and denial of service, while Schneider Electric and Mitsubishi Electric reported path traversal and DoS vulnerabilities in RTUs and network modules. The FortiBleed campaign's exposure of 73,000+ FortiGate firewall credentials means many of these ICS networks may already be accessible to attackers using legitimate VPN logins. Sources: 1, 2, 3, 4, 5, 6, 7
- Financial Services — Financial institutions faced attacks across multiple vectors from credential theft to record-breaking denial of service. An Indian public sector bank survived a 1.78 Tbps DDoS attack targeting its login endpoints, while SmartRAT specifically targeted Brazilian banks with AI-generated clones and QR code interception capabilities. Cryptocurrency-focused attacks expanded too: a clipboard hijacker campaign used fake reputation networks to distribute Rust-based malware that swaps wallet addresses, and the IRS/Elon Musk phishing scam harvested bank routing numbers and government ID scans for identity theft. Sources: 1, 2, 3, 4
- Government and Public Sector — Government agencies experienced a 50% surge in phishing attacks despite a 20% decline in global phishing volume, with 95% of attacks now delivered over encrypted channels that bypass legacy inspection. The UK NCSC reported that hostile states drive 75% of cyber attacks on critical national infrastructure, and the FortiBleed credential leak directly impacted government and defense systems including a NATO contractor. Adversary-in-the-middle kits are increasingly bypassing traditional MFA to steal session tokens, making phishing-resistant authentication an urgent priority for public sector defenders. Sources: 1, 2, 3
- Healthcare and Medical Research — China-aligned UNC6508 systematically compromised REDCap research database servers at North American medical and academic institutions, deploying INFINITERED malware to harvest credentials and silently BCC-forward emails containing defense and medical research including Chikungunya pathogen studies. Separately, the Apollo Pharmacy Blood Glucose Monitor was found transmitting sensitive health data in cleartext over Bluetooth and vulnerable to connection hijacking, with no patch available from the unresponsive vendor. Sources: 1, 2
- Developer and Technology Sector — The developer ecosystem suffered coordinated supply chain attacks from both nation-state and criminal actors. North Korea's Sapphire Sleet compromised 140+ Mastra npm packages through a single typosquatted dependency, while GlassWorm trojanized Open VSX extensions with blockchain-backed WebAssembly malware. AI development infrastructure also proved vulnerable: Google Vertex AI's predictable bucket naming allowed cross-tenant model hijacking via a 2.5-second race condition, and a malicious npm package demonstrated that prompt injection can blind AI-powered code security scanners by exhausting their context windows. Sources: 1, 2, 3, 4, 5
Notable Incidents
- FortiBleed Campaign Exposes 73,000+ FortiGate Credentials — Largest firewall credential exposure campaign tracked this year, cracking SSL VPN hashes for over 73,000 FortiGate devices across government, healthcare, and defense sectors including a NATO contractor, using a 45-GPU cluster for offline hash cracking and enabling Active Directory enumeration and data exfiltration with valid administrative access
- Mastra npm Supply Chain Compromise by North Korean APT — North Korea's Sapphire Sleet compromised 140+ npm packages through a single typosquatted dependency, demonstrating cascading supply chain risk where one poisoned package infects an entire ecosystem and establishes persistent cross-platform backdoors that escalate to SYSTEM-level PowerShell implants on Windows
- Gentlemen Ransomware Releases Centralized EDR Killer Framework — First observed ransomware gang providing a centralized in-house EDR killer suite directly to affiliates, weaponizing newly disclosed vulnerable drivers within days and bypassing over 400 security products through BYOVD techniques paired with the OxideHarvest credential stealer
- Indian Bank Survives Record-Breaking 1.78 Tbps DDoS Attack — A major Indian public sector bank faced the largest recorded DDoS attack peaking at 1.78 Tbps and 171 Mpps targeting critical login endpoints used by multiple banking applications, successfully mitigated with zero downtime using proactive always-on cloud edge defenses