#079915 days ago12 min▤RecapJun 15 – Jun 22
Trust Chains Broken at Scale While ClickFix Becomes a Service
This week, attackers stopped trying to kick down the front door and instead walked in through the trust chains that hold digital ecosystems together. North Korea's Sapphire Sleet compromised over 140 Mastra npm packages through a single typosquatted dependency, stealing cryptocurrency wallets and planting persistent backdoors on developer machines. The GlassWorm group trojanized Open VSX extensions with WebAssembly malware that uses the Solana blockchain as an unkillable command channel, while SmartApeSG hijacked the Okendo Reviews widget to serve malicious prompts on thousands of e-commerce sites. Even vendor integrations became a liability: the Klue breach exposed Recorded Future client data through a compromised OAuth token connecting a marketing tool to Salesforce.
Deception also became an industrial product. The ErrTraffic framework now operates as full Malware-as-a-Service, using blockchain smart contracts to hide its infrastructure and compromised WordPress sites to serve fake error prompts that trick users into running malicious commands. Attackers weaponized trusted AI platforms too—one campaign abused claude.ai's shared chat feature to deliver MacSync infostealer on macOS, while the shai_hulululud npm package uses prompt injection to blind AI-powered security scanners. On the infrastructure side, the FortiBleed campaign cracked credentials for over 73,000 FortiGate firewalls with a 45-GPU cluster, handing attackers valid keys to government and defense networks worldwide.
Defenders should immediately hunt for the easy-day-js dependency in their npm projects, reset credentials on any FortiGate firewall, enable Azure AD Graph Activity Logs to close a years-long reconnaissance visibility gap in Microsoft cloud environments, and audit OAuth tokens on all third-party vendor integrations.
#079815 days ago105 min◉Engagement
Within five days of exposing an Ivanti Sentry management surface to the internet, a controlled sensor recorded ten distinct operators attempting to exploit CVE-2026-10520, the CVSS 10.0 pre-authentication command-injection flaw that CISA had added to its Known Exploited Vulnerab…
#0797
Microsoft17 days ago8 min▣LLM reportcritical Microsoft identified a large-scale npm supply chain attack by North Korean threat actor Sapphire Sleet, compromising over 140 packages in the Mastra ecosystem. The attackers used a compromised maintainer account to inject a malicious typosquat dependency that executes a cross-platform Node.js implant during installation, leading to cryptocurrency wallet theft, host reconnaissance, and persistent backdoor access.
#0796
Elastic Security Labs17 days ago5 min▣LLM reportmedium Microsoft has introduced customer-accessible logging for the legacy Azure AD Graph API (graph.windows.net), closing a significant visibility gap historically abused by adversary enumeration tools like ROADrecon and AADInternals. Defenders can now ingest AzureADGraphActivityLogs into their SIEM to detect bulk directory reconnaissance, suspicious user agents, and internal API misuse.
#0795
Canadian Centre for Cyber Security17 days ago4 min▣LLM reporthigh The Canadian Centre for Cyber Security issued an advisory regarding multiple Denial-of-Service (DoS) vulnerabilities affecting Mitsubishi Electric MELSEC iQ-F Series EtherNet/IP and Ethernet modules. Organizations utilizing these industrial control systems should review the vendor advisories and apply the recommended updates to prevent potential operational disruptions.
#0794
Varonis18 days ago5 min▣LLM reporthigh Varonis Threat Labs deployed managed MySQL honeypots across major cloud providers to observe attacker behavior. The publicly exposed GCP instance with weak credentials was compromised within hours by multiple automated ransomware operators who brute-forced access, exfiltrated data, dropped tables, and left ransom notes.
#0793
Recorded Future18 days ago6 min▣LLM reportcritical The FortiBleed campaign involves the exposure of valid administrative and SSL VPN credentials for over 73,000 FortiGate firewalls worldwide. A Russian-speaking threat group intercepted authentication hashes, likely via exported configuration files, and cracked them offline using Hashtopolis to gain initial access. Subsequent post-compromise activity targeted internal Active Directory environments with enumeration, password spraying, and SMB/DFS data collection scripts.
#0792
Zscaler ThreatLabz18 days ago5 min▣LLM reporthigh ThreatLabz identified a supply chain attack where the threat actor SmartApeSG compromised the widely used Okendo Reviews widget to inject malicious JavaScript. The loader employs environment checks, XOR deobfuscation, and staged execution to deliver ClickFix-style social engineering lures, ultimately aiming to deploy RATs and information stealers on desktop endpoints.
#0791
Recorded Future18 days ago4 min▣LLM reportmedium Recorded Future disclosed a data exposure incident resulting from a breach at their third-party marketing vendor, Klue. Attackers compromised an OAuth token used for the integration between Klue and Salesforce, granting unauthorized access to Recorded Future's Salesforce environment and exposing business data fields such as client contact details and contract information.
#0790
ESET18 days ago7 min▣LLM reportcritical ESET researchers analyzed the Gentlemen ransomware-as-a-service (RaaS) operation, highlighting their unique approach of providing an in-house developed EDR killer framework, GentleKiller, directly to affiliates. The framework leverages Bring Your Own Vulnerable Driver (BYOVD) techniques to terminate over 400 security processes and is augmented by third-party tools like HexKiller and HavocKiller, all standardized with a shared defense-evasion layer.
#0789
Elastic Security Labs18 days ago6 min▣LLM reporthigh A newly discovered Windows loader, OXLOADER, is being distributed via malicious Google Ads impersonating Node.js to deliver the CASTLESTEALER infostealer. The loader utilizes advanced evasion techniques, including control-flow flattening, anti-sandbox checks, and staging shellcode within the .reloc section of a copied system DLL, to maintain low detection rates across static engines.
#0788
Cofense18 days ago4 min▣LLM reporthigh A sophisticated phishing campaign is leveraging highly personalized FIFA World Cup 2026 lures to deliver the evasive Voidrift malware. The attackers utilize extensive reconnaissance to embed target company logos into the email lures and host payloads on legitimate domains, successfully bypassing multiple prominent Secure Email Gateways.
#0787
CISA18 days ago4 min▣LLM reporthigh Schneider Electric EasyLogic T150 and Saitel DP Remote Terminal Units are affected by a high-severity Path Traversal vulnerability (CVE-2026-6865, CVSS 7.1). This flaw allows authenticated attackers to access sensitive files on the device due to improper limitation of a pathname to a restricted directory. Firmware updates are available to patch the vulnerability.
#0786
CISA18 days ago3 min▣LLM reportcritical CISA has added CVE-2026-20253, a missing authentication vulnerability in Splunk Enterprise, to its Known Exploited Vulnerabilities (KEV) Catalog due to evidence of active exploitation in the wild. The vulnerability allows unauthorized access to critical functions, and organizations are strongly advised to prioritize remediation, particularly for publicly exposed assets that could grant total control post-exploitation.
#0785
CISA18 days ago4 min▣LLM reporthigh Two vulnerabilities in the Apollo Pharmacy Blood Glucose Monitoring System APG-01 BT allow an attacker within Bluetooth Low Energy (BLE) range to intercept sensitive health data in cleartext and perform a denial-of-service attack by monopolizing the device's connection slot. The vendor has not responded to coordination requests, meaning no official patch is currently available.
#0784
Akamai18 days ago4 min▣LLM reporthigh The updated NIST SP 800-81r3 guidelines elevate DNS to a critical security control layer, highlighting severe risks from misconfigurations such as dangling CNAMEs, lame delegations, and exposed resource records. Automated scanners and AI bots are increasingly exploiting these vulnerabilities at scale to hijack subdomains and map infrastructure, necessitating continuous DNS posture management and cryptographic protections like DNSSEC.
#0783
NCSC19 days ago4 min▣LLM reporthigh The NCSC has issued an alert regarding a global campaign targeting Fortinet firewalls and VPN gateways using brute-force and credential stuffing techniques. A threat actor has leaked a database of compromised credentials, prompting organizations to urgently check for exposure, investigate for unauthorized access or persistence, and perform factory resets on compromised devices.
#0782
Canadian Centre for Cyber Security19 days ago4 min▣LLM reportcritical The Canadian Centre for Cyber Security issued an alert regarding 'FortiBleed,' a widespread campaign involving the leak of thousands of compromised credentials for Fortinet firewalls and VPN gateways. Threat actors can leverage these credentials, alongside vulnerabilities like CVE-2024-55591, CVE-2025-59718, and CVE-2025-59719, to gain remote access, create unauthorized accounts, and modify critical security controls.
#0781
Zscaler ThreatLabz19 days ago5 min▣LLM reporthigh The ThreatLabz 2026 Phishing and Initial Access Report highlights a shift towards highly targeted, AI-enabled phishing campaigns against the public sector. Despite a 20% overall drop in phishing volume, attackers are increasingly utilizing AI site builders, encrypted delivery channels, and AiTM/BiTM techniques to bypass traditional MFA and secure initial access.
#0780
Zscaler ThreatLabz19 days ago6 min▣LLM reporthigh ThreatLabz identified a ClickFix campaign utilizing AI-generated typosquatting domains to impersonate Brazilian banks and deliver a PowerShell-based banking RAT dubbed SmartRAT. The malware establishes persistence via scheduled tasks or Windows services, communicates over a custom TCP protocol on port 51888, and features advanced capabilities including keylogging, fake banking overlays, and QR code interception for financial fraud.