Wasteland.
▸ Issue No. 016 · 2026-06-22

Attackers Stopped Breaking In and Started Logging In

Wasteland Weekly · Editor's note

The week's dominant signal wasn't a clever exploit. It was the quiet realization that across FortiBleed, the Klue OAuth heist, North Korea's npm campaign, and a wave of living-off-trusted-services C2, attackers spent far less effort breaking through defenses than replaying the trust already inside them.

Cyber Security News

FortiBleed Exposes 86,644 Fortinet Firewalls as CISA Confirms Active Exploitation

A Russian-speaking criminal syndicate harvested verified administrator and VPN credentials from 86,644 internet-facing FortiGate firewalls across 194 countries (roughly half the global Fortinet perimeter population) in a campaign that surfaced June 13 after researcher Volodymyr "Bob" Diachenko found the hosting server. CISA issued an emergency alert on June 18 (citing ~74,000 devices) confirming actors are actively using the leaked credentials worldwide. Crucially, FortiBleed has no CVE: Fortinet attributes it not to a new flaw but to credential reuse from prior incidents (FG-IR-26-060, FG-IR-25-647) and brute-forcing of weak-password, no-MFA devices, with eight years of unpatched CVEs cashed in at once.

Why it matters: This is a perimeter-collapse event, not a point exploit. Attackers already hold valid credentials, so "patch the CVE" guidance misses the threat; only rotating every exposed admin and VPN credential, forcing VPN re-authentication, and enforcing MFA on the device itself remediates it.

Sources: Shattered.io | Security Affairs | BleepingComputer
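The practical check a defender wants after a credential leak like this is not a CVE scan but a hunt for logins that succeed with valid credentials from sources the account has never used, with no failed attempts in front of them. The script below is an added example, not code from Fortinet, CISA or any of the cited researchers. Its log lines are constructed in a FortiOS-style key=value layout; the field names (type, subtype, action, status, user, remip/srcip) follow that convention but are an assumption about your log source, as is the BASELINE_END cut-over date, so map both to what your SIEM actually stores.

```python
"""Spot valid-credential logins that look like replay rather than brute force."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# FortiOS-style key=value fields; quoted values may contain spaces.
KV = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed sample: two VPN users and one admin; the baseline period has
# normal logins, then three post-leak successes, one of them after failures.
SAMPLE_LOG = """\
date=2026-06-01 time=08:00:01 type="event" subtype="vpn" action="tunnel-up" user="alice" remip=198.51.100.10
date=2026-06-03 time=08:05:44 type="event" subtype="vpn" action="tunnel-up" user="alice" remip=198.51.100.10
date=2026-06-10 time=09:12:03 type="event" subtype="system" action="login" status="success" user="admin" srcip=192.0.2.5
date=2026-06-19 time=02:13:20 type="event" subtype="vpn" action="tunnel-up" user="alice" remip=203.0.113.77
date=2026-06-19 time=02:40:00 type="event" subtype="system" action="login" status="failed" user="admin" srcip=203.0.113.9
date=2026-06-19 time=02:40:02 type="event" subtype="system" action="login" status="failed" user="admin" srcip=203.0.113.9
date=2026-06-19 time=02:40:05 type="event" subtype="system" action="login" status="success" user="admin" srcip=203.0.113.9
date=2026-06-19 time=03:01:17 type="event" subtype="system" action="login" status="success" user="admin" srcip=203.0.113.50
"""

# Assumed cut-over: successful logins before this date form the per-account
# baseline of "known" source addresses.
BASELINE_END = datetime(2026, 6, 15)


def parse(text):
    """Parse key=value lines into dicts with ts, src, ok and failed fields."""
    events = []
    for line in text.strip().splitlines():
        f = {k: v.strip('"') for k, v in KV.findall(line)}
        f["ts"] = datetime.fromisoformat(f["date"] + "T" + f["time"])
        f["src"] = f.get("remip") or f.get("srcip")
        f["ok"] = f.get("action") == "tunnel-up" or (
            f.get("action") == "login" and f.get("status") == "success")
        f["failed"] = f.get("action") == "login" and f.get("status") == "failed"
        events.append(f)
    return sorted(events, key=lambda e: e["ts"])


def replay_candidates(events, baseline_end, lookback=timedelta(hours=1)):
    """Flag post-baseline successes from a source the account never used.

    Brute force leaves failures in front of the success; a replayed valid
    credential does not, so the first-seen source is the only hint.
    Returns (timestamp, user, src, label) tuples.
    """
    seen = defaultdict(set)
    for e in events:
        if e["ok"] and e["ts"] <= baseline_end:
            seen[e["user"]].add(e["src"])
    hits = []
    for e in events:
        if not e["ok"] or e["ts"] <= baseline_end or e["src"] in seen[e["user"]]:
            continue
        prior_failures = sum(
            1 for p in events
            if p["failed"] and p["user"] == e["user"] and p["src"] == e["src"]
            and e["ts"] - lookback <= p["ts"] < e["ts"])
        label = "brute-force" if prior_failures else "valid-credential replay"
        hits.append((e["ts"].isoformat(), e["user"], e["src"], label))
    return hits


def run_sample():
    return replay_candidates(parse(SAMPLE_LOG), BASELINE_END)


if __name__ == "__main__":
    for ts, user, src, label in run_sample():
        print(f"{ts} {user} from {src}: {label}")
```

Every "valid-credential replay" line is a case for immediate credential rotation and forced re-authentication of that account, not a patch ticket; the "brute-force" line is the same outcome reached the noisy way on a device without MFA.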

North Korea's Sapphire Sleet Backdoors 144 npm Packages in the Mastra AI Ecosystem

Microsoft attributed with high confidence a supply-chain attack compromising 140-plus packages in the @mastra npm organization to Sapphire Sleet (a.k.a. BlueNoroff), a North Korean state actor. The attackers hijacked a dormant maintainer account and, within an 88-minute window on June 17, republished 144 packages with a single malicious dependency to harvest developer credentials, API keys, and crypto wallet data across Windows, Linux, and macOS. Socket documented the full package list and IOCs; Leitwacht noted that an egress block on the dropper's callout neutralized the threat.

Why it matters: npm's trust model offers almost no window for human review once a maintainer account falls, so the practical defense is dependency pinning, maintainer-account MFA, and outbound egress controls, not package reputation.

Sources: BleepingComputer | TechTimes | Leitwacht
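A coordinated republish of many packages in one scope within a short window is visible before install, because the npm registry's package document (packument) carries a `time` map of version to publish timestamp. The script below is an added example, not code from Socket, Microsoft or the Mastra project; the packuments and package.json dependencies it examines are constructed under a hypothetical @acme scope, and the 90-minute window is an assumption chosen to match the 88-minute burst described above.

```python
"""Flag a burst of republished versions across an npm scope and unpinned deps."""
from datetime import datetime, timedelta

# Constructed packuments for a hypothetical @acme scope. Two packages got a
# new patch version within minutes of each other, months after their previous
# release; the third is quiet. Real packuments come from
# https://registry.npmjs.org/<name> and carry the same `time` map.
SAMPLE_PACKUMENTS = {
    "@acme/core": {"time": {
        "created": "2025-01-10T09:00:00.000Z",
        "1.4.0": "2026-03-02T10:00:00.000Z",
        "1.4.1": "2026-06-17T14:02:11.000Z",
    }},
    "@acme/agent": {"time": {
        "created": "2025-02-01T09:00:00.000Z",
        "0.9.3": "2026-02-20T11:30:00.000Z",
        "0.9.4": "2026-06-17T14:31:40.000Z",
    }},
    "@acme/cli": {"time": {
        "created": "2025-03-05T09:00:00.000Z",
        "2.0.0": "2026-05-01T08:00:00.000Z",
    }},
}


def _parse(ts):
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def latest_publish(packument):
    """Return (version, datetime) of the most recently published version."""
    times = {v: _parse(t) for v, t in packument["time"].items()
             if v not in ("created", "modified")}
    version = max(times, key=times.get)
    return version, times[version]


def burst_publishes(packuments, window=timedelta(minutes=90), min_packages=2):
    """Group packages whose latest versions landed within `window` of each other.

    Returns a list of bursts, each a time-ordered list of
    (package, version, publish_time). One maintainer account pushing a
    coordinated set of patch releases across many packages in minutes is
    the shape worth a human look before `npm install` resolves them.
    """
    latest = sorted(
        ((name, *latest_publish(doc)) for name, doc in packuments.items()),
        key=lambda x: x[2])
    bursts, current = [], [latest[0]]
    for entry in latest[1:]:
        if entry[2] - current[0][2] <= window:
            current.append(entry)
        else:
            if len(current) >= min_packages:
                bursts.append(current)
            current = [entry]
    if len(current) >= min_packages:
        bursts.append(current)
    return bursts


def unpinned(package_json_deps):
    """Return dependency specs that would float to a republished version.

    Caret and tilde ranges (npm's default) let the next install pull a new
    patch release automatically; only an exact version or a committed
    lockfile actually pins it.
    """
    return {n: s for n, s in package_json_deps.items()
            if s == "" or s.startswith(("^", "~", ">", "*", "latest"))}


if __name__ == "__main__":
    for burst in burst_publishes(SAMPLE_PACKUMENTS):
        print("burst:", [(n, v) for n, v, _ in burst])
    print("unpinned:", unpinned({"@acme/core": "^1.4.0", "@acme/cli": "2.0.0"}))
```

Pair the two outputs: a burst across a scope you depend on, combined with a floating range for any package in it, means the next CI run installs whatever was republished. Pinning and a lockfile close the first gap; the egress block Leitwacht described covers the case where the install has already happened.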

Klue OAuth Breach Cascades Into Salesforce Data Theft at Huntress and Recorded Future

Market-intelligence platform Klue confirmed attackers stole long-lived OAuth tokens that customers used to connect their Salesforce and Gong CRMs via Klue's Battlecards integration, then replayed those tokens to bulk-exfiltrate data directly from victim tenants. CEO Jason Smith traced initial access to a compromised legacy credential detected June 12; Salesforce disabled the Battlecards app across affected instances June 17. The newly emerged "Icarus" group (overlapping with UNC6395) claimed the campaign, with confirmed downstream victims including security vendors Huntress and Recorded Future.

Why it matters: Pre-authorized OAuth grants generate no failed logins and bypass MFA entirely: token inventory, scope minimization, and aggressive revocation now matter more than perimeter patching.

Sources: BleepingComputer | Dark Reading | Recorded Future
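The controls named above (token inventory, scope minimisation, revocation) reduce to a triage pass over every third-party grant in a tenant. The script below is an added example, not Klue's, Salesforce's or Gong's code. Its grant records are constructed, and the normalised shape (app, user, scopes, issued, last_used) is an assumption: in practice you populate it from each SaaS admin API (on Salesforce the OauthToken object's AppName, LastUsedDate and UseCount fields are the natural source). The age and idle thresholds are likewise assumptions to tune per tenant.

```python
"""Rank third-party OAuth grants for revocation by age, idleness and scope."""
from datetime import datetime, timezone

# Fixed "now" so the sample is reproducible; use datetime.now(timezone.utc)
# against live data.
NOW = datetime(2026, 6, 22, tzinfo=timezone.utc)

# Scopes that let a token read or bulk-pull data with no interactive user.
BROAD_SCOPES = {"full", "api", "refresh_token", "offline_access"}

SAMPLE_GRANTS = [  # constructed
    {"app": "Battlecards", "user": "sales-ops@example.com",
     "scopes": {"api", "refresh_token", "full"},
     "issued": "2024-11-03T12:00:00+00:00", "last_used": "2026-06-16T03:12:00+00:00"},
    {"app": "Calendar Sync", "user": "alice@example.com",
     "scopes": {"openid", "email"},
     "issued": "2026-05-20T12:00:00+00:00", "last_used": "2026-06-21T08:00:00+00:00"},
    {"app": "Old BI Connector", "user": "svc-bi@example.com",
     "scopes": {"api", "refresh_token"},
     "issued": "2025-01-15T12:00:00+00:00", "last_used": "2025-09-01T08:00:00+00:00"},
]


def _age_days(ts, now):
    return (now - datetime.fromisoformat(ts)).days


def triage_grant(grant, now=NOW, max_age_days=90, idle_days=30):
    """Return the reasons a grant should be revoked or re-consented.

    A refresh token never expires on its own, so age and idleness are the
    only signals available. Old, broad and quiet is exactly the shape a
    stolen token replays silently: no failed logins, MFA already satisfied.
    """
    reasons = []
    age = _age_days(grant["issued"], now)
    if age > max_age_days:
        reasons.append(f"issued {age}d ago (> {max_age_days}d)")
    idle = _age_days(grant["last_used"], now)
    if idle > idle_days:
        reasons.append(f"idle {idle}d (> {idle_days}d)")
    broad = grant["scopes"] & BROAD_SCOPES
    if broad:
        reasons.append("broad scopes: " + ",".join(sorted(broad)))
    return reasons


def revocation_queue(grants, now=NOW):
    """Rank grants by findings; broad scope adds weight. Returns
    (score, app, user, reasons) tuples, highest score first."""
    ranked = []
    for g in grants:
        reasons = triage_grant(g, now)
        if reasons:
            score = len(reasons) + (2 if any(r.startswith("broad") for r in reasons) else 0)
            ranked.append((score, g["app"], g["user"], reasons))
    return sorted(ranked, key=lambda r: (-r[0], r[1]))


if __name__ == "__main__":
    for score, app, user, reasons in revocation_queue(SAMPLE_GRANTS):
        print(f"[{score}] {app} / {user}: {'; '.join(reasons)}")
```

The point of the ranking is that an integration can be both actively used and overdue for revocation: a broad-scope grant issued eighteen months ago is still live because nobody set an expiry, which is precisely the condition the Battlecards tokens were in when they were replayed.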

Novo Nordisk Refuses $25M Ransom as FulcrumSec Leaks 1.3TB of Pipeline Data

The Danish maker of Ozempic and Wegovy confirmed a breach (initial access via a leaked GitHub token in March) in which FulcrumSec exfiltrated more than 1.3TB: drug pipeline data, source code, 30 trained AI models, cell-painting microscopy, and records tied to ~11,500 clinical-trial participants. Novo Nordisk refused FulcrumSec's $25M demand and a separate $50M demand from a second group, TheUSERS007; with payment declined, the data is now being shopped privately rather than dumped publicly.

Why it matters: Refusing to pay is increasingly the corporate norm, but it redistributes the threat toward private brokerage and long-tail espionage exploitation of pharma IP and clinical PII rather than ending it.

Sources: Security Affairs | Cybernews | GBlock

ShinyHunters Runs a Multi-Sector Extortion Spree Powered by an Oracle PeopleSoft Zero-Day

ShinyHunters (tracked as UNC6240) drove a high-tempo "pay or leak" campaign all week. It published 297GB / 429,000 documents from the Council of Europe (15 years of payroll, medical, and personnel records for 10,000-plus staff) after a June 16 deadline lapsed, and dumped 368,418 JCPenney employee records (SSNs, DOBs, addresses) exfiltrated via the actively exploited Oracle PeopleSoft zero-day CVE-2026-35273. Eastman Kodak confirmed a breach tied to a 2.2M-record claim, and the University of Nottingham disclosed theft of 454,600 student records from the same Oracle-linked wave. The group also vowed to make every file it has ever stolen permanently public.

Why it matters: One actor weaponizing a single ERP zero-day across government, retail, and education shows ShinyHunters is running a productized exploitation chain, not opportunistic smash-and-grabs. Treat exposed PeopleSoft as presumed compromised.

Sources: TechTimes | RedPacket Security | Cyber Era

CISA Orders Emergency Patch of Splunk Enterprise RCE (CVE-2026-20253)

CISA added CVE-2026-20253 to its KEV catalog after Splunk confirmed in-the-wild exploitation, ordering federal agencies to remediate by Sunday, June 21. The CVSS 9.8 missing-authentication flaw lets unauthenticated attackers reach a critical function via an exposed PostgreSQL sidecar endpoint, enabling remote code execution on Splunk Enterprise.

Why it matters: Splunk sits at the center of an organization's security telemetry, so an unauthenticated RCE on the SIEM itself hands attackers both a foothold and the ability to blind defenders.

Sources: Security Affairs | Rescana

Maximum-Severity Joomla JCE Flaw (CVE-2026-48907) Used to Drop Web Shells

CISA ordered federal agencies to patch CVE-2026-48907, a perfect CVSS 10.0 unauthenticated RCE in the Widget Factory Joomla Content Editor plugin. The bug chains improper access control in JCE's profile-import with unrestricted file upload, letting any remote attacker upload and execute arbitrary PHP; exploitation is confirmed, public exploit code is circulating, and attackers are planting web shells against affected versions 1.0.0 through 2.9.99.4.

Why it matters: With working exploit code public and zero authentication required, patching alone is insufficient: defenders must update to 2.9.99.7 and actively hunt for attacker-created editor profiles and uploaded PHP.

Sources: BleepingComputer | The Hacker News | Security Affairs
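The hunt the passage above calls for, finding PHP that an upload path should never contain, is mechanical enough to script. The block below is an added example, not code from Joomla, the JCE project or the cited reports. It assumes the standard Joomla layout where images/ and tmp/ hold uploads and nothing executable, and it builds a small constructed site tree in a temporary directory so it runs offline; the shell patterns are a deliberately short, high-signal set, not a complete signature list, and attacker-created editor profiles live in the database rather than on disk, so they need a separate query.

```python
"""Hunt for PHP under upload directories and for common web-shell idioms."""
import re
import tempfile
import time
from pathlib import Path

# Directories where a Joomla site should never contain executable code.
UPLOAD_DIRS = ("images", "tmp")

# Low-volume, high-signal web-shell source patterns. Legitimate plugin code
# calls things like move_uploaded_file(), so those are deliberately left out.
SHELL_PATTERNS = [
    re.compile(rb"eval\s*\(\s*(base64_decode|gzinflate|str_rot13)"),
    re.compile(rb"\b(system|passthru|shell_exec|exec|popen)\s*\(\s*\$_(GET|POST|REQUEST)"),
    re.compile(rb"\$_(GET|POST|REQUEST)\[[^\]]+\]\s*\(\s*\$_(GET|POST|REQUEST)"),
]
PHP_EXT = {".php", ".phtml", ".php5", ".php7", ".phar"}


def hunt(site_root, modified_within_days=None):
    """Return sorted (relative_posix_path, reason) findings.

    Any PHP file under an upload directory is reported on location alone;
    PHP elsewhere is reported only when it matches a shell pattern. Double
    extensions such as shell.php.jpg count as PHP because Apache AddHandler
    configurations will execute them.
    """
    root = Path(site_root)
    cutoff = time.time() - modified_within_days * 86400 if modified_within_days else None
    findings = []
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        if not {s.lower() for s in path.suffixes} & PHP_EXT:
            continue
        if cutoff and path.stat().st_mtime < cutoff:
            continue
        rel = path.relative_to(root)
        if rel.parts[0] in UPLOAD_DIRS:
            findings.append((rel.as_posix(), "php in upload directory"))
        data = path.read_bytes()
        for pat in SHELL_PATTERNS:
            if pat.search(data):
                findings.append((rel.as_posix(), "shell pattern: " + pat.pattern.decode()[:40]))
                break
    return sorted(findings)


def build_sample_site():
    """Constructed Joomla-like tree: one clean plugin file, two planted shells."""
    root = Path(tempfile.mkdtemp(prefix="joomla-"))
    (root / "images" / "stories").mkdir(parents=True)
    (root / "tmp").mkdir()
    (root / "plugins" / "editors" / "jce").mkdir(parents=True)
    (root / "images" / "stories" / "logo.png").write_bytes(b"\x89PNG...")
    (root / "images" / "stories" / "cache.php.jpg").write_bytes(
        b"<?php eval(base64_decode($_POST['c'])); ?>")
    (root / "tmp" / "x.php").write_bytes(b"<?php system($_GET['cmd']); ?>")
    (root / "plugins" / "editors" / "jce" / "jce.php").write_bytes(
        b"<?php defined('_JEXEC') or die; class PlgEditorJce {} ?>")
    return root


if __name__ == "__main__":
    for rel, reason in hunt(build_sample_site()):
        print(f"{rel}: {reason}")
```

Run it against the real document root after updating to 2.9.99.7; a clean result on disk still does not clear the site, since the vulnerability chain started with an imported editor profile, and a surviving profile can be used to re-upload after the patch.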

The Gentlemen RaaS Scales to 504 Victims on 90% Affiliate Cuts and the GentleKiller EDR-Killer

ESET detailed GentleKiller, a centralized EDR-disruption suite the fast-rising RaaS operation The Gentlemen hands to affiliates, unifying components named HexKiller, ThrottleBlood, and HavocKiller across at least eight BYOVD variants that target roughly 400 security processes before encryption. Active since late 2025, the group has claimed ~504 victims fueled by an unusually generous 90% revenue split, and disrupted milling at Australia's second-largest sugar producer, Mackay Sugar, for over a week.

Why it matters: A turnkey EDR-killer plus a 90% cut lowers the barrier to entry and makes defense-impairment a productized, pre-encryption standard, raising the bar for endpoint efficacy across every estate.

Sources: SecurityAffairs | The Record | Help Net Security

DragonForce Hides Backdoor.Turn C2 Inside Microsoft Teams Relays

Operators tied to DragonForce ransomware used a custom Go-based RAT, Backdoor.Turn, to tunnel command-and-control traffic through Microsoft Teams relay infrastructure, per Symantec and Carbon Black. The backdoor obtains an anonymous Teams visitor token to blend malicious traffic with legitimate collaboration channels, and operators dwelled one to two months inside an undisclosed major U.S. services firm before deploying ransomware.

Why it matters: Routing C2 through allow-listed enterprise SaaS that defenders rarely inspect is a maturing evasion trend that defeats conventional network detection and lengthens dwell time.

Sources: Security Affairs | SecurityWeek | Cybernoz

HazyBeacon Weaponizes AWS Lambda Function URLs as Covert C2

Qualys tracked HazyBeacon (CL-STA-1020), a cyber-espionage campaign targeting Southeast Asian government networks that abuses AWS Lambda Function URLs as command-and-control relays. Leveraging misconfigured serverless features and stolen cloud credentials, the operation blends malicious C2 into trusted AWS infrastructure, defeating detection that relies on flagging attacker-owned domains and IPs.

Why it matters: Serverless-function C2 erodes the value of IP and domain reputation defenses entirely: the same living-off-trusted-cloud pattern as the Teams-relay and claude.ai-shared-chat abuse surfacing across the cycle.

Sources: Cybersecurity Beat | Cybernoz
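Both the Teams-relay and Lambda-URL cases above defeat reputation because the destination is legitimately trusted; what survives as a signal is behaviour, since an implant checking in on a sleep loop produces near-constant inter-arrival times and request sizes while a human does not. The script below is an added example, not from Symantec, Carbon Black, Qualys or any cited report. Its proxy log lines are constructed; the Lambda function URL host shape (<id>.lambda-url.<region>.on.aws) is AWS's public format, while the Teams hostname pattern is an assumed placeholder for "tenant-reachable Microsoft collaboration endpoint", not a documented indicator. Thresholds are assumptions to tune against your own baseline.

```python
"""Flag periodic, fixed-size beacons to trusted cloud endpoints in proxy logs."""
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy log: "timestamp src_ip host bytes". A ~30 s beacon to a
# Lambda function URL with small jitter, a human using Teams, and two
# one-off fetches from a different Lambda URL.
SAMPLE_LOG = """\
2026-06-20T10:00:00 10.1.2.3 x3k9qj2f7a.lambda-url.us-east-1.on.aws 412
2026-06-20T10:00:31 10.1.2.3 x3k9qj2f7a.lambda-url.us-east-1.on.aws 410
2026-06-20T10:01:01 10.1.2.3 x3k9qj2f7a.lambda-url.us-east-1.on.aws 415
2026-06-20T10:01:30 10.1.2.3 x3k9qj2f7a.lambda-url.us-east-1.on.aws 409
2026-06-20T10:02:01 10.1.2.3 x3k9qj2f7a.lambda-url.us-east-1.on.aws 412
2026-06-20T10:02:30 10.1.2.3 x3k9qj2f7a.lambda-url.us-east-1.on.aws 411
2026-06-20T10:00:05 10.1.2.9 teams.microsoft.com 18231
2026-06-20T10:03:40 10.1.2.9 teams.microsoft.com 2201
2026-06-20T10:09:12 10.1.2.9 teams.microsoft.com 77012
2026-06-20T10:27:55 10.1.2.9 teams.microsoft.com 3480
2026-06-20T10:31:02 10.1.2.9 teams.microsoft.com 901
2026-06-20T10:33:20 10.1.2.9 teams.microsoft.com 12800
2026-06-20T11:00:00 10.1.2.9 abcd1234ef.lambda-url.eu-west-1.on.aws 2048
2026-06-20T14:10:00 10.1.2.9 abcd1234ef.lambda-url.eu-west-1.on.aws 2048
"""

# The hosts are trusted, so reputation says nothing; we key on whether the
# destination is an arbitrary tenant-controlled endpoint inside that trust.
TENANT_HOST_PATTERNS = [
    re.compile(r"^[a-z0-9]+\.lambda-url\.[a-z0-9-]+\.on\.aws$"),
    re.compile(r"^[a-z0-9.-]*teams\.microsoft\.com$"),  # assumed placeholder
]


def parse_log(text):
    rows = []
    for line in text.strip().splitlines():
        ts, src, host, size = line.split()
        rows.append((datetime.fromisoformat(ts), src, host, int(size)))
    return rows


def beacon_candidates(rows, min_hits=5, max_cv=0.15, max_size_cv=0.25):
    """Return (src, host, period_s, interval_cv) for periodic, same-sized flows.

    The coefficient of variation (stdev / mean) of inter-arrival gaps is
    near zero for a sleep-loop implant and large for interactive use;
    request size is a second signal because a check-in is almost always
    the same length.
    """
    flows = defaultdict(list)
    for ts, src, host, size in rows:
        if any(p.match(host) for p in TENANT_HOST_PATTERNS):
            flows[(src, host)].append((ts, size))
    hits = []
    for (src, host), events in flows.items():
        if len(events) < min_hits:
            continue
        events.sort()
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(events, events[1:])]
        sizes = [s for _, s in events]
        gap_mean = mean(gaps)
        cv = pstdev(gaps) / gap_mean if gap_mean else 0.0
        size_cv = pstdev(sizes) / mean(sizes)
        if cv <= max_cv and size_cv <= max_size_cv:
            hits.append((src, host, round(gap_mean, 1), round(cv, 3)))
    return hits


if __name__ == "__main__":
    for hit in beacon_candidates(parse_log(SAMPLE_LOG)):
        print("beacon candidate:", hit)
```

The same logic applies to any allow-listed SaaS the page mentions, including shared-chat endpoints: the allow list is the reason to look at timing and size, not a reason to skip the flow.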

Hackers Hijack Brazil's National Emergency Alert System

Attackers breached Brazil's civil-defense alert platform overnight, pushing fake "Extreme Alert" notifications containing the word "misantropi4" to millions of phones across at least seven states. Authorities took the Civil Defense Alert system offline at 1:30 a.m. Saturday, and the Ministry of Integration opened an investigation.

Why it matters: Compromise of a cell-broadcast warning system is an attack on public trust in critical communications. A future actor could weaponize the same access for disinformation during a real crisis rather than a juvenile prank.

Sources: The Next Web | IBTimes

France's "Sovereign" Tchap Messaging App Breached, Exposing 73,000 Officials

Tchap, the messaging platform marketed to the French public sector as sovereign and secure, was compromised on June 7, with DINUM disclosing the incident the next day. The breach exposed personal details of 73,467 of more than 825,000 registered government agents, framed by DINUM as under 9% of users.

Why it matters: The damage is as much reputational as technical: a breach of a flagship digital-sovereignty platform undercuts the premise that domestically controlled tools are inherently safer, and hands state-aligned actors a ready-made phishing target list.

Sources: OPSEC Insider

Three Critical FortiSandbox Flaws (CVSS 9.1) Draw Active Exploitation

Threat-intel firms Defused and VulnCheck reported in-the-wild exploitation of three critical FortiSandbox vulnerabilities (CVE-2026-39813, CVE-2026-39808, and CVE-2026-25089, each CVSS 9.1) which let unauthenticated attackers bypass authentication and execute arbitrary commands. Fortinet patched two in April and the third more recently, having reported no known exploitation at disclosure.

Why it matters: Compromising a sandbox, a device built to detonate malware, gives attackers a foothold inside defensive tooling itself, and it opens a second Fortinet front alongside FortiBleed in the same news cycle.

Sources: CyberSecureFox | CyberScoop

APT37 Deploys Undocumented NarwhalRAT as G7 Elevates DPRK Crypto Theft

North Korea's ScarCruft (APT37) launched a spear-phishing campaign impersonating Microsoft account security and OTP alerts to deliver a previously undocumented RAT, NarwhalRAT, via malicious LNK files, per South Korea's Genians Security Center. The activity lands alongside a G7 communiqué from the Evian summit formally naming Pyongyang's crypto thefts (more than $6.75B drained since 2017) as a global security priority and weapons-financing threat.

Why it matters: Three simultaneous DPRK tracks (Sapphire Sleet's npm campaign, APT37 phishing, and the G7's diplomatic escalation) confirm North Korea is running specialized revenue and espionage operations in parallel, with credential-anxiety lures exploiting the exact reflex MFA was meant to reassure.

Sources: CyberSecureFox | Blockchain Sphere

One Medical Confirms Cyberattack at Amazon's Healthcare Arm

One Medical, the Amazon-owned primary-care provider, confirmed a cyberattack with attackers threatening to leak stolen data, and is in the early stages of investigation as of June 21. ShinyHunters separately listed the firm on its leak site, with one claim alleging more than 8.8TB exfiltrated.

Why it matters: A confirmed intrusion at an Amazon-owned health service places HIPAA-grade liability at the center of an extortion play, fitting a week of coordinated pressure on healthcare and pharma where sensitive PHI maximizes leverage.

Sources: heise online | DeXpose

AI News

The U.S. Government Forces Anthropic's Fable 5 and Mythos 5 Offline Under Export Control

Anthropic released Claude Fable 5 (and the unguarded, partner-only Mythos 5 via Project Glasswing) on June 9, posting frontier-leading scores. Then on June 12 a Commerce Department export-control directive ordered both disabled worldwide, including for Anthropic's own foreign-national staff. Commerce Secretary Howard Lutnick cited fears of diversion to foreign military intelligence; reporting ties the trigger to Mythos's demonstrated autonomous vulnerability discovery, including a bug that sat undetected for 27 years. NSA breach testimony this week deepened the standstill, and as of Day 9 the models remained dark even as the "Claude Fable 5" name briefly reappeared in the Android app's coding selector.

Why it matters: This is the first time a frontier model has been pulled from global availability by government order rather than commercial choice: a precedent that turns model weights into a controlled export and release timing into a state decision.

Sources: Corner for AI | TechTimes | The Straits Times

GPT-5.6 Stages an Imminent Launch Into Anthropic's Vacuum

OpenAI is preparing the GPT-5.6 family (Mini/Standard/Pro), with a release-candidate build codenamed kindle-alpha briefly surfacing in the Codex API staging layer on June 12. Chief scientist Jakub Pachocki called it a "meaningful improvement" over GPT-5.5 (the first on-record executive framing) and reporting points to an agentic-first design, a ~1.5M-token context window, a "Codex UltraFast" mode, and pricing rumored near one-third of Claude's. Polymarket put a June 22 to 28 launch at ~83% on roughly $960K in volume.

Why it matters: The agentic-first framing and aggressive pricing read as a direct margin attack on Anthropic's coding franchise, timed to ship precisely while Fable 5 sits offline, though benchmark and pricing specifics remain unconfirmed until OpenAI publishes.

Sources: TestingCatalog | TechTimes | DEV Community

"Claude Sonnet 5" Surfaces as the Mid-Tier Model War Escalates

A claude-sonnet-5 identifier appeared on an Anthropic partner platform June 21, drawing 59,000-plus views in two hours before commentators split on whether it signaled an imminent launch or premature noise (the slug reportedly misfired once before). Coverage framed Sonnet 5 and OpenAI's rumored GPT-5.6 as approaching release windows simultaneously, intensifying competition in what it called the industry's "most commercially important tier."

Why it matters: The mid-tier, not the flagship, is where the volume economics of AI live, and both leading labs converging on it signals the battleground has shifted from raw capability to price-performance for everyday production workloads.

Sources: Crypto Briefing | Fable Knows

U.S. Senate Passes the AI Accountability Act in a 68 to 29 Vote

The Senate passed the AI Accountability Act, sending to the House what reporting called the most significant federal AI legislation to date. The bill requires federal contractors to document high-risk AI systems, mandates incident reporting within 72 hours, and creates a civil cause of action for discriminatory automated decisions.

Why it matters: A 72-hour reporting clock and a private right of action move U.S. policy from voluntary frameworks toward enforceable liability and, paired with the EU AI Act's August threshold, raise the binding compliance floor on both sides of the Atlantic in the same window.

Sources: Credence Wire

EU Parliament Amends the AI Act as the August Transparency Deadline Holds

On June 16 the European Parliament voted 423 to 57 (174 abstentions) to amend the AI Act via the Digital Omnibus, postponing the heaviest stand-alone high-risk obligations to December 2, 2027, and adding a "nudifier" ban. The Commission separately published draft high-risk classification guidelines that read the conformity test broadly. Critically, the Article 50 transparency deadline of August 2 is unaffected, even as AlgorithmWatch criticizes the package as a rollback "before safeguards even apply."

Why it matters: The Act is being loosened and broadened at once (the Omnibus eases obligations while the guidelines pull more systems into the high-risk net), leaving builders with planning whiplash but a near-term August transparency clock that keeps ticking.

Sources: Oliver Patel | Osborne Clarke | AlgorithmWatch

DeepMind's Brain Drain: Nobel Laureate Jumper to Anthropic, Shazeer to OpenAI

John Jumper, who shared the 2024 Nobel Prize in Chemistry for AlphaFold, announced he is leaving Google DeepMind after nearly nine years to join Anthropic. The same week, Gemini co-lead and transformer co-architect Noam Shazeer left DeepMind for OpenAI, less than two years after Google paid ~$2.7B to bring him back, and Andrej Karpathy reportedly joined Anthropic to work on self-improving training.

Why it matters: Losing a Nobel laureate and a Gemini co-lead in the same week is a concentrated talent shock to the lab that currently holds the frontier by availability, and a signal that scientific prestige and core model leadership are now the contested currency of the race.

Sources: TechCrunch | The Verge | TechTimes

Google Ships Gemini 3.5 Pro to GA, Defaults Flash Worldwide, and Opens Managed Agents

Gemini 3.5 Pro reached general availability with a 2M-token context window and a "Deep Think" mode, landing into the vacuum left by Fable 5's removal. Google made Gemini 3.5 Flash the default behind AI Mode for searchers across nearly 200 countries and 98 languages, moved Managed Agents in the Gemini API into public preview (autonomous agents inside Google-hosted isolated Linux sandboxes), and shipped Nano Banana 2 and Nano Banana Pro image models to GA.

Why it matters: Defaulting the highest-volume surface to a cheap, fast model while productizing sandboxed agent execution shows Google compounding advantages in distribution and managed runtime: the platform layer, not just the model.

Sources: DEV Community | Invasion24 | Gemini Lab

Gemini Omni Turns Conversation Into a Video-Editing World Model

At Google I/O 2026, DeepMind CEO Demis Hassabis demoed Gemini Omni by generating a claymation explainer of protein folding live on stage, refining it turn-by-turn through dialogue rather than re-prompting. Google positions Omni as a "world model" that edits video through natural conversation, the way one would direct a human editor.

Why it matters: The advance is the interaction model, not just the output: iterative conversational refinement collapses the prompt-engineering loop into creative direction, staking DeepMind's claim to the multimodal frontier as rivals compete on reasoning depth.

Sources: Whiskai Labs

DeepMind Publishes an AI Control Roadmap, Stress-Tested Across a Million Agent Tasks

Google DeepMind released an AI Control Roadmap on June 18, authored by Rohin Shah and Four Flynn, arguing that alignment training alone cannot guarantee agents stay under human control and that structural containment must be engineered before more capable models arrive. The lab paired the document with reported testing of its control mechanisms across roughly one million agent tasks, treating loss-of-control as an engineering requirement and emphasizing defense-in-depth detection.

Why it matters: A frontier lab publicly conceding that its primary safety lever is insufficient, and validating containment at million-task scale, reframes safety from a behavioral problem to a systems-engineering one, just as capability outruns assurance.

Sources: TechTimes | WinBuzzer

Chain-of-Thought Safety Monitoring Collapses Outside English

A new paper, "The Fragility of Chain-of-Thought Monitoring Across Typologically Diverse Languages," reports a 95.9% unfaithfulness rate for CoT monitoring across 13 languages and 16 frontier models: the reasoning traces safety teams rely on do not reliably reflect actual model reasoning outside English.

Why it matters: CoT monitoring is a load-bearing alignment technique, and a near-total failure rate in non-English languages exposes a structural blind spot precisely as labs deploy globally, raising the stakes on transparency mandates that may be harder to satisfy than their text implies.

Sources: UBOS

OpenAI Acquires Ona to Keep Codex Agents Running for Days

OpenAI announced the acquisition of Ona (formerly Gitpod), a Kiel-based startup, to give Codex agents secure, persistent environments inside enterprise cloud infrastructure, letting agents run uninterrupted for hours or days within a customer's own network rather than in ephemeral sessions.

Why it matters: This is a direct bet that the enterprise bottleneck is no longer model quality but durable, secure execution, and a signal that the runtime, not just the model, is becoming a strategic asset labs buy rather than rent.

Sources: Sentinel

GLM-5.2 Lands as a Strong MIT-Licensed Coding Contender

Z.ai released GLM-5.2 on June 16, a 753B-parameter mixture-of-experts model under an MIT license with a 1M-token context window. It scores 62.1 on SWE-bench Pro (topping GPT-5.5's 58.6), 81.0 on Terminal-Bench 2.1, and 74.4 on FrontierSWE (trailing Claude Opus 4.8 by under a point at roughly 72% lower cost via OpenRouter), with the open-weight frontier now increasingly a China-vs-China race among GLM, MiniMax M3, and DeepSeek V4.

Why it matters: A permissively licensed model competing on the exact agentic-coding evals builders care about erodes the closed-flagship moat where enterprises feel lock-in most, shifting the question from "can it match quality" to "is the gap worth the premium."

Sources: Eden AI | The Decoder

LLM-Driven Vulnerability Discovery Crosses From Research Into Working Exploits

Academic work this week sharpened the offensive curve: a Praetorian team used Claude Code on Opus 4.6 to drive end-to-end FreeBSD kernel bug discovery, producing two working privilege-escalation exploits over a weekend, while Microsoft's "AutoJack" research showed a single malicious web page can RCE the host running an AI agent in AutoGen Studio. Knostic.ai's OpenAnt pipeline pairs code decomposition with adversarial verification to scale vulnerability discovery across large repositories.

Why it matters: The barrier to kernel 0-day discovery and exploitation is collapsing toward off-the-shelf LLM agents driven by small teams. Defenders should fold the same pipelines into their SDLC and assume any disclosed patch is now a near-instant roadmap to a working exploit.

Sources: Security Boulevard | Microsoft Security Blog | arXiv

Active Exploitation Watchlist + Notable CVEs

CVE | Product | Severity | Status | Action
CVE-2026-48907 | Widget Factory Joomla Content Editor (JCE) | 10.0 Critical | PoC public | Patch now
CVE-2026-20253 | Splunk Enterprise | 9.8 Critical | Actively exploited | Patch now
CVE-2026-35273 | Oracle PeopleSoft (PeopleTools) | 9.8 Critical | Actively exploited | Patch now
CVE-2026-39813 | Fortinet FortiSandbox | 9.1 Critical | Actively exploited | Patch now
CVE-2026-39808 | Fortinet FortiSandbox | 9.1 Critical | Actively exploited | Patch now
CVE-2026-25089 | Fortinet FortiSandbox | 9.1 Critical | Actively exploited | Patch now
CVE-2026-54420 | LiteSpeed cPanel Plugin | 8.5 High | Actively exploited | Patch now
CVE-2026-20262 | Cisco Catalyst SD-WAN Manager | 6.5 Medium | Actively exploited | Patch now
CVE-2025-34291 | Langflow (AI workflow platform) | N/A Critical | Actively exploited | Patch now
CVE-2026-34926 | Trend Micro Apex One | N/A High | Actively exploited | Patch now

The Edge

The interesting thing about this week is what didn't happen. There was no EternalBlue moment, no novel zero-day that rewrote the threat model. The two genuinely wormable, pre-auth Windows RCEs that shipped in June's record Patch Tuesday have no confirmed exploitation yet. The flaws actually being weaponized are old, boring, and, in the case of the week's marquee event, FortiBleed, not flaws at all. FortiBleed is "an audit result," the cumulative product of eight years of unpatched Fortinet CVEs and absent MFA, finally cashed in as 86,644 sets of valid credentials. Attackers didn't break the perimeter. They logged into it.

That is the pattern under everything. The Klue breach reached Huntress and Recorded Future not through a Salesforce vulnerability but through a pre-authorized OAuth token that generates no failed logins and bypasses MFA by design. Sapphire Sleet didn't exploit npm; it hijacked a maintainer account and rode the registry's own trust to 144 packages in 88 minutes. DragonForce hid its C2 in Microsoft Teams visitor tokens; HazyBeacon hid its in AWS Lambda URLs; Dropping Elephant hid its in claude.ai shared chats. None of these were detected by reputation filters because none of them used attacker-owned infrastructure. The adversary's central insight, repeated across a dozen unrelated campaigns, is that trust is cheaper to steal than encryption is to break, and far harder to revoke than to grant.

Here is the uncomfortable part for defenders: almost every control budget is still pointed at the wrong layer. Signature detection, CVE patching, perimeter hardening: these address the kill chain attackers have largely abandoned. The work that actually maps to this week's incidents is unglamorous and organizationally awkward: a full inventory of every OAuth grant and connected app, aggressive token expiry and revocation, MFA enforcement on edge devices that are "already patched," maintainer-account hardening across your dependency tree, and egress controls that sever a dropper's callout even after a malicious install succeeds. The Leitwacht detail in the Mastra compromise is the tell: an egress block neutralized a nation-state supply-chain attack that had already landed. The breach happened; the consequence didn't, because someone controlled the trust at the exit, not the entrance.

Watch the next quarter for two accelerants. First, the LLM-driven exploit pipelines that turned a FreeBSD weekend into two working privesc exploits are about to compress the patch-to-weaponization window for the boring CVEs to near zero, which means the credential-and-trust replay above will increasingly arrive chained behind same-day exploitation of whatever you didn't patch this morning. Second, the same governments now treating frontier model weights as controlled exports (Fable 5, dark for nine days) have not yet noticed that the trust-replay tradecraft hollowing out enterprises needs no frontier model at all. The capability that should scare you this week isn't the one Commerce shut down. It's the stolen token nobody thought to expire.
