Executive Summary
The week of June 22, 2026 presents an elevated threat posture driven by simultaneous nation-state supply chain operations, active ransomware campaigns targeting healthcare and financial sectors, and a sustained wave of identity-layer attacks exploiting OAuth token abuse and non-human identity (NHI) governance gaps. The SCC pipeline processed 70+ intelligence items this week. Critical highlights: the Sapphire Sleet (DPRK) Mastra npm campaign achieved the highest priority score (1.0), poisoning 140+ packages across the @mastra npm scope with a cross-platform infostealer—active exploitation of developer pipelines is confirmed. The FortiBleed credential exposure affecting 73,000–86,644 FortiGate devices across 194 countries is the most operationally urgent infrastructure item, with no confirmed patch timeline for all version tracks. Three separate Klue/Salesforce OAuth breach items confirm that Icarus threat actors exfiltrated CRM data from Recorded Future, Tanium, Jamf, Sprout Social, Gong, and Insurity. The Gentlemen RaaS GentleKiller framework actively terminates 400 processes across 48 security products using BYOVD techniques. EO 14409 imposes 30–60 day action windows for federal AI security mandates. The ClickOnce weaponization series (7 related items) signals broad adversarial interest in living-off-the-land (LotL) deployment mechanisms requiring immediate detection engineering attention. No new CISA KEV additions were confirmed this week; however, CVE-2023-3519 (INC Ransomware) and several ICS/OT vulnerabilities with EPSS above 90th percentile warrant urgent prioritization. Organizations running FortiGate, Oracle PeopleSoft, pgAdmin 4, F5 NGINX, Cisco ISE, or any @mastra npm dependencies should treat this week as high-urgency.
Critical Action Items
- Mastra npm Supply Chain (Sapphire Sleet / DPRK) — IMMEDIATE: Audit all Node.js/npm dependency trees for @mastra/* packages and the easy-day-js package. Block easy-day-js at your artifact registry. Isolate any system that installed affected packages on June 17, 2026. Rotate all credentials, API keys, SSH keys, cloud IAM roles, and crypto wallet keys on affected build hosts. Rebuild CI runners from clean images. Sources: Microsoft Security Blog (2026-06-17), Kodem IOC runbook, Snyk, Orca Security.
- FortiBleed — Rotate All FortiGate Credentials Within 24 Hours: All internet-facing FortiGate SSL-VPN credentials are considered compromised (73,000–86,644 devices across 194 countries). Rotate every VPN user and admin credential. Check for the FG-IR-25-934 symlink persistence artifact; patching alone does not remove it. Apply FortiOS 7.2.11, 7.4.8, and 7.6.1. Enforce MFA on all VPN and administrative interfaces (CIS 6.3, 6.4, 6.5). Monitor CISA and Fortinet PSIRT for confirmed IOCs.
- F5 NGINX Critical RCE/DoS (CVE-2026-42530, -42055, -11311, -50107) — CVSS 9.5 — Emergency Patches: Apply F5’s June 18, 2026 out-of-band patches to all NGINX Plus, Open Source, Gateway Fabric, and Instance Manager instances. These are actively weaponizable and affect internet-facing load balancers and proxies universally deployed. Restrict external access while patching.
- pgAdmin 4 Critical Vulnerabilities (CVE-2026-12048, -12046, -12045, -12044) — CVSS 9.0 — Upgrade to 9.16: Multiple CVEs including stored XSS, CSRF, SQLi, and AI assistant read-only bypass affect all pgAdmin 4 versions prior to 9.16. Restrict internet access to any pgAdmin instance immediately. Rotate all database credentials accessible through exposed pgAdmin sessions.
- Klue/Salesforce OAuth Breach (Icarus) — Audit and Revoke Immediately: If your organization uses or has used Klue Battlecards, revoke all associated OAuth tokens in your Salesforce org via Setup > Connected Apps. Salesforce has disabled the integration at the platform level but individual org tokens may persist. Audit all third-party connected app OAuth grants for over-permissioned or unused grants. Affected confirmed victims include Recorded Future, Tanium, Jamf, Sprout Social, Gong, and Insurity.
- INC Ransomware Active Campaign — Citrix, Fortinet, SimpleHelp, Veeam: INC has reached 830+ victims targeting healthcare, finance, and education. Patch CVE-2023-3519 (Citrix NetScaler), CVE-2025-5777 (NetScaler), CVE-2023-48788 (Fortinet EMS), and CVE-2024-57727 (SimpleHelp) immediately. CVE-2023-3519 EPSS is at the 99.9th percentile. Verify Veeam backup infrastructure is network-isolated from compromised segments. Implement BYOVD driver blocklist policies.
- Gentlemen RaaS GentleKiller — EDR Self-Protection Audit: This toolkit targets 48 security products and 400 processes using BYOVD kernel driver techniques and exploits UEFI Secure Boot bypass vulnerabilities across 8 vendors (Acer, AMD, ASUS, ECS, Getac, GIGABYTE, Toshiba, Uniwill). Deploy the Microsoft Vulnerable Driver Blocklist, enable WDAC policy, verify EDR tamper protection is active, and apply available UEFI firmware updates from all 8 vendors.
- ClickOnce Weaponization — Detection Engineering Required: CrowdStrike’s multi-part series documents active malware delivery via dfsvc.exe and .appref-ms files requiring no admin privileges. No patch exists. Block .application and .appref-ms at email gateways and web proxies. Create SIEM/EDR rules for dfsvc.exe spawning unexpected child processes. Where ClickOnce is not operationally required, disable via AppLocker/WDAC.
Key Security Stories
Sapphire Sleet (DPRK) Poisons 140+ Mastra npm Packages via Hijacked Contributor Account
In the highest-priority event this week (SCC priority score: 1.0), North Korean threat actors attributed to Sapphire Sleet compromised a dormant npm contributor account associated with the @mastra AI framework project and published a malicious dependency—easy-day-js—as a postinstall hook across 144 @mastra/* packages. The campaign was active for approximately 88 minutes before removal on June 17, 2026. Attribution to Sapphire Sleet was confirmed by Microsoft (Security Blog, 2026-06-17) and corroborated by Kodem, Snyk, and Orca Security.
The payload is a cross-platform infostealer targeting Windows, macOS, and Linux. On Windows it establishes Registry Run key persistence (T1547.001) and installs Windows Services (T1543.003); on macOS it creates LaunchAgent/LaunchDaemon plists (T1543.001/T1543.004); on Linux it modifies cron, systemd, and shell profiles. The payload harvests credentials from password stores, .env files, and cryptocurrency wallet directories (MetaMask, Phantom, Coinbase Wallet, Binance Wallet, TronLink) and exfiltrates over HTTP/S C2. Two confirmed attacker email addresses—ehindero2016@tutamail.com and sergey2016@tutamail.com—were associated with the compromised npm account. IOC hashes and C2 infrastructure are published at the Microsoft Security Blog and Kodem runbook.
Any organization running Node.js applications that installed or updated @mastra packages on June 17, 2026 must treat those systems as fully compromised. Because the @mastra framework is specifically an AI agent development platform, this attack directly targets organizations building and deploying AI automation—a high-value target for DPRK’s cryptocurrency theft operations. Rebuild affected CI/CD runners from clean images rather than attempting in-place remediation. Enforce SLSA provenance attestation and private registry proxies as systemic controls to prevent recurrence. Sources: Microsoft Security Blog (https://www.microsoft.com/en-us/security/blog/2026/06/17/postinstall-payload-inside-mastra-npm-supply-chain-compromise/), Kodem (https://www.kodemsecurity.com/resources/mastra-npm-packages-compromised-easy-day-js-supply-chain-attack-iocs-and-response-runbook), Snyk (https://snyk.io/blog/a-forgotten-contributor-account-compromised-the-entire-mastra-npm-package-scope/).
FortiBleed: 73,000–86,644 FortiGate Credentials Exposed Across 194 Countries
The FortiBleed campaign—tracked across multiple SCC items this week—represents the most operationally widespread credential exposure affecting network perimeter devices. Reports from BleepingComputer and Darktrace confirm that approximately 73,000–86,644 Fortinet FortiGate SSL-VPN devices across 194 countries have had credentials harvested. The specific extraction vector remains under investigation; Fortinet’s FG-IR-25-934 symlink persistence advisory from April 2025 is referenced as a related mechanism. The CISA April 2025 advisory on this issue confirmed active exploitation.
The FortiBleed dataset has been distributed to threat actors who are now using harvested credentials for T1078 (Valid Account) abuse across downstream enterprise networks. The Gentlemen RaaS group specifically references FortiGate credential exploitation as an initial access pathway. Fixed FortiOS versions are 7.2.11, 7.4.8, and 7.6.1. Critically, patching alone is insufficient—the FG-IR-25-934 symlink artifact persists after firmware updates and must be explicitly removed per Fortinet’s remediation guidance. Organizations should treat all SSL-VPN credentials as compromised regardless of whether exploitation is confirmed, and enforce MFA on all VPN entry points as an emergency control.
No confirmed public IOCs (IPs, hashes, domains) were available across the source set; behavioral detection is the primary method. Monitor FortiGate authentication logs for off-hours access, unusual source IPs, and accounts accessing resources outside their normal scope. Sources: BleepingComputer FortiBleed coverage, Darktrace FortiGate SSL-VPN analysis, Fortinet PSIRT FG-IR-25-934, CISA advisory (April 2025).
Icarus Exploits Klue OAuth Chain to Breach Salesforce CRM Across Multiple Enterprises
The threat actor group Icarus compromised Klue’s OAuth token infrastructure and used those tokens to authenticate to customer Salesforce environments as legitimate connected applications. Confirmed victims include Recorded Future, Tanium, Jamf, Sprout Social, Gong, and Insurity. Salesforce disabled the Klue integration at the platform level, but organizations must independently verify revocation within their own orgs. The attack pattern maps to T1528 (Steal Application Access Token), T1550.001 (Application Access Token), and T1199 (Trusted Relationship)—a software supply chain attack against the OAuth integration layer rather than the Salesforce platform itself.
This incident is part of a broader Salesforce third-party integration campaign also targeting Salesloft Drift, Snowflake, and Oracle PeopleSoft, attributed to ShinyHunters in separate reporting. The structural issue is that third-party SaaS integrations routinely hold OAuth tokens with broad CRM object-level read permissions, stored in the vendor’s infrastructure and subject to that vendor’s security posture. The attack requires no exploitation of a Salesforce vulnerability—it exploits the trust relationship Salesforce extends to authorized connected applications.
Immediate action: navigate to Salesforce Setup > Connected Apps OAuth Usage and revoke all Klue-associated tokens. Conduct a full OAuth grant audit across all connected applications, enforce least-privilege OAuth scoping (AC-6), and implement D3-CRO credential rotation for all OAuth tokens on a defined schedule. Query Salesforce Event Monitoring logs for bulk API access patterns from Klue client IDs. Sources: The Hacker News (https://thehackernews.com/2026/06/salesforce-disables-klue-app.html), BleepingComputer (https://www.bleepingcomputer.com/news/security/klue-oauth-breach-victim-list-grows-as-icarus-hackers-claim-attack/), Recorded Future disclosure (https://www.recordedfuture.com/blog/klue-security-incident), Tanium disclosure (https://www.tanium.com/blog/security-update-taniums-response-to-the-klue-breach-that-allowed-data-exfiltration-from-salesforce/).
AutoJack: Malicious Web Page Enables RCE via AI Agent Hijacking in Microsoft AutoGen Studio
Researchers disclosed “AutoJack,” a critical (CVSS 9.0) attack class affecting Microsoft AutoGen Studio development builds with MCP (Model Context Protocol) support. A malicious web page loaded within the agent’s browsing context can issue MCP protocol requests that cross the browser-to-local-tool boundary, enabling remote code execution on the developer’s host without any additional exploitation. The attack chains T1203 (Exploitation for Client Execution), T1059.007 (JavaScript), and T1106 (Native API) to achieve full RCE from a rendered web page.
The significance of AutoJack extends beyond this specific tool: it establishes a new attack class—AI agent browser-context privilege escalation—that applies to any agentic AI framework that exposes local privileged services to an agent with external content browsing capability. The Model Context Protocol, which enables AI agents to invoke local tools and services, creates a browser-to-system bridge that attackers can reach via prompt injection or malicious page delivery. This is not a traditional vulnerability—it is an architectural trust boundary failure in AI agent design.
Security teams should inventory all AutoGen Studio deployments (especially MCP-enabled builds), update to Microsoft’s identified patched version, run agent processes in isolated containers or VMs (NIST AC-4), disable MCP integration where not operationally necessary, and extend EDR coverage to agent process trees. Hunt for unexpected shell spawning from Python interpreters, Node.js, or Electron-based AI agent processes. Sources: Microsoft Security Blog (2026-06-18), AutoGen GitHub repository.
Gentlemen RaaS Deploys GentleKiller: 48 Security Products, BYOVD, and UEFI Persistence
The Gentlemen Ransomware-as-a-Service group operates GentleKiller, a centralized EDR destruction toolkit targeting 400 processes across 48 security vendors including CrowdStrike Falcon, SentinelOne, Microsoft Defender, Palo Alto Cortex XDR, Sophos, Trend Micro, ESET, Bitdefender, McAfee/Trellix, and Kaspersky. The toolkit uses BYOVD (Bring Your Own Vulnerable Driver) techniques to load kernel-mode code, exploits UEFI/Secure Boot bypass vulnerabilities across 8 hardware vendors (Acer, AMD, ASUS, ECS, Getac, GIGABYTE, Toshiba, Uniwill), and harvests credentials from six major browsers. The group also steals credentials from FortiGate VPN infrastructure (FortiBleed intersection).
The BYOVD technique specifically abuses signed but vulnerable drivers to escalate to kernel privilege and terminate protected security processes. Detection requires monitoring Sysmon Event ID 6 (Driver Loaded) against known-vulnerable driver hash lists (Microsoft Vulnerable Driver Blocklist, loldrivers.io). The UEFI persistence component (T1542.003) can survive OS reinstallation and requires firmware-level remediation from each affected hardware vendor. Organizations should deploy the Microsoft WDAC Vulnerable Driver Blocklist policy immediately.
Mass security process termination—multiple EDR processes stopping within a 60-second window without authorized change tickets—is the primary behavioral detection signal. The absence of a standard ransom note (observed in some Gentlemen deployments) means traditional ransomware detection rules may not fire; detection must rely on encryption behavior and mass file modification patterns. Source: BleepingComputer (https://www.bleepingcomputer.com/news/security/gentlemen-ransomware-uses-multiple-edr-killers-to-disable-defenses/).
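The 60-second termination signal described above can be expressed as a per-host sliding window. This is an added example, not code from the briefing or its sources; the event fields, the watchlist of process names, the change-window format and the threshold of three distinct products are assumptions for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=60)  # window stated in the text
MIN_DISTINCT = 3                # assumption: the text only says "multiple"
# Illustrative watchlist (assumption): replace with the process names of the
# security agents actually deployed in your environment.
WATCHLIST = {
    "msmpeng.exe": "Microsoft Defender",
    "csfalconservice.exe": "CrowdStrike Falcon",
    "sentinelagent.exe": "SentinelOne",
    "ekrn.exe": "ESET",
}


def _ticketed(host, ts, change_windows):
    """True when an approved change window covers this host and time."""
    return any(h == host and start <= ts <= end
               for h, start, end in change_windows)


def detect_mass_termination(events, change_windows=(), min_distinct=MIN_DISTINCT):
    """Alert when >= min_distinct watched processes stop on a host in WINDOW."""
    by_host = defaultdict(list)
    for ev in events:
        name = ev["process"].lower()
        if name in WATCHLIST:  # ignore terminations of unrelated processes
            by_host[ev["host"]].append((datetime.fromisoformat(ev["time"]), name))

    alerts = []
    for host in sorted(by_host):
        window, quiet_until = deque(), None
        for ts, name in sorted(by_host[host]):
            window.append((ts, name))
            while ts - window[0][0] > WINDOW:
                window.popleft()  # drop stops older than 60 seconds
            if quiet_until and ts <= quiet_until:
                # Same burst: extend the open alert instead of raising another.
                last = alerts[-1]
                last["products"] = sorted(set(last["products"]) | {WATCHLIST[name]})
                last["last"] = ts.isoformat()
                continue
            stopped = {n for _, n in window}  # distinct products, not raw count
            if len(stopped) < min_distinct or _ticketed(host, ts, change_windows):
                continue
            alerts.append({
                "host": host,
                "first": window[0][0].isoformat(),
                "last": ts.isoformat(),
                "products": sorted(WATCHLIST[n] for n in stopped),
            })
            quiet_until = ts + WINDOW
    return alerts


# Constructed sample data: process-termination events from three hosts.
SAMPLE_EVENTS = [
    {"time": "2026-06-22T03:14:05", "host": "ws-014", "process": "MsMpEng.exe"},
    {"time": "2026-06-22T03:14:11", "host": "ws-014", "process": "notepad.exe"},
    {"time": "2026-06-22T03:14:21", "host": "ws-014", "process": "CSFalconService.exe"},
    {"time": "2026-06-22T03:14:40", "host": "ws-014", "process": "SentinelAgent.exe"},
    {"time": "2026-06-22T03:14:52", "host": "ws-014", "process": "ekrn.exe"},
    # srv-02: agents stopped during an approved upgrade window.
    {"time": "2026-06-22T02:00:10", "host": "srv-02", "process": "MsMpEng.exe"},
    {"time": "2026-06-22T02:00:20", "host": "srv-02", "process": "ekrn.exe"},
    {"time": "2026-06-22T02:00:30", "host": "srv-02", "process": "SentinelAgent.exe"},
    # ws-020: stops spread over ten minutes never share a window.
    {"time": "2026-06-22T09:00:00", "host": "ws-020", "process": "MsMpEng.exe"},
    {"time": "2026-06-22T09:05:00", "host": "ws-020", "process": "ekrn.exe"},
    {"time": "2026-06-22T09:10:00", "host": "ws-020", "process": "SentinelAgent.exe"},
]
SAMPLE_CHANGE_WINDOWS = [
    ("srv-02", datetime(2026, 6, 22, 1, 55), datetime(2026, 6, 22, 2, 30)),
]

if __name__ == "__main__":
    for alert in detect_mass_termination(SAMPLE_EVENTS, SAMPLE_CHANGE_WINDOWS):
        print(alert)
```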
ClickOnce Weaponization: Multi-Part CrowdStrike Disclosure Documents No-Admin-Required Persistence
CrowdStrike published a multi-part technical series this week documenting the systematic weaponization of Microsoft’s ClickOnce deployment framework (.application files, .appref-ms files, dfsvc.exe) for malware delivery and persistence. The technique requires zero administrator privileges and bypasses most enterprise security controls that focus on traditional executable file types. The core attack delivers malicious ClickOnce manifests via spearphishing links (T1566.002), which trigger dfsvc.exe to fetch and install payloads from attacker-controlled infrastructure. Persistence is established via Registry Run keys (T1547.001) and Scheduled Tasks (T1053.005). The attack also abuses rundll32.exe via dfshim.dll (T1218.011).
This is a technique-class risk, not a patched vulnerability. Microsoft will not issue a CVE for this behavior because ClickOnce is functioning as designed. The only defenses are detection engineering, policy controls, and application allowlisting. Organizations that do not use ClickOnce for legitimate business applications should disable dfsvc.exe execution via AppLocker or WDAC and block .application and .appref-ms file types at email gateways and web proxies. The CrowdStrike Part 2 disclosure (expected within days) is anticipated to contain specific IOCs, payload hashes, and Falcon-specific hunting queries.
Key detection signals: dfsvc.exe spawning cmd.exe, powershell.exe, wscript.exe, or any shell interpreter; .appref-ms files in user-writable directories; Scheduled Task creation (Event ID 4698) or Registry Run key writes originating from dfsvc.exe; outbound connections from dfsvc.exe to non-Microsoft infrastructure. Confirmed behavioral IOCs: dfsvc.exe, rundll32.exe (via dfshim.dll), .appref-ms files (high confidence). Sources: CrowdStrike Blog (Parts 1 and 2).
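The detection signals listed above, applied to normalized endpoint events and grouped per host. This is an added example, not CrowdStrike's or the briefing's code; the event schema, the user-writable path list, the Microsoft domain suffixes and the escalation rule are assumptions to adapt to your own telemetry.

```python
import ntpath
from collections import defaultdict

# Shell interpreters: the first three are named in the text; cscript.exe and
# pwsh.exe are added here under its "any shell interpreter" wording.
SHELLS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "pwsh.exe"}
# Assumptions for illustration; tune both lists to your environment.
USER_WRITABLE = ("\\downloads\\", "\\desktop\\", "\\appdata\\local\\temp\\")
MICROSOFT_SUFFIXES = (".microsoft.com", ".windows.net")
RUN_KEY = "\\software\\microsoft\\windows\\currentversion\\run\\"


def _exe(path):
    """Lower-cased file name of a Windows path (works on any OS)."""
    return ntpath.basename(path or "").lower()


def clickonce_signals(ev):
    """Return the names of the signals a single normalized event raises."""
    kind, image = ev.get("kind"), _exe(ev.get("image"))
    hits = []
    if kind == "process_create":
        if _exe(ev.get("parent_image")) == "dfsvc.exe" and image in SHELLS:
            hits.append("dfsvc_spawned_shell")
        if image == "rundll32.exe" and "dfshim.dll" in ev.get("command_line", "").lower():
            hits.append("rundll32_dfshim")
    elif kind == "file_create":
        target = ev.get("target", "").lower()
        if target.endswith(".appref-ms") and any(d in target for d in USER_WRITABLE):
            hits.append("appref_ms_user_writable")
    elif kind == "registry_set":
        if image == "dfsvc.exe" and RUN_KEY in ev.get("target", "").lower():
            hits.append("dfsvc_run_key_write")
    elif kind == "network_connect":
        host = ev.get("dest_host", "").lower()
        if image == "dfsvc.exe" and host and not host.endswith(MICROSOFT_SUFFIXES):
            hits.append("dfsvc_external_connect")
    return hits


def triage(events, min_signals=2):
    """Group signals per host; escalate on a shell spawn or several signals."""
    per_host = defaultdict(set)
    for ev in events:
        per_host[ev["host"]].update(clickonce_signals(ev))
    report = {}
    for host, signals in per_host.items():
        if signals:
            escalate = "dfsvc_spawned_shell" in signals or len(signals) >= min_signals
            report[host] = {"signals": sorted(signals), "escalate": escalate}
    return report


DFSVC = r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe"
RUNDLL = r"C:\Windows\System32\rundll32.exe"
# Constructed sample events: WS-101 shows the full chain, WS-202 a routine launch.
SAMPLE_EVENTS = [
    {"host": "WS-101", "kind": "file_create", "image": r"C:\Program Files\App\browser.exe",
     "target": r"C:\Users\amy\Downloads\invoice.appref-ms"},
    {"host": "WS-101", "kind": "process_create", "image": RUNDLL,
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": r"rundll32.exe dfshim.dll,ShOpenVerbShortcut C:\Users\amy\Downloads\invoice.appref-ms"},
    {"host": "WS-101", "kind": "network_connect", "image": DFSVC,
     "dest_host": "cdn.example.net"},
    {"host": "WS-101", "kind": "process_create", "parent_image": DFSVC,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe -nop"},
    {"host": "WS-101", "kind": "registry_set", "image": DFSVC,
     "target": r"HKU\S-1-5-21-1111\Software\Microsoft\Windows\CurrentVersion\Run\Updater"},
    {"host": "WS-202", "kind": "network_connect", "image": DFSVC,
     "dest_host": "go.microsoft.com"},
    {"host": "WS-202", "kind": "process_create", "image": RUNDLL,
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": "rundll32.exe dfshim.dll,ShOpenVerbApplication https://apps.example.com/tool.application"},
]

if __name__ == "__main__":
    for host, result in sorted(triage(SAMPLE_EVENTS).items()):
        print(host, result)
```

Because legitimate ClickOnce launches also pass through rundll32.exe and dfshim.dll, that signal alone is reported but not escalated.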
INC Ransomware Reaches 830+ Victims, Rewritten in Rust, Targeting Healthcare
INC Ransomware has expanded to 830+ confirmed victims since its emergence, with healthcare remaining a primary target sector. The group’s encryptor has been rewritten in Rust for cross-platform capability (Windows and Linux/ESXi). INC operators exploit a combination of known N-days for initial access—CVE-2023-3519 (Citrix NetScaler unauthenticated RCE, EPSS 99.9th percentile), CVE-2025-5777 (NetScaler), CVE-2023-48788 (Fortinet EMS), and CVE-2024-57727 (SimpleHelp RMM path traversal)—before laterally moving via RDP (T1021.001) and remote services, dumping credentials from LSASS and Veeam, disabling EDR via BYOVD, and encrypting both Windows and ESXi infrastructure.
The BlackBanshee ransomware group separately claimed an attack on a regional healthcare provider this week (SCC-CAM-2026-0526), with no CVE or specific attack vector confirmed. The convergence of INC and BlackBanshee activity against healthcare organizations this week underscores the sustained targeting of this sector, which faces HIPAA breach notification obligations under HHS OCR in addition to operational disruption costs. Healthcare organizations should treat CVE-2023-3519 as an emergency remediation—Citrix issued patches in July 2023, making any unpatched NetScaler instance over 36 months behind.
Prinz Eugen, another new ransomware group active this week (SCC-TAC-2026-0025), uses a Go-based encryptor, abuses the RemotePC RMM tool for persistence, leaves no ransom note, and prioritizes recently written files for encryption. Standard ransomware note-based detections will not fire; detection must rely on mass file modification behavioral patterns. Malwarebytes ThreatDown published IOCs; see the BleepingComputer coverage (https://www.bleepingcomputer.com/news/security/new-prinz-eugen-ransomware-prioritizes-recent-files-for-encryption/). Sources: The Hacker News INC coverage, NVD entries for mapped CVEs.
AryStinger Botnet Exploits End-of-Life D-Link Routers for Global Attack Infrastructure
The AryStinger botnet (analyzed by XLab Qianxin) exploits three CVEs in end-of-life D-Link hardware—CVE-2013-3307 and CVE-2016-5681 (DIR-850L/DIR-818LW) plus CVE-2025-11837 (unspecified D-Link NAS)—to conscript compromised devices as distributed attack infrastructure. The campaign achieves DNS hijacking (T1557) and adversary-in-the-middle positioning against all clients using compromised routers as resolvers, enabling credential interception across the downstream network. The botnet also deploys Go-compiled binaries and open-source pentesting tools on NAS devices for active reconnaissance and scanning operations. EPSS for the campaign CVEs is at the 91.9th percentile.
No firmware patches exist or will be issued for end-of-life D-Link DIR-850L, DIR-818LW, or affected NAS models. The only eradication path is hardware replacement. Organizations should immediately identify these device models via asset inventory (CIS 1.1), isolate them from production, and replace them. DNS resolver changes on network clients and unexpected DNS resolution failures are primary detection signals. Source: XLab Qianxin AryStinger campaign report (blog.xlab.qianxin.com/arystinger-botnet-hijacks-legacy-routers-for-global-attacks-en/).
usbliter8: Unpatchable SecureROM Exploit Targets A12/A13 Apple Silicon via Physical USB Access
Paradigm Shift released usbliter8 on June 18, 2026—a public proof-of-concept exploit targeting a hardware-level DMA buffer underflow in the SecureROM of Apple A12 and A13 SoCs (and S4/S5 used in Apple Watch). The vulnerability exists in silicon and cannot be patched via software updates. Affected devices include iPhone XS/XR/11 series, iPad Air 3rd gen, iPad mini 5th gen, iPad 8th gen, Apple Watch Series 4/5/SE (1st gen), and HomePod mini. Physical DFU mode USB access is required, meaning this is not a remote exploitation scenario—it requires physical device custody.
The operational significance is substantial for high-assurance environments. A working BootROM exploit is analogous to checkra1n: it enables arbitrary code execution before the OS boots, making post-exploitation persistence invisible to iOS-level monitoring tools. Mobile threat defense solutions should be tuned for jailbreak artifact detection. The primary organizational response is policy-level: prohibit unescorted device repair for affected hardware, implement chain-of-custody logging for devices leaving premises, enforce MDM enrollment attestation, and plan hardware refresh cycles for affected device fleets. For organizations where A12/A13 devices access regulated data or privileged systems, treatment as permanently compromised risk items requiring hardware replacement is the appropriate disposition. Source: The Hacker News (https://thehackernews.com/2026/06/unpatchable-usbliter8-exploit-breaks.html).
EO 14409 Mandates Federal AI Security Actions with 30–60 Day Windows
Executive Order 14409 establishes AI security mandates for federal civilian agencies with 30-to-60-day action windows from June 2, 2026. Key provisions require AI security hardening against CWE-306 (missing authentication on inference inputs), CWE-284 (access control gaps on AI model boundaries), and CWE-693 (protection mechanism failures); mandatory participation evaluation for a voluntary AI vulnerability clearinghouse (operated by CISA once operational); and compliance with NSA-developed benchmarks for AI detection and response capabilities (benchmarks are classified, creating a transparency gap for non-federal organizations).
Federal agencies and FISMA/CMMC-scoped contractors face binding timelines. Critical infrastructure operators and enterprises deploying agentic AI have advisory applicability but no direct mandate. The practical implication for all organizations is that AI agents, service accounts, automation pipelines, and non-human identities with cloud or systems access represent an unaddressed identity governance gap that EO 14409 is beginning to formalize. CrowdStrike’s simultaneous announcements this week of continuous per-action authorization for AI agents (SPIFFE-based, zero standing privileges) signal vendor ecosystem alignment with this emerging requirement. Inventory all agentic AI deployments, audit NHI privilege scopes, and document compliance posture against EO 14409 provisions that are publicly available.
Google Cloud Config Connector Unpatched Account Takeover Vulnerability
Researcher Justin O’Leary disclosed an unpatched critical (CVSS 8.8) vulnerability in Google Cloud Config Connector—the Kubernetes operator that manages GCP resources declaratively via manifests. The vulnerability allows account takeover, meaning a threat actor with access to create or modify Config Connector resource manifests (IAMPolicyMember, StorageBucket, SQLInstance, etc.) can escalate to broader GCP IAM permissions. As of the June 22, 2026 briefing, no patch is available; compensating controls are the only mitigation. The vulnerability maps to T1548 (Abuse Elevation Control Mechanism) and T1078.004 (Cloud Accounts).
Organizations using Google Kubernetes Engine (GKE) or self-managed Kubernetes on GCP with Config Connector installed should immediately audit the GCP service account bound to Config Connector and remove any Owner, Editor, or broad IAM Admin bindings. Restrict which namespaces and identities can create or modify Config Connector manifests via admission control (OPA/Gatekeeper or Kyverno). Enable GCP Cloud Audit Logs for SetIamPolicy events attributed to the Config Connector service account and alert on any unexpected IAM binding changes. Monitor the googlecloudplatform/k8s-config-connector GitHub repository for a patch release. Sources: The Register (June 18, 2026), Justin O’Leary public disclosure.
CISA KEV & Critical CVE Table
| CVE | Product | CVSS | EPSS | Status | KEV Deadline | Description |
|---|---|---|---|---|---|---|
| CVE-2026-12048 / -12046 / -12045 / -12044 | pgAdmin 4 < 9.16 | 9.0 | N/A | Patch Available (v9.16) | N/A | Multiple critical: stored XSS, CSRF, AI assistant read-only bypass, SQLi. OWASP A03/A01. |
| CVE-2026-42530 / -42055 / -11311 / -50107 | F5 NGINX Plus, Open Source, Gateway Fabric, Instance Manager | 9.5 | 0.50264 (50th pctile) | Emergency OOB Patch (June 18) | N/A | RCE (heap/use-after-free memory corruption) and DoS via network-accessible NGINX service. |
| CVE-2026-20181 / CVE-2026-20190 | Cisco ISE / ISE-PIC (all releases prior to 3.3P11, 3.4P6, 3.5P3) | 9.5 | N/A | Partial Patch (full fix Aug 2026) | N/A | Chained: unauthenticated credential disclosure feeds authenticated RCE via path traversal. |
| CVE-2026-25089 | Fortinet FortiSandbox 4.4.0–4.4.8, 5.0.0–5.0.5 | 9.8 | 0.83716 (84th pctile) | Patch Available | N/A | OS command injection via management interface. Critical severity; restrict access immediately. |
| CVE-2026-2467 | RTI Connext Professional Core Libraries | 9.8 | N/A | Patch Pending | N/A | Heap-based buffer overflow in DDS middleware. Critical; affects OT/ICS/robotics deployments. |
| CVE-2026-11526 | Perl GD module < 2.86 | 9.8 | 0.82304 (82nd pctile) | Patch Available (v2.86) | N/A | OS command injection via 2-argument open() with pipe metacharacters in filename parameters. |
| CVE-2023-3519 | Citrix NetScaler ADC/Gateway (exploited by INC Ransomware) | 9.8 | 0.99343 (99.9th pctile) | Patched July 2023 — Active Exploitation Ongoing | CISA KEV (historical) | Unauthenticated RCE; actively exploited by INC Ransomware for initial access in 2026 campaigns. |
| CVE-2026-35258 | Oracle WebLogic Server 14.1.2.0.0 / 15.1.1.0.0 | 8.7 | 0.24159 (24th pctile) | Patch Available (Oracle CPU) | N/A | Open redirect via Console component. Enables phishing via trusted domain spoofing (CWE-601). |
| CVE-2026-4020 / CVE-2026-8713 | Gravity SMTP WordPress plugin ≤ 2.1.4 | 7.5 | 0.85524 (86th pctile) | Patched (v2.1.5, March 17) | N/A | Unauthenticated REST API exposes live API keys and OAuth tokens. 17M+ exploitation attempts recorded. |
| CVE-2026-35275 | Oracle VM VirtualBox 7.2.8 | 7.5 | 0.02118 (2nd pctile) | Patch Available (Oracle CPU) | N/A | Shared Folders component: low-privileged guest can escape to host, manipulate data (T1611). |
| CVE-2026-12348 | Arc Search for Android | 7.4 | 0.28836 (29th pctile) | Patch Pending | N/A | Address bar spoofing allows remote attacker to display trusted domain for phishing/session hijack. |
| CVE-2026-50656 | Microsoft Defender / Malware Protection Engine (Windows) | 7.5 | 0.30371 (30th pctile) | No Patch Available — PoC Public | N/A | Local privilege escalation to SYSTEM via MPE; public PoC released. Real-time protection state does not affect exploitability. |
| CVE-2026-35603 | Claude Code, Cursor, Codex CLI, Gemini CLI (Windows) | 7.8 | 0.01427 (1st pctile) | Anthropic patched; others pending | N/A | Insecure ProgramData directory permissions allow local privilege escalation (T1574.009/T1574.010). |
| CVE-2026-8806 | Mitsubishi Electric MELSEC iQ-F FX5-ENET/IP (all versions) | 7.5 | N/A | No Patch — EOL Device | N/A | Remote DoS; no firmware patch will be issued. Network isolation is the only mitigation. ICS/OT critical. |
| CVE-2026-4827 (Schneider Electric) | 30+ Easergy MiCOM, EcoStruxure, PowerLogic, Saitel devices | 7.5 | 0.22686 (23rd pctile) | Patch Available (ICSA-26-169-07) | N/A | Session hijacking via low-entropy session token generation; affects critical infrastructure OT devices. |
| CVE-2025-13036 / -44019 / -36539 | Rockwell FactoryTalk Historian SE ≤ 11.00 | 7.5 | 0.19991 (20th pctile) | Patch Available (ICSA-26-169-03) | N/A | Authentication bypass, DoS, and race condition in OT historian. CISA advisory published. |
| CVE-2023-48788 | Fortinet FortiClient EMS (exploited by INC Ransomware) | 9.3 | N/A | Patched — Active Exploitation | CISA KEV (historical) | SQL injection in EMS; used by INC Ransomware for initial access in ongoing campaigns. |
| CVE-2025-20701 / -20700 / -20702 | Apple Beats Studio Buds (Airoha SDK); A12/A13 BootROM | 9.5 | 0.87294 (87th pctile) | Beats patched; BootROM unpatchable | N/A | Bluetooth auth bypass (remote eavesdropping) + unpatchable hardware BootROM exploit (usbliter8). |
Supply Chain & Developer Tool Threats
npm Ecosystem: Mastra Package Scope Compromise (Sapphire Sleet / DPRK)
This is the most severe supply chain event this week. A dormant npm contributor account for the @mastra AI framework was hijacked and used to inject the malicious easy-day-js package as a postinstall hook into 144 @mastra/* packages. The 88-minute window (June 17, 2026, starting 01:01 UTC) is confirmed via npm publish log analysis. Any CI/CD pipeline, developer workstation, or build server that ran npm install during that window and resolved @mastra packages must be treated as compromised. The malicious payload is a cross-platform infostealer with OS-specific persistence mechanisms. IOCs: easy-day-js package name (high confidence), attacker email domain tutamail.com associated with maintainer accounts ehindero2016 and sergey2016 (high confidence), C2 infrastructure published by Microsoft and Kodem (retrieve directly from primary sources).
The attack exploited CWE-494 (Download of Code Without Integrity Check)—the Mastra npm organization permitted personal token publishes without SLSA attestation. Systemic defense requires: mandatory provenance attestation (SLSA Level 2+) for all npm organization packages your organization maintains or consumes, private registry proxies with allowlists intercepting direct public registry pulls, and MFA enforced on all npm maintainer accounts. The broader axios campaign (v1.14.1 and v0.30.4 also poisoned this week by a separate actor) confirms this is an active, multi-actor npm targeting week.
npm Ecosystem: Axios Package v1.14.1 and v0.30.4 Compromised (China-nexus / DPRK-linked)
Axios—one of the most widely downloaded JavaScript HTTP libraries—had two versions (v1.14.1 and v0.30.4) trojanized with an embedded RAT. This is distinct from the Mastra campaign and attributed by CrowdStrike, Trend Micro, and Orca Security to a China/DPRK-linked actor. The npm axios GitHub repository post-mortem is published at https://github.com/axios/axios/issues/10636. Any project consuming these versions during the exposure window should be treated as compromised. Rotate all credentials accessible from affected environments and audit CI/CD pipeline logs for anomalous subprocess execution during npm install operations.
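The dependency audit called for in the Mastra and Axios sections above can be run against npm lockfiles directly. This is an added example, not code from the briefing or its sources; it covers lockfileVersion 1, 2 and 3, the sample lockfiles and their version numbers are constructed, and because the briefing does not list the affected @mastra/* versions, every @mastra/* entry is reported for review.

```python
import json

# Indicators taken from the briefing text. The briefing does not list which
# @mastra/* versions were poisoned, so every @mastra/* entry is surfaced for
# review and escalated only when it declares the easy-day-js dependency.
BLOCKED_NAMES = {"easy-day-js"}
BLOCKED_VERSIONS = {"axios": {"1.14.1", "0.30.4"}}
REVIEW_SCOPE = "@mastra/"


def _name_from_path(path):
    """'node_modules/a/node_modules/@mastra/core' -> '@mastra/core'."""
    return path.rsplit("node_modules/", 1)[-1]


def _walk_v1(deps, trail=()):
    """Walk the nested 'dependencies' tree of a lockfileVersion 1 file."""
    for name, meta in deps.items():
        here = trail + (name,)
        yield name, meta.get("version", ""), set(meta.get("requires", {})), " > ".join(here)
        yield from _walk_v1(meta.get("dependencies", {}), here)


def iter_locked(lock):
    """Yield (name, version, declared_deps, location) for each locked package."""
    packages = lock.get("packages")
    if packages:  # lockfileVersion 2 and 3: flat map keyed by install path
        for path, meta in packages.items():
            if path == "" or meta.get("link"):
                continue  # root project or workspace symlink
            declared = set(meta.get("dependencies", {}))
            declared |= set(meta.get("optionalDependencies", {}))
            name = meta.get("name") or _name_from_path(path)
            yield name, meta.get("version", ""), declared, path
    else:  # lockfileVersion 1: nested tree only
        yield from _walk_v1(lock.get("dependencies", {}))


def audit_lockfile(lock):
    """Return sorted (severity, name, version, location) findings."""
    findings = []
    for name, version, declared, where in iter_locked(lock):
        if name in BLOCKED_NAMES or version in BLOCKED_VERSIONS.get(name, ()):
            findings.append(("block", name, version, where))
        elif name.startswith(REVIEW_SCOPE):
            severity = "block" if declared & BLOCKED_NAMES else "review"
            findings.append((severity, name, version, where))
    return sorted(findings)


# Constructed sample lockfiles; package versions are placeholders, not IOCs.
SAMPLE_LOCK_V3 = json.loads("""
{
  "name": "demo-agent", "lockfileVersion": 3,
  "packages": {
    "": {"name": "demo-agent", "dependencies": {"@mastra/core": "^0.0.1"}},
    "node_modules/@mastra/core": {"version": "0.0.1",
                                  "dependencies": {"easy-day-js": "^0.0.1"}},
    "node_modules/@mastra/memory": {"version": "0.0.2"},
    "node_modules/easy-day-js": {"version": "0.0.1"},
    "node_modules/axios": {"version": "1.14.1"},
    "node_modules/demo-lib": {"version": "2.0.0"},
    "node_modules/demo-lib/node_modules/axios": {"version": "1.13.0"}
  }
}
""")
SAMPLE_LOCK_V1 = {
    "lockfileVersion": 1,
    "dependencies": {
        "demo-lib": {
            "version": "2.0.0",
            "requires": {"axios": "^0.30.0"},
            "dependencies": {"axios": {"version": "0.30.4"}},
        }
    },
}

if __name__ == "__main__":
    for sample in (SAMPLE_LOCK_V3, SAMPLE_LOCK_V1):
        for finding in audit_lockfile(sample):
            print(*finding, sep="\t")
```

To scan a real project, load its lockfile with `json.load(open("package-lock.json"))` and pass the result to `audit_lockfile`.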
JetBrains Marketplace: 15 Malicious AI-Themed Plugins Targeting API Keys
Fifteen malicious plugins were identified in the JetBrains IDE Marketplace targeting OpenAI, DeepSeek, and SiliconFlow API keys from approximately 70,000 combined developer installs. The plugins exfiltrate credentials over plaintext HTTP (port 80, not HTTPS), making network-level detection feasible. Detection: query proxy/firewall logs for HTTP (not HTTPS) connections from JetBrains IDE processes to non-JetBrains external hosts. Audit AI provider billing dashboards for anomalous API consumption. IOC: full plugin name list and C2 indicators in Aikido Security disclosure (https://www.aikido.dev/blog/multiple-jetbrains-ide-plugins-caught-stealing-ai-keys). Mitigation: enforce approved plugin allowlists via JetBrains organizational settings; deploy Sysmon Event ID 7 (ImageLoaded) monitoring for credential-related file access by IDE processes.
Chrome Extension Supply Chain: Smart Adblocker and Adblock for Browser (PromptSnatcher)
Two malicious Chrome extensions—Smart Adblocker and Adblock for Browser—with over 100,000 combined installs were found exfiltrating AI chatbot conversation histories from eight platforms: ChatGPT, Claude, Gemini, Copilot, Perplexity, DeepSeek, xAI Grok, Meta AI, and SiliconFlow. The campaign uses malicious browser extensions to perform adversary-in-the-middle interception of AI session content. Push managed browser policies to remove these extensions from all enterprise Chrome instances. Block via Chrome Enterprise ExtensionInstallBlocklist policy using extension IDs from threat intelligence sources.
Python cryptography Package: Bundled Vulnerable OpenSSL (GHSA-537c-gmf6-5ccf)
The Python cryptography PyPI package bundles its own OpenSSL binary in wheel distributions. Specific affected versions contain a vulnerable OpenSSL version; the fixed release is documented in GHSA-537c-gmf6-5ccf. OS-level OpenSSL patching does not remediate this—only upgrading the Python package resolves the embedded binary. Query all environments for the installed cryptography version: pip show cryptography. This is a common pattern (bundled native libraries in Python wheels) that standard vulnerability scanners miss. SCA tooling capable of detecting bundled native libraries inside Python wheel packages is required for complete coverage.
Vertex AI Python SDK Bucket Squatting Enables Cross-Tenant RCE
Google Cloud Vertex AI Python SDK versions 1.139.0–1.140.0 generated predictable GCS staging bucket names during model upload operations. An external attacker could pre-register (squat) these bucket names and serve malicious pickle payloads. When the SDK later loaded model artifacts from the squatted bucket, the pickle deserialization executed arbitrary code in the context of the Vertex AI serving environment. Fixed in v1.148.0 (April 15, 2026). Any model uploaded using v1.139.0 or v1.140.0 must be treated as potentially compromised; re-upload from verified sources. Source: Unit 42 (https://unit42.paloaltonetworks.com/hijacking-vertex-ai-model/).
Nation-State & APT Activity Summary
North Korea (DPRK) — Sapphire Sleet
Targeted sectors: Technology, AI/ML development, software supply chain, cryptocurrency.
TTPs observed this week: T1195.001 (Compromise Software Dependencies and Development Tools), T1059.007 (JavaScript/postinstall hooks), T1543 (persistence via LaunchAgent/LaunchDaemon/Windows Service), T1555 (credential theft from password stores), T1041 (exfiltration over C2), T1027 (obfuscation), T1078.001 (dormant account takeover).
Summary: Sapphire Sleet executed the week’s highest-impact supply chain attack via the Mastra npm compromise. The group also conducted separate IT worker fraud operations targeting North American tech organizations (axios campaign) and continued password spraying against mail/collaboration infrastructure. A combined China/DPRK attribution is noted for the broader technology sector campaign described in SCC-CAM-2026-0508. DPRK’s financial motivation (cryptocurrency wallet targeting) distinguishes Sapphire Sleet from pure espionage operators. IOCs: Microsoft Security Blog (June 17, 2026); Kodem runbook; Snyk analysis.
China (PRC) — Multiple Groups Including FishMonger
Targeted sectors: Technology, government, mail infrastructure (East/Southeast Asia focus), defense supply chain.
TTPs observed this week: T1195.002 (Compromise Software Supply Chain), T1110.003 (password spraying), T1542.003 (bootkit/UEFI persistence), T1574.002 (DLL side-loading), T1562.001 (EDR impairment), T1547.004 (Winlogon Helper DLL), T1055.001 (DLL injection), CVE-2023-24932 (Secure Boot bypass).
Summary: FishMonger (ESET attribution) ported SprySOCKS to Windows and is exploiting CVE-2023-24932 Secure Boot bypass along with Print Spooler abuse (svchost.exe injection) and possible UEFI persistence. Previously exploited products include Fortinet, GitLab, Microsoft Exchange, Progress Telerik UI, and Zimbra—all N-days that should have been patched. The NCSC (UK) separately disclosed this week that nation-states now drive 75% of critical infrastructure attacks, with China, Russia, and Iran as primary attributees. The NCSC assessed that AI-assisted exploitation will be operationally significant by 2028.
Russia-Linked Actors
Targeted sectors: Critical national infrastructure, government, energy.
TTPs observed this week: T1190 (exploit public-facing), T1133 (external remote services), T1078 (valid accounts), T1562 (impair defenses), T1595 (active scanning), T1195 (supply chain).
Summary: Some analysis streams have linked the FortiBleed campaign to Russian-linked actors, though definitive attribution remains unconfirmed. The NCSC UK disclosure specifically named Russia alongside China and Iran as primary CNI threat actors. The Gentlemen RaaS group—whose GentleKiller toolkit is the subject of multiple items this week—operates against Western organizations with Russian-language community ties, though RaaS attribution is inherently complex. No confirmed nation-state-quality TTPs were uniquely identified as Russian this week beyond the FortiBleed association.
Latin American Threat Actor (Hybrid Operations)
Targeted sectors: Regional Latin American organizations; specific sectors not confirmed.
TTPs observed this week: T1041 (exfiltration over C2), T1486 (data encrypted for impact), T1566 (phishing), T1078 (valid accounts), T1119 (automated collection).
Summary: SCC-CAM-2026-0518 describes a LatAm threat actor blending financial crime (ransomware) with intelligence collection operations. Attribution is low confidence; no confirmed nation-state sponsor. The hybrid monetization/espionage model is consistent with documented LatAm actor patterns. No confirmed IOCs were available in source data at time of publication.
Phishing & Social Engineering Alert
ClickFix Social Engineering: BabaDeda, Lorem Ipsum, and Potemkin Loaders (SCC-CAM-2026-0493)
Active campaigns targeting: Education, finance, enterprise across Windows and macOS.
Delivery mechanism: Compromised WordPress sites display fake CAPTCHA or browser update prompts instructing users to run commands (PowerShell, cmd) pasted from the browser window. User execution is the only required step—no exploit is involved.
Attack characteristics: ClickFix lure triggers mshta.exe or wscript.exe execution via the Windows Run dialog; delivers BabaDeda, Lorem Ipsum, or Potemkin loaders. Potemkin specifically impairs Microsoft Defender (T1562.001) and achieves domain controller reach. Lorem Ipsum has possible Vice Society attribution. BabaDeda uses DLL side-loading (T1574.002).
Evasion techniques: All three loaders use obfuscation (T1027); Node.js v7.10.1 used as staging infrastructure (any connection from node.exe v7.10.1 is a high-fidelity IOC); WordPress delivery infrastructure avoids direct attacker-controlled domains.
Detection: Alert on PowerShell or cmd.exe spawned by explorer.exe or Run dialog; encoded PowerShell arguments (-EncodedCommand, base64); mshta.exe execution from user desktop sessions; node.exe on any enterprise endpoint; POST requests to /wp-content/ or /wp-admin/ from workstations (not servers).
Affected platforms: Windows (primary), macOS (secondary). Microsoft Edge and Chromium-based browsers are delivery channels.
Operation Endgame Disrupts SocGholish / Evil Corp Infrastructure
International law enforcement (Europol Operation Endgame) dismantled SocGholish delivery infrastructure, cleaning 14,971 compromised WordPress sites. SocGholish (Evil Corp affiliate) uses fake browser update lures delivering JavaScript payloads (T1059.007) that chain to Dridex, WastedLocker, and other ransomware families. Evil Corp is OFAC-sanctioned; any ransom payment to this group carries sanctions violation risk. While the infrastructure takedown is significant, SocGholish historically rebuilds rapidly. Detection: JavaScript-wrapped .zip downloads from non-CDN domains following browser update prompts; browser processes spawning wscript.exe or cscript.exe. IOCs: Pull from Europol Operation Endgame published indicators and CISA advisories—do not use static domain lists given infrastructure reuse patterns.
USB-Borne Crypto Clipper with Tor C2 and Worm Propagation (SCC-CAM-2026-0516)
Microsoft Security Blog (June 17, 2026) describes an active USB-spread cryptocurrency clipboard hijacker detected as Trojan:Win32/CryptoBandits.A. The malware spreads via malicious LNK files on USB drives, establishes scheduled task and registry run key persistence, monitors clipboard for Bitcoin/Ethereum/Tron/Monero addresses, substitutes attacker wallet addresses, and communicates over Tor (.onion C2). It also captures screenshots (T1113) and exfiltrates data over C2. Detection signal: Trojan:Win32/CryptoBandits.A in Defender telemetry; LNK files on USB drives targeting wscript.exe/cscript.exe; outbound port 9001/9030 (Tor guard nodes); clipboard access by non-UI processes. Enforce USB device control via Group Policy immediately. Source: https://www.microsoft.com/en-us/security/blog/2026/06/17/crypto-clipper-uses-tor-worm-like-propagation-for-persistence-control/.
Indicators of Compromise
| Type | Indicator | Confidence | Campaign / Story | Context |
|---|---|---|---|---|
| npm Package | easy-day-js (any version) | High | Mastra / Sapphire Sleet | Malicious postinstall dropper injected into 144 @mastra/* packages; any presence in dependency tree indicates exposure |
| npm Package | axios@1.14.1 | High | Axios Supply Chain / China-DPRK | Trojanized version with embedded RAT; do not install; block at artifact registry |
| npm Package | axios@0.30.4 | High | Axios Supply Chain / China-DPRK | Trojanized version with embedded RAT; do not install; block at artifact registry |
| Email Domain | tutamail.com (ehindero2016@, sergey2016@) | High | Mastra / Sapphire Sleet | Attacker email accounts associated with hijacked npm maintainer identity |
| Hash (Detection Name) | Trojan:Win32/CryptoBandits.A | High | USB Crypto Clipper | Microsoft Defender detection name; use as hunt string in Defender for Endpoint telemetry |
| Tool (Behavioral) | dfsvc.exe [spawning cmd.exe, powershell.exe, wscript.exe, or any non-ClickOnce binary] | High | ClickOnce Weaponization | ClickOnce deployment host leveraged via malicious .application/.appref-ms manifests to execute untrusted payloads; parent-child process anomaly is primary detection signal |
| Tool (Behavioral) | rundll32.exe [loading dfshim.dll from AppData/ClickOnce paths in non-deployment context] | High | ClickOnce Weaponization | ClickOnce DLL shim invoked via rundll32.exe outside managed deployment workflow; T1218.011 |
| File Extension | .appref-ms (in user-writable paths: Downloads, Desktop, Temp, AppData) | High | ClickOnce Weaponization | ClickOnce application reference manifest; delivery via spearphishing link; should be treated as executable-class extension in email gateway and DLP policies |
| File Extension | .application (downloaded from external hosts outside known enterprise deployment infrastructure) | High | ClickOnce Weaponization | ClickOnce deployment manifest; malicious variants deliver payloads without admin privileges |
| Tool (Behavioral) | node.exe v7.10.1 [any network connection] | High | ClickFix Loaders (Potemkin/BabaDeda) | Outdated Node.js v7.10.1 used as staging infrastructure; any enterprise endpoint running this version with outbound connections warrants immediate investigation |
| Network (Behavioral) | Outbound TCP port 9001 or 9030 from endpoint processes [Tor guard relay] | High | USB Crypto Clipper / Parallel Persistence | Tor C2 channel used by multiple campaigns this week; block and alert on Tor relay traffic from enterprise endpoints |
| Network (Behavioral) | *.duckdns.org DNS queries from workstations | Medium | Parallel Persistence (Tailscale/OpenSSH) | DuckDNS dynamic DNS used for C2 resolution; workstation queries to this domain are anomalous in enterprise environments |
| Network (Behavioral) | controlplane.tailscale.com / login.tailscale.com outbound from unauthorized hosts | Medium | Parallel Persistence (Tailscale/OpenSSH) | Tailscale coordination and authentication; unauthorized host enrollment indicates attacker-controlled mesh VPN setup |
| Chrome Extension (Name) | Smart Adblocker | High | PromptSnatcher / AI Credential Theft | Malicious Chrome extension exfiltrating AI chatbot conversation histories; remove from all managed Chrome instances |
| Chrome Extension (Name) | Adblock for Browser | High | PromptSnatcher / AI Credential Theft | Second malicious Chrome extension in PromptSnatcher campaign; 100,000+ combined installs with Smart Adblocker |
| URL (Reference) | https://thehackernews.com/2026/06/salesforce-disables-klue-app.html | Medium | Klue / Icarus / Salesforce Breach | Primary reporting on Salesforce disabling Klue integration; review for published IOCs |
| URL (Reference) | https://www.bleepingcomputer.com/news/security/klue-oauth-breach-victim-list-grows-as-icarus-hackers-claim-attack/ | Medium | Klue / Icarus / Salesforce Breach | BleepingComputer coverage of victim list expansion and Icarus attribution |
| URL (Reference) | https://www.bleepingcomputer.com/news/security/new-prinz-eugen-ransomware-prioritizes-recent-files-for-encryption/ | High | Prinz Eugen Ransomware | Links to Malwarebytes ThreatDown IOC publication; retrieve current IOC list from this source |
| Hash/Domain (Reference) | Microsoft Security Blog June 17, 2026 (Mastra/Axios) — retrieve IOCs directly | High | Mastra / Axios Supply Chain | Primary IOC source: https://www.microsoft.com/en-us/security/blog/2026/06/17/postinstall-payload-inside-mastra-npm-supply-chain-compromise/ |
| Tool (Exploit) | usbliter8 | High | A12/A13 BootROM Exploit | Public PoC exploit released by Paradigm Shift (June 18, 2026); requires physical USB/DFU mode access; targets A12/A13/S4/S5 Apple SoCs |
| Network Behavioral | POST to /wp-content/ or /wp-admin/ from workstation-class hosts | Medium | ClickFix / SocGholish / Lorem Ipsum | Compromised WordPress sites used as delivery and staging infrastructure; workstation POSTs to WordPress endpoints indicate active staging or delivery |
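The process-lineage signals from the ClickFix and SocGholish detection notes and the ClickOnce dfsvc.exe row above can be expressed as rules over process-creation telemetry. The following is an added example, not code from this briefing's sources; it assumes records shaped like Sysmon Event ID 1 (ParentImage, Image, CommandLine, FileVersion, plus a Computer field), a browser list that is an assumption, and sample events that are constructed.

```python
import ntpath

BROWSERS = {"chrome.exe", "msedge.exe"}  # assumption: browsers deployed in this estate
INTERPRETERS = {"powershell.exe", "cmd.exe", "mshta.exe"}
CLICKONCE_CHILDREN = {"cmd.exe", "powershell.exe", "wscript.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}


def _base(path):
    """Lower-cased file name of a Windows path, whatever OS the analysis runs on."""
    return ntpath.basename(path or "").lower()


def has_encoded_command(cmdline):
    """True if a PowerShell command line carries -EncodedCommand or an abbreviation."""
    for token in cmdline.split():
        if token.startswith("-") and len(token) > 1:
            flag = token[1:].lower()
            # PowerShell accepts prefixes of the parameter name (-e, -enc, ...) and -ec.
            if "encodedcommand".startswith(flag) or flag == "ec":
                return True
    return False


def classify(event):
    """Return the names of every rule a process-creation record matches."""
    parent = _base(event.get("ParentImage"))
    image = _base(event.get("Image"))
    hits = []
    # ClickFix: interpreter launched from the user's shell (Run dialog runs as explorer.exe).
    if parent == "explorer.exe" and image in INTERPRETERS:
        hits.append("clickfix-user-launched-interpreter")
    if image == "powershell.exe" and has_encoded_command(event.get("CommandLine", "")):
        hits.append("encoded-powershell")
    # ClickOnce: the deployment host should not start shells or script hosts.
    if parent == "dfsvc.exe" and image in CLICKONCE_CHILDREN:
        hits.append("clickonce-host-spawned-interpreter")
    # SocGholish-style fake updates: browser starting a Windows script host.
    if parent in BROWSERS and image in SCRIPT_HOSTS:
        hits.append("browser-spawned-script-host")
    # node.exe on an endpoint is reportable; v7.10.1 matches the staging indicator.
    if image == "node.exe":
        staged = str(event.get("FileVersion", "")).startswith("7.10.1")
        hits.append("node-7.10.1-staging" if staged else "node-on-endpoint")
    return hits


def hunt(events):
    """Return (computer, image, rules) for every record that matched a rule."""
    results = []
    for event in events:
        hits = classify(event)
        if hits:
            results.append((event.get("Computer", "?"), _base(event.get("Image")), hits))
    return results


# Constructed sample records; host names, paths and arguments are illustrative only.
SAMPLE_EVENTS = [
    {"Computer": "WS-101", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -w hidden -enc QQBCAEMA"},
    {"Computer": "WS-102",
     "ParentImage": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c whoami"},
    {"Computer": "WS-103",
     "ParentImage": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "Image": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r"wscript.exe C:\Users\a\Downloads\Update.js"},
    {"Computer": "WS-104", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Users\a\AppData\Local\Temp\node.exe", "FileVersion": "7.10.1",
     "CommandLine": "node.exe index.js"},
    {"Computer": "WS-105", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "CommandLine": "WINWORD.EXE /n report.docx"},
    {"Computer": "WS-106", "ParentImage": r"C:\Windows\System32\services.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -ExecutionPolicy Bypass -File C:\Scripts\inventory.ps1"},
]

if __name__ == "__main__":
    for computer, image, rules in hunt(SAMPLE_EVENTS):
        print(computer, image, ", ".join(rules))
```

Interactive PowerShell or cmd sessions started from the Start menu also have explorer.exe as parent, so the first rule needs a baseline of expected users before it is used for alerting.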
Helpful 5: High-Value Low-Effort Mitigations
1. Block .application and .appref-ms File Types at Email Gateway and Web Proxy
Why this week: CrowdStrike’s multi-part ClickOnce disclosure documents active adversarial weaponization of these file types for no-privilege malware delivery and persistence. These file types function identically to .exe from a security perspective but are not blocked by most default email security configurations. This single policy change closes the primary delivery vector for all documented ClickOnce campaigns.
How:
- In your email security gateway (Microsoft Defender for Office 365, Proofpoint, Mimecast, etc.), add .application and .appref-ms to the blocked attachment type list alongside .exe, .msi, .bat, .vbs.
- In your web proxy or Secure Web Gateway, add the MIME type application/x-ms-application and the .appref-ms file extension to the blocked download category.
- Verify via a test delivery that the block is active before removing from the watch list.
- Where ClickOnce is a legitimate business requirement, create an exception policy scoped to specific internal update server domains only.
Framework alignment: NIST CSF DE.CM-01 (network monitoring), NIST 800-53 SI-3 (Malicious Code Protection), CIS v8 2.3 (Address Unauthorized Software), CIS v8 4.4/4.5 (Firewall on Servers and End-User Devices).
2. Rotate All FortiGate SSL-VPN Credentials and Remove FG-IR-25-934 Symlink Artifacts
Why this week: FortiBleed exposed credentials for 73,000–86,644 FortiGate devices. Credential rotation is the single highest-impact action available for organizations running any FortiGate SSL-VPN regardless of whether their specific device is confirmed in the leaked dataset. Patching alone is insufficient; the FG-IR-25-934 symlink artifact persists through firmware updates.
How:
- Identify all internet-facing FortiGate SSL-VPN instances via asset inventory (CIS 1.1).
- Force-expire all local VPN user passwords and administrative credentials via FortiGate CLI or GUI.
- Apply FortiOS 7.2.11, 7.4.8, or 7.6.1 per your version track.
- Follow Fortinet’s FG-IR-25-934 remediation steps to explicitly remove the symlink artifact (consult https://fortiguard.fortinet.com/psirt/FG-IR-25-934).
- Enable MFA on all SSL-VPN and administrative interfaces before re-enabling access (CIS 6.3, 6.4).
- Monitor authentication logs for re-use of rotated credentials as canary indicators.
Framework alignment: NIST 800-53 IA-5 (Authenticator Management), AC-17 (Remote Access), CIS v8 6.3/6.4 (MFA for external and remote access), D3FEND D3-CRO (Credential Rotation), D3-MFA (Multi-factor Authentication).
3. Audit and Revoke All Third-Party OAuth Grants in Salesforce (and Other SaaS Platforms)
Why this week: The Klue/Icarus breach demonstrates that third-party SaaS integrations holding OAuth tokens are an uncontrolled attack surface. The Klue token compromise required no Salesforce vulnerability—it exploited the trust Salesforce extends to authorized connected applications. If your organization has not reviewed OAuth grant inventories recently, assume some grants are over-permissioned, unused, or held by vendors with inadequate security controls.
How:
- In Salesforce: Setup > Integrations > Connected Apps > Manage Connected Apps > OAuth Usage by User. Export the list and identify: unused grants (last_used = null or >90 days), grants with broad object-level read permissions, and any grant with no documented business owner.
- Revoke all Klue Battlecards OAuth tokens immediately.
- Revoke any grant that cannot be mapped to a documented business justification within 48 hours.
- Apply the same review to HubSpot, Gong, Snowflake, Slack, and any CRM-adjacent SaaS platform.
- Enforce OAuth scope minimization for all newly authorized integrations going forward (AC-6).
Framework alignment: NIST 800-53 AC-2 (Account Management), AC-6 (Least Privilege), IA-5 (Authenticator Management), CIS v8 6.1/6.2 (Access Granting and Revoking Processes), D3FEND D3-UAP (User Account Permissions), D3-CRO (Credential Rotation).
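The grant review in item 3 can be run as a repeatable triage over the exported list. This is an added example, not Salesforce tooling or code from this briefing's sources; the CSV column names (app_name, user, scopes, last_used), the owner inventory, and the choice of which scopes count as broad are assumptions, and the sample rows are constructed.

```python
import csv
import io
from datetime import date

STALE_AFTER_DAYS = 90               # ">90 days" threshold from the briefing
BROAD_SCOPES = {"full", "api"}      # assumption: scopes treated as broad data access
REVOKE_NOW = {"klue battlecards"}   # integration the briefing says to revoke immediately


def triage_grants(csv_text, owners, today):
    """Return {(app, user): [reasons]} for grants needing revocation or review.

    csv_text -- exported grant list using the hypothetical columns above
    owners   -- {app_name: documented business owner}; missing or empty means none
    today    -- reference date, passed in so results are reproducible
    """
    flagged = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        app = row["app_name"].strip()
        last_used = row["last_used"].strip()
        reasons = []
        if app.lower() in REVOKE_NOW:
            reasons.append("revoke-now")
        if not last_used:
            reasons.append("never-used")
        elif (today - date.fromisoformat(last_used)).days > STALE_AFTER_DAYS:
            reasons.append("stale")
        if BROAD_SCOPES & set(row["scopes"].split()):
            reasons.append("broad-scope")
        if not owners.get(app):
            reasons.append("no-owner")
        if reasons:
            flagged[(app, row["user"].strip())] = reasons
    return flagged


# Constructed export and owner inventory; apps other than Klue Battlecards are made up.
SAMPLE_EXPORT = """app_name,user,scopes,last_used
Klue Battlecards,svc-integration@example.com,api refresh_token,2026-06-10
Calendar Sync,alice@example.com,id refresh_token,2026-03-24
Report Exporter,bob@example.com,full,
Legacy Dialer,carol@example.com,id,2026-03-01
"""
SAMPLE_OWNERS = {
    "Klue Battlecards": "Sales Operations",
    "Calendar Sync": "IT",
    "Legacy Dialer": "Support",
}

if __name__ == "__main__":
    as_of = date(2026, 6, 22)
    for (app, user), reasons in triage_grants(SAMPLE_EXPORT, SAMPLE_OWNERS, as_of).items():
        print(f"{app:18} {user:30} {', '.join(reasons)}")
```

A grant last used exactly 90 days before the reference date is not flagged as stale, matching the briefing's ">90 days" wording.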
4. Deploy Microsoft Vulnerable Driver Blocklist (WDAC) to Counter BYOVD Attacks
Why this week: Both the Gentlemen RaaS GentleKiller toolkit and the FishMonger APT used BYOVD (Bring Your Own Vulnerable Driver) techniques to terminate EDR agents and achieve kernel-level execution. The Microsoft Vulnerable Driver Blocklist is an underdeployed control that directly prevents loading of known-abused drivers. This is a policy deployment, not a software installation—it can be applied without agent rollout.
How:
- Enable the Microsoft Recommended Driver Block Rules via Windows Defender Application Control (WDAC): https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules
- For devices not using WDAC, deploy the Microsoft Vulnerable Driver Blocklist via Group Policy (Computer Configuration > Windows Settings > Security Settings > Application Control Policies).
- Supplement with the loldrivers.io community blocklist for broader coverage.
- Monitor Sysmon Event ID 6 (Driver Loaded) for any load failures or blocked driver events, which indicate active BYOVD attempts.
- Apply UEFI firmware updates from all 8 affected vendors (Acer, AMD, ASUS, ECS, Getac, GIGABYTE, Toshiba, Uniwill) per vendor security advisories addressing the CERT/CC Secure Boot bypass.
Framework alignment: NIST 800-53 SI-7 (Software, Firmware, and Information Integrity), CM-7 (Least Functionality), CIS v8 2.5/2.6 (Allowlist Authorized Software and Libraries), D3FEND D3-SFA (System File Analysis), D3-SICA (System Init Config Analysis).
5. Enforce npm Package Integrity Verification and Private Registry Proxy in CI/CD
Why this week: Two separate npm supply chain attacks this week (Mastra and Axios) exploited the same root vulnerability: build pipelines pulling directly from the public npm registry without integrity verification, and npm maintainer accounts without MFA. A private registry proxy with an allowlist intercepts malicious packages before they execute in builds.
How:
- Deploy a private npm registry proxy (Nexus, Artifactory, Verdaccio, or GitHub Packages) as the sole npm registry endpoint for all CI/CD runners and developer workstations.
- Configure the proxy in allowlist mode: only packages explicitly approved for your organization can be installed; new packages require security review before addition to the allowlist.
- Enable npm package provenance attestation verification: configure `npm config set audit true` and integrate Sigstore/SLSA verification for packages from organizations that support it.
- Enforce MFA on all npm accounts that your organization uses to publish packages (CIS 6.5).
- Integrate an SCA (Software Composition Analysis) tool (Snyk, Dependabot, Socket) as a CI/CD gate that fails builds on integrity mismatches or newly introduced suspicious packages.
Framework alignment: NIST 800-53 SR-2 (Supply Chain Risk Management Plan), SR-3 (Supply Chain Controls and Processes), SI-7 (Software, Firmware, and Information Integrity), CM-7 (Least Functionality), CIS v8 2.1/2.3 (Software Inventory and Unauthorized Software), CIS v8 7.4 (Automated Application Patch Management), D3FEND D3-PBWSAM (Proxy-based Web Server Access Mediation).
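A lockfile check against this briefing's npm indicators (easy-day-js, axios 1.14.1 and 0.30.4, and the @mastra scope) can run as a CI gate or during incident scoping. This is an added example, not code from the briefing's sources; it reads the package-lock.json structure for lockfileVersion 1, 2 and 3, and the sample lockfile and its placeholder versions are constructed.

```python
import json

# Indicators copied from this briefing's IOC table.
BLOCK_ANY_VERSION = {"easy-day-js"}
BLOCK_VERSIONS = {"axios": {"1.14.1", "0.30.4"}}
REVIEW_SCOPES = ("@mastra/",)  # affected scope; check versions against the vendor IOC lists


def iter_lock_packages(lock):
    """Yield (name, version, location, has_install_script) for each locked package."""
    if "packages" in lock:
        # lockfileVersion 2/3: flat map keyed by install path; "" is the root project.
        for path, meta in lock["packages"].items():
            if not path:
                continue
            # Aliased installs carry an explicit "name"; otherwise derive it from the path.
            name = meta.get("name") or path.rsplit("node_modules/", 1)[-1]
            yield name, meta.get("version", ""), path, bool(meta.get("hasInstallScript"))
        return
    # lockfileVersion 1: nested "dependencies" tree with no install-script flag.
    stack = [(lock.get("dependencies", {}), "")]
    while stack:
        deps, prefix = stack.pop()
        for name, meta in deps.items():
            location = f"{prefix}node_modules/{name}"
            yield name, meta.get("version", ""), location, False
            stack.append((meta.get("dependencies", {}), location + "/"))


def scan_lockfile(lock):
    """Return sorted findings: (action, name, version, location, has_install_script)."""
    findings = []
    for name, version, location, scripted in iter_lock_packages(lock):
        if name in BLOCK_ANY_VERSION or version in BLOCK_VERSIONS.get(name, ()):
            action = "block"
        elif name.startswith(REVIEW_SCOPES):
            action = "review"
        else:
            continue
        findings.append((action, name, version, location, scripted))
    return sorted(findings)


# Constructed sample (lockfileVersion 3). Only the axios versions are real indicators;
# "0.0.0-example" is a placeholder version.
SAMPLE_LOCK = json.loads("""
{
  "name": "demo-app",
  "lockfileVersion": 3,
  "packages": {
    "": {"name": "demo-app", "version": "1.0.0"},
    "node_modules/axios": {"version": "1.14.1"},
    "node_modules/legacy-client/node_modules/axios": {"version": "0.27.2"},
    "node_modules/@mastra/core": {"version": "0.0.0-example"},
    "node_modules/@mastra/core/node_modules/easy-day-js": {
      "version": "0.0.0-example", "hasInstallScript": true
    },
    "node_modules/left-pad": {"version": "1.3.0"}
  }
}
""")

if __name__ == "__main__":
    for finding in scan_lockfile(SAMPLE_LOCK):
        print(*finding, sep="\t")
```

Transitive copies nested under another package's node_modules directory are reported with their full install path, which identifies the parent dependency that pulled them in.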
Framework Alignment Matrix
| Threat | MITRE Tactic | MITRE Technique | NIST 800-53 Controls | CIS v8 Safeguards |
|---|---|---|---|---|
| Mastra npm Supply Chain (Sapphire Sleet) | Initial Access, Execution, Persistence, Credential Access, Exfiltration | T1195.001, T1059.007, T1543.001/002/003, T1555, T1041 | SR-2, SR-3, SI-7, CM-7, AC-6, IA-2, IA-5 | 2.1, 2.3, 2.5, 2.6, 6.3, 6.5, 7.4, 15.1 |
| FortiBleed — Credential Exposure | Credential Access, Initial Access, Defense Evasion | T1110, T1133, T1078, T1552, T1556 | AC-17, AC-7, IA-5, SC-7, AC-2 | 6.3, 6.4, 6.5, 5.2, 7.3, 7.4 |
| Klue/Icarus OAuth Breach — Salesforce | Initial Access, Credential Access, Collection, Exfiltration | T1528, T1550.001, T1199, T1530, T1567 | AC-2, AC-6, IA-5, AC-20, SR-2 | 6.1, 6.2, 5.4, 6.8, 15.1 |
| ClickOnce Weaponization | Initial Access, Execution, Persistence, Defense Evasion | T1566.002, T1218.011, T1547.001, T1053.005, T1204.002, T1072 | CM-7, SI-3, SI-4, AT-2, CA-7, SC-7 | 2.3, 2.5, 2.6, 8.2, 14.2 |
| Gentlemen RaaS / GentleKiller BYOVD | Defense Evasion, Privilege Escalation, Impact | T1562.001, T1068, T1211, T1542.003, T1553.002, T1486 | SI-2, SI-7, AC-6, CP-9, CP-10, SC-7 | 2.5, 2.6, 5.4, 7.3, 7.4 |
| INC Ransomware — Active Campaign | Initial Access, Execution, Lateral Movement, Impact | T1190, T1021.001, T1003, T1486, T1490, T1489, T1562.001 | SI-2, RA-5, CP-9, CP-10, AC-17, CA-8 | 6.3, 6.4, 7.3, 7.4, 8.2 |
| pgAdmin 4 Critical Vulnerabilities | Initial Access, Execution, Collection, Impact | T1190, T1185, T1059.007, T1565.001 | SI-2, SI-10, SC-23, AC-3, RA-5 | 7.3, 7.4, 6.1, 8.2 |
| AI Agent Identity / NHI Standing Privilege (EO 14409) | Defense Evasion, Credential Access, Persistence | T1078.004, T1528, T1550.001, T1098, T1134 | AC-2, AC-6, AC-3, IA-2, IA-5, AU-2, AU-6 | 5.1, 5.4, 6.1, 6.2, 6.8, 8.2 |
| FishMonger / SprySOCKS Windows (China) | Persistence, Defense Evasion, Privilege Escalation | T1542.003, T1574.002, T1547.004, T1055.001, T1562.001, T1068 | SI-7, CA-7, AC-6, RA-5, AU-6 | 6.1, 6.2, 7.3, 7.4, 8.2 |
| AryStinger Botnet / EOL D-Link Routers | Resource Development, Command & Control, Credential Access | T1584.008, T1583.005, T1557, T1090.002, T1046 | SC-7, SI-2, RA-5, CM-7, SI-4 | 1.1, 7.3, 7.4, 4.2 |
| AutoJack / MCP AI Agent RCE | Execution, Initial Access | T1203, T1059.007, T1106, T1566 | SI-2, CM-7, SI-4, AC-4, AC-6 | 2.5, 7.3, 7.4, 16.10 |
| F5 NGINX Critical RCE/DoS | Initial Access, Impact, Execution | T1190, T1499.004, T1574, T1059 | SI-2, SC-7, SC-5, RA-5, CA-8 | 7.3, 7.4, 16.10 |
| ClickFix Loaders (BabaDeda/Potemkin/Lorem Ipsum) | Initial Access, Execution, Defense Evasion | T1566, T1218.005, T1204.002, T1562.001, T1574.002, T1189 | AT-2, SI-3, SI-8, CA-7, SC-7 | 14.2, 7.3, 7.4, 8.2 |
| Google Cloud Config Connector (Unpatched) | Privilege Escalation, Defense Evasion | T1548, T1078.004 | AC-6, CM-6, AC-3, AU-2, AU-6 | 6.1, 6.2, 5.4, 6.8, 8.2 |
Upcoming Security Events & Deadlines
- Next Patch Tuesday: July 8, 2026 (second Tuesday of July). Expect Microsoft security updates; prioritize any Windows kernel, Defender MPE, and .NET updates given CVE-2026-50656 (public PoC, no patch as of this briefing).
- EO 14409 Federal Action Windows: 30-day window closes approximately July 2, 2026; 60-day window closes approximately August 1, 2026. Federal agencies and FISMA/CMMC contractors must complete AI security hardening actions by these dates. Document scope determination and gap assessments now.
- Cisco ISE Full RCE Fix (CVE-2026-20181 / CVE-2026-20190): ISE 3.5 complete RCE remediation (Patch 4) expected August 2026. ISE 3.3 Patch 11 and ISE 3.4 Patch 6 are available now. Organizations on ISE 3.5 must treat appliances as operating under extended risk and maintain compensating network controls through August.
- Oracle CPU (Critical Patch Update): Next Oracle CPU expected July 15, 2026. CVE-2026-35258 (WebLogic) and CVE-2026-35275 (VirtualBox) are addressed in the current CPU cycle; verify patch deployment before the July CPU resets timelines.
- UK Online Safety Act — Social Media Age Verification: Enforcement deadline for major platforms (Instagram, YouTube, TikTok, Snapchat, Facebook, X) is July 25, 2026. Ofcom has confirmed the schedule. Organizations operating UK-facing platforms must have age verification intermediary contracts and compliance postures documented.
- CISA KEV Remediation Deadlines (active within 30 days from June 22): Organizations should continuously monitor https://www.cisa.gov/known-exploited-vulnerabilities-catalog for any new KEV additions for CVEs documented this week (particularly FortiOS, Cisco ISE, F5 NGINX, and pgAdmin 4), which would impose federal remediation deadlines typically 2–3 weeks from KEV addition date.
- F5 Support EOL Reminder: NGINX versions that have reached end-of-life are not eligible for the emergency patches issued June 18, 2026. Verify your NGINX version tracks are within supported ranges.
- ClickOnce CrowdStrike Part 2 Publication: Expected within 7–14 days of June 20, 2026 (Part 1 publication date). Part 2 will contain specific exploitation techniques, detection rules, and Falcon hunting queries. Assign ownership for immediate intake and action upon publication.
- Fortinet ISE Full Patch (ISE 3.5 Patch 4): Tentative August 2026 availability for complete CVE-2026-20181 RCE remediation on ISE 3.5 track. Monitor Cisco advisory cisco-sa-ise-multi-G5WP8vv for updates.
- Black Hat USA 2026: Las Vegas, August 1–6, 2026. Anticipate new vulnerability disclosures, AI security research, and supply chain attack technique publications that may require rapid response in the following weeks.
Sources
Section 3 — Key Security Stories
- Microsoft Security Blog — Mastra npm Supply Chain: https://www.microsoft.com/en-us/security/blog/2026/06/17/postinstall-payload-inside-mastra-npm-supply-chain-compromise/
- Kodem Security IOC Runbook — Mastra: https://www.kodemsecurity.com/resources/mastra-npm-packages-compromised-easy-day-js-supply-chain-attack-iocs-and-response-runbook
- Snyk — Mastra Contributor Account Analysis: https://snyk.io/blog/a-forgotten-contributor-account-compromised-the-entire-mastra-npm-package-scope/
- The Hacker News — Salesforce/Klue: https://thehackernews.com/2026/06/salesforce-disables-klue-app.html
- BleepingComputer — Klue/Icarus Victim List: https://www.bleepingcomputer.com/news/security/klue-oauth-breach-victim-list-grows-as-icarus-hackers-claim-attack/
- Recorded Future — Klue Breach Disclosure: https://www.recordedfuture.com/blog/klue-security-incident
- Tanium — Klue Breach Disclosure: https://www.tanium.com/blog/security-update-taniums-response-to-the-klue-breach-that-allowed-data-exfiltration-from-salesforce/
- BleepingComputer — Gentlemen RaaS: https://www.bleepingcomputer.com/news/security/gentlemen-ransomware-uses-multiple-edr-killers-to-disable-defenses/
- The Hacker News — INC Ransomware 830 Victims: https://thehackernews.com/2026/06/inc-ransomware-claims-830-victims-since.html
- XLab Qianxin — AryStinger Botnet: blog.xlab.qianxin.com/arystinger-botnet-hijacks-legacy-routers-for-global-attacks-en/
- The Hacker News — usbliter8 BootROM: https://thehackernews.com/2026/06/unpatchable-usbliter8-exploit-breaks.html
- Unit 42 — Vertex AI Bucket Squatting: https://unit42.paloaltonetworks.com/hijacking-vertex-ai-model/
- Huntress — Klue Breach Investigation: https://www.huntress.com/blog/klue-breach-investigation
- ReliaQuest — Klue/CRM Threat Spotlight: https://reliaquest.com/blog/threat-spotlight-integration-abused-in-crm-data-theft
- BleepingComputer — Prinz Eugen Ransomware: https://www.bleepingcomputer.com/news/security/new-prinz-eugen-ransomware-prioritizes-recent-files-for-encryption/
- Microsoft Security Blog — USB Crypto Clipper: https://www.microsoft.com/en-us/security/blog/2026/06/17/crypto-clipper-uses-tor-worm-like-propagation-for-persistence-control/
Section 5 — Supply Chain & Developer Tool Threats
- Aikido Security — JetBrains Plugin Campaign: https://www.aikido.dev/blog/multiple-jetbrains-ide-plugins-caught-stealing-ai-keys
- axios/axios GitHub Issue #10636 — Axios Post-Mortem: https://github.com/axios/axios/issues/10636
- GHSA-537c-gmf6-5ccf — Python cryptography Bundled OpenSSL: https://github.com/advisories/GHSA-537c-gmf6-5ccf
- NVD — CVE-2026-11526 (Perl GD): https://nvd.nist.gov/vuln/detail/CVE-2026-11526
Section 6 — Nation-State & APT Activity
- ESET Research — FishMonger/SprySOCKS Windows Port (referenced in SCC-CAM-2026-0491)
- NCSC UK — Annual Review 2025 Chapter 02 (referenced in SCC-STY-2026-0220); NCSC CNI advisory
- Microsoft Security Blog — China/DPRK Technology Sector Campaign: https://www.microsoft.com/en-us/security/blog/ (June 2026 reporting)
- NVD — CVE-2023-24932: https://nvd.nist.gov/vuln/detail/cve-2023-24932
- Microsoft — CVE-2023-24932 Enterprise Deployment Guidance: https://support.microsoft.com/en-us/topic/enterprise-deployment-guidance-for-cve-2023-24932-88b8f034-20b7-4a45-80cb-c6049b0f9967
Section 7 — Phishing & Social Engineering
- Microsoft Security Blog — USB Crypto Clipper/CryptoBandits.A: https://www.microsoft.com/en-us/security/blog/2026/06/17/crypto-clipper-uses-tor-worm-like-propagation-for-persistence-control/
- Dark Reading — Lorem Ipsum / Vice Society Attribution (referenced in SCC-CAM-2026-0492)
- Europol — Operation Endgame / SocGholish Takedown (referenced in SCC-CAM-2026-0515)
- CISA — Ransomware guidance: https://www.cisa.gov/ransomware
Section 4 — Critical CVE Table Sources
- NVD — CVE-2023-3519: https://nvd.nist.gov/vuln/detail/cve-2023-3519
- Censys — CVE-2025-5777 Advisory: https://censys.com/advisory/cve-2025-5777-cve-2025-6543-cve-2025-5439/
- CISA — ICS Advisory ICSA-26-169-03 (Rockwell FactoryTalk Historian)
- CISA — ICS Advisory ICSA-26-169-07 (Schneider Electric)
- Oracle — Critical Patch Update (CVE-2026-35258, CVE-2026-35275): https://www.oracle.com/security-alerts/
- Cisco Security Advisory — cisco-sa-ise-multi-G5WP8vv (CVE-2026-20181 / CVE-2026-20190)
- Fortinet PSIRT — CVE-2026-25089: https://www.fortinet.com/blog/psirt
- Fortinet PSIRT — FG-IR-25-934: https://fortiguard.fortinet.com/psirt/FG-IR-25-934
Authoritative Frameworks Referenced
- NIST SP 800-53 Rev. 5 — Security and Privacy Controls: https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final
- NIST Cybersecurity Framework 2.0: https://www.nist.gov/cyberframework
- MITRE ATT&CK Framework: https://attack.mitre.org
- MITRE D3FEND: https://d3fend.mitre.org/
- CIS Controls v8.1: https://www.cisecurity.org/controls/v8
- CISA Known Exploited Vulnerabilities Catalog: https://www.cisa.gov/known-exploited-vulnerabilities-catalog
- CISA BYOVD Guidance and CISA Ransomware: https://www.cisa.gov/ransomware
- Microsoft Vulnerable Driver Blocklist: https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules
- loldrivers.io — Vulnerable Driver Community List: https://www.loldrivers.io/