Threat Newsletter June 15, 2026

Share
Threat Newsletter June 15, 2026
Photo by Clint Patterson / Unsplash

This week's roundup is dominated by one overarching story: AI has become both the weapon and the target. Anthropic's restricted "Mythos" cyber-models are now turning newly disclosed bugs into working exploits in hours, are quietly embedded inside the NSA's offensive operations, and have just spawned a "safer" public sibling (Claude Fable 5) — even as attackers turn the same AI coding agents (Claude Code, Cursor, Gemini CLI) into their own infection vector via supply-chain worms like Miasma/Shai-Hulud/Hades and novel techniques like "Agentjacking."

Layered on top of that is a brutal vulnerability season: a record-breaking ~200-CVE Patch Tuesday, a feuding ex-Microsoft researcher ("Nightmare Eclipse") dropping Windows zero-days on a roughly 10-day cadence, actively exploited flaws in SolarWinds Serv-U, Cisco SD-WAN, FortiSandbox, and the AI dev platform Langflow, and a new CISA directive compressing federal patch timelines down to as little as 72 hours.

Rounding things out: large-scale account-takeover and espionage campaigns (Meta's AI support bot abused to hijack 20,000 Instagram accounts, Chinese recruitment-scam networks on LinkedIn/Indeed/Upwork, Fancy Bear's router-hijacking infrastructure), governance and legal fallout from AI misuse (a Mississippi court case derailed by dueling AI-hallucinated filings, an IBM breach-cover-up lawsuit), and continued hardening of the open-source supply chain (GitHub disabling npm install scripts by default).

Below, each resource gets its own title, summary, key takeaways, and source link.


Serv-U Under Siege: CISA Flags Active DoS Exploits

CISA confirmed active exploitation of CVE-2026-28318, a high-severity uncontrolled resource consumption flaw in SolarWinds Serv-U that lets unauthenticated attackers crash the file-transfer service with a specially crafted POST request. SolarWinds patched it days earlier in Serv-U 15.5.4 Hotfix 1, but CISA has already added it to the Known Exploited Vulnerabilities catalog and ordered federal agencies to patch by June 19 under BOD 22-01.

Key Takeaways:

  • Exploitable without authentication via a crafted "Content-Encoding: deflate" POST request — no user interaction needed.
  • Over 12,000 Serv-U instances are exposed on Shodan; ~3,100 tracked by Shadowserver.
  • Serv-U has a long history of being targeted by ransomware (Clop) and Chinese state-linked actors.
  • Admins who can't patch immediately should restrict access and block POST requests containing "content-encoding."
CISA: Hackers now exploit SolarWinds Serv-U flaw to crash servers
CISA warned today that hackers are now actively exploiting a recently patched high-severity SolarWinds Serv-U flaw to crash servers.

Miasma Worm Burrows Into Microsoft's Own GitHub

The self-replicating "Miasma" worm — a variant of the Mini Shai-Hulud supply-chain malware — compromised 73 Microsoft repositories across Azure, Azure-Samples, Microsoft, and MicrosoftDocs GitHub orgs, forcing GitHub to disable access. The attack re-used credentials from May's compromise of the Azure "durabletask" package and planted configuration files (.claude/settings.json, .gemini/settings.json, Cursor rules, VS Code tasks) designed to auto-execute a payload the moment a developer opens an infected repo in an AI coding tool.

Key Takeaways:

  • The same contributor account from May's breach was reused, suggesting credentials were never fully rotated.
  • Payload targets Claude Code, Gemini CLI, Cursor, and VS Code via session-start hooks and auto-run tasks.
  • Some malicious code was pushed directly to repos, entirely bypassing the npm registry.
  • Researchers say the worm "exploits the trust model" of package registries rather than a software vulnerability — every malicious publish looks like a routine update.
Miasma Worm Hits 73 Microsoft GitHub Repositories in Major Supply Chain Attack
Miasma hit 73 Microsoft repos across four GitHub orgs, forcing access disablement and exposing open-source trust risks.

Inside the NSA's Quiet Access to Anthropic's Mythos

The Financial Times reports Anthropic has placed roughly six "forward-deployed" engineers inside the NSA to help the agency use Mythos — Anthropic's most capable and tightly restricted cyber-AI model — for offensive operations, even as Anthropic publicly fights a Pentagon "supply-chain risk" designation and a possible Claude ban from DoD systems by August. Project Glasswing, the controlled-access program for Mythos, has also expanded from ~50 to ~150 organizations across 15+ countries, including NATO, ENISA, and Australia's Signals Directorate.

Key Takeaways:

  • Mythos Preview reportedly built a complete exploit pipeline against a complex Linux target in under a day for under $2,000.
  • UK's AI Security Institute found Mythos solved 73% of expert-level tasks no prior model could complete.
  • The NSA carve-out exists despite the broader DoD procurement ban on Anthropic.
  • Glasswing partners have surfaced 10,000+ high/critical vulnerabilities; an internal scan of 1,000 open-source projects flagged 23,019 potential issues.
Report: Anthropic Deploys Engineers to Support NSA Use of Mythos
Reports claim Anthropic engineers are helping the NSA use its restricted AI model Mythos, known for advanced cybersecurity capabilities.

When Phishing Fails, They Show Up With a Thumb Drive

Google Mandiant warns that extortion group UNC3753 (aka Luna Moth / Chatty Spider / Silent Ransom Group) has hit "dozens" of US banks, law firms, and professional services firms since January using fake help-desk calls — and when remote social engineering fails, operatives show up in person posing as IT technicians and use USB thumb drives to steal data. Some operations have gone from initial contact to data theft in under an hour.

Key Takeaways:

  • The group has operated since 2022, evolving from fake billing-renewal lures into callback phishing and now physical intrusion.
  • Mandiant has separately observed adversaries planting insiders or bribing employees to gain physical access elsewhere.
  • Speed is a hallmark: data search, staging, and theft can occur in under an hour once access is gained.
  • Law firms and professional services should lock down USB ports and train staff to verify "IT support" visits independently.
If you don’t fall for these extortionists’ calls, they’ll show up with USB sticks
When ‘Chatty Spider’ morphs into tech services cosplay spider

Microsoft's Repos Weaponized Against AI Coding Tools

Microsoft took the unusual step of disabling more than 70 of its own GitHub repositories (the same Miasma incident covered above) after researchers found malware designed to harvest credentials from people using AI coding agents such as Claude Code and Gemini CLI. The exact scope of the breach remains unclear, but it ties back to a previously compromised package.

Key Takeaways:

  • A major vendor disabling dozens of its own repos is a rare, visible admission of a serious supply-chain compromise.
  • The malware specifically targets AI coding-agent users, reflecting attackers' pivot toward developer AI tooling as an attack surface.
  • The incident is directly linked to the broader Miasma/Shai-Hulud campaign covered elsewhere in this roundup.
Microsoft Hacked to Deliver Malware to Claude and Gemini Users
Microsoft took the highly unusual step of shutting down more than 70 of its own GitHub repositories after hackers pushed malware that would steal credentials from AI coding agent users.

From Patch to Exploit in Minutes: Mythos and the Shrinking Patch Gap

New Anthropic red-team research shared with Axios shows Mythos Preview can turn newly disclosed vulnerabilities — in this case in Firefox and the Windows kernel — into working exploits within hours rather than weeks. In one test, Mythos produced a Windows kernel proof-of-concept in 31 minutes and ultimately built 8 distinct privilege-escalation exploits from 21 kernel bugs; on Firefox it built 8 working code-execution exploits from 18 patches.

Key Takeaways:

  • This shrinks the "patch gap" — the window between a fix being published and attackers weaponizing it — dramatically.
  • Anthropic estimates it spent about $15,700 in API credits to generate the Windows exploits (~$2,000 each).
  • Other models, including open-source ones and OpenAI's GPT-5.5-Cyber, show similar exploit-generation capability.
  • The findings land alongside a new Trump administration executive order assessing national-security risks from frontier AI models.
Anthropic Research Shows Mythos Model Built Working Exploits For Newly Disclosed Software Flaws In Hours
New research shows that the time required to convert flaws into working exploits has narrowed significantly with Anthropic’s new Mythos model.

Meta's AI Support Bot Becomes an Account-Takeover Tool

Meta disclosed to the Maine Attorney General that roughly 20,225 Instagram accounts may have been compromised after attackers exploited a bug in its AI-powered "High Touch Support" account-recovery tool. The tool failed to verify that an email address requesting a password reset actually belonged to the account, allowing attackers without 2FA-protected targets to seize accounts — including high-profile ones later sold on the dark web.

Key Takeaways:

  • The flaw was in a separate code path that skipped email-ownership verification during password resets.
  • Accounts without two-factor authentication were the ones successfully hijacked.
  • Meta has disabled the tool, invalidated generated reset links, and forced security checkpoints on affected accounts.
  • Victims reportedly included accounts tied to the Obama White House, Sephora, and a US Space Force official.
Meta Says 20,000 Instagram Accounts Hacked via AI Tool Abuse
Meta says roughly 20,000 Instagram accounts may have been hacked in a recent attack abusing an AI-powered account recovery support tool.

Whistleblower: IBM Buried Decade-Old Chinese Breaches

A newly unsealed 2020 lawsuit from William Barlow, IBM's former VP of threat intelligence, alleges IBM's core network — shared with AT&T — was breached more than 56,000 times between 2013–2016 by the Chinese state-linked group APT10, and that IBM covered up this and breaches at two subsidiaries (Trusteer and Truven) without notifying the government or affected parties.

Key Takeaways:

  • IBM allegedly lacked basic access logs, hampering its own investigation into the scope of the breach.
  • Five Eyes intelligence agencies reportedly warned IBM of the intrusion in 2017, prompting the internal probe.
  • IBM says the DOJ declined to intervene in the case and maintains it followed the law.
  • The case highlights ongoing gaps in breach-disclosure accountability for major federal cybersecurity vendors.
Former cyber executive turned whistleblower accuses IBM of covering up several data breaches | TechCrunch
IBM and two of its subsidiary companies were allegedly breached during the mid-2010s — a lawsuit filed by a former cybersecurity executive accuses IBM of not disclosing and actively covering it up.

Hades Rises: Shai-Hulud's Underworld-Themed PyPI Assault

Socket researchers uncovered a new Mini Shai-Hulud campaign — branded "Hades" — that compromised 37 malicious PyPI wheels across 19 packages. Unlike prior npm-focused waves, this one abuses Python ".pth" startup files to launch a Bun-powered JavaScript credential stealer, while leaning into a Greek-underworld naming theme (stygian, cerberus, charon, thanatos, etc.) for exfiltration repos.

Key Takeaways:

  • The .pth abuse is a new execution mechanism — Python's equivalent of npm's install-hook problem.
  • The campaign is "unmistakably" linked to the broader Shai-Hulud/Miasma lineage via its Bun-based cross-runtime design.
  • PyPI quarantined many affected releases; the rest were reported to PyPI security.
  • Organizations that installed affected packages should treat all install-time-accessible credentials (GitHub tokens, cloud keys, SSH keys) as compromised and rotate them.
Hades PyPI Attack: 19 Packages Poisoned to Auto-Run Bun Credential Stealer
Hades, a new PyPI branch of the Mini Shai-Hulud/Miasma supply chain campaign, hit 37 malicious wheels across 19 packages.

Job Boards as Spy Tools: Five Eyes Warns on Chinese Recruitment Ops

The Five Eyes intelligence alliance (US, UK, Australia, Canada, New Zealand) warns that Chinese actors are using LinkedIn, Indeed, and Upwork to pose as HR consultants, post fake jobs, and pressure security-clearance holders, military personnel, and people adjacent to government work (journalists, think-tank staff) into handing over sensitive information. China's London embassy has denied the allegations.

Key Takeaways:

  • Campaigns reportedly involve multi-round "interviews" using deepfake audio/video to impersonate recruiters and hiring managers.
  • Attackers exploit positive emotions (career opportunity, prestige) rather than fear-based urgency, making them harder to spot.
  • Experts recommend verifying any unsolicited recruiting outreach through official company channels before engaging further.
  • This warning is closely tied to the FBI website-seizure story later in this roundup.
LinkedIn, Indeed and Upwork Leveraged for Chinese Spying Threat
Five Eyes warns that China is targeting individuals in order to access sensitive or classified information.

Claude Fable 5: A Mythos-Class Model With a Leash

Anthropic launched Claude Fable 5 — its first Mythos-capability-class model deemed safe enough for general public and developer access. In sensitive domains like cybersecurity and biology, Fable 5 automatically falls back to the less-capable Claude Opus 4.8, with Anthropic saying over 95% of sessions never trigger this fallback. Separately, Project Glasswing partners are being upgraded from Mythos Preview to "Mythos 5."

Key Takeaways:

  • Anthropic ran 1,000+ hours of external bug-bounty red-teaming with no universal jailbreaks found.
  • Both Fable 5 and Mythos 5 are priced at $10/million input tokens and $50/million output tokens.
  • New Glasswing participants include Dragos, Tenable, Trend Micro, Netskope, BeyondTrust, Rubrik, BT, ICE, and Hitachi.
  • The release illustrates the industry's broader push to separate "generally capable" models from "frontier cyber-capable" ones via tiered access.
Anthropic Launches Claude Fable 5: Mythos-Class AI With Cybersecurity Guardrails
Anthropic launches Claude Fable 5, a Mythos-class AI model engineered with new safeguards that specifically restrict its use in cybersecurity.

CISA Rethinks Risk: Patching Priorities Get an Overhaul

CISA Acting Director Nick Andersen announced the agency is moving away from a blanket "patch everything immediately" model toward fine-grained risk prioritization — for both federal agencies and critical infrastructure — based on factors like internet exposure, KEV catalog status, and whether exploitation can be automated.

Key Takeaways:

  • Andersen explicitly cites AI-accelerated "weaponization timelines" as a driver, though the directive was in development before recent AI headlines.
  • CISA is hiring 329 new staff, with job offers to 182 by end of June, focused on operational capabilities.
  • Past prioritization schemes (like "Section 9" critical infrastructure designations) are described as too coarse to be useful.
  • Town halls on CIRCIA incident-reporting rules (72-hour reporting requirement) are set to begin the following week after shutdown-related delays.
CISA is rethinking how it prioritizes risks and vulnerabilities for feds, private sector
CISA is shifting federal agencies and critical infrastructure away from blanket patching toward targeted cyber risk prioritization, acting director Nick Andersen says.

Cisco's Seventh SD-WAN Zero-Day of the Year

Cisco disclosed CVE-2026-20245, an actively exploited command-injection vulnerability in Catalyst SD-WAN Manager that lets authenticated or already-privileged attackers run commands as root — the seventh actively exploited SD-WAN zero-day Cisco has faced this year, and no patch is yet available.

Key Takeaways:

  • Exploitation requires existing valid credentials or privileged access — likely obtained via two earlier 2026 Cisco SD-WAN zero-days (CVE-2026-20182, CVE-2026-20127).
  • Cisco has observed limited cases of malicious configuration changes pushed to edge devices.
  • Mandiant first spotted the activity; Cisco recommends upgrading to May's fixed software as a protective interim measure.
  • Cisco has had seven SD-WAN/firewall CVEs added to CISA's KEV catalog this year alone.
Cisco customers encounter another SD-WAN zero-day under attack
The defect marks the seventh actively exploited zero-day in Cisco SD-WANs this year, and the vendor has yet to release a patch.

Two AIs Walk Into a Courtroom: Judge Pulls the Plug

A federal judge in Mississippi canceled a trial and disqualified all four attorneys involved after discovering that lawyers on both sides of a contractual dispute had used generative AI tools that produced hallucinated, nonexistent case citations — effectively, as one observer put it, "two clients basically paying for ChatGPT to argue against itself."

Key Takeaways:

  • Two lawyers were barred from appearing before the court for two years; all four received fines of $1,000–$3,500.
  • The judge called it a "prime example of the risk associated with serving as a rubber-stamp" for AI output.
  • This is part of a growing pattern of courts sanctioning attorneys for unverified AI-generated filings.
  • For organizations using AI in any regulated or compliance-sensitive workflow, this underscores the need for human verification of AI outputs.
Judge Learns Lawyers on Both Sides of Case Used AI, Cancels Trial, Kicks Everyone Off the Case
When two AIs argue against each other, the legal system loses.

Microsoft's Biggest Patch Tuesday Ever

Microsoft's June 2026 Patch Tuesday fixed nearly 200 vulnerabilities (separately, ~360 additional browser/Chromium flaws not counted in that total) — a record. Security researchers point to AI-assisted vulnerability discovery (by both attackers and defenders) as a likely driver of the growing volume. The update also addressed flaws tied to "Nightmare Eclipse," an anonymous researcher in an ongoing public feud with Microsoft over vulnerability disclosure and bounty handling, plus a zero-day Visual Studio Code flaw allowing one-click GitHub token theft.

Key Takeaways:

  • One zero-day (CVE-2026-49160, an IIS denial-of-service bug) was reported by OpenAI's Codex.
  • Tenable's Satnam Narang notes ~90% of security professionals already use AI tools, suggesting this volume becomes "the norm."
  • Nightmare Eclipse claims to be a disgruntled former Microsoft employee and has promised more zero-days for July 14 (next Patch Tuesday).
  • The Patch Tuesday fixes also addressed two of Nightmare Eclipse's previously disclosed BitLocker/CTF framework bugs (YellowKey, GreenPlasma).
A Record-Breaking Patch Tuesday for June 2026
Microsoft today released software updates to plug nearly 200 security holes across its Windows operating systems and supported software, a record number of fixes for the company’s monthly Patch Tuesday cycle. Nearly three dozen of those bugs earned Microsoft’s most…

RoguePlanet: A Vengeful Researcher's Latest Windows Defender Zero-Day

Hours after Microsoft's record June Patch Tuesday, "Nightmare Eclipse" (aka Chaotic Eclipse) released proof-of-concept code for "RoguePlanet," a Microsoft Defender zero-day exploiting a race condition that can grant SYSTEM-level privileges on fully patched Windows 10 and 11 systems. The researcher — a self-described disgruntled ex-Microsoft employee — has now released roughly one new Defender/Windows zero-day every ~10 days over a two-month span.

Key Takeaways:

  • The exploit was originally an RCE vector via malicious SMB-hosted .vhd(x) files but now focuses on local privilege escalation after Microsoft's Defender changes blocked the remote path.
  • ThreatLocker and independent researchers confirmed the exploit is real, though success is inconsistent (race condition).
  • Microsoft says it is aware and investigating; it previously walked back threats of legal action against the researcher.
  • The dispute centers on Microsoft's handling of vulnerability disclosures and bounty payments.
Angry bug hunter with Microsoft beef drops new Windows 0-day
Revenge is a dish best served code

False Alarm: Bug Bounty Research Mistaken for a ServiceNow Breach

ServiceNow initially warned customers of a "security issue" that could allow an unauthenticated user to query certain instance tables — but the company has since attributed the activity to legitimate bug bounty researchers, not attackers. A security update was applied June 5 to affected hosted instances on the Australia platform release.

Key Takeaways:

  • The issue could allow unauthenticated users to gain unintended access to instance data under certain configurations.
  • ServiceNow says the researchers confirmed activity was solely for bug bounty submissions and no data was retained.
  • The episode shows how legitimate security research can be mistaken for an active breach — and vice versa.
  • Affected customers were notified directly; ServiceNow describes the impacted customer range as "not broad."
ServiceNow API Breach: What Customers Need to Know Now | The CyberSec Guru
A misconfigured ServiceNow REST endpoint exposed customer tenants in. Here’s what happened, what attackers accessed, and what you need know

AI Dev Platform Langflow's Path Traversal Flaw Under Active Attack

Attackers are actively exploiting CVE-2026-5027, a path traversal flaw in Langflow's file-upload endpoint that lets unauthenticated attackers write files anywhere on the filesystem via "../" sequences. Langflow — a popular drag-and-drop platform for building AI agents and RAG systems with 149,000+ GitHub stars — left the endpoint reachable via its default unauthenticated auto-login.

Key Takeaways:

  • Tenable disclosed the flaw in March after Langflow didn't respond for over two months; it was patched in langflow-base 0.8.3 / Langflow 1.9.0.
  • VulnCheck honeypots have observed attackers dropping test files on vulnerable instances.
  • Censys identified roughly 7,000 historically exposed Langflow instances (current exposure may differ).
  • This is the latest in a string of actively exploited Langflow CVEs, including one linked to Iran's MuddyWater group.
Path traversal flaw in AI dev platform Langflow exploited in attacks
Attackers are actively exploiting CVE-2026-5027, a high-severity path traversal vulnerability in the AI development platform Langflow, to write arbitrary files on exposed servers.

CISA's New Rule: Patch the Worst Bugs in 72 Hours

CISA's new Binding Operational Directive (BOD 26-04) requires federal civilian agencies to patch vulnerabilities meeting at least three of four risk criteria — internet exposure, presence in the KEV catalog, automatable exploitation, and degree of attacker control gained — within 72 hours, citing AI-accelerated threats. Agencies have 180 days to adopt the new timeline; less-severe vulnerabilities get up to two weeks or can wait until the next scheduled update.

Key Takeaways:

  • At one agency CISA studied, only 1% of vulnerabilities met the 3-day bar, while 60%+ were low-priority.
  • Agencies must also assess whether a system was already compromised before patching — "applying a patch generally does not evict a threat actor."
  • CISA strongly encourages (but doesn't mandate) state/local governments and critical infrastructure operators to adopt similar timelines.
  • The directive coincides with Sen. Mark Warner introducing legislation directing CISA to modernize cyber defenses for the AI era.
CISA to require federal agencies to patch some cyber vulnerabilities within 3 days
CISA is giving agencies 180 days to adopt the new patching time frame, according to a directive released Wednesday.

Miasma's Source Code Goes Public — Briefly

The source code for the Miasma credential-stealing framework (an evolution of Shai-Hulud) was briefly published on GitHub via numerous compromised developer accounts, in repos named "Miasma-Open-Source-Release." SafeDep's analysis reveals the toolkit needs no traditional C2 infrastructure — it uses GitHub itself — and includes a "dead-man switch" that wipes a victim's home and Documents folders if its stolen GitHub token is revoked.

Key Takeaways:

  • The framework harvests credentials from cloud providers, CI/CD systems, Kubernetes, password managers, and secret stores.
  • It can poison configurations for AI coding tools including Claude, Gemini, Cursor, Copilot, Kiro, and Cline.
  • A five-stage build pipeline generates unique, heavily obfuscated payloads for every build, hampering signature detection.
  • As with the original Shai-Hulud leak, this release is expected to spawn further copycat variants.
The ‘Miasma’ worm source code briefly leaked on GitHub
The Miasma credential-stealing attack framework, which has recently targeted open-source ecosystems through supply-chain attacks, was briefly open-sourced on GitHub.

Fortinet Patches a 9.8-Severity FortiSandbox Command Injection

Fortinet patched CVE-2026-25089, a critical (CVSS 9.8) OS command injection flaw in FortiSandbox, FortiSandbox Cloud, and FortiSandbox PaaS that could let unauthenticated remote attackers execute arbitrary commands via crafted HTTP requests. Two lower-severity flaws in FortiOS, FortiProxy, and FortiPortal were also fixed.

Key Takeaways:

  • Affects FortiSandbox 5.0.0–5.0.5 and 4.4.0–4.4.8; upgrade to 5.0.6+/4.4.9+ respectively.
  • Discovered internally by Fortinet's own Product Security team (Adham El Karn).
  • Fortinet says it has no evidence of in-the-wild exploitation of any of these flaws yet — but given Fortinet's history as a frequent target, prompt patching is advised.
Fortinet patched a new critical FortiSandbox flaw
Fortinet patched a critical FortiSandbox flaw that could let unauthenticated attackers remotely execute commands via crafted HTTP requests

npm 12 Locks the Door on Install-Script Attacks

GitHub announced breaking changes coming in npm 12 (next month) that disable preinstall/install/postinstall lifecycle scripts by default, along with Git and remote-URL dependency resolution — directly targeting the "single largest code-execution surface in the npm ecosystem" that supply-chain worms like Shai-Hulud and Miasma have repeatedly exploited.

Key Takeaways:

  • Scripts will require explicit per-package approval via npm approve-scripts --allow-scripts-pending.
  • Git dependencies now default to blocked (--allow-git=none), closing a path where malicious .npmrc files could hijack the Git executable.
  • This even blocks implicit native node-gyp rebuilds for packages without an explicit install script.
  • Developers are urged to upgrade to npm 11.16.0+ now and review/approve trusted packages ahead of the breaking change.
GitHub to Disable npm Install Scripts by Default to Stop Supply Chain Attacks
npm 12 disables install scripts by default, requiring explicit approval to reduce dependency-based code execution risks.

FBI Dismantles Fake Job Sites Tied to Chinese Recruitment Scheme

The DOJ announced the FBI seized 13 websites posing as consulting firms that advertised fake jobs targeting current and former US security-clearance holders. The sites used fraudulent identities and AI-generated photos for legitimacy, and recruits were allegedly paid via cryptocurrency for sensitive "research" — part of a broader pattern flagged in the Five Eyes warning covered in entry #10.

Key Takeaways:

  • The websites were often linked from job postings on LinkedIn and other hiring platforms.
  • Victims who reported "weird" payment requests via crypto/online payment systems helped the FBI identify the network.
  • China's Washington embassy called the espionage allegations "entirely fabricated."
  • The FBI is asking the public to help identify additional similar websites.
FBI Seizes 13 Websites That Officials Say Were Used by China to Target and Recruit US Workers
The FBI has seized more than a dozen websites part of a Chinese effort to target American workers who have access to classified information.

Security Teams Know AI Is a Threat — They Just Don't Have Time to Train for It

A new (ISC)² study of nearly 1,000 cybersecurity leaders found that while 73% report increased security-training budgets over the past year, teams are struggling to find time to actually train on emerging threats — with AI cited by 47% of respondents as the most pressing skills gap their organization needs to address.

Key Takeaways:

  • Budget increases haven't translated into protected training time for security staff.
  • AI-related skills are now the top training priority for nearly half of surveyed organizations.
  • The gap between "we know we need this training" and "we can actually schedule it" is itself becoming a risk factor as AI-driven threats accelerate.
Most Security Teams Struggle to Find Time for Training on New Threats
Organizations are aware of the challenges that new technologies like AI bring: but cybersecurity staff struggle to make time for the required training during working hours

Fancy Bear's New Playbook: Hijacked Routers and Cloud Camouflage

APT28 (Fancy Bear / Forest Blizzard / Sofacy, linked to Russia's GRU Unit 26165) has shifted to hijacking home/consumer EdgeRouters to build untraceable shadow infrastructure, while routing malware command-and-control through legitimate cloud storage APIs. In "Operation Phantom Net Voxel," a custom C++ backdoor called BeardShell used a cloud storage API as its C2 channel — and the group has been observed swapping cloud providers to stay ahead of detection.

Key Takeaways:

  • A keylogger called "Slimagent" found on the same infrastructure shares code lineage with APT28's decade-old X-Agent implant.
  • The group operates under 30+ known aliases and has targeted NATO members and Ukraine for over two decades.
  • Recommended mitigations: update router firmware, change default credentials, disable unused remote management, enforce phishing-resistant MFA, and audit OAuth token permissions for cloud services.
Fancy Bear Hackers Abuse EdgeRouters and Cloud Services to Launch Stealthy Cyberattacks
APT28/Fancy Bear hijacks home routers and consumer devices to hide attack traffic targeting NATO, Ukraine, and critical infrastructure.

2.7 Million Downloads Later: npm Packages Caught Stealing Developer Secrets

Cyfirma researchers uncovered a coordinated npm campaign using packages that impersonate Web3/Ethereum tools (ethers-jss, coinbase-wallet-utils, and others) to steal SSH keys, cloud credentials, wallet seed phrases, and API tokens via preinstall/postinstall hooks and obfuscated loaders. One package alone — moralis-sdk — had over 2.7 million downloads before being flagged.

Key Takeaways:

  • ethers-jss acted as a malicious wrapper around the legitimate "ethers" library, intercepting wallet creation/recovery functions.
  • Some packages used Ethereum smart contracts to retrieve C2 addresses dynamically, avoiding hardcoded indicators.
  • Several packages were still actively reaching new victims at the time of disclosure.
  • This is part of a wider pattern of npm/PyPI/crates.io campaigns (separately reported elsewhere) collectively harvesting SSH keys, cloud creds, and crypto wallets at scale.
Malicious npm Campaign Steals SSH Keys, API Tokens, Cloud Credentials, and Wallet Secrets
Malicious npm packages impersonate Web3 tools, stealing SSH keys, cloud creds, wallet phrases, and API tokens from developers.

Agentjacking: One Fake Bug Report, 85% Hijack Rate

Tenet Security disclosed "Agentjacking," a new attack class that hijacks AI coding agents (Claude Code, Cursor, Codex) by injecting malicious instructions into fake Sentry error events. Because the Sentry MCP server returns this data to AI agents as "trusted" diagnostic output, agents executed attacker-controlled code with the developer's own privileges — even when explicitly told to ignore untrusted data. Tenet achieved an 85% success rate across 100+ real organizations.

Key Takeaways:

  • The attack requires only a public Sentry DSN (Data Source Name), which is routinely embedded in frontend JavaScript — Tenet found 2,388 organizations with exposed, injectable DSNs.
  • No phishing, malware, or server compromise is needed — every step is "technically authorized," bypassing EDR, WAFs, IAM, and firewalls entirely.
  • Sentry acknowledged the issue but called it "technically not defensible" at the platform level.
  • Potential impact includes exposure of environment variables, Git credentials, private repo URLs, and full developer-machine code execution.
  • This signals a broader shift: the AI agent itself — and the tools it trusts — is becoming the primary attack surface.
New Agentjacking Attack Hijacks Your AI Coding Agent to Run Code From a Hacker’s Server
Agentjacking lets attackers hijack AI coding assistants and run malicious code using a fake error log.

Read more