Threat Newsletter June 29, 2026

Share
Threat Newsletter June 29, 2026
Photo by Robynne O / Unsplash

Welcome to this week's Threat Intelligence Digest. From AI-assisted vulnerability discovery reshaping the security landscape to supply chain attacks hitting the firms that defend others, the week of June 22–28 was a reminder that no sector — and no security team — is immune.


Klue Supply Chain Attack Hits 9+ Security Firms via Salesforce OAuth

The Icarus extortion group breached market intelligence platform Klue on June 11–12 by compromising a legacy credential on an integration service account. Attackers injected malicious code to harvest OAuth tokens, then abused the Salesforce REST API to exfiltrate CRM data across customer environments — executing nearly 1,000 API queries in 15 minutes at peak. Victims include Huntress, Recorded Future, HackerOne, Jamf, Tanium, OneTrust, Snyk, Gong, and LastPass, among others.

Key Takeaways

  • A single compromised legacy credential cascaded into breaches across hundreds of organizations via OAuth token abuse.
  • Stolen data is primarily CRM-level (contacts, quotes, sales data) — not product telemetry or passwords — but the list of victims includes cybersecurity firms that detect attacks for a living.
  • Mandiant's CTO urged immediate auditing of Klue integrations and rotation of credentials in connected Salesforce environments.
  • Review and revoke all unused third-party OAuth integrations; monitor Salesforce API logs for bulk export activity.
Security shops among the ‘hundreds’ of Klue hack victims
As yet another extortion crew Icarus exploits Salesforce-linked integrations

Texas TPWD Data Breach Exposes 3M+ Driver's Licenses via Third-Party Vendor

The Texas Parks and Wildlife Department disclosed a data breach at its license system vendor that exposed personal information for over three million individuals, including driver's license numbers and other PII. This is a textbook third-party supply chain breach in the government sector.

Key Takeaways

  • Third-party vendor risk continues to be one of the highest-impact breach vectors for government agencies.
  • Over 3 million individuals' sensitive government ID data is at risk of identity fraud and social engineering.
  • Agencies must enforce contractual security requirements and conduct regular assessments of license/permit system vendors.
Texas Parks & Wildlife (TPWD) Data Breach impacts 3 Million People - Security Affairs
Texas Parks and Wildlife Department (TPWD) breach exposed data of 3M people via a third-party license vendor, including sensitive personal information.

Meta Pauses Employee Keystroke Tracking Program After Internal Data Leak

Meta's "Model Capability Initiative" — a mandatory program that captured employee keystrokes, mouse movements, clicks, and screenshots to train AI models — leaked sensitive employee data internally. Private conversations, performance reviews, AI prompts, and transcriptions became accessible far beyond the intended audience. The incident was rated SEV 2 internally. Over 1,600 employees had signed a petition against the program before the breach occurred.

Key Takeaways

  • Collecting rich behavioral data at scale creates enormous internal access-control obligations that are easy to misconfigure.
  • This is Meta's third AI-related security event in recent months, suggesting systemic data governance gaps as AI programs scale.
  • Any organization deploying keystroke or screen capture tools must treat that data with the same controls as production secrets.
  • EU AI Act provisions on employee-monitoring AI come into full effect August 2026 — this type of program is in scope
Meta Exposed Data Internally From Its Controversial Employee-Tracking Program
Employees had previously raised concerns about the initiative, which involves collecting workers’ keystroke data to train AI models.

Hackers Breach NY Knicks and Madison Square Garden Data

Hackers exposed customer and corporate data belonging to the New York Knicks and Madison Square Garden, with security leaders warning of significant reputational and legal risk. The incident highlights how major sports and entertainment brands remain high-value targets for cybercriminals seeking leverage through ransom or reputational harm.

Key Takeaways

  • Sports and entertainment organizations are increasingly targeted due to high brand value and large volumes of customer PII.
  • Data exposure in these sectors typically includes fan/customer data alongside sensitive corporate information.
  • Organizations should map and minimize their customer data attack surface and ensure breach response plans are rehearsed.
Hackers Exposed Knicks, Madison Square Garden Data
Security leaders discuss the release of Knicks and Madison Square Garden customer and corporate data.

Japan Ground Self-Defense Force Used China-Linked Malware-Infected USB Drives for Nearly a Year

Japan's Ground Self-Defense Force unknowingly used USB drives infected with China-linked malware on computers connected to classified military networks for close to a year before detection. The Nikkei report raises alarming questions not just about the initial compromise but about the detection gap — a nearly year-long dwell time on classified infrastructure is an extraordinary intelligence failure.

Key Takeaways

  • Removable media policies in sensitive environments must be strictly enforced — USB drives remain a viable nation-state attack vector.
  • Extended dwell time (nearly 12 months) indicates a significant gap in endpoint detection and anomaly monitoring on classified networks.
  • Nation-state actors targeting military networks prioritize stealth over speed — detection requires behavior analytics, not just signature scans.
Nikkei Warns of Japan’s Ground Self-Defense Force Used USB Drives Infected with a China-linked Malware
Japan’s JGSDF used China-made malware USB drives on classified networks, with the breach unnoticed for nearly a year.

Brazil's National Emergency Alert System Hijacked by Hackers

Hackers breached Brazil's national civil defense Cell Broadcast alert system overnight on June 19–20, sending ten fake "Extreme Alert" notifications — including messages referencing alien attacks and "misanthropy" — to millions of phones across at least seven states. The attackers used compromised legitimate accounts linked to the Defesa Civil of Pará state, bypassing silent mode on all devices. The platform was taken offline at 1:30am; the Federal Police launched an investigation.

Key Takeaways

  • Cell Broadcast systems globally lack cryptographic authentication — devices cannot independently verify whether an alert is genuine.
  • The attack erodes public trust in emergency systems; during a real disaster, some citizens may ignore future alerts.
  • Account compromise (not a platform zero-day) was likely the attack vector — MFA on operator accounts is non-negotiable.
  • Echoes a global pattern: Taiwan, the European Commission, and now Brazil all compromised through surprisingly basic attack vectors.
Hackers suspected to be behind unauthorized alert sent to cell phones across Brazil | CNN
An unauthorized alert bearing a mysterious message that was sent to cell phones in several states across Brazil on Saturday morning is suspected to be the work of hackers, the Brazilian government said.

North Korean Hackers (Sapphire Sleet) Behind Mastra AI Supply Chain Attack — 140+ npm Packages Compromised

Microsoft has attributed a supply chain attack on the Mastra AI framework to the North Korean group Sapphire Sleet (BlueNoroff), which compromised over 140 npm packages. The attack is consistent with DPRK's escalating focus on AI toolchains as a lucrative vector for financial theft and intelligence collection.

Key Takeaways

  • DPRK is actively targeting AI development toolchains — any organization using Mastra AI should audit their npm dependencies immediately.
  • Supply chain attacks via popular open-source AI frameworks are an evolving North Korean tactic for broad, low-effort compromise.
  • Pin npm dependency versions and use software composition analysis (SCA) tools in CI/CD pipelines as a baseline control.
Microsoft Attributes Mastra AI Supply Chain Attack to North Korea
North Korean threat actor Sapphire Sleet has been linked to a supply chain attack targeting Mastra, according to Microsoft security researchers

GentleKiller: The EDR-Killing Suite Powering "The Gentlemen" Ransomware Group

The Gentlemen ransomware operation provides affiliates with GentleKiller, a centralized EDR-killer suite that rapidly weaponizes BYOVD (Bring Your Own Vulnerable Driver) exploits to disable security tools before deploying ransomware. The suite lowers the technical barrier for affiliates to neutralize endpoint defenses at scale.

Key Takeaways

  • BYOVD-based EDR killing is now a commoditized, affiliate-accessible capability — not just reserved for sophisticated actors.
  • Prioritize driver allowlisting and Microsoft's Vulnerable Driver Blocklist as preventive controls against BYOVD attacks.
  • Ransomware groups that offer EDR-killer-as-a-service lower the skill floor for devastating attacks significantly.
  • Centralized toolkits make affiliate attribution harder — indicators may vary per incident while TTPs are consistent.
Inside GentleKiller: The EDR-Killer Powering The Gentlemen
The Gentlemen equips affiliates with a centralized EDR-killer suite, rapidly weaponizing BYOVD exploits to disable security tools before ransomware attacks.

Scattered Spider Members Plead Guilty on Day 1 of Trial in UK TfL Attack

Two members of the Scattered Spider hacking group pleaded guilty in the UK on day one of their trial for the August 2024 cyberattack that crippled Transport for London. The swift guilty pleas in a high-profile case mark a significant law enforcement success against the loosely organized criminal collective.

Key Takeaways

  • Scattered Spider's social engineering tactics — SIM swapping, MFA fatigue, and help desk impersonation — remain highly effective and widely imitated.
  • The prosecution demonstrates that English-speaking cybercriminals operating across borders are increasingly prosecutable.
  • Organizations should invest in staff training against voice phishing and help desk social engineering as a Scattered Spider-style mimic threat persists.
Scattered Spider Hackers Plead Guilty on Day 1 of Trial
Two men pleaded guilty in the United Kingdom this week to criminal charges stemming from an August 2024 cyberattack that crippled Transport for London, the entity responsible for the public transport network in the Greater London area. The duo were…

Cisco SD-WAN Zero-Day Exploited for Root-Level Access at Comms Provider

Mandiant revealed that attackers exploited a Cisco SD-WAN zero-day vulnerability to gain root-level access to a communications service provider's network — the highest privilege level possible. Zero-day exploitation in critical networking infrastructure at a telco is a significant threat given the downstream access it provides.

Key Takeaways

  • SD-WAN infrastructure is a high-value target; root-level access at a telco can enable extensive lateral movement and wiretapping capabilities.
  • Network device monitoring and anomaly detection must be treated as equally important to endpoint detection.
  • Apply Cisco patches immediately when released; review all SD-WAN management interfaces for exposure to untrusted networks.
Malicious hackers exploit Cisco zero-day for highest access level at communications service provider
Mandiant reveals an attacker exploited a Cisco SD-WAN zero-day vulnerability to gain root-level access to a communications service provider’s network.

Fake AI Agent Skill Bypassed Security Scans, Reached ~26,000 Agents

Security researchers from AIR demonstrated that a malicious AI agent skill passed security scanner checks by using a mutable external link — the payload changed after the skill was approved. The fake skill reportedly reached approximately 26,000 AI agents, exposing a critical blind spot in current agent skill vetting pipelines.

Key Takeaways

  • Static scanning of AI agent skills at submission time is insufficient — mutable external dependencies can deliver malicious payloads post-approval.
  • Agent marketplaces need runtime monitoring and behavioral vetting in addition to pre-approval static analysis.
  • Organizations using AI agent frameworks should maintain an inventory of installed skills and monitor them for behavioral changes.
Fake AI Agent Skill Passed Security Scans and Reportedly Reached 26,000 Agents
AIR says its fake AI skill passed scanner checks by using a mutable external link, exposing a blind spot in agent skill vetting.

Lookalike npm Package Impersonating postcss-selector-parser Drops Windows RAT

JFrog discovered an npm package impersonating the widely used postcss-selector-parser library designed to drop a multi-stage Windows Remote Access Trojan. The attack exploits developer trust in the npm ecosystem through typosquatting or namespace confusion tactics.

Key Takeaways

  • Developers should verify exact npm package names and publishers before installation — typosquatting attacks remain highly effective.
  • Integrate SCA (Software Composition Analysis) into CI/CD to flag suspicious or newly published packages mimicking popular libraries.
  • Pin exact dependency versions and hash-verify packages in production environments.
Lookalike npm Package Hides a Multi-Stage Windows RAT
JFrog found an npm package impersonating postcss-selector-parser to drop a multi-stage Windows RAT

'Cordyceps': Malicious Pull Requests Threaten CI/CD Pipelines Across Major Platforms

Security researcher Elad Meged disclosed "Cordyceps," a new class of CI/CD workflow weakness where malicious pull requests — submitted before code is merged — can compromise software supply chains. The weakness affects platforms including Microsoft, Google, Apache, Cloudflare, and Python's code repositories.

Key Takeaways

  • Pre-merge CI/CD pipelines that execute code from pull requests are a systematic attack surface across major organizations.
  • Review pull request permissions in CI/CD workflows — external contributors should not have access to secrets or production deployment pathways.
  • Require manual approval before running CI workflows triggered by first-time or external contributors.
Cordyceps CI/CD Flaws Expose 300+ GitHub Repositories to Supply-Chain Attacks
Researchers found Cordyceps CI/CD flaws affecting 300+ repositories, enabling code execution, credential theft, and supply chain risks.

Feds Seize Huione Group Cyber Scam Infrastructure Linked to SE Asia Criminal Marketplace

The DOJ, working with the Scam Center Strike Force, seized a cloud computing account hosting backend infrastructure for subsidiaries of the Huione Group — one of the world's most prolific criminal marketplaces linked to pig-butchering scams, human trafficking, and North Korean money laundering. The Treasury simultaneously issued new sanctions.

Key Takeaways

  • Huione Group's infrastructure supported stolen credit card data markets, malware-enabled theft, and romance/investment scam laundering.
  • Americans lost nearly $21 billion to cyber-enabled crimes in 2025 alone — SE Asian scam centers are a major source.
  • The seizure demonstrates law enforcement's increasing willingness to target cloud infrastructure directly, not just domain names.
Feds seize alleged cyber-scam infrastructure connected to Southeast Asian company
The Department of Justice announced the “seizure of a cloud computing account” used by subsidiaries of the Huione Group, a conglomerate severed from the U.S. financial system last year.

"Squidbleed" (CVE-2026-47729): 29-Year-Old Memory Leak Found in Squid Proxy with AI Help

Researchers at Calif.io, aided by Anthropic's Claude Mythos Preview, discovered a Heartbleed-style heap buffer overread vulnerability lurking in Squid's FTP parser since a 1997 code commit. The flaw (dubbed Squidbleed) can leak plaintext HTTP requests from other users on the same proxy, exposing passwords, API keys, and session tokens. A patch is available in Squid v7.6.

Key Takeaways

  • Upgrade to Squid v7.6 immediately; the fix is a single-line null check that should have prevented this for three decades.
  • Disable FTP support in Squid unless explicitly required — FTP is largely deprecated and eliminating it removes the entire attack surface.
  • The bug is most dangerous in shared proxy environments (corporate networks, schools, public Wi-Fi) where multiple users share one Squid instance.
  • AI-assisted vulnerability discovery is accelerating the pace of bug finding in legacy codebases — expect more disclosures of this type.
Mythos discovers ‘Squidbleed,’ a memory leak that’s gone undetected since Clinton era
Plus more blasts from the past: NetWare, FTP, and HTTP

Researchers Drop checkm8-Style BootROM Exploit for iPhone A12 & A13 Chips

Researchers released a checkm8-style BootROM (SecureROM) exploit targeting Apple devices running A12 and A13 processors, including the iPhone XS, XR, and iPhone 11 families. Because the vulnerability is in BootROM — permanently etched into the chip — it cannot be patched via software updates, making affected devices permanently jailbreakable.

Key Takeaways

  • Devices with A12/A13 chips cannot be patched — the vulnerability is in read-only silicon. The only full mitigation is device replacement.
  • This class of exploit is primarily a physical-access attack; remote exploitation is not known to be possible.
  • High-risk individuals (executives, journalists, activists) using affected devices should consider upgrading to A14+ hardware.
  • MDM/enterprise policies should flag jailbroken devices as non-compliant regardless of declared iOS version.
Researchers drop checkm8-style BootROM exploit for A12 and A13 iPhones
Owners of affected iPhones can stop checking for patches now: the fix for this SecureROM bug comes in a new handset

Anthropic Confirms Claude Mythos 5 Redeployment for US Critical Infrastructure

Anthropic confirmed that Claude Mythos 5 — its most advanced cybersecurity AI model — will be redeployed to a select group of US organizations operating and defending critical infrastructure, following a government-led review process that began June 12. The redeployment is part of Project Glasswing.

Key Takeaways

  • Mythos 5 is being positioned as a defensive asset for the most critical US infrastructure sectors after passing the government review.
  • Access remains highly restricted — this is not a public deployment; organizations must be part of the Project Glasswing partner program.
  • The controlled rollout to critical infrastructure reflects Anthropic's dual-use concerns about the model's offensive capabilities.
Anthropic Confirms Claude Mythos 5 Redeployment for US Critical Infrastructure Organizations
Anthropic has confirmed that Claude Mythos 5, its most powerful AI cybersecurity model, will be redeployed to a select set of U.S. organizations responsible for operating and defending critical infrastructure, following a government-led review process that began on June 12, 2026.

OpenAI Launches "Patch the Planet" Initiative to Help Fix Open-Source Vulnerabilities

OpenAI launched Patch the Planet under its Daybreak cyber strategy, partnering with Trail of Bits, HackerOne, and others to help open-source maintainers validate, patch, and disclose vulnerabilities — rather than just reporting findings. Initial projects include cURL, Go, Python, Sigstore, pyca/cryptography, and freenginx. The initiative comes directly in response to the surge of AI-discovered vulnerabilities overwhelming maintainers.

Key Takeaways

  • AI models are now finding bugs faster than small maintainer teams can fix them — a new class of vulnerability disclosure bottleneck is emerging.
  • Patch the Planet aims to close the gap between AI discovery and actual remediation — a more responsible model than bulk bug dumping.
  • 94% of widely used open-source projects have fewer than 10 developers responsible for 90%+ of new code — these projects are now high-priority targets for AI-assisted research.
OpenAI Launches Full-Scale Effort to Patch Open-Source Bugs as It Takes on Anthropic’s Mythos
Amid concerns about AI models’ cybersecurity capabilities, OpenAI revealed an improved version of GPT-5.5-Cyber and its “Patch the Planet” initiative to fix open-source software bugs.

Microsoft Copilot AI Helps Disrupt Amadey and StealC Malware Operations via RICO Charges

Microsoft's Digital Crimes Unit used Copilot AI to analyze Amadey and StealC malware — two tools linked to 140,000+ infected computers in May alone — and discovered they shared infrastructure. This allowed legal teams to treat both as a single conspiracy under RICO, disrupting over 200 command-and-control servers in a single action alongside Europol and industry partners.

Key Takeaways

  • AI-assisted malware analysis compressed multi-day manual tasks into minutes, enabling faster legal and technical action.
  • Using RICO to prosecute coordinated cybercrime infrastructure is an evolving legal strategy that can target entire ecosystems at once.
  • Amadey and StealC remain active — ensure EDR detections are up to date and monitor for loader-type malware as a ransomware precursor.
Microsoft Says Copilot AI Helped Knock Down Cybercrime Tools
Investigators used new tools to defeat old malware technology.

China's 360 Security Unveils "Yitian Tulong" AI Tools Claiming to Match Anthropic's Mythos

Chinese cybersecurity giant 360 Security Technology (Qihoo 360) unveiled two AI-powered tools at ISC.AI 2026 in Beijing: "Tulongfeng" for automated vulnerability discovery (described as "China's version of Mythos") and "Yitianzhen" for automated cyber defense and incident response. Founder Zhou Hongyi warned of "one-way transparency" where the US can probe Chinese infrastructure while China lacks equivalent capabilities.

Key Takeaways

  • The announcement signals an accelerating AI-driven cyber arms race — vulnerability discovery AI is now a declared national security priority for China.
  • Zhou acknowledged a 20–30% capability gap vs US models but argues specialized security knowledge compensates for raw model performance.
  • 360 is under US sanctions for alleged links to China's military — the dual-use nature of these tools is a declared concern in export control policy.
  • Critical infrastructure operators should monitor for AI-assisted reconnaissance patterns becoming more frequent in Chinese state-linked campaigns.
China cybersecurity firm 360 Security Technology claims to have developed tools to match Anthropic’s Mythos
Anthropic Mythos, previewed in April, is a system that detects software vulnerabilities, but cybersecurity ​experts have warned that it could supercharge cyberattacks.

Meet AIVEX: New AI-Native Triage Model for Software Supply Chain Risk

Researcher Devashri Datta introduced AIVEX (alongside the SRIL framework) — a new triage model designed to bring context-aware risk analysis to software supply chains. It helps security teams prioritize which supply chain vulnerabilities pose the greatest operational, safety, and business risk in AI-driven environments, going beyond generic CVSS scores.

Key Takeaways

  • Traditional CVSS scoring fails to capture business context and AI-era supply chain risk — AIVEX attempts to fill this gap.
  • Context-aware triage is essential as the volume of AI-discovered supply chain vulnerabilities overwhelms existing risk frameworks.
  • Worth evaluating for security teams managing large open-source dependency footprints in AI-integrated environments.
Exclusive: Meet AIVEX, a New Triage Model Built to Reduce Supply Chain Threat and Risk
Researcher Devashri Datta introduces AIVEX and SRIL, new approaches designed to bring context-aware risk analysis to software supply chains.

Congress Advances No FAKES Act Targeting AI-Generated Deepfakes

Congress advanced the No FAKES Act, targeting AI-generated deepfakes of real people — especially artists and performers — by prohibiting third parties from profiting from unauthorized digital replicas. The bill has bipartisan support though some business and digital rights groups oppose it.

Key Takeaways

  • The No FAKES Act represents the most significant proposed federal legislation targeting deepfake misuse to date.
  • Business and digital rights groups are concerned about overreach affecting legitimate AI training and satire use cases.
  • Organizations using AI to generate content featuring real individuals should review their legal exposure as the law progresses.
Congress tees up No FAKES Act, aiming at AI-generated deepfakes
While preventing third parties from profiting off unauthorized deepfakes of artists and performers is a bipartisan concern, some business and digital rights groups are opposed.

CISA Issues New SASE Guidance for Agencies Moving to Zero Trust (TIC 3.0)

CISA published new guidance showing federal agencies how to adopt Secure Access Service Edge (SASE) architecture to transition from legacy TIC 2.0 perimeter models to zero trust under the TIC 3.0 framework. The guidance provides a practical roadmap for secure cloud access without traditional network perimeters.

Key Takeaways

  • SASE as a zero-trust enabler is now officially endorsed for US federal agencies — expect this to influence state and critical infrastructure guidance too.
  • TIC 2.0's perimeter-centric model is increasingly incompatible with cloud-first and remote-work architectures.
  • Non-federal organizations should monitor this guidance as a leading indicator of security architecture best practices evolving toward SASE + zero trust.
New CISA Guide Helps Agencies Adopt SASE For Zero Trust
New CISA guidance shows federal agencies how to use SASE to move from legacy TIC 2.0 to zero trust

Forescout: Most Organizations Still Not Quantum-Safe — Progress Is Dangerously Slow

New Forescout data reveals that despite growing awareness of quantum computing risks and regulatory pressure, the majority of internet-connected infrastructure still does not use post-quantum cryptography (PQC). The findings underscore how far behind most organizations are given the "harvest now, decrypt later" threat that already exists.

Key Takeaways

  • "Harvest now, decrypt later" attacks mean nation-state actors are likely already collecting encrypted data today for future decryption.
  • NIST finalized PQC standards in 2024 — organizations should have begun crypto agility planning; most have not progressed beyond awareness.
  • Start with a cryptographic inventory: identify where RSA/ECC is used in critical systems, APIs, and long-lived certificates.
  • Prioritize TLS modernization and certificate management infrastructure as the first PQC transition targets.
New Forescout Data Reveals Slow Progress Toward Quantum-Safe Security
Despite growing awareness of quantum computing risks and increasing pressure on organisations to prepare for the transition to post-quantum cryptography (PQC),

Cloudflare Partners with Chrome, Firefox, Edge & Shopify to Build PACT Bot-Detection Protocol

Cloudflare announced PACT (Private Access Control Tokens) in collaboration with Google, Mozilla, Microsoft, and Shopify — a new protocol that replaces CAPTCHAs and invasive tracking with cryptographic, privacy-preserving tokens issued by browsers to verify human legitimacy. PACT is being submitted for IETF standardization and will cover ~77% of internet users via Chrome, Firefox, and Edge.

Key Takeaways

  • PACT could replace CAPTCHAs globally while being more privacy-preserving — anonymous tokens replace invasive user fingerprinting.
  • For AI agents and legitimate bots, PACT builds in a pathway for authenticated, recognized automated access — a key need as agentic AI grows.
  • Website operators should monitor PACT adoption timelines as it may affect bot protection and authentication stack decisions.
Cloudflare teams up with big browsers to help websites tell welcome from unwelcome visitors
Makers of Chrome, Edge, Firefox back bot-fraud defense called Private Access Control Tokens

Read more