Weekly review

ThreatNoir Afternoon Brief — June 22

2026-06-22Afternoon4 articles
Audio
Listen to the episode

Afternoon Review in IT Security — June 22, 2026

The threat landscape continues to evolve with significant developments spanning supply chain attacks, plugin vulnerabilities, and device-level exploits. Today's review covers critical incidents affecting developers, cybersecurity firms, WordPress administrators, and millions of iPhone users worldwide.

North Korean Hackers Blamed for Mastra NPM Supply Chain Attack

Attackers linked to North Korea have compromised over 140 packages within the Mastra NPM ecosystem, injecting malicious dependencies designed to target cryptocurrency extensions. The attack leveraged a malicious package named easy-day-js to distribute payloads capable of exfiltrating sensitive data from compromised systems. This supply chain compromise demonstrates the persistent threat posed by nation-state actors targeting the open-source development community.

Source: North Korean Hackers Blamed for Mastra NPM Supply Chain Attack

More Cybersecurity Firms Disclose Impact From Klue Hack

The scope of the Klue breach has expanded significantly, with prominent cybersecurity organizations now confirming their exposure. Affected companies include HackerOne, Huntress, Jamf, OneTrust, Recorded Future, Snyk, and Tanium, among others. The incident highlights how supply chain compromises can cascade through the security industry itself, potentially affecting the tools and services these firms provide to their own customers.

Source: More Cybersecurity Firms Disclose Impact From Klue Hack

Attackers Exploit Gravity SMTP Plugin Flaw to Harvest Valuable WordPress Data

A critical vulnerability in the Gravity SMTP WordPress plugin is being actively exploited to extract sensitive information from affected installations. The flaw enables attackers to harvest API keys, secrets, tokens, server information, and other valuable data from vulnerable plugin versions. This vulnerability, tracked as CVE-2026-4020, poses a significant risk to WordPress administrators who have not updated to patched versions.

Source: Attackers Exploit Gravity SMTP Plugin Flaw to Harvest Valuable WordPress Data

New Exploit Bypasses Apple's Boot Defenses, Affects Millions of iPhones

A newly discovered exploit called Usbliter8 successfully bypasses Apple's secure boot mechanisms, affecting millions of iPhone devices. The vulnerability cannot be patched through traditional software updates, as it operates at the BootROM level. Researchers have released a proof-of-concept exploit, raising concerns about widespread potential abuse of this fundamental security weakness.

Source: New Exploit Bypasses Apple's Boot Defenses, Affects Millions of iPhones

Organizations and individuals should prioritize immediate action on these threats, from updating WordPress plugins to reviewing their dependencies in the NPM ecosystem and assessing potential exposure from the Klue incident. The convergence of these incidents underscores the importance of comprehensive supply chain security and timely vulnerability management across all technology stacks.

Sources & IOCs

Source articles and extracted indicators (defanged where appropriate).

North Korean Hackers Blamed for Mastra NPM Supply Chain Attack
MITRE ATT&CK6
  • Application Layer Protocol: Web Protocols (used for fetching payload)
  • Command and Scripting Interpreter: Windows Command Shell (used for execution)
  • Ingress Tool Transfer (fetching second-stage payload)
  • Indicator Removal: File Deletion (malware deletes itself)
  • Credentials In-Memory: Password Dumping (implied by targeting crypto extensions)
  • Exfiltration Over C2 Channel (implied by fetching payload from attackers' servers)
Malware1
  • easy-day-js
    Malicious dependency injected into Mastra NPM packages.