Weekly review

ThreatNoir Morning Brief — June 22

2026-06-22Morning4 articles
Audio
Listen to the episode

Morning Review in IT Security — June 22, 2026

The threat landscape continues to shift as attackers exploit legacy infrastructure vulnerabilities, compromise open-source supply chains through nation-state actors, and target CI/CD workflows in popular development platforms. Today's review covers critical developments spanning IoT compromises, supply chain poisoning, GitHub Actions security improvements, and an imminent cryptographic deadline affecting millions of systems worldwide.

AryStinger Botnet Infected Thousands of D-Link Routers Worldwide

A previously undocumented malware botnet named AryStinger has compromised more than 4,000 outdated D-Link routers globally, converting them into proxies for malicious traffic distribution. The botnet exploits multiple known vulnerabilities in aging router firmware, including CVE-2013-3307, CVE-2016-5681, and CVE-2025-11837, targeting devices that have not received security patches in years. Source: Bleeping Computer

The widespread compromise demonstrates the persistent security risks posed by legacy IoT devices that remain connected to networks long after manufacturer support ends. Organizations and home users relying on these routers face significant exposure to network traffic interception and potential lateral movement attacks. The incident underscores the critical importance of device lifecycle management and timely firmware updates across all networked infrastructure.

Microsoft Links Mastra AI Supply Chain Attack to North Korean Hackers

Microsoft has attributed a recent Mastra AI supply chain attack that compromised more than 140 npm packages to the North Korean hacking group Sapphire Sleet, also known as BlueNoroff. The attack involved poisoning packages with malware including easy-day-js and PowerShell backdoors, allowing attackers to establish persistent access within developer environments and downstream applications. Source: Bleeping Computer

This attribution marks another significant nation-state incursion into the open-source ecosystem, where a single compromised package can affect thousands of dependent projects. The scale of the compromise—affecting 140 packages—demonstrates how attackers can leverage the interconnected nature of modern software development to maximize their impact. Organizations using npm dependencies must conduct immediate audits of their supply chains and implement stricter verification processes for package sources.

GitHub Actions Checkout Now Blocks Risky pull_request_target Checkouts

GitHub has released actions/checkout version 7 with new default protections designed to prevent one of the most persistent GitHub Actions supply chain vulnerabilities: privileged workflows that execute code from untrusted pull requests. The update refuses common "pwn request" patterns when workflows run under pull_request_target or certain workflow_run events, blocking checkouts that would pull code from forked repositories while maintaining access to the base repository's secrets and tokens. Source: Socket.dev

Recent high-profile supply chain attacks including the Nx compromise, Shai-Hulud, and TanStack incidents all exploited this vulnerability pattern, where attackers modified workflows to steal npm publishing tokens or mint OIDC tokens directly from the runner environment. The new protection will be automatically applied to workflows using floating major version tags such as actions/checkout@v4 on July 16, 2026, while workflows pinned to specific versions must upgrade manually. GitHub has also introduced an allow-unsafe-pr-checkout input for workflows requiring this behavior, deliberately named to flag the exception during code review and security analysis.

A Critical Deadline Is Approaching for Windows and Linux Security

The cryptographic keys that secure the boot sequence for Windows and Linux systems will begin to expire on June 24, 2026, creating a critical security window for UEFI firmware across millions of devices. The expiring Secure Boot certificates represent a foundational component of the boot chain, and their expiration could enable bootkit infections and other low-level firmware compromises if systems are not updated. Source: Wired

Organizations and individual users must prioritize firmware updates before the deadline to prevent potential exploitation of the expired certificate window. The timing of this expiration creates an urgent maintenance window, particularly for enterprise environments managing large numbers of systems. Failure to update affected systems could leave them vulnerable to sophisticated attacks that operate below the operating system level, making detection and remediation significantly more difficult.

As the week progresses, organizations should prioritize patching legacy IoT devices, auditing npm dependencies for compromised packages, updating GitHub Actions workflows to use the latest checkout version, and ensuring all systems receive UEFI firmware updates before the June 24 deadline. These convergent threats highlight the importance of proactive vulnerability management and supply chain security across all layers of the technology stack.

Sources & IOCs

Source articles and extracted indicators (defanged where appropriate).