- PixelSmash vulnerability identifier
ThreatNoir Afternoon Brief — June 23
Afternoon Review in IT Security — June 23, 2026
The cybersecurity landscape continues to face critical threats across multiple vectors today, from dangerous vulnerabilities in widely-used multimedia libraries to sophisticated credential harvesting campaigns and supply-chain attacks targeting open-source ecosystems. Organizations worldwide remain under pressure to patch systems and strengthen access controls as threat actors exploit both legacy vulnerabilities and emerging attack surfaces.
FFmpeg PixelSmash Flaw Allows RCE on Video Players, Media Servers, NAS Appliances
A critical remote code execution vulnerability has been identified in FFmpeg's libavcodec library, tracked as CVE-2026-8461. The flaw enables attackers to execute arbitrary code by sending specially crafted media files to any application that depends on the vulnerable library. The impact extends across a broad range of systems including video players, media servers, and network-attached storage appliances, creating a significant supply-chain risk for organizations relying on FFmpeg-based solutions. Source: FFmpeg PixelSmash Flaw Allows RCE on Video Players, Media Servers, NAS Appliances
Russian Initial Access Broker Behind FortiBleed Campaign
A Russian-based initial access broker has been conducting a sophisticated credential harvesting operation known as the FortiBleed campaign, deploying a custom sniffer tool called FortigateSniffer to capture credentials from compromised networks. The threat actor has successfully harvested over 110 million credentials since at least February 2026 by exploiting unpatched FortiGate devices. This campaign demonstrates the continued risk posed by nation-state affiliated actors targeting enterprise infrastructure through supply-chain weaknesses and delayed patch management. Source: Russian Initial Access Broker Behind FortiBleed Campaign
Malicious npm Packages Pose as PostCSS Tools to Deliver Windows RAT
Cybersecurity researchers have uncovered a series of malicious packages on the npm registry designed to impersonate legitimate PostCSS development tools while delivering a Windows-based remote access trojan. The identified packages include aes-decode-runner-pro with 145 downloads, postcss-minify-selector with 256 downloads, and postcss-minify-selector-parser with 615 downloads, all published within the past month. The malicious packages communicate with command-and-control infrastructure hosted at nvidiadriver[.]net and stitch-production[.]org, exploiting the trust developers place in open-source package repositories. Source: Malicious npm Packages Pose as PostCSS Tools to Deliver Windows RAT
Two Scattered Spider-Linked Hackers Plead Guilty Over £39M TfL Cyberattack
Two teenagers associated with the Scattered Spider threat group have pleaded guilty to their involvement in a major cyberattack targeting Transport for London and US healthcare networks that resulted in approximately £39 million in damages. The case highlights how threat actors exploit weak access controls and social engineering techniques to gain initial entry into critical infrastructure. The upcoming sentencing will mark a significant legal precedent in addressing organized cybercriminal activity linked to the notorious Scattered Spider collective. Source: 2 Scattered Spider-Linked Hackers Plead Guilty Over £39M TfL Cyberattack
As these threats demonstrate, organizations face converging risks from unpatched infrastructure vulnerabilities, supply-chain compromises in open-source ecosystems, and persistent threat actors targeting access controls. Immediate action on patching critical systems, monitoring for malicious packages in development pipelines, and implementing robust credential protection mechanisms remains essential for enterprise security postures.
Sources & IOCs
Source articles and extracted indicators (defanged where appropriate).
- FortigateSnifferCustom Golang tool used for credential harvesting in the FortiBleed campaign.
nvidiadriver[.]netServer for downloading the next-stage payload.stitch-production[.]orgAttacker-controlled domain for exfiltrating stolen credentials from a separate campaign.