Weekly review

ThreatNoir Morning Brief — June 23

2026-06-23Morning4 articles
Audio
Listen to the episode

Morning Review in IT Security — June 23, 2026

The threat landscape continues to evolve with sophisticated supply chain attacks, credential harvesting campaigns, and critical vulnerabilities in widely deployed software. Today's security briefing covers four significant incidents affecting enterprise infrastructure, content management systems, messaging platforms, and media processing tools.

FortiBleed Campaign Used Custom FortiGate Sniffer to Steal Credentials

Security firm SOCRadar has disclosed details of the large-scale FortiBleed campaign targeting Fortinet FortiGate devices through custom-built sniffers designed to harvest authentication secrets from compromised firewalls. The attackers leveraged diagnostic features within FortiGate appliances to extract credentials at scale, demonstrating a sophisticated understanding of the target infrastructure. The campaign identified three distinct malware variants: FortigateSniffer, PCAP Deep Analysis Toolkit, and SNIFTRAN. Source: Bleeping Computer

ShapedPlugin WordPress Pro Plugins Backdoored in Supply Chain Attack

Multiple WordPress plugins from ShapedPlugin fell victim to a supply chain attack when threat actors compromised the vendor's build and distribution pipeline, injecting backdoor code into Pro plugin releases. The attackers gained access to official licensed update channels, allowing them to distribute compromised versions to legitimate users. The incident involves CVE-2026-10735 and CVE-2026-49777, with indicators of compromise including the domain account.shapedplugin.com and IP address 194.76.217.28. Source: The Hacker News

WhatsApp Phishing Attack Uses Fake Business Documents to Hack PCs

An ongoing malware campaign is targeting WhatsApp users across multiple countries with deceptive messages containing fake business documents that distribute VBScript files. Once executed, these scripts provide remote system access to attackers, with the campaign leveraging both Gh0st RAT and ValleyRAT for post-exploitation activities. The attack demonstrates the continued effectiveness of social engineering tactics delivered through trusted communication platforms. Source: Bleeping Computer

FFmpeg Fixes PixelSmash Flaw in Widely Used Video Decoder

FFmpeg has addressed a critical vulnerability dubbed PixelSmash that could enable remote code execution on Jellyfin servers and trigger denial-of-service conditions across multiple applications. The flaw, tracked as CVE-2026-8461, affects widely deployed media software including Kodi, Emby, Nextcloud, PhotoPrism, and OBS Studio. The vulnerability can be exploited through maliciously crafted video files, presenting a significant risk to organizations relying on these platforms for content delivery and media processing. Source: Bleeping Computer

Organizations should prioritize patching the FFmpeg vulnerability, securing FortiGate devices against credential harvesting, reviewing WordPress plugin integrity, and implementing email and messaging security controls to defend against phishing campaigns leveraging social engineering tactics.

Sources & IOCs

Source articles and extracted indicators (defanged where appropriate).