hxxps://github[.]com/codfish/semantic-release-actionCompromised GitHub Action repository used for dead-drop resolver.hxxps://github[.]com/search?q=description%3D%22Alright%20Lets%20See%20If%20This%20Works[.]%22Public GitHub repository used for uploading stolen secrets.
ThreatNoir Afternoon Brief — June 26
Afternoon Review in IT Security — June 26, 2026
The threat landscape continues to evolve across multiple vectors on June 26, 2026, with supply chain attacks intensifying, forensic tool misuse emerging in geopolitical contexts, industrial systems facing active exploitation, and hospitality organizations becoming targets of sophisticated phishing campaigns.
Miasma Malware Targets npm Packages and GitHub Actions in Supply Chain Attack
Cybersecurity researchers have identified a new wave of supply chain attacks linked to the Mini Shai-Hulud, Miasma, and Hades malware family. The latest activity demonstrates the threat actors' expanding reach, with malicious npm releases affecting LeoPlatform and RStreams packages while simultaneously propagating to the Go ecosystem. The attackers have also abused GitHub Actions workflows as part of their distribution strategy, highlighting the vulnerability of development infrastructure to compromise. Source: Miasma Malware Targets npm Packages and GitHub Actions in Supply Chain Attack
Russia Used Cellebrite on Jailed Activist's iPhone Months After Sales Cutoff
Research published by the Citizen Lab on June 25 reveals that Russian authorities deployed Cellebrite's UFED forensic tools against the iPhone of detained opposition activist Andrey Pivovarov in June 2021. This discovery is particularly significant because it occurred three months after Cellebrite announced it would cease selling its tools and services to Russia and Belarus. The evidence comes from forensic traces found on the device itself combined with official Russian documentation, demonstrating that the sales cutoff did not prevent continued use of the technology. Source: Russia Used Cellebrite on Jailed Activist's iPhone Months After Sales Cutoff
First-Ever Exploitation of PTC Windchill Vulnerability Discovered in the Wild
CISA has added the remote code execution vulnerability CVE-2026-12569 affecting PTC Windchill to its Known Exploited Vulnerabilities catalog, marking the first documented exploitation of this flaw in active attacks. This development underscores the urgency for organizations relying on industrial and product lifecycle management software to prioritize patching efforts. The vulnerability's exploitation in the wild represents a significant risk to manufacturing and engineering environments. Source: First-Ever Exploitation of PTC Windchill Vulnerability Discovered in the Wild
Microsoft Warns of Photo ZIP Phishing Campaign Targeting Hotels with Node.js Implant
Microsoft has disclosed an active phishing campaign that has been targeting hotel and hospitality organizations across Europe and Asia since April 2026. The campaign employs photo-themed ZIP files as lures to deliver a Node.js implant designed to compromise front-desk systems and establish persistence within hotel networks. While the threat actors remain unattributed and their ultimate objectives unclear, the campaign demonstrates a sophisticated understanding of hospitality operations and supply chain vulnerabilities. Source: Microsoft Warns of Photo ZIP Phishing Campaign Targeting Hotels with Node.js Implant
The convergence of these threats—from developer ecosystem poisoning to industrial system exploitation to targeted hospitality attacks—reinforces the critical importance of defense-in-depth strategies across all organizational layers and sectors.
Sources & IOCs
Source articles and extracted indicators (defanged where appropriate).
- Previously identified PTC Windchill vulnerability, no reports of exploitation
- Remote code execution vulnerability in PTC Windchill and FlexPLM
- Signed Binary Proxy Execution: Rundll32 (implied by LNK execution).
- Non-standard Port for C2 communication.
- Ingress Tool Transfer (downloading implant).
- File Deletion (implied by cleanup difficulty).
- Registry Run Keys / Startup Folder for persistence.
- PowerShell used to decode URL and download payload.
- Deobfuscate/decode files or information.
- Encrypted WebSocket channel for C2.
- Web Protocols (HTTP/HTTPS) used for C2 communication.
- TonRATName of the Node.js implant used in the campaign.
8443Non-standard port used for C2 communication by the TonRAT implant.8445Non-standard port used for C2 communication by the TonRAT implant.8453Non-standard port used for C2 communication by the TonRAT implant.5555Non-standard port used for C2 communication by the TonRAT implant.56001Non-standard port used for C2 communication by the TonRAT implant.56002Non-standard port used for C2 communication by the TonRAT implant.56003Non-standard port used for C2 communication by the TonRAT implant.