2026-W23 Classification: PUBLIC

WEEKLY INTELLIGENCE BRIEFING

2026-06-01 to 2026-06-07

Articles scanned: 80
Top IOCs: 15

Tagline

Supply chains cracked, infrastructure exposed

Executive Summary

The week in one line

Supply chains cracked while AI-powered threats emerged from research labs.

What happened

Criminals turned software development infrastructure itself into a delivery channel at unprecedented scale, and several governments suffered coordinated data breaches. US agencies also warned that hundreds of internet-exposed industrial control systems are under active exploitation.

  • Miasma and IronWorm malware compromised 100+ legitimate npm packages and GitHub repositories, including Microsoft's Azure and MicrosoftDocs repos
  • Chinese APT UNC5221 maintained 18-month persistence in Microsoft 365 environments using three new malware families
  • Over 900 US gas station tank gauge systems discovered exposed to internet with active exploitation underway
  • Cisco disclosed the 7th exploited SD-WAN zero-day of 2026 with no patch available
  • Government breaches in Ecuador, Spain, Mexico affected 13.5M+ citizen records
  • ShinyHunters breached DentaQuest exposing 2.6M dental patient records after failed extortion

Why it matters for defenders and leaders

Attackers showed they can compromise trusted software distribution channels while exploiting gaps in cloud identity controls and critical infrastructure monitoring. AI-assisted discovery is now surfacing vulnerabilities faster than vendors and operators can patch them.

  • Supply chain attacks now compromise maintainer accounts and GitHub repositories upstream of the registry, so registry-side controls alone do not catch them
  • Cloud-side extortion (vishing for MFA, then direct exfiltration from M365) needs no ransomware binary or encryption, so endpoint-centric controls see nothing
  • Critical infrastructure systems still lack basic network segmentation and expose legacy protocols directly to the internet
  • AI agents found 21 zero-days in a single library (FFmpeg), a sign that the volume of findings is about to outrun patch capacity

What to do this week

  • Audit npm and GitHub integrations for anomalous commits and unexpected package modifications
  • Implement Conditional Access policies for Microsoft 365 with device compliance requirements
  • Inventory internet-facing industrial control systems and implement network segmentation
  • Patch SolarWinds Serv-U CVE-2026-28318 and WordPress Everest Forms Pro CVE-2026-3300
  • Restrict management-plane access to Cisco Catalyst SD-WAN Manager (no patch yet) and patch PAN-OS GlobalProtect, then check both for exploitation indicators

TLDR

  • 🚨 Supply chain attacks dominated: the IronWorm stealer and Miasma worm compromised 100+ npm packages and GitHub repositories
  • 🎯 Critical infrastructure under siege with 900+ exposed US gas station tank gauges and the latest in a string of SD-WAN zero-days this year
  • 🏛️ Government breaches escalated across Ecuador, Spain, Mexico, and France, exposing millions of citizen records
  • 💰 Extortion crews pivoted to direct cloud exfiltration, bypassing endpoint and network defenses built for ransomware
  • 🤖 AI risk cut both ways: OpenAI shipped a ChatGPT Lockdown Mode against prompt-injection exfiltration while researchers warned of autonomous AI worms
  • 🔐 Edge appliance flaws hit VPN and WAN gear: a PAN-OS GlobalProtect authentication bypass and a Cisco SD-WAN Manager root RCE were exploited in the wild

Intelligence Breakdown

Supply Chain & Software Integrity

Miasma Worm Hits 73 Microsoft GitHub Repositories in Major Supply Chain Attack. Self-replicating Miasma malware compromised 73 Microsoft repositories including Azure and MicrosoftDocs, with GitHub disabling access to affected repos.

Miasma Malware Hits 32 Red Hat Packages via Compromised GitHub Account. Attackers compromised a Red Hat employee's GitHub account to inject Miasma malware into 32 npm packages under @redhat-cloud-services, affecting 96 versions with 80K-117K weekly downloads.

IronWorm and New Miasma Worm Variant Hit npm in Supply Chain Attacks. Multiple campaigns deployed the Rust-based IronWorm stealer and Miasma worm variants across 50+ legitimate npm packages, harvesting secrets for OpenAI, AWS, Docker, and crypto wallets.

Hola Browser for Windows compromised to deliver cryptominer. The Windows build of Hola's browser (from the Israeli VPN vendor) was trojanized in a supply chain attack to deliver an undeclared Monero miner to roughly 0.1% of users.

Key Takeaway

Run software composition analysis against committed lockfiles, alert on unexpected commits and version bumps in the GitHub and npm projects you depend on, pin dependencies with integrity hashes, and verify SLSA provenance attestations where the registry publishes them.
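Two of the actions this briefing recommends (auditing npm integrations for unexpected package modifications, and verifying package integrity) can be checked offline against a committed lockfile. The script below is an added example written for this briefing, not code from any vendor or report it cites. It assumes a lockfileVersion 2 or 3 package-lock.json, treats https://registry.npmjs.org/ as the only expected tarball source, and carries a hypothetical watch-list for the @redhat-cloud-services scope with placeholder versions (take the real affected versions from the advisory); the embedded sample lockfile is constructed, with fake hashes.

```python
"""Offline audit of an npm package-lock.json (lockfileVersion 2 or 3)."""
import json
import sys
from typing import Dict, List, Set

EXPECTED_REGISTRY = "https://registry.npmjs.org/"

# Hypothetical watch-list: scope -> versions an advisory names as compromised.
# The scope is the one this briefing reports; the versions are placeholders.
WATCHLIST: Dict[str, Set[str]] = {
    "@redhat-cloud-services": {"2.4.1", "2.4.2"},
}


def _package_name(path: str, meta: dict) -> str:
    """Derive the package name from a v2/v3 lockfile key such as
    'node_modules/@scope/pkg' or 'node_modules/a/node_modules/b'."""
    return meta.get("name") or path.rsplit("node_modules/", 1)[-1]


def audit_lockfile(lock: dict,
                   watchlist: Dict[str, Set[str]] = WATCHLIST,
                   expected_registry: str = EXPECTED_REGISTRY) -> List[dict]:
    """Return findings as {'package', 'version', 'reason'} dicts."""
    if lock.get("lockfileVersion", 0) < 2:
        raise ValueError("lockfileVersion 1 has no 'packages' map; regenerate with npm >= 7")
    findings: List[dict] = []
    for path, meta in lock.get("packages", {}).items():
        if path == "" or meta.get("link"):
            continue  # root project entry or workspace symlink
        name = _package_name(path, meta)
        version = meta.get("version", "?")

        def flag(reason: str) -> None:
            findings.append({"package": name, "version": version, "reason": reason})

        # 1. Every fetched tarball must carry a strong integrity hash.
        integrity = meta.get("integrity", "")
        if not integrity:
            flag("no integrity hash; tarball contents are unverified on install")
        elif not integrity.startswith("sha512-"):
            flag("weak integrity algorithm: " + integrity.split("-", 1)[0])

        # 2. Tarballs pulled from anywhere but the expected registry bypass
        #    its signatures and provenance attestations.
        resolved = meta.get("resolved", "")
        if resolved and not resolved.startswith(expected_registry):
            flag("resolved outside expected registry: " + resolved)

        # 3. Install scripts are where npm worms execute on the developer's machine.
        if meta.get("hasInstallScript"):
            flag("declares an install script (preinstall/install/postinstall)")

        # 4. Cross-check scoped packages against the advisory watch-list.
        scope = name.split("/", 1)[0] if name.startswith("@") else None
        if scope in watchlist:
            if version in watchlist[scope]:
                flag("version named in advisory; remove or pin to a clean release")
            else:
                flag("in watched scope; confirm this version against the advisory")
    return findings


def summarize(findings: List[dict]) -> Dict[str, int]:
    """Findings per package, suitable for a CI gate."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f["package"]] = counts.get(f["package"], 0) + 1
    return counts


# Constructed sample lockfile for illustration; hashes and versions are fake.
SAMPLE_LOCK = json.loads("""{
  "name": "demo-app",
  "lockfileVersion": 3,
  "packages": {
    "": {"name": "demo-app", "version": "1.0.0"},
    "node_modules/left-pad": {
      "version": "1.3.0",
      "resolved": "https://registry.npmjs.org/left-pad/-/left-pad-1.3.0.tgz",
      "integrity": "sha512-AAAA"
    },
    "node_modules/@redhat-cloud-services/widget": {
      "version": "2.4.1",
      "resolved": "https://registry.npmjs.org/@redhat-cloud-services/widget/-/widget-2.4.1.tgz",
      "integrity": "sha512-BBBB",
      "hasInstallScript": true
    },
    "node_modules/mystery-lib": {
      "version": "0.0.1",
      "resolved": "https://cdn.example.net/mystery-lib-0.0.1.tgz",
      "integrity": "sha1-CCCC"
    }
  }
}""")


if __name__ == "__main__":
    # Usage: python lockaudit.py [path/to/package-lock.json]
    lock = SAMPLE_LOCK
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            lock = json.load(fh)
    results = audit_lockfile(lock)
    for f in results:
        print(f"{f['package']}@{f['version']}: {f['reason']}")
    sys.exit(1 if results else 0)
```

Pair it with npm's own `npm audit signatures`, which checks registry signatures and provenance attestations online; this script is the offline gate you can run in CI on every pull request that touches the lockfile, and the install-script check is the one that would have caught a worm that spreads through postinstall hooks.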

Critical Infrastructure & Industrial Systems

Over 900 US gas station tank gauge systems exposed to attacks. CISA, FBI, NSA warn of 900+ exposed automatic tank gauge systems across US critical infrastructure actively targeted by threat actors exploiting hardcoded credentials and SQL injection.

Cisco Catalyst SD-WAN Manager CVE-2026-20245 Flaw Actively Exploited – No Patch Available. Cisco disclosed CVE-2026-20245, the 7th exploited SD-WAN zero-day in 2026, allowing authenticated attackers to execute root commands via file uploads with no current patch.

Threat Brief: Active Exploitation of PAN-OS CVE-2026-0257. Unit 42 reports in-the-wild exploitation of PAN-OS GlobalProtect authentication bypass vulnerability allowing unauthorized VPN connections.

Key Takeaway

Inventory and segment industrial control systems, patch PAN-OS GlobalProtect now and restrict management-plane access to SD-WAN Manager until Cisco ships a fix, and monitor for anomalous OT traffic.

Nation-State & APT Activity

Chinese APT deploys new malware to keep access to hacked networks. UNC5221 (VerdantBamboo) used Brickstorm backdoor with new malware Plenet and AgentPSD for 18+ month persistence in Microsoft 365 environments, reinfecting networks post-remediation.

Five Eyes: Chinese Spies Target Government, Military Staff With Fake Job Opportunities. Chinese military intelligence conducts recruitment campaigns via LinkedIn, Indeed, Upwork targeting cleared personnel with fake defense analyst positions for intelligence collection.

New Threat Cluster OP-512 Targets Microsoft IIS Servers with Custom Web Shell Framework. China-aligned OP-512 deploys bespoke three-component web shell framework on IIS servers with timestomping and cryptographic access controls.

Key Takeaway

Train cleared personnel on recruitment-themed social engineering, hunt M365 for persistence (new app consents, service principal credentials, mailbox rules, added role members) rather than only cleaning endpoints, and deploy IIS web shell detection that does not rely on file timestamps.

Ransomware & Data Breaches

New Pink Extortion Group Targets Microsoft 365 Cloud Data Via Vishing Scams. Pink Extortion Group uses voice phishing to get past MFA, exfiltrates files directly from M365, and then delivers demands with short payment deadlines through the victim's own internal communication channels.

DentaQuest data breach exposed info of 2.6 million accounts. ShinyHunters breached dental benefits administrator DentaQuest affecting 2.6M accounts, leaking 234GB including health insurance data after failed extortion.

PCPJack Hijacks 230 AWS, Google Cloud, and Azure Servers for Covert SMTP Relay Network. PCPJack compromised 230 cloud servers across major CSPs to operate covert SMTP relay network with exposed C2 directories containing Sliver configurations.

Key Takeaway

Implement M365 Conditional Access policies, monitor cloud workloads for unauthorized services, and establish incident response procedures for extortion attempts.
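Both the vishing-to-exfiltration pattern above and the 18-month M365 persistence in the APT module leave their traces in the same place: the Unified Audit Log. The script below is an added example for this briefing, not detection content from Microsoft or from the cited reports. It takes the AuditData objects returned by Search-UnifiedAuditLog or the Office 365 Management Activity API (CreationTime, Operation, UserId, ClientIP, Workload and ObjectId are standard fields in those records), flags bulk downloads by one user from one client IP inside a sliding window, and lists identity-layer operations that survive an endpoint rebuild. The download threshold and window are assumptions to tune; the sample records are constructed, not tenant data.

```python
"""Triage of Microsoft 365 Unified Audit Log records for cloud-side
exfiltration and identity-layer persistence."""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Operations that give an attacker a foothold in the tenant itself, which an
# endpoint rebuild does not remove. Names are as they appear in the UAL.
PERSISTENCE_OPS = {
    "Add service principal credentials.",
    "Consent to application.",
    "Add member to role.",
    "New-InboxRule",
    "Set-InboxRule",
    "Add-MailboxPermission",
}
# SharePoint/OneDrive operations that move file contents out of the tenant.
DOWNLOAD_OPS = {"FileDownloaded", "FileSyncDownloadedFull"}

DOWNLOAD_THRESHOLD = 50        # downloads per user+IP per window (assumption)
WINDOW = timedelta(minutes=10)  # assumption


def _ts(rec: dict) -> datetime:
    """UAL CreationTime is UTC ISO-8601, usually without a zone suffix."""
    return datetime.fromisoformat(rec["CreationTime"].replace("Z", ""))


def find_bulk_downloads(records: List[dict],
                        threshold: int = DOWNLOAD_THRESHOLD,
                        window: timedelta = WINDOW) -> List[dict]:
    """Sliding-window count of download events per (user, client IP).
    Returns one alert per pair whose busiest window meets the threshold."""
    by_pair: Dict[Tuple[str, str], List[datetime]] = defaultdict(list)
    for r in records:
        if r.get("Operation") in DOWNLOAD_OPS:
            by_pair[(r["UserId"], r.get("ClientIP", "?"))].append(_ts(r))
    alerts = []
    for (user, ip), times in by_pair.items():
        times.sort()
        best, best_span, start = 0, (times[0], times[0]), 0
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            if end - start + 1 > best:
                best, best_span = end - start + 1, (times[start], t)
        if best >= threshold:
            alerts.append({"user": user, "client_ip": ip, "count": best,
                           "first": best_span[0].isoformat(),
                           "last": best_span[1].isoformat()})
    return alerts


def find_persistence(records: List[dict]) -> List[dict]:
    """Every identity-layer persistence operation, with who did it from where."""
    return [{"user": r["UserId"], "operation": r["Operation"],
             "target": r.get("ObjectId", ""), "client_ip": r.get("ClientIP", "?"),
             "time": r["CreationTime"]}
            for r in records if r.get("Operation") in PERSISTENCE_OPS]


def triage(records: List[dict]) -> Dict[str, List[dict]]:
    return {"bulk_downloads": find_bulk_downloads(records),
            "persistence": find_persistence(records)}


def _sample_records() -> List[dict]:
    """Constructed records, not real tenant data: one user pulls 60 files in
    five minutes from one IP, then adds credentials to a service principal and
    a mailbox rule from the same IP; a second user downloads at a normal rate."""
    base = datetime(2026, 6, 3, 14, 0, 0)
    recs = []
    for i in range(60):
        recs.append({"CreationTime": (base + timedelta(seconds=5 * i)).isoformat(),
                     "Operation": "FileDownloaded", "Workload": "OneDrive",
                     "UserId": "alice@example.com", "ClientIP": "203.0.113.7",
                     "ObjectId": f"https://example-my.sharepoint.com/personal/alice/Documents/f{i}.docx"})
    for i in range(5):
        recs.append({"CreationTime": (base + timedelta(minutes=3 * i)).isoformat(),
                     "Operation": "FileDownloaded", "Workload": "SharePoint",
                     "UserId": "bob@example.com", "ClientIP": "198.51.100.2",
                     "ObjectId": f"https://example.sharepoint.com/sites/hr/doc{i}.pdf"})
    recs.append({"CreationTime": "2026-06-03T14:06:40", "Workload": "AzureActiveDirectory",
                 "Operation": "Add service principal credentials.",
                 "UserId": "alice@example.com", "ClientIP": "203.0.113.7",
                 "ObjectId": "ServicePrincipal_0000"})  # placeholder object id
    recs.append({"CreationTime": "2026-06-03T14:07:05", "Workload": "Exchange",
                 "Operation": "New-InboxRule", "UserId": "alice@example.com",
                 "ClientIP": "203.0.113.7", "ObjectId": ""})
    return recs


SAMPLE_RECORDS = _sample_records()

if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_RECORDS), indent=2))
```

Keying the download count on user plus client IP is what separates a vished account being drained from a new location from a user's normal sync client; when the same IP then shows up on a service principal credential or inbox rule, treat the session as hostile and revoke tokens rather than just resetting the password.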

Vulnerabilities & Active Exploitation

Critical Everest Forms Pro flaw exploited to take over WordPress sites. CVE-2026-3300 in Everest Forms Pro WordPress plugin actively exploited for arbitrary PHP code execution, enabling complete site takeover and rogue admin creation.

CISA: Hackers now exploit SolarWinds Serv-U flaw to crash servers. CISA added CVE-2026-28318 to KEV catalog as hackers actively exploit SolarWinds Serv-U denial-of-service vulnerability via crafted POST requests.

AI Agent Uncovers 21 Zero-Days in FFmpeg; Chrome Patches Record 429 Bugs. An AI agent found 21 zero-days in FFmpeg, some in code up to 23 years old; Google patched a record 429 vulnerabilities in Chrome 149, including critical sandbox escape flaws.

Key Takeaway

Prioritize patching WordPress plugins, SolarWinds Serv-U, and Chrome, and assume AI-assisted discovery will keep shortening the gap between disclosure and exploitation: run such tools against your own code before attackers do.

AI & Emerging Threats

New ChatGPT Lockdown Mode Limits Tools That Could Enable Data Exfiltration. OpenAI introduced Lockdown Mode to mitigate prompt injection data exfiltration by limiting web browsing, file downloads, and image support in ChatGPT.

Adaptive, Agentic AI Worms Loom as Next Enterprise Threat. Researchers warn adaptive AI worms with learning capabilities and autonomous vulnerability discovery could materialize within one year.

Key Takeaway

Evaluate AI tool risks, implement data loss prevention for AI interactions, and prepare for autonomous threat actors in enterprise security planning.
