Back to Weekly Roundups
2026-W26 Classification: PUBLIC

WEEKLY INTELLIGENCE BRIEFING

2026-06-22 to 2026-06-28 80 articles

Articles scanned
80
Top IOCs
15
Zero-days aged, AI went blind, supply chains cracked

Tagline

Zero-days aged, AI went blind, supply chains cracked

Executive Summary

The week in one line

Network edges, AI toolchains, and third-party vendors gave attackers durable footholds across every sector.

What happened

Attackers moved fast on newly disclosed vulnerabilities while also collecting returns on months-old zero-days. Two Linux kernel privilege escalation flaws dropped public exploits within 24 hours of disclosure. The Cisco SD-WAN zero-day (CVE-2026-20245) had been exploited for two months before patching. Supply chain operations simultaneously hit npm, GitHub Actions, the Go ecosystem, and a crypto prediction market's frontend vendor.

  • CVE-2026-20245 (Cisco SD-WAN) exploited via command injection for root access at a communications service provider, two months before disclosure
  • CVE-2026-12569 (PTC Windchill RCE) added to CISA KEV with active web shell deployment against industrial targets
  • Miasma Mini Shai-Hulud campaign compromised LeoPlatform, RStreams, and ImmobiliareLabs npm packages, expanded to Go ecosystem
  • Gaslight macOS implant (North Korea-linked) deployed prompt injection to disable AI-assisted malware triage
  • Russian intelligence (UNC5792, UNC4221) escalated Signal targeting to steal Backup Recovery Keys for full message history access

Why it matters for defenders and leaders

The exploitation timeline compression is real: two of this week's most significant flaws were being abused before defenders had a patch to apply. At the same time, attackers are actively probing the weakest links in modern security practice, specifically AI analysis pipelines and developer supply chains, which receive less scrutiny than traditional network perimeters.

  • A six-week gap between Check Point VPN exploitation and the CISA patch directive enabled a Qilin ransomware wave across dozens of organizations
  • AI coding agents and developer IDE plugins (Amazon Q CVE-2026-12957) now represent credential exfiltration surfaces requiring the same trust controls as production systems
  • Third-party SaaS integrations (Klue/LastPass, Polymarket vendor) are bypassing perimeter controls to expose customer data and steal funds
  • Linux LPE exploits (pedit COW, DirtyClone) with public PoCs are available right now for unpatched RHEL, Debian, and Ubuntu hosts

What to do this week

  • Patch CVE-2026-20245 (Cisco SD-WAN), CVE-2026-12569 (PTC Windchill), CVE-2026-20230 (Cisco CUCM), and the two Linux LPE CVEs (CVE-2026-46331, CVE-2026-43503) before end of week
  • Audit all GitHub Actions workflows for pinned action SHAs and review third-party actions like codfish/semantic-release-action for tampering
  • Update Amazon Q Developer IDE plugins to Language Servers for AWS 1.69.0 or later and enable explicit MCP server consent prompts
  • Review Signal linked devices for high-value personnel and disable unused device links to limit exposure to backup key theft
  • Inventory third-party OAuth token grants and Salesforce integrations to identify lateral data exposure paths similar to the Klue breach
TLDR
  • β€’ πŸ” Russian intelligence escalated messaging app attacks, now targeting Signal Backup Recovery Keys to access historical message archives.
  • β€’ 🏭 PTC Windchill (CVE-2026-12569) and Cisco SD-WAN (CVE-2026-20245) are under active exploitation, with the Cisco zero-day abused months before patching.
  • β€’ πŸ”— Supply chain attacks hit multiple fronts: Polymarket lost $3M via a vendor JS injection, Miasma campaign expanded to npm, GitHub Actions, and the Go ecosystem.
  • β€’ πŸ€– AI security gaps widened on two fronts: Gaslight macOS malware weaponizes prompt injection to blind AI analysis tools, while a clean GitHub repo technique tricks AI coding agents into running malware.
  • β€’ πŸͺŸ Linux kernel drew two local privilege escalation CVEs (pedit COW and DirtyClone) with public exploits released within 24 hours of disclosure.
  • β€’ 🌍 Europe is now ransomware's primary target region, with Qilin exploiting a Check Point VPN zero-day for six weeks before a CISA patch directive was issued.
  • β€’ πŸ›οΈ Regulatory pressure intensified with CISA emergency patch deadlines, FCC cybersecurity rules for emergency alert systems, and GDPR fines for breach notification failures.

Intelligence Breakdown

5 modules
Vulnerabilities & Exploits
VULNERABILITIES-AND-EXPLOITS
2026-W26

Cisco SD-WAN Zero-Day Exploited Months Before Patching. Mandiant confirmed that CVE-2026-20245, a command injection flaw in Cisco Catalyst SD-WAN Manager, was actively exploited by an unknown threat actor at least two months before Cisco published patches in June 2026. Attackers uploaded a malicious CSV file (evil_tenant.csv) to escalate privileges to root, and likely chained the attack with previously disclosed authentication bypass flaws CVE-2026-20127 and CVE-2026-20182 for initial access. Learn more

CISA Adds PTC Windchill RCE and Cisco CUCM to KEV, Sets June 28 Deadline. CISA added CVE-2026-12569 (PTC Windchill/FlexPLM RCE, CVSS 9.3) and CVE-2026-20230 (Cisco Unified Communications Manager SSRF) to its Known Exploited Vulnerabilities catalog, mandating federal remediation by June 28. The Windchill flaw marks the first-ever KEV addition for a PTC product and is particularly concerning given Windchill's footprint in manufacturing and defense supply chains. Learn more

Two Linux Kernel Local Privilege Escalation Flaws Drop Public Exploits. CVE-2026-46331 (pedit COW) and CVE-2026-43503 (DirtyClone) both allow unprivileged local users to gain root by corrupting cached binaries in memory. Public working exploits were available within 24 hours of CVE assignment for pedit COW; both affect major distributions including RHEL 8/9/10, Debian 11-13, and Ubuntu 18.04 through 26.04.

macOS XPC Flaw Allowed Standard Users to Disable CrowdStrike and Kandji. XM Cyber discovered a vulnerability in macOS XPC inter-process communication that let unprivileged users hijack trusted applications via CDHash cache and NIB injection, then disable EDR tools including CrowdStrike Falcon Sensor and Kandji MDM Agent. Both vendors have patched the issue, and XM Cyber released an open-source detection tool, XPC Hunter, to help identify exploitation attempts.

Key Takeaway

Prioritize patching CVE-2026-20245, CVE-2026-12569, and the two Linux kernel LPE CVEs immediately; audit unprivileged user namespace settings on Linux hosts and validate macOS EDR agent integrity.


Ransomware & Breaches
RANSOMWARE-AND-BREACHES
2026-W26

Check Point VPN Zero-Day Fueled Qilin Ransomware Wave for Six Weeks. CVE-2026-50751, an authentication bypass in Check Point Remote Access VPN, was exploited starting in early May before a CISA patch directive arrived on June 21, a six-week window during which a Qilin affiliate compromised dozens of organizations. The actor used Rclone for data exfiltration and Tox for C2, highlighting how patch directive lag creates durable exploitation windows. Learn more

Europe Becomes Ransomware's Primary Target Region. Threat intelligence data indicates ransomware operators have strategically shifted focus to EU organizations and their supply chains following a period of global activity decline. The concentration on European targets aligns with broader geopolitical trends and the region's dense interconnection of critical infrastructure suppliers. Learn more

LastPass Customer Data Exposed Again via Klue Third-Party Breach. A breach at Klue, a business intelligence partner integrated with LastPass, exposed customer names, phone numbers, email addresses, and physical addresses after attackers obtained OAuth tokens from Salesforce integrations. The incident is a textbook third-party data pipeline risk: LastPass's own systems were not compromised, but the vendor relationship created an exploitable data path.

Key Takeaway

Audit third-party platform integrations for OAuth token scope and data retention, and review vendor breach notification SLAs before the next partner incident exposes your customer data.


Supply Chain
SUPPLY-CHAIN
2026-W26

Miasma Mini Shai-Hulud Campaign Expands to npm, GitHub Actions, and Go Ecosystem. The Miasma campaign compromised maintainer infrastructure for both LeoPlatform/RStreams and ImmobiliareLabs Backstage npm packages, injecting malicious payloads that steal developer and CI/CD secrets. The campaign exploited a GitHub Actions privilege escalation via a compromised third-party action (codfish/semantic-release-action) and has now expanded to the Go ecosystem. Confirmed malicious file hashes include 32d1bc728d8e504952083a6adc488c309a401c7df4dc8f47b382ce32e4aebe21 (binding.gyp) and 57ba86f6f0caaa580c1dccdf4ed7873d1470e5ea2f8e9ca7a989dc04899f13c0 (leo-logger index.js).

Polymarket Loses $3M After Third-Party Vendor JS Injection. Attackers compromised a third-party vendor serving JavaScript to Polymarket's frontend, injecting code that tricked users into approving fraudulent transactions. Approximately $3M in pUSD was stolen and bridged to Ethereum. Polymarket plans full reimbursement and confirmed its own backend systems were unaffected.

Amazon Q Developer Flaw Let Malicious Repos Steal Cloud Credentials. CVE-2026-12957 (CVSS 8.5) affected all four Amazon Q Developer IDE plugins and allowed malicious MCP configuration files in cloned repositories to automatically execute arbitrary code and exfiltrate active AWS session credentials without user interaction beyond opening the repository. AWS has patched the issue in Language Servers for AWS 1.69.0 and added explicit consent prompts for untrusted MCP servers.

Clean GitHub Repo Technique Tricks AI Coding Agents into Running Malware. Researchers demonstrated an attack where a legitimate-looking GitHub repository with standard setup instructions causes AI coding agents like Claude Code to trigger a reverse shell during the setup sequence, bypassing both security scanners and human code review. The technique requires no malicious code visible in the repository itself.

Key Takeaway

Audit all third-party GitHub Actions for supply chain compromise, pin action versions to commit SHAs, restrict npm publishing credentials to CI-only secrets, and treat MCP config files in cloned repositories as untrusted code.


APT & Nation-State
APT-AND-NATION-STATE
2026-W26

Russian Intelligence Targets Signal Backup Recovery Keys via Phishing. The FBI and CISA updated their advisory on Russian Intelligence Services targeting commercial messaging apps, warning that actors UNC5792 and UNC4221 have evolved tactics to specifically steal Signal Backup Recovery Keys through social engineering. This enables restoration of full message history without breaking encryption, and has already compromised thousands of accounts globally targeting high-value individuals in government, military, and activism. Learn more

Turla Deploys New STOCKSTAY .NET Backdoor Against Ukraine and European Targets. Google detailed a new Turla (FSB) backdoor named STOCKSTAY that masquerades as stock market viewers, PDF readers, or calculators, using encrypted WebSocket channels (T1573.002) for C2. The implant shares code with Turla's older Kazuar backdoor and has targeted Ukrainian government and military organizations alongside entities interested in Italian foreign policy in the Netherlands, Poland, and Germany.

New macOS Gaslight Malware Uses Prompt Injection to Blind AI Analysis Tools. A North Korea-aligned threat actor deployed Gaslight, a Rust-based macOS implant that embeds fabricated system failure messages and prompt injection strings to cause AI-assisted triage tools to abort analysis. Gaslight uses a Telegram bot API for C2 (T1071.001) and a LaunchAgent for persistence (T1547.001, label com.apple.system.services.activity). The technique represents an escalation in AI-aware malware design. Learn more

Chinese APT SharkLoader Campaign Hits Diplomatic and Government Targets. A Chinese-speaking APT deployed SharkLoader, a new Cobalt Strike loader, against diplomatic and government organizations in Indonesia, Taiwan, and other countries, as well as software development companies. The StrikeShark campaign leveraged known Exchange vulnerabilities including ProxyLogon and ProxyNotShell for initial access.

Key Takeaway

Review Signal account linked devices and disable unused device links for high-value personnel; update AI-assisted triage playbooks to flag analysis aborts as a potential Gaslight-style evasion indicator.


References
REFERENCES
2026-W26

Regulatory Updates

Regulatory & Compliance
Action items and policy signal

FCC Approves New Cybersecurity Rules for Emergency Alert Systems and Undersea Cables. The FCC passed regulations requiring basic cyber hygiene (strong passwords, patching, authentication IDs) for Emergency Alert System and Wireless Emergency Alert infrastructure, alongside updated national security review processes for undersea cable terminal equipment. Brazil's emergency alert system compromise via a decade-old stolen credential this week underscores the urgency of these baseline controls. Learn more

GDPR Enforcement: Romania Fines Altex, Poland Reprimands Data Processors. Romania's ANSPDCP fined Altex Romania RON 52,086 (approximately €10,000) for failing to implement adequate security measures after a customer accessed a third party's personal data, and for missing breach notification obligations. Separately, Poland's UODO reprimanded a controller and multiple processors for GDPR integrity and accountability failures, fining the responsible sub-processor €2,415. Learn more

Key Takeaway

Test your GDPR breach notification workflows now: regulators are fining for failure to notify as much as for the underlying security failure, and the window is 72 hours.