June 2026: Supply Chains, Sniffed Secrets, and a Month-Long Game of Whack-a-Mole
June was the month attackers proved that old vulnerabilities, trusted install scripts, and even AI assistants could all be weaponized at industrial scale.
The month was defined by several high-impact developments:
A shapeshifting supply chain campaign — A single malware lineage mutated across npm, PyPI, and AUR (Red Hat packages, Miasma, Hades, IronWorm, hijacked Arch packages, and a North Korea-linked Mastra npm compromise), all reusing poisoned postinstall hooks and hijacked maintainer accounts to steal cloud and CI/CD credentials.
FortiBleed's massive credential haul — A Russian-speaking access broker exploited legacy password-hashing flaws that survive firmware upgrades on hundreds of thousands of Fortinet FortiGate firewalls, exposing over 100 million credentials and hitting at least one NATO-aligned defense contractor.
ShinyHunters' PeopleSoft rampage — A chained Oracle PeopleSoft zero-day let the group breach 100+ organizations, hammering higher education before spreading to insurers, government bodies, and automakers like Nissan.
Enterprise RCE stayed a reliable foothold — Cisco SD-WAN Manager, Windows Netlogon, and Splunk's PostgreSQL sidecar all saw exploitation by criminal and state-linked actors alike.
Law enforcement swung back hard — Operation Endgame took down SocGholish's delivery network and seized 25 million+ StealC/Amadey credentials, while Scattered Spider members pleaded guilty over the TfL attack. Meanwhile, AI abuse (Meta's Instagram-hijacking assistant exploit) and Anthropic's Fable 5/Mythos 5 export restrictions kept AI security debates front and center.
Source: CyberSecBrief Monthly Briefing