# Today's Top Stories

June 23, 2026

  1. FortiBleed campaign used custom FortiGate sniffer to steal credentials
     BleepingComputer (general), Jun 22

    SOCRadar's analysis of the FortiBleed campaign reveals that threat actors deployed custom sniffers on compromised Fortinet FortiGate devices to harvest authentication credentials at scale, resulting in a database of over 86,000 confirmed working credentials. Fortinet has formally responded to the campaign, which targeted firewall appliances and represents a significant ongoing threat to enterprise network perimeters. Security teams running FortiGate devices should audit for indicators of compromise and rotate any credentials that may have traversed affected systems.

  2. New Exploit Bypasses Apple’s Boot Defenses, Affects Millions of iPhones
     SecurityWeek (general), Jun 22

    Researchers released a proof-of-concept for 'Usbliter8,' an exploit that bypasses Apple's boot defenses and cannot be patched via software update, affecting millions of iPhones. The unpatchable nature of the vulnerability makes it particularly severe, as Apple cannot remediate it without hardware changes in future device generations. Security practitioners should monitor for guidance from Apple on mitigations and assess exposure for high-value targets in their environments.

  3. Fortinet Responds to FortiBleed Campaign
     SecurityWeek (general), Jun 22

    Fortinet confirmed that the FortiBleed credential-harvesting campaign produced a verified database of over 86,000 working credentials stolen from compromised FortiGate firewall deployments. The campaign used custom-built sniffers injected into device memory to intercept authentication traffic in real time, a technique that evades many traditional detection methods. Organizations using FortiGate should treat the credential store as compromised and implement immediate remediation per Fortinet's guidance.

  4. Canada’s Spy Agency Used First-of-Its-Kind Warrant to Clean Botnet-Infected Devices
     The Hacker News (general), Jun 22

    Canada's CSIS obtained a first-of-its-kind threat reduction warrant — publicly released June 15 — authorizing agents to remotely access and neutralize two foreign-operated botnets affecting Canadian servers, home routers, and IoT devices. This marks the first documented use of CSIS's threat reduction warrant powers for active botnet disruption, setting a significant legal precedent for intelligence-led cyber defense operations. The ruling expands the toolkit available to Canadian authorities beyond passive monitoring to active infrastructure intervention.

  5. ShapedPlugin WordPress Pro Plugins Backdoored in Supply Chain Attack
     The Hacker News (general), Jun 22

    Wordfence confirmed a supply chain attack against ShapedPlugin's WordPress Pro plugins, where threat actors compromised the vendor's build and distribution pipeline to inject backdoor code into official licensed update releases. The attack targeted users of ShapedPlugin's premium plugin suite distributed through legitimate update channels, making detection difficult for site owners who trusted the update mechanism. WordPress administrators running ShapedPlugin Pro products should audit installed plugin versions and check for unauthorized code immediately.

  6. 29-Year-Old Squid Proxy Bug 'Squidbleed' Can Leak Cleartext HTTP Requests
     The Hacker News (general), Jun 22

    Researchers at Calif.io disclosed 'Squidbleed,' a heap over-read vulnerability in Squid proxy that traces to a 1997 FTP-parsing code change and remains present in Squid's default configuration today. The flaw can leak a user's cleartext HTTP request — including credentials and session tokens — to other users sending traffic through the same proxy, drawing direct comparisons to Heartbleed in its potential for credential exposure. Squid deployments in enterprise and ISP environments should be patched or mitigated immediately given the widespread use of the software.

  7. AryStinger Malware Infects 4,300 Legacy Routers to Build Reconnaissance Proxy Network
     The Hacker News (general), Jun 22

    QiAnXin's XLab identified AryStinger, a new malware family that has infected at least 4,300 legacy home routers — primarily D-Link devices — to build a distributed reconnaissance and proxy network rather than a traditional DDoS botnet. Unlike typical router botnets, AryStinger is designed for the pre-exploitation phase of attacks, providing threat actors with anonymized infrastructure for reconnaissance operations. The malware count is still rising, and the focus on pre-attack staging makes it a high-value tool for targeted intrusion campaigns.

  8. North Korean Hackers Blamed for Mastra NPM Supply Chain Attack
     SecurityWeek (general), Jun 22

    North Korean threat actors have been attributed to a supply chain attack on the Mastra framework's NPM ecosystem, injecting a malicious dependency into over 140 Mastra packages that fetches a payload specifically targeting cryptocurrency browser extensions. The campaign continues the pattern of DPRK-linked groups using open-source package ecosystems to compromise developer environments and steal cryptocurrency assets. Developers using Mastra packages should audit their dependency trees and check for the malicious dependency introduced by the attackers.

  9. Researchers Detail DifyTap Flaws in Dify That Could Expose AI Chats Across Tenants
     The Hacker News (general), Jun 22

    Zafran Security disclosed four vulnerabilities collectively named 'DifyTap' in Dify, an open-source AI agentic workflow platform with over 146,000 GitHub stars, that allow unauthenticated attackers to read AI conversation data across tenant boundaries. The cross-tenant data leakage flaws expose sensitive AI interaction logs from other customers' applications, making this a critical concern for multi-tenant Dify deployments used in enterprise AI workflows. Organizations running Dify should apply available patches and audit their multi-tenant configurations immediately.

  10. More Cybersecurity Firms Disclose Impact From Klue Hack
      SecurityWeek (general), Jun 22

    The breach of Klue, a competitive intelligence platform, has expanded to impact multiple prominent cybersecurity vendors including HackerOne, Huntress, Jamf, OneTrust, Recorded Future, Snyk, and Tanium. The compromise of a vendor serving so many security-focused organizations underscores the third-party supply chain risk even within the cybersecurity industry itself. Affected organizations should assess what data was shared with Klue and notify relevant stakeholders per breach disclosure obligations.