‘Cordyceps’: Malicious Pull Requests Threaten CI/CD Workflows
Security researchers at Novee have disclosed a widespread CI/CD vulnerability class dubbed “Cordyceps,” named for the parasitic fungus known for hijacking its hosts. The weakness exploits overly permissive automated workflows triggered by pull requests, allowing any unauthenticated user — with nothing more than a free GitHub account — to execute attacker-controlled code, steal signing keys and access tokens, and potentially compromise software supply chains. From a scan of around 30,000 high-impact repositories, over 300 were confirmed fully exploitable, including pipelines belonging to Microsoft Azure Sentinel, Google’s AI Agent Development Kit, Apache Doris, Cloudflare’s Workers SDK, and the Python Software Foundation’s Black formatter. Researchers warn that AI coding agents are accelerating the problem by reproducing the same insecure CI/CD configuration patterns across millions of repositories.
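As an added defender-side example (not code from Novee or the article), the check below flags one well-known instance of this weakness class; it assumes the risky pattern is a workflow triggered by `pull_request_target` or `workflow_run` (both run with the base repository's secrets) that checks out the pull request's head before running build steps. The workflow is assumed to be already loaded as a dict, as PyYAML's `yaml.safe_load` would produce; the sample workflows are constructed inline.

```python
"""Flag GitHub Actions workflows that run pull-request code in a privileged context.

Assumed pattern (the article does not name the exact trigger): a workflow on
`pull_request_target` or `workflow_run`, which runs with the base repository's
secrets and a write-capable GITHUB_TOKEN, checks out the PR head and builds it.
Input is the workflow as a dict, e.g. the result of yaml.safe_load().
"""
from typing import Any

PRIVILEGED_TRIGGERS = {"pull_request_target", "workflow_run"}
# Expressions that resolve to the untrusted PR head when passed to checkout.
RISKY_REF_MARKERS = ("pull_request.head", "head_ref", "head.sha", "head.ref")


def _triggers(workflow: dict) -> set[str]:
    # YAML 1.1 loaders (PyYAML) parse a bare `on:` key as the boolean True.
    on = workflow.get("on") or workflow.get(True)
    if isinstance(on, str):
        return {on}
    if isinstance(on, (list, dict)):
        return set(on)
    return set()


def _checks_out_pr_head(step: dict[str, Any]) -> bool:
    uses = str(step.get("uses", ""))
    if not uses.startswith("actions/checkout"):
        return False
    ref = str((step.get("with") or {}).get("ref", ""))
    return any(marker in ref for marker in RISKY_REF_MARKERS)


def find_pwn_requests(workflow: dict) -> list[str]:
    """Return job ids where a privileged trigger and an untrusted checkout coincide."""
    if not (_triggers(workflow) & PRIVILEGED_TRIGGERS):
        return []
    findings = []
    for job_id, job in (workflow.get("jobs") or {}).items():
        steps = (job or {}).get("steps") or []
        if any(_checks_out_pr_head(s) for s in steps if isinstance(s, dict)):
            findings.append(job_id)
    return findings


# Constructed sample: weak form. PR-controlled build scripts run with a secret.
WEAK = {"name": "ci", True: ["pull_request_target"], "jobs": {"build": {"steps": [
    {"uses": "actions/checkout@v4",
     "with": {"ref": "${{ github.event.pull_request.head.sha }}"}},
    {"run": "npm ci && npm test", "env": {"NPM_TOKEN": "${{ secrets.NPM_TOKEN }}"}},
]}}}
# Constructed sample: safe form. For fork PRs, `pull_request` runs with a
# read-only token and without the base repository's secrets.
SAFE = {"name": "ci", True: ["pull_request"], "jobs": {"build": {"steps": [
    {"uses": "actions/checkout@v4"}, {"run": "npm ci && npm test"},
]}}}
```

Run it over every file under `.github/workflows/` after loading each with `yaml.safe_load`; any job it returns is one to move to `pull_request`, or to split so that untrusted code never runs in the privileged job.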
FortiBleed Campaign Exposes Credentials for 73,932 FortiGate Systems
A dataset containing valid administrative and SSL VPN credentials for nearly 74,000 Fortinet FortiGate firewall URLs across 194 countries has been attributed to a Russian-speaking threat group in what is shaping up to be one of the most significant Fortinet security incidents on record. Security researcher Volodymyr “Bob” Diachenko disclosed the “FortiBleed” dataset on June 13, and subsequent analysis by independent researchers confirmed that sampled credentials were authentic and many of the affected devices remained internet-exposed at the time. Threat actors used a 45-GPU cracking cluster to systematically recover plaintext credentials from intercepted SSL VPN authentication hashes — with no ongoing access to the targeted devices required — and investigators found evidence of downstream Active Directory enumeration, lateral movement tooling, and log-clearing activity on attacker infrastructure. Affected organizations span government, telecom, finance, healthcare, and critical infrastructure sectors, and a Turkish NATO defense contractor is among those reportedly impacted.
Law Enforcement Hits StealC and Amadey Malware Networks
As part of the ongoing Operation Endgame campaign, law enforcement agencies from the Netherlands, Canada, the United States, and Germany — backed by Europol, Eurojust, and private sector partners including Microsoft and Proofpoint — announced the takedown of 326 servers and 142 domains tied to the StealC and Amadey malware-as-a-service ecosystems. The two malware families operate in tandem: Amadey provides initial device access while StealC harvests passwords and sensitive data, and in some observed cases StealC functioned as a dropper for LockBit Black ransomware payloads. Investigators leveraged AI to link the two independently developed criminal operations as a single conspiracy — enabling RICO charges against multiple operators and affiliates simultaneously — and seized approximately €41 million in cryptocurrency assets while recovering nearly 27 million stolen login credentials.
Splunk Enterprise Vulnerability Exploited in Attacks Days After Disclosure
A critical unauthenticated remote code execution flaw in Splunk Enterprise, tracked as CVE-2026-20253, moved from public disclosure to active exploitation in under two days — a timeline that has become increasingly common as proof-of-concept code publication accelerates attacker response. The vulnerability exists because a PostgreSQL sidecar service endpoint lacks authentication controls, allowing any network-reachable user to create or truncate arbitrary files, which researchers at watchTowr demonstrated could be leveraged for full remote code execution. Splunk confirmed exploitation on June 18, and CISA immediately added the flaw to its Known Exploited Vulnerabilities catalog, giving federal agencies just three days to apply patches — marking the first Splunk vulnerability ever added to the KEV list.
KDDI Breach Affects Six Japanese ISPs, Exposes 14.2 Million Email Credentials
Japanese telecom giant KDDI has confirmed that attackers exploited a vulnerability in third-party software underpinning a shared email platform it operates on behalf of multiple regional ISPs, potentially compromising up to 14.22 million email addresses and passwords across six providers — including STNet, JCOM, Nifty Corporation, and BIGLOBE. KDDI detected the intrusion on June 17, contained further access on the same day, and notified Japan’s Personal Information Protection Commission and Ministry of Internal Affairs and Communications. While passwords were stored in hashed and encrypted form, the company has strongly advised all customers of the affected email services to change their credentials immediately, noting that the breach extends to accounts belonging to former and inactive users as well.