CTI Daily Brief — 2026-06-24

PostCSS npm typosquats deliver a Nuitka-compiled Python RAT with Chrome DPAPI credential theft

JFrog Security Research disclosed (2026-06-22) three malicious npm packages published by the account abdrizak — postcss-minify-selector-parser, postcss-minify-selector and aes-decode-runner-pro — that typosquat the legitimate postcss-selector-parser (150M+ weekly downloads) (JFrog, 2026-06-22; The Hacker News, 2026-06-23). On import, each package's index.js decrypts an AES-256-GCM blob and runs a JavaScript dropper that writes and executes a PowerShell downloader (settings.ps1); PowerShell pulls a Windows payload from an attacker-controlled host, a VBScript bootstrapper (update.vbs) extracts an archive, and a Nuitka-compiled Python 3.10 RAT (chost.exe loading loader.py plus six .pyd extension modules) activates. The RAT performs RC4-encrypted HTTP POST C2, registry Run-key persistence under HKCU\Software\Microsoft\Windows\CurrentVersion\Run, VM detection via WMI and adapter-MAC heuristics, remote shell, file transfer, and Chrome credential and extension-data theft via a DPAPI / app-bound-encryption bypass.

Why it matters to us: This is the npm typosquat-to-RAT pattern aimed squarely at developer endpoints and CI/CD runners — the highest-trust hosts in a software supply chain. Mapped to T1195.001/T1195.002 (Supply Chain Compromise), T1059.001 (PowerShell), T1027 (obfuscation — AES + Nuitka), T1547.001 (Registry Run Key), T1555.003 (Credentials from Web Browsers). Detection concepts (no IOCs): alert on node/npm/npx parent processes spawning powershell.exe (Sysmon EID 1 with parent-image filter); wscript.exe/cscript.exe executing from %TEMP%; new HKCU\...\Run values written by a Node toolchain; and Python runtimes in %TEMP% making outbound HTTP POST. Remediation is not "remove the package" — any host that installed these versions should have all browser-stored and developer credentials rotated and be treated as compromised.

WhatsApp-borne VBScript silently installs a ManageEngine RMM agent for living-off-the-land remote control

Kaspersky documented (2026-06-22) a globally active campaign distributing heavily obfuscated VBScript via compromised WhatsApp Desktop / Web accounts, with financial-themed document lures in multiple languages (Kaspersky Securelist, 2026-06-22; The Hacker News, 2026-06-23). The three-stage chain: a stage-1 VBScript creates working directories and fetches payloads via curl/bitsadmin/certutil/PowerShell; stage 2 disables UAC consent by writing ConsentPromptBehaviorAdmin=0 to HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System and strips Zone.Identifier ADS; stage 3 silently installs a preconfigured ManageEngine Endpoint Central RMM agent via msiexec pointed at attacker-controlled infrastructure. Kaspersky attributes the activity only with low confidence to a Chinese-speaking operator, on the basis of Simplified-Chinese code comments and C2 infrastructure overlapping prior ValleyRAT / Gh0st RAT activity — the claim, not a firm attribution. Victims are concentrated in Malaysia (~80%) with clusters including the UK and Spain.

Why it matters to us: Abuse of a legitimate, signed RMM agent (T1219) is the operational point — there is no bespoke implant to signature, and ManageEngine Endpoint Central is plausibly already whitelisted in many estates. Mapped to T1566.001 (spearphishing attachment, via WhatsApp), T1059.005 (VBScript), T1112 / T1548 (UAC-bypass registry write), T1105 (ingress tool transfer). Detection: msiexec.exe /quiet parented by wscript.exe/cscript.exe; writes to ...\Policies\System\ConsentPromptBehaviorAdmin; certutil -decode or bitsadmin in a script context; and ManageEngine DCAgentService.exe appearing on a host with no corresponding IT-provisioning change ticket. RMM-agent abuse is a well-worn precursor to hands-on-keyboard intrusion and ransomware staging.

Xsolis healthcare-AI vendor breach exposes 1.4M patients across seven US health systems — third-party processor pattern

Xsolis, a Tennessee-based healthcare-AI vendor supplying utilization-management software to hospitals, disclosed that a phishing-driven intrusion on 2026-01-20/22 gave an attacker access to a limited environment, exposing data on 1,396,519 patients across at least seven US health systems (HIPAA Journal, 2026-06-23; Security Affairs, 2026-06-23). Exposed data spans patient names, addresses, dates of birth, dates of service, medical record numbers, diagnosis/treatment and health-insurance information, and — for some individuals — Social Security numbers (affected patients were offered credit-monitoring / identity-theft protection); Xsolis says it contained the intrusion within ~48 hours and reports no confirmed misuse of the data as of disclosure. The ~5-month gap between intrusion (January) and broad notification (June) reflects the breach cascading through Xsolis as a HIPAA Business Associate to each covered-entity client's own notification clock.

CVE-2026-20230 — Cisco Unified CM: WebDialer SSRF to arbitrary file write to root, reconnaissance-stage exploitation observed

Cisco PSIRT's advisory (2026-06-03) for CVE-2026-20230 (CVSS 8.6, CWE-918 SSRF) describes a flaw in the WebDialer service of Cisco Unified Communications Manager (Unified CM) releases 14 and 15: the service fails to validate HTTP requests, so an unauthenticated remote attacker can send a crafted request with a file:// payload to write arbitrary files to the underlying OS, which Cisco states can subsequently be used to escalate to root (Cisco PSIRT, 2026-06-03; BleepingComputer, 2026-06-23). WebDialer is disabled by default, so exposure requires it to have been enabled. Threat-intelligence firm Defused observed exploitation over the weekend of ~2026-06-21/22 from a single source IP, writing a marker file (/tmp/cve-2026-20230-test.txt) — a vulnerability-fingerprinting pattern that historically precedes a targeted exploitation wave. A public PoC (SSD Secure Disclosure) exists. Not KEV-listed as of this run. Patched in 14SU6 for Release 14, with a COP interim fix for Release 15 (full 15SU5 is not due until September 2026). Maps to T1190 (Exploit Public-Facing Application) and T1068 (privilege escalation via the written file). Defenders with internet-facing Unified CM should disable WebDialer if unused (Service Parameters → Cisco WebDialer Web Service), and hunt WebDialer access logs for file:// URIs and unexpected file-creation events (Sysmon EID 11 / auditd) outside normal WebDialer paths — without treating absence of the marker file as proof of safety, since it is trivially cleaned up.

CVE-2025-67038 — Lantronix EDS5000 serial-to-IP converter: unauthenticated OS command injection to root, first BRIDGE:BREAK flaw added to CISA KEV

CVE-2025-67038 (CVSS 9.8) is an OS command-injection flaw in the Lantronix EDS5000-series serial-to-IP device servers (EDS5008/5016/5032): the HTTP management interface concatenates an unsanitised request parameter into a shell command, letting an unauthenticated remote attacker execute commands as root. It is one of the 22 vulnerabilities Forescout Vedere Labs disclosed in April 2026 as BRIDGE:BREAK, covering Lantronix and Silex serial-to-Ethernet converters (Forescout Vedere Labs, 2026-04-21; SecurityWeek, 2026-04-20). CISA added CVE-2025-67038 to its Known Exploited Vulnerabilities catalog on 2026-06-23 — the first confirmed in-the-wild exploitation of any BRIDGE:BREAK CVE, which makes it a priority for any operator who deferred the April advisory. EDS5000 units bridge legacy serial OT/ICS equipment (PLCs, relays, meters) onto IP networks, so a compromise yields a foothold adjacent to field devices, not just the converter. Forescout's disclosure cites fixed firmware 2.0.0R1 for the EDS5000 series; because the KEV-era advisory references later builds (see § 7), confirm the running firmware against Lantronix's current advisory rather than a single version number. Maps to T1190 (Exploit Public-Facing Application). Mitigations: patch to the current EDS5000 firmware, replace default credentials, and segment serial-to-IP converters off any internet-reachable or flat OT segment; hunt management-interface auth logs for shell metacharacters in request fields and unexpected scans of TCP/80/443 on these devices.

Unit 42: malicious skills on the OpenClaw "ClawHub" agent marketplace deliver macOS infostealers and weaponise AI agents for financial fraud

Palo Alto Networks Unit 42 (2026-06-23) documented five malicious skills published to ClawHub, the third-party skill marketplace for the OpenClaw AI-agent platform, active February–May 2026 (Unit 42, 2026-06-23; corroborated by Trend Micro). Two skills delivered the cluw macOS infostealer (an Atomic macOS Stealer / AMOS variant) by redirecting the agent to paste-site URLs (rentry.co, glot.io) carrying Base64-encoded curl | bash droppers. A third, omnicogg, padded its README to 22 MB to exceed the file-size threshold of both ClawScan and VirusTotal, slipping its payload past automated scanning. The most novel two cross a line into agentic abuse: money-radar fetches an attacker-controlled referrals.json at runtime to silently rewrite the financial referral links the agent recommends (revenue redirection with no re-publish), and letssendit coordinates a pool of agents to accumulate Solana ahead of operator-timed token launches — Unit 42's described first weaponisation of an AI-agent botnet for pump-and-dump fraud.

Why it matters to us: The skill-marketplace attack surface behaves like a package registry but is barely covered by existing supply-chain tooling, and "installation results in complete control over the agent's identity." For any organisation piloting agentic AI, treat skills as untrusted code: review them line-by-line before install, validate publisher provenance, and watch for agent processes spawning curl/shell, reaching paste sites, or creating cron persistence (T1195.001 supply-chain compromise, T1204.003/T1202 indirect execution, T1053.003 cron, T1555 credential access). The file-padding evasion is a reminder that a scanner with a content-size cutoff is a control with a documented bypass.

Unit 42: cloud-bucket hijacking via global-namespace reuse silently redirects log and replication streams `[SINGLE-SOURCE]`

Unit 42 detailed an architectural attack abusing the global uniqueness of object-storage bucket names across AWS S3, Google Cloud Storage and (less so) Azure Blob Storage (Unit 42, 2026-06-22). An actor holding bucket-delete rights deletes a destination bucket and immediately recreates it under their own account; existing log sinks, replication jobs, Pub/Sub-to-Storage subscriptions and Data Firehose streams keep writing to the now attacker-owned bucket with no config change and no entry in the source account's audit trail. No named in-the-wild exploitation is reported — this is offensive-research surfacing of an exposure class — but the impact on audit-log integrity is exactly what a SOC's detection pipeline depends on. [SINGLE-SOURCE] (Unit 42, a vendor lab, so the national-CERT carve-out does not apply; the underlying CSP behaviours are independently verifiable). Detection: alert on storage bucket-deletion API calls (GCP storage.buckets.delete, AWS CloudTrail DeleteBucket, Azure Microsoft.Storage/storageAccounts/delete) and on recreation of sink/replication targets; hardening: require multi-party approval for bucket deletion, enforce GCP VPC Service Controls / AWS account-region namespace isolation, and track sensitive-bucket ownership with DSPM. Maps to T1485/T1578 (resource manipulation) and the effective outcome of T1530 (data from cloud storage).

macOS ClickFix evolves: `hdiutil attach -nobrowse` mounts the malicious DMG invisibly before dropping AMOS `[SINGLE-SOURCE]`

A new macOS ClickFix variant (Palo Alto Unit 42, via BleepingComputer 2026-06-23) drops the visible-DMG step: the fake-CAPTCHA Terminal lure now has the user paste a curl command that uses hdiutil attach -nobrowse to mount the disk image without it appearing in Finder or on the desktop, then launches a self-signed app via open (BleepingComputer, 2026-06-23). The payload is Atomic macOS Stealer (AMOS): it presents a fake System Preferences authentication prompt to capture the local password, then steals browser credentials across numerous Chromium- and Firefox-derived browsers, cryptocurrency-wallet data, and Keychain contents. [SINGLE-SOURCE] — BleepingComputer attributes to Unit 42 but a separate primary Unit 42 article for this specific technique was not located this run (see § 7). Detection on macOS: hdiutil attach -nobrowse invoked by a shell parented by Terminal; Terminal executing pasted commands referencing external download URLs; apps launched from /Volumes/ mounts; user awareness that legitimate CAPTCHAs never require Terminal input (T1204.001, T1105, T1555).

Swiss Post Cybersecurity publishes its inaugural Swiss Threat Landscape Report `[SINGLE-SOURCE]`

Swiss Post Cybersecurity released its first Swiss Threat Landscape Report on 2026-06-23, presented at its Hack'Events conference, drawing on the firm's own SOC, incident-response and offensive-security engagement data rather than global aggregates (Swiss Post Cybersecurity, 2026-06-23). It names phishing, identity-based attacks (credential stuffing, account takeover, MFA-bypass chains) and AI-enabled threats as the dominant categories seen in Swiss incident intake, and argues the governance centre of gravity has moved from prevention to detection, response and recovery. [SINGLE-SOURCE] and vendor-authored, so the top-line categories are not novel; the value for a Swiss SOC is that the ranking is grounded in domestic operational data, which supports weighting identity-layer telemetry (Entra ID / AD sign-in logs, OAuth token-grant anomalies, MFA-fatigue patterns — T1621) and AI-assisted-phishing detection that leans on header/anomaly scoring rather than content heuristics (T1566.001). The full report is registration-gated (see § 7).

UPDATE: FortiBleed scale revised to 430K firewalls / 110M credentials; NATO-contractor exfiltration and a Russian-IAB attribution

UPDATE (originally covered 2026-06-18; last delta 2026-06-23): SOCRadar's full "Dismantling FortiBleed" report sharply revises the campaign's scale and attribution: it documents >430,000 FortiGate firewalls targeted and >110 million credentials harvested across 650+ collection pipelines, and attributes the operation to a likely Russian-speaking initial-access broker running financially-motivated activity (SecurityWeek, 2026-06-23; The Hacker News, 2026-06-23). The prior figure of 86,644 confirmed-compromised devices was the device count; the new numbers are the broader targeting and credential-collection totals.

The material new development is the first named high-value victim: on 2026-06-15 the operators offline-cracked Kerberos hashes and exfiltrated DFS backup data from a NATO-aligned defence contractor, moving the campaign from undifferentiated credential harvesting into confirmed geopolitical-risk territory. SpyCloud's analysis of the same infrastructure found parallel credential-collection runs against Synology, Sophos and MSSQL estates (SpyCloud, 2026-06-19). The reported mechanism remains consistent with prior coverage — SSH brute-force seeding, the Golang FortigateSniffer capturing authentication traffic, and offline GPU cracking — with no new Fortinet CVE involved (one reverse-engineering write-up framed the access around an older path-traversal CVE; that mechanism is not corroborated by the SOCRadar reporting and is not asserted here — see § 7).

Defender action for EU/CH FortiGate operators is unchanged but reinforced: assume any credential that transited an exposed FortiGate during the campaign window is burned, and — because the operators pivot to Kerberos/AD — run a retrospective hunt for Kerberoasting (T1558.003, EID 4769 anomalies on service accounts) and replication-style access (EID 4662) in the days after your device's exposure, and enforce credential non-reuse between appliance and domain accounts.

UPDATE: 8x8 confirms Klue/Icarus Salesforce exfiltration in an SEC 8-K Item 1.05 filing

UPDATE (originally covered 2026-06-19; campaign delta 2026-06-23): US cloud-communications provider 8x8 (NASDAQ: EGHT) filed a Form 8-K Item 1.05 on 2026-06-23 disclosing that an unauthorised party accessed its Salesforce environment on 2026-06-11/12 via a third-party integration — the Klue competitive-intelligence platform — the OAuth-integration vector behind the Icarus extortion campaign already tracked in prior briefs (SEC EDGAR — 8x8 Form 8-K, 2026-06-23).

The filing states the accessed data is limited to contract information, internal sales notes and business contact data (names, business emails, phone numbers, mailing addresses). As a publicly-listed company's mandatory material-incident disclosure, it is the formal confirmation that 8x8 is a named Klue-integration victim, extending the campaign's confirmed-victim list.

Defender takeaway for anyone running SaaS-to-Salesforce OAuth integrations (including EU public-sector users of competitive-intel tooling): audit Connected Apps in Salesforce Setup → App Manager for unexpected or stale OAuth grants, scope connected-app permissions to least privilege, and monitor EventType=OAuthToken in Salesforce Event Monitoring for anomalous token use (T1078.004 Valid Accounts: Cloud, T1550.001 token abuse).