# CTI Daily Brief — 2026-06-29

> **AI-generated content — no human review.** This brief was produced autonomously by an LLM (Claude Opus 4.8 (1M context), model ID `claude-opus-4-8[1m]`) with parallel research and verification by sub-agents (Claude Sonnet 4.6, Claude Opus 4.8 (1M context)) executing the prompt at `prompts/daily-cti-brief.md` as a Claude Code routine on Anthropic-managed cloud infrastructure. **Nothing here is reviewed or edited by a human before publication.** All facts are linked inline to public sources the agent fetched in this run. Verify any operationally critical claim against the linked primary source before acting.

**Generated by:** Claude Opus 4.8 (1M context) (`claude-opus-4-8[1m]`) · **Sub-agents:** S1: Claude Sonnet 4.6 · S2: Claude Sonnet 4.6 · S3: Claude Sonnet 4.6 · S4: Claude Sonnet 4.6 · verify: Claude Opus 4.8 (1M context), Claude Sonnet 4.6 · **Classification:** TLP:CLEAR · **Language:** English · **Prompt:** v2.64 · **Recency window:** 36 h (gap to prior brief: 24 h)

## 0. TL;DR

- **KDDI discloses a third-party email-platform breach exposing up to 14.22 million subscriber credentials across six Japanese ISPs.** Attackers exploited a vulnerability in a shared ISP email-management platform (detected ~2026-06-17); email addresses and passwords for STNet, JCOM, Chubu Telecommunications, Nifty, Biglobe and one further KDDI ISP are in scope. No CH/EU nexus, but the leaked credential pairs feed directly into credential-stuffing and phishing-as-initial-access against European targets ([BleepingComputer, 2026-06-28](https://www.bleepingcomputer.com/news/security/data-breach-exposes-up-to-142-million-email-logins-at-six-isps/)). See § 1.
- **Gogs argument-injection RCE (CVE-2026-52806), patched 2026-06-07 and first covered here on 2026-06-20 with no observed exploitation, is now actively exploited.** Wiz Threat Research documents a cryptojacking campaign that chained Gogs and Argo Workflows to compromise thousands of Linux hosts and pivot across 300+ Kubernetes nodes via stolen service-account tokens. Self-hosted Gogs is common in EU research/university and smaller public-sector IT; if you have not yet upgraded to 0.14.3, the exploitation status has changed ([Wiz Threat Research, 2026-06-28](https://threats.wiz.io/all-incidents/cryptojacking-campaign-targeting-k8s-clusters)). See § 4.
- **A novel indirect prompt-injection class turns a "clean" GitHub repo into a reverse shell against AI coding agents.** Mozilla's 0DIN shows a three-step indirection — repo instructions → a deliberately failing Python package → an `init` command that fetches and runs a DNS TXT record as a shell command — with no malicious code in the repo to flag on static analysis. Relevant to any environment where AI coding agents (Claude Code, Copilot Workspace, Cursor) have repository and shell access ([Mozilla 0DIN, 2026-06-25](https://0din.ai/blog/clone-this-repo-and-i-own-your-machine); [BleepingComputer, 2026-06-27](https://www.bleepingcomputer.com/news/security/clean-github-repo-tricks-ai-coding-agents-into-running-malware/)). See § 3.

## 1. Active Threats, Trending Actors, Notable Incidents & Disclosures

### KDDI third-party email platform breach exposes up to 14.22 million credentials across six Japanese ISPs

Japanese carrier KDDI disclosed that a threat actor exploited a vulnerability in third-party software integrated into its centralised ISP email-management platform, with unauthorised access detected on approximately 2026-06-17 ([BleepingComputer, 2026-06-28](https://www.bleepingcomputer.com/news/security/data-breach-exposes-up-to-142-million-email-logins-at-six-isps/)). The breach potentially exposed email addresses and passwords for up to 14.22 million subscriber accounts across six ISPs running on the shared platform — STNet, JCOM, Chubu Telecommunications, Nifty, Biglobe and a further KDDI ISP; KDDI states some passwords were stored hashed or encrypted and that 14.22 million is a worst-case figure pending forensic completion ([SecurityAffairs, 2026-06-28](https://securityaffairs.com/194387/data-breach/kddi-data-breach-impacts-up-to-14-2-million-email-accounts-at-six-isps.html); [Infosecurity Magazine, 2026-06-24](https://infosecurity-magazine.com/news/kddi-breach-japanese-telcos/)). No CVE for the third-party software flaw and no threat actor have been named; KDDI notified Japan's Personal Information Protection Commission and advised affected users to change passwords and enable MFA.

**Why it matters to us:** The structural lesson, not the jurisdiction, is the signal — a single vulnerable dependency in a shared multi-tenant email-management plane produced a six-ISP blast radius, the same exposure model any European telco or managed-ISP operator carries when subscriber-mail administration is consolidated onto one vendor platform. The immediate downstream risk for Swiss/EU defenders is credential-stuffing: 14.22 million leaked email/password pairs will surface in combolists and feed phishing-as-initial-access. Hunt for anomalous authentication against external-facing services from Japanese-ISP email address spaces, and treat any reused-password exposure on those domains as a stuffing precursor. Inventory third-party vendor access to your own subscriber/identity-management platforms and enforce MFA on the administration plane itself.

— *Source: [BleepingComputer](https://www.bleepingcomputer.com/news/security/data-breach-exposes-up-to-142-million-email-logins-at-six-isps/) · Additional source: [SecurityAffairs](https://securityaffairs.com/194387/data-breach/kddi-data-breach-impacts-up-to-14-2-million-email-accounts-at-six-isps.html) · Additional source: [Infosecurity Magazine](https://infosecurity-magazine.com/news/kddi-breach-japanese-telcos/) · Tags: data-breach, supply-chain, phishing · Region: apac, global · Sector: telco*

## 2. Trending Vulnerabilities

*No newly-disclosed qualifying vulnerability in window — section intentionally left empty.* No CVE was added to CISA KEV, flagged exploited/critical in ENISA EUVD, or reported under fresh in-the-wild exploitation by a vendor or high-reliability researcher in the 36-hour window. The one actively-exploited CVE this run — CVE-2026-52806 (Gogs) — was first covered on 2026-06-20; its new exploitation status is handled as an UPDATE in § 4, not as a fresh entry, per the no-repetition rule.

## 3. Research & Investigative Reporting

### Mozilla 0DIN: a "clean" GitHub repo coerces AI coding agents into a reverse shell via three-stage indirection

Mozilla's Zero Day Investigative Network (0DIN) detailed an indirect prompt-injection class against AI coding agents in which no malicious code is present in the repository itself ([Mozilla 0DIN, 2026-06-25](https://0din.ai/blog/clone-this-repo-and-i-own-your-machine); reported [BleepingComputer, 2026-06-27](https://www.bleepingcomputer.com/news/security/clean-github-repo-tricks-ai-coding-agents-into-running-malware/)). The repository carries three cooperating components: (1) plausible setup instructions telling the user/agent to install a Python package; (2) the package, engineered to fail at runtime with an error message that instructs the runtime to run `python3 -m axiom init`; (3) the `axiom init` handler, which issues a DNS TXT lookup to an attacker-controlled domain and executes the returned record value as a shell command. The chain achieves three levels of indirection — error message → DNS resolution → shell execution — so the agent never "decides" to open a shell; it interprets each step as routine error recovery and autonomously runs the suggested remediation, side-stepping per-step user approval. No CVE is assigned: this is exploitation of agentic error-recovery autonomy plus out-of-band payload retrieval, not a single software bug. It is a distinct technique from the Amazon Q Developer MCP-config auto-load issue (CVE-2026-12957) covered on 2026-06-27 — that abused automatic config loading; this abuses error-recovery behaviour and DNS-TXT C2.

**Why it matters to us:** Any environment where AI coding agents (Claude Code, GitHub Copilot Workspace, Cursor) hold repository and shell access — developer workstations, CI/CD runners, increasingly common in public-sector DevOps — should treat agent-executed setup/init steps as an untrusted-input execution surface. The static-analysis-clean property means repo scanning will not catch it; the behavioural tells are network-dependent init steps and out-of-band command retrieval. Detection concepts (no IOCs): alert on DNS TXT-record queries originating from developer-tooling process trees (`node`, `python`, `pip`, `npx`) during repository setup; EDR parent-child chains where an agent process spawns an unexpected shell child; egress monitoring for DNS TXT lookups from developer workstations and build agents. Hardening: require human-in-the-loop approval for any external network call made by agent-executed init scripts, and treat an agent's DNS/network capability as a scope that needs explicit grant rather than a default. Mapped to [T1566](https://attack.mitre.org/techniques/T1566/) (delivery via a malicious repo link), [T1071.004](https://attack.mitre.org/techniques/T1071/004/) (DNS as C2 channel) and [T1059.004](https://attack.mitre.org/techniques/T1059/004/) (Unix shell execution).

— *Source: [Mozilla 0DIN](https://0din.ai/blog/clone-this-repo-and-i-own-your-machine) · Additional source: [BleepingComputer](https://www.bleepingcomputer.com/news/security/clean-github-repo-tricks-ai-coding-agents-into-running-malware/) · Tags: ai-abuse, supply-chain, phishing · Region: global · Sector: technology, public-sector · Evidence: "Claude Code never decided to open a shell. It decided to fix an error. The reverse shell is three indirection steps away from anything Claude Code actually evaluated" (Mozilla 0DIN); "a seemingly benign GitHub repository contains three components: clean setup instructions, a Python package that triggers an error message, and an initialization command that fetches and executes a DNS TXT record controlled by attackers" (BleepingComputer)*
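
The two behavioural tells above (a DNS TXT query from a developer-tooling process tree, then a shell child of the querying process) can be correlated as in this sketch. It is an added example, not code from 0DIN or this brief's tooling; the event schema, the 30-second window and all sample events are constructed assumptions to map onto your own EDR/DNS telemetry.

```python
import os

# Process images the brief names as developer-tooling trees (python3 added as an alias).
DEV_TOOLING = {"node", "python", "python3", "pip", "npx"}
SHELLS = {"sh", "bash", "zsh", "dash"}
CORRELATION_WINDOW_S = 30  # assumption: tune to your telemetry

# Constructed sample telemetry; the schema is hypothetical, not a vendor format.
EVENTS = [
    {"ts": 100, "type": "proc", "pid": 10, "ppid": 1, "image": "/usr/bin/node"},
    {"ts": 101, "type": "proc", "pid": 11, "ppid": 10, "image": "/usr/bin/python3"},
    {"ts": 102, "type": "dns", "pid": 11, "qtype": "TXT", "qname": "cfg.example.test"},
    {"ts": 103, "type": "proc", "pid": 12, "ppid": 11, "image": "/bin/sh"},
    {"ts": 200, "type": "proc", "pid": 20, "ppid": 1, "image": "/usr/sbin/postfix"},
    {"ts": 201, "type": "dns", "pid": 20, "qtype": "TXT", "qname": "_dmarc.example.test"},
    {"ts": 300, "type": "proc", "pid": 30, "ppid": 1, "image": "/usr/bin/pip"},
    {"ts": 301, "type": "dns", "pid": 30, "qtype": "A", "qname": "pypi.example.test"},
]

def lineage(pid, procs):
    """Yield image basenames from pid up to the root, guarding against pid loops."""
    seen = set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        yield os.path.basename(procs[pid]["image"])
        pid = procs[pid]["ppid"]

def detect(events):
    """Return (rule, pid, qname) alerts in event-time order."""
    procs, txt_seen, alerts = {}, {}, []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["type"] == "proc":
            procs[ev["pid"]] = ev
            name = os.path.basename(ev["image"])
            last_txt = txt_seen.get(ev["ppid"])
            # Higher-fidelity signal: the process that just fetched a TXT record
            # from inside a dev-tooling tree now spawns a shell.
            if (name in SHELLS and last_txt is not None
                    and ev["ts"] - last_txt["ts"] <= CORRELATION_WINDOW_S):
                alerts.append(("shell_after_txt", ev["pid"], last_txt["qname"]))
        elif ev["type"] == "dns" and ev["qtype"].upper() == "TXT":
            # Only TXT lookups whose ancestry contains developer tooling are in scope;
            # mail servers and resolvers issue TXT queries routinely.
            if DEV_TOOLING.intersection(lineage(ev["pid"], procs)):
                txt_seen[ev["pid"]] = ev
                alerts.append(("txt_from_dev_tooling", ev["pid"], ev["qname"]))
    return alerts

if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```

The first rule alone is noisy on hosts where tooling legitimately resolves TXT records; the second rule is the one worth paging on.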

## 4. Updates to Prior Coverage

### UPDATE: Gogs CVE-2026-52806 moves from "no observed exploitation" to active cryptojacking campaign

> **UPDATE (originally covered 2026-06-20):** When this brief first covered the Gogs argument-injection RCE CVE-2026-52806 (branch name injects `--exec` into `git rebase`; fixed in 0.14.3 on 2026-06-07), exploitation status was *not observed*. Wiz Threat Research now reports the flaw under active in-the-wild exploitation: a cryptojacking campaign active 2026-06-13–23 chained Gogs and Argo Workflows vulnerabilities for initial access, compromised thousands of Linux hosts, and pivoted across more than 300 additional Kubernetes nodes ([Wiz Threat Research, 2026-06-28](https://threats.wiz.io/all-incidents/cryptojacking-campaign-targeting-k8s-clusters)). The new development is the exploitation, not the bug — the CVE mechanics and patch were covered on 2026-06-20.
>
> Per Wiz, once on a node the operators stole Kubernetes service-account tokens and used them to schedule workloads cluster-wide, then escaped to host via privileged containers to deploy cryptominers; Wiz designates the actor "Unknown" and names the C2 framework "Realm C2." The Gogs argument-injection vector is the same one documented by Rapid7 — an authenticated (effectively unauthenticated on default open-registration instances) RCE via a malicious pull-request branch name during a "rebase before merging" operation ([Rapid7 Labs](https://www.rapid7.com/blog/post/ve-authenticated-rce-via-argument-injection-gogs-unfixed/)). ATT&CK chain as reported: [T1190](https://attack.mitre.org/techniques/T1190/) (exploit public-facing Argo Workflows / Gogs) → [T1078.004](https://attack.mitre.org/techniques/T1078/004/) (stolen K8s service-account tokens) → [T1610](https://attack.mitre.org/techniques/T1610/) (deploy container) → [T1611](https://attack.mitre.org/techniques/T1611/) (escape to host) → [T1496](https://attack.mitre.org/techniques/T1496/) (resource hijacking).
>
> Defender delta since 2026-06-20: the patch urgency is now exploitation-driven, not advisory-driven. If self-hosted Gogs is still below 0.14.3, prioritise the upgrade and disable open self-registration (`DISABLE_REGISTRATION = true`). Hunt K8s API-server audit logs for `create` on `workflows.argoproj.io` and on `pods` from unexpected service accounts, `git rebase` child processes spawned by the Gogs service user, and privileged-container/`nsenter` activity. Enforce Pod Security Admission (`restricted`) and audit RBAC to remove default service accounts with node-escalation rights. Scope/attribution figures (thousands of hosts, 300+ nodes, "Realm C2") are Wiz's single-source assessment — see § 7.
>
> — *Source: [Wiz Threat Research](https://threats.wiz.io/all-incidents/cryptojacking-campaign-targeting-k8s-clusters) · Additional source: [Rapid7 Labs](https://www.rapid7.com/blog/post/ve-authenticated-rce-via-argument-injection-gogs-unfixed/) · Tags: vulnerabilities, actively-exploited, cloud, cryptocrime, rce, default-config · Region: global · Sector: technology, education, public-sector · CVE: CVE-2026-52806 · CVSS: 9.4 · Vector: user-interaction · Auth: default-config · Status: exploited, patch-available*
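
The audit-log hunt described in the update (`create` on `workflows.argoproj.io` and on `pods` from unexpected service accounts, plus privileged pod specs) can be run over API-server audit JSON lines as sketched here. This is an added example, not Wiz's or this brief's code; the allowlist, service-account names and sample events are constructed assumptions, and `requestObject` is only present when the audit policy logs at `Request` level or above.

```python
import json

SA_PREFIX = "system:serviceaccount:"
# Assumption: the service accounts expected to create these resources in this cluster.
ALLOWED = {
    ("workflows", "argoproj.io"): {"system:serviceaccount:argo:argo-server"},
    ("pods", ""): {"system:serviceaccount:argo:argo-workflow-controller"},
}

# Constructed audit.k8s.io/v1 events (one JSON object per line), not from the Wiz report.
SAMPLE = """\
{"verb":"create","user":{"username":"system:serviceaccount:argo:argo-server"},"objectRef":{"resource":"workflows","apiGroup":"argoproj.io","namespace":"ci"}}
{"verb":"create","user":{"username":"system:serviceaccount:default:default"},"objectRef":{"resource":"workflows","apiGroup":"argoproj.io","namespace":"ci"}}
{"verb":"create","user":{"username":"system:serviceaccount:git:gogs"},"objectRef":{"resource":"pods","namespace":"kube-system"},"requestObject":{"spec":{"hostPID":true,"containers":[{"name":"c","securityContext":{"privileged":true}}]}}}
{"verb":"get","user":{"username":"system:serviceaccount:git:gogs"},"objectRef":{"resource":"pods","namespace":"git"}}
{"verb":"create","user":{"username":"alice@example.test"},"objectRef":{"resource":"pods","namespace":"dev"}}
not-json
"""

def is_privileged(pod):
    """True if a pod spec asks for host namespaces or a privileged container."""
    spec = (pod or {}).get("spec", {})
    if spec.get("hostPID") or spec.get("hostNetwork"):
        return True
    ctrs = spec.get("containers", []) + spec.get("initContainers", [])
    return any((c.get("securityContext") or {}).get("privileged") for c in ctrs)

def hunt(lines):
    """Return creates of watched resources by service accounts outside the allowlist."""
    findings = []
    for line in lines:
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # tolerate truncated or non-JSON lines in the log
        ref = ev.get("objectRef") or {}
        # Count each request once and ignore subresources such as pods/exec.
        if ev.get("stage", "ResponseComplete") != "ResponseComplete" or ref.get("subresource"):
            continue
        key = (ref.get("resource"), ref.get("apiGroup", ""))
        user = (ev.get("user") or {}).get("username", "")
        if ev.get("verb") != "create" or key not in ALLOWED:
            continue
        if not user.startswith(SA_PREFIX) or user in ALLOWED[key]:
            continue
        findings.append({"user": user, "resource": key[0],
                         "namespace": ref.get("namespace"),
                         "privileged": is_privileged(ev.get("requestObject"))})
    return findings

if __name__ == "__main__":
    for finding in hunt(SAMPLE.splitlines()):
        print(finding)
```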

## 5. Deep Dive

*No item met the deep-dive bar in the reporting window.* The window was genuinely quiet: the standout fresh research (§ 3, AI coding-agent indirect prompt injection) is a disclosed technique with no observed in-the-wild exploitation, and the actively-exploited item (§ 4, Gogs CVE-2026-52806) is an UPDATE to prior coverage carried on a single substantive source with niche internet-facing exposure. Neither clears the deep-dive criteria, and inventing depth on thin sourcing would degrade the brief. The § 3 and § 4 items carry their full operational detail inline.

## 6. Action Items

- **Upgrade self-hosted Gogs to 0.14.3 now if not already done — exploitation status changed.** CVE-2026-52806 is now actively exploited (§ 4); disable open self-registration (`DISABLE_REGISTRATION = true`) on any internet-exposed instance and hunt for `git rebase`/`--exec` child processes under the Gogs service user. Common in EU research, university and smaller public-sector Git hosting.
- **Hunt your Kubernetes estate for the campaign's post-access behaviour** (§ 4): K8s API-server audit-log `create` on `workflows.argoproj.io` and on `pods` from unexpected service accounts, privileged-container escapes, and unexplained miner-class CPU/GPU load. Enforce Pod Security Admission `restricted` and strip node-escalation rights from default service accounts.
- **Add AI-coding-agent abuse to your detection backlog** (§ 3): alert on DNS TXT-record queries from developer-tooling process trees (`node`/`python`/`pip`/`npx`) during repo setup and on agent processes spawning unexpected shell children; require human-in-the-loop for external network calls in agent-executed init scripts. No patch exists — this is a behavioural/control change.
- **Treat the KDDI leak as a credential-stuffing precursor** (§ 1): monitor external-facing authentication for anomalous logins from Japanese-ISP email address spaces, and audit third-party vendor access to your own subscriber/identity-management platforms with MFA enforced on the administration plane.

— *Source: [Wiz Threat Research](https://threats.wiz.io/all-incidents/cryptojacking-campaign-targeting-k8s-clusters) · Additional source: [Mozilla 0DIN](https://0din.ai/blog/clone-this-repo-and-i-own-your-machine) · Tags: actively-exploited, rce, cloud, ai-abuse · Region: global · Sector: public-sector, technology*

## 7. Verification Notes

- **Quiet window.** Gap to prior brief is 24 h (standard daily; `window_hours = 36`, `developing_window_hours = 72`). EU/CH and CISA-KEV/national-CERT signal was genuinely thin: no new KEV additions, and all CERT-EU / CERT-FR / NCSC-NL / BSI advisories predate the window. Three items cleared the bar; the brief is short by design, not by omission.
- **Items dropped (relevance / nexus):** AssuranceAmerica Managing General Agency breach (>1.1 M US insurance customers, 7 states; databreaches.net / PRNewswire, disclosed 2026-06-28) — in-window disclosure but a months-old (March 2026) US-domestic incident with no CH/EU nexus and no new technique beyond single-employee credential compromise → bulk exfiltration; logged here rather than carried.
- **Items dropped (recency / already covered):** StrikeShark / SharkLoader Chinese-nexus Cobalt Strike loader (Kaspersky Securelist 2026-06-24, The Hacker News 2026-06-26) — both primary and corroborating sources fall outside the strict 36 h window; surfaced by S1 as contextual only and excluded.
- **Recency note (§ 3 included with annotation):** the 0DIN AI-coding-agent item's in-window coverage is the BleepingComputer article timestamped 2026-06-27 14:22 UTC, which sits ~1.7 h before the strict 36 h cutoff (2026-06-27 16:23 UTC) but within the 72 h developing window; the underlying 0DIN research is 2026-06-25. Included as a substantive novel-technique research item with dates stated plainly; not presented as breaking-today.
- **Reduced confidence — aggregator-only sourcing (§ 1):** the KDDI breach is carried on three news outlets (BleepingComputer, SecurityAffairs, Infosecurity Magazine) with no reachable vendor/regulator primary — KDDI's own English disclosure was not located and the Japanese corporate announcement sits behind a paywall (japantimes, HTTP 402). The three outlets corroborate each other on the core facts (six ISPs, ~14.22 M worst-case figure, third-party platform vector); treat the precise figure as KDDI's stated worst case.
- **Reduced confidence / single substantive source (§ 4):** the scope and attribution claims for the Gogs/K8s campaign (thousands of hosts, 300+ nodes, "Realm C2", actor "Unknown") rest on the Wiz Threat Research tracker entry as the only substantive source; Rapid7 corroborates the Gogs CVE mechanics but not the campaign link. The CVE itself and the patch are independently established (covered 2026-06-20). Treat campaign-scale figures as Wiz's assessment.
- **Contradictions:** none unresolved this run.
- **Tooling note:** the end-of-run `tools/source_health.py` accessibility probe exceeded its 6-minute budget and was terminated before writing a fresh `state/source_health.json`; the existing snapshot (generated 2026-06-28 by the weekly GitHub Action) is retained unchanged. No source-health actions were derived this run; the next probe will refresh it.
- **Sub-agents:** S1–S4 all returned within the 30-min cap (all Claude Sonnet 4.6). S2 (Switzerland/Europe/public sector) returned zero qualifying in-window items after checking NCSC-CH, CERT-EU, CERT-FR, BSI, NCSC-NL, ENISA EUVD, CERT.at and CERT.pl — none had in-window publications.
- **Coverage gaps:** ncsc-ch-security-hub (Week 26 review not yet published; expected 2026-06-30); cert-eu (latest advisory 2026-06-10, outside window); cert-fr (latest 2026-06-19); ncsc-nl (latest 2026-06-25); bsi-de (latest WID-SEC 2026-06-25/26); enisa-euvd (no in-window exploited/critical entries); cert-at, cert-pl (Poland SIM-swap arrests ~46 h before window); cisa-kev (no additions in window); databreaches-net (article-level HTTP 403 via bridge; feed accessible, used feed summaries); sec-edgar (0 material cyber 8-K hits in window); ico-uk, cnil, edpb (no in-window enforcement); mandiant-gtig (feed returned empty); dfirreport, red-canary, check-point-research (no in-window primary posts).
