On this page
- 0. TL;DR
- 1. Active Threats, Trending Actors, Notable Incidents & Disclosures
- 2. Trending Vulnerabilities
- 3. Research & Investigative Reporting
- 4. Updates to Prior Coverage
- 5. Deep Dive
- 6. Action Items
- 7. Verification Notes
References (8)
- CVE-2026-52806 ×2
- KDDI third-party email-platform breach exposes up to 14.22M credentials across six Japanese ISPs
- Mozilla 0DIN: clean GitHub repo coerces AI coding agents into a reverse shell via 3-stage indirection + DNS-TXT C2
- BleepingComputer
- Infosecurity Magazine (RSS)
- Rapid7 Research
- Security Affairs
- Wiz Research Blog
0. TL;DR
- KDDI discloses a third-party email-platform breach exposing up to 14.22 million subscriber credentials across six Japanese ISPs. Attackers exploited a vulnerability in a shared ISP email-management platform (detected ~2026-06-17); email addresses and passwords for STNet, JCOM, Chubu Telecommunications, Nifty, Biglobe and one further KDDI ISP are in scope. No CH/EU nexus, but the leaked credential pairs feed directly into credential-stuffing and phishing-as-initial-access against European targets (BleepingComputer, 2026-06-28). See § 1.
- Gogs argument-injection RCE (CVE-2026-52806), patched 2026-06-07 and first covered here on 2026-06-20 with no observed exploitation, is now actively exploited. Wiz Threat Research documents a cryptojacking campaign that chained Gogs and Argo Workflows to compromise thousands of Linux hosts and pivot across 300+ Kubernetes nodes via stolen service-account tokens. Self-hosted Gogs is common in EU research/university and smaller public-sector IT; if you have not yet upgraded to 0.14.3, the exploitation status has changed (Wiz Threat Research, 2026-06-28). See § 4.
- A novel indirect prompt-injection class turns a "clean" GitHub repo into a reverse shell against AI coding agents. Mozilla's 0DIN shows a three-step indirection — repo instructions → a deliberately failing Python package → an `init` command that fetches and runs a DNS TXT record as a shell command — with no malicious code in the repo to flag on static analysis. Relevant to any environment where AI coding agents (Claude Code, Copilot Workspace, Cursor) have repository and shell access (Mozilla 0DIN, 2026-06-25; BleepingComputer, 2026-06-27). See § 3.
1. Active Threats, Trending Actors, Notable Incidents & Disclosures
KDDI third-party email platform breach exposes up to 14.22 million credentials across six Japanese ISPs
Japanese carrier KDDI disclosed that a threat actor exploited a vulnerability in third-party software integrated into its centralised ISP email-management platform, with unauthorised access detected on approximately 2026-06-17 (BleepingComputer, 2026-06-28). The breach potentially exposed email addresses and passwords for up to 14.22 million subscriber accounts across six ISPs running on the shared platform — STNet, JCOM, Chubu Telecommunications, Nifty, Biglobe and a further KDDI ISP; KDDI states some passwords were stored hashed or encrypted and that 14.22 million is a worst-case figure pending forensic completion (SecurityAffairs, 2026-06-28; Infosecurity Magazine, 2026-06-24). No CVE for the third-party software flaw and no threat actor have been named; KDDI notified Japan's Personal Information Protection Commission and advised affected users to change passwords and enable MFA.
Why it matters to us: The structural lesson, not the jurisdiction, is the signal — a single vulnerable dependency in a shared multi-tenant email-management plane produced a six-ISP blast radius, the same exposure model any European telco or managed-ISP operator carries when subscriber-mail administration is consolidated onto one vendor platform. The immediate downstream risk for Swiss/EU defenders is credential-stuffing: 14.22 million leaked email/password pairs will surface in combolists and feed phishing-as-initial-access. Hunt for anomalous authentication against external-facing services from Japanese-ISP email address spaces, and treat any reused-password exposure on those domains as a stuffing precursor. Inventory third-party vendor access to your own subscriber/identity-management platforms and enforce MFA on the administration plane itself.
2. Trending Vulnerabilities
No newly-disclosed qualifying vulnerability in window — section intentionally left empty. No CVE was added to CISA KEV, flagged exploited/critical in ENISA EUVD, or reported under fresh in-the-wild exploitation by a vendor or high-reliability researcher in the 36-hour window. The one actively-exploited CVE this run — CVE-2026-52806 (Gogs) — was first covered on 2026-06-20; its new exploitation status is handled as an UPDATE in § 4, not as a fresh entry, per the no-repetition rule.
3. Research & Investigative Reporting
Mozilla 0DIN: a "clean" GitHub repo coerces AI coding agents into a reverse shell via three-stage indirection
Mozilla's Zero Day Investigative Network (0DIN) detailed an indirect prompt-injection class against AI coding agents in which no malicious code is present in the repository itself (Mozilla 0DIN, 2026-06-25; reported BleepingComputer, 2026-06-27). The repository carries three cooperating components: (1) plausible setup instructions telling the user/agent to install a Python package; (2) the package, engineered to fail at runtime with an error message that instructs the runtime to run python3 -m axiom init; (3) the axiom init handler, which issues a DNS TXT lookup to an attacker-controlled domain and executes the returned record value as a shell command. The chain achieves three levels of indirection — error message → DNS resolution → shell execution — so the agent never "decides" to open a shell; it interprets each step as routine error recovery and autonomously runs the suggested remediation, side-stepping per-step user approval. No CVE is assigned: this is exploitation of agentic error-recovery autonomy plus out-of-band payload retrieval, not a single software bug. It is a distinct technique from the Amazon Q Developer MCP-config auto-load issue (CVE-2026-12957) covered on 2026-06-27 — that abused automatic config loading; this abuses error-recovery behaviour and DNS-TXT C2.
Why it matters to us: Any environment where AI coding agents (Claude Code, GitHub Copilot Workspace, Cursor) hold repository and shell access — developer workstations, CI/CD runners, increasingly common in public-sector DevOps — should treat agent-executed setup/init steps as an untrusted-input execution surface. The static-analysis-clean property means repo scanning will not catch it; the behavioural tells are network-dependent init steps and out-of-band command retrieval. Detection concepts (no IOCs): alert on DNS TXT-record queries originating from developer-tooling process trees (node, python, pip, npx) during repository setup; EDR parent-child chains where an agent process spawns an unexpected shell child; egress monitoring for DNS TXT lookups from developer workstations and build agents. Hardening: require human-in-the-loop approval for any external network call made by agent-executed init scripts, and treat an agent's DNS/network capability as a scope that needs explicit grant rather than a default. Mapped to T1566 (delivery via a malicious repo link), T1071.004 (DNS as C2 channel) and T1059.004 (Unix shell execution).
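The two detection concepts above, correlated into one rule, as an added example that is not part of the original brief or of the 0DIN research. The event schema (`type`, `pid`, `ppid`, `image`, `qtype`, `qname`) and every sample event are constructed; map them to whatever your EDR and DNS telemetry actually emit.

```python
# Process images from the brief's detection concept (python3 added as an assumption).
DEV_TOOLING = {"node", "python", "python3", "pip", "npx"}
SHELLS = {"sh", "bash", "dash", "zsh"}

# Constructed telemetry in arrival order; hypothetical schema, not a real EDR format.
EVENTS = [
    {"type": "proc", "pid": 100, "ppid": 1, "image": "node"},      # agent runtime
    {"type": "proc", "pid": 110, "ppid": 100, "image": "pip"},
    {"type": "dns", "pid": 110, "qtype": "A", "qname": "pkgs.example.test"},
    {"type": "proc", "pid": 120, "ppid": 100, "image": "python3"},  # init step
    {"type": "dns", "pid": 120, "qtype": "TXT", "qname": "cfg.example.test"},
    {"type": "proc", "pid": 130, "ppid": 120, "image": "sh"},
    {"type": "proc", "pid": 200, "ppid": 1, "image": "postfix"},    # unrelated TXT user
    {"type": "dns", "pid": 200, "qtype": "TXT", "qname": "_dmarc.example.test"},
    {"type": "proc", "pid": 300, "ppid": 1, "image": "node"},       # ordinary build
    {"type": "proc", "pid": 310, "ppid": 300, "image": "sh"},       # shell, no TXT lookup
]

def lineage(pid, procs):
    """Walk parent links; return [(pid, image), ...] from the process up to the root."""
    chain, seen = [], set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        chain.append((pid, procs[pid]["image"]))
        pid = procs[pid]["ppid"]
    return chain

def detect(events):
    """Medium: TXT lookup from a dev-tooling tree. High: shell spawned under that process."""
    procs, txt_pids, alerts = {}, set(), []
    for ev in events:
        if ev["type"] == "proc":
            procs[ev["pid"]] = ev
            parents = lineage(ev["ppid"], procs)
            if ev["image"] in SHELLS and any(p in txt_pids for p, _ in parents):
                alerts.append(("high", "shell_after_txt_lookup", ev["pid"]))
        elif ev["type"] == "dns" and ev["qtype"] == "TXT":
            if any(img in DEV_TOOLING for _, img in lineage(ev["pid"], procs)):
                txt_pids.add(ev["pid"])
                alerts.append(("medium", "txt_from_dev_tooling", ev["pid"]))
    return alerts

if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```

Pairing the shell alert with a preceding TXT lookup in the same process tree keeps ordinary build-script shells (pid 310 in the sample) from alerting.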
4. Updates to Prior Coverage
UPDATE: Gogs CVE-2026-52806 moves from "no observed exploitation" to active cryptojacking campaign
UPDATE (originally covered 2026-06-20): When this brief first covered the Gogs argument-injection RCE CVE-2026-52806 (branch name injects `--exec` into `git rebase`; fixed in 0.14.3 on 2026-06-07), exploitation status was not observed. Wiz Threat Research now reports the flaw under active in-the-wild exploitation: a cryptojacking campaign active 2026-06-13–23 chained Gogs and Argo Workflows vulnerabilities for initial access, compromised thousands of Linux hosts, and pivoted across more than 300 additional Kubernetes nodes (Wiz Threat Research, 2026-06-28). The new development is the exploitation, not the bug — the CVE mechanics and patch were covered on 2026-06-20.
Per Wiz, once on a node the operators stole Kubernetes service-account tokens and used them to schedule workloads cluster-wide, then escaped to host via privileged containers to deploy cryptominers; Wiz designates the actor "Unknown" and names the C2 framework "Realm C2." The Gogs argument-injection vector is the same one documented by Rapid7 — an authenticated (effectively unauthenticated on default open-registration instances) RCE via a malicious pull-request branch name during a "rebase before merging" operation (Rapid7 Labs). ATT&CK chain as reported: T1190 (exploit public-facing Argo Workflows / Gogs) → T1078.004 (stolen K8s service-account tokens) → T1610 (deploy container) → T1611 (escape to host) → T1496 (resource hijacking).
Defender delta since 2026-06-20: the patch urgency is now exploitation-driven, not advisory-driven. If self-hosted Gogs is still below 0.14.3, prioritise the upgrade and disable open self-registration (`DISABLE_REGISTRATION = true`). Hunt K8s API-server audit logs for `create` on `workflows.argoproj.io` and on `pods` from unexpected service accounts, `git rebase` child processes spawned by the Gogs service user, and privileged-container/`nsenter` activity. Enforce Pod Security Admission (restricted) and audit RBAC to remove default service accounts with node-escalation rights. Scope/attribution figures (thousands of hosts, 300+ nodes, "Realm C2") are Wiz's single-source assessment — see § 7.
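The audit-log hunt described above, as an added example that is not from the brief's sources: it filters Kubernetes audit events (JSON lines, `audit.k8s.io/v1` field names) for `create` on `workflows.argoproj.io` and on `pods` by service accounts outside a baseline. The baseline set, the `gogs` namespace and all sample events are constructed assumptions.

```python
import json

SA_PREFIX = "system:serviceaccount:"
# Assumption: service accounts expected to create each resource in this hypothetical cluster.
BASELINE = {
    ("argoproj.io", "workflows"): {SA_PREFIX + "argo:argo-server"},
    ("", "pods"): {SA_PREFIX + "argo:argo-workflow-controller",
                   SA_PREFIX + "kube-system:replicaset-controller"},
}

# Constructed audit lines. The core API group omits apiGroup, as in real audit output.
AUDIT_LOG = """
{"stage":"ResponseComplete","verb":"create","user":{"username":"system:serviceaccount:argo:argo-server"},"objectRef":{"apiGroup":"argoproj.io","resource":"workflows","namespace":"argo"}}
{"stage":"RequestReceived","verb":"create","user":{"username":"system:serviceaccount:gogs:default"},"objectRef":{"apiGroup":"argoproj.io","resource":"workflows","namespace":"argo"}}
{"stage":"ResponseComplete","verb":"create","user":{"username":"system:serviceaccount:gogs:default"},"objectRef":{"apiGroup":"argoproj.io","resource":"workflows","namespace":"argo"}}
{"stage":"ResponseComplete","verb":"create","user":{"username":"system:serviceaccount:gogs:default"},"objectRef":{"resource":"pods","namespace":"kube-system"}}
{"stage":"ResponseComplete","verb":"create","user":{"username":"system:serviceaccount:kube-system:replicaset-controller"},"objectRef":{"resource":"pods","namespace":"web"}}
{"stage":"ResponseComplete","verb":"get","user":{"username":"system:serviceaccount:gogs:default"},"objectRef":{"resource":"pods","namespace":"web"}}
{"stage":"ResponseComplete","verb":"create","user":{"username":"alice@example.test"},"objectRef":{"resource":"pods","namespace":"web"}}
truncated-line-that-is-not-json
"""

def hunt(log_text):
    """Return (username, resource, namespace) for creates by non-baseline service accounts."""
    findings = []
    for line in log_text.splitlines():
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # blank or truncated line
        # One request is logged at several stages; count only the completed one.
        if ev.get("stage") != "ResponseComplete" or ev.get("verb") != "create":
            continue
        ref = ev.get("objectRef") or {}
        key = (ref.get("apiGroup", ""), ref.get("resource", ""))
        user = (ev.get("user") or {}).get("username", "")
        if key in BASELINE and user.startswith(SA_PREFIX) and user not in BASELINE[key]:
            findings.append((user, key[1], ref.get("namespace", "")))
    return findings

if __name__ == "__main__":
    for finding in hunt(AUDIT_LOG):
        print(finding)
```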
Changes since first coverage (1 prior appearance)
- 2026-06-20: First coverage — argument-injection RCE; effectively unauth on default open-registration; fixed 0.14.3; BSI WID-SEC-2026-2013
5. Deep Dive
No item met the deep-dive bar in the reporting window. The window was genuinely quiet: the standout fresh research (§ 3, AI coding-agent indirect prompt injection) is a disclosed technique with no observed in-the-wild exploitation, and the actively-exploited item (§ 4, Gogs CVE-2026-52806) is an UPDATE to prior coverage carried on a single substantive source with niche internet-facing exposure. Neither clears the deep-dive criteria, and inventing depth on thin sourcing would degrade the brief. The § 3 and § 4 items carry their full operational detail inline.
6. Action Items
- Upgrade self-hosted Gogs to 0.14.3 now if not already done — exploitation status changed. CVE-2026-52806 is now actively exploited (§ 4); disable open self-registration (`DISABLE_REGISTRATION = true`) on any internet-exposed instance and hunt for `git rebase`/`--exec` child processes under the Gogs service user. Common in EU research, university and smaller public-sector Git hosting.
- Hunt your Kubernetes estate for the campaign's post-access behaviour (§ 4): K8s API-server audit-log `create` on `workflows.argoproj.io` and on `pods` from unexpected service accounts, privileged-container escapes, and unexplained miner-class CPU/GPU load. Enforce Pod Security Admission `restricted` and strip node-escalation rights from default service accounts.
- Add AI-coding-agent abuse to your detection backlog (§ 3): alert on DNS TXT-record queries from developer-tooling process trees (`node`/`python`/`pip`/`npx`) during repo setup and on agent processes spawning unexpected shell children; require human-in-the-loop for external network calls in agent-executed init scripts. No patch exists — this is a behavioural/control change.
- Treat the KDDI leak as a credential-stuffing precursor (§ 1): monitor external-facing authentication for anomalous logins from Japanese-ISP email address spaces, and audit third-party vendor access to your own subscriber/identity-management platforms with MFA enforced on the administration plane.
7. Verification Notes
- Quiet window. Gap to prior brief is 24 h (standard daily; `window_hours = 36`, `developing_window_hours = 72`). EU/CH and CISA-KEV/national-CERT signal was genuinely thin: no new KEV additions, and all CERT-EU / CERT-FR / NCSC-NL / BSI advisories predate the window. Three items cleared the bar; the brief is short by design, not by omission.
- Items dropped (relevance / nexus): AssuranceAmerica Managing General Agency breach (>1.1 M US insurance customers, 7 states; databreaches.net / PRNewswire, disclosed 2026-06-28) — in-window disclosure but a months-old (March 2026) US-domestic incident with no CH/EU nexus and no new technique beyond single-employee credential compromise → bulk exfiltration; logged here rather than carried.
- Items dropped (recency / already covered): StrikeShark / SharkLoader Chinese-nexus Cobalt Strike loader (Kaspersky Securelist 2026-06-24, The Hacker News 2026-06-26) — both primary and corroborating sources fall outside the strict 36 h window; surfaced by S1 as contextual only and excluded.
- Recency note (§ 3 included with annotation): the 0DIN AI-coding-agent item's in-window coverage is the BleepingComputer article timestamped 2026-06-27 14:22 UTC, which sits ~1.7 h before the strict 36 h cutoff (2026-06-27 16:23 UTC) but within the 72 h developing window; the underlying 0DIN research is 2026-06-25. Included as a substantive novel-technique research item with dates stated plainly; not presented as breaking-today.
- Reduced confidence — aggregator-only sourcing (§ 1): the KDDI breach is carried on three news outlets (BleepingComputer, SecurityAffairs, Infosecurity Magazine) with no reachable vendor/regulator primary — KDDI's own English disclosure was not located and the Japanese corporate announcement sits behind a paywall (japantimes, HTTP 402). The three outlets corroborate each other on the core facts (six ISPs, ~14.22 M worst-case figure, third-party platform vector); treat the precise figure as KDDI's stated worst case.
- Reduced confidence / single substantive source (§ 4): the scope and attribution claims for the Gogs/K8s campaign (thousands of hosts, 300+ nodes, "Realm C2", actor "Unknown") rest on the Wiz Threat Research tracker entry as the only substantive source; Rapid7 corroborates the Gogs CVE mechanics but not the campaign link. The CVE itself and the patch are independently established (covered 2026-06-20). Treat campaign-scale figures as Wiz's assessment.
- Contradictions: none unresolved this run.
- Tooling note: the end-of-run `tools/source_health.py` accessibility probe exceeded its 6-minute budget and was terminated before writing a fresh `state/source_health.json`; the existing snapshot (generated 2026-06-28 by the weekly GitHub Action) is retained unchanged. No source-health actions were derived this run; the next probe will refresh it.
- Sub-agents: S1–S4 all returned within the 30-min cap (all Claude Sonnet 4.6). S2 (Switzerland/Europe/public sector) returned zero qualifying in-window items after checking NCSC-CH, CERT-EU, CERT-FR, BSI, NCSC-NL, ENISA EUVD, CERT.at and CERT.pl — none had in-window publications.
- Coverage gaps: ncsc-ch-security-hub (Week 26 review not yet published; expected 2026-06-30); cert-eu (latest advisory 2026-06-10, outside window); cert-fr (latest 2026-06-19); ncsc-nl (latest 2026-06-25); bsi-de (latest WID-SEC 2026-06-25/26); enisa-euvd (no in-window exploited/critical entries); cert-at, cert-pl (Poland SIM-swap arrests ~46 h before window); cisa-kev (no additions in window); databreaches-net (article-level HTTP 403 via bridge; feed accessible, used feed summaries); sec-edgar (0 material cyber 8-K hits in window); ico-uk, cnil, edpb (no in-window enforcement); mandiant-gtig (feed returned empty); dfirreport, red-canary, check-point-research (no in-window primary posts).