


If You Run Cisco SD-WAN, Fortinet, Oracle PeopleSoft, or Cisco ASA — You Are Running the Four Most Actively Exploited Products Right Now
Not historically. Right now. CISA says so. The patch deadlines are already past. Four technology products account for the majority of active exploitation activity in the last thirty days. Two of the four are Cisco. The other two are Fortinet and Oracle. If you run any of these, you are not facing a theoretical risk. You are facing adversaries who are currently inside organizations that run the same software you do. Here is what is happening with each. Cisco Catalyst SD-WAN Ma
Patrick Duggan
3 days ago · 4 min read


We Are 100 Days Left of Boom. Here Is the Proof.
We have been saying we catch things early. Today we ran the actual measurement. We pulled a random cross-section of IPs and domains from our IOC corpus — indicators flagged by our own detection pipeline, not ingested from external feeds. We then checked which of those indicators later appeared in ThreatFox, one of the largest community threat intelligence feeds in the world. We found 51 overlapping indicators. In every single case — 51 out of 51 — we had indexed the indicator
Patrick Duggan
3 days ago · 4 min read


Icarus Popped the Competitive Intelligence Platform. Security Companies Were the Customers.
On June 12, 2026, the Icarus extortion group compromised Klue — a market intelligence platform that security companies use to track competitors — and walked out with OAuth tokens granting access to customer Salesforce instances across hundreds of organizations. The victim list includes Recorded Future, Tanium, Jamf, Huntress, Sprout Social, Gong, Insurity, and LastPass. Recorded Future is a threat intelligence company. They got popped via their sales software. What Klue Does
Patrick Duggan
3 days ago · 4 min read


24 Billion Credentials, 9,500 CVEs, and Your Password Manager's Broken Promise
On June 12, 2026, Cybernews researchers found an exposed Elasticsearch cluster containing 24 billion records and 8.3 terabytes of data. By June 15, it was secured. The headlines called it a colossal leak. That framing is technically correct and strategically wrong. This was not a pile of old breach data. This was an automated attack-planning system, and someone left the door open. What Was Actually in There The 24 billion records came from 36 distinct sources: Telegram channe
Patrick Duggan
3 days ago · 4 min read


Squidbleed: A 1997 FTP Parsing Change Is Still Leaking Other Users' Cleartext HTTP Requests In Default Squid Deployments Today.
Squidbleed is CVE-2026-47729. It is a heap over-read vulnerability in Squid, the widely deployed open-source web proxy, that leaks another user's cleartext HTTP request — including any credentials or session tokens in that request — to an attacker who can send a crafted request to the same proxy. The vulnerability traces to a change in Squid's FTP parsing code made in 1997. It is present in Squid's default configuration today. The name is deliberate. The researchers at Calif.
Patrick Duggan
3 days ago · 4 min read


ShinyHunters Hit One Medical. 8.8TB. 830,000 Patients. Amazon's Primary Care Company. The Deadline Is Today.
ShinyHunters posted One Medical to their dark web leak site this week. Eight point eight terabytes of alleged stolen data. Eight hundred thirty thousand patients across more than 250 clinics in the United States. The extortion deadline is June 22 — today. One Medical is Amazon's primary care company, acquired in 2023 for 3.9 billion dollars. Amazon is also the company that runs your pharmacy, your health insurance in certain states, and the cloud infrastructure that stores th
Patrick Duggan
4 days ago · 4 min read


Velvet Ant Didn't Cross The Air Gap. They Owned The Thing That Validates Every Crossing. Nine Years Inside A Critical Infrastructure Network.
The forensic investigation Sygnia published this week is called Operation Highland. The threat actor is Velvet Ant, tracked by Mandiant as UNC3886, a China-nexus espionage group. The timeline runs from 2016 to 2026. Ten years. The target was critical infrastructure. The network was air-gapped. They did not cross the air gap. They owned the mechanism that validates every legitimate crossing, and then they sat inside it for a decade while every authorized administrator walked t
Patrick Duggan
4 days ago · 5 min read


iRhythm's Cardiac Patients Had Their Medical Data Stolen And Held To Ransom. The Attack Vector Was Social Engineering. The Third Party Was The Door.
iRhythm Holdings makes the Zio patch, an FDA-cleared continuous cardiac monitoring device worn by patients for up to fourteen days to detect arrhythmias. The data it generates is clinical data — heart rhythm recordings, physician interpretations, diagnostic findings — stored and processed on behalf of patients who are being evaluated for conditions ranging from atrial fibrillation to undiagnosed syncope. On June 8, 2026, the company identified unauthorized activity on certain
Patrick Duggan
5 days ago · 5 min read


Three Weeks. Three Vendors. The Security Infrastructure Is The Target. Pattern 53 At Scale.
Three weeks. Three vendors. Three product categories that exist specifically to make networks more secure. All three opened in the same window. Week one: FortiBleed. Eighty-six thousand FortiGate firewalls and FortiProxy VPN gateways with working admin credentials in a single database, across 194 countries, collected by a Russian-speaking crew through a combination of eight years of unpatched CVEs and a patch that did not re-hash existing passwords. The perimeter firewall — t
Patrick Duggan
5 days ago · 5 min read


CVE-2026-20262 Is The Seventh Cisco SD-WAN Zero-Day In Thirteen Months. The Brain Of The Network Is Still Open.
CVE-2026-20262 is a path traversal vulnerability in Cisco Catalyst SD-WAN Manager that allows an authenticated, remote attacker to write or overwrite any file on the filesystem of an affected system. CISA added it to the Known Exploited Vulnerabilities catalog on June 15, 2026. The federal remediation deadline is June 29. Cisco confirmed limited active exploitation in targeted attacks. We have written about this product three times in the last six weeks. On May 16, we documen
Patrick Duggan
5 days ago · 4 min read


FortiBleed Is Not A Campaign. It Is An Audit Result. 86,644 Firewalls Failed Eight Years Of Fortinet's Own CVE Backlog.
The number being quoted is 86,644. The framing being applied is campaign. Both are correct and together they understate the problem by an order of magnitude. FortiBleed is not a campaign in the sense of a targeted actor running a sophisticated operation against specific victims. It is an audit result. Someone ran a credential collection pass against the global population of internet-exposed Fortinet devices and published what they found. What they found is that roughly half o
Patrick Duggan
6 days ago · 5 min read


MongoBleed Is Back In The Headlines. We Called It On January 12. Here Is The Receipt.
MongoBleed is back in the June headlines, described as a pre-authentication memory read that pulls credentials and session tokens out of server memory and puts anything internet-facing at immediate risk. The framing is correct. The novelty is not. We published our analysis on January 12, 2026, under the title MongoBleed: 87,000 MongoDB Instances Are Leaking Your Secrets. The vulnerability has been in CISA's Known Exploited Vulnerabilities catalog since late December 2025 as C
Patrick Duggan
6 days ago · 4 min read


Every Layer of the AI Stack Was Attacked This Week. Here's the Full Picture.
We published five separate stories this week. Mastra on Monday. Vertex AI on Tuesday. Novo Nordisk on Wednesday. JetBrains on Friday morning. PromptSnatcher alongside it. Each one looked like an independent breach disclosure. Reading them together, they are not independent at all. This week, every layer of the AI development and usage stack was attacked. Not metaphorically. Literally — every layer, by different actors, using different techniques, hitting different victims. If
Patrick Duggan
Jun 19 · 5 min read


PromptSnatcher: The Adblockers That Were Reading Every AI Conversation You Had
The same week JetBrains pulled fifteen plugins stealing AI API keys from developer IDEs, two Chrome extensions with a combined 100,000 users were caught doing something narrower but in some ways more invasive: reading every AI conversation you had. Not the API key. The actual conversation. The campaign is being tracked as PromptSnatcher. The delivery mechanism was two adblocker extensions — Smart Adblocker (100,000 users, published October 2022) and Adblock for Browser (10,00
Patrick Duggan
Jun 19 · 3 min read


70,000 Developers Installed These JetBrains Plugins. Every AI API Key They Typed Went to Beijing.
Fifteen plugins sat in the JetBrains Marketplace for eight months. They worked. They provided AI code review, commit message generation, bug finding, unit test creation — exactly what they advertised. They also silently POSTed every AI API key a developer typed into their settings to a server in Beijing the moment the developer clicked Apply. The campaign ran from October 2025 to June 10, 2026. Combined installs across the fifteen plugins exceeded 70,000. JetBrains pulled the
Patrick Duggan
Jun 19 · 3 min read


SocGholish Now Stages Directly Into RansomHub. The Fake Browser Update You've Seen for Three Years Is Now a Ransomware Loader.
SocGholish is one of the most durable initial access campaigns in the threat landscape. TA569, the group behind it, has been running fake browser update lures on compromised legitimate websites since at least 2017. The lure is always the same: visit a compromised site, see a modal that looks like a Chrome or Firefox update prompt, download a ZIP, execute a JavaScript loader. If you work in enterprise security, you have seen this campaign in someone's inbox, in a phishing awar
Patrick Duggan
Jun 18 · 6 min read


The Third Salesforce OAuth Breach in Twelve Months: Icarus Hit Klue, Stole Tokens for Everything, and 'Mr Bean' Sent the Extortion Email
We have written about this attack three times now. September 2025 we named it OAuth's Blind Spot and walked through the Salesloft/Drift breach. June 2 we covered how ShinyHunters used TruffleHog to extract OAuth tokens from source code and exfiltrated 1.5 billion records from 760 organizations. June 5 we wrote about the federal takedown of the leak site and noted that closing the site doesn't close the attack class. On June 11, a threat actor called Icarus — operator signs as
Patrick Duggan
Jun 18 · 5 min read


Six Cisco SD-WAN Zero-Days in One Year. The Brain of the Network Has Been Open All Along.
On June 5, we wrote that the Cisco Catalyst SD-WAN Manager had just grown a new zero-day and that anyone tracking this product line should not be surprised. The May post we referenced in that piece mapped the four CVEs that landed in the CISA Known Exploited Vulnerabilities catalog on the same day, and made a point about the shape: SD-WAN Manager is the single brain that pushes configuration to every edge device in the fabric. When the brain has multiple independent flaws, th
Patrick Duggan
Jun 18 · 5 min read


RoguePlanet Is Exploit #8 From the Researcher Microsoft Tried to Criminalize. They Still Haven't Patched It.
We have been writing about Chaotic Eclipse, the researcher who goes by Nightmare Eclipse, since April 17, 2026. We wrote about BlueHammer — a TOCTOU race condition in Defender's malware cleanup engine, CVSS 7.8, SYSTEM-level privilege escalation on fully patched Windows 10 and 11 — the day it dropped. We wrote on June 5 that Microsoft's response to that disclosure was to ban the researcher from its own GitHub and refer him to its Crimes and Security Team, which cybersecurity
Patrick Duggan
Jun 18 · 4 min read


We Ran the Numbers Against ThreatFox. 75% of Our Supply-Chain and Research IOCs Aren't There.
We ran a cross-reference this week — pulled ThreatFox's seven-day IOC batch and compared it against our own corpus source by source. Not to pick a fight with ThreatFox. They are very good at what they do. The point was to find out honestly where the overlap lives and, more importantly, where it doesn't. The answer surprised us by being as clean as it was. ThreatFox is a community feed built around command-and-control network indicators: malicious IPs, domains, and URLs tagged
Patrick Duggan
Jun 17 · 4 min read
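
The two ThreatFox pieces above ("We Are 100 Days Left of Boom" and "We Ran the Numbers Against ThreatFox") both describe the same measurement: take indicators from an in-house corpus, find which of them also appear in a ThreatFox batch, and compare first-seen timestamps to see who indexed each one first. The script below is an added example of that cross-reference, not the site's own pipeline or any ThreatFox code. Both datasets are constructed inline; the ThreatFox-side field names (ioc_value, ioc_type, first_seen_utc) follow the shape of its CSV export but are an assumption here, as is the choice to treat an ip:port entry and a bare ip as the same host.

```python
"""Cross-reference an in-house IOC corpus against a ThreatFox-style batch.

Added example. Datasets are constructed; ThreatFox field names are an
assumption about the export format, not taken from the posts above.
"""
from datetime import datetime, timezone
from statistics import median

# Constructed "our" indicators, with the time our own pipeline flagged them.
OUR_CORPUS = [
    {"indicator": "192.0.2.7:8443", "type": "ip:port", "first_seen": "2026-05-30T09:12:00Z"},
    {"indicator": "Update-Check.Example.", "type": "domain", "first_seen": "2026-06-01T14:05:00Z"},
    {"indicator": "198.51.100.20", "type": "ip", "first_seen": "2026-06-10T02:30:00Z"},
    {"indicator": "cdn.example.net", "type": "domain", "first_seen": "2026-06-12T11:00:00Z"},
    {"indicator": "203.0.113.50", "type": "ip", "first_seen": "2026-06-14T00:00:00Z"},
]

# Constructed ThreatFox-shaped rows (assumed field names; the real feed is far larger).
THREATFOX_BATCH = [
    {"ioc_value": "192.0.2.7:8443", "ioc_type": "ip:port", "first_seen_utc": "2026-06-09 09:12:00"},
    {"ioc_value": "update-check.example", "ioc_type": "domain", "first_seen_utc": "2026-06-16 00:00:00"},
    {"ioc_value": "198.51.100.20:443", "ioc_type": "ip:port", "first_seen_utc": "2026-06-05 10:00:00"},
    {"ioc_value": "evil.example.org", "ioc_type": "domain", "first_seen_utc": "2026-06-17 00:00:00"},
]


def parse_ts(value):
    """Accept ISO-8601 with a trailing Z or the 'YYYY-MM-DD HH:MM:SS' form; both treated as UTC."""
    value = value.strip().replace("Z", "+00:00").replace(" ", "T")
    ts = datetime.fromisoformat(value)
    if ts.tzinfo is None:
        ts = ts.replace(tzinfo=timezone.utc)
    return ts


def normalize(ioc_type, value):
    """Collapse ip / ip:port / domain spellings to one comparable key.

    Returns (kind, value) or None for types this comparison does not cover.
    IPv4 only: an IPv6 ip:port would need bracket handling before rsplit.
    """
    value = value.strip().lower()
    if ioc_type in ("ip", "ip:port"):
        host = value.rsplit(":", 1)[0] if ioc_type == "ip:port" else value
        return ("ip", host)
    if ioc_type == "domain":
        return ("domain", value.rstrip("."))
    return None


def cross_reference(ours, theirs):
    """One record per indicator present in both sets, with our lead time in days.

    lead_days > 0 means our corpus flagged the indicator before the feed did.
    """
    feed_first_seen = {}
    for row in theirs:
        key = normalize(row["ioc_type"], row["ioc_value"])
        if key is None:
            continue
        ts = parse_ts(row["first_seen_utc"])
        # Keep the earliest sighting if the feed lists an indicator more than once.
        if key not in feed_first_seen or ts < feed_first_seen[key]:
            feed_first_seen[key] = ts

    matches = []
    for row in ours:
        key = normalize(row["type"], row["indicator"])
        if key is None or key not in feed_first_seen:
            continue
        lead = (feed_first_seen[key] - parse_ts(row["first_seen"])).total_seconds() / 86400
        matches.append({"kind": key[0], "indicator": key[1], "lead_days": round(lead, 2)})
    return matches


def summarize(matches):
    """Overlap count, how many we were ahead/behind on, and the median lead in days."""
    leads = [m["lead_days"] for m in matches]
    ahead = sum(1 for d in leads if d > 0)
    return {
        "overlap": len(matches),
        "ahead": ahead,
        "behind": len(leads) - ahead,
        "median_lead_days": median(leads) if leads else None,
    }


if __name__ == "__main__":
    found = cross_reference(OUR_CORPUS, THREATFOX_BATCH)
    for m in found:
        print(f"{m['kind']:6} {m['indicator']:24} lead {m['lead_days']:+.2f} d")
    print(summarize(found))
```

With the constructed data this reports three overlapping indicators, two of which the in-house corpus flagged first (the third is a case where the feed was earlier), which is the shape of result the posts describe; the normalization step matters because a feed that records ip:port will otherwise never match a corpus that records bare IPs, and case or trailing-dot differences will hide domain matches.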