Border Cyber Group - June 25, 2026 - Jonathan Brown

Pattern of the Day

Two unrelated lineages converged on the same idea this week. A North Korea-aligned macOS implant and a freelancer-built npm/PyPI worm both shipped payloads designed to make an LLM-assisted analyst doubt its own session — not to dodge the sandbox, but to dodge the AI sitting in the triage seat. This is an analytical inference from the public record, not a confirmed finding: no named source has stated the two clusters share tooling or personnel. But the near-simultaneous appearance of the same evasion philosophy in a DPRK-linked binary and an open-sourced criminal worm suggests the technique itself — not any one actor — is what's spreading. See items 3 and 4.


Cisco's SD-WAN management plane was breached, and the attacker spent more effort hiding the intrusion than executing it

Mandiant published a full forensic account this week of CVE-2026-20245, a CVSS 7.8 command-injection flaw in Cisco Catalyst SD-WAN Manager's CLI that an unidentified threat actor exploited as a zero-day starting March 2026 — roughly two months before Cisco disclosed and patched it. Per Mandiant, the attacker first established unauthorized "rogue peering" connections to a service provider's SD-WAN Manager instances (likely via two earlier SD-WAN auth-bypass zero-days, CVE-2026-20127 or CVE-2026-20182), then uploaded a malicious file named evil_tenant.csv through the tenant-upload feature to escalate to root and create a rogue account named "troot." The attacker then reverted the admin password to its original value, deleted the malicious file, and ran a validation script to confirm no traces remained — full anti-forensic discipline, not smash-and-grab. CISA added CVE-2026-20245 to KEV on June 4 with a June 23 federal remediation deadline, which has already passed. This is the seventh Cisco SD-WAN vulnerability flagged as exploited in 2026.

Watch for: whether a named IR firm ties this intrusion set to the same UAT-8616 cluster previously linked to CVE-2026-20127, given the overlapping rogue-peering tradecraft.

Sources: Google Cloud/Mandiant blog (June 2026); BleepingComputer (June 25, 2026); Dark Reading (June 2026); SecurityWeek (June 25, 2026); Cisco Security Advisory cisco-sa-sdwan-privesc.


Ubiquiti's UniFi OS auth bypass isn't theoretical anymore — Bishop Fox built and ran the chain

CISA's June 23 KEV addition for three Ubiquiti UniFi OS flaws (CVE-2026-34908, CVE-2026-34909, CVE-2026-34910 — all CVSS 10.0) now has a confirmed exploitation mechanism behind it. Bishop Fox tested the chain against a live UniFi OS 5.0.6 instance and found CVE-2026-34908/34909 amount to an authentication-gateway bypass in how NGINX normalizes incoming requests: a request that begins with an auth-exempt prefix in raw form resolves, after normalization, to an authenticated internal route. That bypass reaches a function that validates update package names — CVE-2026-34910 — which fails to filter shell metacharacters, giving an unauthenticated remote attacker command injection. Bishop Fox confirmed the unauthenticated path using a benign timing oracle rather than a destructive payload. Ubiquiti shipped UniFi OS Server 5.0.8 in late May with fixes; this is a patch-now situation with a now-demonstrated exploit path, not a theoretical CVSS-10 score.
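
For defenders reviewing proxy logs, the raw-versus-normalized mismatch described above can be hunted for directly. The following is an added example, not code from Bishop Fox or Ubiquiti; the exempt prefixes, routes and log lines are constructed, and it assumes the normalization in question is ordinary percent-decoding plus dot-segment resolution, which the page does not spell out.

```python
import posixpath
import re
from urllib.parse import unquote

# Hypothetical auth-exempt prefixes; the page does not list the real ones.
EXEMPT_PREFIXES = ("/public/", "/static/")
REQUEST = re.compile(r'^(?P<ip>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

def normalize(target):
    """Approximate proxy-side normalization: drop the query string, percent-decode
    once, merge repeated slashes, then resolve "." and ".." segments."""
    path = unquote(target.split("?", 1)[0])
    path = re.sub(r"/+", "/", path)
    resolved = posixpath.normpath(path)
    return resolved + "/" if path.endswith("/") and resolved != "/" else resolved

def is_exempt(path):
    return path.startswith(EXEMPT_PREFIXES)

def find_mismatches(log_lines):
    """Return (ip, raw target, normalized path) for requests that look exempt as
    written but resolve to a non-exempt route once normalized."""
    hits = []
    for line in log_lines:
        m = REQUEST.match(line)
        if not m:
            continue
        raw = m.group("target")
        resolved = normalize(raw)
        if is_exempt(raw) and not is_exempt(resolved):
            hits.append((m.group("ip"), raw, resolved))
    return hits

# Constructed access-log lines (documentation IP ranges, made-up routes).
SAMPLE_LOG = [
    '203.0.113.5 - - [24/Jun/2026:10:00:01 +0000] "GET /public/logo.png HTTP/1.1" 200 512',
    '203.0.113.9 - - [24/Jun/2026:10:00:07 +0000] "POST /public/../api/update HTTP/1.1" 200 64',
    '203.0.113.9 - - [24/Jun/2026:10:00:09 +0000] "POST /static/%2e%2e/api/update HTTP/1.1" 200 64',
    '198.51.100.2 - - [24/Jun/2026:10:00:12 +0000] "GET /api/status HTTP/1.1" 401 0',
]

if __name__ == "__main__":
    for ip, raw, resolved in find_mismatches(SAMPLE_LOG):
        print(f"{ip}: {raw!r} resolves to {resolved!r}")
```

A hit that returned a 2xx status is the case to escalate, since it means the gateway treated the request as exempt while the backend served the resolved route.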

Watch for: in-the-wild exploitation reports citing the specific NGINX-normalization mechanism, which would confirm criminal or scanning infrastructure has reverse-engineered Bishop Fox's published analysis.

Sources: SecurityWeek (June 24, 2026); Bishop Fox technical analysis; CISA KEV catalog (June 23, 2026).


A DPRK-linked macOS backdoor doesn't just evade the sandbox — it manipulates LLM-assisted analysis

SentinelLABS detailed a new Rust-based macOS implant, tracked as macOS.Gaslight, that embeds a 3.5 KB block of 38 fabricated "system" messages — fake token-expiry warnings, out-of-memory kills, and bogus static-analysis flags — built to convince an LLM-assisted triage agent that its own session is failing and that it should abort analysis. SentinelLABS assesses with high confidence the implant belongs to a DPRK-aligned macOS activity cluster, based on overlap with Apple's BONZAI and AIRPIPE XProtect detection rules, which the firm separately ties to North Korean operators. Functionally, the implant is a credential stealer and interactive-shell backdoor that runs C2 over a Telegram Bot API polling loop, encrypts payloads with AES-GCM over a custom-pinned TLS connection, and self-redacts its own bot token from logs and crash output to deny defenders a forensic anchor. The notable development is the operational deployment of a prompt-injection component inside a production malware family; the rest of the tradecraft is largely familiar DPRK macOS engineering.

Watch for: whether a second DPRK-linked sample reuses the same 38-message scaffold verbatim, which would indicate a shared builder rather than independent invention.

Sources: SentinelLABS/SentinelOne (June 23, 2026); The Hacker News (June 24–25, 2026); Infosecurity Magazine (June 2026).


Shai-Hulud's descendants dropped their old aliases and picked a new way to hide from npm's lifecycle-script scanners

JFrog Security Research identified a new Shai-Hulud-lineage npm campaign, this time hitting 20 packages in the Leo/RStreams framework — an AWS-native event-streaming SDK pulling roughly 45,000 monthly downloads. The notable shift is mechanism, not scale: instead of the preinstall/postinstall hooks used in earlier Miasma and Hades waves, this payload triggers through binding.gyp during the node-gyp rebuild process, a path that basic scanners watching only standard lifecycle scripts won't catch. The campaign also dropped its previous branding — the GitHub exfiltration-repo markers "Miasma" and "Hades" are gone, replaced with "Alright Lets See If This Works" and a token-revocation threat reading "RevokeAndItGoesKaboom" — alongside a gated SEED_PAT environment check that looks like operator-controlled staging. This is the same broader lineage Orca Security and Zscaler ThreatLabz have tracked introducing prompt-injection text into PyPI packages on June 8 specifically to mislead LLM-based security scanners, and decoy network traffic to spoofed Anthropic API endpoints to confuse network-level analysis. That earlier wave appears to reflect the same anti-AI-analyst logic observed in Item 3, though no evidence currently links the two efforts. Attribution past TeamPCP's mid-May source release is genuinely uncertain; the toolkit is now public and copycat activity is expected.
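
The scanner gap described above exists because npm runs node-gyp rebuild at install time whenever a package ships a binding.gyp and declares no install or preinstall script of its own. The following is an added example, not JFrog's tooling or code from the campaign; it assumes the trigger uses gyp command expansions or action blocks, which the page does not specify, and the sample packages are constructed.

```python
import json
import re
import tempfile
from pathlib import Path

# gyp command expansions, <!(cmd) and <!@(cmd), run cmd while binding.gyp is evaluated
EXPANSION = re.compile(r"<!@?\(")
ACTIONS = re.compile(r"""["']actions["']\s*:""")

def scan_package(pkg_dir):
    """Return a finding for a package whose binding.gyp can run commands, else None."""
    gyp, manifest = pkg_dir / "binding.gyp", pkg_dir / "package.json"
    if not (gyp.is_file() and manifest.is_file()):
        return None
    meta = json.loads(manifest.read_text(encoding="utf-8"))
    scripts = set(meta.get("scripts") or {})
    lines = gyp.read_text(encoding="utf-8", errors="replace").splitlines()
    hits = [(n, text.strip()) for n, text in enumerate(lines, 1)
            if EXPANSION.search(text) or ACTIONS.search(text)]
    if not hits:
        return None
    return {
        "name": meta.get("name", pkg_dir.name),
        # npm defaults to `node-gyp rebuild` only when neither script is declared
        "implicit_rebuild": not ({"install", "preinstall"} & scripts),
        "declared_hooks": sorted({"preinstall", "install", "postinstall"} & scripts),
        "hits": hits,
    }

def scan_tree(root):
    found = (scan_package(m.parent) for m in sorted(Path(root).rglob("package.json")))
    return [f for f in found if f]

def build_demo_tree(root):
    samples = {  # constructed packages, not taken from the campaign
        "plain-addon": '{"targets": [{"target_name": "a", "sources": ["a.cc"]}]}',
        "constructed-addon": '{"targets": [{"target_name": "b",\n'
                             '  "sources": ["<!(node ./prepare.js)"]}]}',
    }
    for name, gyp_text in samples.items():
        pkg = Path(root) / "node_modules" / name
        pkg.mkdir(parents=True)
        (pkg / "package.json").write_text(json.dumps({"name": name, "version": "1.0.0"}))
        (pkg / "binding.gyp").write_text(gyp_text)

def demo():
    with tempfile.TemporaryDirectory() as tmp:
        build_demo_tree(tmp)
        return scan_tree(tmp)
```

Legitimate native addons also use command expansions, typically to resolve include paths, so findings are review items rather than verdicts; an empty declared_hooks with implicit_rebuild set is the combination a lifecycle-script-only scanner would pass over.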

Watch for: whether the marker rotation (away from Dune/Greek-myth branding) becomes the new baseline naming convention across future waves, which would suggest a deliberate break from prior OPSEC rather than just creative fatigue.

Sources: JFrog Security Research via Cyberpress (June 25, 2026); Orca Security blog (June 2026); Zscaler ThreatLabz (June 2026); Dark Reading (June 2026).


"Cordyceps" is a reminder that your CI/CD YAML is an attack surface, not configuration

Novee Security disclosed a systemic class of CI/CD vulnerabilities it calls Cordyceps, found across roughly 30,000 scanned high-impact GitHub repositories, with more than 300 confirmed fully exploitable by any unauthenticated, free-tier GitHub account — no org membership required. The pattern is a multi-step trust-boundary failure: untrusted input from a pull request or PR comment triggers a low-privilege workflow whose output feeds a higher-privilege workflow that authenticates to cloud infrastructure with maintainer-level permissions. Novee documented concrete chains in Microsoft's Azure Sentinel content pipeline (PR comment → non-expiring GitHub App key theft), Google's AI Agent Development Kit sample repo (single PR → full roles/owner on a GCP project), and Apache Doris (two zero-click paths to credential theft). Microsoft, Google, Cloudflare, Apache, and the Python Software Foundation have all confirmed fixes. Novee told Dark Reading explicitly that it has no evidence of the pattern being exploited at scale by any actor — this is a researcher disclosure with confirmed vendor remediation, not an active-exploitation item, and should be read that way.
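
One way to audit a repository for the two-stage shape described above, as an added example that is not Novee's scanner: it assumes the hand-off between workflows is GitHub Actions' workflow_run trigger plus an artifact download, which the page does not specify, and the workflow files are constructed.

```python
import re

UNTRUSTED = {"pull_request", "issue_comment"}
# Heuristic: matches block-style triggers ("  pull_request:") only, not inline lists.
TRIGGER = re.compile(r"^\s+(pull_request|issue_comment|workflow_run)\s*:", re.M)

def summarize(text):
    name = re.search(r"^name:\s*(.+)$", text, re.M)
    upstream = re.search(r"workflows:\s*\[(.*?)\]", text)
    return {
        "name": name.group(1).strip("\"' ") if name else "",
        "triggers": set(TRIGGER.findall(text)),
        "upstream": re.findall(r"[\"']([^\"']+)[\"']", upstream.group(1)) if upstream else [],
        # Cloud login via OIDC, or any secret other than the default token
        "privileged": bool(re.search(r"id-token:\s*write|secrets\.(?!GITHUB_TOKEN)", text)),
        "takes_artifact": "download-artifact" in text,
    }

def find_chains(workflows):
    """Return (untrusted workflow, privileged workflow) pairs joined by workflow_run."""
    info = {path: summarize(text) for path, text in workflows.items()}
    by_name = {w["name"]: path for path, w in info.items()}
    chains = []
    for path, w in info.items():
        if "workflow_run" in w["triggers"] and w["privileged"] and w["takes_artifact"]:
            chains += [(by_name[u], path) for u in w["upstream"]
                       if u in by_name and info[by_name[u]]["triggers"] & UNTRUSTED]
    return chains

SAMPLE = {  # constructed workflows, not taken from any repository named above
    "pr-build.yml": """name: PR Build
on:
  pull_request:
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/upload-artifact@v4
""",
    "publish.yml": """name: Publish Report
on:
  workflow_run:
    workflows: ["PR Build"]
permissions:
  id-token: write
jobs:
  publish:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/download-artifact@v4
""",
}
```

Each pair returned is a place where content produced under a pull request's control crosses into a job holding cloud credentials, so the downstream job should treat the artifact as untrusted input.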

Watch for: a named incident-response firm publishing the first confirmed real-world Cordyceps-pattern breach, which would convert this from disclosed-and-patched to actively-weaponized.

Sources: Novee Security blog (June 23, 2026); Dark Reading (June 2026); SecurityWeek (June 2026); The Hacker News (June 2026).


Europol shifted from targeting individual ransomware gangs to targeting the supply chain that feeds them

Europol announced the latest phase of Operation Endgame on June 24: a two-week coordinated action against StealC and Amadey — the infostealer and loader pairing Microsoft says was linked to over 140,000 infected devices in just the first two weeks of May 2026 — alongside continued cleanup of SocGholish infrastructure tied to Evil Corp. Authorities and private partners (Microsoft, Bitdefender, Proofpoint, IBM X-Force, Shadowserver, and others) took down 326 servers and 142 domains, recovered roughly 27 million stolen credentials, and flagged over €41 million ($47 million) in criminal cryptocurrency. Law enforcement from Canada, Denmark, Germany, the Netherlands, the UK, and the US participated, coordinated by Europol and Eurojust. The explicit framing from Europol is strategic: target the loader-stealer-deployment chain that feeds ransomware operators, rather than chasing individual ransomware brands after the fact. Whether this materially raises the cost of doing business for affiliates who can simply rebuild infrastructure elsewhere is not something this takedown alone can answer — that's an open question for the next few months of telemetry, not a conclusion supported by today's announcement.

Watch for: infostealer/loader replacement rates over the next 30 days as a rough proxy for how much friction this actually added.

Sources: Europol statement (June 24, 2026); Eurojust (June 2026); BleepingComputer (June 24, 2026); Infosecurity Magazine (June 24, 2026); The Hacker News (June 24, 2026).


Handala claimed it could disrupt water service to American cities. A two-week investigation found no evidence it could.

California Water Service's Mandiant-assisted investigation has concluded there is no evidence of OT or ICS compromise following Iran-linked group Handala's June 12 claim that it had breached Cal Water and could disrupt water service to several California cities. Threat intelligence firm Dataminr's contemporaneous analysis found the actual access was limited to an internet-facing GNSS correction server (RTKBase) and a customer billing database — neither of which touches water treatment or distribution — and Cal Water's own preliminary IT/OT scan reported no signs of compromise in production systems. Handala did publish roughly 5 GB of exfiltrated customer data and billing screenshots, which is a real privacy exposure, but the disruption claim itself does not hold up against the published technical evidence. BeyondTrust's Sean Malone characterized the "we could but chose not to" framing as the actual operation: a psyop layered on top of a genuine but limited data breach. Handala's own toolkit does include destructive wipers and MBR-overwrite capability used in prior campaigns (the Stryker incident), which is the basis for treating this as a heightened-risk period rather than a closed matter, not evidence this specific intrusion reached OT.

Watch for: whether Cal Water's continuing investigation or a follow-up CISA/WaterISAC advisory identifies the specific initial-access vector — that detail, not the disruption claim, is the part still unresolved.

Sources: SecurityWeek (June 25 and June 16, 2026); Industrial Cyber (June 2026); Dataminr analysis via SecurityWeek and Hackread; IT Security News (June 25, 2026).

