GitHub Poisoned at Scale: Megalodon, Laravel-Lang & YellowKey BitLocker

AI Dev Tool Backdoors, Europe's Ransomware Surge & Dark Web AI Explosion

(00:00:00) AI Dev Tool Backdoors, Europe's Ransomware Surge & Dark Web AI Explosion (00:00:38) MCP Implicit Trust Problem (00:01:22) European Ransomware Supply Chain Surge (00:02:12) Dark Web AI Tool Explosion (00:03:07) SIP Telephony Industrialized Exploitation (00:03:34) Watchpoints and Closing A critical vulnerability in AI developer tooling is rewriting the threat model for software teams worldwide. CVE-2026-12957 in Amazon Q Developer allows a malicious config file to execute arbitrary code using the developer's live AWS credentials — silently, with no prompt. But the story is bigger than one vendor: Claude Code, Cursor, and Windsurf carry structurally identical flaws, all rooted in the Model Context Protocol's implicit trust of project-level config files. Patches are available for Amazon Q Developer; the open question is how many other MCP-compatible tools share the same dangerous assumption. In Europe, ransomware disclosures jumped 55% in the first four months of 2026 versus the same period in 2025. The dominant vector is supply chain compromise: a single third-party breach chain hit 64 organisations and exposed over one million personal records. Qilin is now active across 26 of 31 European countries, putting NIS2 and DORA compliance programs under real operational pressure. On the threat democratisation front, dark web posts referencing AI hacking tools surged from 38 in December 2025 to roughly 1,500 by February 2026 — a 40-fold increase. WormGPT is now freemium. Voice cloning from three seconds of audio succeeds in over 90% of social engineering attempts. The floor for capable attacks has dropped sharply. Finally, a honeypot monitoring SIP telephony systems recorded 1.86 million credential attempts in just 18 days alongside 90,000 toll-fraud call attempts — evidence that enterprise phone infrastructure is being monetised at industrial scale. Today's through-line: implicit trust, in config files, supplier relationships, and telephony auth, is being exploited methodically and at volume. This episode includes AI-generated content.

ShinyHunters Hits NAIC, PQC Federal Mandate & US Breach Costs Peak

(00:00:00) ShinyHunters Hits NAIC, PQC Federal Mandate & US Breach Costs Peak (00:01:19) ShinyHunters Breaches NAIC (00:02:12) Post-Quantum Cryptography Federal Mandate (00:03:07) Mexico's Six-Year Cybersecurity Plan (00:03:34) US Breach Costs Hit Record High Today's briefing opens with two actively exploited device families — Lantronix EDS5000 and Ubiquiti UniFi OS — now under a 72-hour federal patch deadline set by CISA for June 26th. The Lantronix flaw (CVE-2025-67038, CVSS 9.8) allows root-level OS command execution, while three chained Ubiquiti flaws are already delivering reverse shells in the wild via a Bishop Fox proof-of-concept. The insurance sector's primary US regulator, the National Association of Insurance Commissioners, confirmed a breach by ShinyHunters, who claim to have stolen 3.1 terabytes of data through an Oracle PeopleSoft zero-day. The NAIC disputes the full scope, but the FBI is now involved — and the sensitivity of state-level regulatory data makes this a high-value target regardless of exact volume. The White House signed an executive order on June 25th establishing the first binding federal mandate for post-quantum cryptography migration. Agencies must adopt NIST-approved PQC algorithms for key establishment by end of 2030 and digital signatures by end of 2031 — a tight timeline driven by harvest-now, decrypt-later threats from state-level adversaries. Mexico's Congress approved a National Cybersecurity Plan running 2025 through 2030, including a national cyber range and a Latin America incident response hub, though institutional durability remains an open question. Finally, a new industry report shows global average data breach costs fell 9% to $4.44 million — but US costs hit an all-time high of $10.22 million per breach, driven by healthcare exposure, financial regulation, and 50-state notification complexity. Organizations with AI-driven security tooling averaged $1.9 million less per breach. This episode includes AI-generated content.

Critical Infrastructure RCEs, npm RAT & Post-Quantum Mandate

(00:00:00) Critical Infrastructure RCEs, npm RAT & Post-Quantum Mandate (00:00:46) Ubiquiti UniFi RCE Chain (00:01:44) npm PostCSS RAT Campaign (00:02:20) OpenAI GPT-5.5-Cyber Launch (00:02:54) Federal Post-Quantum Deadline (00:03:27) Texas Breach Watch Three critical infrastructure vulnerabilities hit Lantronix, Ubiquiti, and Cisco simultaneously — all confirmed actively exploited within 48 hours of disclosure. The Ubiquiti UniFi chain is particularly alarming: three maximum-severity flaws tracked as CVE-2026-34908, 34909, and 34910 can be chained in a single HTTP request to achieve full root access, with commodity malware already deploying the chain in the wild. Cisco's SSRF flaw in Unified Communications Manager and Lantronix's CVSS 9.8 command injection round out a trifecta that highlights how fast exploitation windows are collapsing. The npm ecosystem surfaces another supply chain threat: three PostCSS-impersonating packages used AES-256 encryption to hide a Windows RAT until runtime, bypassing static analysis and code review. Over a thousand downloads before discovery — small in number, significant in method maturity. OpenAI released GPT-5.5-Cyber to trusted defenders, already surfacing eight Linux kernel memory leaks and a 23-year-old OpenBSD flaw. The capability cuts both ways: defenders and attackers now both have access to faster vulnerability discovery tools. A new Executive Order makes post-quantum cryptography binding for federal high-value assets by December 31, 2030, with FIPS 203, 204, and 205 standards already in place. The mandate is the change — and the compliance cost runs into billions. Two Texas breaches round out the episode: Texas Parks and Wildlife lost data on three million licence holders via a vendor compromise, and Carnival Cruise disclosed a breach affecting over 800,000 Texas residents, with disclosure arriving 44 days after the incident. Cybersecurity Daily is a YesWee production, built using AI technology. This episode includes AI-generated content.

Space Surge, Icarus OAuth & Chrome Zero-Day CVE-2026-11645

(00:00:00) Space Surge, Icarus OAuth & Chrome Zero-Day CVE-2026-11645 (00:00:51) Klue Breach Hits Security Vendors (00:01:51) Bajaj Auto Ransomware Disclosed (00:02:37) FortiBleed Automated Domain Takeover (00:03:13) Five Eyes AI Warning and GPT-5.5-Cyber (00:04:13) Chrome Zero-Day CVE-2026-11645 Today's cybersecurity briefing opens with the sharpest signal in weeks: a 400% surge in cyberattacks against space infrastructure, timed to the escalation of U.S. and Israeli military operations against Iran. The attacks blend nation-state sophistication with hacktivist volume, targeting defense contractors, aerospace operators, and satellite systems in what appears to be large-scale reconnaissance — or pre-positioning for future disruption. The Icarus OAuth breach is the day's defining supply chain story. A newly attributed extortion group stole OAuth tokens via a compromised Klue-Salesforce integration, exposing CRM data at Huntress, Recorded Future, Tanium, Jamf, HackerOne, Snyk, and others. The victims are security vendors — companies whose core business is protecting others. The vector was a trusted third-party connector, not a direct attack. That's exactly what makes it so effective. India's Bajaj Auto confirmed a ransomware attack on June 23rd affecting parent systems and subsidiary BATL. Containment is ongoing; exfiltration is unconfirmed. For a manufacturer at this scale, the operational risk extends well beyond data loss into production disruption and supply chain exposure. The FortiBleed campaign demonstrates what AI-assisted exploitation looks like at scale: GPU-powered credential cracking, OpenFortiVPN pivoting, and an automated AI penetration agent achieving full domain compromise across thousands of networks. The Five Eyes alliance issued a coordinated warning the same day, flagging that frontier AI models are compressing the window from vulnerability discovery to active exploitation from years to months. Finally, a Chrome V8 zero-day — CVE-2026-11645 — is being actively exploited in the wild. Patch status is unconfirmed as of this recording. Enterprise browser policy teams should treat this as a priority item today. This episode includes AI-generated content.

Icarus OAuth Attack, Council of Europe Breach & AryStinger Botnet

(00:00:00) Icarus OAuth Attack, Council of Europe Breach & AryStinger Botnet (00:01:13) Oracle PeopleSoft Zero-Day, 100+ Victims (00:01:48) ShinyHunters Publishes Council of Europe Data (00:02:43) AryStinger Botnet Hijacks D-Link Routers (00:03:34) The Signal That Connects All Three Three major incidents dominated the past twenty-four hours, and they share a single underlying pattern: attackers exploiting the gap between trusted access and monitored access. The Icarus group compromised legacy credentials at Klue, a competitive intelligence platform, converting them into OAuth tokens that granted silent access to Salesforce data across nine cybersecurity firms — including HackerOne, Recorded Future, Snyk, and Jamf. Automated Python scripts queried the API continuously for twenty-four hours, blending into normal integration traffic. A ransom deadline of June 17th has already passed with no disclosed resolution. In a connected development, a critical Oracle PeopleSoft zero-day has been exploited across more than one hundred organisations. Attacks mimicked legitimate user sessions, bypassing anomaly detection entirely. The Council of Europe is among confirmed victims — and that breach escalated sharply when ShinyHunters published 297 gigabytes of stolen data after the Council declined to pay. The leaked files include payroll records, medical files, and bank details for approximately ten thousand employees. ShinyHunters deployed permanent torrent mirrors, explicitly framing the release as lasting until the end of time. That shift fundamentally changes the extortion calculus for every future victim: payment no longer removes the threat. Rounding out today's briefing, the AryStinger botnet has quietly compromised over 4,300 end-of-life D-Link routers — models the manufacturer abandoned — installing a Dropbear SSH backdoor for infrastructure reconnaissance rather than DDoS. Detection rates in mainstream security engines are near zero. Oracle's patch timeline remains undefined. Klue's full breach scope is unconfirmed. Affected Council of Europe employees are still awaiting notification. This is Cybersecurity Daily. This episode includes AI-generated content.