Cybersecurity Daily: News & Threats

GitHub Poisoned at Scale: Megalodon, Laravel-Lang & YellowKey BitLocker

5 min · 25 May 2026

Description

  • (00:00:00) GitHub Poisoned at Scale: Megalodon, Laravel-Lang & YellowKey BitLocker
  • (00:00:46) Infostealers Confirmed as Entry Point
  • (00:01:29) Laravel-Lang and Packagist Widen Blast Radius
  • (00:02:27) npm Staged Publishing Goes Live
  • (00:03:07) YellowKey BitLocker Bypass Mitigation
  • (00:03:47) What to Watch Next

In one of the most technically revealing supply chain disclosures of the year, researchers have confirmed that infostealer malware on developer machines was the direct pipeline into Megalodon — a campaign that poisoned 5,561 GitHub repositories across a single six-hour window, injecting malicious CI/CD workflows into 5,718 commits to silently exfiltrate CI secrets, cloud credentials, SSH keys, and OIDC tokens. Analysis of affected accounts found that 33% matched machines with known infostealer infections, turning a credential-theft problem into a confirmed first stage of supply chain compromise.

Two days later, attackers rewrote git tags across more than 700 versions of Laravel-Lang PHP packages, injecting a cross-platform credential stealer targeting Windows, Linux, and macOS. In the same window, eight Composer packages on Packagist were compromised via postinstall hooks that fetched and executed external Linux binaries — scope still unresolved after the payload repository was taken down.

GitHub responded on May 23rd with npm's new staged publishing model, requiring two-factor approval before package publication, alongside install flags to block external binary fetches. Whether enterprise adoption keeps pace with attacker adaptation is the critical open question.

Also covered: Microsoft's May 20th mitigation for CVE-2026-45585, the YellowKey BitLocker bypass that allows physical-access attackers to defeat drive encryption via WinRE — and why migrating enterprises from TPM-only to TPM-plus-PIN at scale is the harder half of the fix.

This is Cybersecurity Daily. A YesWee production, built using AI technology. This episode includes AI-generated content.


All episodes

46 episodes

Space Surge, Icarus OAuth & Chrome Zero-Day CVE-2026-11645

  • (00:00:00) Space Surge, Icarus OAuth & Chrome Zero-Day CVE-2026-11645
  • (00:00:51) Klue Breach Hits Security Vendors
  • (00:01:51) Bajaj Auto Ransomware Disclosed
  • (00:02:37) FortiBleed Automated Domain Takeover
  • (00:03:13) Five Eyes AI Warning and GPT-5.5-Cyber
  • (00:04:13) Chrome Zero-Day CVE-2026-11645

Today's cybersecurity briefing opens with the sharpest signal in weeks: a 400% surge in cyberattacks against space infrastructure, timed to the escalation of U.S. and Israeli military operations against Iran. The attacks blend nation-state sophistication with hacktivist volume, targeting defense contractors, aerospace operators, and satellite systems in what appears to be large-scale reconnaissance — or pre-positioning for future disruption.

The Icarus OAuth breach is the day's defining supply chain story. A newly attributed extortion group stole OAuth tokens via a compromised Klue-Salesforce integration, exposing CRM data at Huntress, Recorded Future, Tanium, Jamf, HackerOne, Snyk, and others. The victims are security vendors — companies whose core business is protecting others. The vector was a trusted third-party connector, not a direct attack. That's exactly what makes it so effective.

India's Bajaj Auto confirmed a ransomware attack on June 23rd affecting parent systems and subsidiary BATL. Containment is ongoing; exfiltration is unconfirmed. For a manufacturer at this scale, the operational risk extends well beyond data loss into production disruption and supply chain exposure.

The FortiBleed campaign demonstrates what AI-assisted exploitation looks like at scale: GPU-powered credential cracking, OpenFortiVPN pivoting, and an automated AI penetration agent achieving full domain compromise across thousands of networks. The Five Eyes alliance issued a coordinated warning the same day, flagging that frontier AI models are compressing the window from vulnerability discovery to active exploitation from years to months.

Finally, a Chrome V8 zero-day — CVE-2026-11645 — is being actively exploited in the wild. Patch status is unconfirmed as of this recording. Enterprise browser policy teams should treat this as a priority item today. This episode includes AI-generated content.

24 June 2026 · 6 min

Icarus OAuth Attack, Council of Europe Breach & AryStinger Botnet

  • (00:00:00) Icarus OAuth Attack, Council of Europe Breach & AryStinger Botnet
  • (00:01:13) Oracle PeopleSoft Zero-Day, 100+ Victims
  • (00:01:48) ShinyHunters Publishes Council of Europe Data
  • (00:02:43) AryStinger Botnet Hijacks D-Link Routers
  • (00:03:34) The Signal That Connects All Three

Three major incidents dominated the past twenty-four hours, and they share a single underlying pattern: attackers exploiting the gap between trusted access and monitored access.

The Icarus group compromised legacy credentials at Klue, a competitive intelligence platform, converting them into OAuth tokens that granted silent access to Salesforce data across nine cybersecurity firms — including HackerOne, Recorded Future, Snyk, and Jamf. Automated Python scripts queried the API continuously for twenty-four hours, blending into normal integration traffic. A ransom deadline of June 17th has already passed with no disclosed resolution.

In a connected development, a critical Oracle PeopleSoft zero-day has been exploited across more than one hundred organisations. Attacks mimicked legitimate user sessions, bypassing anomaly detection entirely. The Council of Europe is among confirmed victims — and that breach escalated sharply when ShinyHunters published 297 gigabytes of stolen data after the Council declined to pay. The leaked files include payroll records, medical files, and bank details for approximately ten thousand employees. ShinyHunters deployed permanent torrent mirrors, explicitly framing the release as lasting until the end of time. That shift fundamentally changes the extortion calculus for every future victim: payment no longer removes the threat.

Rounding out today's briefing, the AryStinger botnet has quietly compromised over 4,300 end-of-life D-Link routers — models the manufacturer abandoned — installing a Dropbear SSH backdoor for infrastructure reconnaissance rather than DDoS. Detection rates in mainstream security engines are near zero.

Oracle's patch timeline remains undefined. Klue's full breach scope is unconfirmed. Affected Council of Europe employees are still awaiting notification. This is Cybersecurity Daily. This episode includes AI-generated content.

Yesterday · 4 min

208 CVEs, Qilin Hits Telecom & GentleKiller EDR Bypass

  • (00:00:00) 208 CVEs, Qilin Hits Telecom & GentleKiller EDR Bypass
  • (00:00:56) Qilin Claims Q Link Wireless
  • (00:01:37) GentleKiller EDR Bypass Toolkit
  • (00:02:24) Microsoft Teams Abused for C2
  • (00:02:53) DORA and CIRCIA Tighten Rules
  • (00:03:37) Key Watchpoints This Cycle

This episode covers six critical cybersecurity developments from the past 24 hours — from a Windows regression shipping inside Microsoft's own security patches, to ransomware hitting U.S. telecom infrastructure.

Microsoft's latest Patch Tuesday addressed 208 vulnerabilities, but the same update introduced a Recycle Bin display bug exposing internal filenames across every supported Windows version — from Windows 10 through Server 2012. No rollback timeline has been issued, leaving enterprise administrators without clear remediation guidance.

The Qilin ransomware group publicly claimed responsibility for breaching Q Link Wireless, a major U.S. telecom provider, in a move that signals a deliberate shift toward high-visibility critical infrastructure targets. Details on data exfiltrated and ransom demands remain undisclosed.

A May 2026 internal leak exposed GentleKiller, a professionally maintained toolkit that disables over 400 EDR processes by exploiting signed but vulnerable drivers — bypassing kernel-level protections without triggering standard detection logic. The leak has made its operational details publicly available, raising urgent questions about active affiliate campaigns.

A ransomware group also abused Microsoft Teams relay infrastructure between June 14–20 to hide command-and-control traffic inside legitimate enterprise application activity — a technique that defeats standard perimeter controls.

On the regulatory front, EU financial regulators published their first DORA ICT incident overview, marking a shift from expectation to active enforcement. In the U.S., CISA continued public consultations to finalise the federal cyber incident reporting rule under CIRCIA.

This podcast was built using AI technology. A YesWee production. This episode includes AI-generated content.

22 June 2026 · 4 min

Credentials Meet CVE Data, FortiBleed & SocGholish Dismantled

  • (00:00:00) Credentials Meet CVE Data, FortiBleed & SocGholish Dismantled
  • (00:01:17) FortiBleed Exposes Firewall Credentials
  • (00:01:52) SocGholish Botnet Dismantled
  • (00:02:42) Conti Operator Guilty Plea
  • (00:03:13) CISA Doctrine Shift to Resilience
  • (00:03:46) Novo Nordisk and GitHub Access Risk
  • (00:04:10) White House AI Security Framework

The cybersecurity threat landscape shifted in a meaningful way today. A 24-billion-password credential database has been indexed against known CVE data, turning opportunistic credential stuffing into a prioritised, exploit-driven attack model. Security teams managing unpatched systems face compounded risk: exposed credentials plus a flagged vulnerability in the same lookup table. Changing passwords alone is insufficient while millions of infostealer-infected machines may still be actively harvesting data.

In parallel, the FortiBleed exposure has put 74,000 Fortinet firewall admin credentials into attacker hands. CISA is urging immediate incident-response-level action: terminate sessions, reset credentials, enforce phishing-resistant MFA, and restrict management interfaces to internal hosts only.

On the enforcement side, the SocGholish botnet — also known as FakeUpdates — was dismantled after seven years of operation, with 15,000 compromised sites remediated and 106 servers seized. The botnet served as a primary initial-access channel for LockBit, DoppelPaymer, and RansomHub. Separately, Ukrainian national Oleksii Lytvynenko pleaded guilty to Conti ransomware development, facing up to 20 years at a September 2026 sentencing.

CISA's acting director publicly shifted doctrine this week: critical infrastructure disruption by China and Russia is now treated as inevitable, with planning moving from prevention to resilience. Novo Nordisk disclosed a breach traced to a single compromised GitHub access token — a reminder that developer credentials are a systematically underprotected attack surface.

And the White House and Anthropic are negotiating an AI security assessment framework following a jailbreak dispute, with no consensus yet on severity definitions or export control triggers. This episode includes AI-generated content.

21 June 2026 · 5 min

Splunk RCE Exploited & Icarus OAuth Attack Hit CRM Data

  • (00:00:00) Splunk RCE Exploited & Icarus OAuth Attack Hit CRM Data
  • (00:00:37) CVE-2026-20253 Exploit Chain
  • (00:01:49) Klue OAuth Token Compromise
  • (00:02:33) Why OAuth Tokens Bypass Defenses
  • (00:03:06) SaaS Supply Chain Scale
  • (00:03:27) What To Watch Now

A critical Splunk Enterprise vulnerability is now confirmed under active exploitation — and the implications reach far beyond a single server. CVE-2026-20253 carries a CVSS score of 9.8 and enables unauthenticated remote code execution through an unprotected PostgreSQL sidecar service. Federal agencies face a June 21 patch deadline, but organisations running vulnerable versions before Splunk's June 10 advisory may already be compromised. Because Splunk sits at the centre of security visibility — indexing logs, feeding detection pipelines, holding credentials — a successful intrusion lets attackers see what your security team sees, erase forensic evidence, and move laterally at scale.

Running in parallel, threat actor Icarus used a stolen legacy credential to compromise OAuth tokens at competitive intelligence vendor Klue. Those tokens gave Icarus legitimate, passwordless access to the Salesforce environments of Huntress, Jamf, Recorded Future, and Tanium — running automated data extraction loops for 24 hours without triggering alarms. Salesforce wasn't breached; trusted OAuth tokens were simply abused. Integration service accounts held broad permissions with no MFA, no behavioural baseline, and no rotation cadence to limit a stolen token's useful life.

Together these stories illustrate the defining challenge of modern enterprise security: third-party breaches now account for 30% of all incidents, doubled year-over-year. One compromised vendor credential can simultaneously unlock multiple downstream customers. The attack surface isn't a firewall gap — it's the trusted integrations organisations rely on every day.

Key indicators to hunt: unusual PostgreSQL connection parameters in Splunk, unexpected database dumps, outbound Splunk connections to unknown hosts, and unreviewed OAuth token grants across SaaS integrations. This episode includes AI-generated content.

20 June 2026 · 5 min