Critical Infrastructure RCEs, npm RAT & Post-Quantum Mandate

Critical Infrastructure RCEs, npm RAT & Post-Quantum Mandate

(00:00:00) Critical Infrastructure RCEs, npm RAT & Post-Quantum Mandate (00:00:46) Ubiquiti UniFi RCE Chain (00:01:44) npm PostCSS RAT Campaign (00:02:20) OpenAI GPT-5.5-Cyber Launch (00:02:54) Federal Post-Quantum Deadline (00:03:27) Texas Breach Watch Three critical infrastructure vulnerabilities hit Lantronix, Ubiquiti, and Cisco simultaneously — all confirmed actively exploited within 48 hours of disclosure. The Ubiquiti UniFi chain is particularly alarming: three maximum-severity flaws tracked as CVE-2026-34908, 34909, and 34910 can be chained in a single HTTP request to achieve full root access, with commodity malware already deploying the chain in the wild. Cisco's SSRF flaw in Unified Communications Manager and Lantronix's CVSS 9.8 command injection round out a trifecta that highlights how fast exploitation windows are collapsing. The npm ecosystem surfaces another supply chain threat: three PostCSS-impersonating packages used AES-256 encryption to hide a Windows RAT until runtime, bypassing static analysis and code review. Over a thousand downloads before discovery — small in number, significant in method maturity. OpenAI released GPT-5.5-Cyber to trusted defenders, already surfacing eight Linux kernel memory leaks and a 23-year-old OpenBSD flaw. The capability cuts both ways: defenders and attackers now both have access to faster vulnerability discovery tools. A new Executive Order makes post-quantum cryptography binding for federal high-value assets by December 31, 2030, with FIPS 203, 204, and 205 standards already in place. The mandate is the change — and the compliance cost runs into billions. Two Texas breaches round out the episode: Texas Parks and Wildlife lost data on three million licence holders via a vendor compromise, and Carnival Cruise disclosed a breach affecting over 800,000 Texas residents, with disclosure arriving 44 days after the incident. Cybersecurity Daily is a YesWee production, built using AI technology. This episode includes AI-generated content.

Space Surge, Icarus OAuth & Chrome Zero-Day CVE-2026-11645

(00:00:00) Space Surge, Icarus OAuth & Chrome Zero-Day CVE-2026-11645 (00:00:51) Klue Breach Hits Security Vendors (00:01:51) Bajaj Auto Ransomware Disclosed (00:02:37) FortiBleed Automated Domain Takeover (00:03:13) Five Eyes AI Warning and GPT-5.5-Cyber (00:04:13) Chrome Zero-Day CVE-2026-11645 Today's cybersecurity briefing opens with the sharpest signal in weeks: a 400% surge in cyberattacks against space infrastructure, timed to the escalation of U.S. and Israeli military operations against Iran. The attacks blend nation-state sophistication with hacktivist volume, targeting defense contractors, aerospace operators, and satellite systems in what appears to be large-scale reconnaissance — or pre-positioning for future disruption. The Icarus OAuth breach is the day's defining supply chain story. A newly attributed extortion group stole OAuth tokens via a compromised Klue-Salesforce integration, exposing CRM data at Huntress, Recorded Future, Tanium, Jamf, HackerOne, Snyk, and others. The victims are security vendors — companies whose core business is protecting others. The vector was a trusted third-party connector, not a direct attack. That's exactly what makes it so effective. India's Bajaj Auto confirmed a ransomware attack on June 23rd affecting parent systems and subsidiary BATL. Containment is ongoing; exfiltration is unconfirmed. For a manufacturer at this scale, the operational risk extends well beyond data loss into production disruption and supply chain exposure. The FortiBleed campaign demonstrates what AI-assisted exploitation looks like at scale: GPU-powered credential cracking, OpenFortiVPN pivoting, and an automated AI penetration agent achieving full domain compromise across thousands of networks. The Five Eyes alliance issued a coordinated warning the same day, flagging that frontier AI models are compressing the window from vulnerability discovery to active exploitation from years to months. Finally, a Chrome V8 zero-day — CVE-2026-11645 — is being actively exploited in the wild. Patch status is unconfirmed as of this recording. Enterprise browser policy teams should treat this as a priority item today. This episode includes AI-generated content.

Icarus OAuth Attack, Council of Europe Breach & AryStinger Botnet

(00:00:00) Icarus OAuth Attack, Council of Europe Breach & AryStinger Botnet (00:01:13) Oracle PeopleSoft Zero-Day, 100+ Victims (00:01:48) ShinyHunters Publishes Council of Europe Data (00:02:43) AryStinger Botnet Hijacks D-Link Routers (00:03:34) The Signal That Connects All Three Three major incidents dominated the past twenty-four hours, and they share a single underlying pattern: attackers exploiting the gap between trusted access and monitored access. The Icarus group compromised legacy credentials at Klue, a competitive intelligence platform, converting them into OAuth tokens that granted silent access to Salesforce data across nine cybersecurity firms — including HackerOne, Recorded Future, Snyk, and Jamf. Automated Python scripts queried the API continuously for twenty-four hours, blending into normal integration traffic. A ransom deadline of June 17th has already passed with no disclosed resolution. In a connected development, a critical Oracle PeopleSoft zero-day has been exploited across more than one hundred organisations. Attacks mimicked legitimate user sessions, bypassing anomaly detection entirely. The Council of Europe is among confirmed victims — and that breach escalated sharply when ShinyHunters published 297 gigabytes of stolen data after the Council declined to pay. The leaked files include payroll records, medical files, and bank details for approximately ten thousand employees. ShinyHunters deployed permanent torrent mirrors, explicitly framing the release as lasting until the end of time. That shift fundamentally changes the extortion calculus for every future victim: payment no longer removes the threat. Rounding out today's briefing, the AryStinger botnet has quietly compromised over 4,300 end-of-life D-Link routers — models the manufacturer abandoned — installing a Dropbear SSH backdoor for infrastructure reconnaissance rather than DDoS. Detection rates in mainstream security engines are near zero. Oracle's patch timeline remains undefined. Klue's full breach scope is unconfirmed. Affected Council of Europe employees are still awaiting notification. This is Cybersecurity Daily. This episode includes AI-generated content.

208 CVEs, Qilin Hits Telecom & GentleKiller EDR Bypass

(00:00:00) 208 CVEs, Qilin Hits Telecom & GentleKiller EDR Bypass (00:00:56) Qilin Claims Q Link Wireless (00:01:37) GentleKiller EDR Bypass Toolkit (00:02:24) Microsoft Teams Abused for C2 (00:02:53) DORA and CIRCIA Tighten Rules (00:03:37) Key Watchpoints This Cycle This episode covers six critical cybersecurity developments from the past 24 hours — from a Windows regression shipping inside Microsoft's own security patches, to ransomware hitting U.S. telecom infrastructure. Microsoft's latest Patch Tuesday addressed 208 vulnerabilities, but the same update introduced a Recycle Bin display bug exposing internal filenames across every supported Windows version — from Windows 10 through Server 2012. No rollback timeline has been issued, leaving enterprise administrators without clear remediation guidance. The Qilin ransomware group publicly claimed responsibility for breaching Q Link Wireless, a major U.S. telecom provider, in a move that signals a deliberate shift toward high-visibility critical infrastructure targets. Details on data exfiltrated and ransom demands remain undisclosed. A May 2026 internal leak exposed GentleKiller, a professionally maintained toolkit that disables over 400 EDR processes by exploiting signed but vulnerable drivers — bypassing kernel-level protections without triggering standard detection logic. The leak has made its operational details publicly available, raising urgent questions about active affiliate campaigns. A ransomware group also abused Microsoft Teams relay infrastructure between June 14–20 to hide command-and-control traffic inside legitimate enterprise application activity — a technique that defeats standard perimeter controls. On the regulatory front, EU financial regulators published their first DORA ICT incident overview, marking a shift from expectation to active enforcement. In the U.S., CISA continued public consultations to finalise the federal cyber incident reporting rule under CIRCIA. This podcast was built using AI technology. A YesWee production. This episode includes AI-generated content.

Credentials Meet CVE Data, FortiBleed & SocGholish Dismantled

(00:00:00) Credentials Meet CVE Data, FortiBleed & SocGholish Dismantled (00:01:17) FortiBleed Exposes Firewall Credentials (00:01:52) SocGholish Botnet Dismantled (00:02:42) Conti Operator Guilty Plea (00:03:13) CISA Doctrine Shift to Resilience (00:03:46) Novo Nordisk and GitHub Access Risk (00:04:10) White House AI Security Framework The cybersecurity threat landscape shifted in a meaningful way today. A 24-billion-password credential database has been indexed against known CVE data, turning opportunistic credential stuffing into a prioritised, exploit-driven attack model. Security teams managing unpatched systems face compounded risk: exposed credentials plus a flagged vulnerability in the same lookup table. Changing passwords alone is insufficient while millions of infostealer-infected machines may still be actively harvesting data. In parallel, the FortiBleed exposure has put 74,000 Fortinet firewall admin credentials into attacker hands. CISA is urging immediate incident-response-level action: terminate sessions, reset credentials, enforce phishing-resistant MFA, and restrict management interfaces to internal hosts only. On the enforcement side, the SocGholish botnet — also known as FakeUpdates — was dismantled after seven years of operation, with 15,000 compromised sites remediated and 106 servers seized. The botnet served as a primary initial-access channel for LockBit, DoppelPaymer, and RansomHub. Separately, Ukrainian national Oleksii Lytvynenko pleaded guilty to Conti ransomware development, facing up to 20 years at a September 2026 sentencing. CISA's acting director publicly shifted doctrine this week: critical infrastructure disruption by China and Russia is now treated as inevitable, with planning moving from prevention to resilience. Novo Nordisk disclosed a breach traced to a single compromised GitHub access token — a reminder that developer credentials are a systematically underprotected attack surface. And the White House and Anthropic are negotiating an AI security assessment framework following a jailbreak dispute, with no consensus yet on severity definitions or export control triggers. This episode includes AI-generated content.