Multiple Supply Chain Attacks Rattle Tech Sector as Ransomware and Credential Abuse Campaigns Continue

A joint warning from the Five Eyes intelligence alliance, including the NSA and CISA, states that advanced AI hacking models will be publicly available 'within months,' not years. This significantly accelerates the timeline for AI-driven cyber threats, with specific frontier models like Anthropic's 'Fable 5' and OpenAI's 'Daybreak' cited. The alliance urges global organizations, especially critical infrastructure, to immediately re-evaluate risk assessments, invest in AI-driven defenses, and update incident response plans to counter increased attack velocity and the democratization of sophisticated threats.

International cybersecurity agencies, including CISA, have issued a joint advisory regarding the ongoing FortiBleed campaign. This update reinforces the widespread nature of the threat, emphasizing that attackers are leveraging credential stuffing (T1110.004) and password guessing (T1110.001) against Fortinet devices. The advisory highlights the critical importance of phishing-resistant MFA and provides additional D3FEND techniques for detection and mitigation, underscoring the continued focus on poor credential hygiene rather than zero-day exploits. Organizations are urged to assume exposure and implement immediate hardening measures.

New details reveal the Klue supply chain breach originated from a compromised legacy credential, allowing attackers to inject malicious code and harvest OAuth tokens. The Icarus group used these tokens to access not only Salesforce but also Gong environments of customers. High-profile victims now include Huntress, Recorded Future, Tanium, Jamf, Sprout Social, and Insurity. The incident was detected on June 11, 2026, highlighting the cascading risks in interconnected SaaS ecosystems and the need for robust credential management. The report also provides specific cyber observables for detection.

Further analysis of 'The Gentlemen' ransomware attack on Mackay Sugar reveals the group's advanced tactics. They utilize a custom Go-based encryptor with worm-like capabilities for rapid network propagation and an EDR-evasion suite called 'GentleKiller' to disable security tools. The attack specifically targeted IT systems, encrypting critical scheduling and historian databases, which forced the shutdown of OT operations due to a loss of operational visibility. This highlights a sophisticated understanding of IT/OT convergence and the ability to cause kinetic effects without directly compromising industrial control systems. The group operates a RaaS model, is a splinter from Qilin, and actively recruits affiliates, posing a significant threat to industrial sectors.

The Texas Parks and Wildlife Department data breach, stemming from a third-party vendor, now confirms 3,087,721 affected individuals, a more precise figure than initially reported. In addition to driver's license and passport numbers, email addresses have been explicitly identified as part of the compromised data. This update reinforces the significant risk of identity theft and targeted phishing for license holders. The incident continues to highlight critical third-party supply chain risks.

New analysis by Check Point Research reveals that the supply chain attack on ShapedPlugin distributed a hidden, fake WooCommerce plugin. This malicious payload is specifically designed to steal critical credentials, including WordPress administrator logins, database credentials, and two-factor authentication (2FA) codes. It also grants attackers the ability to modify website content, leading to potential complete site takeover, data breaches, and financial loss for e-commerce sites. This update provides crucial details on the specific malware functionality and its severe implications, affecting three of ShapedPlugin's paid plugins.