This Week in Cybersecurity: North Korea's 88-Minute npm Heist, FortiBleed's 86,000 Cracked VPN Logins, and Tata Electronics Leaks Apple and Tesla Trade Secrets

Explore this content with AI:

ChatGPT | Perplexity | Claude | Google AI Mode

North Korean Sapphire Sleet poisons 144 Mastra AI npm packages in 88-minute supply chain attack

On June 17, 2026, a North Korean threat actor Microsoft tracks as Sapphire Sleet — a financially motivated sub-cluster operating under the Lazarus Group umbrella within North Korea's Reconnaissance General Bureau — executed a rapid supply chain attack against the Mastra AI framework's npm package ecosystem. The vector was straightforward: an attacker compromised the npm account of "ehindero," a former Mastra contributor whose publishing privileges had never been revoked, and then used that access to publish poisoned updates for 144 packages across the @mastra scope in just 88 minutes. Each poisoned version injected a new dependency — "easy-day-js," a typosquat of the legitimate dayjs date library — that fired a postinstall hook on every developer machine that ran npm install. Socket's automated tooling flagged the malicious package within six minutes of publication; even so, packages with a combined weekly download count exceeding 1.1 million were exposed before the campaign was contained.

The payload was a cross-platform information stealer targeting Windows, macOS, and Linux. It disabled TLS certificate verification, contacted attacker-controlled command-and-control infrastructure, and dropped a second-stage remote access trojan designed to sweep credentials, authentication tokens, AI API keys, and the presence of 166 cryptocurrency wallet browser extensions — including MetaMask, Phantom, Coinbase Wallet, Binance Wallet, and TronLink. Attribution to Sapphire Sleet was confirmed by Microsoft Threat Intelligence, Snyk, and Orca Security, all of whom identified payload tradecraft consistent with the group's prior Lazarus Group cryptocurrency-targeting campaigns. Microsoft published its attribution analysis the same day as the attack.

Why it matters: This attack is a direct continuation of the 2026 pattern — Sapphire Sleet also compromised Axios npm packages in April — in which North Korean APTs target the AI developer toolchain specifically to harvest the tokens and keys that underpin enterprise AI workflows. The lesson from this attack is not "don't use open-source dependencies." It is "your dependency graph almost certainly contains accounts with publish rights that belong to former contributors, contractors, or employees, and those accounts are targets." Audit your package access controls now, not after a compromise.

Read more at The Hacker News

FortiBleed campaign exposes more than 73,000 working Fortinet VPN credentials cracked by a 45-GPU cluster

Between June 18 and June 22, 2026, a Russian-speaking multi-operator threat group — operating under the campaign name FortiBleed — assembled a database of working administrator credentials for more than 73,000 internet-facing Fortinet FortiGate firewall and SSL VPN gateway devices across 194 countries (with some researchers placing the figure closer to 86,000). The operation did not exploit a new vulnerability. Instead, the group conducted approximately 1.16 billion authentication attempts against over 320,000 identified FortiGate targets, intercepted SSL VPN authentication hashes from responding devices, and cracked them using a 45-GPU cluster managed through Hashtopolis — a distributed hash-cracking orchestration platform. The recovered credentials include plaintext VPN usernames and passwords linked to 21,632 unique domains, along with partial firewall configuration data. CISA issued an advisory on June 18, urging organizations to immediately harden Fortinet devices. Verified victims include AT&T, Chevron, Samsung, Siemens, and multiple government agencies.

The exposure is not theoretical: the dataset is actively circulating in criminal underground communities. Researchers from Arctic Wolf and Recorded Future, who analyzed samples, confirmed that the credentials resolve to live, internet-reachable FortiGate systems as of mid-June. The FortiBleed campaign is the fourth Fortinet-targeting event of 2026 — following AI-assisted automated exploitation in February, a FortiClient EMS endpoint manager takeover in June, and ongoing FortiSandbox appliance exploitation beginning June 15 — suggesting a persistent, organized effort against Fortinet's product line. No new patch is available because no new vulnerability is required; the attack weaponizes weak or reused passwords against devices that are already internet-exposed.

Why it matters: A working username and password for a FortiGate SSL VPN is an initial access broker's most portable asset — it bypasses perimeter controls entirely and drops an attacker directly onto an internal network segment. A contributing factor is a known FortiOS behavior: devices upgraded from older firmware versions retain administrator passwords as weak SHA-256 hashes until the account holder manually logs in after the upgrade, making those credentials disproportionately vulnerable to offline cracking. Every organization running an internet-facing FortiGate device should immediately terminate all active VPN and administrative sessions, reset every Fortinet account credential (prioritizing accounts with admin or full-access privileges), verify that multi-factor authentication is enforced, and audit which legacy IKEv1 configurations remain enabled. If you cannot complete that checklist today, treat active sessions as potentially adversary-controlled.

Read more at Recorded Future

Tata Electronics confirms breach as World Leaks publishes 630 GB of alleged Apple and Tesla trade secrets

This Tuesday morning, June 23, Tata Electronics — the Indian conglomerate that manufactures iPhone components and acts as a key Apple supply chain partner — confirmed a "cybersecurity incident" after the World Leaks ransomware group published more than 200,000 files totaling 630 gigabytes on a dark web leak site. Cybernews researchers who reviewed the data confirmed the files include a 52-page document bearing Apple's proprietary markings and describing quality inspection standards for iPhone circuit board components, multiple Tesla engineering documents labeled "TRADE SECRET" including drawings for an upgraded Tesla Model Y chargeport controller and internal project blueprints for the Model 3 "Highland" program, as well as employee records including email correspondence, multi-year event logs, and passport scans of employees including foreign nationals. Tata Electronics said it identified the incident several weeks ago and that "response protocols were deployed immediately, with the incident having no impact on operations across businesses." Apple is investigating, and Tata has received a ransom demand from World Leaks.

World Leaks is a relatively new ransomware group that first surfaced in late 2025 and, in several confirmed cases, has taken a data-extortion approach rather than an encryption-first one. The Tata breach follows the ShinyHunters Council of Europe payroll breach covered here last week, where a similar data-first, extortion-second method was used against a government institution. No attribution has been publicly confirmed for the Tata incident; Tata Electronics has not named a threat actor, and World Leaks has not disclosed an attack methodology.

Why it matters: Apple and Tesla manufacturing documentation is among the most commercially sensitive material in global electronics supply chains — specifications, tolerances, and component blueprints represent years of engineering investment and, in some cases, regulatory commitments tied to product certification. For security teams at companies operating in the defense, automotive, or consumer electronics supply chains, this breach is a reminder that your organization's risk profile is shaped not only by your own security posture but by every vendor, contract manufacturer, and logistics partner in your ecosystem. Third-party risk assessments need to account for data residency: if a partner holds your engineering files, your IP is only as protected as their security program.

Read more at CNBC

FFmpeg PixelSmash (CVE-2026-8461): Watching a malicious video file achieves remote code execution

On June 17, 2026, FFmpeg released version 8.1.2, patching a critical vulnerability in the MagicYUV video decoder within libavcodec — the core codec library embedded in virtually every application that processes media on Linux, macOS, and Windows. The flaw, CVE-2026-8461 (CVSS 8.8), dubbed "PixelSmash" by researchers at JFrog who discovered it on May 13 and reported it to the FFmpeg security team, is a heap out-of-bounds write caused by an inconsistency between how FFmpeg's frame allocator and the MagicYUV decoder independently compute chroma plane heights when processing video slices. The mismatch allows an attacker-crafted AVI, MKV, or MOV file to write beyond the allocated heap buffer. JFrog's research team demonstrated that the vulnerability can be escalated from crash to reliable remote code execution on unpatched Jellyfin 10.11.9 media server instances and Nextcloud installations; additional affected applications include Kodi, mpv, Emby, PhotoPrism, OBS Studio, and any Linux file manager that generates video thumbnails using libavcodec.

The attack surface is unusually broad because FFmpeg is a foundational dependency — it is embedded not as an explicit application feature but as a library component, meaning many users and administrators are unaware that a media file they receive by email, messaging platform, or shared drive could trigger it. The fix is FFmpeg 8.1.2 or later. Organizations running self-hosted Jellyfin, Nextcloud, or Emby should prioritize this patch; administrators of CI/CD pipelines that process user-uploaded media are also exposed.

Why it matters: The practical attack scenario for PixelSmash is not a targeted exploit but a drive-by attack: a malicious video file distributed via a file-sharing service, a phishing email attachment, or even an auto-generating thumbnail in a web-accessible media folder. The "just watching a video" attack surface has a long history of exploitation, and this flaw follows that pattern almost exactly. Upgrade FFmpeg to 8.1.2, audit whether any of your self-hosted media applications have it as a dependency, and disable thumbnail auto-generation for untrusted media libraries until patching is complete.

Read more at BleepingComputer

Fifteen malicious JetBrains IDE plugins steal AI API keys from 70,000 developer installs

On June 16–17, 2026, JetBrains removed 15 malicious plugins from its Marketplace after security researchers identified a coordinated campaign that had been silently harvesting developer API keys from AI providers for at least 8 months. The plugins were published under seven separate vendor accounts beginning in October 2025, with the most recent uploads dated June 10. Together, they accumulated nearly 70,000 combined installs, with the two highest-download packages — "DeepSeek AI Assist" (27,727 installs) and "CodeGPT AI Assistant" (25,571 installs) — marketed as AI coding assistants built on DeepSeek and other large language models. Each plugin functioned as advertised, providing chat, commit message generation, code review, and bug-finding features. The theft mechanism was concealed behind normal-looking settings: when a developer entered an AI API key and clicked "Apply," the key was silently transmitted to attacker-controlled infrastructure. JetBrains immediately terminated all seven publisher accounts, purged the 15 plugins from the Marketplace, and remotely disabled the extensions in any affected IDE at the next relaunch.

The targeted keys include OpenAI, Anthropic (Claude), Google Gemini, DeepSeek, and other provider credentials that developers store in their local IDE settings. Developers who installed any of the affected plugins and configured an AI API key between October 2025 and June 17, 2026, should treat every key stored in those plugin settings as compromised and rotate immediately — including any key that may have been used for automated workflows, CI/CD pipelines, or billing-enabled production API access.

Why it matters: IDE plugins occupy one of the most privileged positions in a developer's environment — they run with the same user-level access as the developer, they have read access to open project files, and they often handle credentials for cloud services and AI APIs. The eight-month detection gap in this case reflects a wider industry gap: Marketplace code review for third-party plugins is not equivalent to auditing first-party software, and the quality and frequency of security review vary widely across plugin ecosystems. Treat plugin installations with the same scrutiny you'd apply to a third-party library, verify publisher account legitimacy before installing, and audit which plugins in your team's standard IDE configuration have access to AI API keys.

Read more at Infosecurity Magazine

Final thoughts

This week's incidents are not five separate stories — they are five variations on the same story. A forgotten npm contributor account. A decade-old firewall password that survived 1.16 billion guessing attempts. A media library that trusts every file it receives. An IDE plugin that a developer installed because it said "AI assistant." A contract manufacturer holding engineering blueprints for two of the world's most valuable companies. In every case, the exploited element was something that had been implicitly trusted without ongoing verification.

The security industry has spent the last decade building increasingly sophisticated defenses around identities, endpoints, and perimeters. This week's attackers are building increasingly sophisticated operations targeting the very things those defenses assume are safe: package registries, IDE environments, VPN appliances, and supply chain partners. That gap between "what we monitor" and "what we trust" is where 2026's breaches are happening.

Check back next Tuesday for the next installment of This Week in Cybersecurity.