SECURITYINTEL DAILY BRIEF ■ ThreatIntel Brief | Tuesday, June 23, 2026 | INTEL CONFIDENCE 100% | THREAT LEVEL CRITICAL
■ THREAT OF THE DAY
Supply Chain Attacks and Proxy Flaws Threaten Enterprises | CRITICAL
5 C2 IPs | 1 OTX IOCs | 34 ARTICLES
■ ANALYST TLDR
Today's intelligence highlights significant supply chain compromises affecting ShapedPlugin WordPress plugins and Mastra NPM packages, alongside critical vulnerabilities such as "Squidbleed" in Squid Proxy and "PixelSmash" in FFmpeg. Additionally, threat actors are actively exploiting SonicWall CVE-2024-40766 on appliances where misconfiguration leaves them exposed, while the FortiBleed campaign has harvested over 86,000 credentials using custom FortiGate sniffers. Organizations must immediately audit their dependencies, patch public-facing appliances, and secure cloud storage configurations.
■ CRITICAL STORIES
ShapedPlugin WordPress Pro Plugins Backdoored in Supply Chain Attack
Attackers compromised the vendor's build and distribution channels to inject backdoor code into multiple popular WordPress plugins, presenting a severe supply chain risk for web administrators.

North Korean Hackers Blamed for Mastra NPM Supply Chain Attack
State-sponsored actors injected malicious dependencies into over 140 Mastra NPM packages to target cryptocurrency extensions, demonstrating highly targeted supply chain poisoning.

Decades-Old Squid Proxy Flaw 'Squidbleed' Can Expose User Data
A 29-year-old heap over-read vulnerability in the Squid web proxy, dubbed "Squidbleed," allows attackers to leak cleartext HTTP requests, including credentials and session tokens, belonging to other users of the proxy.

New Exploit Bypasses Apple's Boot Defenses, Affects Millions of iPhones
The "Usbliter8" bootrom exploit bypasses Apple's secure boot defenses on millions of devices. Because it is a hardware-level vulnerability, it cannot be patched via software updates.
■ CVEs IDENTIFIED
CVE-2024-40766 — SonicWall SonicOS — Improper Access Control and VPN bypass leading to unauthorized access
[CVE-TBD] — FFmpeg (PixelSmash) — Remote Code Execution and Denial of Service in video decoders
[CVE-TBD] — Squid Web Proxy (Squidbleed) — Heap over-read leading to cleartext HTTP request and credential leakage
[CVE-TBD] — Microsoft AutoGen Studio (AutoJack) — Remote Code Execution via malicious web page interaction
■ THREAT ACTORS
North Korean State-Sponsored Actors | State-Sponsored
Injected malicious dependencies into over 140 Mastra NPM packages to target cryptocurrency extensions

ShinyHunters | Cybercrime Group
Executed major data breaches exploiting stolen credentials and cloud misconfigurations without deploying malware

AryStinger Botnet Operators | Cybercrime Group
Compromised and absorbed thousands of outdated D-Link routers into a botnet
■ ATT&CK TTPs
| ID | Technique | Observed Use |
|---|---|---|
| T1190 | Exploit Public-Facing Application | Exploitation of SonicWall CVE-2024-40766 and the Squidbleed proxy vulnerability |
| T1195.002 | Supply Chain Compromise: Compromise Software Dependencies | Backdooring of ShapedPlugin WordPress plugins and Mastra NPM packages |
| T1566.001 | Phishing: Spearphishing Attachment | WhatsApp campaigns delivering malicious VBScript files disguised as business documents |
| T1539 | Steal Web Session Cookie | Squidbleed heap over-read used to harvest cleartext HTTP session tokens and credentials |
| T1552 | Unsecured Credentials | Gravity SMTP plugin leaking API keys; FortiBleed harvesting firewall credentials |
| T1584.005 | Compromise Infrastructure: Botnet | AryStinger botnet recruiting outdated D-Link routers |
■ PATCH PRIORITY
SonicWall — SonicOS (CVE-2024-40766) — Active exploitation and configuration bypass risk — [SANS]
FFmpeg — Video Decoder (PixelSmash) — Remote Code Execution vulnerability affecting Jellyfin and other media platforms — [BC]
Microsoft — AutoGen Studio (AutoJack) — RCE vulnerability chain in AI agent prototyping interface — [BC]
Squid — Web Proxy (Squidbleed) — Heap over-read leaking cleartext HTTP requests and session tokens — [THN]
■ RECOMMENDED ACTIONS TODAY
1. [P1] Patch SonicWall SonicOS immediately to remediate CVE-2024-40766 and audit appliance configurations to ensure the patch is properly applied.
2. [P1] Update FFmpeg libraries to the latest patched version across all media-dependent applications, including Jellyfin, Emby, and Nextcloud, to prevent PixelSmash RCE.
3. [P1] Audit all Node.js development environments and remove any Mastra NPM packages containing the malicious North Korean backdoor dependencies.
4. [P1] Remove and replace all ShapedPlugin WordPress plugins with clean, verified versions from trusted sources to eliminate backdoor code.
5. [P2] Update Squid Web Proxy installations to mitigate the Squidbleed heap over-read vulnerability and prevent cleartext credential disclosure.
■ C2 IP BLOCKLIST · AbuseCH Feodo · Showing 5 of 5
| IP ADDRESS | PORT | STATUS | MALWARE | COUNTRY |
|---|---|---|---|---|
| 162.243.103.246 | 8080 | OFFLINE | Emotet | US |
| 50.16.16.211 | 443 | ONLINE | QakBot | US |
| 34.204.119.63 | 443 | OFFLINE | QakBot | US |
| 178.62.3.223 | 443 | OFFLINE | QakBot | GB |
| 27.133.154.218 | 443 | OFFLINE | QakBot | JP |
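Added example (not part of the brief or the AbuseCH feed's own tooling): a small Python matcher that parses the five C2 entries above exactly as listed and scans constructed firewall log lines, in a hypothetical key=value format, for connections to them. Traffic to the listed C2 port is flagged high; traffic to the same host on another port is still flagged medium, and OFFLINE entries are not skipped.

```python
import re
# Constructed copy of the five AbuseCH Feodo C2 entries exactly as listed in this brief.
C2_BLOCKLIST_TEXT = """\
IP ADDRESS 162.243.103.246 | PORT 8080 | STATUS OFFLINE | MALWARE Emotet | COUNTRY US
IP ADDRESS 50.16.16.211 | PORT 443 | STATUS ONLINE | MALWARE QakBot | COUNTRY US
IP ADDRESS 34.204.119.63 | PORT 443 | STATUS OFFLINE | MALWARE QakBot | COUNTRY US
IP ADDRESS 178.62.3.223 | PORT 443 | STATUS OFFLINE | MALWARE QakBot | COUNTRY GB
IP ADDRESS 27.133.154.218 | PORT 443 | STATUS OFFLINE | MALWARE QakBot | COUNTRY JP
"""
ENTRY_RE = re.compile(
    r"IP ADDRESS (?P<ip>[\d.]+) \| PORT (?P<port>\d+) \| STATUS (?P<status>\w+) "
    r"\| MALWARE (?P<malware>\S+) \| COUNTRY (?P<country>\w+)"
)

def parse_blocklist(text):
    """Return {ip: {"port": int, "status": str, "malware": str, "country": str}}."""
    entries = {}
    for line in text.splitlines():
        m = ENTRY_RE.search(line)
        if m:
            d = m.groupdict()
            d["port"] = int(d["port"])
            entries[d.pop("ip")] = d
    return entries

# Constructed firewall log lines in a hypothetical key=value format (not a real product's).
SAMPLE_LOGS = [
    "2026-06-23T08:01:12Z src=10.0.4.17 dst=50.16.16.211 dport=443 action=allow",
    "2026-06-23T08:01:15Z src=10.0.4.17 dst=203.0.113.5 dport=443 action=allow",
    "2026-06-23T08:02:40Z src=10.0.9.3 dst=162.243.103.246 dport=8080 action=allow",
    "2026-06-23T08:03:02Z src=10.0.9.3 dst=162.243.103.246 dport=22 action=deny",
]
LOG_RE = re.compile(r"src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+)")

def find_c2_hits(log_lines, blocklist):
    """Flag every connection to a blocklisted host. Traffic on the listed C2 port is
    'high'; other ports to the same host are 'medium', since C2 hosts are reused and
    an entry marked OFFLINE today may come back, so it is still worth alerting on."""
    hits = []
    for line in log_lines:
        m = LOG_RE.search(line)
        entry = blocklist.get(m["dst"]) if m else None
        if entry is None:
            continue
        dport = int(m["dport"])
        hits.append({"src": m["src"], "dst": m["dst"], "dport": dport,
                     "malware": entry["malware"], "status": entry["status"],
                     "severity": "high" if dport == entry["port"] else "medium"})
    return hits
```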
IOC SOURCES: AbuseCH Feodo · AlienVault OTX
NEWS SOURCES: THN · KRB · SANS · REC · BC · SW · AWS · GCP · MSFT · U42 · SCH · MWB