Here are today’s top cybersecurity stories for Wednesday, June 17, 2026.
FortiBleed: 73,932 Fortinet VPN Credentials Exposed in Massive Credential Leak
Security researcher Bob Diachenko uncovered a database containing valid Fortinet and FortiGate VPN credentials for 73,932 firewall URLs across 194 countries, a campaign dubbed FortiBleed. The leak contains usernames, email addresses, and plaintext passwords harvested through automated credential-stuffing against devices whose passwords were never rotated after earlier Fortinet breaches. Organizations confirmed in the dataset include Chevron, Samsung, Foxconn, and AT&T. Affected organizations should rotate all Fortinet VPN and admin credentials immediately and enable multi-factor authentication on all gateway interfaces. BleepingComputer
Mastra npm Supply Chain Attack Compromises 144 Packages, 1.1 Million Weekly Downloads at Risk
Attackers compromised a former contributor account on npm and mass-published 144 malicious packages under the @mastra namespace in 88 minutes on June 17, injecting a malicious dependency called easy-day-js — a typosquat of the legitimate dayjs library. The backdoored packages download a second-stage payload that steals credentials and deletes itself to remove traces. Combined weekly downloads across affected packages exceed 1.1 million. Any developer environment, CI runner, or build system that installed @mastra/* packages after June 16 should be treated as fully compromised. The Hacker News
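As an added example (not code from the report or from the Mastra project), a Python check that walks a package-lock.json for the @mastra/* scope and the easy-day-js typosquat named above; the sample lockfile and its version numbers are constructed. Lockfiles carry no install timestamp, so the "installed after June 16" question still has to be answered from CI logs or the npm cache.

```python
import json
from typing import Dict, List

# Indicators taken from the report: the typosquat dependency, the library it
# imitates, and the affected npm scope. Everything else here is constructed.
TYPOSQUAT = "easy-day-js"
LEGIT_NAME = "dayjs"
AFFECTED_SCOPE = "@mastra/"


def package_name(path: str) -> str:
    """Package name for a lockfile v2/v3 'packages' key such as
    'node_modules/@mastra/core/node_modules/easy-day-js'."""
    return path.split("node_modules/")[-1]


def scan_lockfile(lock: dict) -> List[Dict[str, str]]:
    """Walk a package-lock.json (lockfileVersion 2 or 3) and return findings."""
    findings = []
    for path, meta in lock.get("packages", {}).items():
        if path == "":
            continue  # root project entry, not a dependency
        name = meta.get("name") or package_name(path)
        version = meta.get("version", "?")
        deps = meta.get("dependencies", {})
        if name == TYPOSQUAT:
            reason = f"typosquat of {LEGIT_NAME}"
        elif name.startswith(AFFECTED_SCOPE) and TYPOSQUAT in deps:
            reason = f"{AFFECTED_SCOPE}* package pulling in {TYPOSQUAT}"
        elif name.startswith(AFFECTED_SCOPE):
            reason = f"{AFFECTED_SCOPE}* package present; verify install date"
        else:
            continue
        findings.append({"package": name, "version": version,
                         "path": path, "reason": reason})
    return findings


# Constructed sample: one backdoored @mastra package pulling the typosquat,
# plus a clean dependency on the real dayjs that must not be flagged.
SAMPLE_LOCK = json.loads("""
{
  "name": "demo-app",
  "lockfileVersion": 3,
  "packages": {
    "": {"name": "demo-app", "dependencies": {"@mastra/core": "^9.9.9", "dayjs": "^1.11.0"}},
    "node_modules/@mastra/core": {"version": "9.9.9", "dependencies": {"easy-day-js": "^1.0.0"}},
    "node_modules/@mastra/core/node_modules/easy-day-js": {"version": "1.0.0"},
    "node_modules/dayjs": {"version": "1.11.0"}
  }
}
""")

if __name__ == "__main__":
    for f in scan_lockfile(SAMPLE_LOCK):
        print(f"{f['reason']}: {f['package']}@{f['version']} ({f['path']})")
```

Run it against a real lockfile with `scan_lockfile(json.load(open("package-lock.json")))`; any finding means the host should be handled as the report describes rather than simply cleaned.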
15 Malicious JetBrains Marketplace Plugins Steal AI API Keys from 70,000+ Developers
Aikido Security identified 15 malicious plugins on the JetBrains Marketplace disguised as AI coding assistants — including fake DeepSeek and OpenAI tools — that silently exfiltrate AI provider API keys when users click Apply. The plugins accumulated over 70,000 installs since their first appearance in October 2025, with new variants published as recently as June 10. Developers using third-party AI plugins in IntelliJ-based IDEs should audit installed plugins immediately and rotate any AI provider keys entered in those tools. BleepingComputer
CISA Adds Joomla JCE CVE-2026-48907 to KEV: CVSS 10.0 PHP Code Execution Flaw Actively Exploited
CISA added CVE-2026-48907, a maximum-severity improper access control flaw in the Widget Factory Joomla Content Editor plugin, to its Known Exploited Vulnerabilities catalog on June 17. The flaw allows unauthenticated users to upload and execute arbitrary PHP code by creating new editor profiles. Versions 1.0.0 through 2.9.99.4 are affected; the patch is version 2.9.99.5, released June 3. Federal agencies face a July 7, 2026 remediation deadline. Working exploit code is public and attacks are automated. The Hacker News
Cisco Catalyst SD-WAN CVE-2026-20262: Authenticated File Write Leads to Root — CISA KEV June 29 Deadline
Cisco released patches on June 15–16 for CVE-2026-20262, an arbitrary file write vulnerability in Catalyst SD-WAN Manager that lets an authenticated attacker with write-level credentials escalate privileges to root via a crafted HTTP request. The flaw affects on-premises, cloud, and FedRAMP deployments. CISA added it to the KEV catalog with a June 29 federal remediation deadline following confirmation of limited active exploitation. BleepingComputer
Oracle June 2026 Critical Patch Update: 245 Fixes Across Communications, EBS, PeopleSoft, and More
Oracle released its June 2026 Critical Security Patch Update on June 16, delivering 245 new security patches across product families including Communications, E-Business Suite, Enterprise Manager, Fusion Middleware, MySQL, PeopleSoft, and WebCenter Sites. Among the critical fixes is CVE-2026-35293, an unauthenticated HTTP-exploitable flaw in Oracle WebCenter Sites 14.1.2.0.0 that permits full system takeover. Organizations running Oracle products should apply patches without delay. Oracle Security Alerts
ClickFix Campaigns Expand With Three New Malware Loaders: BabaDeda, Lorem Ipsum, and Potemkin
Researchers from Morphisec, BlueVoyant, and Huntress independently documented three new malware loaders — BabaDeda, Lorem Ipsum, and Potemkin — all delivered through ClickFix social engineering lures. BabaDeda has targeted education and financial organizations since April 2026, while Lorem Ipsum shifted to ClickFix delivery after the disruption of the Fox Tempest malware-signing operation last month. The loaders use PowerShell, in-memory shellcode, DLL side-loading, and external payload staging to drop infostealers and remote access trojans. The Hacker News
UNC1151/Ghostwriter Runs Sustained Gmail Phishing Campaign Against Polish Government Officials
Belarus-linked threat actor UNC1151 (Ghostwriter) has been running a high-intensity phishing campaign against Gmail accounts of Polish government officials, researchers, journalists, and public sector employees since March 2026. The group sends fake Google security alerts to steal login credentials and two-factor authentication codes, hosting phishing panels on compromised Polish websites. CERT Polska issued an advisory and confirmed new phishing domains appear almost daily. The campaign marks an escalation in Ghostwriter’s targeting of NATO member state government personnel. CERT Polska
Stay tuned for today’s in-depth analysis posts.