A firewall vendor’s credentials up for sale. A ransomware crew started auctioning stolen data to the highest bidder. And three new malware families showed up with enough capability to warrant their own case files. Here’s what Cynet’s CyOps Threat Intelligence Team tracked this June, and what it means for your defenses.

The Month’s Most Consequential Incidents
Scattered Spider members plead guilty in TfL breach
Two members of the Scattered Spider group pleaded guilty to breaching Transport for London’s internal network, an intrusion that cost TfL an estimated 29 million pounds and forced roughly 28,000 employees to re-authenticate in person. Investigators tied the pair to the attack through device evidence and access to a marketplace for breached credentials, a reminder that credential theft remains a primary entry point even for high-profile crews.
Salesforce data exposed through a Klue integration compromise
Market intelligence platform Klue confirmed attackers used a compromised legacy credential to obtain OAuth tokens connecting Klue to customer Salesforce instances. The Icarus extortion group claimed responsibility, and several affected companies, including Recorded Future, Tanium, and Huntress, disclosed that Salesforce data tied to the integration was exposed. Klue’s own platform and stored content were reportedly unaffected, underscoring how much risk now sits in third-party SaaS integrations rather than the core application itself.
GitHub tightens npm to blunt supply-chain abuse
GitHub announced that the upcoming npm v12 will stop automatically running preinstall, install, and postinstall scripts, and will block dependencies pulled from Git repositories or remote URLs unless explicitly approved. The changes directly target the install-script and Git-dependency abuse seen in recent campaigns, including Shai-Hulud-related activity, and will require developers who rely on that behavior to opt in going forward.
Kodak investigates a breach claimed by ShinyHunters
Kodak confirmed a third party gained temporary access to a limited set of company data, while the ShinyHunters extortion group claimed to have stolen over 2.2 million records and threatened to leak them. Kodak’s entry was later removed from the group’s leak site, and the company has stated it sees no current threat to its systems or operations.
Operation Endgame disrupts SocGholish and Evil Corp infrastructure
An international law enforcement effort cleaned SocGholish malware from nearly 15,000 compromised WordPress sites and took more than 100 servers and domains offline. SocGholish, active since 2017, has been used to deliver additional payloads including Dridex on behalf of the Evil Corp cybercrime group, and authorities describe this action as the start of further disruption efforts.
Vulnerability Spotlight: Splunk Enterprise Unauthenticated Arbitrary File Creation
Splunk disclosed a critical (CVSS 9.8) flaw in Splunk Enterprise caused by missing authentication on its PostgreSQL sidecar service. Researchers found that an unauthenticated backup request could be manipulated through the pg_dump utility to load an attacker-controlled database onto the target machine, and that the flow could be chained into full remote code execution rather than remaining a simple file-creation bug. Organizations running Splunk Enterprise should upgrade to version 10.4.0, 10.2.4, 10.0.7, or later without delay.
Cynet Lighthouse Reporting: FortiBleed
This month’s darknet feature covers FortiBleed, a large-scale credential-harvesting and access-brokering operation targeting internet-facing FortiGate firewalls and other edge appliances. The campaign was not built on a new Fortinet vulnerability. Instead, operators scanned exposed devices, stuffed or brute-forced credentials at scale, deployed a passive sniffer that abuses a legitimate FortiOS diagnostic command to capture authentication traffic, and cracked the resulting hashes on rented GPU infrastructure.
The operation became public only because its own aggregation infrastructure was left exposed online. Researchers who examined that exposed dataset found more than 110 million harvested credentials, 237,330 working FortiGate SSH logins, and 7,187 confirmed live SSL-VPN sessions, while Fortinet separately confirmed more than 86,000 validated working credentials across 194 countries. The resulting access is understood to be resold, most plausibly to ransomware operators, making MFA enforcement and taking VPN and admin interfaces off the public internet the two highest-priority defensive steps this month.
Three New Malware Families Under the Microscope
CyOps also completed full static, dynamic, and MITRE ATT&CK analysis of three emerging threats this month, each covered in its own detailed blog post.
HYFLOCK Ransomware
A two-stage Rust-based ransomware loader that unpacks a Babuk-derived payload internally identified as Nishi Encryptor. It suspends OneDrive sync before encrypting to avoid tipping off cloud-based detection, tunes its own thread pool to the host’s hardware, and negotiates exclusively through the decentralized Tox messaging protocol.
Zeta Stealer
A narrowly focused infostealer, likely of Turkish origin, that targets browser data, Discord credentials, and Wi-Fi passwords. Rather than staging stolen data into files, it exfiltrates directly through calls to a Telegram bot, and it persists through both a registry Run key and a startup-folder batch script.
CMD organization Ransomware
An emerging group active since late March 2026 with 31 claimed victims across seven countries, a quarter of them in healthcare. Its double-extortion model has a twist: rather than publishing stolen data outright, it invites leak-site visitors to bid directly on it.
Each of these families was tested against Cynet’s unified cybersecurity platform in detection mode to document exactly where in the attack chain it can be caught, from the initial file drop through registry and file-operation abuse.
Want the full technical detail, including IOCs, MITRE ATT&CK mappings, and the complete FortiBleed attack chain? Download Cynet’s full June 2026 CTI Report.