# Today's Top Stories

June 21, 2026

  1. BleepingComputer general Jun 19
    CISA warns Fortinet users to secure devices after FortiBleed leak

    CISA issued an urgent advisory for Fortinet customers after the 'FortiBleed' leak exposed credentials from nearly 74,000 firewall and VPN devices — roughly half of all internet-accessible Fortinet appliances. Security practitioners managing Fortinet infrastructure should treat this as an active incident requiring immediate credential rotation and access review.

  2. SecurityWeek general Jun 19
    FortiBleed: 86,000 Fortinet Device Credentials Compromised

    The 'FortiBleed' campaign compromised credentials from approximately 86,000 Fortinet devices including firewalls and VPNs, representing a massive-scale credential theft event. The scale — affecting roughly half of internet-accessible Fortinet appliances — makes this a critical priority for network security teams with Fortinet deployments.

  3. SecurityWeek general Jun 19
    15,000 WordPress Websites Cleaned Up in SocGholish Botnet Takedown

    Operation Endgame targeted the SocGholish botnet infrastructure linked to Russia-based Evil Corp, taking down 106 command-and-control servers and domains and cleaning up approximately 15,000 compromised WordPress websites. The coordinated law enforcement and private-sector action represents a significant disruption to one of the most prolific drive-by download malware distribution networks.

  4. The Record threat-intel Jun 19
    Police raid malware network tied to Russia's Evil Corp hacker group

    An international police operation raided infrastructure tied to the SocGholish botnet, which has been attributed to Evil Corp, a Russia-based cybercrime group subject to U.S. Treasury sanctions. The takedown complements Operation Endgame's infrastructure seizures and signals continued cross-border pressure on Russian cybercrime ecosystems.

  5. BleepingComputer general Jun 20
    Microsoft links Mastra AI supply chain attack to North Korean hackers

    Microsoft attributed a supply chain attack on the Mastra AI framework to North Korean threat actor Sapphire Sleet (BlueNoroff), which compromised more than 140 npm packages. This campaign demonstrates North Korea's expanding focus on AI development toolchains as a vector for software supply chain compromise.

  6. SecurityWeek general Jun 19
    Cybersecurity Firms Impacted by Klue Supply Chain Attack

    The Icarus extortion group's attack on market intelligence platform Klue resulted in OAuth token theft that granted access to customers' Salesforce environments, with confirmed victims including cybersecurity firms Huntress and Recorded Future. The incident illustrates how third-party SaaS integrations create transitive trust relationships that can cascade breaches across an entire customer base.

  7. BleepingComputer general Jun 19
    Klue OAuth breach victim list grows as Icarus hackers claim attack

    Market intelligence platform Klue confirmed that the Icarus extortion group stole OAuth tokens used to connect customer Salesforce environments, with the victim list continuing to grow. The breach highlights the risk of OAuth credential exposure in B2B SaaS platforms where a single token compromise can provide lateral access to downstream enterprise CRM data.

  8. The Hacker News general Jun 19
    AutoJack Attack Lets One Web Page Hijack AI Agent for Host Code Execution

    Microsoft researchers detailed 'AutoJack,' an exploit chain where a malicious web page loaded by an AI browsing agent can invoke a privileged local service via JavaScript and achieve host-level code execution — requiring no credentials or additional user interaction after initial page load. The attack demonstrates a new class of AI agent security risk where agentic browsing capabilities create unintended local privilege escalation paths.

  9. The Hacker News general Jun 20
    Hackers Exploit Gravity SMTP WordPress Plugin Bug to Expose API Keys

    Threat actors are actively exploiting CVE-2026-4020 (CVSS 5.3), an unauthenticated information disclosure vulnerability in the Gravity SMTP WordPress plugin installed on roughly 100,000 sites, to extract API keys, OAuth tokens, and other secrets from plugin configuration data. Despite the medium-severity CVSS score, active in-the-wild exploitation of this plugin across a large install base makes patching urgent for WordPress site operators.

  10. The Hacker News general Jun 19
    Apple Patches Beats Studio Buds Flaw Letting Nearby Attackers Spy via Microphone

    Apple patched CVE-2025-20701 (CVSS 8.8) in Beats Studio Buds firmware, a high-severity incorrect authorization flaw in the Airoha Bluetooth audio SDK that allows nearby attackers to pair with the device and access microphone audio without user consent. The vulnerability in the underlying Airoha SDK may affect other Bluetooth audio products beyond Apple's Beats line that use the same chipset.