# Today's Top Stories

June 18, 2026

  1. Ars Technica Security general Jun 17
    Massive breach spills credentials for thousands of sensitive networks

    A massive credential breach has exposed VPN and network access credentials for thousands of sensitive organizations including Oracle, Lenovo, FedEx, a NATO contractor, and Fortinet. The scale and sensitivity of affected targets make this immediately actionable for security teams conducting third-party risk assessments and incident response triage.

  2. BleepingComputer general Jun 17
    FortiBleed leak exposes Fortinet VPN credentials for 73,000 devices

    The 'FortiBleed' data leak has exposed Fortinet and FortiGate VPN credentials for 73,932 firewall URLs belonging to organizations worldwide. Combined with active exploitation of FortiSandbox vulnerabilities (articles 5079, 5136, 5167), this represents a compounding crisis for Fortinet-dependent network defenders who must audit exposed credentials and patch simultaneously.

  3. BleepingComputer general Jun 16
    Critical Fortinet FortiSandbox flaws now exploited in attacks

    Multiple critical vulnerabilities in Fortinet's FortiSandbox threat detection platform are being actively exploited in the wild, with threat intelligence firm Defused confirming attacks. SOCRadar has detected approximately 30,000 compromised Fortinet firewalls, and multiple firms report exploitation originating from independent sources rather than a single coordinated campaign.

  4. The Hacker News general Jun 17
    Microsoft Confirms RoguePlanet Defender Zero-Day, Says Patch is in Development

    Microsoft has confirmed CVE-2026-50656 (CVSS 7.8), a privilege escalation zero-day in the Microsoft Malware Protection Engine codenamed 'RoguePlanet,' with a patch still in development. Public PoC code exploiting a race condition to spawn a SYSTEM-level command prompt is already circulating, making this a high-priority exposure for any Windows endpoint running Defender.

  5. The Hacker News general Jun 17
    144 Mastra npm Packages Compromised via Hijacked Contributor Account

    A supply chain attack dubbed 'easy-day-js' compromised 144 npm packages in the Mastra '@mastra/*' namespace after attackers hijacked a single contributor account (ehindero), affecting a widely used JavaScript/TypeScript AI application framework. Findings were reported by JFrog, SafeDep, Socket, and StepSecurity, underscoring the ongoing risk of single-account compromise cascading across large package ecosystems.

  6. The Hacker News general Jun 17
    CISA Warns of Actively Exploited Joomla JCE Flaw Allowing PHP Code Execution

    CISA added CVE-2026-48907 (CVSS 10.0), an improper access control flaw in the Widget Factory Joomla Content Editor (JCE) plugin enabling arbitrary PHP code execution, to its KEV catalog with a patch deadline of Friday for federal agencies. The maximum severity score and active exploitation make this urgent for any organization running Joomla with the JCE plugin installed.

  7. SecurityWeek general Jun 17
    Microsoft Teams Relay Servers Abused in DragonForce Ransomware Attack

    DragonForce ransomware operators abused Microsoft Teams relay servers for command-and-control, deploying a novel Go-based backdoor that blends C2 traffic with legitimate Teams infrastructure to evade detection. This technique complicates network-layer defenses that whitelist Microsoft services and signals an escalation in ransomware groups' abuse of trusted SaaS platforms.

  8. The Record threat-intel Jun 16
    GitHub dismissed security reports on flaws now exploited by supply-chain worm, researchers say

    GitHub dismissed two formal vulnerability reports identifying design flaws that researchers say are now being actively exploited by variants of the Shai-Hulud supply-chain worm, which has infected hundreds of software packages and developer accounts globally. The platform's failure to act on reported design flaws before weaponization raises significant questions about responsible disclosure workflows at major code hosting providers.

  9. Ars Technica Security general Jun 16
    Critical Copilot vulnerability allowed hackers to steal 2FA code from users

    A critical vulnerability dubbed 'SearchLeak' in Microsoft Copilot allowed attackers to steal users' 2FA codes via prompt injection, demonstrating once again that LLM-integrated tools inherit and amplify traditional web security flaws. The exploit illustrates how indirect prompt injection through search results can weaponize AI assistants against the very users they serve.

  10. The Hacker News general Jun 17
    Malicious JetBrains Plugins Steal AI API Keys as Chrome Extensions Capture Chatbot Chats

    15 malicious plugins on the JetBrains Marketplace, posing as DeepSeek-based AI coding assistants, were found exfiltrating AI provider API keys from developers' machines in what researchers describe as a coordinated campaign. Separately, malicious Chrome extensions were observed capturing chatbot conversation data, representing a targeted supply-chain threat against developer toolchains handling sensitive AI credentials.