June 2026: FortiBleed Cracks Fortinet Firewalls, Supply Chain Worms Hit npm and PyPI
June 2026 was headlined by FortiBleed, a Russian-attributed credential harvesting campaign that exposed over 86,000 Fortinet firewalls across 194 countries. ShinyHunters escalated again, exploiting an Oracle PeopleSoft zero-day against universities while leaking 234GB of DentaQuest health data. Three supply chain campaigns hit npm and PyPI in quick succession, and a new extortion group called Icarus turned a forgotten OAuth credential into a Salesforce breach at multiple cybersecurity firms.
FortiBleed Exposed Over 86,000 Fortinet Credentials Across 194 Countries in Active Harvesting Campaign
SOCRadar’s Threat Research Unit disclosed a dataset of validated credentials tied to 86,644 internet-facing Fortinet FortiGate firewalls and SSL VPN gateways after researchers discovered an exposed attacker server and mapped its full operational infrastructure.
Named FortiBleed by SOCRadar, the campaign had been running since at least February 2026 and was attributed to a Russian-speaking threat group. Attackers cracked SHA-256 password hashes from exposed FortiGate configuration files using a 45-GPU cluster, targeting a legacy storage format that persisted on devices where administrators had not logged in after upgrading.
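The storage gap described above is a general one, not specific to any vendor: when a product moves to a stronger password format, each record is typically rewritten only the next time its owner authenticates, so accounts that never log in after the upgrade keep the old hash indefinitely. The Python below is an example added to this write-up to show that pattern and the audit that closes it; it is not Fortinet code, not SOCRadar tooling, and the two record formats, account names and passwords are all made up for illustration (FortiGate's real on-disk formats are not reproduced here).

```python
from __future__ import annotations

import hashlib
import hmac
import os
from dataclasses import dataclass

# Constructed record formats for this example; they are NOT Fortinet's on-disk formats.
#   legacy : "sha256$<hex digest>"                      unsalted, fast to brute-force
#   current: "pbkdf2$<iterations>$<salt hex>$<dk hex>"  salted, deliberately slow
LEGACY_PREFIX = "sha256$"
CURRENT_PREFIX = "pbkdf2$"
ITERATIONS = 200_000


def legacy_hash(password: str) -> str:
    return LEGACY_PREFIX + hashlib.sha256(password.encode()).hexdigest()


def current_hash(password: str, salt: bytes = b"") -> str:
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"{CURRENT_PREFIX}{ITERATIONS}${salt.hex()}${dk.hex()}"


def verify(stored: str, password: str) -> bool:
    """Check a password against either record format using constant-time comparison."""
    if stored.startswith(LEGACY_PREFIX):
        return hmac.compare_digest(stored, legacy_hash(password))
    if stored.startswith(CURRENT_PREFIX):
        _, iters, salt_hex, dk_hex = stored.split("$")
        dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iters))
        return hmac.compare_digest(dk.hex(), dk_hex)
    return False


@dataclass
class Account:
    name: str
    stored: str


def login(accounts: dict[str, Account], name: str, password: str) -> bool:
    """Rehash-on-login: a legacy record is upgraded only after a successful login.

    This is the common migration pattern, and it is exactly why an account that
    never logs in after the upgrade keeps the weak hash for as long as it exists."""
    acct = accounts.get(name)
    if acct is None or not verify(acct.stored, password):
        return False
    if acct.stored.startswith(LEGACY_PREFIX):
        acct.stored = current_hash(password)
    return True


def legacy_accounts(accounts: dict[str, Account]) -> list[str]:
    """Audit sweep: names still stored in the legacy format (force a reset for these)."""
    return sorted(n for n, a in accounts.items() if a.stored.startswith(LEGACY_PREFIX))


def constructed_accounts() -> dict[str, Account]:
    """Sample store with made-up names and passwords; two records predate the upgrade."""
    return {
        "admin": Account("admin", legacy_hash("Winter2024!")),
        "ops": Account("ops", legacy_hash("ops-backup-acct")),
        "auditor": Account("auditor", current_hash("correct horse battery")),
    }


if __name__ == "__main__":
    store = constructed_accounts()
    print("legacy before:", legacy_accounts(store))  # admin and ops
    login(store, "admin", "Winter2024!")             # admin is rehashed on this login
    print("legacy after :", legacy_accounts(store))  # ops never logged in, still legacy
```

The sweep is the part that matters operationally: waiting for logins never finishes the migration, so every name the sweep lists should get a forced rotation, and any legacy-format hash that may have sat in an exposed configuration file should be treated as already compromised rather than merely weak.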
CISA issued an emergency advisory on June 18, the UK NCSC published a global warning, and Fortinet’s PSIRT issued a formal blog post on June 19, all within six days of disclosure. The victim list spans banks, hospitals, telecoms, universities, and government agencies across 194 countries, with 591 confirmed government entries and 5,616 telecom entries.
For a deeper look at how the operation was built and run, SOCRadar published a full technical report.

See if your organization is in the FortiBleed leak via FortiBleed Checker (SOCRadar Free Tools)
ShinyHunters Exploited Oracle PeopleSoft Zero-Day to Breach Over 100 Organizations, Primarily in Higher Education
Between May 27 and June 9, 2026, ShinyHunters, tracked by Mandiant as UNC6240, ran an automated campaign against Oracle PeopleSoft environments exploiting CVE-2026-35273, a critical unauthenticated RCE flaw in PeopleTools 8.61 and 8.62. Oracle issued an out-of-band advisory on June 10, the day after ShinyHunters began leaking stolen data, confirming the vulnerability had been exploited as a zero-day. The flaw sits in the Environment Management Hub and requires only network-level HTTP access with no authentication.
ShinyHunters claimed compromise of approximately 300 instances across more than 100 organizations, 68% in higher education. The University of Nottingham publicly confirmed a breach, with records belonging to 454,600 students published on the group’s leak site. Staging environments hosted MeshCentral agents and a lateral movement script that spread through SSH, extracted credentials from PeopleSoft configuration files, and dropped ransom markers across affected directories. This was the first confirmed ShinyHunters campaign exploiting a server-side zero-day in on-premises ERP software, a notable escalation from the group’s established SaaS credential abuse methods.
Third-Party Vulnerability in KDDI’s ISP Email Platform Puts 14.2 Million Credentials at Risk
Japanese telecommunications operator KDDI detected unauthorized access to a shared email platform it operates for multiple ISPs on June 17, 2026, and disclosed the incident on June 23. The intrusion exploited a vulnerability in unnamed third-party software. KDDI contained the breach the same day it was detected but warned that email addresses and passwords may have already been obtained before access was closed.
The platform serves six ISPs: STNet, KDDI Web Communications, JCOM, Chubu Telecommunications, Nifty, and Biglobe, accounting for the 14.22 million figure — a worst-case estimate that includes inactive and canceled accounts. KDDI noted some passwords were stored in hashed or encrypted form. Each affected ISP launched its own response, with Nifty disabling mail passwords for accounts that had not completed a reset by June 25. KDDI reported the incident to Japan’s Personal Information Protection Commission and the Ministry of Internal Affairs and Communications. No threat actor has been publicly identified.
ShinyHunters Published 234GB of DentaQuest Health Records After Extortion Attempt Failed
In May 2026, ShinyHunters breached dental benefits administrator DentaQuest and listed the company on its leak site after negotiations collapsed. DentaQuest confirmed the incident on June 2, acknowledging unauthorized access to a portion of its network. External forensic investigators were engaged and systems remained operational with limited disruption. Have I Been Pwned confirmed 2.6 million unique email addresses in the released data.
The 234GB archive contained healthcare enrollment files including names, dates of birth, email addresses, phone numbers, addresses, gender data, government-issued IDs, and Medicaid IDs. Much of the data appeared in ASC X12 healthcare transaction sets used in insurance eligibility processing. DentaQuest is a Sun Life subsidiary and one of the largest Medicaid dental benefits administrators in the United States, serving 32 million people across 50 states. As of disclosure, the company had not yet reported the breach to the U.S. Department of Health and Human Services, raising potential HIPAA compliance concerns.

Threat actor card of ShinyHunters
What makes ShinyHunters particularly dangerous heading into the second half of 2026 is not just the volume of victims but the speed of capability expansion – from vishing and OAuth abuse in January to a server-side ERP zero-day by June. Keeping pace with that kind of evolution means going beyond incident reports. SOCRadar’s Cyber Threat Intelligence module tracks ShinyHunters continuously, mapping their infrastructure, campaign patterns, and targeting shifts so your team knows what the group is doing before the next victim finds out the hard way.
Hackers Used a Dormant Klue Credential to Access Salesforce Data at Multiple Cybersecurity Firms
On June 11, 2026, a threat actor accessed Klue’s integration infrastructure through a dormant credential created for a prototype integration that was later abandoned without being decommissioned. The attacker pushed code to harvest OAuth tokens from Klue’s customers, then ran automated scripts querying connected Salesforce environments for roughly 24 hours. Klue detected the activity on June 12, revoked credentials, disabled integrations, and issued a customer alert on June 13.
Extortion group Icarus, active since at least April 2026, claimed responsibility on June 19. Confirmed affected organizations include Recorded Future, Tanium, Jamf, Huntress, LastPass, and BeyondTrust, with Huntress independently confirming theft of business contacts, price quotes, and sales communications. Salesforce disabled the Klue Battlecards integration until further notice.
The attack follows the OAuth-abuse playbook behind the 2025 Salesloft Drift and Gainsight compromises, with researchers noting the pattern is now widely replicated. The entry point, a credential for a discarded prototype never cleaned up, reflects a systemic gap in how SaaS vendors manage legacy access paths.
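Two controls would have shortened this incident: an inventory check that flags integration credentials nobody has used in months, and a log check that notices when one of those dormant credentials suddenly starts querying CRM data at a high rate. The Python below is an example added here to show both checks end to end; it is not Klue's or Salesforce's code, and the credential ids, purposes, timestamps and the access-log format are all constructed for the example rather than taken from the incident.

```python
from __future__ import annotations

from collections import defaultdict
from datetime import datetime


def parse_ts(s: str) -> datetime:
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


# Constructed inventory of integration credentials (made-up ids; not Klue's data).
# "last_used" is the value as of the inventory snapshot, taken before the log window below.
CREDENTIALS = [
    {"id": "int-battlecards-prod", "purpose": "Battlecards sync",
     "last_used": "2026-06-10T09:12:00Z"},
    {"id": "int-prototype-2025", "purpose": "prototype, never decommissioned",
     "last_used": "2025-04-02T15:40:00Z"},
    {"id": "int-reporting", "purpose": "weekly export",
     "last_used": "2026-06-08T03:00:00Z"},
]


def dormant_credentials(creds, inventory_time: datetime,
                        max_idle_days: int = 90) -> list[tuple[str, int]]:
    """Inventory check: (id, idle days) for credentials idle longer than policy allows."""
    idle = []
    for c in creds:
        days = (inventory_time - parse_ts(c["last_used"])).days
        if days > max_idle_days:
            idle.append((c["id"], days))
    return idle


def constructed_log() -> list[str]:
    """Made-up API access log, one line per call: '<ts> <credential> <op> <object>'."""
    lines = []
    for h in range(24):                 # legitimate sync: 3 calls per hour, all day
        for k in range(3):
            lines.append(f"2026-06-11T{h:02d}:{k * 15:02d}:00Z int-battlecards-prod query Account")
    for m in range(60):                 # the idle credential wakes up and pulls data every 30 s
        for s in (0, 30):
            lines.append(f"2026-06-11T22:{m:02d}:{s:02d}Z int-prototype-2025 query Contact")
    return lines


def query_bursts(lines, threshold_per_hour: int = 60) -> list[tuple[str, str, int]]:
    """Volume check: (credential, hour, count) buckets at or above the threshold."""
    counts: dict[tuple[str, str], int] = defaultdict(int)
    for line in lines:
        ts, cred, op, _obj = line.split(" ", 3)
        if op != "query":
            continue
        hour = parse_ts(ts).strftime("%Y-%m-%dT%H")
        counts[(cred, hour)] += 1
    return sorted((c, h, n) for (c, h), n in counts.items() if n >= threshold_per_hour)


def reactivated_dormant(lines, creds, inventory_time: datetime,
                        max_idle_days: int = 90) -> set[str]:
    """Highest-signal alert: a credential the inventory considered dormant is in use again."""
    dormant = {cid for cid, _ in dormant_credentials(creds, inventory_time, max_idle_days)}
    seen = {line.split(" ", 2)[1] for line in lines}
    return dormant & seen


if __name__ == "__main__":
    snapshot = parse_ts("2026-06-11T00:00:00Z")
    log = constructed_log()
    print("dormant:", dormant_credentials(CREDENTIALS, snapshot))
    print("bursts :", query_bursts(log))
    print("woke up:", reactivated_dormant(log, CREDENTIALS, snapshot))
```

The inventory check alone would have caught the discarded prototype credential before anyone used it; the reactivation check is the one that fires inside the 24-hour window rather than after the customer alert. Thresholds here are arbitrary; in practice the per-credential baseline should come from that credential's own history.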
Miasma Worm Rode Red Hat’s CI/CD Pipeline to Harvest Developer Credentials Across 32 npm Packages
On June 1, 2026, 96 malicious versions across 32 packages in the @redhat-cloud-services namespace were published through Red Hat’s legitimate GitHub Actions OIDC pipeline after an employee’s GitHub account was compromised. Whiteintel had detected Red Hat credentials in infostealer logs on April 13 and May 15, suggesting the account was stolen weeks in advance. Because the attacker published through the official CI/CD path, the packages carried valid SLSA Build Level 3 provenance attestations and passed cryptographic verification.
The payload, Miasma, is a Mini Shai-Hulud variant. It runs at install time, harvests GitHub tokens, npm credentials, SSH keys, and AWS, GCP, and Azure cloud identity data, then self-propagates by republishing poisoned versions of other packages the account can publish. It also carries a destructive tripwire that wipes the victim’s home directory if a stolen token is revoked before persistence is removed. Red Hat confirmed no official products shipped with compromised versions and removed all affected packages. Attribution is consistent with TeamPCP tooling but less certain following the May 12 open-sourcing of the worm.
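Because the poisoned versions came through the real pipeline with valid provenance, signature and attestation checks were not going to catch them; what was left to notice was the behaviour, starting with a package version that suddenly runs code at install time. The Python below is an example added here, not Red Hat's or npm's code, that lists the lifecycle hooks npm executes during install, applies a few heuristic indicators to their commands, and diffs the hooks between two versions of a manifest. The two manifests, the package name and the indicator patterns are constructed for the example and are not the packages from the incident.

```python
from __future__ import annotations

import json
import re

# npm lifecycle hooks that run automatically during "npm install"
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Heuristic indicators, chosen for this example, that a hook command deserves a human look
SUSPECT_PATTERNS = {
    "inline-eval": re.compile(r"\bnode\s+(-e|--eval)\b"),
    "downloader": re.compile(r"\b(curl|wget)\b"),
    "pipe-to-shell": re.compile(r"\|\s*(sh|bash)\b"),
    "base64": re.compile(r"base64", re.IGNORECASE),
}


def install_hooks(pkg: dict) -> list[tuple[str, str]]:
    """Every script in a parsed package.json that npm will execute at install time."""
    scripts = pkg.get("scripts") or {}
    return [(hook, scripts[hook]) for hook in INSTALL_HOOKS if hook in scripts]


def review_manifest(manifest: str) -> list[dict]:
    """Parse a package.json and report each install-time hook with its indicators."""
    pkg = json.loads(manifest)
    findings = []
    for hook, cmd in install_hooks(pkg):
        hits = [name for name, rx in SUSPECT_PATTERNS.items() if rx.search(cmd)]
        findings.append({
            "package": pkg.get("name"),
            "version": pkg.get("version"),
            "hook": hook,
            "command": cmd,
            "indicators": hits,
        })
    return findings


def new_install_hooks(old_manifest: str, new_manifest: str) -> list[str]:
    """Hooks present in the new version that the previous version did not have.

    A patch release that grows a postinstall hook is the single strongest signal here."""
    old = {h for h, _ in install_hooks(json.loads(old_manifest))}
    new = {h for h, _ in install_hooks(json.loads(new_manifest))}
    return sorted(new - old)


# Two constructed manifests (made-up scope, name and versions; not the affected packages)
CLEAN_MANIFEST = """{
  "name": "@example-org/widgets",
  "version": "4.2.0",
  "scripts": {"build": "tsc -p .", "test": "node --test"}
}"""

SUSPECT_MANIFEST = """{
  "name": "@example-org/widgets",
  "version": "4.2.1",
  "scripts": {
    "build": "tsc -p .",
    "postinstall": "node -e \\"require('./scripts/setup.js')\\""
  }
}"""


if __name__ == "__main__":
    for finding in review_manifest(SUSPECT_MANIFEST):
        print(finding)
    print("hooks added in 4.2.1:", new_install_hooks(CLEAN_MANIFEST, SUSPECT_MANIFEST))
```

For CI and developer machines the cheapest mitigation is to not run install scripts by default (`npm install --ignore-scripts`, or `ignore-scripts=true` in `.npmrc`) and allowlist the handful of packages that genuinely need them, such as native builds; the review above is what you run on the allowlist and on any version bump that adds a hook.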
Shai-Hulud Hades Wave Targeted PyPI Research Packages With Startup Hook Persistence
In early June 2026, a Shai-Hulud variant named Hades moved into the Python Package Index, using a new persistence mechanism. The first wave compromised 37 wheel artifacts across 19 bioinformatics and research packages, inserting .pth startup hook files that trigger the payload on every Python invocation regardless of whether the package is explicitly imported. A second wave on June 8 hit six genomics and machine learning packages, all published within 60 seconds using the Bun JavaScript runtime.
The Hades variant embedded its payload inside compiled binary extensions activating at runtime, making static analysis harder than prior waves. The worm harvests GitHub tokens, SSH keys, cloud credentials, and registry secrets, exfiltrating to GitHub dead-drop repositories marked “Hades: The End for the Damned.” Endor Labs quarantined the June 8 packages within 30 minutes. Socket tracked 473 total malicious artifacts across npm and PyPI between June 1 and June 10. Attribution for post-May 12 activity is uncertain following TeamPCP’s public release of the worm source code.
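The .pth persistence trick works because of a documented CPython behaviour: when the interpreter starts, `site.py` reads every `.pth` file in the site-packages directories and, for any line that begins with `import `, executes that line as Python code instead of treating it as a path. The Python below is an example added here, not Endor Labs', Socket's or PyPI's code, that enumerates the directories the running interpreter actually loads `.pth` files from and reports every line it would execute; the sample `.pth` files it creates in a temp directory are constructed for the example.

```python
from __future__ import annotations

import site
import tempfile
from pathlib import Path


def pth_executable_lines(directory) -> list[tuple[str, int, str]]:
    """Return (file name, line number, line) for every .pth line site.py would exec().

    site.addpackage() runs a line as code when it starts with "import " (or "import"
    followed by a tab); any other non-comment line is simply appended to sys.path."""
    d = Path(directory)
    if not d.is_dir():
        return []
    findings = []
    for pth in sorted(d.glob("*.pth")):
        try:
            text = pth.read_text(encoding="utf-8", errors="replace")
        except OSError:
            continue
        for lineno, line in enumerate(text.splitlines(), 1):
            if line.startswith(("import ", "import\t")):   # same test site.py applies
                findings.append((pth.name, lineno, line.rstrip()))
    return findings


def site_dirs() -> list[Path]:
    """Directories this interpreter loads .pth files from (system and per-user)."""
    dirs = list(site.getsitepackages()) if hasattr(site, "getsitepackages") else []
    dirs.append(site.getusersitepackages())
    return [Path(p) for p in dirs if Path(p).is_dir()]


def scan_interpreter() -> dict[str, list[tuple[str, int, str]]]:
    """Map each site directory to the startup-hook lines found in it."""
    return {str(d): pth_executable_lines(d) for d in site_dirs()}


def constructed_sample_dir() -> Path:
    """Temp directory with two made-up .pth files: one plain path file, one carrying a hook."""
    d = Path(tempfile.mkdtemp(prefix="pth-demo-"))
    (d / "vendor-paths.pth").write_text("/opt/vendor/lib\n")
    (d / "zz-hook.pth").write_text(
        "# looks like an ordinary path file\n"
        "/opt/vendor/ext\n"
        "import os; os.environ.setdefault('PTH_HOOK_DEMO', '1')\n"
    )
    return d


if __name__ == "__main__":
    for directory, hits in scan_interpreter().items():
        for name, lineno, line in hits:
            print(f"{directory}/{name}:{lineno}: {line}")
```

Legitimate `.pth` files with import lines do exist (setuptools and virtualenv ship them), so the useful signal is not "any import line" but a new or changed `.pth` introduced by a package that has no reason to hook interpreter startup, which is why the scan is worth running before and after installs in a build environment and diffing the results. Note that the scan only reads the files; it never executes them.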

Threat actor card of TeamPCP
IronWorm Rust Malware Infected 36 npm Packages With eBPF Kernel Rootkit and Tor-Based Infrastructure
In early June 2026, researchers identified a supply chain attack across 36 npm packages originating from a compromised account named asteroiddao. The malware, IronWorm, is written in Rust and hides behind an eBPF kernel rootkit to conceal processes and network activity. It encrypts embedded strings with unique per-instance keys and communicates exclusively over Tor. Malicious commits were backdated up to 13 years to disguise injected code as long-established software.
IronWorm targets 86 environment variables and 20 credential files covering OpenAI and Anthropic API keys, AWS credentials, npm and GitHub tokens, SSH keys, HashiCorp Vault configurations, and Exodus wallet files. It self-propagates using stolen npm Trusted Publishing credentials to release trojanized versions of other packages the compromised developer owns.
Researchers found no clear code link to Shai-Hulud despite surface similarities, describing it as a custom implant on its own infrastructure. The attack was contained before spreading to more popular packages; the 36 affected packages had approximately 32,000 combined monthly downloads.
Texas Parks and Wildlife Vendor Breach Exposed Driver’s License Data of 3 Million License Holders
The Texas Parks and Wildlife Department (TPWD) disclosed on June 18, 2026, that an unnamed vendor responsible for hunting and fishing license sales had suffered a breach affecting 3,087,721 individuals. Texas Cyber Command notified TPWD on May 13, though the investigation had not determined the initial entry date, access method, or breach duration by the time of disclosure. A formal notification was published June 12 ahead of the public announcement on June 18.

A Dark Web forum post offers the full database dump for the TPWD breach (SOCRadar)
Exposed data included driver’s license information, passport numbers where provided, email addresses, phone numbers, and residential addresses. Social Security numbers, dates of birth, and financial information were not taken. Public contract records link Gordon-Darby Inc. as a current TPWD license system vendor, though the department has not officially named the vendor.
Affected customers were offered one year of free credit monitoring through Kroll, with enrollment open through September 14.
Xsolis Disclosed 1.4 Million-Person Breach Five Months After a Phishing Attack Went Undetected
Healthcare technology company Xsolis disclosed in late June 2026 that a phishing attack on January 20 had led to unauthorized access to files containing protected health information. The company detected the intrusion on January 22 but did not disclose publicly until June 23, five months later. HHS confirmed 1,396,519 individuals were affected.
Xsolis provides utilization management and revenue cycle solutions to hospital and payer clients, meaning the exposed data came from its provider and payer relationships rather than direct patient records. Potentially compromised information includes names, addresses, dates of birth, Social Security numbers, health insurance details, and medical treatment information. Xsolis reported the incident to law enforcement, engaged investigators, and notified affected individuals by mail with access to free credit monitoring. No ransomware group or threat actor claimed responsibility at the time of disclosure.
Fabricated VRChat and Discord Breach Filings Forced Maine to Suspend Its Public Notification Portal
On June 12, 2026, the Maine Attorney General’s Office took its public breach notification portal offline after fraudulent filings impersonating VRChat and Discord were published without verification. The VRChat filing claimed 2.4 million users were affected and was submitted on fabricated company letterhead under a nonexistent employee’s name. The Discord filing claimed 10 million. Both companies confirmed they had not submitted the notices and had no evidence of compromise. Maine described both as “hoaxes” and removed them.
The portal had cataloged nearly 6,000 incidents since mid-2020 and is a primary resource for researchers, journalists, and threat intelligence teams. Its open submission model allowed notices to publish without prior review, a design that enabled fast legitimate disclosures but offered no fraud protection. Maine continued accepting filings but suspended public access pending a procedural audit. The incident exposed a structural gap likely shared by other state breach registries, raising questions about the verification standards that public breach infrastructure should meet.
Monitor Your Exposure With SOCRadar XTI
June 2026 illustrated how quickly secondary damage accumulates. FortiBleed credentials entered criminal marketplaces within days of disclosure. The Klue OAuth tokens gave Icarus access that outlasted the initial compromise window. And the three supply chain campaigns running simultaneously across npm and PyPI mean that a single developer environment touching any affected package could have seeded further infections without ever knowing it.

SOCRadar XTI gives your team the visibility to get ahead of that pattern:
- Dark Web Monitoring – scans leak sites, criminal forums, and paste channels continuously for your organization’s exposed credentials, stolen data, and internal documents before they are weaponized
- Cyber Threat Intelligence – delivers in-depth, current profiles on threat actors like ShinyHunters, Icarus, and TeamPCP, including their infrastructure, preferred access paths, and active campaigns
- Supply Chain Intelligence – evaluates the security posture of your vendors and third-party integrations so a breach upstream does not become a blind spot downstream
SOCRadar XTI turns reactive incident tracking into proactive defense.
