This Week’s Pattern: The Breach Came Through a Token, Not a Door.
The single biggest story of the week needed no exploit, no malware, and no CVE. Attackers using the alias “Icarus” abused a single compromised legacy integration credential at Klue — a competitive-intelligence vendor — to steal the OAuth tokens Klue holds for its customers, then walked into one Salesforce tenant after another. The victim list reads like a security-industry directory: LastPass, BeyondTrust, Snyk, HackerOne, Tanium, OneTrust, Jamf, Recorded Future, Sprout Social, Gong. The companies whose entire business is protecting other companies were breached through a dormant non-human identity and a valid token. The Register reports the scale may reach into the hundreds of Salesforce tenants.
Second, the same week, SecurityWeek’s analysis of the latest ShinyHunters breaches — Medtronic, Wynn Resorts, 7-Eleven, DentaQuest, Kodak, the Council of Europe, the University of Nottingham — landed on the identical conclusion: not a single perimeter was “broken.” Stolen infostealer credentials, abused OAuth tokens, MFA-fatigue prompts, and help-desk vishing. Valid identity, authorized apps, normal-looking sessions. As the piece puts it, identity has become the primary battleground — and the attacker’s preferred move is to log in, not break in.
Third, the machines we’re racing to deploy are inheriting all of it. The Mastra AI-agent framework had 144 npm versions backdoored to steal LLM API keys and CI credentials. Gartner warned that 70% of organizations grant AI agents more privileged access than a human in the same role — on top of legacy infrastructure (unpatched servers, misconfigured Active Directory, cached credentials) that gives attackers the path to hijack those agents. Texas Parks & Wildlife disclosed a 3-million-record breach through a third-party license vendor. And the vendor zero-days kept coming: Ubiquiti UniFi OS with a triple CVSS 10.0 chain on CISA KEV, Cisco Unified CM SSRF dropping webshells, Splunk Enterprise’s first-ever KEV zero-day, Lantronix EDS5000 command injection, the Cordyceps CI/CD class exposing 300+ GitHub repos, and a Gravity SMTP plugin leaking API keys and OAuth tokens to anyone who asked. Eleven incidents. We built one of the best identity stacks out there — and we still tell every customer it’s the front door, not the whole house. Here are the ones that matter and what stops them.
Non-Human Identity & OAuth Supply Chain
1 — Klue OAuth Breach Swallows the Security Industry: LastPass, BeyondTrust, Snyk, HackerOne, Tanium
The Klue supply-chain breach exploded this week from a single vendor incident into an industry event. Attackers abused a compromised legacy integration credential at Klue to steal the OAuth tokens Klue holds for its customers, then used those tokens to read each victim’s Salesforce. A who’s-who of security firms disclosed impact — HackerOne, Snyk, OneTrust, Jamf, Recorded Future, Tanium, Sprout Social, Gong, and then LastPass and BeyondTrust. LastPass confirmed names, phone numbers, emails, physical addresses, and support-case contents were read from its Salesforce (vaults unaffected). No software was exploited; no CVE was involved. Icarus set a June 22 extortion deadline and began leaking data when it lapsed, and reporting suggests the campaign may have hit hundreds of Salesforce tenants through that one integration.
This is the purest possible illustration of the week’s thesis: the breach came through a token, not a door. A dormant integration credential at a single SaaS vendor became the key to dozens of downstream CRMs — and the victims were the companies the industry trusts to know better. There was no malware to detect and no vulnerability to patch, because the attacker presented valid OAuth tokens and queried an API exactly as the integration was authorized to. Every connected app holding an OAuth grant is a non-human identity that can read your data — and it is governed by the vendor’s security, not yours.
Most Advanced AI Security
Why RuntimeAI Customers Are Protected
- See every token before it’s abused: NHI Security keeps a live inventory of every OAuth grant and connected app touching critical SaaS — competitive-intel tools like Klue included — with the exact objects and fields each token can read. A dormant integration holding broad Salesforce scope surfaces as a flagged, owned identity, not a connection nobody has looked at in two years.
- Scope the grant down so a stolen token isn’t a master key: KYA enforces least privilege on non-human identities, so a connected app is authorized only for the objects it genuinely needs — not the entire CRM. When its token is stolen, the attacker inherits a slice of the data, not all of it.
- Catch machine-speed extraction in seconds: Flow Enforcer baselines how each integration normally behaves. Enumerating the full Salesforce object catalog and running ~1,000 queries in fifteen minutes is unmistakably non-human — flagged and suspended mid-extraction, not discovered when the data surfaces on a leak site a day later.
- Cap bulk export at the data layer: PII Shield enforces export ceilings on CRM records regardless of which token is presented. A “valid” OAuth token operating under RuntimeAI policy still cannot drain a tenant — the data-layer control doesn’t care that the credential authenticated.
- Revoke across every tenant in one move: When an integration is compromised, the control plane kills its tokens instantly across all affected tenants — customers don’t sit waiting for the vendor to disable the app the way the Klue victims waited on Salesforce.
- Prove the blast radius in minutes: Every record reached through a third-party token is logged with the token’s identity, scope, and timestamp in the Audit Black Box. When the next vendor is breached, “what did they touch, through which token, in what window” is a query — not a multi-week reconstruction.
The Klue victims did everything right at the perimeter and were still breached through a token they didn’t mint. RuntimeAI governs the non-human identities your vendors hold on your behalf — so a compromised integration is a contained anomaly, not an industry-wide breach.
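The machine-speed extraction called out above, as an added detection sketch that is not RuntimeAI's own code: it slides a 15-minute window over a constructed CRM API access log per OAuth token and flags any token whose peak query count or peak number of distinct objects exceeds its ceiling. The log format, token ids and the two thresholds are assumptions standing in for a per-integration baseline.

```python
"""Flag machine-speed extraction by a third-party OAuth token.

Added illustration, not RuntimeAI code. Log format, token ids and thresholds
are assumptions; the sample log is constructed inline.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed CRM API access log line: "<ISO-8601 UTC> token=<id> op=query object=<SObject>"
LINE_RE = re.compile(r"^(\S+) token=(\S+) op=query object=(\S+)$")


def parse(lines):
    """Return (timestamp, token, object) tuples; malformed lines are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
            events.append((ts, m.group(2), m.group(3)))
    return events


def find_anomalies(lines, window=timedelta(minutes=15), max_queries=200, max_objects=25):
    """Per token, slide a window over its queries and record the peak query
    count and peak number of distinct objects; either above its ceiling is a
    finding. The thresholds stand in for a learned per-integration baseline."""
    by_token = defaultdict(list)
    for ts, tok, obj in parse(lines):
        by_token[tok].append((ts, obj))

    findings = {}
    for tok, evs in by_token.items():
        evs.sort()
        win = deque()               # events inside the current window
        in_win = defaultdict(int)   # object -> how many window events touch it
        peak_q = peak_o = 0
        for ts, obj in evs:
            win.append((ts, obj))
            in_win[obj] += 1
            while ts - win[0][0] > window:   # evict events older than the window
                _, old_obj = win.popleft()
                in_win[old_obj] -= 1
                if in_win[old_obj] == 0:
                    del in_win[old_obj]
            peak_q = max(peak_q, len(win))
            peak_o = max(peak_o, len(in_win))
        reasons = []
        if peak_q > max_queries:
            reasons.append(f"{peak_q} queries in {window}")
        if peak_o > max_objects:
            reasons.append(f"{peak_o} distinct objects in {window} (catalog enumeration)")
        if reasons:
            findings[tok] = reasons
    return findings


def constructed_log():
    """Constructed sample: a normal sync integration plus a dormant legacy
    token that suddenly enumerates 40 objects with 1,000 queries in 15 minutes."""
    base = datetime(2026, 6, 20, 9, 0, 0)
    lines = []
    for i in range(10):    # legitimate sync: two objects, one query every 6 minutes
        ts = base + timedelta(minutes=6 * i)
        obj = "Account" if i % 2 else "Opportunity"
        lines.append(f"{ts:%Y-%m-%dT%H:%M:%SZ} token=tok_intel_sync op=query object={obj}")
    for i in range(1000):  # extraction: 1,000 queries spread over 900 seconds
        ts = base + timedelta(seconds=0.9 * i)
        lines.append(f"{ts:%Y-%m-%dT%H:%M:%SZ} token=tok_legacy_dormant op=query object=Obj{i % 40:02d}")
    return lines


if __name__ == "__main__":
    for tok, why in find_anomalies(constructed_log()).items():
        print(f"SUSPEND {tok}: " + "; ".join(why))
```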
2 — ShinyHunters’ Latest Breaches: They Didn’t Hack Medtronic and Wynn — They Logged In
SecurityWeek’s analysis of the latest ShinyHunters breaches catalogs an extraordinary victim list — the University of Nottingham, DentaQuest (2.6 million impacted), 7-Eleven, Medtronic, Wynn Resorts, Kodak, the Council of Europe — and finds one thing in common: the attackers authenticated. The group leans on stolen credentials harvested by infostealers, OAuth token abuse and compromised SaaS integrations, MFA-fatigue attacks, vishing and help-desk impersonation, and overly permissive access configurations. There are no novel exploits here. The report’s conclusion is blunt: identity has become the primary battleground, because legitimate credentials and authorized applications look completely normal to existing security controls.
Read alongside the Klue story, the message of the week is unmistakable: the modern breach is an authentication event. Traditional controls fail here by design — a valid credential and an authorized app trip no alarm. And the exposure compounds the moment you add AI agents, which hold their own tokens, carry standing SaaS access, and are routinely granted more privilege than the humans they replaced. If a legitimate login and an authorized app look normal to your stack, the only thing that catches the abuse is behaviour, scope, and an audit trail on every identity — human and machine.
Zero Trust, Layer by Layer
- Inventory the identities attackers actually target: KYA and NHI Security catalog every identity that can reach enterprise data — users, service accounts, OAuth grants, API keys, agents — with owner and scope. The forgotten service account and the over-permissioned integration ShinyHunters hunts for are surfaced and tightened before they’re the way in.
- Don’t trust a session just because it authenticated: A stolen credential, an MFA-fatigue approval, and a help-desk reset all produce a “valid” login. Flow Enforcer steps up scrutiny on sensitive actions and judges the session by its behaviour, not by the fact that a credential checked out.
- Flag the tells of account takeover: New device, new geography, impossible travel, or machine-speed access on a human identity are baselined as anomalous and contained — even though the password and the second factor both passed.
- Cap what any one identity can reach and remove: KYA-scoped least privilege and PII Shield mean impersonating an identity grants only that identity’s declared access, and bulk export hits a data-layer ceiling regardless of how the session authenticated.
- Revoke fast, then prove what happened: A credential suspected stolen is killed from the control plane in one move, and every action taken under it is reconstructable in the Audit Black Box — “we think we were breached” becomes “here is exactly what was touched, and it stopped here.”
Identity is the front door — and we built one of the best identity stacks out there. We still tell every customer it’s the front door, not the whole house. ShinyHunters is the reason: when the attacker logs in, you need enforcement and audit underneath the login.
AI Agents & Infrastructure Threats
3 — Mastra AI-Agent Framework: 144 npm Versions Backdoored to Steal LLM API Keys
Microsoft detailed a supply-chain compromise of Mastra, a popular AI-agent framework with roughly 1.1 million weekly installs. A compromised maintainer account was used to publish 144 malicious versions; the payload hid in an easy-day-js typosquat dependency with a postinstall remote-access trojan. The malware specifically hunts developer and CI credentials, LLM API keys, and cloud and crypto secrets — the exact assets that make an AI-agent build pipeline valuable. Microsoft attributes the activity to the Sapphire Sleet cluster. Because the package sits in the dependency tree of AI-agent applications, every downstream build inherited the backdoor until the malicious versions were pulled.
This is the AI-agent supply chain attacked at its root. Developers building agents trust their framework dependencies implicitly, and a postinstall script runs with whatever the build environment can reach — which, for an AI project, includes the LLM API keys and cloud credentials that power the agents themselves. Steal those and you don’t just compromise a build; you inherit the agents’ standing access. An AI agent inherits every secret in the pipeline that built it — and a single backdoored dependency turns that pipeline into a credential-harvesting machine.
Zero Trust · Defence in Depth
- Map the dependencies — and the secrets they can reach: Coding Agent Defense and NHI Security inventory the packages feeding every AI-agent build and the credentials those builds can touch — LLM API keys, cloud tokens, CI secrets. A framework like Mastra and the keys in its pipeline are known, so a poisoned release has a precomputed blast radius.
- Verify provenance before code runs: Pinned versions and publisher/provenance checks target the exact vectors here — a hijacked maintainer account pushing 144 versions and a typosquatted easy-day-js dependency — before the postinstall script ever executes.
- Sandbox what install and build steps may do: Flow Enforcer constrains postinstall and build processes. A script suddenly reading environment secrets and dialing unknown infrastructure deviates from the build’s declared behaviour and is blocked — not trusted because it arrived as “just a dependency.”
- Make stolen keys useless off-network: Secrets only matter if they leave and work elsewhere. The Secure LLM Router and egress policy stop LLM keys and cloud tokens from reaching non-allowlisted destinations, and scoped, short-lived tokens limit what a leaked key can do even if it escapes.
- Know exactly what to rotate: Every dependency pulled, secret accessed, and outbound call from the build is logged in the Audit Black Box — so when a backdoored package surfaces, the precise set of exposed secrets is a query, and rotation is targeted instead of “rotate everything and hope.”
The AI supply chain is now a primary target precisely because agents concentrate high-value secrets. RuntimeAI scopes those secrets, constrains the build, and proves what was touched — so a poisoned dependency is contained rather than catastrophic.
4 — Legacy Infrastructure Is Hijacking Your AI Agents (Gartner: 70% Are Over-Privileged)
The Hacker News, reporting from this year’s Gartner Security & Risk Management Summit, names a blind spot most AI-security programs miss: while organizations rush to secure the AI layer, attackers reach AI agents through the legacy infrastructure underneath — unpatched servers, misconfigured Active Directory permissions, cached credentials on a developer’s machine. The piece reports roughly 71% of organizations are piloting AI agents and 31% have moved them into production, while 70% grant AI systems more privileged access than a human in the same role. The conclusion: AI-agent dependencies carry whatever security debt existed before deployment, and attackers don’t need novel techniques — they need old ones and an environment that lets the old exploit the new.
This is RuntimeAI’s home turf stated as an industry finding. Securing “the model” or bolting a guardrail onto the prompt does nothing about the misconfigured AD permission or the cached credential that an agent depends on to do its job. Stack an over-privileged autonomous actor on top of unaddressed infrastructure debt and you have created a fast, scalable version of a twenty-year-old problem. You don’t secure an agent by securing the model — you secure it by giving it a real identity, enforcing least privilege on the messy infrastructure it actually touches, and keeping a kill switch and an audit trail.
Zero Trust · Defence in Depth
- Map each agent to the infrastructure it actually leans on: KYA and Cloud Security tie every AI agent to the hosts, AD permissions, service accounts, and cached credentials it depends on — so the unpatched server and the stale AD entry that become the hijack path show up as part of the agent’s real attack surface.
- Expose the over-privilege Gartner is warning about: RuntimeAI surfaces each agent’s actual reach versus what its task needs, so the 70% of agents holding more access than the human they replaced are flagged and trimmed before an attacker inherits that access.
- Enforce least privilege at runtime, on the messy infra: Flow Enforcer enforces scope at the workload and data layer where the agent operates — so a misconfigured AD permission or a cached credential underneath the agent doesn’t translate into agent-driven compromise.
- Keep a kill switch on every agent: Each agent identity is scoped and instantly revocable. When the infrastructure beneath an agent is compromised, you stop the agent in one move, and egress policy keeps it from pivoting past its declared scope.
- Audit across the model and the plumbing: The Audit Black Box logs the agent’s actions across both the AI layer and the legacy infrastructure underneath — so an investigation captures the old-technique step (the unpatched host, the cached credential) the attacker used to reach the new system.
The AI layer is necessary to secure, and nowhere near sufficient. RuntimeAI is the runtime control plane that governs agents on the existing infrastructure they depend on — identity, least privilege, kill switch, and audit, deployed over what you already run.
Data Breaches
5 — Texas Parks & Wildlife: 3 Million Breached Through a Third-Party License Vendor
The Texas Parks and Wildlife Department (TPWD) disclosed a breach affecting approximately 3 million people who purchased hunting and fishing licenses — and TPWD itself was not breached; a third-party vendor that sells the licenses was. TPWD learned of the incident from the Texas Cyber Command, not from its own monitoring. The exposed data includes email addresses, physical addresses, phone numbers, driver’s license information, and passport numbers; notably, Social Security numbers, dates of birth, and financial/credit-card data were not obtained. TPWD says it took immediate steps to strengthen access controls for customer profile data, with more security features to follow.
This is the supply-chain breach in its plainest form: your data is only as secure as the least-governed third party you connected to it, and you often can’t see misuse until a regulator or a cyber-command tells you. The 2026 escalation is that AI agents are becoming the newest such third parties — granted broad data access and standing credentials, with almost no ongoing review. If you wouldn’t hand a new vendor unlimited, unaudited access to three million identity records, don’t hand it to an agent either.
Why RuntimeAI Customers Are Protected
- Know which third parties hold your customers’ data: NHI Security maps every vendor, integration, and agent that receives or can reach sensitive records — so the license-selling vendor that becomes the breach door is a tracked, scoped relationship, not an off-the-books data flow you rediscover via a cyber-command call.
- Send the vendor the minimum, not the database: Data-minimization policy means a third party receives only the fields it needs to do its job. A vendor breached tomorrow leaks a narrow slice, not three million complete identity profiles.
- Tokenize the documents that can’t be reissued: PII Shield tokenizes driver’s license and passport numbers at the data layer, so partners and processes operate on tokens. Even a fully compromised vendor walks away with tokens, not the raw identity documents victims can never rotate.
- Cap bulk extraction wherever the data lives: Export ceilings apply regardless of which connected party initiated the pull — a compromised vendor account can’t siphon the entire customer base in a single run.
- Find out before the regulator does: Every access to customer-profile data is logged with the requesting identity, scope, and timestamp in the Audit Black Box — so you detect and scope a third-party breach from your own telemetry, instead of learning of it from Texas Cyber Command.
You inherit a vendor’s — or an agent’s — security posture the moment you connect it. RuntimeAI governs those connections like the third parties they are: scoped, behaviourally enforced, and audited.
Vendor Zero-Days & Active Exploitation
6 — Ubiquiti UniFi OS: Three Max-Severity (CVSS 10.0) Flaws Chained to Unauthenticated Root RCE on KEV
CISA added three maximum-severity flaws in Ubiquiti UniFi OS — CVE-2026-34908, CVE-2026-34909, and CVE-2026-34910, all rated CVSS 10.0 — to its Known Exploited Vulnerabilities catalog. The trio (improper access control, path traversal, and improper input validation) was chained by Bishop Fox researchers into unauthenticated remote root code execution on UniFi OS devices, and the flaws are under active exploitation. UniFi OS sits at the network edge for a large base of organizations; an unauthenticated path to root on the device that controls the network is the worst-case profile for network infrastructure.
Three separate CVSS 10.0 bugs in one product, chained to unauthenticated root and added to KEV, is about as severe as a network-appliance advisory gets. The device that controls your network becomes attacker-controlled with no credentials required — and everything that trusts the network position behind it inherits the risk. When the box that runs your network can be rooted by anyone who can reach it, the only durable control is one that limits what a compromised device can actually touch downstream.
How RuntimeAI Stops This
- Instant exposure list when KEV lands: Cloud Security inventories every network appliance — UniFi OS devices included — with firmware version and KEV exposure, so a triple-10.0 chain produces a target list in seconds instead of a manual hunt across the estate.
- Network position is not authorization: KYA-scoped credentials mean a rooted appliance cannot mint or present valid identities for the workloads behind it. Sitting on the network grants nothing — every access decision is re-validated at the workload, so root on the box is not root on the business.
- Microsegment east-west so one device isn’t the whole network: Flow Enforcer constrains lateral movement hop by hop. Root on one edge device yields visibility, not reach — each subsequent hop demands its own scoped credential the attacker doesn’t hold.
- Choke the appliance’s egress: A compromised UniFi box trying to beacon to attacker infrastructure or pivot inward hits per-device egress policy — the foothold is boxed in to the handful of destinations the appliance legitimately needs.
- Keep the forensic trail off the box: Post-exploitation actions are logged to the Audit Black Box independently of the device, so the attack sequence survives even when the attacker wipes the appliance’s own logs — the usual first move after rooting network gear.
An unauthenticated-to-root network device is the start of an investigation under RuntimeAI, not the end of your defense — because enforcement lives at the workload and data layer, not the appliance.
7 — Cisco Unified CM: Unauthenticated SSRF Exploited in the Wild to Drop Root Webshells
Attackers are actively exploiting CVE-2026-20230, a CVSS 8.6 unauthenticated server-side request forgery flaw in Cisco Unified Communications Manager (and Session Management Edition) via the WebDialer component. Using file:// payloads and a rogue Apache Axis service, attackers wrote JSP webshells and escalated to root, with exploitation first observed the weekend of June 20–21. Unified CM is the call-control core of enterprise telephony; a server-side request forgery that becomes a root webshell turns the communications backbone into an attacker foothold.
An unauthenticated SSRF that the attacker walks all the way to a root webshell is a full compromise of a core enterprise system — and it follows the same pattern as the rest of this week’s vendor advisories: the infrastructure you trust to run the business becomes the way in. The disclosure predates the exploitation, but the active-exploitation event is fresh, which is exactly when a compensating control matters most. A root webshell on the communications core is only as dangerous as what that server is allowed to reach next.
How RuntimeAI Stops This
- Pin down the comms core before the SSRF does: Cloud Security maps Unified CM instances and exactly what they can reach, so an actively-exploited SSRF gets an instant impact assessment instead of an unknown surface to chase.
- Block the SSRF’s own moves: The attack’s tells — internal file:// fetches, a rogue Apache Axis service spinning up, a JSP webshell executing — all deviate from what a call-control server should ever do, and Flow Enforcer contains them at the boundary even before a patch exists.
- Box in the foothold: A rooted Unified CM trying to pivot inward or beacon to attacker infrastructure hits per-workload egress policy — the webshell is confined to the handful of destinations the server legitimately needs, not the internal network.
- Reconstruct the whole chain: The SSRF request, the webshell write, and every action after it are logged in the Audit Black Box with full context — so containment and clean-up start from a complete picture, not guesswork.
RuntimeAI treats core infrastructure as the privileged, broadly-trusted system it is — baselined, egress-constrained, and audited — so a single SSRF-to-webshell does not become network-wide access.
8 — Splunk Enterprise: First-Ever Splunk KEV Zero-Day, Exploited Days After Disclosure
CISA added CVE-2026-20253 in Splunk Enterprise to its Known Exploited Vulnerabilities catalog — the first-ever Splunk entry on KEV — with active exploitation reported days after disclosure and a federal remediation deadline of June 21. The flaw is in a PostgreSQL sidecar service endpoint that lacks authentication, allowing any network-reachable user to create or truncate arbitrary files, demonstrated escalating to remote code execution. Splunk is the security-analytics backbone for a large share of SOCs; an unauthenticated RCE in the platform that ingests an organization’s security telemetry is a high-value, high-trust target.
The product the SOC relies on to detect everything else becoming the entry point is the recurring shape of this week. An unauthenticated sidecar endpoint that allows arbitrary file write is a missing-access-control failure — no credential to steal, the check simply wasn’t there — and its first-ever KEV listing means it’s being used now. When your detection platform is the exploited asset, you need a control plane that doesn’t depend on that platform to see and contain the abuse.
How RuntimeAI Stops This
- Find the unauthenticated endpoint first: Cloud Security inventories analytics platforms like Splunk and their exposed services, flagging an endpoint reachable without auth — a sidecar included — as a high-priority gap before an attacker finds it for you.
- Contain the write even though there’s no credential to check: This is a missing-access-control bug, so there’s nothing to authenticate against. Flow Enforcer baselines platform behaviour and contains the anomalous arbitrary-file-write-to-RCE path regardless of whether the sidecar enforces auth.
- Confine the analytics plane: A compromised Splunk host can’t pivot or exfiltrate past its declared scope — per-workload egress policy limits where the platform that ingests all your telemetry can actually reach after RCE.
- Keep the record where the attacker can’t reach it: The Audit Black Box is independent of the SIEM, so compromising your detection platform doesn’t blind the investigation — the one scenario where in-SIEM logging fails you is the one RuntimeAI is built to survive.
When the detection platform is the target, RuntimeAI’s independent enforcement and audit are the layer that still sees — so a Splunk zero-day is contained, not a blind spot.
9 — Lantronix EDS5000: CVSS 9.8 Command Injection Added to CISA KEV
CISA added CVE-2025-67038, a CVSS 9.8 command-injection flaw in the Lantronix EDS5000 device server, to its Known Exploited Vulnerabilities catalog. The HTTP RPC module logs failed authentication attempts by concatenating the supplied username directly into a shell command without sanitization — so an attacker simply puts a command in the username field and the device runs it at root when the login fails. EDS5000 device servers bridge serial equipment to IP networks in industrial and operational environments, where a root-level command injection on the gateway is a foothold into OT.
This is a textbook injection: untrusted input (the username) flowing into a shell command, triggered by the most ordinary event there is — a failed login. The OT context makes it worse, because device servers often sit in environments that are hard to patch and rich in downstream equipment. A failed login that executes the attacker’s command is a foothold handed out for free — the only mitigation that helps before patching is constraining what the device can reach.
How RuntimeAI Stops This
- Inventory the gateways no one re-images: Cloud Security catalogs serial-to-IP device servers like the EDS5000 — firmware, and the equipment and networks they bridge — so a KEV-listed injection flaw has a known footprint in environments that are otherwise dark.
- Treat a failed login as untrusted input: Flow Enforcer baselines what a gateway should do; root-level command execution triggered by a login attempt is so far outside that baseline it’s flagged and contained — the injection fires into a constrained environment, not a free shell.
- Contain the OT blast radius: A compromised gateway can’t reach past its declared scope into the broader OT or IT network without a separately valid scoped credential — the compensating control that matters most when firmware updates take months.
- Give OT teams a record they usually don’t have: Command execution and post-exploitation activity are logged in the Audit Black Box, supplying a reconstructable trail where device-level logging is typically thin or absent.
OT gateways are hard to patch and easy to under-monitor. RuntimeAI’s egress containment and audit are the controls that work in the long window before firmware is updated.
Supply Chain & Secrets Exposure
10 — “Cordyceps”: CI/CD Pwn-Request Class Exposes 300+ GitHub Repos and Their Secrets
pull_request_target Misuse Lets Fork PRs Inherit the Workflow’s Token and Secrets
HIGH · SUPPLY CHAIN · CI/CD
Researchers detailed “Cordyceps,” a class of CI/CD pwn-request flaws affecting more than 300 GitHub repositories. An unauthenticated attacker submits a fork pull request or comment; a misconfigured low-privilege workflow then checks out the untrusted head code and runs it while inheriting the workflow’s GITHUB_TOKEN and secrets — yielding credential theft and supply-chain compromise. The pattern was confirmed exploitable against repositories at Microsoft, Google, Apache, and Cloudflare. GitHub shipped an actions/checkout v7 fix that went GA on June 18, but the misconfiguration is systemic and not closed by a single CVE.
The CI/CD pipeline is a privileged, secret-laden execution environment, and the pwn-request pattern turns an open-source courtesy — running CI on contributor pull requests — into arbitrary code execution with the repo’s tokens. Because it’s a configuration class rather than a single bug, every org has to audit its own workflows; a vendor patch alone doesn’t save you. A build pipeline that runs untrusted PR code with privileged tokens is a supply-chain breach waiting for a contributor — the fix is constraining what the pipeline’s identity can do.
Zero Trust · Defence in Depth
- Know what every workflow can touch: NHI Security inventories CI/CD service identities, the secrets they can reach, and the tokens (like GITHUB_TOKEN) they wield — so the blast radius of a pwn-request workflow is precomputed, not discovered after a contributor exploits it.
- Don’t let untrusted PR code act like trusted code: Flow Enforcer constrains what a build job may execute and reach. Fork-PR code attempting to read secrets or call out deviates from the pipeline’s declared behaviour and is blocked — the “run CI on contributor PRs” courtesy stops being arbitrary code execution.
- Make the token worth little if stolen: Scoped, least-privilege, short-lived CI tokens plus egress policy mean a hijacked workflow can’t exfiltrate secrets or reach production — a captured GITHUB_TOKEN does only what its narrow scope allows.
- Close the class, not just the bug: The actions/checkout patch closes one path; least privilege closes the pattern. Every job execution, secret access, and outbound call is logged in the Audit Black Box, so a compromised workflow’s exact reach is reconstructable for targeted rotation.
A patch closes one path; least privilege closes the class. RuntimeAI scopes and audits the CI/CD identities that pwn-request attacks rely on, so a misconfigured workflow can’t become a supply-chain breach.
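Because the pwn-request pattern is a configuration class that every org has to audit for itself, here is an added audit script (not RuntimeAI's or GitHub's code) that scans a workflow file for the shape described above: a privileged trigger, a checkout pinned to the pull request head, and a run step after it. The scan is line-based and assumes block-style `on:` syntax; the two sample workflows are constructed, and the hardened one uses plain `pull_request` with an explicit read-only `permissions` block.

```python
"""Scan a GitHub Actions workflow for the pwn-request shape: a privileged
trigger that checks out and runs pull-request head code.

Added illustration, not RuntimeAI or GitHub code. The scan is line-based
(block-style `on:` only, no YAML library); sample workflows are constructed.
"""
import re

PRIV_TRIGGER_RE = re.compile(r"^\s*(pull_request_target|issue_comment|workflow_run)\s*:")
STEP_START_RE = re.compile(r"^\s*-\s")
CHECKOUT_RE = re.compile(r"uses:\s*actions/checkout@")
PR_HEAD_RE = re.compile(r"github\.event\.pull_request\.head\.(sha|ref)|github\.head_ref")
RUN_RE = re.compile(r"^\s*(-\s*)?run\s*:")
PERMISSIONS_RE = re.compile(r"^\s*permissions\s*:")


def audit_workflow(text):
    """Return a list of findings (empty when the workflow does not match the pattern)."""
    lines = text.splitlines()
    findings = []

    # 1. A trigger that runs in the base repository's context, with its secrets.
    triggers = [n for n, line in enumerate(lines, 1) if PRIV_TRIGGER_RE.match(line)]
    if not triggers:
        return findings   # plain pull_request from a fork gets no repository secrets

    # 2. A checkout step whose `with:` block pins the PR head (contributor-controlled code).
    untrusted_checkout = None
    for idx, line in enumerate(lines):
        if not CHECKOUT_RE.search(line):
            continue
        nxt = idx + 1
        while nxt < len(lines) and not STEP_START_RE.match(lines[nxt]):
            if PR_HEAD_RE.search(lines[nxt]):
                untrusted_checkout = idx + 1
                break
            nxt += 1
        if untrusted_checkout:
            break
    if untrusted_checkout is None:
        return findings   # base-branch checkout only: label/comment bots do this safely

    findings.append(f"line {triggers[0]}: privileged trigger runs with the repository's secrets")
    findings.append(f"line {untrusted_checkout}: checkout pinned to the pull request head")

    # 3. Any run step after that checkout executes the contributor's code (and, via a
    #    package install, its install scripts) under the workflow's GITHUB_TOKEN.
    for idx in range(untrusted_checkout, len(lines)):
        if RUN_RE.match(lines[idx]):
            findings.append(f"line {idx + 1}: run step executes the checked-out PR code")
            break

    # 4. Without an explicit permissions block the token keeps the repository default scope.
    if not any(PERMISSIONS_RE.match(line) for line in lines):
        findings.append("no permissions: block; GITHUB_TOKEN scope is the repository default")
    return findings


# Constructed vulnerable workflow: pull_request_target + head checkout + npm install.
VULNERABLE_WORKFLOW = """name: ci
on:
  pull_request_target:
    types: [opened, synchronize]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - run: npm ci && npm test
        env:
          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
"""

# Constructed hardened variant: plain pull_request (no secrets for forks) and a read-only token.
HARDENED_WORKFLOW = """name: ci
on:
  pull_request:
permissions:
  contents: read
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: npm ci && npm test
"""

if __name__ == "__main__":
    for name, wf in (("vulnerable", VULNERABLE_WORKFLOW), ("hardened", HARDENED_WORKFLOW)):
        print(name, audit_workflow(wf) or ["clean"])
```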
11 — Gravity SMTP Plugin: Unauthenticated Endpoint Leaks API Keys and OAuth Tokens
permission_callback That Always Returns True Exposes a Secrets-Laden System Report
HIGH · SECRETS LEAK · NHI / OAUTH
Attackers are mass-exploiting CVE-2026-4020 in the Gravity SMTP WordPress plugin, installed on roughly 100,000 sites. The plugin’s REST endpoint had a permission_callback that always returned true, so an unauthenticated GET returns a full “System Report” JSON — leaking SES, Google, Mailjet, and Zoho API keys, secrets, and OAuth tokens. Wordfence reports blocking more than 17 million exploitation attempts. The flaw itself is rated medium on CVSS, but the impact is high: it hands attackers the very non-human-identity credentials that this week’s biggest breaches were built on.
This is the supply line for the rest of the week’s stories. A trivial missing-authorization bug doesn’t need to be “critical” on paper when what it leaks is a bundle of API keys and OAuth tokens — the exact assets ShinyHunters and the Klue attackers used to log in elsewhere. Seventeen million blocked attempts show the market for those credentials is industrial. A “medium” bug that leaks OAuth tokens funds a “critical” breach somewhere else — the severity is in what the secret unlocks.
How RuntimeAI Stops This
- Track the keys before they leak: NHI Security inventories where API keys and OAuth tokens live and what each can reach — so a SES, Google, Mailjet, or Zoho token dumped in a System Report is a known, scoped, revocable identity, not an untracked master key you didn’t know existed.
- Catch the leaked key the moment it’s used: Flow Enforcer baselines normal token behaviour. A credential leaked from the plugin and replayed from a new source or for a new scope is flagged and contained on first abuse — the leak doesn’t silently become a breach.
- Limit and revoke without a scavenger hunt: Every non-human credential is scoped to its declared purpose and instantly revocable from the control plane. A leaked token can’t exceed its scope, and rotation is one action — not a frantic hunt for everywhere that key was hardcoded.
- Trace what each token unlocked: Every action taken with each token is logged in the Audit Black Box, so when a secret leaks, exactly what it touched — and precisely what must be rotated — is determinable at once.
The whole week runs on stolen and leaked tokens. RuntimeAI inventories, scopes, and audits every one of them — so a leaked credential is a contained, revocable event, not the seed of the next breach.
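The inventory, scope-and-revoke, and trace bullets above all start from one question: when a dump like the Gravity SMTP System Report leaks, which credentials were in it and which integrations need rotating. The code below is an added example, not RuntimeAI's code and not Gravity SMTP's actual report schema: the report is constructed to resemble a mail-integration System Report with the providers the article names, the AWS values are AWS's documented example key pair, the other values are made up, and the key-name and value-shape heuristics are this example's own. It produces a fingerprinted inventory, a per-provider rotation plan, and a redacted copy of the report, so the secrets themselves never get pasted into a ticket.

```python
"""Inventory, fingerprint, and redact credential material in a leaked config dump.

Added example: not RuntimeAI's code and not Gravity SMTP's real report schema.
The sample report is constructed; the AWS values are AWS's documented example
key pair and every other value is made up.
"""
import hashlib
import re
from dataclasses import dataclass

# Key names that conventionally hold credential material...
SECRET_KEY = re.compile(r"(api[_-]?key|secret|token|password|credential)", re.I)
# ...and metadata keys that match the pattern but hold no secret.
NOT_SECRET = {"token_type", "token_expires", "secret_set", "api_key_last4"}
# Value shapes that identify a provider on their own (assumed: documented prefixes).
VALUE_SHAPES = {
    "aws-access-key-id": re.compile(r"^AKIA[0-9A-Z]{16}$"),
    "google-api-key": re.compile(r"^AIza[0-9A-Za-z_-]{35}$"),
}


@dataclass(frozen=True)
class LeakedCredential:
    path: str         # slash-separated path to the value inside the report
    provider: str     # top-level integration the value belongs to
    kind: str         # key name, or a recognised value shape
    fingerprint: str  # sha256 prefix: correlates findings without storing the secret


def _walk(node, path=""):
    """Yield (path, leaf) pairs for every scalar in a nested dict/list."""
    if isinstance(node, dict):
        for k, v in node.items():
            yield from _walk(v, f"{path}/{k}")
    elif isinstance(node, list):
        for i, v in enumerate(node):
            yield from _walk(v, f"{path}/{i}")
    else:
        yield path, node


def inventory(report: dict) -> list[LeakedCredential]:
    found = []
    for path, value in _walk(report):
        if not isinstance(value, str) or not value:
            continue
        key = path.rsplit("/", 1)[-1]
        kind = next((n for n, rx in VALUE_SHAPES.items() if rx.match(value)), None)
        if kind is None and SECRET_KEY.search(key) and key not in NOT_SECRET:
            kind = key
        if kind is None:
            continue
        provider = path.split("/")[1]
        fp = hashlib.sha256(value.encode()).hexdigest()[:12]
        found.append(LeakedCredential(path, provider, kind, fp))
    return found


def redact(report: dict, found: list[LeakedCredential]) -> dict:
    """Return a copy of the report that is safe to attach to an incident ticket."""
    paths = {c.path for c in found}

    def _r(node, path=""):
        if isinstance(node, dict):
            return {k: _r(v, f"{path}/{k}") for k, v in node.items()}
        if isinstance(node, list):
            return [_r(v, f"{path}/{i}") for i, v in enumerate(node)]
        return "[REDACTED]" if path in paths else node

    return _r(report)


def rotation_plan(found: list[LeakedCredential]) -> dict[str, list[str]]:
    """Group leaked credentials by provider: one rotation action per integration."""
    plan: dict[str, list[str]] = {}
    for c in found:
        plan.setdefault(c.provider, []).append(c.kind)
    return plan


# Constructed sample report; top-level keys are the integrations the article names.
SYSTEM_REPORT = {
    "site": {"url": "https://blog.example", "php": "8.2", "plugin_version": "x.y.z"},
    "ses": {
        "access_key_id": "AKIAIOSFODNN7EXAMPLE",
        "secret_access_key": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
    },
    "google": {
        "client_id": "123456.apps.googleusercontent.com",
        "client_secret": "GOCSPX-constructed-client-secret",
        "refresh_token": "1//constructed-refresh-token",
        "token_type": "Bearer",
    },
    "mailjet": {
        "api_key": "0123456789abcdef0123456789abcdef",
        "secret_key": "fedcba9876543210fedcba9876543210",
    },
    "zoho": {
        "access_token": "1000.constructed.access.token",
        "token_expires": "2026-01-01T00:00:00Z",
    },
}
```

The fingerprint is what lets the same leaked key be matched later against an inventory or an audit log without either side holding the plaintext; the NOT_SECRET allow-list is deliberately explicit so that a metadata field is never silently treated as a credential, and a new provider's metadata key has to be added there on purpose.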
The two biggest stories of the week needed no exploit. The Klue OAuth supply-chain breach pivoted stolen tokens into the Salesforce tenants of LastPass, BeyondTrust, Snyk, HackerOne, Tanium and more — the security industry breached through a dormant non-human identity. ShinyHunters walked into Medtronic, Wynn, 7-Eleven, and DentaQuest the same way: valid credentials, OAuth tokens, MFA fatigue, help-desk vishing. Zero CVEs between them. Identity is the primary battleground, and the attacker’s move is to log in.
The machines inherit all of it. Mastra’s AI-agent framework was backdoored on npm to steal LLM API keys; Gartner warned that 70% of organizations grant their AI agents more privilege than a human in the same role, on legacy infrastructure attackers already know how to abuse; Texas Parks & Wildlife lost 3 million identity records through a third-party vendor. And the vendor zero-days — Ubiquiti UniFi’s triple CVSS 10.0, Cisco Unified CM’s SSRF-to-webshell, Splunk’s first KEV, Lantronix, Cordyceps’ 300+ repos, and Gravity SMTP’s leaked OAuth tokens — are the supply line that funds the next login-based breach.
RuntimeAI’s approach: inventory and govern every non-human identity — OAuth grants, API keys, service accounts, AI agents — with KYA and NHI Security; enforce behaviour and least privilege at runtime with Flow Enforcer and Coding Agent Defense; scope and tokenize data access with PII Shield, the Secure LLM Router, and QuantumVault; and prove it all with the immutable Audit Black Box. We built one of the best identity stacks out there — and we still tell every customer it’s the front door, not the whole house. Eleven incidents. One pattern: the breach comes through a valid token, and runtime governance is how you contain it.
Sources
- More cybersecurity firms disclose impact from the Klue hack (HackerOne, Snyk, OneTrust, Jamf, Recorded Future, Tanium, Gong) — SecurityWeek
- LastPass confirms data breach in the Klue supply-chain attack — BleepingComputer
- BeyondTrust & LastPass impacted by the Klue–Salesforce incident — SecurityWeek
- What the latest ShinyHunters breaches reveal about modern cyberattacks — SecurityWeek
- Postinstall payload inside the Mastra npm supply-chain compromise — Microsoft Security Blog
- Stop your legacy infrastructure from hijacking your AI agents — The Hacker News
- Texas Parks & Wildlife data breach affects 3 million individuals — SecurityWeek
- CISA warns of max-severity Ubiquiti UniFi flaws exploited in attacks (CVE-2026-34908/-34909/-34910) — BleepingComputer
- Cisco Unified CM/SME flaw CVE-2026-20230 now exploited in attacks — BleepingComputer
- Splunk Enterprise vulnerability exploited in attacks days after disclosure (CVE-2026-20253) — SecurityWeek
- CISA warns of critical Lantronix EDS5000 command-injection flaw (CVE-2025-67038) — The Hacker News
- “Cordyceps” CI/CD flaws expose 300+ GitHub repositories — The Hacker News
- Hackers exploit info-disclosure bug in the Gravity SMTP WordPress plugin (CVE-2026-4020) — BleepingComputer