WEEKLY TOP TEN: June 29, 2026, 16:00 GMT
- Cordyceps CI/CD Flaws Expose 300+ GitHub Repositories To Supply-Chain Attacks
Researchers at Novee Security flagged a new, critical class of CI/CD workflow weakness, codenamed Cordyceps, that lets attackers hijack automated workflows and compromise open-source supply chains; more than 300 GitHub repositories were identified as affected. The flaw class abuses how continuous integration and deployment pipelines handle untrusted input and permissions, enabling privilege escalation and malicious code injection into builds. For organizations consuming open-source dependencies, the finding reinforces that CI/CD pipelines remain a high-value, frequently overlooked attack surface. Maintainers and downstream users should audit workflow triggers, restrict token scopes, and require provenance verification on published artifacts.

- Tata Electronics Confirms Breach After 630GB Leak Claim
Tata Electronics, an Indian electronics and semiconductor manufacturer that assembles Apple products and supplies Tesla, confirmed a cyberattack after attackers claimed to have stolen 630GB of data. Reuters reported that Tata notified some iPhone-assembly employees of the breach, that Apple is investigating, and that a ransom demand was made to the company. The extortion-focused group WorldLeaks claimed responsibility, threatening public leaks if unpaid. Tata currently accounts for roughly a third of Apple’s iPhone production in India, making the alleged exposure of supplier and design documents a notable supply-chain concern. The company said parts of its IT infrastructure were affected and that it is still investigating the scope.

- Amadey And StealC Malware Operations Disrupted In Operation Endgame
Microsoft, Europol, and international partners disrupted infrastructure behind the Amadey and StealC malware operations as part of Operation Endgame. The action disrupted 326 servers and 142 domains, identified more than €41 million (about $47 million) in cryptocurrency linked to criminal activity, and recovered approximately 27 million credentials stolen from more than 385,000 compromised systems. Microsoft said the two malware families were linked to more than 140,000 infected devices during the first two weeks of May 2026 alone. Amadey provides initial access while StealC harvests credentials and wallets that are later sold to ransomware operators. Organizations should hunt for related activity and rotate credentials after suspected infostealer exposure.

- Klue Supply-Chain Breach Exposes Salesforce Data At Huntress And Other Vendors
A new extortion group called Icarus compromised competitive-intelligence platform Klue through a long-dormant legacy credential, harvested the OAuth tokens that customers used to connect Klue to their CRMs, then queried and exfiltrated Salesforce data from numerous downstream organizations. Icarus listed data for Huntress and several other companies on its leak site on June 22, 2026. Affected firms reportedly include Recorded Future, Tanium, Jamf, Sprout Social, Gong, and Insurity. The stolen records centered on business contacts, sales communications, and pricing data rather than product telemetry or passwords. A second unauthorized party later claimed access to the same dataset, complicating response and raising the risk of further exposure for roughly 200 named companies.

- Cisco Catalyst SD-WAN Zero-Day Exploited For Root Months Before Disclosure
Mandiant detailed how an unknown threat actor exploited CVE-2026-20245 in Cisco Catalyst SD-WAN Manager as a zero-day to escalate from a compromised admin account to root. After gaining initial access via unauthorized peering connections, the attacker uploaded a malicious CSV file to trigger the flaw and gain root-level access, creating a rogue “troot” account on a service provider’s infrastructure. Throughout the intrusion the actor employed anti-forensic techniques, selectively deleting and restoring modified configuration files to frustrate investigators. The activity, beginning in March 2026, chained earlier Cisco SD-WAN authentication-bypass flaws. Organizations running affected versions are urged to upgrade and to hunt for unauthorized peering and root activity.

- Polymarket Customers Lose $3 Million In Frontend Supply-Chain Attack
Prediction-market platform Polymarket disclosed that a compromised third-party vendor injected malicious JavaScript into its website frontend, prompting users to approve fraudulent transactions. Researchers estimated losses of $2.94 million, with the attacker moving stolen funds from Polygon to Ethereum and converting them into roughly 1,893 ETH. Between 11 and 15 user wallets holding pUSD were drained; the platform’s smart contracts functioned as designed, but the web layer was tampered with. Polymarket removed the affected dependency, contacted impacted users, and pledged full refunds. The incident was the platform’s second security failure in five weeks and highlights frontend integrity as an underaddressed DeFi risk.

- Scattered Spider Members Plead Guilty Over Transport For London Hack
Two members of the Scattered Spider cybercrime group pleaded guilty to the 2024 cyberattack on Transport for London. Thalha Jubair, 20, and Owen Flowers, 18, breached the transport authority’s systems between August 31 and September 3, 2024; the attack resulted in roughly £29 million in loss and recovery costs. The pair pleaded guilty under the UK’s Computer Misuse Act and will be sentenced on July 16. The attackers accessed data from TfL’s Oyster refunds system and disrupted customer refunds. Flowers also admitted to conspiring against US healthcare providers SSM Health Care and Sutter Health, and Jubair faces separate US charges.

- FBI And CISA Warn Russian Hackers Now Steal Signal Backup Recovery Keys
The FBI and CISA updated a March advisory warning that a Russian intelligence-linked phishing campaign against Signal users has evolved. The actors now attempt to elicit victims’ Backup Recovery Keys, allowing access to historical messages. Handing over the key lets attackers restore the account’s backup, read private and group message history, and take over the account, with the key remaining usable even after a phone change. The activity is tracked as UNC5792 and UNC4221, tied to the FSB and Russian military services. Targets include current and former government officials, military personnel, political figures, journalists, and key officials in Ukraine. Users are urged to regenerate keys and remove unknown linked devices.

- Texas Parks And Wildlife Breach Affects Over 3 Million License Holders
The Texas Parks and Wildlife Department disclosed a breach affecting more than three million hunting and fishing license customers. On June 18, hackers targeted the computer systems of a third-party vendor that sells licenses for the department. An unauthorized actor infiltrated the vendor’s private network and may have accessed email addresses, phone numbers, home addresses, driver’s license details, and passport numbers. The department is working with security firm Kroll, offering Texas residents a year of free credit monitoring, and tightening access controls and network monitoring. The Texas Cyber Command is investigating. License sales remain available, and affected individuals are advised to consider credit freezes.

- 2026 FIFA World Cup Faces Surge In Cyber Threats
Security researchers warned that the ongoing 2026 FIFA World Cup, running across the United States, Canada, and Mexico, presents a complex and dynamic threat landscape spanning physical security, civil unrest, cyber threats, and geopolitical developments, with a wide range of threat actors targeting participants and attendees. Both financially motivated criminals and nation-state actors seeking espionage opportunities are active as the tournament runs until July 19 with teams from 48 nations. Common threats include phishing, fraud, ticketing scams, and DDoS attacks against venues and supporting infrastructure. FIFA, sponsors, broadcasters, hospitality providers, and travelers connecting to unfamiliar networks across three countries all face elevated risk.
Our Threat Operations and Intelligence team compiles a daily digest of the most recent online cybersecurity risks. The ten stories above were judged the most significant of the week, ranked by highest risk and drawing on multiple sources where available.