Threat Research Center
Real-World Cloud Attack Intelligence
Breach Analysis, Attack Paths & Security Insights
Impact (CRITICAL)
CISA Highlights Critical Vulnerabilities in Lantronix and Ubiquiti Devices
On June 23, 2026, the Cybersecurity and Infrastructure Security Agency (CISA) added four new vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog, indicating active exploitation. These vulnerabilities include CVE-2025-67038 affecting Lantronix EDS5000 devices, and three critical issues in Ubiquiti UniFi OS: CVE-2026-34908 (improper access control), CVE-2026-34909 (path traversal), and CVE-2026-34910 (improper input validation). These vulnerabilities are frequently exploited by malicious actors, posing significant risks to federal enterprises. ([cyberleveling.com](https://cyberleveling.com/blog/unifi-os-cve-2026-34908-34909-34910-critical?utm_source=openai))
The inclusion of these vulnerabilities in the KEV Catalog underscores the ongoing threat posed by unpatched systems. Organizations are urged to prioritize remediation efforts to mitigate potential exploits, especially given the critical nature of these vulnerabilities and their potential impact on network infrastructure.
8 minutes ago
Impact (HIGH)
DoJ Seizes Huione Cloud Account Tied to Cyber Scam Money Laundering
In June 2026, the U.S. Department of Justice seized a cloud computing account utilized by subsidiaries of Cambodia-based Huione Group. This infrastructure supported Huione Guarantee, a Telegram-based marketplace facilitating the laundering of billions in cryptocurrency obtained through investment frauds and cyber scams. The platform offered services such as money laundering, sale of stolen personal data, and tools for fraudulent activities, enabling the conversion of illicit proceeds into the legitimate banking system undetected. This action underscores the escalating global efforts to dismantle sophisticated cybercriminal networks exploiting digital platforms for large-scale financial crimes. The seizure highlights the critical need for robust cybersecurity measures and vigilant monitoring of online marketplaces to prevent the proliferation of such illicit activities.
13 minutes ago
Impact (HIGH)
Critical Cisco Unified CM Vulnerability CVE-2026-20230 Exploited in the Wild
In June 2026, a critical server-side request forgery (SSRF) vulnerability, identified as CVE-2026-20230, was discovered in Cisco Unified Communications Manager (Unified CM) and Unified CM Session Management Edition (SME). This flaw allows unauthenticated remote attackers to send crafted HTTP requests, enabling arbitrary file writes to the underlying operating system and potential privilege escalation to root. The vulnerability specifically affects deployments with the WebDialer service enabled, which is disabled by default. Cisco has assigned a Security Impact Rating of Critical due to the severity of the potential exploit.
The public availability of proof-of-concept exploit code has led to active exploitation of this vulnerability in the wild. Organizations using affected Cisco Unified CM versions are urged to apply the provided patches immediately or disable the WebDialer service to mitigate the risk of unauthorized access and control over their telephony infrastructure.
13 minutes ago
Impact (HIGH)
The Rise of Autonomous AI Cyber Threats in 2026
In early 2026, the cybersecurity landscape experienced a paradigm shift with the emergence of frontier agentic AI models capable of autonomously discovering and exploiting software vulnerabilities at unprecedented speeds. These AI entities can identify, weaponize, and execute attacks before human defenders can respond, rendering traditional defense mechanisms inadequate. The convergence of IT and OT systems further amplifies the risk, as AI-driven breaches can seamlessly transition from digital to physical infrastructures, leading to potential operational disruptions and safety hazards.
This development underscores the urgent need for organizations to reassess their cybersecurity strategies. The rapid evolution of AI-driven threats necessitates the adoption of advanced defense mechanisms that can operate at machine speed, ensuring resilience against these sophisticated adversaries.
38 minutes ago
Impact (HIGH)
OpenClaw AI Supply Chain Attack: A Wake-Up Call for AI Security
In early 2026, the OpenClaw AI agent ecosystem experienced a significant supply chain attack. Malicious actors uploaded over 800 compromised skills to ClawHub, OpenClaw's official skill marketplace, embedding infostealers and enabling agentic financial fraud. This breach exposed more than 135,000 instances, highlighting critical vulnerabilities in AI agent platforms. The incident underscores the urgent need for enhanced security measures in AI supply chains, as attackers increasingly exploit these platforms to distribute malware and conduct sophisticated cyber operations.
43 minutes ago
Impact (HIGH)
Cordyceps Vulnerabilities Threaten Over 300 GitHub Repositories
In June 2026, cybersecurity firm Novee identified a systemic class of vulnerabilities, dubbed 'Cordyceps,' within GitHub Actions workflows. These flaws enable unauthenticated attackers to hijack continuous integration and continuous deployment (CI/CD) pipelines by exploiting insecure configurations in YAML files. The vulnerabilities affect repositories from major organizations, including Microsoft, Google, Apache, Cloudflare, and the Python Software Foundation, potentially compromising software supply chains and exposing sensitive credentials. ([securityweek.com](https://www.securityweek.com/exploitable-ci-cd-vulnerabilities-expose-millions-of-repositories-to-hijacking/?utm_source=openai))
This incident underscores the escalating risks associated with CI/CD pipeline security, especially as AI-driven coding tools proliferate. Organizations must prioritize securing their development workflows to prevent similar supply chain attacks, which are becoming increasingly sophisticated and widespread. ([mallory.ai](https://www.mallory.ai/stories/019ef4cf-b141-7c22-b785-3b7e99e1c73f?utm_source=openai))
43 minutes ago
Impact (HIGH)
U.S. Authorities Dismantle Huione Group's Cybercrime Infrastructure in 2026
In June 2026, the U.S. Department of Justice seized a cloud computing account linked to subsidiaries of the Cambodia-based Huione Group, a conglomerate implicated in extensive cyber scams and money laundering activities. This infrastructure supported Huione Guarantee, a Telegram-based marketplace facilitating the sale of stolen personal data, malware-enabled thefts, and laundering of proceeds from various scams, including romance and investment frauds. The operation disrupted a significant node in the global cybercrime ecosystem, which had laundered over $4 billion in illicit funds between August 2021 and January 2025.
This action underscores the escalating efforts by U.S. authorities to dismantle transnational cybercriminal networks exploiting digital platforms for large-scale fraud. The seizure highlights the critical need for robust cybersecurity measures and international cooperation to combat the evolving landscape of cyber threats targeting individuals and financial systems worldwide.
1 hour ago
Impact (MEDIUM)
Microsoft and Partners Execute Unprecedented Takedown of Amadey and StealC Cybercrime Tools
In June 2026, Microsoft, in collaboration with international law enforcement agencies and industry partners, executed a court-authorized operation to simultaneously disrupt the Amadey botnet and StealC infostealer. These tools, often used in tandem by cybercriminals, were linked to over 140,000 infected computers globally in early May 2026. The operation targeted more than 200 command-and-control servers, significantly hindering the infrastructure supporting these malware families. This coordinated effort marked a strategic shift in cyber defense, emphasizing the importance of disrupting interconnected cybercrime tools to enhance the effectiveness of takedown operations. The success of this operation underscores the necessity for collaborative approaches in combating sophisticated cyber threats that exploit modular, pay-as-you-go models to escalate attacks rapidly.
1 hour ago
Impact (MEDIUM)
LastPass Data Breach via Klue Supply Chain Attack in 2026
In June 2026, LastPass experienced a data breach resulting from a supply chain attack on Klue, a third-party market intelligence platform integrated with LastPass's Salesforce environment. Attackers exploited compromised OAuth tokens obtained from Klue to access LastPass customer data, including names, phone numbers, email addresses, physical addresses, support case information, and sales-related data. Importantly, LastPass's core products, services, and customer vaults remained unaffected. ([blog.lastpass.com](https://blog.lastpass.com/posts/klue-supply-chain-incident-and-lastpass-response?utm_source=openai))
This incident underscores the escalating risks associated with third-party integrations and supply chain vulnerabilities. Organizations must reassess their security postures, particularly concerning external partnerships, to mitigate potential threats arising from interconnected systems.
16 hours ago
Impact (HIGH)
AI-Driven Acceleration in Vulnerability Exploitation Demands Immediate Action
In June 2026, a report highlighted the dramatic acceleration in the exploitation of software vulnerabilities due to AI advancements. The Zero Day Clock indicated that the average time from vulnerability disclosure to exploitation had decreased from 53 days in 2024 to just 8 hours in 2026. This rapid reduction challenges traditional vulnerability management practices, which relied on longer remediation windows. Organizations now face increased risks as attackers can exploit vulnerabilities almost immediately after disclosure, outpacing conventional patching and mitigation efforts.
This development underscores the urgent need for organizations to adopt proactive security measures, such as continuous threat exposure management and automated security validation, to effectively address the evolving threat landscape.
16 hours ago
Impact (HIGH)
Scattered Spider's 2024 Cyberattack on Transport for London: A Case Study
In late August 2024, the cybercriminal group Scattered Spider infiltrated Transport for London's (TfL) systems, compromising the Oyster refunds system and causing significant operational disruptions. The attack led to the theft of customer data and forced all 28,000 TfL employees to reset their passwords, resulting in financial damages estimated at £29 million ($38.3 million).
This incident underscores the escalating threat posed by cybercriminal groups targeting critical infrastructure. Organizations must enhance their cybersecurity measures to prevent similar breaches and mitigate potential operational and financial impacts.
16 hours ago
Impact (MEDIUM)
New macOS ClickFix Attack Silently Mounts DMGs to Deploy Infostealer
In June 2026, a new macOS ClickFix campaign emerged, utilizing Terminal commands to silently download, mount, and execute info-stealing malware from malicious disk image (DMG) files. This attack infects Mac devices with the Atomic macOS Stealer (AMOS), which exfiltrates browser credentials, cryptocurrency wallet data, Keychain information, messaging app data, and user documents. The campaign begins with a fake CAPTCHA page instructing users to open Terminal and paste a malicious command, leading to the automatic execution of the malware. This method represents an evolution in ClickFix attacks, combining social engineering with automated malware deployment to enhance stealth and effectiveness.
The significance of this incident lies in the increasing sophistication of social engineering attacks targeting macOS users. By leveraging trusted system utilities and deceptive prompts, attackers can bypass traditional security measures and user vigilance. This trend underscores the need for enhanced user education, robust endpoint protection, and continuous monitoring to detect and mitigate such evolving threats.
16 hours ago