Cyber Threat Brief — June 17 2026
1. Mastra npm Supply Chain — 144 Packages Backdoored via easy-day-js
TL;DR: An attacker hijacked the @mastra npm account and injected the easy-day-js typosquat dependency into 144 packages (1.1M+ weekly downloads) on June 16-17. The dropper exfiltrates API keys and deploys a crypto-stealing RAT.
What’s New:
- Account “ehindero” mass-published 141+ malicious versions within a narrow window on June 17
- `easy-day-js` contains an obfuscated postinstall dropper that downloads the second-stage payload and then self-deletes
- Second stage is a RAT using an ICAP-style tasking protocol over HTTPS POST with custom parameters (reqmod, PrimaryUrl, SecondaryUrl, sub_net_resolve)
- Targets AI provider API keys — critical for orgs using Mastra AI framework
- If any @mastra/* package was installed since June 16, treat the machine as compromised
Actionable Intel
| Artifact | Type | ATT&CK | Log Source | Action |
|---|---|---|---|---|
| 23[.]254[.]164[.]92 | C2 IP | T1071.001 | Firewall/proxy | Block at firewall and HTTPS proxy |
| 23[.]254[.]164[.]123 | C2 IP | T1071.001 | Firewall/proxy | Block at firewall and HTTPS proxy |
| hxxps://23[.]254[.]164[.]92:8000/update/49890878 | C2 URL | T1105 | Proxy logs | Hunt for connections to this endpoint |
| easy-day-js npm package | Supply chain | T1195.002 | Package manager logs | Audit node_modules for this dependency |
| @mastra/* packages (June 16+ versions) | Supply chain | T1195.002 | CI/CD logs | Pin to pre-June 16 versions; audit lockfiles |
| ICAP-style POST parameters (reqmod, PrimaryUrl) | C2 protocol | T1071.001 | NDR/proxy | Alert on unusual HTTPS POST bodies with these keywords |
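The lockfile audit called for in the two supply-chain rows above, as an added example that is not code from any of the cited vendors: it walks the `packages` map of an npm lockfileVersion 2/3 file, reports every install of easy-day-js (nested copies included), every package that declares it as a dependency, and every @mastra/* package so its version can be checked against the pre-June 16 baseline. The sample lockfile is constructed; the version numbers in it are invented for illustration and are not the malicious versions.

```python
"""Audit an npm lockfile (lockfileVersion 2/3) for easy-day-js and @mastra/* packages.

Added example for this brief. Reads the 'packages' map that npm >= 7 writes,
so nested installs (node_modules/a/node_modules/easy-day-js) are covered.
"""
import json

SUSPECT = "easy-day-js"      # typosquat dependency named in the brief
SCOPE = "@mastra/"           # every package in this scope needs a version review

# Constructed sample lockfile. The version numbers are invented for
# illustration; they are NOT the malicious versions published on June 16-17.
SAMPLE_LOCK = json.dumps({
    "name": "demo-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "dependencies": {"@mastra/core": "^0.0.1"}},
        "node_modules/@mastra/core": {
            "version": "0.0.1",
            "resolved": "https://registry.npmjs.org/@mastra/core/-/core-0.0.1.tgz",
            "dependencies": {"easy-day-js": "^0.0.1", "zod": "^3.23.0"},
        },
        "node_modules/easy-day-js": {
            "version": "0.0.1",
            "resolved": "https://registry.npmjs.org/easy-day-js/-/easy-day-js-0.0.1.tgz",
            "hasInstallScript": True,   # npm sets this when install/postinstall scripts exist
        },
        "node_modules/zod": {"version": "3.23.8"},
    },
})


def package_name(lock_path):
    """'node_modules/@mastra/core/node_modules/easy-day-js' -> 'easy-day-js'."""
    marker = "node_modules/"
    idx = lock_path.rfind(marker)
    return lock_path[idx + len(marker):] if idx != -1 else lock_path


def audit_lockfile(lock_text):
    """Return the suspect installs, the packages that import it, and the
    @mastra/* packages present, as plain dicts suitable for a ticket."""
    lock = json.loads(lock_text)
    packages = lock.get("packages")
    if packages is None:
        raise ValueError("lockfileVersion 1 has no 'packages' map; regenerate with npm >= 7")

    report = {"suspect_installs": [], "importers": [], "scoped_packages": []}
    for lock_path, meta in packages.items():
        if lock_path == "":          # the root project entry
            continue
        name = package_name(lock_path)
        deps = {}
        for key in ("dependencies", "optionalDependencies", "peerDependencies"):
            deps.update(meta.get(key, {}))
        if name == SUSPECT:
            report["suspect_installs"].append({
                "path": lock_path,
                "version": meta.get("version"),
                "install_script": bool(meta.get("hasInstallScript")),
            })
        if SUSPECT in deps:
            report["importers"].append({"package": name, "path": lock_path, "range": deps[SUSPECT]})
        if name.startswith(SCOPE):
            report["scoped_packages"].append({"package": name, "version": meta.get("version")})
    return report


def is_compromised(report):
    """Per the brief, any install of easy-day-js means the host is treated as compromised."""
    return bool(report["suspect_installs"])


if __name__ == "__main__":
    result = audit_lockfile(SAMPLE_LOCK)
    print(json.dumps(result, indent=2))
    print("COMPROMISED" if is_compromised(result) else "clean")
```

Run it against each `package-lock.json` in CI history, not just the current one: a lockfile regenerated after June 17 may already have dropped the dependency while the build agents that installed it are still compromised.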
Detection
| Source | Rule | Gap |
|---|---|---|
| Splunk ESCU | None | Need rule for npm postinstall script spawning network connections |
| Elastic | None | Need rule for node.js child process making outbound connections to non-registry IPs |
| Sigma | None | Need proc_creation rule for npm/node postinstall → curl/wget/fetch to non-npmjs domains |
Sources: The Hacker News · Socket.dev · StepSecurity · SafeDep
2. FortiSandbox Triple-CVE Active Exploitation — CVE-2026-39813, CVE-2026-39808, CVE-2026-25089
TL;DR: Defused Cyber confirmed active exploitation of three FortiSandbox vulnerabilities within the last 24 hours. CVE-2026-39813 (auth bypass) and CVE-2026-39808 (root RCE) are trivially weaponizable — no auth, no user interaction. First observed ITW exploitation of CVE-2026-39813.
What’s New:
- CVE-2026-39813: path traversal in the JRPC API bypasses auth via `session: "../../tmp/"`; leaks config backups, serial numbers, version info
- CVE-2026-39808: OS command injection via the `jid` GET parameter → root RCE with a single curl; public PoC since April 2026
- CVE-2026-25089: OS command injection in the web UI; exploit assessed as “vibecoded” (likely AI-generated), potentially faulty
- Patches available since April 2026 — this is exploitation of unpatched instances
- FortiSandbox is upstream of other Fortinet products for threat verdicts; compromise impacts blocking decisions fleet-wide
Actionable Intel
| Artifact | Type | ATT&CK | Log Source | Action |
|---|---|---|---|---|
| JRPC API path traversal ../../tmp/ in session param | Exploit signature | T1190 | WAF/reverse proxy | Block traversal sequences in FortiSandbox JRPC requests |
| jid GET parameter with pipe-chained commands | Exploit signature | T1190 | WAF/web logs | Alert on shell metacharacters in jid parameter |
| FortiSandbox management interface (TCP/443) | Attack surface | T1190 | Firewall | Restrict management to internal/VPN only |
| FortiSandbox versions 5.0.0–5.0.5, 4.4.0–4.4.8 | Vulnerable | T1190 | Asset inventory | Patch to 5.0.6+/4.4.9+ immediately |
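A request-level check for the two exploit signatures in the table above, as an added example that is not Fortinet's or Defused Cyber's code: it decodes the query string (including double percent-encoding), flags a `jid` value carrying shell metacharacters and a `session` value carrying a traversal sequence, and also looks for `session` inside a JSON-RPC body, since the brief places the traversal in the JRPC API. The request paths and bodies below are constructed placeholders; the brief does not name the real FortiSandbox endpoint paths and none are assumed here.

```python
"""Flag the two FortiSandbox exploit signatures from the brief in raw HTTP
requests: shell metacharacters in the `jid` GET parameter (CVE-2026-39808
pattern) and traversal in a `session` value (CVE-2026-39813 pattern).

Added example for this brief. Endpoint paths below are placeholders; the
brief does not name them.
"""
import json
import re
from urllib.parse import parse_qs, unquote, urlsplit

# '..' bounded by a path separator or string edge, after decoding
TRAVERSAL = re.compile(r"(?:^|[\\/])\.\.(?:[\\/]|$)")
# characters that let a value escape a shell command (pipe chaining included)
SHELL_META = re.compile(r"[;|&`$\n\r]")


def fully_decode(value, rounds=3):
    """Strip up to `rounds` layers of percent-encoding so %252e%252e%252f
    (double-encoded ../) is seen as the traversal it is."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def _session_values(doc):
    """Collect `session` strings from a JSON-RPC style body: top level,
    inside a params object, or inside a list of param objects."""
    out = []
    if not isinstance(doc, dict):
        return out
    if isinstance(doc.get("session"), str):
        out.append(doc["session"])
    params = doc.get("params")
    if isinstance(params, dict) and isinstance(params.get("session"), str):
        out.append(params["session"])
    elif isinstance(params, list):
        out.extend(p["session"] for p in params
                   if isinstance(p, dict) and isinstance(p.get("session"), str))
    return out


def inspect_request(method, target, body=None):
    """Return [(parameter, reason)] for one request; empty list means no hit."""
    hits = []
    query = parse_qs(urlsplit(target).query, keep_blank_values=True)
    for raw in query.get("jid", []):
        val = fully_decode(raw)
        if SHELL_META.search(val):
            hits.append(("jid", "shell metacharacters in jid: %r" % val))
    session_values = [fully_decode(v) for v in query.get("session", [])]
    if body and method.upper() == "POST":
        try:
            session_values += [fully_decode(v) for v in _session_values(json.loads(body))]
        except ValueError:
            pass                      # not JSON; nothing more to inspect here
    for val in session_values:
        if TRAVERSAL.search(val):
            hits.append(("session", "path traversal in session: %r" % val))
    return hits


# Constructed requests; paths are placeholders, not real FortiSandbox routes.
SAMPLE_REQUESTS = [
    ("GET", "/api/sample?jid=1234", None),
    ("GET", "/api/sample?jid=1234|id", None),
    ("GET", "/api/sample?jid=1234%257Ccurl%2520attacker", None),
    ("POST", "/jsonrpc", json.dumps({"method": "get", "session": "../../tmp/"})),
    ("POST", "/jsonrpc", json.dumps({"method": "get", "params": {"session": "abc123"}})),
]


def scan(requests):
    """Map request index -> hits, for every request that triggered."""
    out = {}
    for i, (method, target, body) in enumerate(requests):
        hits = inspect_request(method, target, body)
        if hits:
            out[i] = hits
    return out


if __name__ == "__main__":
    for idx, hits in scan(SAMPLE_REQUESTS).items():
        print(idx, SAMPLE_REQUESTS[idx][1], hits)
```

Both checks run on the decoded value, which is the point: a WAF rule that matches the literal `../` in the raw request line misses `%2e%2e%2f`, and a rule on the raw `|` misses `%7C`. Treat a hit as a reason to pull the appliance's own logs, not as a confirmed compromise; the third CVE's exploit is described as potentially faulty, so failed attempts will show up too.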
Detection
| Source | Rule | Gap |
|---|---|---|
| Splunk ESCU | None | Need FortiSandbox-specific web exploit detection for JRPC API abuse |
| Elastic | None | No FortiSandbox-specific rules |
| Sigma | None | Need web_cve rule for FortiSandbox path traversal and command injection patterns |
Sources: Help Net Security · The Hacker News · BleepingComputer · Defused Cyber
3. APT37 NarwhalRAT — MS-Themed Phishing with Dead-Drop C2
TL;DR: North Korean APT37 (ScarCruft) is deploying NarwhalRAT via spear-phishing emails impersonating Microsoft Account security alerts. The Python-based RAT supports 30+ commands including keylogging, screen capture, mic recording, and USB collection, with dual C2 via compromised Korean websites and pCloud.
What’s New:
- Genians published full analysis June 16 with complete IOC set
- Infection chain: ZIP → LNK → CMD env-var obfuscation → PowerShell → curl.exe (LOLBin) → Python embedded package → .pyc payload disguised as .cat file
- Fileless execution: Python ctypes VirtualAlloc (RWX) → RtlMoveMemory → CFUNCTYPE in-memory PE load
- Persistence: scheduled task “MicrosoftUserInterfacePicturesUpdateTackMachine” running every 1 minute
- Working dir `%APPDATA%\naverwhale` (mimics Naver Whale browser); KakaoTalk window filtering confirms Korean targeting
- AES-128 encrypted config file stored as a randomly named `.ent` file in `%LOCALAPPDATA%\Microsoft\Internet Explorer\`
Actionable Intel
| Artifact | Type | ATT&CK | Log Source | Action |
|---|---|---|---|---|
| 3715092aa00f380cefe8b4d2eddb7d08 | MD5 hash | T1204.002 | EDR | Block/alert |
| 7cef19f9c4480adac0cd4702ff98f46c | MD5 hash | T1204.002 | EDR | Block/alert |
| 7eb9cee1f696727752169f25cf79a338 | MD5 hash | T1059.006 | EDR | Block/alert |
| b6b0602310bb2d4360c52685119aac1b | MD5 hash | T1059.006 | EDR | Block/alert |
| daehoat[.]com | C2 domain | T1071.001 | DNS/proxy | Block |
| novel21.co[.]kr | C2 domain | T1071.001 | DNS/proxy | Block |
| webhostingkorea[.]com | C2 relay | T1071.001 | DNS/proxy | Block |
| crwellfood[.]com | C2 domain | T1071.001 | DNS/proxy | Block |
| fe01.co[.]kr | C2 relay | T1071.001 | DNS/proxy | Block |
| 121.254.222[.]10 | C2 IP | T1071.001 | Firewall | Block |
| 121.254.222[.]80 | C2 IP | T1071.001 | Firewall | Block |
| 211.239.157[.]126 | C2 IP | T1071.001 | Firewall | Block |
| 218.150.78[.]198 | C2 IP | T1071.001 | Firewall | Block |
| 218.150.78[.]231 | C2 IP | T1071.001 | Firewall | Block |
| 61.100.9[.]206 | C2 IP | T1071.001 | Firewall | Block |
| userscreen.exe (renamed Pythonw.exe) | Process name | T1036.005 | EDR/Sysmon | Hunt for renamed pythonw.exe executing .cat files |
| Sched task MicrosoftUserInterfacePicturesUpdateTackMachine | Persistence | T1053.005 | Windows Event Log (4698) | Hunt for this exact task name |
| %APPDATA%\naverwhale (Hidden+System) | Working dir | T1564.001 | EDR/filesystem | Hunt for this folder |
| pCloud API calls (folderid, auth params) | Dead-drop C2 | T1102.001 | Proxy/NDR | Alert on process-to-pcloud traffic from non-browser processes |
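A host-side hunt for the three NarwhalRAT artifacts in the table above (the scheduled task name, the naverwhale working directory, and pythonw.exe running under another name with a .cat argument), as an added example that is not Genians' tooling. The events are constructed dicts carrying the Sysmon Event ID 1 fields (Image, OriginalFileName, CommandLine, CurrentDirectory) and the Security 4698 TaskName field; the user name and paths in them are invented.

```python
"""Hunt Windows events for the NarwhalRAT host artifacts in the brief.

Added example. Events are constructed dicts in the shape of Sysmon EID 1
(ProcessCreate) and Security EID 4698 (scheduled task created) fields.
"""
import ntpath

TASK_NAME = "MicrosoftUserInterfacePicturesUpdateTackMachine"
# %APPDATA% expands to <profile>\AppData\Roaming, so match the expanded path
WORK_DIR = r"\appdata\roaming\naverwhale"


def is_renamed_pythonw(event):
    """Sysmon records the PE's OriginalFileName; a mismatch with the on-disk
    name is the masquerading (T1036.005) the brief describes."""
    image = ntpath.basename(event.get("Image", "")).lower()
    original = event.get("OriginalFileName", "").lower()
    return original == "pythonw.exe" and image != "pythonw.exe"


def runs_cat_payload(event):
    """Compiled .pyc payload disguised as a .cat file passed on the command line."""
    return ".cat" in event.get("CommandLine", "").lower()


def in_work_dir(event):
    return any(WORK_DIR in event.get(f, "").lower()
               for f in ("Image", "CurrentDirectory", "CommandLine"))


def task_matches(event):
    # 4698 reports TaskName with a leading backslash, e.g. \MyTask
    return event.get("TaskName", "").lstrip("\\").lower() == TASK_NAME.lower()


def hunt(events):
    """Return [(event_index, [reasons])] for events matching any indicator."""
    results = []
    for i, ev in enumerate(events):
        reasons = []
        if ev.get("EventID") == 4698 and task_matches(ev):
            reasons.append("NarwhalRAT persistence task name")
        if ev.get("EventID") == 1:
            if is_renamed_pythonw(ev):
                reasons.append("pythonw.exe running under another file name")
                if runs_cat_payload(ev):
                    reasons.append("renamed pythonw.exe executing a .cat payload")
            if in_work_dir(ev):
                reasons.append("activity under %APPDATA%\\naverwhale")
        if reasons:
            results.append((i, reasons))
    return results


# Constructed events; the user name and paths are invented.
SAMPLE_EVENTS = [
    {"EventID": 1,
     "Image": r"C:\Program Files\Python312\pythonw.exe",
     "OriginalFileName": "pythonw.exe",
     "CommandLine": r'"C:\Program Files\Python312\pythonw.exe" build.py',
     "CurrentDirectory": r"C:\Users\alice\proj"},
    {"EventID": 1,
     "Image": r"C:\Users\alice\AppData\Roaming\naverwhale\userscreen.exe",
     "OriginalFileName": "pythonw.exe",
     "CommandLine": r'"C:\Users\alice\AppData\Roaming\naverwhale\userscreen.exe" update.cat',
     "CurrentDirectory": r"C:\Users\alice\AppData\Roaming\naverwhale"},
    {"EventID": 4698, "TaskName": "\\" + TASK_NAME, "SubjectUserName": "alice"},
    {"EventID": 4698, "TaskName": r"\Microsoft\Windows\UpdateOrchestrator\Schedule Scan"},
]

if __name__ == "__main__":
    for idx, reasons in hunt(SAMPLE_EVENTS):
        print(idx, reasons)
```

The OriginalFileName comparison is the durable part: the task name and folder are trivially changed in the next build, while dropping a legitimately signed pythonw.exe under a new name leaves the PE version resource intact. Legitimate Python installs trip none of these checks because the file is still called pythonw.exe.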
Detection
| Source | Rule | Gap |
|---|---|---|
| Splunk ESCU | Scheduled Task Created (generic) | Need rule for Pythonw.exe/.cat execution pattern and env-var obfuscated BAT scripts |
| Elastic | Suspicious LNK File Creation (generic) | Need rule for Python ctypes RWX memory allocation from non-IDE processes |
| Sigma | proc_creation_win_schtasks_creation.yml (generic) | Need rule for pCloud API abuse from non-browser processes; LNK→CMD→BAT env-var substitution chain |
Sources: Genians · The Hacker News · GBHackers
4. SprySOCKS Windows Variants — Kernel-Level Stealth by FishMonger/I-SOON
TL;DR: ESET disclosed two previously undocumented Windows variants (WIN_DRV and WIN_PLUS) of the SprySOCKS backdoor, previously Linux-only. WIN_DRV uses kernel drivers for rootkit-like process hiding. Attributed to China-linked FishMonger (I-SOON contractor) targeting government organizations.
What’s New:
- ESET published June 16; telemetry shows activity in 2023-2024 against government organizations in Honduras, Taiwan, Thailand, and Pakistan
- WIN_DRV loads an encrypted kernel driver `fsdiskbit.sys` (DriverLoader), which loads a second driver, RawWNPF, directly into memory
- RawWNPF hides processes via IOCTLs 0x220358, 0x22035C, 0x220354, 0x220350
- Both variants support 30+ C2 commands over TCP, UDP, and WebSocket
- Driver signed with leaked certificate from PastDSE GitHub project
- WIN_PLUS is barebones backdoor without kernel driver component
Actionable Intel
| Artifact | Type | ATT&CK | Log Source | Action |
|---|---|---|---|---|
| fsdiskbit.sys driver name | Rootkit loader | T1014 | Sysmon (EID 6 driver load) | Alert on this driver name loading |
| RawWNPF in-memory driver | Rootkit | T1014 | Kernel telemetry/EDR | Hunt for unknown kernel drivers hiding processes |
| IOCTLs 0x220358/0x22035C/0x220354/0x220350 | Process hiding | T1014 | EDR/kernel hooks | Monitor for these IOCTL codes |
| PastDSE leaked certificate | Code signing | T1553.002 | Certificate logs | Alert on binaries signed with known-leaked certs |
| TCP/UDP/WebSocket C2 channels | Multi-protocol C2 | T1071 | NDR/firewall | Correlate unusual WebSocket + raw TCP from same host |
| WIN_DRV / WIN_PLUS internal version strings | Malware ID | T1059 | EDR memory scans | YARA scan for these strings |
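Two pieces of the hunt in the table above, as an added example that is not ESET's tooling. First, the four IOCTL codes decoded with the Windows CTL_CODE layout: they turn out to be a contiguous function range (0xD4 to 0xD7) on FILE_DEVICE_UNKNOWN with METHOD_BUFFERED and FILE_ANY_ACCESS, which is what a kernel-side filter or ETW consumer would key on rather than four literal constants. Second, a scan of Sysmon Event ID 6 driver-load records for the fsdiskbit.sys name and for a signer on a leaked-certificate list. The signer string is a placeholder (the brief does not give the PastDSE certificate subject), and the events are constructed.

```python
"""Decode the RawWNPF process-hiding IOCTL codes from the brief and hunt
Sysmon EID 6 (DriverLoad) events for the WIN_DRV loader.

Added example, not ESET's tooling. The leaked-certificate subject string is
a placeholder; take the real Signature value from your own EID 6 telemetry.
"""
import ntpath

# Windows CTL_CODE layout: DeviceType << 16 | Access << 14 | Function << 2 | Method
METHODS = {0: "METHOD_BUFFERED", 1: "METHOD_IN_DIRECT",
           2: "METHOD_OUT_DIRECT", 3: "METHOD_NEITHER"}
ACCESS = {0: "FILE_ANY_ACCESS", 1: "FILE_READ_ACCESS",
          2: "FILE_WRITE_ACCESS", 3: "FILE_READ_ACCESS|FILE_WRITE_ACCESS"}
DEVICE_TYPES = {0x22: "FILE_DEVICE_UNKNOWN"}   # third-party drivers usually pick this

RAWWNPF_IOCTLS = (0x220358, 0x22035C, 0x220354, 0x220350)   # from the brief


def decode_ioctl(code):
    """Split a control code into its CTL_CODE fields."""
    device_type = (code >> 16) & 0xFFFF
    return {
        "device_type": device_type,
        "device_name": DEVICE_TYPES.get(device_type, "0x%X" % device_type),
        "access": ACCESS[(code >> 14) & 0x3],
        "function": (code >> 2) & 0xFFF,
        "method": METHODS[code & 0x3],
    }


def ioctl_summary(codes):
    """Show that the codes share one device type and method and form one
    contiguous function range, which is what a kernel-side filter keys on."""
    decoded = [decode_ioctl(c) for c in codes]
    functions = sorted(d["function"] for d in decoded)
    return {
        "device_types": sorted({d["device_name"] for d in decoded}),
        "methods": sorted({d["method"] for d in decoded}),
        "function_range": (functions[0], functions[-1]),
    }


LOADER_NAME = "fsdiskbit.sys"
# Placeholder for the leaked PastDSE signer; NOT a real subject from the report.
LEAKED_SIGNERS = {"EXAMPLE LEAKED SIGNER CO., LTD."}


def check_driver_load(event):
    """Reasons an EID 6 event matches the WIN_DRV indicators; [] if none."""
    reasons = []
    if ntpath.basename(event.get("ImageLoaded", "")).lower() == LOADER_NAME:
        reasons.append("driver file name matches WIN_DRV loader fsdiskbit.sys")
    if event.get("Signature", "").upper() in LEAKED_SIGNERS:
        reasons.append("signed with a known-leaked certificate")
    return reasons


def hunt_driver_loads(events):
    return [(i, check_driver_load(e)) for i, e in enumerate(events)
            if e.get("EventID") == 6 and check_driver_load(e)]


# Constructed Sysmon EID 6 events.
SAMPLE_DRIVER_LOADS = [
    {"EventID": 6, "ImageLoaded": r"C:\Windows\System32\drivers\ndis.sys",
     "Signed": "true", "Signature": "Microsoft Windows", "SignatureStatus": "Valid"},
    {"EventID": 6, "ImageLoaded": r"C:\Windows\Temp\fsdiskbit.sys",
     "Signed": "true", "Signature": "Example Leaked Signer Co., Ltd.", "SignatureStatus": "Valid"},
    {"EventID": 6, "ImageLoaded": r"C:\Windows\System32\drivers\FSDISKBIT.SYS",
     "Signed": "false", "Signature": "", "SignatureStatus": "Unavailable"},
]

if __name__ == "__main__":
    for code in RAWWNPF_IOCTLS:
        print(hex(code), decode_ioctl(code))
    print(ioctl_summary(RAWWNPF_IOCTLS))
    print(hunt_driver_loads(SAMPLE_DRIVER_LOADS))
```

The second driver, RawWNPF, never touches disk, so EID 6 only ever sees the loader; that is why the name check and the signer check both sit on fsdiskbit.sys. A leaked certificate shows SignatureStatus "Valid" in Sysmon, so the signer allowlist, not the validity flag, is what catches it.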
Detection
| Source | Rule | Gap |
|---|---|---|
| Splunk ESCU | None | Need rule for unsigned/leaked-cert kernel driver loads and IOCTL-based process hiding |
| Elastic | Suspicious Kernel Driver Installation (generic) | Need rule for fsdiskbit.sys or PastDSE cert-signed drivers specifically |
| Sigma | driver_load_win_vuln_drivers.yml (partial) | Add fsdiskbit.sys to vulnerable driver blocklist; need IOCTL process-hide detection |
Sources: WeLiveSecurity (ESET) · The Hacker News · Dark Reading · BleepingComputer
Status Updates
- CVE-2026-39808 (FortiSandbox): Now actively exploited ITW as part of triple-CVE chain (see item 2 above). Original brief.
- CVE-2026-48907 (Joomla JCE): Added to CISA KEV June 16 — improper access control in Widget Factory Joomla Content Editor, active exploitation confirmed.
- CVE-2026-54420 (LiteSpeed cPanel Plugin): Added to CISA KEV June 15 — CVSS 8.5 privilege escalation, federal deadline June 18 (tomorrow).