Mastra npm attack attributed to North Korean Sapphire Sleet via social engineering of a current active employee  ·  Squidbleed: a 29-year-old Squid Proxy bug leaks cleartext HTTP credentials to anyone on the same network  ·  FortiBleed sniffer has captured over 110 million credentials since February  ·  CYBERSIP.NET  ·  ISSUE 70
CYBERSIP™
Daily Cyber Brief  ·  Intelligence Without the Noise
Issue No. 70  ·  June 23, 2026  ·  3 active items  ·  Under 5 min read
Today’s picture
New detail published today on the Mastra npm supply chain attack changes the story materially. The ehindero account was not a dormant former contributor as initially reported. Mastra confirmed that ehindero is a current, active employee whose machine was compromised through a social engineering attack: a threat actor using a hijacked LinkedIn account contacted him, he joined a call, and he clicked a malicious link. Microsoft attributed the attack with high confidence on June 19 to the North Korean state actor Sapphire Sleet, also known as BlueNoroff, the same group behind a near-identical attack on the Axios npm package in April. A 29-year-old bug in the Squid web proxy, named Squidbleed and tracked as CVE-2026-47729, was discovered this week with AI assistance and leaks other users’ cleartext HTTP credentials to anyone on the same shared proxy network. The fix ships in Squid 7.7, which has not yet been released. The FortiBleed credential harvesting operation has captured over 110 million credentials since February, according to new reporting from SecurityWeek published today.
Threat snapshot
3 active items · 2 monitoring
Mastra / Sapphire Sleet / DPRK / LinkedIn social engineering
Squidbleed CVE-2026-47729 / 29-year-old bug / no fix yet
FortiBleed / 110 million credentials / updated figure
3 items this issue
Today · Sapphire Sleet / DPRK · npm Supply Chain
Mastra npm attack attributed to North Korean Sapphire Sleet. New detail: ehindero is a current active Mastra employee who was social-engineered via a hijacked LinkedIn account, not a dormant former contributor. A PowerShell backdoor survived package removal and reboots.
The group is also behind a near-identical attack on the Axios npm package in April 2026. After the initial credential theft payload ran, Sapphire Sleet deployed a separate PowerShell backdoor that installed itself as a persistent service called scdev under svchost.exe with SYSTEM privileges and automatic startup at boot. Removing the malicious package alone did not remove the backdoor. Any machine that ran npm install during the June 17 window should be treated as fully compromised, not merely cleaned.
June 19–23 · Squidbleed · Fix in 7.7, Not Yet Released
Squidbleed CVE-2026-47729: a 29-year-old bug in Squid Proxy leaks other users’ cleartext HTTP requests, including credentials and session tokens, to anyone on the same shared proxy network. Affects every version. Fix ships in 7.7.
The bug lives in Squid’s FTP parsing code from 1997 and was discovered by AI-assisted research from Calif.io. The practical mitigation available today is to disable FTP support in Squid’s configuration, which removes the attack surface immediately without needing the 7.7 release. Only cleartext HTTP and TLS-terminating proxy setups are affected. Standard HTTPS is not exposed.
Updated Today · FortiBleed
FortiBleed updated figure: the custom sniffer has captured over 110 million credentials since at least February 2026, using compromised FortiGate devices as listening posts on live VPN traffic.
Yesterday’s brief placed the figure at approximately 86,644 verified device credentials. Today’s SecurityWeek figure of 110 million reflects the total credentials captured through the VPN traffic interception mechanism, not just verified device logins. Both figures describe the same operation. Patch, rotate credentials, audit for unauthorized accounts.
Detailed intelligence
Full analysis
01 Sapphire Sleet npm Supply Chain
Mastra npm supply chain attack attributed to North Korean Sapphire Sleet. The entry point was a LinkedIn social engineering attack on a current active employee. A persistent backdoor survived package removal.
Sapphire Sleet · Microsoft · June 19
Mastra confirmed today that the compromised ehindero account belongs to a current, active employee who was targeted on LinkedIn by a threat actor using a hijacked account, joined a call, and clicked a malicious link that compromised his machine. Microsoft attributed the attack to Sapphire Sleet on June 19 with high confidence, noting the same group conducted a near-identical attack on the Axios npm package in April 2026.
Executive Impact
Any developer workstation or CI/CD pipeline that ran npm install or npm update against a Mastra package on June 17, 2026 should be treated as fully compromised. The malicious payload executed at install time, and on systems where it established command-and-control communication, Sapphire Sleet deployed a persistent backdoor that survived package removal and reboots. Rotating credentials is insufficient on affected machines. The machine itself should be reimaged, and credentials that were present during the exposure window should be rotated from a separate, clean device. Block C2 IP addresses 23.254.164[.]92 and 23.254.164[.]123 at the network perimeter.
Don’t Miss
Sapphire Sleet conducted a near-identical attack on the Axios npm package in April 2026. The playbook is consistent: identify a maintainer account, compromise it through social engineering, publish a clean decoy dependency to establish history, then weaponize it and distribute it by pushing new versions of packages that depend on it. The April Axios attack and the June Mastra attack are not isolated incidents. They are a documented pattern against the npm AI and JavaScript developer ecosystem by a North Korean state actor whose primary motivation is cryptocurrency theft. Mastra sits at the intersection of AI development and cloud infrastructure, making it a particularly high-value target because packages in its ecosystem are routinely installed in environments holding LLM API keys, cloud provider credentials, and cryptocurrency wallet access. Phoenix Security documented 60 supply chain campaigns across June 2024 to June 2026 in which zero CVEs were assigned during active exploitation. Traditional vulnerability scanners had no surface against which to alert for the Mastra attack.
CyberSip Take
This is no longer a dormant credential story. North Korea social-engineered an active employee at a major AI developer tooling project via LinkedIn, compromised his machine, and used his publishing rights to distribute malware to millions of developers. The persistent backdoor detail is significant: removing the package was not remediation for affected machines. For organizations whose developers ran npm install against Mastra on June 17, the right response is reimaging the affected machine, not rotating credentials from it.
What happened

Mastra confirmed today that the ehindero npm account, which was used to distribute malicious packages across the Mastra ecosystem on June 17, belongs to a current active Mastra employee rather than a dormant former contributor as initially reported. The employee was targeted by a threat actor using a hijacked LinkedIn account, was contacted for what appeared to be a professional conversation, joined a call, and clicked a malicious link that compromised his machine and gave the attackers access to his npm publishing credentials.

Microsoft attributed the attack on June 19 with high confidence to Sapphire Sleet, a North Korean state-sponsored threat actor also tracked as BlueNoroff, APT38, and Stardust Chollima. Microsoft noted the same group conducted a near-identical attack on the Axios npm HTTP client in April 2026, confirming a sustained campaign against the npm developer ecosystem. The malware deployed through the Mastra attack targeted 166 cryptocurrency wallet browser extensions and harvested LLM API keys, cloud provider credentials, and general login credentials from affected developer machines.

On systems where the initial payload established command-and-control communication, Sapphire Sleet deployed a separate PowerShell backdoor from different infrastructure. This backdoor installed itself as a persistent service called scdev, running under svchost.exe in the SYSTEM security context with automatic startup at boot, independent of any user login. The backdoor survived reboots and package cleanup. Affected organizations should block the known C2 IP addresses 23.254.164[.]92 and 23.254.164[.]123 at the network perimeter and check for the presence of the scdev service on any machine that was exposed.

Recommended actions
Derived from The Hacker News, BleepingComputer, SecurityWeek, and Microsoft Security Blog on Mastra supply chain attack and Sapphire Sleet attribution, June 19–23, 2026.
02 Squidbleed Fix in Squid 7.7
Squidbleed CVE-2026-47729: a 29-year-old FTP parsing bug in Squid Proxy leaks other users’ cleartext HTTP credentials to anyone sharing the same proxy. Discovered by AI. Fix ships in Squid 7.7, not yet released.
CVE-2026-47729 · Squid · CVSS pending
Researchers at Calif.io discovered the vulnerability with the assistance of Anthropic’s Claude Mythos Preview. The bug originates in a 1997 FTP-parsing change in Squid and survives in the default configuration of every version of Squid released since. An attacker who shares the same Squid proxy as a victim and can control an FTP server reachable from the proxy can cause Squid to leak 4 KB of heap memory containing the victim’s recent HTTP request data.
Executive Impact
Organizations running Squid as a corporate proxy, in shared environments, or in any multi-user network where multiple users route traffic through the same Squid instance should apply the immediate mitigation today: disable FTP support in squid.conf by removing port 21 from the Safe_ports ACL and restarting Squid. This eliminates the attack surface without requiring the 7.7 release. The risk is highest in corporate offices, schools, and shared networks where an insider or compromised account could position itself as the attacker. Only cleartext HTTP traffic and TLS-terminating proxy setups are exposed. Standard HTTPS connections are not affected.
Don’t Miss
The Squidbleed patch version requires care. Early reporting stated the fix shipped in Squid 7.6. The Squid maintainer corrected this on the oss-sec mailing list: the actual Squidbleed patch for CVE-2026-47729 ships in Squid 7.7, which has not yet been released. Squid 7.6 does fix a separate unrelated vulnerability, CVE-2026-50012, a heap-based buffer overflow in cache_digest handling. If your organization patched to 7.6 on the assumption it included the Squidbleed fix, it did not. Verify your squid.conf separately to confirm FTP access is disabled as the interim mitigation. The two-line patch is straightforward: add a null-terminator check before the strchr calls in the FTP directory-listing parser. The fix is merged to the development branch but has not shipped in a packaged release.
CyberSip Take
A 29-year-old bug, default configuration, no patch yet, and a public proof-of-concept. The mitigation of disabling FTP in Squid takes five minutes and costs nothing in most environments, since virtually no corporate traffic goes through FTP anymore. Open squid.conf, comment out or remove port 21 from Safe_ports, restart Squid. If your organization has not reviewed the Squid configuration since it was first deployed, this is a practical moment to do a broader audit of what protocols and ports are permitted.
What happened

Researchers at Calif.io disclosed CVE-2026-47729, nicknamed Squidbleed, this week after discovering it with the assistance of Claude Mythos Preview. The vulnerability is a heap buffer over-read in Squid’s FTP directory-listing parser, introduced in a January 1997 change to the codebase. The bug lies in a whitespace-skipping loop that calls strchr to test each byte against a set of whitespace characters. The C standard treats a string’s terminating null character as part of that string, so strchr also reports a match when the byte being tested is the null terminator. When an attacker-controlled FTP server sends a directory listing line that ends immediately after a timestamp, without a null terminator at the expected position, the loop treats the line’s terminator as whitespace, walks off the end of the buffer, and reads into adjacent heap memory.

Because Squid reuses freed memory buffers without zeroing them through a custom per-size freelist allocator, the adjacent heap memory frequently contains the contents of a previous user’s HTTP request, including Authorization headers carrying credentials and session tokens. The attacker receives this data as part of what appears to be a valid FTP directory listing response. The attack requires only that the attacker share the same Squid proxy as the victim and be able to reach an FTP server they control on port 21. Both FTP support and port 21 are enabled in Squid’s default configuration through the Safe_ports ACL.

The exposure is limited to cleartext HTTP traffic and TLS-terminating proxy deployments where Squid decrypts and inspects HTTPS traffic. Standard HTTPS connections, which Squid forwards as opaque CONNECT tunnels, are not affected. The fix is a two-line null-terminator check in the parsing loop, merged to the development branch in April and targeted for release in Squid 7.7. No patched release is currently available.
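The whitespace-skipping defect and the shape of its fix, as an added C illustration that is not Squid’s code (the arena layout, the W_SPACE set and the function names are assumed, and the stale request bytes are constructed): the vulnerable loop treats the line’s terminator as whitespace and hands back bytes from adjacent memory, while the fixed loop stops at the terminator.

```c
/* Constructed illustration of the strchr/NUL pitfall described above. Not
 * Squid's source: the arena layout, the W_SPACE set, the function names and
 * the sample request bytes are all assumptions made for this demonstration. */
#include <stdio.h>
#include <string.h>
#define W_SPACE " \t\r\n"  /* assumed whitespace set consulted by the parser */

/* One array stands in for a heap region: the listing line sits at the front and
 * ends right after its timestamp; the bytes past its terminator model a recycled
 * buffer returned without zeroing (a previous user's request; constructed data). */
static const char arena[] =
    "-rw-r--r-- 1 ftp ftp 12 Jan 01 1997"            /* listing line */
    "\0"                                             /* its terminator */
    "\0"                                             /* stale padding byte */
    "Authorization: Basic ZmFrZTpjcmVkZW50aWFs\r\n"; /* stale request data */
static char out_buf[128];                            /* parser output */
typedef const char *(*skip_fn)(const char *);

/* Vulnerable pattern: strchr(W_SPACE, '\0') returns a pointer to W_SPACE's own
 * terminator (non-null), so NUL counts as whitespace and the loop runs on. */
static const char *skip_ws_vulnerable(const char *p)
{
    while (strchr(W_SPACE, *p))
        p++;
    return p;
}

/* Fixed pattern (the shape of the two-line fix): check for the terminator
 * before consulting strchr, so the scan stops at the end of the line. */
static const char *skip_ws_fixed(const char *p)
{
    while (*p != '\0' && strchr(W_SPACE, *p))
        p++;
    return p;
}

/* Simplified stand-in for the field extraction after the timestamp: skip
 * whitespace, then copy the "filename" up to end of line. Returns bytes copied. */
static size_t parse_filename(const char *after_ts, skip_fn skip,
                             char *out, size_t outsz)
{
    const char *p = skip(after_ts);
    size_t n = 0;
    while (*p != '\0' && *p != '\r' && *p != '\n' && n + 1 < outsz)
        out[n++] = *p++;
    out[n] = '\0';
    return n;
}

/* Run one variant against the arena; the byte just past "1997" is where the
 * parser expects whitespace. Extracted text is left in out_buf. */
static size_t demo(skip_fn skip)
{
    return parse_filename(arena + strlen(arena), skip, out_buf, sizeof out_buf);
}

int main(void)
{
    size_t n = demo(skip_ws_vulnerable);
    printf("vulnerable: %zu bytes of adjacent memory returned: \"%s\"\n", n, out_buf);
    n = demo(skip_ws_fixed);
    printf("fixed:      %zu bytes returned\n", n);
    return 0;
}
```

The over-read here stays inside one array so the program is well-defined; in a real heap the same loop crosses into whatever the allocator placed next.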

Recommended actions
Derived from The Hacker News, SecurityWeek, and Calif.io blog on Squidbleed CVE-2026-47729, June 19–23, 2026.
03 Updated FortiBleed
FortiBleed credential count updated to 110 million. The figure reflects total credentials captured through VPN traffic interception, not only verified device logins. The operation continues to grow.
FortiBleed · Updated June 23
SecurityWeek published updated figures today confirming the FortiBleed sniffer has captured over 110 million credentials since at least February 2026, using compromised FortiGate devices as listening posts on live SSL VPN traffic. This figure is larger than the 86,644 verified device credential figure from yesterday’s reporting because it counts every credential captured through the VPN interception mechanism, not only the credentials used to initially compromise each device.
Executive Impact
The operational response to FortiBleed does not change based on the updated figure: patch all FortiGate appliances, rotate all FortiGate administrator and VPN user credentials, audit for unauthorized accounts, and rename or disable factory default accounts. The higher total credential figure reinforces the urgency of credential rotation specifically, because every employee who has authenticated through a compromised FortiGate VPN gateway since February may have had their credentials captured, regardless of whether their organization’s own FortiGate devices have been directly compromised.
Don’t Miss
The 110 million figure clarifies how FortiBleed differs from a static credential dump. A static dump has a fixed scope determined by what was accessible at the moment of compromise. FortiBleed is a live interception operation. Every employee who has connected through a compromised FortiGate VPN gateway since February has potentially had their authentication credentials captured in real time, regardless of whether their organization appeared in the initial device credential database. For organizations that have not yet confirmed whether their FortiGate devices are among the compromised, the credential count is a reminder that the question matters not just for the device itself but for every user who authenticated through it.
CyberSip Take
110 million credentials captured from an operation that started in February and is still running. If your organization uses FortiGate for SSL VPN and has not yet verified whether its appliances are among those compromised, the scope of this operation is the reason to find out now rather than next week. The NCSC issued guidance yesterday. The credential count today underlines why.
What is new

SecurityWeek published updated FortiBleed figures today confirming that the custom sniffer deployed on compromised FortiGate devices has captured over 110 million credentials since at least February 2026. This total encompasses both the credentials used to initially compromise each device and the credentials captured from live SSL VPN authentication traffic passing through those compromised devices after the fact.

The figure is consistent with the self-feeding mechanism described in yesterday’s brief: compromised devices intercept live VPN traffic and capture authentication credentials from employees connecting through the gateway, feeding those credentials back into the operation continuously. The 86,644 figure from yesterday represents verified working login credentials for individual FortiGate devices. The 110 million figure represents the cumulative credential harvest from all interception activity.

The remediation guidance from Issues 68 and 69 remains unchanged: patch all internet-accessible FortiGate appliances to the latest firmware, rotate all administrator and VPN user credentials after patching, rename or disable factory default and built-in system accounts, and audit authentication logs for unexpected logins from unfamiliar IP addresses or at unusual times.

Recommended actions
Derived from SecurityWeek FortiBleed updated figures, June 23, 2026.
Still watching
Aging items · days 2–5
Items here remain operationally relevant but have no significant new developments. They drop off after 7 days.
Klue / Icarus breach (Issue 69). Gong confirmed as second victim. Icarus data release deadline was yesterday June 22. Monitor for confirmation of data publication and additional victims being identified. Day 2
NGINX CVE-2026-42530 and CVE-2026-42055 (Issue 68). Both CVSS 9.2. Out-of-band patches June 17. Not yet exploited in the wild. Upgrade to NGINX Open Source 1.31.2 or 1.30.3. Day 4
Cross-source standouts
01
North Korea is running a sustained campaign against AI developer tooling on npm
The Axios attack in April. The Mastra attack in June. Both attributed to Sapphire Sleet. Both using the same playbook: social engineer a maintainer account, publish a clean decoy dependency, weaponize it, and distribute it through trusted packages. Mastra is used to build AI applications. Its packages sit in environments holding LLM API keys, cloud credentials, and cryptocurrency wallet access. The April Axios package had over 70 million weekly downloads. The Mastra framework had approximately 8 million. Neither number is small. For North Korea, whose primary objective through Sapphire Sleet is cryptocurrency theft to generate hard currency for the regime, AI developer tooling is not a peripheral target. It is direct access to the financial infrastructure those developers manage. Maintainers of other prominent TypeScript and JavaScript packages in the AI space should treat this as an active threat to their ecosystem, not a story about someone else.
02
AI discovered a 29-year-old bug that three decades of human review missed
Squidbleed has been in the Squid codebase since January 1997. It survived repeated security audits, three decades of releases, and independent code reviews. Calif.io found it by sending Claude Mythos Preview through Squid’s FTP parsing code. The model identified the strchr null-terminator edge case almost immediately, the kind of conjunction between a 1990s compatibility shim, a non-obvious C standard behavior, and an undocumented allocator reuse pattern that is easy to miss in a focused code review but tractable for a model that holds all three pieces in context simultaneously. This is the same research team that found the HTTP/2 Bomb attack two weeks earlier, this time using OpenAI’s Codex. Two researchers, two AI models, two critical infrastructure vulnerabilities in two weeks. The NCSC’s warning from yesterday about AI accelerating vulnerability discovery applies in both directions: defenders finding bugs faster, and the same capability available to attackers. The Squidbleed disclosure is a concrete example of the defensive application. The FortiBleed AI-assisted automated credential scanning is a concrete example of the offensive one.
Our methodology
  • Federal cybersecurity advisories
  • Law enforcement threat bulletins
  • National vulnerability databases
  • Major vendor security advisories
  • Cross-referenced for relevance and corroboration
About CyberSip
A cyber brief for leaders and practitioners who need signal, not noise. Intelligence without the noise, published on cybersip.net.

CyberSip aggregates cybersecurity information from publicly available sources for informational purposes only. CyberSip does not provide legal, technical, incident response, or compliance advice, and makes no guarantee regarding completeness, accuracy, or timeliness. Organizations should validate all findings within their own environments and consult qualified professionals as appropriate. Original advisories, remediation guidance, and technical details remain with the referenced source organizations. Items remain active for no more than 7 days from publication unless materially updated.