Fact: The Starlette Python framework at the center of this week's BadHost vulnerability receives more than 325 million downloads per week, making it one of the most widely installed pieces of infrastructure powering today's AI agent ecosystem. One authentication bypass in that codebase reaches every FastAPI app, every vLLM deployment, and every MCP server built on top of it. (Wiz Research, 2026)
The Signal
 
This edition is a case study in trust that turned out to be misplaced: in a trusted npm registry, in a security vendor's own tools, in a platform you assumed wouldn't be weaponized against you. The week's stories aren't just about breaches. They're about what happens when the things you depend on to stay safe become the attack surface.


In this edition
  📌 Big Cyber News
  🚨 Can't Miss
  🤖 AI in Cyber
  🏛️ Privacy, Power & Policy
  🛠️ Tools & Tactics
  🧪 Strange Cyber
📌 Big Cyber News
 
Supply Chain
Your Developer Tools Just Became the Delivery Mechanism
Intro
Supply chain attacks usually compromise a library to reach its users. This one compromised a Red Hat employee's GitHub account to reach every organization that installs packages from Red Hat's cloud services namespace. The payload didn't just steal data. It tried to spread itself.
What Happened
On June 1, attackers pushed malicious code into at least 32 packages across 96 versions of Red Hat's @redhat-cloud-services npm namespace. The compromise came through a single employee's GitHub account. The injected malware, a variant called "Miasma: The Spreading Blight," executes the moment an affected package is installed, collecting GitHub Actions secrets, AWS credentials, Google Cloud credentials, Azure service principals, HashiCorp Vault tokens, Kubernetes service account tokens, SSH keys, Docker credentials, and .env files. Then it tries to spread to other packages the victim can publish. Researchers identified 309 compromised GitHub repositories across multiple organizations. On June 4, Wiz Research confirmed the campaign had expanded: a second wave of packages abused the binding.gyp install hook as a new execution vector, and added collectors specifically targeting GCP and Azure cloud identities. This campaign is still active.
Why It Matters
The @redhat-cloud-services namespace powers the Red Hat Hybrid Cloud Console, which enterprises use to manage cloud infrastructure. 117,000 combined weekly downloads means this reached production pipelines. The credentials being targeted are specifically cloud and DevOps credentials: the kind that allow lateral movement across cloud environments and CI/CD systems. Credential theft from a single developer workstation in this ecosystem can cascade into full cloud account compromise.
The Other Side
Red Hat moved fast. The company states the malicious code was never published for customer consumption and found no impact to production systems. The affected packages were removed promptly, and Red Hat has broad capabilities to audit internal pipeline integrity. The attack's scope, while wide, was detected before any customer-facing systems were confirmed compromised.
 
👉 Takeaway
This is the third major supply chain attack to hit the npm ecosystem in 2026. The attack surface isn't your perimeter. It's your package manager. Audit what your CI/CD pipelines install automatically at build time.
TL;DR: Attackers compromised a Red Hat employee's GitHub account and pushed credential-stealing malware into 32 npm packages, hitting 309 repositories and targeting cloud credentials across AWS, GCP, and Azure.
Further reading: BleepingComputer
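The takeaway above is "audit what your CI/CD pipelines install automatically at build time". Below is an added example of what that audit looks like in practice; it is not code from the newsletter, from Red Hat, or from the researchers who analysed Miasma. It walks an installed node_modules tree and flags every package that can execute code at install time, either through a preinstall/install/postinstall script or through a binding.gyp file (npm's default install step runs node-gyp rebuild when binding.gyp is present and no install script is declared, which is why a build descriptor can act as an execution hook). It also lists every lockfile entry under a given npm scope so you can see at a glance whether a namespace like @redhat-cloud-services is in your dependency graph. The sample tree, the @example-scope namespace and the package names are constructed for the demo.

```python
"""Audit an npm install tree for install-time execution hooks (added example).

Walks node_modules for packages with lifecycle scripts or a binding.gyp, and
lists lockfile entries under a chosen scope. The sample tree built by
build_sample_tree() is constructed for this demo; no real package is included.
"""
import json
import tempfile
from pathlib import Path

LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall")


def find_install_hooks(node_modules: Path):
    """Return sorted (package_name, reason) pairs for packages that can run code on install."""
    findings = []
    for pkg_json in node_modules.rglob("package.json"):
        try:
            meta = json.loads(pkg_json.read_text())
        except (json.JSONDecodeError, OSError):
            continue
        name = meta.get("name", str(pkg_json.parent))
        scripts = meta.get("scripts") or {}
        for hook in LIFECYCLE_HOOKS:
            if hook in scripts:
                findings.append((name, f"{hook}: {scripts[hook]}"))
        # npm's default install script is `node-gyp rebuild` when binding.gyp exists
        # and neither install nor preinstall is declared: an implicit execution hook.
        if (pkg_json.parent / "binding.gyp").exists() and not ({"install", "preinstall"} & set(scripts)):
            findings.append((name, "binding.gyp present: implicit node-gyp rebuild on install"))
    return sorted(findings)


def packages_in_scope(lockfile: Path, scope: str):
    """List (name, version) for lockfile entries under an npm scope such as '@example-scope'."""
    lock = json.loads(lockfile.read_text())
    out = []
    for path, entry in lock.get("packages", {}).items():  # lockfileVersion 2/3 layout
        if not path:
            continue  # "" is the root project itself
        name = path.rsplit("node_modules/", 1)[-1]
        if name.startswith(scope + "/"):
            out.append((name, entry.get("version")))
    return sorted(out)


def build_sample_tree(root: Path) -> Path:
    """Constructed sample: a benign package, one with a postinstall hook, one with binding.gyp."""
    nm = root / "node_modules"
    (nm / "left-pad").mkdir(parents=True)
    (nm / "left-pad" / "package.json").write_text(json.dumps({"name": "left-pad", "version": "1.0.0"}))
    (nm / "@example-scope" / "hooked").mkdir(parents=True)
    (nm / "@example-scope" / "hooked" / "package.json").write_text(json.dumps(
        {"name": "@example-scope/hooked", "version": "2.0.0",
         "scripts": {"postinstall": "node setup.js"}}))
    (nm / "native-addon").mkdir(parents=True)
    (nm / "native-addon" / "package.json").write_text(json.dumps({"name": "native-addon", "version": "0.1.0"}))
    (nm / "native-addon" / "binding.gyp").write_text("{ 'targets': [] }")
    lock = {"name": "demo-app", "lockfileVersion": 3, "packages": {
        "": {"name": "demo-app"},
        "node_modules/left-pad": {"version": "1.0.0"},
        "node_modules/@example-scope/hooked": {"version": "2.0.0"},
        "node_modules/native-addon": {"version": "0.1.0"},
    }}
    (root / "package-lock.json").write_text(json.dumps(lock))
    return root


def audit_demo():
    """Run both checks over the constructed tree and return the findings."""
    root = build_sample_tree(Path(tempfile.mkdtemp()))
    return {
        "hooks": find_install_hooks(root / "node_modules"),
        "scoped": packages_in_scope(root / "package-lock.json", "@example-scope"),
    }


if __name__ == "__main__":
    for key, rows in audit_demo().items():
        print(key)
        for row in rows:
            print("   ", row)
```

Point find_install_hooks at a real node_modules directory and packages_in_scope at your package-lock.json with the scope you care about. A list of hook-bearing packages is the thing to review before you let a pipeline run `npm install` with scripts enabled; installing with `--ignore-scripts` in CI and re-enabling scripts only for packages you have reviewed removes the install-time execution vector both Miasma waves relied on.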
🚨 Can't Miss
 
 
Law Enforcement | Cybersecurity Officials
Spanish National Police arrested a suspect in Granada who allegedly posted personal data of officers from the National Police, Civil Guard, Attorney General's Office, National Security Council, and INCIBE (Spain's national cybersecurity institute) across multiple public platforms. Police seized computers and electronic devices for forensic examination. Authorities noted the leaks expose officials to "harassment, threats, extortion attempts and coordinated targeting campaigns." No motive has been disclosed, and investigators are still determining whether others were involved.
Leaking the home addresses of the people who investigate cybercrime is a fast way to get arrested for cybercrime.
 
Vulnerability | Active Exploitation
Two Microsoft Defender flaws are under active exploitation in the wild. CVE-2026-41091 ("RedSun") lets attackers escalate privileges to SYSTEM via an improper link resolution flaw in the Malware Protection Engine. CVE-2026-45498 ("UnDefend") is worse on paper: it puts Defender into a denial-of-service state and blocks all definition updates, leaving the host completely dark to new threats. The CISA deadline for federal agencies to patch passed June 3; if you haven't patched, you're now behind the government's own schedule. Microsoft has released updated versions of both the engine and the antimalware platform.
Your endpoint security tool having an exploited zero-day that disables it is the kind of irony that only lands when it happens to someone else.
 
Data Breach | Telecom
Charter Communications confirmed a breach after the ShinyHunters extortion group threatened to leak what it claims is 40 million Salesforce records: customer names, emails, addresses, phone numbers, plan data, and support ticket content. The entry point was a single vishing attack on April 1 that compromised an employee's Microsoft Entra account. Charter says no sensitive personal information or customer proprietary network information was exfiltrated. ShinyHunters disputes this. The same group used identical tactics this year against Instructure, 7-Eleven, and ADT.
Four major enterprise breaches in 2026 traced to the same playbook: call an employee, impersonate IT, compromise their Entra account, walk into Salesforce.


🤖 AI in Cyber
 
 
AI Infrastructure | Vulnerability
CVE-2026-48710, called "BadHost," is an authentication bypass in Starlette, the Python web framework that FastAPI, vLLM, LiteLLM, and virtually every MCP server run on. The flaw: Starlette reconstructs request URLs from the HTTP Host header without validating it against the RFC host syntax. A single malformed character in the Host header lets unauthenticated attackers bypass path-based access controls entirely, reaching protected endpoints including LLM APIs, agent tooling, model endpoints, and anything connected to internal cloud storage, mailboxes, or databases. Security researchers argue the CVSS score of 6.5 severely underestimates real-world risk. Patched in Starlette 1.0.1. Free scanner at badhost.org.
This is the first vulnerability that directly targets AI agent infrastructure at ecosystem scale. If you run MCP servers or deploy AI agents on Starlette-based frameworks, patch this today.
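Patching is the fix. As an added illustration of the defensive principle behind it (never build URLs or routing decisions from a Host header you have not validated), here is a strict Host check written as an ASGI middleware. This is an example added to this edition, not Starlette's patch and not the researchers' scanner: it uses only the standard library so it runs without the framework, but the class wraps any ASGI app, a Starlette or FastAPI app included. A request is refused with 400 before it reaches routing or path-based auth unless its Host header parses against a deliberately strict grammar (DNS-style name, dotted IPv4, or bracketed IPv6 literal, optional port), appears exactly once, and matches a deployment allowlist after case-folding. The hostname api.internal.example and the /admin path are constructed for the demo.

```python
"""Strict Host header validation as an ASGI middleware (added example, not Starlette's fix).

A request only reaches the wrapped app if its Host header is well-formed,
present exactly once, and on the allowlist. Hostnames used here are constructed.
"""
import asyncio
import re

# Stricter than RFC 3986 reg-name on purpose: DNS labels, dotted IPv4, or [IPv6], optional :port.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?"
_HOST_RE = re.compile(
    r"^(?:\[[0-9A-Fa-f:.]+\]"            # bracketed IPv6 literal
    r"|(?:\d{1,3}\.){3}\d{1,3}"          # dotted IPv4 (shape only)
    rf"|{_LABEL}(?:\.{_LABEL})*\.?"      # DNS name, optional trailing dot
    r")(?::\d{1,5})?$",
    re.ASCII,
)


def normalize_host(raw: bytes):
    """Canonical lowercase host[:port], or None if the header value is malformed."""
    try:
        host = raw.decode("ascii")
    except UnicodeDecodeError:
        return None
    if not _HOST_RE.match(host):
        return None
    return host.lower()


class StrictHostMiddleware:
    """Wraps any ASGI app (Starlette/FastAPI included); rejects bad Host headers with 400."""

    def __init__(self, app, allowed_hosts):
        self.app = app
        self.allowed = {h.lower() for h in allowed_hosts}

    async def __call__(self, scope, receive, send):
        if scope["type"] != "http":
            await self.app(scope, receive, send)
            return
        values = [v for k, v in scope.get("headers", []) if k.lower() == b"host"]
        # Exactly one Host header, well-formed, and allowlisted; otherwise stop here.
        host = normalize_host(values[0]) if len(values) == 1 else None
        if host is None or host not in self.allowed:
            await send({"type": "http.response.start", "status": 400,
                        "headers": [(b"content-type", b"text/plain")]})
            await send({"type": "http.response.body", "body": b"invalid host header"})
            return
        scope["validated_host"] = host  # downstream code should build URLs from this, not raw Host
        await self.app(scope, receive, send)


async def _protected_app(scope, receive, send):
    """Constructed stand-in for a protected endpoint; answers 200 to anything it is allowed to see."""
    await send({"type": "http.response.start", "status": 200, "headers": []})
    await send({"type": "http.response.body", "body": b"protected resource"})


def probe(host_headers, allowed=("api.internal.example",)) -> int:
    """Push one GET /admin with the given Host header values through the middleware; return the status."""
    app = StrictHostMiddleware(_protected_app, allowed)
    scope = {"type": "http", "method": "GET", "path": "/admin",
             "headers": [(b"host", h) for h in host_headers]}
    statuses = []

    async def receive():
        return {"type": "http.request", "body": b"", "more_body": False}

    async def send(message):
        if message["type"] == "http.response.start":
            statuses.append(message["status"])

    asyncio.run(app(scope, receive, send))
    return statuses[0]


if __name__ == "__main__":
    for hdrs in ([b"api.internal.example"], [b"API.Internal.Example"], [b"evil.example"],
                 [b"api.internal.example/../admin"], [b"api.internal.example", b"evil.example"], []):
        print(hdrs, "->", probe(hdrs))
```

The design choice worth copying is the order of operations: syntactic validation first, then an exact allowlist match, then everything else. Any code that derives a URL, a redirect target, or an access decision from the request should read scope["validated_host"] rather than the raw header, so a header the middleware never approved has no path into those decisions.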
 
AI Offense | Fraud
A Russian-speaking threat actor identified as "bandcampro" used 73 stolen Gemini API keys and a jailbroken version of the model to run a solo fraud campaign targeting Trump supporters and conspiracy theorists between September 2025 and May 2026. The Telegram channel reached 17,000 subscribers. AI generated fake QAnon-style content, malware distribution schemes, and automated tools for brute-forcing WordPress credentials. Researchers from TrendAI concluded: "What previously required a team of writers, social media managers, IT workers, and malware programmers can now be automated by a single actor using a VPS, a Telegram bot, and API access to frontier models."
The threat model has changed. Resourced teams of attackers are still a concern. So is one person with a laptop and API access.
🏛️ Privacy, Power & Policy
 
 
Surveillance | Civil Liberties
DeFlock.me crowdsources the locations of Flock Safety automated license plate readers, showing how many cameras are tracking vehicles in any given area and where that data flows. Flock Safety responded by sending a cease-and-desist letter to the site's creator, Will Freeman, claiming trademark violations. EFF stepped in and defended Freeman, arguing the site is clearly protected First Amendment speech. Flock backed down. Privacy advocates in multiple cities have since used the site to pressure local governments to block or cancel Flock contracts.
A surveillance technology company tried to use trademark law to suppress a public map of where it had placed its cameras. That's worth thinking about.
 
AI Policy | National Security
An executive order signed June 2 creates a voluntary framework under which AI companies can share frontier models with the government for 30 days before public release. Treasury, NSA, and CISA are directed to build a joint vulnerability scanning and patch distribution clearinghouse for AI systems deployed in critical infrastructure. The DOJ must prioritize prosecuting AI-enabled computer crimes. The order explicitly prohibits mandatory preclearance, meaning participation is voluntary and AI companies cannot be blocked from releasing models that skip the review process.
The administration's first formal acknowledgment that frontier AI models represent a security risk requiring pre-deployment review. "Voluntary" means this framework has real teeth only if major labs opt in.
🛠️ Tools & Tactics
 
 
Practical play
Patch cPanel Before CISA's Clock Runs Out on You Too
CISA ordered federal agencies to patch CVE-2026-48172 within four days of its disclosure. That window has passed for the government. It may not have passed for your infrastructure. CVE-2026-48172 is a privilege escalation flaw in the LiteSpeed cPanel plugin. It allows remote attackers with zero credentials to execute arbitrary scripts as root through a mishandled Redis configuration path. Attackers are actively exploiting it. Check whether your cPanel deployment runs the LiteSpeed plugin, confirm you're running a patched version (LiteSpeed released the fix May 21), and audit your Redis enable/disable configuration. If you manage shared hosting for clients, their infrastructure is at risk too.
Detection: grep -rE "cpanel_jsonapi_func=redisAble" /var/cpanel/logs /usr/local/cpanel/logs/
Further reading: BleepingComputer
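The grep above answers "did this indicator ever appear"; the next question in triage is who sent it, how often, and when. Here is an added example that takes the same indicator (cpanel_jsonapi_func=redisAble) a step further: it parses each access-log line, URL-decodes the request target so a percent-encoded spelling is not missed, and groups hits by source IP with first seen, last seen and a count. This is not code from the newsletter, CISA, cPanel or LiteSpeed. The log lines are constructed in a generic combined-log shape and the IPs are documentation ranges; real cPanel log layouts may differ, so adjust LINE_RE to match your files.

```python
"""Triage access logs for the CVE-2026-48172 request indicator (added example).

Groups indicator hits by source IP after URL-decoding the request target.
SAMPLE_LOG is constructed for this demo in a generic combined-log layout.
"""
import re
from collections import defaultdict
from urllib.parse import unquote

INDICATOR = "cpanel_jsonapi_func=redisable"  # compared case-insensitively after decoding

# Generic combined-log layout: ip - user [timestamp] "METHOD target PROTO" status size ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample lines; 198.51.100.x, 203.0.113.x and 192.0.2.x are documentation ranges.
SAMPLE_LOG = """\
198.51.100.7 - - [22/May/2026:03:14:07 +0000] "GET /json-api/cpanel?cpanel_jsonapi_module=LiteSpeed&cpanel_jsonapi_func=redisAble HTTP/1.1" 200 512 "-" "curl/8.5"
203.0.113.20 - - [22/May/2026:03:15:11 +0000] "GET /json-api/cpanel?cpanel_jsonapi_func=redisAble&x=1 HTTP/1.1" 200 301 "-" "python-requests/2.31"
203.0.113.20 - - [22/May/2026:03:15:12 +0000] "GET /json-api/cpanel?cpanel_jsonapi_func=redis%41ble HTTP/1.1" 200 301 "-" "python-requests/2.31"
192.0.2.9 - admin [22/May/2026:03:20:00 +0000] "GET /frontend/jupiter/index.html HTTP/1.1" 200 8811 "-" "Mozilla/5.0"
"""


def parse_line(line: str):
    """Return the parsed fields of one log line, or None if it does not match LINE_RE."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def is_hit(target: str) -> bool:
    """True if the URL-decoded, case-folded request target carries the indicator."""
    return INDICATOR in unquote(target).lower()


def triage(log_text: str):
    """Group indicator hits by source IP: {ip: {count, first_seen, last_seen, targets}}."""
    hits = defaultdict(lambda: {"count": 0, "first_seen": None, "last_seen": None, "targets": []})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not is_hit(rec["target"]):
            continue
        entry = hits[rec["ip"]]
        entry["count"] += 1
        entry["first_seen"] = entry["first_seen"] or rec["ts"]
        entry["last_seen"] = rec["ts"]
        entry["targets"].append(unquote(rec["target"]))
    return dict(hits)


if __name__ == "__main__":
    for ip, info in triage(SAMPLE_LOG).items():
        print(f"{ip}: {info['count']} hit(s), {info['first_seen']} .. {info['last_seen']}")
        for t in info["targets"]:
            print("   ", t)
```

Feed triage() the contents of each file the grep command searches; a source IP with repeated hits in a short window, or hits from an unauthenticated session, is where incident response should start, and the decoded targets show exactly which parameters were sent.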


🧪 Strange Cyber
 
Strange but real
Microsoft Declared War on a Security Researcher, Lost, and Then Asked for a Hug
Intro
A researcher dropped six Windows zero-days with working exploit code. Microsoft invoked its Digital Crimes Unit. The security community collectively lost its mind. Then Microsoft reversed course and extended what it called an olive branch. This all happened in five days, on X, in public.
What Happened
A researcher known as Nightmare-Eclipse released multiple Windows zero-days publicly, including two actively exploited vulnerabilities affecting Microsoft Defender. Microsoft's initial response was to declare that public vulnerability disclosure is "never justifiable" and to reference its Digital Crimes Unit, which handles cyberattacks and criminal abuse of Microsoft's platform. Nightmare-Eclipse claimed Microsoft had refused to pay out bug bounties, deleted their account without explanation, and failed to acknowledge prior communication. Other researchers began sending Nightmare-Eclipse additional undisclosed vulnerabilities in solidarity. One claimed to have a Secure Boot bypass.
Why It Matters
Responsible disclosure works on the assumption that researchers will act in good faith and vendors will respond in good faith. Microsoft's initial response was a threat. The security community's reaction was immediate and blunt. Kevin Beaumont called it a "dumpster fire." Katie Moussouris, who created Microsoft's bug bounty program, said the company sent "mixed messages" on a matter of fundamental trust in the entire security research ecosystem. The chilling effect of vendors threatening legal action against researchers who disclose bugs is a real and ongoing concern.
The Other Side
Microsoft's final position, that it has "no intention to pursue action against individuals conducting or publishing security research," is the right one. Whether the reversal was strategic or genuine is something only Microsoft knows. The company did not address Nightmare-Eclipse's specific allegations about bounty refusals, account deletion, or communication failures. Those remain unresolved.
 
👉 Takeaway
The bug bounty relationship between researchers and vendors is built on trust and incentives, not law. When a vendor picks up the phone to call law enforcement instead of its vulnerability response team, it signals something important about how it views that relationship.
TL;DR: Microsoft threatened legal action against a zero-day researcher, security researchers rallied around the researcher and started sharing more bugs, and Microsoft reversed course five days later.
Further reading: The Register
