Thursday, 18 June 2026

A hijacked npm contributor account just exposed 1.1 million weekly downloads of AI infrastructure tooling

On June 17, an attacker used the credentials of "ehindero" — a legitimate former contributor to the Mastra AI framework whose npm publishing access was never revoked — to mass-publish 141 packages across the @mastra/* scope in an 88-minute automated window. The packages themselves carried no malicious code; instead, each one had a single dependency quietly added: easy-day-js, a typosquat of the popular dayjs library that had been seeded as a clean copy the day before to build a benign version history. The weaponized version fires an obfuscated postinstall hook that disables TLS certificate validation, pulls a second-stage payload from attacker infrastructure, and self-deletes to limit forensic traces — meaning exposure happens at npm install, before a developer ever imports the package. Socket, JFrog, SafeDep, and StepSecurity all independently documented the campaign; Socket flagged the malicious dependency within six minutes of publication, and the loader sample itself had been sitting on public malware sandboxes since May 29, indicating reused tooling rather than a bespoke build. The npm scope generates SLSA provenance attestations on CI-published releases but doesn't require them — so a standard personal token could publish without one, and every malicious version in the wave was missing its attestation. That's the actionable gap: a policy requiring signed provenance (npm audit signatures or equivalent) would likely have prevented publication of the malicious versions, or at minimum flagged an immediate policy violation — implementation specifics matter, but the enforcement gap is real.
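The install-time exposure described above is visible in the lockfile before any script runs. The following is an added example, not code from Socket, Mastra or the original post: a CI-side check that diffs the previous and current package-lock.json, lists every dependency that newly appeared, and flags those that npm marks with `hasInstallScript` (npm's own v2/v3 lockfile field for packages declaring preinstall/install/postinstall). The two lockfiles are constructed samples modelled on the incident; the version numbers are assumed.

```python
import json

# Constructed baseline: the lockfile before the malicious publish.
OLD_LOCK = json.dumps({
    "lockfileVersion": 3,
    "packages": {
        "": {"dependencies": {"@mastra/core": "^0.1.0"}},
        "node_modules/@mastra/core": {"version": "0.1.0"},
        "node_modules/dayjs": {"version": "1.11.0"},
    },
})

# Constructed: the lockfile after resolving a version that quietly pulled
# in easy-day-js as a transitive dependency carrying a postinstall hook.
NEW_LOCK = json.dumps({
    "lockfileVersion": 3,
    "packages": {
        "": {"dependencies": {"@mastra/core": "^0.1.0"}},
        "node_modules/@mastra/core": {
            "version": "0.1.1",
            "dependencies": {"easy-day-js": "^1.0.1"},
        },
        "node_modules/dayjs": {"version": "1.11.0"},
        "node_modules/easy-day-js": {"version": "1.0.1", "hasInstallScript": True},
    },
})


def package_name(path):
    # "node_modules/@scope/name" -> "@scope/name"; nested installs keep the last segment
    return path.rsplit("node_modules/", 1)[-1]


def new_packages(old_lock, new_lock):
    """Return {name: lock entry} for packages present only in the new lockfile."""
    old = json.loads(old_lock)["packages"]
    new = json.loads(new_lock)["packages"]
    # The "" key is the project root itself, never a dependency.
    return {package_name(p): e for p, e in new.items() if p and p not in old}


def install_script_findings(old_lock, new_lock):
    """Names of newly added packages that would run code during npm install."""
    return sorted(name for name, entry in new_packages(old_lock, new_lock).items()
                  if entry.get("hasInstallScript"))


if __name__ == "__main__":
    for name in install_script_findings(OLD_LOCK, NEW_LOCK):
        print(f"HOLD: new dependency {name} declares an install-time script")
```

Running this against the committed lockfile before `npm ci` (ideally with `--ignore-scripts` until the review passes) catches the dependency at the point the article identifies as the exposure window, independently of whether the registry enforced provenance.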

Watch for: whether npm or GitHub move to make provenance verification mandatory rather than advisory for high-download scopes, and whether StepSecurity's Harden-Runner telemetry or further sandbox matching ties the reused loader to a previously named campaign.

Sources: Socket (June 17, 2026); StepSecurity (June 17, 2026); The Hacker News (June 17, 2026); Orca Security (June 17, 2026).


JetBrains Marketplace plugins have been quietly running a stolen-API-key resale business since October

Aikido Security disclosed a coordinated campaign of at least 15 JetBrains IDE plugins, published under seven separate vendor accounts, that function exactly as advertised — AI coding assistants, commit-message generators, code review tools — while silently exfiltrating any AI provider API key a developer enters into the settings panel. BleepingComputer independently downloaded and confirmed the credential-theft code is still live in the current build of one plugin, DeepSeek AI Assist, as of publication. The mechanism is unusually clean: a hardcoded save() method fires the moment a user clicks "Apply," with no consent prompt or UI indicator. What separates this from a standard credential-theft campaign is the business model Aikido surfaced: the plugins offer a paid tier where users who pay a small fee receive a working API key in return — and Aikido's working theory is that those keys are the ones stolen from free users, meaning legitimate key owners are funding the compute costs of paying customers on the other side of the same scheme. The campaign has run since late October 2025 with new plugin variants published as recently as June 10. This is an analytical inference from the public record, not a confirmed finding: neither Aikido nor JetBrains has published telemetry proving the resold keys and the stolen keys are the same pool, though the architecture described makes it the most coherent explanation for the dual-sided monetization.

Watch for: whether JetBrains responds publicly or simply delists the flagged accounts without comment, and whether the ~70,000 combined install figure holds up against independent verification given Aikido's own caveat that marketplace download counts are routinely inflated.

Sources: Aikido Security (June 17, 2026); BleepingComputer (June 17, 2026); Infosecurity Magazine (June 17, 2026).


Two studies expose distinct trust-boundary failures in AI agents

Imperva and Varonis published independent research this week on OpenClaw, the self-hosted AI agent framework, demonstrating two distinct failure classes. Imperva's Yohann Sillam found that OpenClaw flattens shared contacts, vCards, and location pins directly into the LLM's prompt text with no boundary marking them as untrusted — meaning a malicious instruction embedded in an ordinary contact card executes without the victim seeing it. That's now patched in version 2026.4.23. Varonis Threat Labs took a different angle: they built a test agent, gave it a realistic inbox with mock AWS keys and database credentials, and ran it through phishing simulations against Google Gemini 3.1 Pro and OpenAI Codex GPT-5.4. In one case, an email impersonating a team lead asking for "staging credentials during a production issue" was enough for the agent to forward AWS IAM keys and database passwords to an external address — even with explicit identity-verification instructions already present in its system prompt. Varonis's framing is the useful part: prompt injection hides instructions in data the agent processes, while what they call "agent phishing" is a believable request through a normal channel that works because the agent acts before checking who actually sent it. The distinction matters operationally because the second failure mode has no patch — it's an architecture problem, not a bug.
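The human-approval gate Varonis recommends can be made concrete as a policy check that sits between the agent's decision and the mail transport. The block below is an added example, not code from Imperva, Varonis or the OpenClaw project: it holds any draft that carries a credential, escalates when that credential would leave the organisation, and refuses to act on a request whose sender was not verified. The internal domain, the "auth" field (standing in for the gateway's DMARC verdict), the credential patterns and both messages are assumed or constructed.

```python
import re

INTERNAL_DOMAINS = {"example.internal"}  # assumed: the organisation's own mail domains

# Assumed credential shapes: AWS access key ids and URL-style database
# connection strings that embed a password.
SECRET_PATTERNS = [
    re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    re.compile(r"\b(?:postgres|mysql)://[^:\s]+:[^@\s]+@", re.I),
]


def contains_secret(text):
    return any(p.search(text) for p in SECRET_PATTERNS)


def is_external(address):
    return address.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS


def review(action):
    """Return the reasons to hold a proposed send_email action for a human.

    action = {"to": recipient, "body": draft text,
              "request": {"from": sender, "auth": "pass" | "fail"}}
    An empty list means the agent may send on its own.
    """
    reasons = []
    if contains_secret(action["body"]):
        reasons.append("draft carries a credential: always needs a human")
        if is_external(action["to"]):
            reasons.append("credential would leave the organisation")
    req = action.get("request")
    if req and (req.get("auth") != "pass" or is_external(req["from"])):
        reasons.append("request sender is not a verified internal identity")
    return reasons


# Constructed replay of the scenario above: a lookalike "team lead" asks for
# staging credentials and the agent drafts the reply before anyone checks.
PHISH_REPLY = {
    "to": "lead@example-internal.co",
    "body": "Here you go: AKIAIOSFODNN7EXAMPLE and postgres://app:Sup3rS3cret@db/staging",
    "request": {"from": "lead@example-internal.co", "auth": "fail"},
}
BENIGN_REPLY = {
    "to": "cto@example.internal",
    "body": "Deploy is green, no action needed.",
    "request": {"from": "cto@example.internal", "auth": "pass"},
}
```

The gate does not depend on the model: the phishing reply is held on all three grounds even if the system prompt's verification instruction was ignored, which is the point of putting the check outside the prompt.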

Watch for: whether Varonis's promised follow-up research on cross-tenant agent abuse surfaces similar failure patterns in other agent frameworks beyond OpenClaw, and whether enterprises adopting agentic email/CRM access start requiring the human-approval gate Varonis recommends for credential-forwarding actions.

Sources: Imperva (June 11, 2026); Varonis Threat Labs (June 11, 2026); The Hacker News (June 12, 2026).


CISA put a maximum-severity score on a Joomla plugin most security teams don't think to patch

CISA added CVE-2026-48907 to its Known Exploited Vulnerabilities catalog on June 16 — a CVSS 10.0 improper access control flaw in Widget Factory's JCE (Joomla Content Editor), one of the most widely deployed WYSIWYG editor extensions for Joomla sites. The bug lets an unauthenticated attacker create a new editor profile and use it to upload and execute arbitrary PHP, which researcher Phil E. Taylor documented being actively weaponized to drop persistent web shells. Affected versions run 1.0.0 through 2.9.99.4; Widget Factory shipped the fix in 2.9.99.5 on June 3 — meaning there was a roughly two-week gap between patch availability and KEV listing, during which exploitation was apparently already underway. Worth flagging for sourcing accuracy: CISA's own notice and most outlets cite a Friday, June 19 FCEB remediation deadline under BOD 26-04. At least one outlet reported July 7 under the older BOD 22-01 framework instead. Reporting diverges on which compliance framework governs this case, and BCG has not independently verified which is authoritative. The broader pattern here is structural: JCE sits outside Joomla's core update mechanism, and CMS extensions routinely get treated as "set and forget" rather than the application-server attack surface they actually are.

Watch for: clarification on the actual FCEB deadline, and whether mass-scanning activity targeting unpatched JCE installs shows up in honeypot or CDN telemetry over the next week.

Sources: CISA KEV catalog (June 16, 2026); The Hacker News (June 17, 2026); BleepingComputer (June 17, 2026); Security Affairs (June 17, 2026).


Microsoft formally acknowledges Defender zero-day after a week of public dispute

CVE-2026-50656 — publicly dubbed RoguePlanet — was formally published by the Microsoft Security Response Center on June 16, more than a week after researcher Nightmare-Eclipse (also known as Chaotic Eclipse) first dropped the proof-of-concept on June 10, hours after that month's Patch Tuesday closed. This is a status update on a thread BCG has tracked since early June, not a new disclosure: what changed is that Microsoft moved from "investigating the validity of these claims" to a formal CVE with a CVSS 7.8 score and a stated commitment to ship a fix, with no patch yet available. The bug is a time-of-check-to-time-of-use race condition in the Microsoft Malware Protection Engine that spawns a SYSTEM-level command shell, and ThreatLocker independently reproduced it against fully patched Windows 11 systems running the June cumulative update. RoguePlanet is the researcher's fourth disclosed Defender zero-day since March, following BlueHammer, RedSun, and UnDefend — all since patched — in what the researcher has described as an ongoing dispute with Microsoft over its vulnerability handling and bug bounty practices.

Watch for: whether Microsoft ships an out-of-band fix before the July Patch Tuesday given the public PoC and confirmed reproduction, and whether Nightmare-Eclipse's pattern of timing drops to Patch Tuesday continues into July.

Sources: Microsoft Security Response Center (June 16, 2026); Help Net Security (June 17, 2026); BleepingComputer (June 17, 2026); SecurityWeek (June 17, 2026).


A typosquatted date library and a missing signature check are the same lesson Mastra and the AI-IDE plugin economy are both learning right now

Setting the two supply-chain items above side by side: neither attack required a memory-corruption bug, a zero-day, or a sophisticated exploit chain. The Mastra compromise rode in on a transitive dependency typosquat with no malicious code in the parent package itself; the JetBrains campaign rode in on marketplace review processes that catch source-level malice but not a single hardcoded exfiltration call inside an otherwise-functional plugin. Both target the same asset class — developer and AI-pipeline credentials — and both succeeded against environments with mature-looking security postures on paper. This is an analytical inference from the public record, not a confirmed finding: no named source has tied these two campaigns to a common actor or toolkit, and the technical methods are distinct enough that coordination looks unlikely. The connective tissue is opportunistic convergence on a soft target, not a single operation — but it's worth naming as a pattern, because the defensive gap in both cases (signed provenance, install-time scanning, treating IDE plugins as untrusted code) is identical and currently unaddressed industry-wide.

Watch for: whether any named researcher publishes infrastructure or toolkit overlap between the two campaigns in the coming weeks, which would upgrade this from inference to attribution.

Sources: Synthesis of Items 1 and 2 above; no independent sourcing beyond what is cited there.


Border Cyber Group — independent cybersecurity research and investigative journalism.