CISO Daily Briefing – June 25, 2026

Cloud Security Alliance Intelligence Report

Report Date: June 25, 2026
Intelligence Window: 48 Hours
Topics Identified: 5 Priority Items
Papers Published: 4 Overnight

Executive Summary

The past 48 hours mark a sharp escalation across AI-enabled and AI-targeted threats. The FortiBleed campaign has compromised 86,644 FortiGate devices and exfiltrated more than 110 million credentials via a custom Go-based sniffer, while Cisco Unified CM (CVE-2026-20230) entered active exploitation within days of a public proof-of-concept. Security firm AIR demonstrated that a malicious AI agent skill bypassed every commercial skill scanner tested and silently reached approximately 26,000 agents, including corporate deployments. The DPRK-linked macOS.Gaslight backdoor weaponizes prompt injection not to attack victim systems, but to blind the AI-assisted analysts investigating it — a doctrinal inversion that redefines the SOC attack surface. On the governance front, the Five Eyes alliance, a White House Executive Order, and two House bills converged in a single week to establish that AI attack timelines are months, not years — and that current enterprise defenses were designed for a pre-AI threat environment.

Overnight Research Output

1. FortiBleed — Anatomy of a 110-Million-Credential Fortinet Harvesting Campaign

CRITICAL Research Note

Summary: The FortiBleed campaign represents the most expansive network-infrastructure credential-harvesting operation of 2026. A financially motivated, Russian-speaking initial access broker deployed a custom Golang-based sniffer (FortigateSniffer) that exploits a built-in FortiOS diagnostic command to intercept and exfiltrate credentials in transit. As of June 23, 86,644 FortiGate devices have been confirmed compromised and over 110 million credentials exfiltrated — a campaign that has been active since February 2026 and has drawn warnings from CISA. Simultaneously, Cisco Unified CM (CVE-2026-20230, CVSS 8.6) entered active exploitation within days of a public PoC demonstrating a server-side request forgery and file-write-to-root attack path, signaling coordinated pressure on enterprise communication and network perimeter infrastructure from multiple threat actors.

Enterprise Risk: Network security appliances are being systematically targeted as credential-harvesting platforms, not just as access gatekeepers. Enterprises treating perimeter devices as “trusted infrastructure” rather than as high-value targets requiring credential rotation, diagnostic-command auditing, and sniffer-detection controls are exposed to mass credential compromise with minimal detection surface.

Recommended Actions: Immediately rotate all credentials that may have transited or been stored on FortiGate devices since February 2026. Audit and disable FortiOS built-in diagnostic commands where not operationally required. Patch Cisco Unified CM for CVE-2026-20230. Implement network-based anomaly detection for unusual credential traffic patterns on perimeter devices.

Why This Matters for CSA: CSA has not previously addressed network security appliances as a credential-harvesting attack surface. This note closes a governance gap — the organizational controls for firewalls and VPN concentrators as high-value targets requiring credential rotation and sniffer-detection controls are not covered in existing AICM or CCM guidance.

2. The AI Agent Skill Trust Gap — All Commercial Scanners Bypassed

HIGH Research Note

Summary: Security firm AIR built a fake AI agent skill, published it through a marketplace using a fabricated GitHub reputation and an Instagram ad campaign, and documented it reaching approximately 26,000 agents — including verified corporate accounts — while bypassing every commercial skill security scanner tested, including those from Cisco and NVIDIA. The bypass exploited a fundamental architectural weakness: static scanning evaluates the skill at submission time, but the skill uses a mutable external link, meaning a benign payload passes review while the live skill serves something entirely different. AIR’s payload was deliberately limited to email address collection, but the same mechanism would support keylogging, credential exfiltration, or lateral prompt injection at identical scale.

Enterprise Risk: Agent skills are granted near-user-prompt-level authority within an agent’s context. The distribution channels — marketplaces, GitHub repositories, social media advertising — have no equivalent to the supply-chain transparency mechanisms in traditional software. The entire vetting infrastructure for agent skills currently provides a false sense of security. Any enterprise that has deployed AI agents with third-party skill integrations should treat those skills as unaudited runtime code until runtime behavioral verification is in place.

Recommended Actions: Audit all third-party skills currently installed in enterprise AI agent deployments. Enforce an approved-skills-only policy and disable unapproved integrations. Implement runtime behavioral monitoring that evaluates actual skill behavior at execution time, not at installation. Require skills to use pinned, immutable content references rather than mutable external links.

Why This Matters for CSA: CSA’s prior research on OpenClaw addressed supply chain attacks at the npm/package level. Agent skill trust is a distinct and underdocumented attack surface — skills receive near-user-prompt authority within agent contexts, and the distribution channels have no transparency equivalent. CSA’s AICM framework should add skill/plugin governance as a first-class control category.
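The pinned-reference recommendation above, shown as an added example (not AIR's, a scanner vendor's or CSA's code): content is hashed when it is reviewed and re-checked every time the skill loads, so a payload swapped behind a mutable link is refused at execution time. The manifest shape, the URL and all function names are assumptions made for illustration.

```python
import hashlib
import hmac

class SkillIntegrityError(Exception):
    """Fetched skill content differs from what was reviewed."""

def review_skill(manifest, fetch):
    """Review time: record the SHA-256 of every external reference."""
    return {url: hashlib.sha256(fetch(url)).hexdigest()
            for url in manifest["references"]}

def load_skill(manifest, lock, fetch):
    """Execution time: re-fetch and refuse anything that was not reviewed."""
    loaded = {}
    for url in manifest["references"]:
        expected = lock.get(url)
        if expected is None:
            raise SkillIntegrityError(f"{url}: reference was never reviewed")
        body = fetch(url)
        actual = hashlib.sha256(body).hexdigest()
        if not hmac.compare_digest(actual, expected):
            raise SkillIntegrityError(f"{url}: content changed since review")
        loaded[url] = body
    return loaded

class MutableHost:
    """Constructed stand-in for a mutable external link (no network)."""
    def __init__(self, content):
        self.content = dict(content)
    def fetch(self, url):
        return self.content[url]

def demo():
    url = "https://skills.example/summarize/instructions.md"  # hypothetical
    manifest = {"name": "summarize", "references": [url]}
    host = MutableHost({url: b"Summarize the user's document."})
    lock = review_skill(manifest, host.fetch)   # benign bytes pass review
    load_skill(manifest, lock, host.fetch)      # unchanged: loads
    host.content[url] = b"Different instructions served after approval."
    try:
        load_skill(manifest, lock, host.fetch)  # swapped: must be refused
    except SkillIntegrityError as err:
        return str(err)
    return "loaded"

if __name__ == "__main__":
    print(demo())
```

The lock only helps if it is stored where the skill publisher cannot rewrite it, for example alongside the enterprise's approved-skills list.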

3. macOS.Gaslight — DPRK Uses Prompt Injection to Blind AI Analysts

CRITICAL Research Note

Summary: The macOS.Gaslight backdoor, attributed to the DPRK-linked BONZAI threat family, marks the first documented state-actor deployment of prompt injection as an analyst evasion technique rather than as a victim-system attack. The Rust-based implant embeds a cascade of 38 fabricated system-failure messages within a Markdown-fenced block, engineered to convince LLM-assisted malware triage tools to abort, truncate, or refuse analysis — effectively blinding the AI analyst rather than the sandbox it runs in. While evading detection, the malware simultaneously harvests macOS Keychain data, browser credentials, and shell history, exfiltrating via a Telegram bot C2. Corroborating research presented at ICML 2026 and a parallel pattern documented by Schneier on Security in npm malware confirm this is not an isolated technique.

Enterprise Risk: Any organization that has integrated LLM-assisted triage, SOAR automation, or AI-powered EDR analysis into its SOC workflow has introduced a systematic blind spot. The AI capabilities that accelerate defense can be weaponized to create “inconclusive” analysis results on demand. The attack does not require access to the analyst’s system — only to the malware artifact the analyst examines.

Recommended Actions: Audit all AI-assisted triage and SOAR workflows for prompt injection susceptibility. Require mandatory human review before any AI-generated “inconclusive,” “error,” or “aborted analysis” result is acted upon. Deploy SentinelOne’s published IOCs for BONZAI/Gaslight on macOS endpoints. Update AI tool prompts to treat fabricated system-failure messages as suspicious signals.

Why This Matters for CSA: CSA has addressed prompt injection as a threat to AI systems used by victims. The inverse threat — malware that injects fabricated prompts to deceive the security analysts using AI — is undocumented in CSA’s corpus and represents a compounding risk for any SOC that has adopted AI-assisted analysis tooling.
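A pre-triage gate for the recommended actions above, as an added example (not SentinelOne's or CSA's tooling): it flags Markdown-fenced blocks that consist mostly of failure-style lines in an artifact's extracted strings, and sends any flagged artifact or any "inconclusive", "error" or "aborted" LLM verdict to a human. The keyword list, thresholds, function names and sample strings are assumptions constructed for illustration, not indicators from the actual malware.

```python
import re

TICKS = "`" * 3  # Markdown fence marker, built here to keep this listing fence-safe
FENCE = re.compile(TICKS + r"[^\n]*\n(.*?)" + TICKS, re.S)
# Assumed heuristic vocabulary; not taken from the Gaslight sample itself.
FAILURE = re.compile(r"\b(error|fatal|fail(ed|ure)|abort(ed|ing)?|timed? ?out|"
                     r"out of memory|unavailable|corrupt(ed)?)\b", re.I)
HOLD_VERDICTS = {"inconclusive", "error", "aborted"}

def failure_cascades(strings_dump, min_lines=5, min_ratio=0.8):
    """Return fenced blocks in which most lines read like failure messages."""
    hits = []
    for m in FENCE.finditer(strings_dump):
        lines = [ln for ln in m.group(1).splitlines() if ln.strip()]
        failing = sum(1 for ln in lines if FAILURE.search(ln))
        if len(lines) >= min_lines and failing / len(lines) >= min_ratio:
            hits.append({"offset": m.start(), "lines": len(lines),
                         "failing": failing})
    return hits

def route(strings_dump, llm_verdict):
    """Decide whether an LLM triage verdict may be acted on automatically."""
    if failure_cascades(strings_dump):
        # The model may have been steered, so even a clean verdict is held.
        return ("human_review", "failure cascade embedded in artifact")
    if llm_verdict.strip().lower() in HOLD_VERDICTS:
        return ("human_review", "non-conclusive verdict")
    return ("accept", "no hold condition")

def constructed_sample(n=38):
    """Constructed strings dump: n bland failure lines inside one fenced block."""
    lines = [f"ERROR [{i:02d}] analysis subsystem failure, aborting"
             for i in range(n)]
    return "\n".join(["/usr/lib/libSystem.B.dylib", TICKS, *lines, TICKS,
                      "keychain"])

# Constructed benign dump: an ordinary fenced usage snippet.
BENIGN = "\n".join(["Usage:", TICKS + "sh", "tool --help", "tool run <file>",
                    TICKS])

if __name__ == "__main__":
    print(route(constructed_sample(), "benign"))
    print(route(BENIGN, "benign"))
```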

4. Five Eyes + U.S. Legislation: The New AI Security Compliance Baseline

HIGH Research Note

Summary: The week of June 22–25, 2026 produced a convergence of governance signals unprecedented since the SolarWinds response. The Five Eyes joint statement warns that frontier AI cyber attack capabilities are “months away, not years” and calls for a whole-of-organization response. The White House Executive Order on advancing AI innovation and security establishes executive branch priorities. Concurrently, the House Science Committee marked up H.R. 9363 (AI Security and Innovation Act) and H.R. 9333 (AI Flaw Reporting and Security Enhancement Act) — the latter directing NIST and CISA to establish a voluntary AI vulnerability reporting program.

Enterprise Risk: These instruments collectively define the compliance baseline for enterprise AI security over the next 12–18 months. H.R. 9333 would establish an AI vulnerability reporting database; organizations without AI security governance programs will find themselves outside the emerging norm. The Five Eyes statement’s urgency framing — months, not years — shortens the planning horizon boards and CISOs need to internalize.

Recommended Actions: Brief your board on the Five Eyes advisory and its explicit timeline. Map your AI security program against the White House EO priorities. Designate an owner for tracking H.R. 9363 and H.R. 9333 through markup and evaluate their potential impact on your disclosure obligations. Use CSA’s AICM framework to translate these regulatory signals into control mappings.

Why This Matters for CSA: CSA has analyzed individual regulatory frameworks in isolation. This is the first week producing simultaneous, mutually reinforcing signals from allied intelligence agencies, the executive branch, and two House bills. CSA’s AICM framework is positioned to translate this regulatory convergence into control mappings enterprise teams can act on.

5. The AI Asymmetry Trap — Why Offense Now Outpaces Defense Structurally

HIGH Whitepaper

Summary: The National Academies rapid expert consultation released this week formally confirms that near-term AI advances favor attackers by reducing the time, expertise, and operational cost required for cyberattacks — and that the baseline level of cybersecurity across society must rise to counteract this. This scientific consensus lands alongside the Five Eyes timeline warning; Tenable’s report of 457 million AI-surfaced security issues across enterprise environments; and mounting evidence — the DBIR 2026, the FortiBleed campaign, the AI agent skill supply chain failure documented in Topic 2 — that exploitation has become the dominant initial access vector while the attacker productivity curve is now steeper than the defender curve.

Strategic Risk: The systemic question is not tactical. Cyber insurance actuarial models, software liability frameworks, patch-cycle norms, SOC staffing models, and vulnerability disclosure timelines were all designed for human-speed threats. Insurers have begun warning that AI-driven threats are outpacing their models. Regulatory bank stress tests are being paused because agencies acknowledge their scenarios predate AI-augmented attackers. For CISOs, the board-level risk conversation must shift from “what new threats did we see this week” to “does our governance architecture assume a threat environment that no longer exists.”

Recommended Actions: Commission a board-ready structural risk gap analysis that maps current governance architecture against AI-speed threat assumptions. Re-evaluate cyber insurance policy coverage with your broker specifically regarding AI-augmented attack scenarios. Accelerate patch cadence and attack surface reduction as immediate hedges while longer-term structural adjustments are planned. Use the National Academies interactive report as a credible third-party citation in board materials.

Why This Matters for CSA: CSA’s existing whitepaper on AI-Powered Vulnerability Discovery addresses the tactical layer. This whitepaper addresses the strategic and systemic layer: what happens to enterprise risk governance, cyber insurance, liability frameworks, and board-level risk tolerance when the fundamental productivity relationship between attackers and defenders inverts? Neither MAESTRO nor AICM currently provides this strategic risk language.


Read Full Whitepaper (link pending)

Notable News & Signals

npm/PyPI Supply Chain: Malicious PostCSS Packages & Red Hat Miasma npm Worm

New malicious PostCSS packages delivering a Windows RAT and the Red Hat Miasma npm worm have been identified in package repositories. The techniques are variants of documented AI-augmented supply chain attacks rather than novel attack classes.

Source: The Hacker News — existing CSA coverage addresses this attack class; no new research note required.

PACT Protocol — Cloudflare, Google, Microsoft & Firefox on Privacy-Preserving AI Agent Auth

A pre-standardization initiative for privacy-preserving AI agent authentication is underway across major vendors. No enterprise compliance action is possible yet; the standard is worth monitoring for implications to NHI and agentic identity governance.

Source: The Hacker News — pre-standardization; revisit when draft standard is published.

Trump Post-Quantum Cryptography EO — Dec 2030 / Dec 2031 Deadlines Set

A new executive order accelerates previously known PQC transition timelines to December 2030 and December 2031. CSA has existing PQC corpus coverage; an update note to incorporate the new deadlines is recommended rather than a new research note.

Source: The White House — accelerates known PQC timelines; update to existing CSA PQC coverage recommended.

LastPass / Klue SaaS OAuth Supply Chain Breach — OAuth Token Theft Enables Customer Data Access

OAuth token theft enabled lateral access to customer data in a SaaS supply chain incident involving LastPass and Klue. The technique is well-documented; CSA’s existing SaaS security and OAuth coverage applies. Watch for sector-specific impact details.

Source: BleepingComputer — existing CSA SaaS and OAuth coverage addresses this class of attack.

Scattered Spider Guilty Pleas — Transport for London Prosecution Milestone

Guilty pleas were entered in the Scattered Spider / Transport for London case. A law enforcement milestone with no new technical threat guidance; organizations should review TfL incident after-action reports for social engineering and identity threat lessons.

Source: BleepingComputer — law enforcement milestone; no new technical threat guidance required.

Topics Already Covered — No New Research Action Required

  • npm/PyPI Supply Chain Attacks (Miasma worm, PostCSS RAT): CSA has covered Miasma and AI-augmented supply chain attacks in prior research notes. These are variants, not novel attack classes.
  • WhatsApp VBScript Campaign / RMM Abuse (Malaysia, India, UK, Vietnam): Significant campaign but the technique — social engineering to legitimate RMM tools — is well-documented. Lower priority than this cycle’s novel AI-specific attack vectors.
  • LastPass / Klue SaaS OAuth Supply Chain Breach: OAuth token theft enabling customer data access is a documented attack class. CSA SaaS supply chain and OAuth security coverage applies.
  • PACT Protocol (Cloudflare / Google / Microsoft / Firefox): Pre-standardization; no enterprise compliance action possible until a draft standard is published. Recommend revisiting then.
  • Trump Post-Quantum Cryptography Executive Order: CSA has existing PQC corpus coverage. The EO accelerates previously known timelines; an update note is more appropriate than a new research note.
  • ShapedPlugin WordPress Supply Chain Attack: Vendor build pipeline compromise scoped to WordPress Pro plugins. Limited enterprise AI security relevance compared to this cycle’s priority topics.
  • Scattered Spider Guilty Pleas (Transport for London): Law enforcement milestone. No new technical threat guidance required.
