
ZeroFox Daily Intelligence Brief - June 18, 2026

by Alpha Team


ZeroFox Intelligence collects, curates, and analyzes information derived from open and proprietary sources. Here is today’s daily roundup to give you and your clients an advantage over the adversary.

Brief Highlights

  • Massive ‘FortiBleed’ Campaign Targets Over 320K Fortinet Devices Globally
  • Exposed Database Sourced from Infostealer Logs Taken Offline
  • Mastra Npm Packages Compromised in Easy-day-js Supply Chain Attack

Massive ‘FortiBleed’ Campaign Targets Over 320K Fortinet Devices Globally

Source: https://www.bleepingcomputer.com/news/security/fortibleed-leak-exposes-fortinet-vpn-credentials-for-73-000-devices/

What we know: An ongoing credential-harvesting campaign, dubbed "FortiBleed," has reportedly compromised approximately 75,000 Fortinet firewall and VPN devices across 194 countries. Fortune 500 companies and government agencies in more than 15 countries have reportedly been affected.

Context: The primary exposed server contains usernames, email addresses, and plaintext passwords for 73,932 unique firewall URLs. Attackers launched roughly 1.16 billion credential-stuffing attempts against more than 320,000 FortiGate targets. The campaign does not exploit a known vulnerability; instead, it relies on previously exposed Fortinet infrastructure to carry out credential-stuffing and brute-force attacks.

Analyst note: Organizations that have not rotated passwords or enforced multi-factor authentication (MFA) almost certainly face immediate risk. A credential leak of this scale is also likely to fuel a significant surge in Initial Access Broker (IAB) activity, enabling cybercriminals to sell network access to ransomware syndicates.

Exposed Database Sourced from Infostealer Logs Taken Offline

Source: https://cybernews.com/security/24-billion-credentials-data-leak/

What we know: Researchers have reportedly discovered a leaked database of 24 billion records originating from an Elasticsearch cluster, containing over 8 TB of data. The dataset is an aggregation of data and not the result of a recent breach. The database is now reportedly offline.

Context: The database reportedly contained data sourced from infostealer logs with usernames, emails, passwords, and login URLs, originating from 36 sources including Telegram channels and breach compilations. It is yet to be determined how many of these records are duplicates.

Analyst note: The exposure is a data leak resulting from a server misconfiguration and almost certainly does not involve malicious threat actor activity. Although the database was taken offline, the briefly exposed information is likely to have been archived or copied. Organizations are advised to rotate credentials and enable multi-factor authentication (MFA).

Mastra Npm Packages Compromised in Easy-day-js Supply Chain Attack

Source: https://thehackernews.com/2026/06/144-mastra-npm-packages-compromised-via.html

What we know: Threat actors have reportedly compromised 144 packages within the Mastra npm namespace by misusing the npm account of a former Mastra contributor with unrevoked publishing permissions to push malicious updates.

Context: These malicious updates contained a typosquatted dependency, easy-day-js, which automatically executed a hidden post-install script upon installation or update. The script downloads a second-stage information stealer targeting cryptocurrency wallet credentials and browser history. Because Mastra sits at the intersection of AI and cloud infrastructure, it is routinely installed in environments holding sensitive credentials, which makes it a high-value target.

Analyst note: Projects that fail to audit and revoke dormant publishing permissions are very likely to face similar intrusions, with downstream developers unknowingly propagating malicious updates through routine dependency management.
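As an added defender-side check (this is example code, not ZeroFox's or Mastra's), the following script audits an installed node_modules tree for the two signals described in this item: a dependency whose name is on a blocklist (easy-day-js, taken from the brief) and any package that declares an npm lifecycle install hook. The hook names are npm's own; the blocklist and the sample tree used in the test are constructed.

```python
"""Audit a node_modules tree for install hooks and known-bad dependency names.
Added example; the blocklist below is constructed from this brief, not a feed."""
import json
import sys
from pathlib import Path

# Lifecycle scripts that npm runs automatically during install. A hidden
# post-install hook is how the brief says easy-day-js launched its stager.
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Package names reported as malicious in the brief (constructed blocklist;
# replace or extend from your own intelligence feed).
BLOCKLIST = {"easy-day-js"}


def audit_package(pkg: dict) -> list[str]:
    """Return findings for one parsed package.json (empty list means clean)."""
    findings = []
    name = pkg.get("name", "<unnamed>")
    if name in BLOCKLIST:
        findings.append(f"{name}: package name is on the blocklist")
    scripts = pkg.get("scripts") or {}
    for hook in INSTALL_HOOKS:
        if hook in scripts:
            findings.append(f"{name}: declares '{hook}' hook -> {scripts[hook]!r}")
    deps = {**(pkg.get("dependencies") or {}),
            **(pkg.get("optionalDependencies") or {})}
    for bad in sorted(BLOCKLIST.intersection(deps)):
        findings.append(f"{name}: depends on blocklisted package {bad}@{deps[bad]}")
    return findings


def audit_tree(root: str) -> list[str]:
    """Walk every package.json under root (normally node_modules) and collect findings."""
    findings = []
    for path in sorted(Path(root).rglob("package.json")):
        try:
            pkg = json.loads(path.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue  # unreadable or non-JSON manifest: skip, do not abort the audit
        if isinstance(pkg, dict):
            findings.extend(audit_package(pkg))
    return findings


if __name__ == "__main__":
    for finding in audit_tree(sys.argv[1] if len(sys.argv) > 1 else "node_modules"):
        print(finding)
```

Run it against a project's node_modules after `npm ci`; a clean tree prints nothing, while any hit on the blocklist or an install hook is worth reviewing before the code is trusted.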

DEEP AND DARK WEB INTELLIGENCE

Kodak confirms data breach: American photography company Kodak has confirmed a data breach involving unauthorized access to a limited amount of company data. The ShinyHunters extortion gang has claimed to have stolen over 2.2 million records containing customer PII and other internal corporate data from Kodak. The threat group has threatened to leak the stolen data on June 18 if Kodak refuses to pay the ransom, while the company maintains there is no active threat to its systems or operations.

VULNERABILITY AND EXPLOIT INTELLIGENCE

CVE-2026-48907: CISA has ordered federal agencies to patch this actively exploited vulnerability in the Widget Factory Joomla Content Editor (JCE) plugin by Friday. The vulnerability enables unauthenticated attackers to upload and execute malicious PHP code via automated, low-complexity attacks targeting Joomla deployments that use the JCE WYSIWYG editor plugin.

Affected products: Versions before JCE Pro 2.9.99.6

Tags: DIB, tlp:green