
June’s unifying theme was trust being abused: old passwords, abandoned packages, and plugins we trust simply because they have always worked. The month was defined by “FortiBleed“, with nearly 87,000 compromised Fortinet firewalls, and the hijacking of the Arch Linux AUR repository, which turned over 400 packages into a malware distribution channel. Alongside them – a successful law enforcement strike against the infostealer ecosystem, flaws in AI tools, and France’s ultimatum to classical cryptography.
“FortiBleed”: 86,644 Compromised Fortinet Firewalls
The month’s most striking discovery belongs to SOCRadar researchers, who got inside an active campaign dubbed “FortiBleed” through a carelessly exposed attacker server. In it – credentials for as many as 86,644 Fortinet firewalls and VPN devices (detected across 194 countries): from banks and telecom operators to hospitals, universities, and government institutions.
Most interestingly, this was not a zero-day attack. Running since at least February, the campaign relies on two mutually feeding stages. The first – credential reuse: passwords collected from earlier Fortinet leaks and infostealer logs are tested automatically, around the clock, against exposed devices. The second – passive harvesting: a compromised device is turned into a listening post that monitors the VPN traffic passing through it and collects fresh credentials, which flow back into the scanner.
The analysis revealed an uncomfortable truth: a large share of the stolen logins consisted of generic administrator and factory-default Fortinet system accounts – many organizations never changed them, and the passwords remained unchanged even after earlier leaks. SOCRadar attributed the campaign to the “Lynx/INC” ransomware group, and its verdict is categorical: organizations that appear on the list should consider their perimeter already compromised.
“Atomic Arch”: Over 400 Hijacked Arch Linux Packages
The second big story hit the developer community. Starting June 11, attackers took over more than 400 abandoned packages in the community-run Arch User Repository (AUR) – packages whose maintainers left long ago, meaning anyone can “adopt” them. To avoid raising suspicion, the attackers forged the git history, imitating the work of a long-time maintainer, and inserted malicious code into the package build scripts. The result: every computer that compiled such a package silently installed an infostealer. The official Arch Linux repositories were not affected – what was exploited was not a software vulnerability, but the AUR trust model itself.
The Rust-written code targeted developers’ assets specifically: browser cookies and session tokens, GitHub, npm, and SSH keys, Docker and OpenAI credentials. When run with root privileges, it additionally installed an eBPF rootkit that hides its processes from standard tools – so simply removing the package is not enough, and an infected system should be reinstalled from trusted media. The campaign was named “Atomic Arch” by Sonatype researchers.
Organizations should prioritize:
Sources:
This entry is published as part of the SOCshare project (No. 101145843), which we are running together with Vilnius City Municipality. It is partly funded by the European Union. The views and opinions expressed are those of the authors alone and do not necessarily reflect those of the European Union or the European Cyber Security Centre of Excellence. Neither the European Union nor the European Cyber Security Centre of Excellence can be held responsible for them.