SOCshare June 2026: cybersecurity landscape review

Icon

Old passwords, abandoned packages, and plugins

June’s unifying theme was trust being abusedold passwordsabandoned packagesand plugins we trust simply because they have always workedThe month was defined by “FortiBleed“, with nearly 87,000 compromised Fortinet firewallsand the hijacking of the Arch Linux AUR repositorywhich turned over 400 packages into a malware distribution channelAlongside them – a successful law enforcement strike against the infostealer ecosystemflaws in AI toolsand France’s ultimatum to classical cryptography.

„FortiBleed“ and „Atomic Arch“

“FortiBleed”: 86,644 Compromised Fortinet Firewalls 

The month’s most striking discovery belongs to SOCRadar researchers, who got inside an active campaign dubbed “FortiBleed” through a carelessly exposed attacker server. In it – credentials for as many as 86,644 Fortinet firewalls and VPN devices (detected across 194 countries): from banks and telecom operators to hospitals, universities, and government institutions. 

Most interestingly, this was not a zero-day attack. Running since at least February, the campaign relies on two mutually feeding stages. The first – credential reuse: passwords collected from earlier Fortinet leaks and infostealer logs are tested automatically, around the clock, against exposed devices. The second – passive harvesting: a compromised device is turned into a listening post that monitors the VPN traffic passing through it and collects fresh credentials, which flow back into the scanner. 

The analysis revealed an uncomfortable truth: a large share of the stolen logins consisted of generic administrator and factory-default Fortinet system accounts – many organizations never changed them, and the passwords remained unchanged even after earlier leaksSOCRadar attributed the campaign to the “Lynx/INC” ransomware groupand its verdict is categoricalorganizations that appear on the list should consider their perimeter already compromised.

“Atomic Arch”: Over 400 Hijacked Arch Linux Packages 

The second big story hit the developer community. Starting June 11, attackers took over more than 400 abandoned packages in the community-run Arch User Repository (AUR) – packages whose maintainers left long ago, meaning anyone can “adopt” them. To avoid raising suspicion, the attackers forged the git history, imitating the work of a long-time maintainer, and inserted malicious code into the package build scripts. The result: every computer that compiled such a package silently installed an infostealer. The official Arch Linux repositories were not affected – what was exploited was not a software vulnerability, but the AUR trust model itself. 

The Rust-written code targeted developers’ assets specifically: browser cookies and session tokens, GitHub, npm, and SSH keys, Docker and OpenAI credentials. When run with root privileges, it additionally installed an eBPF rootkit that hides its processes from standard tools – so simply removing the package is not enough, and an infected system should be reinstalled from trusted media. The campaign was named “Atomic Arch” by Sonatype researchers. 

What else happened in June 2026?

Operation Endgame
Operation Endgame
On June 24, Europol and its partners announced the takedown of the SocGholish, Amadey, and StealC infrastructure - 326 servers and 142 domains - while nearly 15,000 infected websites used to distribute SocGholish were cleaned up. Around 27 million stolen login credentials were recovered, and over EUR 41 million worth of crypto assets were blocked from the criminals. The strike targeted the initial access link - it is precisely such stolen login data that becomes the "raw material" for later ransomware attacks.
Instagram AI assistant flaw
Instagram AI assistant flaw
According to researchers ZachXBT and Dark Web Informer, malicious actors could convince Meta's AI assistant to forward password reset codes knowing only the victim's username. Accounts taken over this way were resold through Telegram channels. Meta patched the flaw and confirmed that its systems were not breached, and accounts protected by multi-factor authentication (MFA) were not affected.
Malicious JetBrains plugins
Malicious JetBrains plugins
Aikido researchers found 15 plugins on the JetBrains Marketplace (around 70,000 installs) that posed as AI coding assistants and worked as advertised, yet silently forwarded the user's AI provider API key to an attacker server. The stolen keys are suspected to have later been resold to paying customers of the same plugin.
France's quantum deadline
France's quantum deadline
The cybersecurity agency ANSSI announced it will stop certifying security products without quantum-resistant encryption from 2027, and recommended that businesses buy only such products by 2030. Since the certification is mandatory for government institutions and critical infrastructure, this is a de facto end of legacy encryption - a response to the "harvest now, decrypt later" threat.

Looking ahead

Organizations should prioritize: 

  • Check your passwords and enable MFA: review the logins of all services and servers, remove weak and reused passwords, rename or disable factory-default accounts. Multi-factor authentication is a must wherever possible, and management interfaces should not be publicly accessible. “FortiBleed” showed that attackers often only need old credentials that were never changed. 
  • Control plugins and extensions: establish clear policies under which the software plugins and browser extensions used by employees are centrally monitored, vetted, and approved. 
  • Limit the privileges of AI tools: AI assistants with access to account management or other sensitive functions become social engineering targets themselves. Grant them only the minimum necessary permissions and require additional identity verification before sensitive actions. 
  • Start preparing for the quantum era: France has set a concrete deadline, and other countries will likely follow its example. It is worth taking inventory now of where and what cryptography is in use, and planning the transition to quantum-resistant solutions. The phrase “harvest now, decrypt later” is a reminder that data encrypted today will not necessarily be safe tomorrow. 

Sources: 

This entry is published as part of the SOCshare project (No. 101145843), which we are running together with Vilnius City Municipality. It is partly funded by the European Union. The views and opinions expressed are those of the authors alone and do not necessarily reflect those of the European Union or the European Cyber Security Centre of Excellence. Neither the European Union nor the European Cyber Security Centre of Excellence can be held responsible for them.

Other news and stories

The 3rd edition of the Guide for developing a National Cybersecurity Strategy
The 3rd edition of the Guide for developing a National Cybersecurity Strategy
SOCshare May 2026: News in cyber threat landscape
SOCshare May 2026: News in cyber threat landscape
SOCshare April 2026 review : Adobe Acrobat Reader, Claude and phishing
SOCshare April 2026 review : Adobe Acrobat Reader, Claude and phishing
SOCcare March 2026: A “Little Gift” from the photo shop
SOCcare March 2026: A “Little Gift” from the photo shop
Safe4SOC updates: enhancing CyberSOC efficiency through unified alert sharing
Safe4SOC updates: enhancing CyberSOC efficiency through unified alert sharing
SOCshare: cybersecurity landscape in February 2026
SOCshare: cybersecurity landscape in February 2026
SOCshare January 2026: cybersecurity landscape review
SOCshare January 2026: cybersecurity landscape review
SOCshare: cybersecurity landscape in December 2025
SOCshare: cybersecurity landscape in December 2025