June 21, 2026 by sig9
Hacker Wars - June 21, 2026
Your daily dose of infosec chaos
Today’s lineup reads like a threat modeler’s worst day: North Koreans poisoning npm packages, an unpatchable hole burned into Apple silicon, AI agents getting hijacked into RCE delivery trucks, OAuth tokens walking out the front door, and ransomware that quietly nukes your freshest files first. Pour a coffee - this one’s dense.
North Korean Hackers Hit Mastra AI Supply Chain In Massive NPM Campaign
Microsoft attributed a supply chain attack that compromised over 140 npm packages to North Korea’s Sapphire Sleet group (aka BlueNoroff). The poisoned dependencies turned dev environments into a quiet beachhead for downstream victims.
What to do: Audit your npm dependency tree for Mastra-related packages and pin to trusted versions.
Unpatchable usbliter8 Exploit Breaks Apple A12 And A13 SecureROM
Researchers published a working exploit that achieves code execution inside the SecureROM of Apple’s A12 and A13 chips - firmware burned into silicon that no software update can ever fix. The boot chain on affected iPhones is permanently compromisable.
What to do: Physical security matters - retire or upgrade affected devices used in sensitive environments.
AutoJack Attack Turns AI Browsing Agents Into RCE Delivery Vehicles
Microsoft detailed AutoJack, an exploit chain where a single malicious web page steers an AI browsing agent to reach a privileged local service and execute host code. Your helpful AI assistant just became the attacker’s delivery truck.
What to do: Sandbox AI agents in isolated containers with no path to privileged local services.
Klue OAuth Breach Grows As New Icarus Extortion Group Claims Attack
Market intelligence platform Klue confirmed attackers stole OAuth tokens linking customers to Salesforce, and the fledgling Icarus extortion group is publicly claiming the hit. Stolen tokens mean attackers stroll in through the front door on valid credentials.
What to do: Revoke and rotate all OAuth tokens and review connected-app permissions in Salesforce.
Prinz Eugen Ransomware Targets Your Most Recent Files First
A new ransomware operation called Prinz Eugen encrypts your most recently modified files first - maximizing disruption before you notice - and leaves no ransom note behind. The no-note approach points to pure data extortion or sabotage.
What to do: Back up frequently with incremental snapshots and actually test your restore process.
That’s the chaos for today. Stay sharp out there.
Brought to you by sig9 - sig9.ch | Protecting the unseen, securing the unknown