June 24, 2026 by sig9

Hacker Wars - June 24, 2026


Your daily dose of infosec chaos


Today’s roundup has a bit of everything: actively exploited Cisco vulns, AI models finding holes in classified government systems, and supply chain attacks hiding in your pull requests. The usual apocalyptic buffet.

Cisco Unified CM Gets Rooted via PoC Exploit

CVE-2026-20230 is now being actively exploited in the wild after a proof-of-concept made the rounds. The flaw in Cisco Unified Communications Manager lets unauthenticated attackers write arbitrary files to the device via the web management interface, which is a fancy way of saying “game over for your phone system.” CVSS 8.6, and patches have been out since early June, so if you haven’t patched yet, we need to talk.

What to do: Patch Cisco Unified CM immediately. If you can’t patch yet, restrict access to the web management interface to trusted networks only.


Anthropic Mythos AI Finds Vulns in Classified Government Systems

An Anthropic model called Mythos reportedly discovered vulnerabilities in classified US government systems within hours of being pointed at them. Let that sink in for a moment. An AI found holes in systems that are supposed to be some of the most locked-down on the planet. Officials were quick to note that finding a vuln and exploiting it are different things, but the speed is still unsettling.

What to do: If you’re still treating AI-assisted security testing as a future problem, it’s already here. Start evaluating how LLMs can augment your vulnerability discovery pipeline before attackers do.


Tata Electronics Confirms Breach, Hackers Leak Data

Indian manufacturing giant Tata Electronics has confirmed a cyberattack that hit parts of its IT infrastructure. Threat actors have already started leaking stolen data. Tata is a major player in the electronics and semiconductor supply chain, so this one has ripple potential across the industry.

What to do: If you have Tata Electronics in your supply chain, reach out to your contacts for details on what was compromised and assess your exposure.


Salesforce OAuth Attack Chain Expands With Icarus Group

The Klue OAuth breach from last week just got worse. A new extortion group calling itself Icarus has leaked data stolen through compromised Salesforce OAuth tokens. The attack chain is elegant and nasty: breach a vendor, steal its OAuth tokens, pivot into customer Salesforce instances. More victims keep surfacing.

What to do: Audit your Salesforce connected apps and OAuth token permissions. Revoke tokens from any vendor integrations you don’t actively need.


Cordyceps Attack Poisons Pull Requests Across Major Projects

A supply chain attack dubbed “Cordyceps” is weaponizing malicious pull requests to compromise CI/CD pipelines. The attack has hit projects from Microsoft, Google, Apache, Cloudflare, and the Python Software Foundation. The technique is clever: submit a seemingly legitimate PR, get it merged, and your malicious code runs in the trusted build pipeline.

What to do: Enforce branch protection rules, require manual approval for CI workflow changes, and audit any recently merged PRs that touched your CI/CD configuration.
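One way to start the audit of merged changes that touched CI/CD configuration, as an added example that is not from the bulletin or from any affected project. The path list, the `git log` invocation in the comment, and the "mixed" triage heuristic are assumptions; the sample log is constructed.

```python
# Added example: triage recent commits that touched CI/CD configuration.
# Input is text from a command such as (assumed invocation):
#   git log --first-parent -m --name-only --since="30 days ago" \
#       --format='commit%x09%h%x09%an%x09%s'

# Assumed list of CI/CD config locations; extend it for your own stack.
CI_PREFIXES = (".github/workflows/", ".github/actions/", ".circleci/")
CI_FILES = {".gitlab-ci.yml", "Jenkinsfile", "azure-pipelines.yml"}


def is_ci_path(path):
    """True if the path defines or feeds a CI/CD pipeline."""
    p = path.strip()
    return p.startswith(CI_PREFIXES) or p.rsplit("/", 1)[-1] in CI_FILES


def parse_log(text):
    """Split the log text into commits with their changed files."""
    commits = []
    for line in text.splitlines():
        if line.startswith("commit\t"):
            _, sha, author, subject = line.split("\t", 3)
            commits.append({"sha": sha, "author": author,
                            "subject": subject, "files": []})
        elif line.strip() and commits:
            commits[-1]["files"].append(line.strip())
    return commits


def audit(text):
    """Return commits that changed CI config, mixed-content ones first."""
    findings = []
    for c in parse_log(text):
        ci = [f for f in c["files"] if is_ci_path(f)]
        if ci:
            # "mixed" = CI change bundled with unrelated files, which is
            # easy to overlook in review (triage heuristic, an assumption).
            findings.append({**c, "ci_files": ci,
                             "mixed": len(ci) < len(c["files"])})
    findings.sort(key=lambda f: not f["mixed"])
    return findings


# Constructed sample log, not taken from any real repository.
SAMPLE_LOG = "\n".join([
    "commit\ta1b2c3d\talice\tFix typo in README", "", "README.md", "",
    "commit\te4f5a6b\tnewcontrib\tImprove docs build", "",
    "docs/index.md", ".github/workflows/release.yml", "",
    "commit\t0c1d2e3\tbob\tBump runner image", "", ".gitlab-ci.yml",
])

if __name__ == "__main__":
    for f in audit(SAMPLE_LOG):
        print(f["sha"], f["author"], f["ci_files"], "mixed" if f["mixed"] else "")
```

Each flagged commit still needs a human read of the workflow diff; the script only narrows where to look.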


That’s it for today. Remember: the best incident is the one you prevented.


Brought to you by sig9 - sig9.ch | Protecting the unseen, securing the unknown

This bulletin is provided for informational purposes. Contact us for tailored security analysis.