FortiBleed escalates: NCSC guidance today, compromised firewalls acting as listening posts in a self-feeding credential loop  ·  Klue/Icarus breach expands to Gong with today as stated data release deadline  ·  NCSC warns AI-generated code introduces security vulnerabilities developers are not catching  ·  CYBERSIP.NET  ·  ISSUE 69
CyberSip™
Daily Cyber Brief  ·  Intelligence Without the Noise
Issue No. 69  ·  June 22, 2026  ·  3 active items  ·  Under 5 min read
Today’s picture
FortiBleed escalated significantly today as the UK NCSC issued formal guidance, the credential database was confirmed to include major organisations including Oracle, Spotify, Toyota, and AT&T, and a new technical detail emerged: compromised FortiGate devices are being used as listening posts to intercept passing VPN traffic, feeding freshly captured credentials back into the scanner and creating a self-sustaining compromise loop. The Klue supply chain breach from Issue 67 has expanded, with revenue intelligence platform Gong now confirmed as a victim after attackers exploited its Klue integration on Friday, and today is Icarus’s stated deadline for publishing stolen data if negotiations do not begin. The UK NCSC published a blog post today warning that vibe coding and AI-generated code introduce security vulnerabilities that developers are not catching, and that the approach is not yet reliable enough for production use in systems where security matters.
Threat snapshot
3 active items · 2 monitoring
FortiBleed  ·  self-feeding loop  ·  NCSC guidance today  ·  named victims
Klue / Gong confirmed  ·  Icarus data release deadline today
NCSC  ·  AI vibe coding  ·  production security warning
3 items this issue
Today  ·  FortiBleed  ·  NCSC Guidance Issued
FortiBleed grows: NCSC issues guidance today, named victims include Oracle, Spotify, Toyota, and AT&T. Compromised firewalls are intercepting live VPN traffic and feeding captured credentials back into the scanner, creating a self-sustaining loop.
The campaign has been running since at least February 2026 and covers approximately half of all internet-accessible Fortinet firewalls globally. The self-feeding mechanism means the credential database grows on its own as long as compromised devices remain in attacker hands. Patching is necessary but not sufficient: credentials on patched devices must also be rotated, since the patch does not invalidate credentials already harvested.
June 20–22  ·  Klue / Icarus  ·  Expanding
Klue breach expands: Gong confirmed as a second victim with internal user data accessed via its Klue integration. Icarus has listed Klue on its leak site and today is the stated deadline for publishing stolen data.
Gong confirmed no call recordings or customer transcripts were accessed but that user names, business titles, and emails were taken. Multiple additional firms are reported to be assessing their exposure. Salesforce and Gong have both disabled their Klue integrations.
Today  ·  NCSC  ·  AI Code Warning
NCSC warns that vibe coding and AI-generated code introduce security vulnerabilities developers are not catching. Acceptable for low-risk projects, not suitable for production systems where security matters without thorough human review.
The guidance says teams should not trust AI output without scrutiny, should test and understand AI-generated code before deploying it, and should calibrate trust based on current model reliability rather than anticipated future improvement. The agency says the field is not yet there.
Detailed intelligence
Full analysis
01 FortiBleed NCSC Guidance Today
FortiBleed escalates: NCSC issues formal guidance today, named victims confirmed, and a self-feeding credential loop mechanism means patching alone does not close the exposure.
FortiBleed · NCSC · June 22
The UK NCSC released formal guidance for Fortinet customers today, confirming the FortiBleed database includes credentials from major global organisations. SOCRadar’s research revealed the mechanism driving the campaign’s growth: once a FortiGate device is compromised, attackers use it to monitor passing VPN traffic and harvest additional credentials, which are fed back into the scanning operation to compromise further devices.
Executive Impact
Organisations running internet-accessible FortiGate appliances should treat both patching and credential rotation as mandatory. Applying the latest firmware is necessary to close active exploitation paths, but it does not invalidate credentials that were already harvested while the device was compromised. A patched device running credentials that were captured during the compromise window is still exposed to password-based login attacks. The correct sequence is to patch, then rotate all FortiGate administrator and VPN credentials, then verify that no unexpected accounts were created during the compromise period.
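A check for the final step of that sequence, added here as an example that is not CyberSip, NCSC or Fortinet code: it parses the `config system admin` section of a FortiGate configuration backup and diffs it against a known-good administrator inventory, flagging accounts that are new or whose access profile changed. The config text, account names and baseline are constructed for illustration.

```python
# Added example (not CyberSip, NCSC or Fortinet code): diff the administrator accounts in a
# FortiGate config backup against a known-good inventory to surface accounts that were
# added, or escalated, while the device was compromised. Sample data is constructed.
import re
from typing import Dict, List

SAMPLE_CONFIG = """\
config system global
    set hostname "fw-edge-01"
end
config system admin
    edit "admin"
        set accprofile "super_admin"
        set vdom "root"
    next
    edit "netops"
        set accprofile "prof_admin"
        set vdom "root"
    next
    edit "support_tmp"
        set accprofile "super_admin"
    next
end
"""
# Constructed baseline, e.g. from a backup that predates the campaign's February 2026 start.
BASELINE_ADMINS = {"admin": "super_admin", "netops": "prof_admin"}

def parse_admins(config_text: str) -> Dict[str, Dict[str, str]]:
    """Return {admin_name: {setting: value}} from 'config system admin'; other sections are skipped."""
    admins: Dict[str, Dict[str, str]] = {}
    in_section, current = False, None
    for raw in config_text.splitlines():
        line = raw.strip()
        if line == "config system admin":
            in_section = True
        elif not in_section:
            continue
        elif line == "end":          # end of the admin section
            break
        elif (m := re.match(r'edit "([^"]+)"', line)):
            current = m.group(1)
            admins[current] = {}
        elif line == "next":
            current = None
        elif current is not None and line.startswith("set "):
            key, _, value = line[4:].partition(" ")
            admins[current][key] = value.strip().strip('"')
    return admins

def find_unexpected_admins(config_text: str, baseline: Dict[str, str]) -> List[str]:
    """Flag admins absent from the baseline, or whose access profile differs from it."""
    findings = []
    for name, settings in parse_admins(config_text).items():
        profile = settings.get("accprofile", "")
        if name not in baseline:
            findings.append(f"NEW admin '{name}' (profile {profile})")
        elif baseline[name] != profile:
            findings.append(f"CHANGED profile for '{name}': {baseline[name]} -> {profile}")
    return findings
```

Run it against a backup exported after patching; an empty result only says the admin list matches the baseline, so SSL VPN user accounts and the baseline itself still need the same scrutiny.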
Don’t Miss
The self-feeding loop mechanism is the detail that makes FortiBleed structurally different from a static credential dump. In a conventional credential theft campaign, the attacker steals a fixed dataset and monetises it. In FortiBleed, compromised FortiGate devices continue intercepting VPN authentication traffic from employees connecting through those devices, capturing credentials in real time and feeding them back into the scanner. The campaign grows as long as compromised devices remain in attacker hands, which means the database of valid credentials is not a historical snapshot but a live feed. Organisations that believe they were not affected based on last week’s scope figures should recheck today, as the number of confirmed valid credential sets continues to increase.
CyberSip Take
The NCSC issuing formal guidance on the same day that named victims including Oracle and AT&T appear in public reporting is a signal to take this seriously regardless of whether your organisation appeared in yesterday’s brief. The self-feeding loop means the longer any compromised devices remain undetected, the more credentials the attackers hold. This is not a static dataset to check once. It is an active operation that requires checking your exposure, patching your appliances, rotating every credential, auditing for unauthorised accounts, and then checking again.
What happened

The UK National Cyber Security Centre released formal guidance for Fortinet customers today in response to the FortiBleed campaign, as additional confirmed detail emerged about the scale and mechanism of the operation. The Infosecurity Magazine report published today, citing NCSC and Hudson Rock data, confirmed that the credential database contains verified working logins for organisations including Oracle, Spotify, Toyota, and AT&T, and spans over 21,000 unique domains across 194 countries. Kevin Beaumont and Hudson Rock independently verified that sampled logins from the database are real and current, covering approximately half of all internet-facing Fortinet firewalls globally.

SOCRadar’s detailed analysis of the operation confirmed a self-sustaining mechanism at its core. Once attackers successfully compromise a FortiGate device, that device is configured to monitor SSL VPN traffic passing through it and capture authentication credentials from employees connecting to the network via VPN. Those captured credentials are automatically fed back into the central scanning and authentication testing operation, allowing the campaign to grow through the compromised devices themselves rather than requiring the attacker to find entirely new targets. The operation has been running since at least February 2026 and continued to add new compromised devices as of the most recent reporting.

Security researcher Bob Diachenko attributed the campaign to a Russian-speaking threat actor based on infrastructure and operational patterns. At least four organisations have been fully compromised based on his investigation. The NCSC’s guidance published today specifically addresses credential rotation alongside patching as essential steps, reflecting the self-feeding dynamic.

Recommended actions
Derived from Infosecurity Magazine, SOCRadar, and NCSC FortiBleed guidance, June 22, 2026.
02 Klue / Icarus Expanding
Klue breach expands: Gong confirmed as a second major victim. Icarus lists Klue on its leak site and today is the stated deadline for publishing stolen Salesforce data.
Klue · Icarus · June 22
Revenue intelligence platform Gong disabled its Klue integration on Friday after confirming attackers accessed internal user data through the same OAuth token theft mechanism used in the Huntress compromise covered in Issue 67. Icarus has added Klue to its Tor-based leak site and stated it will publish stolen data from affected organisations’ Salesforce instances today unless negotiations begin.
Executive Impact
Any organisation that uses the Klue Battlecards integration with Salesforce should treat its Salesforce OAuth tokens and connected app credentials for Klue as compromised. Salesforce has disabled the integration platform-wide. Revoke and rotate all associated OAuth tokens and conduct a Salesforce API log audit covering June 11 to 17 for anomalous query volumes. If your organisation has not yet received direct communication from Klue, that does not confirm you were unaffected: the scope of the breach is still being established and new victims are being identified.
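The API log audit described above, as an added example that is not CyberSip, Salesforce or Klue code: it takes a constructed, simplified daily export of API call counts per connected app (not Salesforce's native event log format) and flags days inside the June 11 to 17 window whose volume is far above that app's baseline. The app names and counts are made up.

```python
# Added example (not CyberSip, Salesforce or Klue code): flag anomalous daily API call
# volume per connected app inside the June 11-17 audit window, using each app's median
# daily volume outside the window as its baseline. The log below is a constructed,
# simplified daily export, not Salesforce's native event log format.
from collections import defaultdict
from datetime import date
from statistics import median
from typing import Dict, List, Tuple

AUDIT_WINDOW = (date(2026, 6, 11), date(2026, 6, 17))

# Constructed sample rows: date,connected_app,api_calls
SAMPLE_LOG = """\
2026-06-08,Klue Battlecards,410
2026-06-09,Klue Battlecards,395
2026-06-10,Klue Battlecards,420
2026-06-11,Klue Battlecards,430
2026-06-12,Klue Battlecards,18750
2026-06-13,Klue Battlecards,22100
2026-06-14,Klue Battlecards,405
2026-06-18,Klue Battlecards,400
2026-06-08,Marketing Sync,1200
2026-06-12,Marketing Sync,1350
2026-06-18,Marketing Sync,1180
"""

def parse_log(text: str) -> List[Tuple[date, str, int]]:
    """Parse the constructed export into (day, connected_app, api_calls) rows."""
    rows = []
    for line in text.splitlines():
        if line.strip():
            day, app, calls = line.split(",")
            rows.append((date.fromisoformat(day), app.strip(), int(calls)))
    return rows

def anomalous_days(rows: List[Tuple[date, str, int]], window=AUDIT_WINDOW,
                   factor: float = 5.0) -> List[Tuple[str, date, int, float]]:
    """Return (app, day, calls, baseline) for in-window days whose call count
    exceeds factor x the app's median daily volume outside the window."""
    inside: Dict[str, Dict[date, int]] = defaultdict(dict)
    outside: Dict[str, List[int]] = defaultdict(list)
    for day, app, calls in rows:
        if window[0] <= day <= window[1]:
            inside[app][day] = calls
        else:
            outside[app].append(calls)
    findings = []
    for app, days in inside.items():
        if not outside[app]:
            continue  # no pre/post-window baseline; review this app manually
        baseline = median(outside[app])
        for day, calls in sorted(days.items()):
            if calls > factor * baseline:
                findings.append((app, day, calls, baseline))
    return findings
```

Apps with no volume outside the window are skipped rather than scored, which is the case to review by hand rather than treat as clean.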
Don’t Miss
Gong is a revenue intelligence platform used to record, transcribe, and analyse sales calls and customer conversations. The data it holds through its Salesforce integration includes deal stages, customer interaction records, sales team communications, and internal strategy information, which is significantly more sensitive than basic contact records. Gong confirmed that call recordings and customer transcripts were not accessed, and that the compromised data was limited to user names, business titles, and email addresses from its licensed user list. That scope is materially better than the worst case. However, additional organisations are still assessing their exposure, and Icarus’s stated data release deadline is today. Organisations that have not yet audited their Klue integration exposure should do so before interpreting any silence from Klue as confirmation they were not affected.
CyberSip Take
The root cause across the Klue incident, FortiBleed, the Mastra npm attack, and the Nx Console compromise earlier this year is identical: a credential that outlived its usefulness but retained its access. The entry point in every case was not a sophisticated zero-day. It was an access relationship nobody ended. Auditing and revoking stale API credentials and OAuth grants is not glamorous work. It also would have prevented all four of the incidents that defined this week in this brief.
What happened

Revenue intelligence platform Gong disclosed on June 20 that it disabled its Klue Battlecards integration after discovering that attackers had exploited the compromised Klue OAuth token collection mechanism to access its Salesforce environment. Gong confirmed the data accessed was limited to internal licensed user information including user names, business titles, and email addresses, and that call recordings and customer transcripts were not reached.

The Icarus extortion group, to which Huntress attributed the original Klue breach in Issue 67, added Klue to its Tor-based leak site over the weekend. The group claimed responsibility for the attack and threatened to publish data stolen from affected organisations’ Salesforce instances unless negotiations begin. Icarus stated June 22 as the deadline for the data to be published or negotiations to commence.

SecurityWeek reported today that multiple additional cybersecurity and technology firms are assessing their exposure after the Gong disclosure, as Klue’s customer list spans a broad range of enterprise organisations that use it for competitive intelligence integrated with their CRM data. The full scope of affected organisations has not yet been confirmed publicly.

Recommended actions
Derived from SecurityWeek reporting on Klue breach expansion and Gong disclosure, June 20–22, 2026.
03 NCSC AI Code Warning
NCSC publishes guidance today warning that AI-generated code and vibe coding introduce security vulnerabilities developers are not reviewing. Not yet suitable as-is for production use in security-critical systems.
NCSC · Vibe Coding Guidance · June 22
The UK National Cyber Security Centre published a blog post today addressed to developers and engineering leaders, warning that the shift toward AI-generated code is outpacing the review practices needed to catch the security flaws that AI models introduce. The agency stops short of condemning the practice but draws a clear line: low-risk and experimental projects are acceptable, but production systems where security matters require thorough human review of every output.
Executive Impact
The practical implication for development teams is not to stop using AI coding tools but to treat their output as code that requires the same review as any other untrusted contribution, rather than as validated output that can be merged without scrutiny. Security review practices that were applied to human-written code should apply equally to AI-generated code. The NCSC specifically flags messy and hard-to-audit systems as a consequence of vibe coding at scale, noting that AI-generated code can accumulate technical debt that creates security risks that are not visible in any single pull request.
Don’t Miss
The NCSC guidance closes with a specific framing worth noting: it is possible that trust in vibe coding will be warranted over time as models improve, but calibration should be based on today’s actual model reliability, not on anticipated future capability. That is a direct pushback on the common reasoning that current limitations are acceptable because the technology is improving quickly. The NCSC is saying that production security decisions should be grounded in what models can do today, not what they are expected to do next year. This brief has documented two direct consequences of that gap in practice: the FortiBleed campaign included AI-assisted automated exploitation, and the Agentjacking attack in Issue 63 used AI coding agents as an execution layer. Both of those represent the offensive side of the same dynamic the NCSC is warning about on the defensive side.
CyberSip Take
The NCSC is a credible voice and today’s guidance reflects what this brief has been documenting in practice all year. AI tooling is accelerating both attacker capability and developer productivity at the same time. The NCSC’s point that trust must be calibrated to today’s reality rather than tomorrow’s potential is the right framing for engineering leaders deciding how to govern AI code generation in their organisations right now.
What the NCSC said

The UK National Cyber Security Centre published guidance today on the security implications of vibe coding, the practice of using AI models to generate software from natural-language prompts with minimal developer review of the output. The agency says AI-generated code can introduce security flaws and create systems that are difficult to understand or maintain, even when the code appears functional and passes basic tests.

The NCSC draws a distinction between low-risk and experimental use cases, which it considers acceptable, and production systems where security matters, for which it says AI-generated output must be thoroughly reviewed, tested, and understood by developers before deployment. The agency specifically warns against deploying code that the development team does not understand, noting that this creates audit and incident response problems that extend beyond the initial security risk.

The guidance notes that AI models are evolving and that calibrated trust may be appropriate as reliability improves, but explicitly states that developers should base their current practices on today’s model capabilities rather than anticipated future improvement. The NCSC positions the guidance as practical advice for developers navigating a genuinely novel situation, acknowledging the productivity benefits of AI coding assistance while being direct about the security risks of using it without adequate review discipline.

Recommended actions
  • Apply the same code review standards to AI-generated code as to any other untrusted contribution. Do not merge AI-generated code that the reviewing developer does not understand.
  • Restrict vibe coding and fully AI-generated code to low-risk and experimental contexts. Production systems where security matters require human review of all code before deployment.
  • Include AI-generated code in static analysis, dependency scanning, and security testing pipelines. The fact that an AI generated the code does not exempt it from standard security tooling.
Derived from Cybernews and Infosecurity Magazine reporting on NCSC vibe coding guidance, June 22, 2026.
Still watching
Aging items · days 2–5
Items here remain operationally relevant but have no significant new developments. They drop off after 7 days.
Day 2  ·  NGINX CVE-2026-42530 and CVE-2026-42055 (Issue 68). Both CVSS 9.2. Out-of-band patches released June 17. Not yet confirmed exploited. Upgrade to NGINX Open Source 1.31.2 or 1.30.3. Previous critical NGINX flaw went from disclosure to exploitation in days.
Day 6  ·  RoguePlanet CVE-2026-50656 (Issue 66). Microsoft confirmed working on patch. No release date. CVSS 7.8. Application allowlisting prevents execution. Monitor MSRC for patch release.
Cross-source standouts
01
FortiBleed is not a static breach. It is a live operation that grows through its own victims.
Most large-scale credential theft campaigns produce a dataset that depreciates over time as passwords are changed and accounts are locked. FortiBleed works differently. Once a FortiGate device is compromised, it intercepts live VPN traffic and sends newly captured credentials back to the scanning operation. The campaign feeds itself. This means that an organisation whose device was compromised in February 2026 may have been leaking credentials continuously for four months, with every VPN session from every employee connecting through that device contributing to the attacker’s credential database. The scope of FortiBleed does not reflect a moment in time. It reflects the cumulative output of an operation that has been running for months and continues to operate today.
02
The NCSC vibe coding warning and the FortiBleed AI exploitation detail are two sides of the same observation
The FortiBleed campaign used AI-assisted automation to scan for and test credentials against hundreds of thousands of devices at a scale and speed no human team could sustain. The NCSC’s warning today notes that AI models are becoming capable of finding software weaknesses and writing exploits for them at comparable speed and scale. The defensive and offensive implications of the same capability are arriving simultaneously. The NCSC’s guidance asks developers not to trust AI-generated code without scrutiny, while the FortiBleed campaign demonstrates that attackers are already deploying AI-assisted operations at production scale. Both observations point to the same conclusion: the window between when a capability exists and when it is operationalised is now very short, and security postures calibrated to last year’s threat model are already behind.
Our methodology
  • Federal cybersecurity advisories
  • Law enforcement threat bulletins
  • National vulnerability databases
  • Major vendor security advisories
  • Cross-referenced for relevance and corroboration
About CyberSip
A cyber brief for leaders and practitioners who need signal, not noise. Intelligence without the noise, published on cybersip.net.

CyberSip aggregates cybersecurity information from publicly available sources for informational purposes only. CyberSip does not provide legal, technical, incident response, or compliance advice, and makes no guarantee regarding completeness, accuracy, or timeliness. Organizations should validate all findings within their own environments and consult qualified professionals as appropriate. Original advisories, remediation guidance, and technical details remain with the referenced source organizations. Items remain active for no more than 7 days from publication unless materially updated.