The week’s channel intelligence points to a concentrated risk pattern: widely deployed enterprise platforms are being actively exploited or exposed through credentials, ransomware operators are refining pre-encryption defense evasion, SaaS integrations are becoming data-theft routes, and state-aligned actors continue to mature kernel-level stealth. The AI thread is also moving from theoretical governance concern to operational exposure, with attackers targeting developer AI API keys through marketplace plugins.
Source: Bleeping Computer
CISA confirmed active exploitation of CVE-2026-20253, a critical Splunk Enterprise flaw affecting versions 10.2.0 to 10.2.3 and 10.0.0 to 10.0.6. The flaw allows unauthenticated remote attackers to create or truncate files through a PostgreSQL sidecar endpoint.
Security operations platforms are high-value targets. A compromise affecting SIEM or log infrastructure can erode detection, investigation, and response capacity at the same moment defenders need those systems most.
Source: Bleeping Computer
CISA warned Fortinet customers after leaked credentials associated with roughly 74,000 Fortinet devices, including firewalls and VPN gateways, were tied to malicious targeting of government and private-sector organizations.
Perimeter credentials remain a direct route to remote access, lateral movement, and ransomware staging. Organizations should treat exposed VPN and administrative credentials as active incident response triggers, not routine password reset events.
Source: Bleeping Computer
The Gentlemen ransomware-as-a-service operation is maintaining a suite of EDR-killing tools, including GentleKiller variants that use vulnerable drivers and target more than 400 security-related processes across roughly 48 vendors.
Ransomware crews continue to industrialize defense evasion before encryption. Driver governance, attack surface reduction, tamper protection, and early-stage telemetry are now board-relevant ransomware controls.
Source: Dark Reading
Attackers abused compromised Klue Battlecards integration credentials and OAuth tokens to access Salesforce instances, automate REST API data theft, and support an extortion campaign attributed in reporting to the emerging Icarus group.
SaaS integrations are functioning as supply chain pathways into sensitive business data. OAuth grants, dormant credentials, connected app permissions, and abnormal API volume need the same executive attention as endpoint and cloud controls.
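The "abnormal API volume" signal above is concrete enough to show in code. The following is an added example, not code from the original report or from any vendor named in it: it parses a constructed JSON-per-line API access log (the field names ts, client_id and endpoint are assumptions, not a real Salesforce event schema), compares each connected app's current-hour request count against its hourly baseline over the previous day, and separately flags a credential that had been dormant for a month and is suddenly active, which is the pattern a compromised integration token tends to produce.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

HOUR = timedelta(hours=1)
QUERY = "/services/data/v60.0/query"  # assumed REST endpoint path, illustrative only


def build_sample_log():
    """Return constructed API access log lines (JSON per line).

    The schema (ts, client_id, endpoint) is an assumption for this example and
    not a real Salesforce event format. Three connected apps are simulated:
      - "crm-dashboard":   steady 5 calls/hour (benign)
      - "battlecard-sync": 2 calls/hour for a day, then 40 calls in the current hour
      - "legacy-reporting": last used 45 days ago, then active again in the current hour
    """
    now_hour = datetime(2026, 1, 15, 12, 0)
    lines = []

    def add(ts, client):
        lines.append(json.dumps({"ts": ts.isoformat(), "client_id": client, "endpoint": QUERY}))

    for h in range(24, -1, -1):          # 24 baseline hours plus the current hour
        for m in (5, 15, 25, 35, 45):
            add(now_hour - h * HOUR + timedelta(minutes=m), "crm-dashboard")
    for h in range(24, 0, -1):           # baseline: two calls per hour
        for m in (10, 40):
            add(now_hour - h * HOUR + timedelta(minutes=m), "battlecard-sync")
    for m in range(40):                  # current hour: automated bulk pull
        add(now_hour + timedelta(minutes=m), "battlecard-sync")
    for m in (0, 1, 2):                  # dormant credential, last used 45 days ago...
        add(now_hour - timedelta(days=45) + timedelta(minutes=m), "legacy-reporting")
    for m in (7, 8, 9):                  # ...and suddenly active now
        add(now_hour + timedelta(minutes=m), "legacy-reporting")
    return "\n".join(lines)


def parse_events(text):
    """Parse JSON-per-line records into dicts with a datetime 'ts' field."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.fromisoformat(rec["ts"])
        events.append(rec)
    return events


def find_anomalies(events, window_hours=24, spike_ratio=5.0, dormant_days=30):
    """Flag integration credentials whose call volume is abnormal.

    For each client_id, the current hour's request count is compared with the
    average hourly count over the preceding `window_hours`. A client with no
    activity in the last `dormant_days` that is active now is flagged as a
    dormant credential coming back to life; a client whose current-hour volume
    is at least `spike_ratio` times its baseline is flagged as a spike.
    Returns a list of finding dicts sorted by client_id.
    """
    if not events:
        return []
    current_hour = max(e["ts"] for e in events).replace(minute=0, second=0, microsecond=0)
    window_start = current_hour - window_hours * HOUR
    dormant_start = current_hour - timedelta(days=dormant_days)

    current = defaultdict(int)           # calls in the current hour
    in_window = defaultdict(int)         # calls in the baseline window
    seen_recently = defaultdict(bool)    # any activity in the dormancy period before now
    for e in events:
        cid = e["client_id"]
        if e["ts"] >= current_hour:
            current[cid] += 1
        else:
            if e["ts"] >= window_start:
                in_window[cid] += 1
            if e["ts"] >= dormant_start:
                seen_recently[cid] = True

    findings = []
    for cid, count in current.items():
        baseline = in_window[cid] / window_hours
        if not seen_recently[cid]:
            reason = "dormant_credential_active"
        elif baseline > 0 and count / baseline >= spike_ratio:
            reason = "api_volume_spike"
        else:
            continue
        findings.append({"client_id": cid, "reason": reason,
                         "current_hour_calls": count, "baseline_per_hour": round(baseline, 2)})
    return sorted(findings, key=lambda f: f["client_id"])


if __name__ == "__main__":
    for finding in find_anomalies(parse_events(build_sample_log())):
        print(finding)
```

Running the block prints two findings: the integration credential whose volume jumped from 2 to 40 calls in an hour, and the dormant reporting credential that came back to life. The thresholds are deliberately parameters; in production they would be tuned per connected app, and the baseline would come from the platform's own API usage or event logs rather than a constructed sample.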
Source: Dark Reading
FishMonger, a China-nexus threat group, expanded SprySOCKS with a Windows variant that uses malicious kernel drivers for stealth, with reporting tying deployments to government targets in Honduras, Taiwan, Thailand, and Pakistan.
State-aligned operators are continuing to expand cross-platform and kernel-level evasion capabilities. That shifts driver control, code integrity, and public-facing application hygiene into strategic cyber resilience priorities.
Source: Bleeping Computer
At least 15 malicious JetBrains Marketplace plugins posed as AI coding assistants, code review tools, and Git utilities while exfiltrating AI provider API keys from developer settings, with the campaign reportedly nearing 70,000 installs.
AI tooling creates new credential exposure and data governance risk inside developer workflows. Security teams should extend marketplace vetting, secrets scanning, and API key governance to AI coding assistants and adjacent plugins.
Cyber risk this week is less about isolated exploits and more about control-plane trust: identity, credentials, integrations, endpoint protection, and developer tooling are all being targeted as force multipliers. Executives should prioritize exposed access paths, verify SaaS trust relationships, and test whether ransomware-era defense evasion can be detected before business disruption begins.
For immediate assistance with securing AI, or with a network intrusion, ransomware attack, or BEC incident, please contact: IrongateResponse@irongatesecurity.com