Threat Vectr Weekly — week of Jun 15
Stories covered this week
LiteLLM Command Injection Hits CISA KEV as Attackers Chain to RCE
CVE-2026-42271 lets any authenticated user run shell commands on the LiteLLM proxy. CISA says it's already being exploited.
Microsoft Bakes a Two-Hour Quarantine Into VS Code Extension Auto-Updates
The delay is a soft tripwire against marketplace supply chain attacks — buying defenders a window to flag malicious updates before they propagate.
How Ukraine Turned a Nation-State Cyberwar Into a Masterclass in Operational Resilience
Former foreign minister Dmytro Kuleba details how pre-planned contingencies — not ad-hoc crisis management — kept Ukrainian government and business functions alive under sustained Russian attack.
UNC3753 Hit U.S. Professional Services Firms With Vishing and Walk-In Intrusions
Dozens of legal, financial, and consulting firms were hit between January and May 2026 in a data-theft extortion run that blended phone-based social engineering with physical site visits.
12 Questions That Expose Whether Your Security Program Is Actually Working
A roundup of hard questions CISOs should already be asking — about blast radius, nonhuman identities, and whether 'vibe coding' has eaten your attack surface.
Corporate Cyber Readiness Is a Compliance Exercise. The Military Treats It as Combat.
Enterprise incident response still runs on annual tabletops and audit checkboxes. That gap between posture and practice is exactly what attackers count on.
VerdantBamboo Ports BRICKSTORM to BSD, Goes Hunting for Linux Appliances
A China-nexus crew is rewriting its toolkit to live on the boxes most EDR vendors forgot about.
Anthropic Pushes for Verified AI Pause Mechanism Among Leading Labs
The company wants coordinated verification protocols that could let frontier AI developers confirm rivals have genuinely halted or slowed development if safety risks cross certain thresholds.
Transcript
Narrated by two AI anchors. Lightly formatted for reading.
Welcome to Threat Vectr Weekly for the week of June fifteenth. I'm Marcus, and we have a packed episode today. We're going to talk about a command injection flaw in the AI proxy layer that a lot of platform teams are quietly running in production — and CISA says attackers are already inside. We'll look at a China-nexus crew that rewrote its backdoor to hide on the operating systems your EDR vendor forgot about. And we'll hear what Ukraine's former foreign minister says is the real reason the country survived years of sustained Russian cyberattacks. That, plus five more stories that matter. Let's get into it.
We start with a vulnerability that should be flashing red for any team running a self-hosted AI gateway. CISA added CVE-2026-42271 to its Known Exploited Vulnerabilities catalog on Monday. The affected product is LiteLLM — that's BerriAI's open-source proxy that sits in front of model providers like OpenAI, Anthropic, AWS Bedrock, and others. A lot of platform teams use it to give internal developers a single unified API for whatever models the company has licensed. The problem is a command injection flaw with a CVSS score of eight point seven. Any authenticated user can run arbitrary shell commands on the host. And here's what makes the blast radius so much bigger than that CVSS score implies: authenticated user in most LiteLLM deployments means anyone who grabbed a virtual API key from the internal developer portal. That's contractors, that's interns, that's anyone who filled out a form. Once you have shell on the proxy pod, you're looking at every provider API key stored in environment variables and the workload identity binding on the underlying cloud node. CISA says this is actively exploited, so patch or isolate now.
That's a supply chain risk hiding inside what feels like pure infrastructure. Over to something on the developer toolchain side that's a quieter but genuinely smart defensive move. Microsoft is adding a two-hour delay to Visual Studio Code extension auto-updates. Starting with recent VS Code builds, when an extension has a new version available, it sits in a holding queue for two hours before it installs on user machines. The intent is straightforward: if a malicious update lands in the marketplace — through a hijacked publisher account, a stolen token, or a planted backdoor — there's now a window to catch and pull it before it propagates to millions of developer endpoints. Two hours sounds modest, but researchers tracking supply chain attacks across npm, PyPI, and the VS Code Marketplace have consistently found that the gap between a malicious publish and mass installation is exactly where defenders need friction. This fits a broader industry pattern. GitHub added publisher attestation to npm. PyPI now requires two-factor authentication for maintainers of high-traffic packages. The VS Code change is the same philosophy applied to the editor layer. If your developers use VS Code with auto-updates on — and most do — this protection is coming to them automatically. But it's also a prompt for teams to audit which extensions are installed across developer endpoints and whether any have suspiciously broad permissions.
From developer tooling to something that genuinely reframes how we should think about organizational resilience. Dmytro Kuleba, who ran Ukraine's foreign ministry from 2020 to 2024, spoke at Infosecurity Europe this week and delivered what I think is the most practically useful framing of cyber resilience I've heard in a long time. His central point: resilience is not a repair capability. It is muscle memory built before the crisis. He walked through the Kyivstar incident — in December 2023, Russian threat actors got in through a single employee account, reached the core of the mobile network, and took it down. Kyivstar restored service within days. Kuleba called that outcome, quote, the unimaginable, and he credited prior preparation, not improvisation. His own ministry started its continuity planning in November 2021 — three months before the full-scale invasion. His team mapped every system, every dependency, and pre-answered every question that organizations typically scramble to answer mid-crisis. When Russian forces crossed the border, the ministry evacuated services abroad without losing a single day to triage. The takeaway for any security leader is uncomfortable but clear: if you don't have written answers to your own continuity questions right now, you will be figuring them out under fire.
A quick word from our sponsor, Train2Secure. Your people are your biggest cyber risk — and your strongest defence. Train2Secure runs realistic phishing simulations and short, engaging security-awareness training your team will actually finish, with compliance-ready reporting that runs on autopilot. Turn your staff into a human firewall. Start your free trial today at Train2Secure dot com — that's Train, the number two, Secure, dot com.
That Ukraine story is a case study in what preparation actually looks like. And speaking of preparation failures, let's talk about UNC3753 — a financially motivated crew that Google Mandiant and the Google Threat Intelligence Group have been tracking through the first five months of 2026. These operators worked through dozens of U.S. professional services firms — legal, financial, and consulting — using phone calls and, in some cases, physically walking into offices. No zero-days. No exotic malware. They called help desks, talked past identity verification checks, and walked away with credentials or session tokens. Where phones didn't work, they apparently showed up in person. The goal was data exfiltration and extortion — pay up or the data gets published — which puts them in the same lane as Scattered Spider and the broader cluster of English-speaking social engineering crews that have been dominating incident response queues for the past two years. The targeting is deliberate. Professional services firms hold concentrated, high-leverage client data: privileged legal correspondence, merger and acquisition diligence, tax filings, beneficial ownership records. A single law firm breach can cascade into client notifications across an entire deal roster. The practical defense here is not technical. It's process. Identity verification at the help desk needs to be a hard checkpoint, not a soft conversation.
That UNC3753 story is a reminder that the attack surface often isn't a system — it's a person on the phone. Which connects to a piece this week that collected hard questions from a dozen security leaders about whether their programs are actually working. A few stood out. Roland Palmer, CISO at JumpCloud, asks his team to name one specific incident the security program actually prevented — not generically, but concretely, with business impact attached. If the answer is vague, the value is vague. On identity: Palmer calls IAM for both human and nonhuman identities an every-hour question now. AI agents, shadow deployments, and automated pipelines are generating new identities faster than most governance processes can track. Richard Watson at EY makes it sharper — most traditional identity governance tooling was never built for nonhuman principals at all. That's not a configuration gap, that's a category gap. And Dale Hoak at RegScale reframes mean time to detect bluntly: assume breach, then ask how fast you'd actually know. That number correlates directly to blast radius. Small number good, large number bad. These questions aren't novel. But the security leaders making them routine — on a schedule, not just at audit time — are the ones building programs that actually hold.
Those questions land differently when you contrast how corporate security teams rehearse versus how the military does it. There was a piece this week making that comparison explicitly, and it's worth sitting with. The U.S. military rehearses cyberattacks constantly — against live tooling, in exact replicas of operational environments, with a fixed starting assumption that the attack is coming. Corporate security teams still tend to treat preparedness as a documentation problem. Annual tabletop exercises, checkbox audits, policies that get reviewed once a year. When Scattered Spider worked through retailers and insurance brokers in early 2025, and when ransomware traced to supply chain compromises cost Jaguar Land Rover and Asahi Beer months of operational downtime, those weren't edge cases. That's the baseline now. Two findings in this piece added urgency. Cisco researchers found that frontier AI models from OpenAI, Anthropic, Google, xAI, and Amazon perform materially worse under multi-turn attack conditions than single-prompt benchmarks suggest — meaning the attack success rate climbs when a model is pressured across a conversation rather than probed once. And Google's Threat Intelligence Group identified what researchers are calling the first zero-day exploit developed using AI. Annual tabletops do not map to that threat pace. The military framing that resonates: the question is never whether. It's only when, and how ready are you.
From threat pace to threat infrastructure. This one is for the SOC teams and the threat intel folks. A China-nexus espionage cluster called VerdantBamboo — which overlaps with what Microsoft tracks as Clay Typhoon — has been spotted deploying a BSD-flavored variant of the BRICKSTORM backdoor, alongside two previously undocumented Linux implants called PLENET and AGENTPSD. BRICKSTORM has appeared before in long-dwell intrusions at managed service providers and edge appliance vendors. What's new is that the operators have ported it to BSD. That is a deliberate engineering choice. A lot of firewalls, load balancers, and storage controllers ship FreeBSD or a vendor fork underneath the product interface. Your EDR agent is almost certainly not on them. VerdantBamboo knows that. The playbook is the same one China-nexus actors have run for three years: find the appliance, drop a quiet implant on a platform nobody monitors, then pivot into the Linux fleet using stolen credentials or management plane access. PLENET and AGENTPSD cover the Linux side of that pivot. Volexity published the primary writeup with indicators of compromise and behavioral signatures. If you're running network appliances from any vendor and you don't have a clear answer for what telemetry you have on those devices, that's the gap to close this week.
And we close this week on something that sits at the edge of cybersecurity and AI governance. Anthropic has put forward a proposal for industry-level coordination that would give advanced AI labs a mechanism to verify whether their competitors have actually halted or meaningfully slowed AI development if safety risk thresholds are crossed. The framing is essentially a trust-but-verify structure — labs auditing one another's claims about development status. That is a significant ask. It raises obvious concerns about competitive sensitivity, intellectual property exposure, and depending on how it's structured, potential antitrust implications. But Anthropic's underlying logic is sound: a pause only functions as a safety mechanism if everyone actually pauses. Unilateral restraint by one lab while others continue is not a pause — it's a market concession. What's notable from a regulatory standpoint is how far the existing framework falls short. Neither the cyber incident reporting requirements under CIRCIA nor the SEC's cybersecurity disclosure rules address AI development risk as a trigger. The EU AI Act's high-risk classification provisions don't reach this either. There is no existing regulatory scaffold for what Anthropic is describing. Whether this proposal goes anywhere depends on whether competitors engage. But the problem it's trying to solve — verifying that a safety commitment is real — is exactly the kind of coordination problem the security community has been working on for decades with vulnerability disclosure frameworks and threat intelligence sharing. Worth watching.
That's all eight stories for the week of June fifteenth. Thank you for spending ten minutes with us on Threat Vectr Weekly. If you want the full write-ups, links to the primary research, and early access to next week's stories, head to threatvectr dot com slash newsletter and get on the list. We'll be back next week. Stay sharp.