All episodes
Week of Jun 29, 2026

Threat Vectr Weekly — week of Jun 29

15 min

Stories covered this week

Transcript

Narrated by two AI anchors. Lightly formatted for reading.

Marcus

Welcome to Threat Vectr Weekly for the week of June 29th. I'm Marcus, and we have a full plate this week. Canada just made history with a first-of-its-kind warrant to clean live botnets off private hardware. Microsoft quietly patched a one-click remote code execution flaw hiding inside an AI prototyping tool most developers never thought twice about securing. And a breach at competitive intelligence firm Klue is a masterclass in how abandoned OAuth credentials come back to haunt you. Eight stories, about ten minutes. Let's get into it.

Marcus

We'll start in Canada, where a Federal Court ruling unsealed June 15th marks a genuinely significant moment. Canada's Security Intelligence Service — CSIS — obtained a warrant authorizing it to reach into compromised routers, servers, and IoT devices on Canadian soil and dismantle two foreign-operated botnets. No notification to device owners. The court accepted that telling people would tip off the botnet operators. This mirrors what the FBI has been doing since takedowns like Cyclops Blink and Volt Typhoon — judicial authorization to remotely clean malware off private hardware. Canada is now formally on that map. Here's the part the press release glosses over: cleaning a botnet node is not a tidy operation. You are sending crafted commands to a device whose firmware you do not own. The failure modes range from bricking a router someone uses for VoIP nine-one-one calls, to burning your access while the implant survives and the command-and-control server simply rotates. Practically speaking, if you manage cloud workloads or co-location infrastructure in Canada, this ruling is a reminder that your infected kit is now legally fair game for a third party to touch without telling you. Audit your device inventory. Know what's hanging off your network. Over to Elena.

Elena

Thanks Marcus. Next up: ShinyHunters, a name that should not surprise anyone anymore and yet keeps doing exactly that. The group has been at this since at least 2020, and their recent activity is a reminder of one of the most uncomfortable truths in security. You do not need a sophisticated exploit to steal hundreds of millions of records. You need working credentials, a misconfigured cloud storage bucket, or a poorly scoped API token. The group's playbook reads like a checklist: find a weak authentication surface, get in without triggering endpoint detection, enumerate storage or move laterally, exfiltrate, post to a breach forum, repeat. No malware dropped. No zero-day burned. Just disciplined, patient process. Their initial access methods reportedly span phishing, SIM-swapping, and third-party vendor compromise — classic tradecraft adapted for cloud-native environments. What makes this operationally important is the targeting breadth. Retail, hospitality, telecom, financial services. The sector barely matters when access-control hygiene is poor across all of them. The takeaway is the same one it's been for years and keeps not landing: enforce multi-factor authentication everywhere, audit API token scopes, rotate credentials regularly, and treat your third-party vendors as part of your own attack surface. Back to you Marcus.

Marcus

Building on that credential hygiene thread — story three is about what happens when AI agents inherit the bad habits of the infrastructure they run on. About 71 percent of organizations are now piloting AI agents in production or near-production workflows, according to figures shared at the Gartner Security and Risk Management Summit this month. The governance side has actually moved fast — model cards, red-team exercises, acceptable-use policies. The infrastructure underneath has not caught up. That is where the risk lives. Governance frameworks like the NIST AI Risk Management Framework and the EU AI Act, which entered into force in August 2024 with obligations rolling out through August 2026, both place heavy emphasis on model behavior. Neither one prescribes hardening for the legacy identity stores, file shares, and service accounts that AI agents actually pull from at runtime. Here's the practical problem: an AI agent is by design an over-privileged user. It reads from SharePoint, queries databases, calls APIs through service principals provisioned years ago and never rotated. When an attacker compromises a stale account or an unpatched connector, they do not need to break the model. They just feed it bad data. Prompt injection through a poisoned document is the most-discussed version of this. It is not the only one. Token theft from a legacy single-sign-on integration, lateral movement through an agent's tool-use permissions — these are live attack paths right now. If you are deploying agents, the question is not just what the model does. It is what the model can reach.

ElenaSponsored

A quick word from our sponsor, Train2Secure. Your people are your biggest cyber risk — and your strongest defence. Train2Secure runs realistic phishing simulations and short, engaging security-awareness training your team will actually finish, with compliance-ready reporting that runs on autopilot. Turn your staff into a human firewall. Start your free trial today at Train2Secure dot com — that's Train, the number two, Secure, dot com.

Elena

Sticking with the theme of familiar problems at scale — our weekly threat roundup. Most of what crossed the wire this week was not new. It was proven tradecraft applied efficiently. A few things worth flagging. EDR killers are having a renaissance. Multiple ransomware affiliates are shipping bring-your-own-vulnerable-driver tooling — that means they load a legitimately signed but known-vulnerable driver onto a system specifically to use it as a weapon to kill endpoint detection before encrypting. The technique is old. The packaging is getting better and more accessible. Affiliates who could not write a driver loader six months ago are now doing it with off-the-shelf components. Capability is diffusing downward, and that is what defenders need to internalize. On the browser side, exploitable bugs were disclosed in widely deployed engines this week. Check CVE listings at the National Vulnerability Database directly rather than relying on summaries — CVSS severity scores on a few of these were rescored upward after initial publication. And an Android banking trojan made the rounds this week with a permission manifest that reads like a wishlist: accessibility services, SMS interception, overlay rendering. If you manage a mobile device fleet, that particular combination of permissions is worth adding to your policy blocklist. Marcus, you've got the Klue breach.

Marcus

Right, and this one connects directly to the ShinyHunters and AI infrastructure stories we just covered. Klue is a competitive intelligence vendor, and on June 12th they detected unauthorized access to customer data — specifically CRM data from platforms including Salesforce. The CEO addressed it publicly on June 19th. Here's the mechanism, and it's worth understanding clearly. Attackers got hold of a legacy credential tied to an abandoned integration project — a service that no longer existed in production but whose credentials were never revoked. Using that stale credential, they acquired OAuth tokens, which are essentially the keys that let one application act on behalf of another. With those tokens, they accessed multiple customer Salesforce environments and exfiltrated CRM data. Huntress, a security vendor also affected, disclosed that the attack involved a code update pushed specifically to harvest those tokens. Salesforce clarified the vulnerability was not in their platform — it was in how Klue managed the integration and its credentials. Klue has since revoked affected credentials and disabled the integrations. The practical lesson is painfully direct: when you decommission a service or an integration, you must also decommission its credentials. Abandoned OAuth tokens and service accounts are not inactive. They are unlocked doors. Audit them. Over to Elena.

Elena

From the breach that automated remediation is supposed to prevent, to the tool Amazon says can actually do it. AWS announced a new service called Continuum, positioned as an agentic security service that continuously discovers, validates, and remediates vulnerabilities across both first-party and third-party code in enterprise environments. The context matters here: AI coding tools are accelerating development, which is also accelerating the rate at which vulnerabilities are introduced. Triage queues are growing faster than security teams can process them. Continuum is AWS's answer to that. According to AWS, for internally owned applications, the service can analyze source code, confirm whether a finding is actually exploitable, generate a fix, and surface that fix through your existing developer workflows — meaning pull requests your team already reviews, not a separate portal nobody opens. Now, the obvious failure mode is automated remediation that lacks context making bad calls. AWS has a graduated trust model. Out of the box, humans stay in the loop. Once an organization is confident the system understands its environment well enough, they can enable what AWS calls enforce mode, where the service patches code autonomously. That is a meaningful amount of trust to extend to any automated system, and Continuum is still in gated preview, so most teams won't be making that call immediately. But it signals clearly where agentic security tooling is heading. Marcus, two more to go.

Marcus

Story seven involves Dify, which if you're not familiar, is an open-source platform for building agentic AI workflows. Over 146,000 stars on GitHub — one of the most-deployed AI orchestration tools in the open-source ecosystem. Researchers at Zafran Security disclosed a cluster of four vulnerabilities they're calling DifyTap. Chained together, these flaws allow an unauthenticated attacker — no login required, no user interaction required — to read AI conversations belonging to other tenants on the same Dify instance. In a multi-tenant deployment, that means one customer's conversation data is readable by an outsider without the victim seeing anything obviously wrong in their logs. No failed authentication attempts. No anomalies to hunt for. The read is silent. A few important caveats: at the time of disclosure, detailed technical information was limited. Specific CVE identifiers, affected version ranges, and confirmed patched releases had not yet been fully enumerated in primary advisories. So if you are running a self-hosted or managed Dify deployment, check the project's security advisories and release notes directly and frequently. The broader point stands regardless of where these specifics land: multi-tenant AI platforms carrying sensitive conversation data are high-value targets, and the attack surface is still being mapped in real time. Elena, take us home.

Elena

Last story, and it's a good one to end on because it illustrates something that is going to keep happening as agent frameworks proliferate. Researchers disclosed a vulnerability chain in AutoGen Studio — that's the graphical interface Microsoft built for prototyping multi-agent AI workflows — that turned an ordinary visit to a malicious webpage into arbitrary code execution on a developer's machine. They're calling it AutoJack. The chain is three steps. First: AutoGen Studio's local web server had a permissive cross-origin resource sharing policy — meaning it would accept requests from other websites, not just itself. Second: a server-side request forgery flaw let an external site use that permissiveness to send instructions through the API. Third: the agent's tool-use path would happily execute Python code passed in as part of a task. So a developer with AutoGen Studio running in the background opens the wrong browser tab, and a remote site pivots through the API, tells an agent to run code, and has shell access on the laptop. Microsoft has shipped fixes that tighten the CORS handling and constrain how user-supplied content reaches code execution. If you are running an older build, update before your next browsing session. The pattern to internalize here is bigger than this one patch. Developer tools that expose local HTTP servers with code execution on the other end are an RCE surface whether or not anyone designed them that way. Audit what is listening on localhost across your development environment. That's our eight stories for the week.

Marcus

That's a wrap on Threat Vectr Weekly for June 29th. Thanks for spending ten minutes with us — we know your time is short and your patch queue is not. If you want this reporting in your inbox before the weekend, head to threatvectr dot com slash newsletter and sign up. We'll be back next week with whatever the threat landscape decides to throw at us. Stay sharp.

© 2026 Threat Vectr