🔴 Breaking
Device code phishing — 37x spike, 18 kits, every PhaaS vendor shipping it, bypasses all legacy MFA, token survives password resets, Conditional Access doesn’t block it by default  •  CVE-2026-46331 pedit COW — Linux kernel root exploit, FIM comes back clean  •  Cordyceps — free GitHub account hijacks Microsoft, Google, Apache CI/CD  •  Squidbleed CVE-2026-47729 — 29-year Heartbleed, patch NOT in 7.6  •  FortiBleed — CISA advisory, 86,644 devices
Threat Briefs: 35  •  Active Threats: 13  •  CISA KEV Listed: 10  •  No Patch Yet: 4

Latest

Threats & Attacks

Identity Security · PhaaS · 37x Spike
Device Code Phishing: 37x Spike, 18 Kits, Every PhaaS Platform Shipping It — The MFA Bypass That Survives Password Resets Is Now a Criminal Commodity

18 months ago: Russian espionage. Today: criminal commodity. Bypasses TOTP, push, SMS. Token survives password resets. Conditional Access doesn’t block it by default. EvilTokens is AI-built. FBI advisory on Kali365.

June 29, 2026

Linux Kernel · Root Exploit · FIM Blind
CVE-2026-46331 (pedit COW): Linux Kernel Root Exploit — File-Integrity Tools Say Everything Is Fine, Root Shell Is Already Open

The exploit never touches disk. FIM, Tripwire, AIDE — all report clean. Poisons the kernel page cache copy of /bin/su. Public PoC in 24 hours. Ubuntu patches pending.

June 28, 2026

Supply Chain · CI/CD · 300+ Repos Exploitable
Cordyceps: A Free GitHub Account Is All It Takes to Hijack CI/CD at Microsoft, Google, Apache, and Cloudflare

No org membership. No special privileges. Owner-level Google Cloud access. Non-expiring Microsoft Sentinel keys. Python Black token for 130M monthly installs. AI agents reproducing the pattern.

June 25, 2026

Proxy Security · AI Discovery · 29-Year Bug
Squidbleed (CVE-2026-47729): Claude Mythos Found a 29-Year Heartbleed in Squid Proxy — Patch NOT in 7.6

C’s strchr, a 1997 FTP parser, heap overread leaking other users’ passwords. Found by Claude Mythos in under an hour. Coming in 7.7. Disable FTP now.

June 23, 2026

🚨 CISA Advisory · 86,644 Devices
FortiBleed Update: CISA Issues Formal Advisory — Scope Jumps to 86,644 Devices in 48 Hours

+181% in 48 hours. Five CISA-mandated actions. 35% generic admin accounts. Hudson Rock free lookup tool. FortiSandbox also exploited.

June 20, 2026

Nation-State Espionage · China-Nexus
UNC6508: 26 Months Inside US and Canadian Research Labs — Hidden in a Misspelled Gmail Rule

REDCap exploitation, INFINITERED malware, domain admin, weaponized Google Workspace compliance rule. Defense, AI, and medical research data exfiltrated.

June 16, 2026

The DataWater Intelligence Brief

Weekly CISO-level threat analysis — breaking vulnerabilities, technical depth, zero noise. Trusted by enterprise and government security leaders.