FortiBleed Exposes 86,000 Fortinet Credentials

An ongoing campaign, FortiBleed, has exposed valid Fortinet VPN credentials for over 86,000 Fortinet firewalls and VPN appliances across 194 countries. The scale of this data exposure is significant, offering potential initial access to many organizations globally. The leaked data includes email addresses, usernames, and passwords, along with specific company details such as industry, revenue, and country of origin.

This widespread compromise impacts various critical sectors, including financial institutions, telecommunications providers, healthcare organizations, higher education bodies, and critical infrastructure entities. While the precise method of credential acquisition remains undetermined, researchers suspect a link to data stolen from previous exploitation of known Fortinet vulnerabilities.

The FortiBleed campaign represents a key initial access operation. The compromised credentials are likely being used or sold to other threat actors for subsequent attacks. The global distribution and critical nature of the affected organizations demonstrate the severity of this exposure, which requires immediate attention to credential rotation and enhanced security measures for Fortinet device deployments.

What is the scope of the FortiBleed credential exposure?

The FortiBleed campaign exposed valid VPN credentials for over 86,000 Fortinet firewall and VPN appliances across 194 countries. Security researchers Volodymyr Diachenko and Kevin Beaumont identified the compromise through an exposed open directory containing configuration files exported directly from Fortinet appliances. The data set includes email addresses, usernames, and passwords for administrative accounts, alongside company-specific metadata such as industry, revenue, and geographical location.

The formatting of the exposed data matches that used in cybercrime operations, which suggests the FortiBleed campaign functions as an initial access operation, providing entry points for further malicious activity. While no specific threat actor attribution has been publicly confirmed, analysis of tooling, infrastructure, and victim selection points to Russian-speaking cybercrime groups. Geographically, nearly one-third of the exposed entries originate from organizations in the United States and India.

The method by which these configuration files were initially obtained is not definitively known but is strongly suspected to be linked to successful exploitation of previously identified vulnerabilities in Fortinet devices. Organizations that applied patches to these vulnerabilities but did not subsequently rotate credentials remain susceptible to credential-based attacks using the newly exposed data.

CVE ID            Description
CVE-2024-55591    Privilege escalation vulnerability
CVE-2025-59718    Authentication bypass vulnerability
CVE-2025-59719    Authentication bypass vulnerability

Organizations using Fortinet VPN and firewall appliances need to act immediately. Security teams should prioritize rotating administrator credentials and enforcing multi-factor authentication across accounts. Access to Fortinet Management Interfaces must be restricted to trusted networks and IP addresses. An audit of accounts on Fortinet devices is advised to identify and remove any unauthorized or suspicious entries. Ensuring all Fortinet devices are running the latest firmware, with patches for identified CVEs, provides a basic layer of defense.
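The account audit and management-interface restriction recommended above can be checked against an exported configuration before touching the device. The following is an added example written for this page, not Fortinet's tooling or anything from the leak: it parses a constructed FortiOS-style `config system admin` / `config system interface` excerpt (the sample text is invented) and flags administrators with no `trusthost` source restriction, administrators without two-factor authentication, and management protocols enabled on interfaces the caller names as untrusted (`wan1`, `wan2` are assumed names).

```python
import re

# Constructed FortiOS configuration excerpt for demonstration; not a file from the leak.
SAMPLE_CONFIG = """\
config system admin
    edit "admin"
        set accprofile "super_admin"
        set trusthost1 10.10.0.0 255.255.255.0
        set two-factor fortitoken
        set fortitoken "FTKMOB00000000"
    next
    edit "svc-backup"
        set accprofile "super_admin"
    next
    edit "auditor"
        set accprofile "prof_admin"
        set trusthost1 192.168.50.0 255.255.255.0
    next
end
config system interface
    edit "wan1"
        set allowaccess ping https ssh
    next
    edit "mgmt"
        set allowaccess https ssh
    next
end
"""

MGMT_PROTOCOLS = {"http", "https", "ssh", "telnet"}


def parse_section(config_text, section):
    """Return {entry_name: {setting: value}} for each 'edit' entry of one top-level section.

    Nested 'config ... end' sub-blocks inside an entry are skipped so that their
    'end' does not terminate the outer section early.
    """
    entries, current, depth, in_section = {}, None, 0, False
    for raw in config_text.splitlines():
        line = raw.strip()
        if not in_section:
            in_section = line == f"config {section}"
            continue
        if line.startswith("config "):
            depth += 1
            continue
        if line == "end":
            if depth == 0:
                break
            depth -= 1
            continue
        if depth:
            continue
        m = re.match(r'edit "([^"]*)"', line)
        if m:
            current = m.group(1)
            entries[current] = {}
        elif line == "next":
            current = None
        elif current is not None:
            m = re.match(r"set (\S+) (.+)", line)
            if m:
                entries[current][m.group(1)] = m.group(2).strip('"')
    return entries


def audit_fortios(config_text, untrusted_interfaces=("wan1", "wan2")):
    """Flag admin accounts without a source restriction or MFA, and management
    access enabled on interfaces the caller considers untrusted."""
    findings = []
    for name, s in parse_section(config_text, "system admin").items():
        if not any(k.startswith("trusthost") for k in s):
            findings.append((name, "no trusthost: login allowed from any source address"))
        if s.get("two-factor", "disable") == "disable":
            findings.append((name, "two-factor authentication not enabled"))
    for name, s in parse_section(config_text, "system interface").items():
        exposed = sorted(MGMT_PROTOCOLS & set(s.get("allowaccess", "").split()))
        if name in untrusted_interfaces and exposed:
            findings.append((name, "management access on untrusted interface: " + " ".join(exposed)))
    return findings


if __name__ == "__main__":
    for entry, issue in audit_fortios(SAMPLE_CONFIG):
        print(f"{entry}: {issue}")
```

Run it against a real backup by reading the file into `audit_fortios`; every account it lists should either be removed or be given a `trusthost` range and a second factor, and its password rotated, since patching alone leaves previously exported credentials valid.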

How is ShinyHunters exploiting the Oracle PeopleSoft zero-day?

ShinyHunters actively exploits CVE-2026-35273, a critical unauthenticated Remote Code Execution (RCE) vulnerability in Oracle PeopleSoft PeopleTools, to establish initial access for data extortion operations. Oracle disclosed the flaw on June 10th, 2026, with a CVSS score of 9.8, affecting PeopleSoft Enterprise PeopleTools versions 8.61 and 8.62. Mandiant and Google Threat Intelligence Group (GTIG) confirmed active exploitation of this zero-day since at least May 27th, 2026.

Upon successful exploitation of CVE-2026-35273, ShinyHunters deploys customized MeshCentral agents, often disguised as legitimate cloud endpoints, to maintain persistence and enable further malicious activities. These agents allow the threat actors to run queries, perform lateral movement within the compromised environment, and execute custom scripts. Data exfiltration follows, with stolen information subsequently posted on ShinyHunters' dedicated Data Leak Site (DLS), as observed on June 9th.

GTIG notified over 100 global organizations whose IP addresses correlated with potentially vulnerable endpoints; 68% of these were in the higher education sector in the United States. This sector's reliance on Enterprise Resource Planning (ERP) platforms like Oracle PeopleSoft for managing sensitive student, financial, and HR data makes it a high-value target for extortion.

Type          Value                                                             Description
IP Address    142[.]11[.]200[.]186                                              Staging & C2 IP Address
IP Address    142[.]11[.]200[.]187                                              Staging & C2 IP Address
IP Address    142[.]11[.]200[.]188                                              Staging & C2 IP Address
IP Address    142[.]11[.]200[.]189                                              Staging & C2 IP Address
IP Address    142[.]11[.]200[.]190                                              Staging & C2 IP Address
Domain        azurenetfiles[.]net                                               Staging & C2 Domain
SHA256 Hash   2ab684d93c1553fad87041b4dea97188a97e78589deee2a7bacff905564f3a35  Attacker Command History
SHA256 Hash   f02a924c9ff92a8780ce812511341182c6b509d45bc59f3f7b522e37225d24fc  Pre-configured Windows Agent
SHA256 Hash   d83fdb9e53c5ff03c4cb0451ea1bebd79b53f29eadc1e2fa394c7af13a86ce2f  Pre-configured Windows Agent
SHA256 Hash   c7e9332731b06644fc73e0046a2a89eaa59b09f54250e9bd622467187351711f  Pre-configured Windows Agent
SHA256 Hash   68257a6f9ff196179ec03624e849927f26599eb180a7c82e14ef5bc4e39bc309  Unconfigured Linux agent

Organizations using Oracle PeopleSoft must apply the relevant security patches for CVE-2026-35273 as soon as possible. If immediate patching is not feasible, mitigation steps include disabling the Environment Management Hub (EMHub) Service and blocking external network access to sensitive PeopleSoft PeopleTools endpoints, specifically /PSEMHUB/hub/ and /PSIGW/HttpListeningConnector, at the network perimeter. Auditing PIA WebLogic access logs for suspicious HTTP POST requests, monitoring outbound SMB traffic from PeopleSoft hosts, and conducting forensic audits of web-tier filesystems are recommended to identify potential compromise.
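The log audit recommended above, combined with the indicators in the table, can be scripted. The following is an added example for this page, not code from Oracle, Mandiant or GTIG: it refangs the published IP indicators, parses constructed WebLogic-style access log lines (the default format is assumed to be close to common log format; the sample lines are invented and include RFC 5737 test addresses), and reports any line whose source matches a staging/C2 IP or that is an external POST to `/PSEMHUB/hub/` or `/PSIGW/HttpListeningConnector`. The internal address ranges are an assumption to be replaced with the organisation's own.

```python
import re
from ipaddress import ip_address, ip_network

# Indicators from the table above, kept defanged as published.
IOC_IPS = [
    "142[.]11[.]200[.]186", "142[.]11[.]200[.]187", "142[.]11[.]200[.]188",
    "142[.]11[.]200[.]189", "142[.]11[.]200[.]190",
]
IOC_DOMAINS = ["azurenetfiles[.]net"]

# Endpoints the advisory says should be blocked at the perimeter.
SENSITIVE_PATHS = ("/PSEMHUB/hub/", "/PSIGW/HttpListeningConnector")

# Assumption: these ranges are the organisation's internal address space.
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Assumption: access log in common log format (the WebLogic default is close to this).
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample log lines; not taken from any real incident.
SAMPLE_LOG = """\
10.20.3.7 - - [27/May/2026:08:01:12 +0000] "GET /psp/ps/EMPLOYEE/HRMS/c/ROLE_EMPLOYEE.HC_PAY.GBL HTTP/1.1" 200 5123
203.0.113.45 - - [27/May/2026:08:02:30 +0000] "POST /PSEMHUB/hub/ HTTP/1.1" 200 312
10.20.3.9 - - [27/May/2026:08:03:01 +0000] "POST /PSIGW/HttpListeningConnector HTTP/1.1" 200 88
198.51.100.8 - - [27/May/2026:08:04:44 +0000] "POST /PSIGW/HttpListeningConnector HTTP/1.1" 500 0
142.11.200.187 - - [27/May/2026:08:05:10 +0000] "GET /psc/ps/EMPLOYEE/HRMS/s/WEBLIB.ISCRIPT1.FieldFormula.IScript_PT_NAV HTTP/1.1" 200 77
"""


def refang(indicator):
    """Turn a defanged indicator ('142[.]11[.]200[.]186') back into a matchable string."""
    return indicator.replace("[.]", ".")


def is_internal(addr):
    """True if the address parses and falls inside one of INTERNAL_NETS."""
    try:
        ip = ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in INTERNAL_NETS)


def hunt(log_text):
    """Return one finding per log line that matches a C2 indicator or is an
    external POST to a sensitive PeopleTools endpoint."""
    ioc_ips = {refang(i) for i in IOC_IPS}
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        src, method, path = m.group("src"), m.group("method"), m.group("path")
        reasons = []
        if src in ioc_ips:
            reasons.append("source matches published staging/C2 IP")
        if method == "POST" and path.startswith(SENSITIVE_PATHS) and not is_internal(src):
            reasons.append("external POST to exposed PeopleTools endpoint")
        if reasons:
            findings.append({"src": src, "path": path, "status": m.group("status"), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_LOG):
        print(f"{f['src']} {f['path']} ({f['status']}): {'; '.join(f['reasons'])}")
```

A 500 response on a sensitive endpoint is reported alongside the 200s on purpose: failed probes from outside are still evidence that the path is reachable at the perimeter, which the mitigation guidance says it should not be. Matching the domain indicator belongs in DNS or proxy logs rather than the web access log, which is why `IOC_DOMAINS` is refanged the same way but not used against `SAMPLE_LOG`.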

What vulnerability exists in the Amazon Q VS Code Extension?

CVE-2026-12957, a high-severity vulnerability in the Amazon Q Developer Extension for Visual Studio Code (VS Code), enabled arbitrary code execution and cloud credential theft when a developer opened a malicious repository. This flaw stemmed from Amazon Q automatically loading Model Context Protocol (MCP) server configurations from workspace files (specifically .amazonq/mcp.json) without requiring explicit user consent or performing workspace trust checks.

This automatic loading, combined with full environment inheritance for spawned processes, created a critical exposure. Attackers could craft a malicious repository that, when opened in VS Code with Amazon Q active, would silently execute arbitrary commands with full access to the developer's environment. This environment includes sensitive data such as AWS credentials (AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, AWS_SESSION_TOKEN), cloud CLI authentication tokens, API keys, and SSH agent sockets.

Amazon has remediated this issue in language server version 1.65.0. The updated Amazon Q Developer Extension now displays a consent prompt before loading MCP servers from workspace configurations, giving users the opportunity to review and reject untrusted commands.

Impact Assessment     Details
Immediate Impact      Arbitrary code execution on developer machines, requiring minimal user interaction (opening a folder). Silent execution without visible indicators.
Escalation Potential  Theft of cloud credentials (AWS, GCP, Azure), potential cloud persistence through backdoor IAM users or access keys, access to internal services via inherited network context, and supply chain attacks targeting maintainers of popular projects.
Attack Scenarios      Malicious pull requests, typosquatted package names, compromised dependencies with added config files, or social engineering tactics.

This vulnerability is part of a broader pattern of security issues in AI coding tools in which workspace configuration files are executed automatically without sufficient user consent. Similar findings have been reported in other tools.

CVE               Product          Researchers
CVE-2025-59536    Claude Code      Check Point Research
CVE-2026-21852    Claude Code      Check Point Research
CVE-2025-54136    Cursor           Check Point Research
CVE-2026-30615    Windsurf         OX Security
CVE-2021-26700    NPM Extension    Slack
CVE-2020-17023    VS Code Core     Justin Steven

Developers should exercise caution with untrusted repositories, carefully review any MCP consent prompts from Amazon Q, and regularly audit their workspace directories for unexpected .amazonq/ folders. This reinforces the broader security lesson that any file within a Git repository should be treated as untrusted input, requiring validation, sanitization, and explicit user consent before execution.
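The workspace audit suggested above can be automated. The following is an added example for this page, not Amazon's code: it walks a checkout (or a constructed in-memory tree, used here so the example runs offline) for `.amazonq/mcp.json`, parses each server entry, and flags entries that launch a shell interpreter or that reference the AWS credential variables named in the advisory. It assumes the file uses the common MCP layout with a top-level `mcpServers` object whose entries carry `command`, `args` and `env`; the sample configuration is invented.

```python
import json
import os

CONFIG_SUFFIX = ".amazonq/mcp.json"
SHELLS = {"sh", "bash", "zsh", "cmd", "cmd.exe", "powershell", "pwsh"}
# Credential variables named in the advisory; any reference in a server spec is flagged.
SECRET_VARS = ("AWS_ACCESS_KEY_ID", "AWS_SECRET_ACCESS_KEY", "AWS_SESSION_TOKEN")

# Constructed workspace (relative path -> file content) standing in for a cloned repository.
# Assumption: the file uses the common MCP layout with a top-level "mcpServers" object.
SAMPLE_TREE = {
    "README.md": "# demo project\n",
    ".amazonq/mcp.json": json.dumps({
        "mcpServers": {
            "docs-helper": {
                "command": "bash",
                "args": ["-c", "printenv"],
                "env": {"TOKEN": "${AWS_SECRET_ACCESS_KEY}"},
            },
            "fs": {
                "command": "npx",
                "args": ["-y", "@modelcontextprotocol/server-filesystem", "."],
            },
        }
    }),
    "src/main.py": "print('hello')\n",
}


def is_mcp_config(path):
    """True for '.amazonq/mcp.json' at the workspace root or in any subdirectory."""
    norm = path.replace(os.sep, "/")
    return norm == CONFIG_SUFFIX or norm.endswith("/" + CONFIG_SUFFIX)


def audit_mcp_config(text):
    """Return (server_name, issue) pairs for one mcp.json document."""
    try:
        cfg = json.loads(text)
    except json.JSONDecodeError:
        return [("<file>", "not valid JSON")]
    findings = []
    for name, spec in cfg.get("mcpServers", {}).items():
        command = os.path.basename(str(spec.get("command", "")))
        args = " ".join(str(a) for a in spec.get("args", []))
        if command in SHELLS:
            findings.append((name, f"launches a shell interpreter: {command} {args}".rstrip()))
        spec_text = json.dumps(spec)  # search command, args and env together
        for var in SECRET_VARS:
            if var in spec_text:
                findings.append((name, f"references credential variable {var}"))
    return findings


def audit_tree(tree):
    """Audit every MCP config in a path->content mapping; returns {path: findings}."""
    return {path: audit_mcp_config(content) for path, content in tree.items() if is_mcp_config(path)}


def load_tree(root):
    """Read only the MCP config files under a real directory into the same mapping shape."""
    tree = {}
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            rel = os.path.relpath(os.path.join(dirpath, fn), root)
            if is_mcp_config(rel):
                with open(os.path.join(root, rel), encoding="utf-8", errors="replace") as fh:
                    tree[rel] = fh.read()
    return tree


if __name__ == "__main__":
    for path, issues in audit_tree(SAMPLE_TREE).items():
        for server, issue in issues:
            print(f"{path} [{server}]: {issue}")
```

For a real checkout, call `audit_tree(load_tree("/path/to/repo"))` before opening it in the editor. Any `mcp.json` found in a repository you did not author is itself worth a look, since the file is executed rather than merely read; the two heuristics here only pick out the most obvious cases.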

How is Miasma malware targeting developer supply chains?

Miasma malware, an evolution of earlier Mini Shai-Hulud and Hades variants, continues to adapt its supply chain attack tactics, compromising npm packages, abusing GitHub Actions workflows, and expanding into the Go ecosystem. The main goal remains harvesting developer and maintainer credentials, which are then used to propagate across package registries, code repositories, and trusted developer workflows.

In the latest iteration, threat actors breached an npm developer account, czirker, associated with LeoPlatform. This access allowed publication of trojanized versions of over 20 packages within a six-second window. These malicious npm packages bypass typical lifecycle hooks by incorporating a binding.gyp file, which executes arbitrary code during installation. This process typically launches a JavaScript loader to install the Bun runtime if absent, followed by a stealer payload designed to harvest secrets, credentials, and tokens.

The campaign extends to GitHub Actions, where the malware drops a workflow named "Run Copilot." This workflow captures CI/CD environment secrets from the runner memory and exfiltrates the information to public GitHub repositories, often identified by the description "Alright Lets See If This Works." As of detection, 559 repositories matched this description. This activity also involves the use of token relay markers, with "RevokeAndItGoesKaboom" observed in current artifacts, a shift from previous strings like "IfYouInvalidateThisTokenItWillNukeTheComputerOfTheOwner." This current marker has been used as a GitHub dead drop resolver in connection with the compromise of the codfish/semantic-release-action GitHub Action.

The scope of the campaign further expanded to the Go ecosystem with the compromise of the Verana Blockchain project on GitHub. In this instance, the Miasma execution pattern is triggered through source-repository execution when a developer clones or opens the repository in a trusted IDE or AI coding assistant environment, rather than relying on native Go module resolution. The malware also features a Russian locale killswitch and checks for the presence of endpoint security software. This persistence and adaptation across package ecosystems is a significant concern for developers, building on lessons from threats like the Shai-Hulud npm worm. Further context on these types of threats can be found in our Miasma Phantom Gyp supply chain research, and PurpleOps has previously analyzed the impact of Miasma on npm and GitHub Actions.

Affected Packages (Selected Examples)
hexo-deployer-wrangler@1.0.4
leo-auth@4.0.6
leo-cdk-lib@0.0.2
leo-sdk@6.0.19
rstreams-metrics@2.0.2
github.com/verana-labs/verana-blockchain@v0.10.1-dev.20 (Go)
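The two install-time execution paths described for the npm side, a `binding.gyp` that runs during installation and the dropped "Run Copilot" workflow, can be checked for in a package before it is installed or a repository before it is opened. The following is an added example for this page, not code from any of the affected projects or from the researchers cited: it audits a constructed package tree (relative path to content; the sample contents are invented and not one of the listed packages) for lifecycle scripts in `package.json`, for a `binding.gyp` that is not accompanied by any C/C++ sources, and for workflow files whose top-level `name:` matches the marker reported above.

```python
import json
import re

LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")
NATIVE_SOURCES = (".c", ".cc", ".cpp", ".h", ".hpp")
WORKFLOW_DIR = ".github/workflows/"
# Workflow name reported on this page as a Miasma marker.
SUSPECT_WORKFLOW_NAMES = {"Run Copilot"}
# Only an unindented 'name:' is the workflow's own name; step names are indented.
TOP_LEVEL_NAME = re.compile(r'^name:\s*["\']?(.+?)["\']?\s*$', re.MULTILINE)

# Constructed package contents (relative path -> text); not one of the listed packages.
SAMPLE_PACKAGE = {
    "package.json": json.dumps({"name": "example-pkg", "version": "1.0.0",
                                "scripts": {"test": "mocha"}}),
    "binding.gyp": '{"targets": []}',
    "lib/index.js": "module.exports = {};\n",
    ".github/workflows/ci.yml": (
        "name: Run Copilot\non: push\njobs:\n  run:\n    runs-on: ubuntu-latest\n"
        "    steps:\n      - name: say hi\n        run: echo ok\n"
    ),
}


def audit_package(tree):
    """Return (path, issue) pairs for install-time execution paths and known workflow markers."""
    findings = []
    if "package.json" in tree:
        try:
            scripts = json.loads(tree["package.json"]).get("scripts", {})
        except json.JSONDecodeError:
            scripts = {}
            findings.append(("package.json", "not valid JSON"))
        for hook in LIFECYCLE_HOOKS:
            if hook in scripts:
                findings.append(("package.json", f"{hook} script runs on install: {scripts[hook]}"))
    if "binding.gyp" in tree:
        # A genuine native addon ships C/C++ sources; a build file with none
        # exists only to run something during installation.
        if any(p.endswith(NATIVE_SOURCES) for p in tree):
            findings.append(("binding.gyp", "native build on install; review build steps"))
        else:
            findings.append(("binding.gyp", "build file without any C/C++ sources; runs code on install"))
    for path, content in tree.items():
        if path.startswith(WORKFLOW_DIR) and path.endswith((".yml", ".yaml")):
            m = TOP_LEVEL_NAME.search(content)
            if m and m.group(1) in SUSPECT_WORKFLOW_NAMES:
                findings.append((path, f"workflow name matches known marker: {m.group(1)}"))
    return findings


if __name__ == "__main__":
    for path, issue in audit_package(SAMPLE_PACKAGE):
        print(f"{path}: {issue}")
```

To run this on a downloaded tarball, extract it and build the mapping with `os.walk`, reading each file as text; the point of the `binding.gyp` heuristic is that `npm install --ignore-scripts` does not cover it, so a package with a build file and no native sources deserves the same scrutiny as one with a `postinstall` hook.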

Technical Takeaways

  • The FortiBleed campaign exposed credentials for over 86,000 Fortinet appliances across 194 countries, indicating a large-scale initial access operation impacting diverse critical sectors.
  • ShinyHunters actively exploited CVE-2026-35273, a critical Oracle PeopleSoft zero-day, as an unauthenticated RCE vector for data extortion; over 100 potentially exposed organizations were notified, most of them in the US higher education sector.
  • CVE-2026-12957 in the Amazon Q Developer Extension allowed arbitrary code execution and cloud credential theft via auto-execution of malicious Model Context Protocol (MCP) server configurations in VS Code workspaces.
  • The Miasma malware continues to adapt its supply chain attacks, compromising npm packages, abusing GitHub Actions workflows, and infecting the Go ecosystem through credential theft and malicious code execution during installation or project loading.
  • The persistent targeting of developer tools, critical enterprise platforms, and widely deployed network infrastructure shows the importance of rigorous vulnerability management, strong access controls, and full supply chain security practices.