29th June – Threat Intelligence Report


For the latest discoveries in cyber research for the week of 29th June, please download our Threat Intelligence Bulletin.

TOP ATTACKS AND BREACHES

Polymarket, a large cryptocurrency-based prediction market, has confirmed a supply chain attack after a third-party frontend vendor breach led to malicious JavaScript being injected into its website. Attackers tricked users into approving fraudulent transactions, stealing about $3 million from fewer than 15 accounts, while the backend remained unaffected.

KDDI, a Japanese telecom operator, has reported a breach of its ISP email platform after detecting an intrusion on June 17. Up to 14.22 million email addresses and passwords may have been compromised across services from six ISPs, including J:COM and Biglobe.

Indian electronics and semiconductor manufacturer Tata Electronics, a supplier to Apple and Tesla, has suffered a cyberattack and data breach. The company said IT systems were affected, while the World Leaks group claimed 630GB of data, including alleged supplier and customer documents.

Brazil’s National Civil Defense warning platform, managed by telecom regulator Anatel, has faced a cyberattack that sent a fake “Extreme Alert” to phones across several regions. Officials took the system offline after the message reached users in Paraná, São Paulo, and Rio de Janeiro.

The National Association of Insurance Commissioners, a US insurance regulatory standards body, has confirmed a cyberattack after ShinyHunters claimed theft of 3.1TB of data through an Oracle PeopleSoft zero-day. The group claimed access to regulatory filings, production logs, cloud configuration files, and other internal records.

AI THREATS

Researchers have detailed EvilTokens, an AI-powered phishing-as-a-service operation abusing device-code authentication to steal Microsoft 365 tokens. Huntress observed a 1,380% surge in device-code phishing in early 2026, with AI-generated lures and automated workflows lowering attacker effort.

Researchers have crafted a fake AI skill that hijacked more than 26,000 AI agents by abusing trusted marketplaces and Instagram ads in a supply chain attack. The package initially appeared clean, then used attacker-controlled external instructions after approval to trigger data exfiltration across agent platforms.

LayerX researchers have demonstrated BioShocking AI, a technique that tricks agentic browsers into bypassing their guardrails. Test cases against ChatGPT Atlas, Perplexity Comet, Claude in Chrome, and other AI browsers showed how game-like prompts could expose credentials and user data.

VULNERABILITIES AND PATCHES

Cisco has addressed CVE-2026-20245, a high-severity command injection flaw in Catalyst SD-WAN Manager that attackers exploited as a zero-day for months. The flaw allows an administrator to run root commands through a crafted file, affecting on-premises and Cisco-managed cloud deployments.

Dify has released version 1.14.2 to fix four vulnerabilities in its open-source AI platform, including critical CVE-2026-41947 and CVE-2026-41948. The flaws could allow unauthenticated access and cross-tenant data exposure, including chat content and uploaded files.

Ubiquiti UniFi OS is affected by three flaws, CVE-2026-34908, CVE-2026-34909, and CVE-2026-34910, which are reportedly being exploited against network appliances. The vulnerabilities allow unauthorized changes, file access, and command execution, with exploitation observed in Mirai botnet activity.

Check Point IPS provides protection against these threats (Ubiquiti UniFi OS Privilege Escalation (CVE-2026-34908), Ubiquiti UniFi OS Directory Traversal (CVE-2026-34909), Ubiquiti UniFi OS Command Injection (CVE-2026-34910)).

Langflow, an open-source AI workflow tool, is reportedly being targeted through exploitation of CVE-2026-55255, alongside ongoing mass exploitation of CVE-2026-33017. Attackers enumerated flow IDs to run victim pipelines and extract embedded API keys, while remote code execution enabled malware deployment and cloud credential theft.

Check Point IPS provides protection against this threat (Langflow Remote Code Execution (CVE-2026-33017)).

THREAT INTELLIGENCE REPORTS

Researchers have uncovered the FortiBleed campaign, which converts compromised FortiGate firewalls into passive credential stealers across 24 protocols. The operation targeted more than 430,000 devices worldwide and siphoned more than 110 million credentials.

Researchers have attributed the StockStay espionage malware to Russia-linked Turla and described targeting of Ukrainian government and defense organizations. The malware evolved from a fake stock app to PDF reader and calculator lookalikes, delivered through phishing with malicious remote desktop configuration files.

Researchers have revealed that the Chinese DCloud Uni-App framework has powered at least 236,493 scam domains since 2022, including fake crypto exchanges, wallet drainers, WhatsApp phishing, and gambling schemes. Technical fingerprints suggest centralized operators, likely China-based, supporting a broad fraud ecosystem.

Researchers have analyzed the FulcrumSec cloud extortion group targeting cloud-native organizations. The group exploits exposed credentials, unpatched applications, and misconfigured storage, then uses broad permissions to move across environments, collect data for months, and exfiltrate it using legitimate tools.

The post 29th June – Threat Intelligence Report appeared first on Check Point Research.