A week with three readings that go beyond the usual CVE: a mass campaign with no patch because the problem is passwords that were never rotated, a first-tier government agency warning that AI adoption in development is moving too fast, and research proving that GitHub Actions .yml files are security-critical code that almost nobody treats as such. The summary you need before the weekend.

The three stories of the week

🔴 FortiBleed: Russian actors compromised 86,644 Fortinet firewalls with credentials that were never rotated as CISA issues urgent alert

Researchers discovered the active infrastructure of a Russian-speaking group that had executed 1.16 billion authentication attempts against more than 320,000 FortiGate devices. Result: 86,644 verified credentials across 194 countries, with username, email and plaintext password. 64.3% correspond to generic administrator accounts or built-in Fortinet accounts never renamed from factory defaults. CISA issued an urgent alert on 19 June. There is no CVE to fix with a patch: the problem is operational. Credentials were never rotated, management interfaces are internet-exposed, and devices on versions prior to FortiOS 7.2.11 store passwords with GPU-crackable SHA-256.

→ What you should do: Terminate all active VPN sessions. Rotate all administrative passwords, especially any not changed in the last 12 months. Verify that devices run FortiOS 7.2.11, 7.4.8, 7.6.1 or later, where PBKDF2 password hashing is available. Block external access to the management interface. Check whether the FortiGate IP appears in the dataset using the Hudson Rock FortiBleed lookup tool. Full analysis →

🔴 NCSC warns: AI-generated code without supervision could become 2026’s biggest vulnerability vector

The UK's National Cyber Security Centre, the British equivalent of Spain's CCN-CERT, published a formal warning about vibe coding: the practice of delegating code writing to generative AI models with minimal human oversight. The defect rate per line of code has not improved over time, but vibe coding multiplies the total volume of code in production. The result is functional code with invisible security debt. The NCSC does not ban using AI for coding: it distinguishes between low-risk projects, where it is acceptable, and critical systems, where it requires thorough review before reaching production. The warning connects directly to Cordyceps (see below): AI agents generating CI/CD configurations reproduce the same insecure patterns at scale.

→ What you should do: Calibrate oversight level to system risk. Developers must understand code before deploying it. Incorporate AI-code-specific security review into the development process. For CI/CD agents, apply Microsoft’s Agents Rule of Two: no AI workflow should simultaneously have untrusted input, sensitive secrets and the ability to act externally. Full analysis →

🔴 Cordyceps: the new CI/CD vulnerability class in GitHub that any free account can exploit to compromise repositories at Microsoft, Google, Apache and Cloudflare

Novee Security published the full research on Cordyceps, a systemic class of vulnerabilities in GitHub Actions workflows. It is not a CVE for a specific tool: it is a pattern of insecure workflow composition that traditional scanners do not detect. The chain: a PR or comment from a free account triggers a low-privilege workflow, whose output crosses unvalidated into a high-privilege workflow with access to permanent cloud keys. Of the 30,000 repositories scanned, more than 300 were fully exploitable. Concrete cases: on Microsoft Azure Sentinel, a PR comment stole a non-expiring GitHub App key with write access to customer workspaces. On Google, a PR granted roles/owner over a Google Cloud project. On Python Black (130 million monthly installs), any PR allowed forging approvals and poisoning official Docker images.

→ What you should do: Treat GitHub Actions .yml files as security-critical code. Audit all workflows for PR inputs interpolated directly into shell commands. Update actions/checkout to the latest version. Rotate all GitHub Actions tokens and secrets. Include CI/CD auditing in the next pentesting scope. Full analysis →
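As an added example, not code from Novee Security's research or from the original post: a small Python scanner for the first audit step above, untrusted PR, issue or comment fields expanded directly inside a `run:` step, run over a constructed vulnerable workflow and its hardened form, in which the same value reaches the shell only through an environment variable. The list of untrusted contexts and both sample workflows are assumptions of this example.

```python
import re

# Constructed sample workflow: PR-controlled text is expanded straight into the shell script.
VULNERABLE_WORKFLOW = """\
on: pull_request_target
jobs:
  triage:
    steps:
      - run: |
          echo "New PR: ${{ github.event.pull_request.title }}"
"""

# Constructed hardened form: the value reaches the shell only via an environment variable.
HARDENED_WORKFLOW = """\
on: pull_request_target
jobs:
  triage:
    steps:
      - env:
          PR_TITLE: ${{ github.event.pull_request.title }}
        run: |
          echo "New PR: $PR_TITLE"
"""

# Expression contexts whose value is chosen by whoever opened the PR, issue or comment.
UNTRUSTED = re.compile(
    r"\$\{\{\s*(?:github\.event\.(?:pull_request|issue|comment|review|review_comment"
    r"|workflow_run)\.[\w.]+|github\.head_ref|github\.event\.head_commit\.message)\s*\}\}"
)
RUN_KEY = re.compile(r"^(\s*)(?:-\s+)?run:\s*(.*)$")

def run_step_lines(workflow_text):
    """Yield (line_no, text) for each line of a run: step, inline or block scalar (| or >)."""
    lines, i = workflow_text.splitlines(), 0
    while i < len(lines):
        m = RUN_KEY.match(lines[i])
        i += 1  # i is now the 1-based number of the line just examined
        if not m:
            continue
        indent, rest = len(m.group(1)), m.group(2).strip()
        if not rest.startswith(("|", ">")):
            yield i, rest  # inline script on the same line as the key
            continue
        while i < len(lines) and (not lines[i].strip() or len(lines[i]) - len(lines[i].lstrip()) > indent):
            yield i + 1, lines[i]
            i += 1

def find_script_injections(workflow_text):
    """Return (line_no, expression) for each untrusted context expanded inside a run: step."""
    return [(n, m.group(0)) for n, text in run_step_lines(workflow_text) for m in UNTRUSTED.finditer(text)]
```

Point it at the text of each workflow under `.github/workflows/` and triage every finding; a clean result only covers direct expansion into shell steps, not outputs crossing between workflows.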

Apolo Cybersecurity: your weekly cybersecurity partner

Every Friday we break down the news that really matters for your organisation’s security. If you want to know how exposed your business is to any of these threats, we’re one click away.
