Front Page

Web Threat

Hiding in Plain Sight: 2,000 Hacked WordPress Sites Pull Their Orders From Steam Profile Comments

A campaign uncovered this week compromised nearly 2,000 WordPress sites and stashed its command-and-control instructions where almost no defender thinks to look — inside the comment fields of legitimate Steam Community profiles. Invisible Unicode characters encode a payload that, once decoded, resolves to a malicious script URL.

By turning Valve's trusted platform into a dead-drop resolver, the operators skip standing up their own C2 infrastructure and slide past reputation- and domain-based blocking entirely; a takedown means editing a Steam profile, not seizing a server. Forensic priority: capture the injected plugin and theme code, decode the zero-width Unicode strings to recover the resolver URL, and pivot on outbound requests to Steam profile endpoints from server-side hosts that have no business talking to a gaming platform.
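A defender-side triage helper for the "decode the zero-width Unicode strings" step above, added here as an example; it is not the campaign's code or the researchers' tooling. The 8-bit ZWSP/ZWNJ mapping is an assumption (the article does not describe the real encoding), and the sample comment and URL are constructed placeholders.

```python
import re

# Zero-width / invisible code points commonly used to hide text in plain sight.
ZERO_WIDTH = {
    "\u200b": "ZWSP", "\u200c": "ZWNJ", "\u200d": "ZWJ", "\u2060": "WJ",
    "\u2061": "FA", "\u2062": "IT", "\u2063": "IS", "\u2064": "IP",
    "\ufeff": "ZWNBSP", "\u180e": "MVS",
}
_ZW_CLASS = "[" + re.escape("".join(ZERO_WIDTH)) + "]"

def find_hidden_runs(text, min_len=8):
    """Return (offset, run) for each run of at least min_len zero-width characters.
    A few ZWJ/ZWNJ are normal in emoji and some scripts; long runs are not."""
    pattern = re.compile(_ZW_CLASS + "{%d,}" % min_len)
    return [(m.start(), m.group()) for m in pattern.finditer(text)]

def decode_binary_run(run, zero="\u200b", one="\u200c"):
    """Decode a run under an ASSUMED scheme: ZWSP = 0, ZWNJ = 1, 8 bits per byte,
    other zero-width characters ignored. The article gives no real mapping."""
    bits = "".join("0" if c == zero else "1" for c in run if c in (zero, one))
    nbytes = len(bits) // 8
    raw = bytes(int(bits[i * 8:(i + 1) * 8], 2) for i in range(nbytes))
    return raw.decode("utf-8", errors="replace")

def strip_hidden(text):
    """Visible text only, for a side-by-side view in the forensic report."""
    return re.sub(_ZW_CLASS, "", text)

def triage_comment(text, min_len=8):
    """One finding per hidden run: offset, length, character kinds, decoded guess."""
    return [{
        "offset": off, "hidden_chars": len(run),
        "kinds": sorted({ZERO_WIDTH[c] for c in run}),
        "decoded": decode_binary_run(run),
    } for off, run in find_hidden_runs(text, min_len)]

def _hide_for_sample(secret, zero="\u200b", one="\u200c"):
    """Builds the CONSTRUCTED sample below with the same assumed mapping."""
    return "".join(one if b == "1" else zero
                   for byte in secret.encode() for b in format(byte, "08b"))

# Constructed sample: an innocuous-looking profile comment carrying a hidden URL
# (placeholder host, not an indicator from the article).
SAMPLE_COMMENT = "gg, good game " + _hide_for_sample("https://placeholder.invalid/x.js") + " :)"

if __name__ == "__main__":
    print("visible :", strip_hidden(SAMPLE_COMMENT))
    for finding in triage_comment(SAMPLE_COMMENT):
        print(finding)
```

Run it over exported profile comments or captured HTTP bodies; anything with a long zero-width run is worth a closer look regardless of whether the assumed decoding yields a readable URL.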

Supply Chain

IronWorm Burrows Through npm: 36 Packages Turned Into a Self-Spreading Harvester of AI and Cloud Keys

Researchers disclosed IronWorm, an infostealing worm that infected 36 npm packages and hunts a sweeping target list — 86 environment variables and 20 credential files spanning Anthropic, OpenAI, AWS, and npm tokens, Vault configuration files, SSH keys, and Exodus cryptocurrency wallets. Each compromised maintainer becomes a launch pad for the next wave of infections.

The shift is notable: AI-provider API keys now sit alongside cloud and crypto secrets as first-class loot, a reflection of how deeply LLM gateways have wired themselves into modern build pipelines. Forensic priority: reconstruct npm publish events and maintainer-token usage, diff package-lock histories to scope the blast radius, and treat every secret exposed to an affected CI runner — AI keys most of all — as burned and rotate it.

Threat Bulletin

CRITICAL
CVE-2026-50751

Check Point Remote Access & Mobile Access VPN — an improper-authentication logic flaw in how IKEv1 validates certificates lets an unauthenticated attacker establish a VPN session without valid credentials; CVSS 9.3. Exploited in the wild since May 7 and tied with medium confidence to a Qilin ransomware affiliate; added to CISA KEV June 8. Forensic Note: Audit VPN and IKEv1 logs from May 7 onward for sessions lacking a machine certificate, flag gateways still accepting legacy IKEv1 clients, and check for the related site-to-site MitM bug CVE-2026-50752.

ACTIVE EXPLOIT
CVE-2026-42271

BerriAI LiteLLM (AI gateway) — two Model Context Protocol preview endpoints accept full stdio-transport server configs, letting any authenticated API-key holder spawn subprocesses and run arbitrary commands as the proxy; CVSS 8.7. Chained with Starlette's CVE-2026-48710 for unauthenticated RCE; CISA KEV June 8, fix v1.83.7. Forensic Note: Hunt POSTs to /mcp-rest/test/connection and /tools/list, review proxy process-spawn telemetry, and rotate every model-provider key the gateway holds.

Malware Spotlight

Magecart — GTM & Stripe Skimming

A renewed Magecart campaign abuses Google Tag Manager and the Stripe API to load client-side card-skimming code from inside trusted, already-allow-listed domains. Because the skimmer rides Google and Stripe infrastructure, it sails straight past Content-Security-Policy rules and network blocklists that implicitly trust those origins, harvesting payment data at checkout without ever touching attacker-owned hosts. Forensic Note: Inspect the GTM container's change history, hunt rogue localStorage artifacts staging captured card data, review CSP exceptions and Stripe customer metadata, and capture the live checkout DOM at the moment of payment to preserve the injected logic.