InfoSec Briefing - June 02, 2026

🎧 Audio Briefing

Playback Speed:

Cyber security developments for Tuesday the 2nd of June 2026 covering articles added to the BlueTeamSec community on infosec.pub. Today we have 7 articles to cover. All attribution is by the article authors. All article analysis is automated.

LevelBlue have documented a North Korean campaign targeting macOS users in finance and cryptocurrency sectors. Sapphire Sleet are using social engineering to deliver malicious AppleScript files disguised as Zoom updates, then abusing legitimately signed macOS binaries to steal credentials and cryptocurrency wallets. Worth flagging if you're dealing with high-value targets in those sectors.

The Army Cyber Institute have published something a bit unusual — an investigation showing commercial web trackers, including foreign-owned ones like TikTok, are extensively present on U.S. Army unclassified networks, representing 20% of top domains. The concern is pattern-of-life profiling and foreign intelligence collection from browsing habits and geolocation data. One for anyone thinking about tracker exposure on defence networks.

Veeam have disclosed a critical remote code execution flaw in their Service Provider Console, version 9.2.0 and earlier, with a patch now available. Authenticated attackers can execute arbitrary code when alarm script execution is enabled — CVSS 9.4.

SafeBreach Labs disclosed a Windows 11 sandbox escape vulnerability they're calling 'Click or Trick'. It chains misconfigurations across COM infrastructure, notifications, and URI handling to let low-integrity processes escalate to medium-integrity with a single user click. Microsoft patched it last October, so this is disclosure after fix.

Cryptika reported that a now-patched vulnerability in Meta's AI-powered account recovery for Instagram allowed attackers to hijack high-value accounts through prompt injection against the chatbot. Password reset codes were obtained by bypassing identity verification entirely, and accounts were quickly sold on Telegram before Meta closed it down. Accounts with two-factor authentication enabled remained protected.

Aikido Security have written up a supply chain attack on the npm package 'codexui-android', which has 27,000 weekly downloads. Malicious code was injected only in published versions to exfiltrate OpenAI tokens, including non-expiring refresh tokens, with the payload XOR-encrypted and disguised as Sentry traffic. The malicious code was absent from the GitHub repository, which is either quite deliberate or a very unfortunate accident.

And another supply chain story — SafeDep documented the OOB-Moika campaign, where attackers published 179 malicious npm packages using scoped namespaces that mimic internal services of a cloud platform provider and a financial services company. The attack exploited high version numbers to trick build systems into pulling public packages instead of private ones. Following on from the stories we covered over the weekend, this is yet another dependency confusion campaign.

That concludes today's briefing.

📰 Articles Covered

Sapphire Sleet Targets macOS in Multi-Stage Intrusion Campaign - LevelBlue

The following precis outlines the multi-stage macOS intrusion campaign orchestrated by the North Korean state-sponsored threat actor Sapphire Sleet (also known as BlueNoroff/UNC1069) 【1】.

### Overview
Sapphire Sleet has launched a sophisticated campaign targeting high-value individuals and organizations within the financial, venture capital, Web3, and cryptocurrency sectors 【1】. The campaign is notable for its shift toward "trust abuse," where the attackers leverage legitimate, signed macOS binaries—such as Script Editor and Finder—to execute malicious code while evading traditional security detection mechanisms 【1】.

### Technical Details
The attack follows a multi-stage lifecycle:

* **Initial Access:** Attackers use social engineering via professional platforms (e.g., LinkedIn, Telegram) to pose as recruiters or investors. Victims are tricked into running a malicious "Zoom SDK update" file (`Zoom SDK Update.scpt`), which opens in the native macOS Script Editor 【1】.
* **Execution & Obfuscation:** The malicious script uses extensive whitespace padding to hide its logic. It triggers a chain of `Script Editor` → `osascript` → `curl` to download further payloads 【1】.
* **Credential & Privacy Bypass:** The malware displays a fake system password prompt (`systemupdate.app`) and abuses the native Finder application to modify the system privacy database (`TCC.db`), granting itself unauthorized permissions 【1】.
* **Persistence & Exfiltration:** Persistence is maintained via a `LaunchDaemon` (`com.google.webkit.service.plist`) that executes a backdoor (`icloudz`) at startup. The malware then profiles and exfiltrates sensitive data, including browser extension storage, SSH keys, and cryptocurrency wallets 【1】.

### Security Implications
While some of the initial infrastructure has been mitigated, the core tradecraft remains highly dangerous 【1】. Because the attackers utilize native, trusted binaries, they can easily pivot to new domains and file names, rendering static indicators of compromise (IoCs) insufficient for long-term defense 【1】.

### Recommendations for Defenders
Defenders should prioritize behavioral monitoring over static indicators, specifically focusing on:

* **Execution Chains:** Alert on suspicious sequences involving `Script Editor` spawning `osascript` and `curl` 【1】.
* **System Integrity:** Monitor for unauthorized modifications to the `TCC.db` privacy database 【1】.
* **Persistence Mechanisms:** Inspect for unusual `LaunchDaemons` or configuration files, specifically `com.google.webkit.service.plist` 【1】.
* **Forensic Artifacts:** Look for the presence of suspicious files in paths such as `~/Library/Application Support/Authorization/auth.db` or `~/Library/Application Support/iCloud/icloudz` 【1】.
Tracking The Trackers: Commercial Surveillance Occurring on U.S. Army Networks - Army Cyber Institute

The article from the Army Cyber Institute (ACI) details an investigation into the prevalence and security risks of commercial web tracking on U.S. Army unclassified networks (DoDIN-A) 【1】.

### What Happened
The ACI utilized data from the Cloud-Based Internet Isolation (CBII) platform to analyze web traffic on government networks. The study revealed that a significant portion of web traffic on these networks involves commercial trackers, which collect user data for advertising and analytics purposes 【1】.

### Who is Affected
The primary targets are service members, civilian employees, and military-affiliated personnel who access the internet via government-provided unclassified networks. Their browsing habits, geolocation, and device information are being harvested by commercial entities 【1】.

### Security Implications
The report identifies several high-stakes risks stemming from this commercial surveillance:
* **Force Protection and OPSEC:** The aggregation of Commercially Available Information (CAI) allows for the construction of detailed "patterns of life" profiles. This can expose home addresses, daily routines, and the locations of sensitive military facilities, creating physical security vulnerabilities 【1】.
* **Foreign Intelligence Risks:** The presence of trackers associated with foreign-owned entities (such as TikTok/ByteDance) on government networks creates a direct pathway for foreign intelligence collection 【1】.
* **Malvertising:** The AdTech ecosystem can be weaponized by malicious actors to deliver malware directly to government workstations via compromised advertisements 【1】.
* **Data Brokerage:** Sensitive data points are often sold to third-party data brokers with minimal oversight, making it difficult to control how or where that information is ultimately used 【1】.

### Technical Details
* **Methodology:** Researchers analyzed the top 1,000 requested URLs on DoDIN-A during two separate periods in 2024, cross-referencing them with the "WhoTracks.me" database 【1】.
* **Prevalence:** Tracker domains represented roughly 20% of the top accessed resources. In the second study period, these domains accounted for nearly 42% of all web connection requests 【1】.
* **Tracker Composition:** The majority of these trackers are categorized as site analytics (~46-47%) or advertising (~24-27%). Major entities identified as frequent operators include Adobe, Akamai, Microsoft, Quantum Metric, and TikTok 【1】.

### What Defenders Should Know
The ACI suggests a multi-layered defense strategy to mitigate these risks:
* **CBII Policy Hardening:** Tracker domains should be moved to an "isolate, read-only" policy rather than an "allow" policy to strip out tracking scripts before content is rendered to the user 【1】.
* **Endpoint Configuration:** Administrators should use Intune and Group Policy Objects (GPO) to block cross-site cookies, tracking content, and unnecessary scripts by default on all workstations 【1】.
* **Policy and Contracting:** The DoD should update internal policies to explicitly categorize "Advertising" and "Tracking" as restricted content. Furthermore, future commercial software contracts should mandate data minimization and strictly limit third-party data transfers 【1】.
* **Personnel Awareness:** Increased training is required to ensure that service members and civilian staff understand the risks associated with commercial tracking and how their digital footprint can be exploited 【1】.
KB4853: Vulnerability Resolved in Veeam Service Provider Console 9.2.1 - "A vulnerability in Veeam Service Provider Console allows for remote code execution." - CVSS 9.4 - Veeam Software

This precis summarizes the security vulnerability disclosed in Veeam KB4853 regarding the Veeam Service Provider Console.

### Overview
A critical remote code execution (RCE) vulnerability, tracked as **CVE-2026-32998**, was identified in the Veeam Service Provider Console. This vulnerability allows an authenticated attacker to execute arbitrary code on the affected server 【1】.

### Affected Versions
The vulnerability affects **Veeam Service Provider Console 9.2.0.33215 and all earlier version 9 builds** (including versions 9.1, 9.0, and 8) 【1】.

### Security Implications
With a CVSS v3.1 score of **9.4 (Critical)**, this vulnerability poses a severe risk. Successful exploitation grants an attacker the ability to execute code remotely, potentially leading to full system compromise, data exfiltration, or further lateral movement within the network 【1】.

### Technical Details
* **Vulnerability Type:** Remote Code Execution (RCE) 【1】.
* **Exploit Condition:** The vulnerability can only be exploited if **alarm script execution** is enabled 【1】.
* **Default State:** In version 9.2.0.33215, alarm script execution is disabled by default for new deployments and upgrades where no alarms had a script execution action configured 【1】.

### Guidance for Defenders
Defenders should take the following actions to secure their environments:

1. **Primary Remediation:** Upgrade to **Veeam Service Provider Console 9.2.1.33875** or later, which contains the fix for this vulnerability 【1】.
2. **Mitigation (for 9.2.0.33215 only):** If an immediate upgrade is not possible, administrators can verify and mitigate the risk by checking the configuration file:
* Locate `C:\ProgramData\Veeam\Veeam Availability Console\Configuration\Service\configuration.overrides.json` 【1】.
* Identify the `AlarmManagement_ScriptExecutionEnabled` setting 【1】.
* If the value is `True`, change it to `False` and restart the **Veeam Management Portal Service** 【1】.
* If the setting is missing or set to `False`, the deployment is not affected 【1】.
3. **Note on Older Builds:** Mitigation via the configuration file is **not possible** for builds older than 9.2.0.33215 (e.g., 9.1, 9.0, 8). These versions must be upgraded to the patched build 【1】.
Click Or Trick (CVE-2025-59199): Escaping the Sandbox with Windows URIs - SafeBreach Labs

The summary provided accurately captures the core components of the "Click or Trick" vulnerability (CVE-2025-59199). To ensure you have the complete picture, here is the finalized precis based on the research.

### **Precise: CVE-2025-59199 ("Click or Trick")**

#### **What Happened**
SafeBreach Labs researchers identified a sandbox escape vulnerability in Windows 11 that enables a low-integrity process to escalate privileges to a medium-integrity level and perform arbitrary file writes, requiring only a single user interaction (a click) 【1】.

#### **Who is Affected**
The vulnerability impacted Windows 11 systems. It was responsibly disclosed to Microsoft on July 13, 2025, and subsequently addressed in the October 2025 Patch Tuesday updates 【1】.

#### **Security Implications**
This vulnerability demonstrates a sophisticated "chaining" attack that bypasses Windows Mandatory Integrity Control (MIC). By leveraging misconfigurations across disparate Windows subsystems, an attacker can escape a restricted sandbox environment to execute code and write files with the permissions of a medium-integrity process, effectively escalating their reach within the system 【1】.

#### **Technical Details**
The exploit chain relies on the interaction between four distinct security domains:
* **COM Infrastructure:** A misconfigured COM object (`editionupgradebroker`) utilized the `APPIDREGFLAGS_IUSERVER_UNMODIFIED_LOGON_TOKEN` flag, which incorrectly allowed a low-integrity process to spawn a medium-integrity server process 【1】.
* **Windows App Identity & Notifications:** The `ShowToast` function was abused to trigger a toast notification appearing to come from a trusted application (e.g., the Snipping Tool), while simultaneously appending a malicious command-line argument 【1】.
* **URI Handling:** The Snipping Tool’s `/uri` command-line switch was weaponized to redirect execution to a target application via a `redirect-uri` parameter 【1】.
* **Browser DevTools Protocol (CDP):** By injecting parameters into an MS-Teams URI, the researchers launched the application with the `--remote-debugging-port` flag. This enabled interaction via the Chrome DevTools Protocol, allowing the attacker to use commands like `Browser.setDownloadBehavior` to write arbitrary files to the disk 【1】.

#### **What Defenders Should Know**
This research underscores the danger of "interconnectedness" in modern operating systems. Vulnerabilities often emerge in the gaps between unrelated subsystems that were never intended to interact. Defenders should recognize that:
* Complex, multi-component applications significantly expand the attack surface.
* Security boundaries can be bypassed by chaining seemingly benign features across different subsystems.
* Regular patching remains critical, as this exploit relied on specific misconfigurations within Windows components that required vendor-level remediation 【1】.
Instagram Meta AI Vulnerability Allegedly Enables Password Reset for Accounts via prompt injection with bot - now patched - Cryptika

This report summarizes the security incident involving a vulnerability in Meta’s AI-powered account recovery tool on Instagram.

### **Incident Overview**
A critical flaw in Meta’s AI-driven account recovery system allowed unauthorized individuals to hijack high-value Instagram accounts 【1】. By engaging the AI chatbot in conversation, attackers successfully tricked the system into forwarding password reset codes without performing any identity verification 【1】.

### **Affected Parties**
The attack specifically targeted "high-value" accounts, particularly those with short, premium usernames (e.g., @hey and @jowo) that hold significant resale value in underground markets 【1】. Some of these compromised accounts were valued at over $1 million combined and were quickly sold through private Telegram channels before Meta could intervene 【1】.

### **Technical Details**
The incident was not a result of a traditional server breach or a compromise of Meta’s backend systems 【1】. Instead, the vulnerability resided in the AI’s logic layer, which lacked the necessary authentication enforcement and rate-limiting to prevent malicious actors from initiating unauthorized account takeovers simply by knowing a target's username 【1】【1】.

### **Security Implications**
This event highlights the significant risks introduced when AI-assisted support tools are granted access to sensitive functions like account recovery 【1】. It demonstrates that as AI tools gain deeper integration into account management, they become a critical attack surface susceptible to social engineering, necessitating much stricter security safeguards 【1】.

### **Recommendations for Defenders**
Accounts protected by two-factor authentication (2FA) remained secure during this incident 【1】. Security experts recommend the following protective measures:

* **Prioritize App-Based 2FA:** Use authentication apps (e.g., Google Authenticator or Authy) rather than SMS-based verification 【1】.
* **Enhance Privacy:** Use a private, dedicated email address that is not publicly linked to your Instagram profile 【1】.
* **Practice Good Password Hygiene:** Avoid reusing passwords across different platforms and utilize a reputable password manager 【1】.
* **Monitor Account Activity:** Regularly review login activity via Instagram’s Security Settings 【1】.
* **Secure Backup Codes:** Maintain and store backup codes in a secure location for emergency recovery scenarios 【1】.
Legitimate-Looking Codex Remote UI Secretly Steals Your AI Tokens - Aikido Security

The article details a sophisticated supply chain attack involving the `codexui-android` npm package, a popular tool for interacting with OpenAI Codex that was weaponized to exfiltrate sensitive AI authentication tokens 【1】.

### What Happened
A threat actor created a functional and widely used tool, `codexui-android`, which garnered 27,000 weekly downloads 【1】. For approximately one month, the published versions of this package contained malicious code that was absent from the corresponding GitHub repository 【1】. This code quietly exfiltrated user authentication tokens to an attacker-controlled server every time the tool was invoked 【1】.

### Who Is Affected
Users who installed the `codexui-android` npm package or the associated Android application, "OpenClaw Codex Claude AI Agent" (package ID `gptos.intelligence.assistant`), are affected 【1】.

### Security Implications
The attack exfiltrates the entire `auth.json` file, including the `access_token`, `refresh_token`, `id_token`, and account ID 【1】. Because the `refresh_token` does not expire, attackers gain the ability to silently impersonate the victim indefinitely, granting them persistent access to all capabilities associated with the compromised account 【1】【1】.

### Technical Details
* **Injection Point:** The malicious code is injected into `dist-cli/index.js` and executes immediately upon module load 【1】【1】.
* **Exfiltration Process:** The script reads the user's `auth.json` file, XOR-encrypts the content using the key `"anyclaw2026"`, and sends it via a POST request to `sentry.anyclaw.store/startlog` 【1】.
* **Evasion:** The attacker used a domain name (`sentry.anyclaw.store`) designed to mimic legitimate Sentry error-reporting traffic to blend in with normal network activity 【1】.
* **Android Vector:** The Android app uses a PRoot sandbox to run Node.js, which automatically pulls the latest (compromised) version of the npm package upon launch 【1】.

### What Defenders Should Know
* **Trust is not a security control:** Threat actors are increasingly building legitimate, useful tools to establish trust and grow a user base before introducing malicious functionality 【1】.
* **Source vs. Artifact Discrepancy:** Auditing the source code on GitHub is insufficient, as the published npm package may contain code that is not present in the repository 【1】.
* **High-Value Targets:** AI developer tools are prime targets because they handle powerful, long-lived authentication tokens that provide broad, persistent access to sensitive systems 【1】.
179 npm Packages Target Cloud and Finance via oob.moika.tech - SafeDep

The "OOB-Moika" campaign is a sophisticated dependency confusion attack identified in late May 2026, targeting internal software ecosystems of specific organizations 【1】.

### What Happened
Starting May 27, 2026, malicious actors published hundreds of packages to the public npm registry using scoped namespaces that mirrored internal service names of a cloud platform provider and a financial services company 【1】. By using high version numbers (e.g., `99.99.99`), the attackers tricked automated build systems and developers into downloading the malicious public packages instead of the intended private internal ones 【1】.

### Who is Affected
The campaign specifically targets developers and CI/CD pipelines within organizations that use private npm scopes but have not strictly locked those scopes to a private registry 【1】. The targeted scopes include:
* **Cloud/ML:** `@cloudplatform-single-spa`, `@mlspace` 【1】
* **Financial/Banking:** `@car-loans`, `@fb-deposit`, `@debit-ib`, `@t-in-one`, `@capibar.chat`, `@sber-ecom-core` 【1】

### Security Implications
* **Credential Exfiltration:** Upon installation, the malicious `postinstall` script captures the full `process.env`—including API keys, tokens, and other secrets—and exfiltrates them to a command-and-control (C2) server 【1】.
* **Persistence:** The malware downloads and executes a second-stage payload as a detached process, ensuring it continues to run even after the `npm install` command finishes 【1】.
* **Targeted Profiling:** The specificity of the package names (e.g., `vpn`, `ml-inference`, `sberpay-widget`) suggests the attackers performed reconnaissance on the victims' internal infrastructure before launching the attack 【1】.

### Technical Details
* **Execution Flow:** The malware uses a 3-second delay to evade sandboxes, identifies the OS, downloads a second-stage script to the system temp directory, and spawns it as a detached process 【1】.
* **Obfuscation:** While the initial wave used cleartext, subsequent variants employed three-layer obfuscation (including `obfuscator.io` and custom base64 encoding) to hide their logic 【1】.
* **C2 Infrastructure:** All malicious activity reports back to `hxxps://oob[.]moika[.]tech/report` using a shared `X-Secret` header (`l95HdDaz3kQx1Zsg3WxH6HvKANf51RY1`), confirming a single author behind the multiple npm accounts (`mr.4nd3r50n`, `pik-libs`, `t-in-one`) 【1】.

### What Defenders Should Know
* **Immediate Mitigation:**
* **Lock Scopes:** Ensure all targeted scopes are explicitly locked to a private registry in your `.npmrc` file to prevent public registry resolution 【1】.
* **Rotate Secrets:** If any of the flagged package versions were installed, assume all environment secrets are compromised and rotate them immediately 【1】.
* **Detection:**
* Search for temporary files like `._cloudplatform-single-spa_init.js` or `._t-in-one_init.js` in the OS temp directory 【1】.
* Monitor network logs for connections to `oob.moika.tech` 【1】.
* Check for the marker directory `~/.cache/._t-in-one_init/` on developer machines or CI runners 【1】.