
Squidbleed and FortiBleed: 86K creds and cleartext HTTP

Infosec · 2026-06-22

Vulnerabilities & Exploits
Squidbleed (CVE-2026-47729) Lets Any Co-user Peek at Cleartext HTTP Data · 8 min read

A 29-year-old heap over-read in Squid's FTP parser (CVE-2026-47729) can spill another user's cleartext HTTP requests, credentials, and session tokens to anyone sharing the same proxy. The flaw is present in default configurations, exposing multi-tenant environments such as schools and corporate networks that still run Squid.

Global Namespace Flaw Lets Attackers Hijack Cloud Buckets and Steal Data · 16 min read

Researchers found that the global uniqueness of bucket names across AWS, GCP and Azure lets an attacker delete a victim's bucket and recreate it under their own account, silently rerouting logs and other data streams. The flaw could be used to exfiltrate sensitive telemetry without detection, forcing organizations to lock down bucket ownership and monitor for deletions.

DifyTap Path Traversal Lets Attackers Peek Into Other Tenants' AI Chats · 4 min read

A path-traversal bug (CVE-2026-41948) in Dify 1.14.1 and earlier lets authenticated users bypass tenant isolation by sending crafted requests to the Plugin Daemon's internal API, exposing other customers' AI conversation data. Because Dify Cloud permits free self-registration, an attacker can easily obtain a tenant ID and read cross-tenant chats until the fix in version 1.14.2 is applied.

Threats & Malware
Panasonic-jacketed malware uses Alibaba OSS carriers and a Sauron backdoor · 21 min read

Researchers dissected a SilverFox-style loader that masquerades as Panasonic PC Notification software. The chain hops through Alibaba OSS staging, signed side-load hosts, and an RPC Task Scheduler module before delivering a Sauron backdoor, revealing a sophisticated multi-stage supply-chain evasion technique.

FortiBleed Harvested 86K FortiGate Credentials Using a Custom Sniffer Tool · 14 min read

SOCRadar uncovered an active FortiBleed operation that has exfiltrated and cracked credentials from 86,644 Fortinet FortiGate firewalls in 194 countries. The attackers deploy a bespoke sniffer to pull configuration files, then brute-force the passwords, giving them unrestricted network access. Organizations must rotate credentials and apply the latest firmware patches immediately.

Canada's CSIS wipes foreign botnets from home routers, averting infrastructure threats · 3 min read

In June 2026 CSIS disclosed its first use of a Federal Court threat-reduction warrant to infiltrate and destroy two foreign-run botnets on Canadian servers, SOHO routers and IoT gear. The operation, authorized to alter or delete malicious code, stopped adversaries from abusing everyday devices to probe or disrupt critical infrastructure such as the energy sector.

Breaches & Industry News
Novo Nordisk's Ozempic Formula Leaked After a Single GitHub Token Was Stolen · 8 min read

FulcrumSec claims it exfiltrated 1.3 TB of Novo Nordisk data, including the exact Ozempic formula, after hijacking a GitHub personal access token in March. The breach shows how a lone credential can give attackers months of undetected access to source code, clinical trial records, and patient data, highlighting a glaring gap in credential hygiene.
