This CISO Executive Cyber Risk Intelligence Briefing covers the Past Week (July 8–14, 2026) and the Past Month (June 15–July 14, 2026). Analysis draws exclusively from verified incident disclosures, CISA KEV activity, threat intelligence platforms, and platform telemetry. Focus remains on material risk to AppSec posture, software supply chain integrity, cloud/IaC, identity fabrics, and business enablement.
Executive Summary / Key Takeaways
- Supply chain worms accelerated across ecosystems. Coordinated campaigns (PolinRider/North Korea-linked, Miasma/TeamPCP) published 100+ malicious packages and extensions targeting npm, PyPI, GitHub, VS Code, and Chrome. Preventive ingestion controls now deliver measurable risk reduction where post-facto SCA alone cannot.
- Ransomware velocity hit record levels. H1 2026 averaged 23 disclosed attacks per day (up 11% from H2 2025). The Gentlemen group overtook Qilin in June volume; MSP and OAuth supply-chain vectors enabled scaled impact on finance and manufacturing. Healthcare remained the top vertical.
- High-severity, actively exploited vulnerabilities dominated. Multiple CVSS 9.8–10.0 issues (Ivanti Sentry, Check Point, Cisco SD-WAN, Node.js TLS CVE-2026-48930, Splunk) entered KEV with ransomware or state-linked exploitation. Patch discipline and risk-based prioritization directly determine residual exposure.
- Third-party integration and credential abuse extended blast radius. The Klue OAuth compromise (June 2026) enabled downstream Salesforce data exfiltration across customer environments. Identity and integration trust boundaries remain high-leverage attack surfaces.
- Container/IaC and external surface misconfigurations persisted as reliable initial access. Cryptojacking campaigns against Kubernetes and exposed management interfaces (FortiBleed) demonstrated continued control gaps in cloud workloads.
- Leading programs are shifting from reactive detection to preventive control at ingestion and unified ASPM visibility. This reduces mean-time-to-remediate and contains blast radius before code reaches production pipelines.
The Past Week in Review: Critical Developments (July 8–14, 2026)
Material events reflected ongoing supply-chain pressure and opportunistic ransomware following credential or third-party compromise.
- KDDI (Japan telecom) disclosed exploitation of a zero-day in third-party email platform software (initial access May, detected June, public reporting early July). Impact: Unauthorized access with potential data exposure. First-principles risk: Third-party software update trust remains a high-velocity vector when patching cadence lags.
- AssuranceAmerica (U.S. insurer) confirmed credential-based breach (detected March, investigation concluded mid-June, disclosed ~July 9). ~6.9 million records exposed (names, DL numbers, policy/claims data). High material exposure for PII-heavy sectors.
- Foxconn North America operations faced ransomware claims by Nitrogen group using BYOVD techniques to disable defenses. Attacker alleged theft of ~8 TB engineering documents and client schematics—direct IP and downstream supply-chain risk.
- Ongoing supply-chain worm activity (PolinRider, Miasma/TeamPCP lineage) continued propagation via malicious npm/PyPI packages, VS Code auto-run tasks, and hidden loaders. North Korea-aligned actors published additional artifacts stealing CI/CD tokens and credentials. Atomic risk remains 8–9/10: One compromised maintainer or registry poisons thousands of downstream builds.
- Supporting signals: FortiBleed credential-harvesting campaign against Fortinet devices (linked to INC/Lynx ransomware ops) and residual effects from earlier June incidents (ServiceNow misconfig, Aflac Japan 4.4M record exposure).
Risk posture note: Most incidents stemmed from valid credential abuse, third-party trust failure, or unpatched edge devices rather than novel zero-days in custom code. Control effectiveness of signature-based or post-ingestion tools alone proved insufficient against worm-style propagation.
The Past Month: Trends & Persistent Risks (June 15–July 14, 2026)
Velocity and patterns across the 30-day window reveal structural exposure rather than isolated events.
Supply chain vector acceleration (highest signal): Multiple overlapping campaigns poisoned npm, PyPI, Go, Packagist, Chrome extensions, and GitHub workflows. Red Hat Cloud Services npm namespace compromise (early June), TanStack package trojanization, Mastra malicious dependency, and Binding.gyp worm propagation demonstrated cross-ecosystem coordination. North Korea-linked PolinRider alone delivered 108+ malicious packages. MSP compromise (Qilin example) enabled lateral movement into 32 South Korean financial institutions from a single foothold. Trust in OSS registries and CI/CD pipelines eroded further.
Ransomware ecosystem fragmentation with scaled impact: Record pace continued. Qilin remained prolific overall; Gentlemen led June claims. Healthcare, manufacturing, and government targeted heavily. Data exfiltration + encryption remained dominant. MSP and supply-chain initial access lowered attacker cost and increased blast radius.
Vulnerability volume and exploitation velocity: June saw ~7,454 CVEs published (14.5% MoM increase). Multiple high-severity issues (Ivanti Sentry CVSS 10 RCE, Check Point auth bypass, Cisco SD-WAN privilege escalation, Oracle PeopleSoft, Splunk unauth RCE, Node.js TLS flaws) added to CISA KEV with active exploitation or ransomware linkage. AI/ML infrastructure (Langflow, vLLM) also surfaced in campaigns. First-principles: High CVE volume + KEV concentration + public PoCs compress defender windows dramatically.
Identity and integration abuse: Klue OAuth token harvesting (June 18) exposed downstream customer Salesforce/Gong data. Persistent pattern of legacy credential or integration-platform compromise.
Cloud/IaC and external surface: Cryptojacking campaigns against K8s clusters (June 25) and FortiBleed-style portal scanning showed misconfiguration and exposed management interfaces remain reliable. EASM coverage gaps directly correlate with successful initial access.
What accelerated: Coordinated multi-registry supply-chain worms and MSP-scale initial access.
What stabilized: Awareness of OSS risk, though execution of preventive controls lags.
What compounds: Agentic/AI-assisted TTPs (e.g., ransomware operators using LLMs for login correction and lateral movement) and expanding attack surface from rapid container/AI framework adoption.
Overall residual risk: Elevated in software supply chain and identity fabrics. Control effectiveness highest where organizations combined preventive ingestion blocking with unified risk visibility and rapid remediation automation.
Strategic Foresight: Signals for the Next 30–90 Days
- Attacker TTP evolution: Continued refinement of supply-chain worms targeting developer ecosystems, AI frameworks (e.g., Semantic Kernel, FastAPI stacks), and CI/CD secret exfiltration to fuel ransomware. Increased OAuth token and cross-tenant abuse. Expect more MSP/MSSP targeting for scale.
- Technology inflection points: Container runtime and IaC misconfigurations will remain high-ROI for cryptojacking and ransomware operators as K8s adoption grows. Node.js and enterprise platform (Ivanti, Cisco, Splunk, Oracle) exploitation windows will stay compressed post-disclosure.
- Regulatory and compliance momentum: Building pressure for demonstrable software supply chain controls, SBOM consumption, and third-party risk transparency (extending SEC disclosure trends and CISA directives). Programs without preventive tooling and auditable policy enforcement will face increasing scrutiny in assessments and insurance.
- Signals to monitor: Velocity of new malicious packages in npm/PyPI (Veracode Threat Research and registry integrity reports); CISA KEV additions and BOD deadlines; MSP compromise reports; container/IaC finding trends in centralized platforms.
Confidence assessment: High on supply-chain persistence and ransomware volume (multiple independent corroborating sources). Medium on precise regulatory timelines (historical pattern-based). Grounded exclusively in observed incidents and telemetry through mid-July 2026.
Veracode Recommendations: How Leading Programs Are Responding
Leading AppSec programs treat the current environment as a control-effectiveness problem, not solely a detection problem. They deploy preventive controls at ingestion, unify visibility in Risk Manager, and automate remediation where possible. Below are targeted mappings to observed threats.
Software Supply Chain Worms & Malicious Packages (PolinRider, Miasma/TeamPCP, Red Hat npm)
Capabilities: Veracode Package Firewall (primary preventive) + SCA (supplemental in-use analysis) + Risk Manager (visibility).
Action guidance: Immediately create and enforce policies in Package Firewall for npm, PyPI, Maven, and other critical ecosystems. Proxy artifact repositories (Artifactory, Nexus) through Veracode registry URLs. Block untrusted, malicious, vulnerable, or policy-violating packages at ingestion. Run agent-based SCA for ongoing dependency hygiene.
Expected measurable outcome: Blocks malicious packages before they enter pipelines (Veracode enhancements report blocking 60% more malicious packages than alternatives); materially reduces downstream SCA finding volume and remediation workload; lowers atomic supply-chain risk exposure from 8–9/10 to manageable residual.
Container, IaC, and Secrets Risks (Cryptojacking, Misconfigurations)
Capabilities: Veracode Container Security (CLI + Platform results) + Risk Manager (centralized ASPM and policy evaluation).
Action guidance: Integrate Veracode CLI container and IaC scans (with secret detection rules) into build and deployment pipelines. Route results and policy pass/fail into the Veracode Platform Container and IaC Analysis view and Risk Manager for unified triage and ownership assignment.
Expected measurable outcome: Early detection of vulnerabilities, misconfigurations, and embedded secrets in images and IaC; improved control effectiveness over cloud workloads; faster risk-based remediation via centralized visibility and automated workflows (recent VRM enhancements).
High-Severity/KEV Vulnerabilities & Ransomware Initial Access Vectors
Capabilities: Risk Manager (prioritization, KEV context, root-cause analysis, next-best-action, automated workflows) + Veracode Fix (AI-assisted remediation) + EASM + DAST (external surface validation).
Action guidance: Ingest all findings (SAST, SCA, DAST, Container, EASM) into Risk Manager. Leverage new automated workflows for ticket creation and status updates. Use Fix for rapid, expert-curated code-level patches on applicable flaws. Run targeted EASM discovery on exposed assets and DAST on web/API/RMM endpoints.
Expected measurable outcome: Significant reduction in mean-time-to-remediate (Fix delivers hours vs. days in many cases); prioritized focus on material/KEV risks; lower residual risk from unpatched externally reachable vulnerabilities.
Identity, OAuth, and Third-Party Integration Risks (Klue-style token abuse)
Capabilities: EASM (discover exposed integrations) + DAST (API/runtime testing) + Package Firewall/SCA (on integration tooling and dependencies) + Risk Manager (contextual prioritization).
Action guidance: Expand EASM coverage to map integration points and exposed OAuth surfaces. Apply DAST to critical APIs and portals. Enforce Package Firewall policies on any CI/CD or integration tooling dependencies.
Expected measurable outcome: Reduced blast radius from compromised third-party integrations; earlier detection of token abuse vectors; stronger control effectiveness across the identity fabric.
DevSecOps Maturity, Governance, and Automation:
Capabilities: Integrations (GitHub, Azure DevOps, IDE plugins with OAuth SSO) + Policies (new built-in OWASP Top 10:2025 and CWE Top 25:2025) + CLI + Security Labs training + Risk Manager analytics (including new Firewall Usage dashboard).
Action guidance: Enforce consistent policies platform-wide. Shift left via IDE plugins and CLI in pipelines. Use automated workflows and labeling in Risk Manager. Track Firewall usage and remediation analytics.
Expected measurable outcome: Higher developer velocity with secure-by-default guardrails; auditable governance; data-driven program optimization via unified dashboards.
What CISOs Should Do Now (Prioritized Actions)
0–72 hours (Immediate containment of highest-velocity vector): Audit all CI/CD pipelines for direct pulls from public npm/PyPI registries. Deploy and enforce Veracode Package Firewall policies for critical ecosystems (npm and PyPI first). Block unvetted packages at ingestion. Verify results via Firewall Usage analytics.
This week (7 days): Implement Veracode CLI Container Security and IaC scans (with secrets rules) in priority pipelines. Centralize results in the Platform and Risk Manager. Ingest recent KEV additions (Ivanti Sentry, Node.js TLS, Cisco SD-WAN, Check Point) into Risk Manager for immediate triage and ownership assignment. Confirm compensating controls or patch status.
Next 30 days (Structural hardening): Activate automated workflows and labeling in Risk Manager for ticket creation, status updates, and role-specific views. Expand EASM coverage to integration and management surfaces. Update third-party/MSP risk assessments to include OAuth token and supply-chain dependency exposure. Drive IDE plugin adoption with OAuth SSO for developer enablement.
Ongoing measurement: Track risk reduction via Risk Manager dashboards (finding velocity, policy pass rates, Firewall blocks, MTTR). Tie metrics to board-level residual risk reporting.
These actions address root causes at the trust boundaries—OSS ingestion, container/IaC runtime, and identity fabrics—while improving control effectiveness from reactive detection to preventive and automated response.
Closing
The current environment tests whether AppSec programs operate as cost centers or business enablers. Organizations that treat software supply chain integrity and unified risk visibility as non-negotiable control domains will materially reduce material exposure and sustain delivery velocity. Those that remain reliant on post-ingestion detection alone will continue absorbing preventable blast radius. The technical and operational path forward is clear and executable today.
This report is provided for informational purposes only and is not intended as legal, technical, or professional advice. While we strive for accuracy, Veracode does not warrant the completeness or accuracy of the information. Recipients should not rely solely on this report and must conduct their own thorough investigation and verification. Please work with your internal teams and relevant stakeholders to properly assess, implement, and remediate any identified threats or vulnerabilities. The information has been compiled from multiple sources, and Veracode assumes no liability for any errors, omissions, or actions taken based on this content.