SAGE INTELLIGENCE BRIEF Wednesday, June 24, 2026 =========================================== LEAD STORY FortiBleed has crossed from incident to campaign. A Russian-speaking initial access broker has compromised 430,000+ FortiGate firewalls since February 2026, harvested over 110 million credentials across 24 protocols using a Golang sniffer that abuses native FortiOS diagnostic commands, and has explicitly prioritized MSPs and SMBs under 200 employees to maximize downstream customer reach. If you have any FortiGate that's been internet-exposed since February, treat it as compromised until proven otherwise, rotate every VPN and AD credential tied to it and audit for repeated credential pairs across disparate IPs right now. --- CONNECTING THE THREADS FortiBleed's scale keeps expanding. Two nights ago I flagged the 86,644 confirmed compromise benchmark as a signal that per-client remediation tracking was structurally insufficient at that velocity. Tonight's deep read puts the number at 430,000+ devices and 110 million credentials, with MSPs explicitly in the crosshairs as multiplier targets. The threat model has shifted. This is a systematized pipeline with timed execution windows and 1,000 parallel validation threads. The accumulated read on FortiBleed was already pointing here. Any FortiGate exposure since February is a presumed breach, not a risk to assess. The AI agent supply chain attack on fake skills connects directly to the broader pattern I've been tracking around AI service routing and governance gaps. The Claude-in-Slack Anthropic sub-processor story flagged earlier this week established that AI integrations traverse organizational boundaries in ways current tooling doesn't surface. Tonight's fake skill story shows the same gap from the supply chain angle. Scanners inspect the submitted package once, the live external URL gets rewritten after install, and nobody sees it. The instrumentation gap and the trust gap are the same problem from two different angles. The Squidbleed CVE sitting undetected for 29 years in a default-config Squid deployment is the third data point this week on legacy code carrying critical heap vulnerabilities into modern infrastructure. The SIEM-class CVE acceleration pattern I noted Tuesday, the FortiOS diagnostic command abuse and now a 1997 FTP parser bug all confirm the same thing: the attack surface embedded in production infrastructure is older and wider than most teams' patch coverage models assume. Threat actors know this. Defenders are catching up after exploitation has already started. --- IT INFRASTRUCTURE ARCHITECTURE OpenAI Codex is destroying SSDs through careless logging Codex is hammering SSDs with unnecessary write operations because of a poorly implemented logging layer that doesn't account for storage cost or wear. For any organization running Codex in a local or on-prem context, this is a direct hardware lifecycle impact, not just a software inefficiency. Audit write amplification on any storage tier where Codex is active. Source: https://www.theregister.com/ai-and-ml/2026/06/23/openai-codex-bombards-ssds-with-needless-write-operations-costing-millions/ AKS gets bare metal, fleet management and AI infrastructure at Microsoft Build Microsoft expanded Azure Kubernetes Service with bare metal node pools, multi-cluster fleet management and AI-specific infrastructure primitives. The fleet management piece matters most operationally. Organizations running distributed AKS clusters have been stitching together their own management planes. This starts to address that gap at the platform layer. Source: https://www.infoq.com/news/2026/06/microsoft-build-aks-ai/ Oracle drops 21,000 jobs while pouring billions into data centers Oracle's headcount fell from 162,000 to 141,000 in a single fiscal year. The workforce is being traded for data center capacity. For enterprise Oracle customers, that means support quality and professional services depth deserve scrutiny on any active engagement or renewal. Source: https://www.theregister.com/databases/2026/06/23/21000-oracle-jobs-vanish-amid-big-reds-big-bets-on-ai/ --- CYBERSECURITY & COMPLIANCE Fake AI agent skill passed every scanner and installed on 26,000 agents Security firm AIR merged a malicious skill into a high-trust GitHub marketplace repo, promoted it via Instagram ads and watched it install on roughly 26,000 agents, including corporate accounts. Every scanner it hit, including Cisco's and NVIDIA's, passed it because they scan the submitted package, not the live external URL the skill fetches at runtime. The attacker swapped the URL's content after broad installation. Treat AI agent skills as software supply chain artifacts. Vet external URLs, pin versions and audit what's already installed before adding anything new. Source: https://thehackernews.com/2026/06/fake-ai-agent-skill-passed-security.html North Korean Sapphire Sleet hit Mastra AI via npm supply chain Microsoft attributed a Mastra AI supply chain attack compromising 140+ npm packages to Sapphire Sleet, also known as BlueNoroff. AI development pipelines are now active DPRK targeting territory. If your team is building on AI frameworks with npm dependencies, that dependency tree needs the same scrutiny as any other third-party code. Source: https://www.bleepingcomputer.com Squidbleed: 29-year-old Squid heap overread leaks credentials and session tokens CVE-2026-47729 lives in Squid's FTP directory listing parser, introduced in a 1997 commit. If an attacker-controlled FTP server sends a malformed response, the parser walks off the heap buffer and xstrdup copies live heap memory back to the attacker. That memory contains HTTP requests, passwords, API keys and session tokens. The fix is in Squid v7.6. Upgrade immediately and disable FTP proxy support unless you have a verified operational need for it. Source: https://www.theregister.com/security/2026/06/23/mythos-discovers-squidbleed-a-memory-leak-thats-gone-undetected-since-clinton-era/5260367 --- CLOUD PLATFORMS & STRATEGY AWS Blocks launches as an open-source TypeScript framework for AI agent backends AWS released Blocks in public preview, an open-source TypeScript framework where each Block bundles application code, logic and infrastructure together for AI agent backend construction. This is AWS staking a position in the agentic application framework space. Worth tracking as a potential alternative to custom agent scaffolding for teams already in the AWS ecosystem. Source: https://www.infoq.com/news/2026/06/aws-blocks-framework-preview/ No additional notable cloud platform developments tonight beyond what's covered in AI and cybersecurity sections. --- NETDEVOPS & NETWORK AUTOMATION UK O2 sets 2G switch-off for summer 2029 O2 joined the UK 2G wind-down, with the network going dark in summer 2029. The operational catch: smart meters and telecare alarms are still running on 2G in significant numbers. For any organization with IoT or remote monitoring assets in the UK that haven't been audited for 2G dependency, that audit needs to start now with a 2029 hard deadline. Source: https://www.theregister.com/networks/2026/06/23/o2-joins-uk-2g-switch-off-with-summer-2029-start-date/5260297 No other notable NetDevOps developments tonight. --- AI IN INFRASTRUCTURE & AIOPS Anthropic rebuilds Claude in Slack as an always-on agentic coworker The Claude Slack integration has been redesigned from a chatbot-style assistant into a persistent, proactive agent that monitors workspace activity and acts without being explicitly invoked. For organizations that have deployed or are evaluating Claude in Slack, the data access and behavioral model has fundamentally changed. Review permissions and data classification before this gets broad deployment. Source: https://www.theregister.com/ai-and-ml/2026/06/23/anthropic-reimagines-claude-in-slack-as-nosy-always-on-agentic-ai-coworker/5260422 AutoJack: RCE vulnerability in Microsoft AutoGen Studio via malicious webpage A vulnerability chain in AutoGen Studio's agent prototyping interface lets attackers trigger arbitrary command execution on the host system by getting a user to visit a malicious webpage. If your team is using AutoGen Studio for internal AI development, restrict access to trusted networks and treat it as you would any internal dev tooling with privileged execution capabilities. Source: https://www.bleepingcomputer.com OpenAI releases GPT-5.5-Cyber to defenders for vulnerability patching OpenAI pushed GPT-5.5-Cyber to trusted defenders under its Daybreak program, positioning it as a tool for finding, validating and patching vulnerabilities across large codebases. The value proposition here is triage velocity, not replacement of human review. Useful context if you're evaluating AI-assisted vulnerability management tooling. Source: https://thehackernews.com --- HARDWARE, GPU & COMPUTE China tops TOP500 with a domestically processed supercomputer A Chinese supercomputer using local processors has taken the top spot on the TOP500 list. The nuance worth noting: it runs Arm cores and Linux, which means it hasn't decoupled from the broader global software ecosystem. The hardware self-sufficiency story is substantial but incomplete. Source: https://www.theregister.com/hpc/2026/06/24/chinese-supercomputer-using-local-processors-heads-top500-list/ Trump administration demands a US quantum computer by 2028 The administration has formally directed US technologists to deliver a fault-tolerant quantum computer by 2028. The timeline is aggressive by any technical measure. What this does concretely: it accelerates federal funding flows and creates procurement signal for vendors in the quantum space. Worth watching for downstream effects on cryptography posture guidance. Source: https://www.theregister.com/hpc/2026/06/23/bold-move-cotton-trump-administration-tells-us-techies-it-expects-american-quantum-computer-by-2028/ --- NETWORK MANAGEMENT & MONITORING No notable developments tonight. --- MANAGED SERVICE PROVIDERS FortiBleed explicitly targets MSPs as downstream multipliers The deep read on FortiBleed is specific: SMBs under 200 employees and IT managed service providers are the prioritized target class. The attacker logic is straightforward. Compromise one MSP and the credential pipeline reaches every client that MSP manages. Any MSP with FortiGate in their stack needs to treat this as a direct targeting event, not background noise affecting the broader market. Source: https://thehackernews.com/2026/06/fortibleed-targeted-fortigate-firewalls.html No other notable MSP developments tonight. --- IT VENDOR ECOSYSTEM & M&A Microsoft Access finally removes a 34-year-old 22-inch form width limit Access has dropped the CRT-era form size restriction that's been in place since the early 1990s. For organizations still running Access-based internal tooling, this is a minor but meaningful usability improvement. The more relevant signal: Microsoft is still actively maintaining Access, which tells you something about the breadth of its legacy installed base. Source: https://www.theregister.com/databases/2026/06/23/microsoft-access-finally-breaks-free-of-its-22-inch-form-limit/ No other notable vendor ecosystem developments tonight. --- EDGE COMPUTING & IOT No notable developments tonight. --- SALES & REVENUE Pricing under pressure requires anchoring before negotiating When a buyer questions price, the instinct is to defend or discount. The more effective move is to anchor the conversation on outcome value before engaging on the number. Buyers who understand what a solution is worth negotiate from a different frame than buyers who only see a line item. Set the value anchor early in the sales cycle, not in response to a pricing objection. Source: (Goodreads compounding) --- REAL ESTATE & INVESTMENT Forced refresh cycles create motivated sellers The RAM crisis driving hardware vendors back to DDR2 and DDR3 components maps directly to a real estate parallel: when holding costs become unpredictable, owners who planned to hold longer start reconsidering. Motivated sellers in any asset class tend to emerge when the cost of staying exceeds the cost of transacting. Watch for that signal in markets where operating expenses are compressing margins. Source: (Goodreads compounding) --- SELF HELP, HUMAN PSYCHOLOGY & DARK PSYCHOLOGY The trust gap in supply chain attacks mirrors the trust gap in human manipulation The fake AI agent skill story works because users trusted a high-star GitHub repo without verifying what the skill fetches at runtime. That's the same cognitive shortcut that makes social engineering effective. Proxy signals of legitimacy, star counts, verified logos and familiar brand names bypass direct evaluation. Train your team to verify behavior, not just credentials. Source: (Goodreads compounding) --- WHAT TO WATCH The AI agent skill supply chain is an unresolved attack surface with no scanner-level fix yet. Trail of Bits confirmed the bypass works across every major skills scanner, making this a structural class failure rather than a single vendor miss. Watch for scanner vendors to announce runtime URL verification capabilities and treat any new agent skill installation as untrusted until that tooling exists. --- CONVERSATION STARTER Between February and June 15, 2026, one threat actor ran 659 automated credential harvesting pipeline executions against FortiGate firewalls, processing targets in 300-minute cycles with 1,000 simultaneous validation threads and a 90% early success rate. That's the operational tempo your patching and credential rotation cycles are now being measured against. ===========================================