Ankura CTIX FLASH Update – July 2, 2026

Recent research highlights a growing trend in which threat actors abuse trusted development tools, automation, and open-source ecosystems to compromise software developers and gain access to valuable systems. In one proof-of-concept attack, researchers demonstrated how AI coding assistants can be manipulated into executing malicious commands hidden behind seemingly legitimate GitHub projects, allowing attackers to gain remote access without placing malware directly in the repository. At the same time, cybersecurity researchers uncovered hijacked npm and Go packages that leveraged automatically executed Visual Studio Code tasks to deploy malware disguised as harmless project files. These attacks use deceptive techniques such as fake setup instructions, hidden payloads, blockchain-based command retrieval, and fraudulent job recruitment themes to bypass traditional security controls and user suspicion. Successful compromise can expose sensitive assets including API keys, environment variables, browser credentials, cryptocurrency wallets, and other developer data while establishing long-term access to infected systems. Together, these incidents underscore how attackers are increasingly exploiting trust, automation, and developer workflows rather than relying on traditional software vulnerabilities, reinforcing the need for stronger oversight of AI-assisted development tools, open-source dependencies, and automated execution processes. CTIX analysts will continue to report on the latest malware strains and attack methodologies.
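One defensive check for the auto-executed Visual Studio Code task technique described above, as an added example that is not part of the briefing: it walks a checkout, dependency folders included, and reports any task configured to run when the folder is opened. It assumes only the standard tasks.json keys (`tasks`, `command`, `args`, `runOptions.runOn`); the sample file embedded in it is constructed.

```python
"""Flag VS Code tasks that auto-run on folder open (added example, not the
briefing's code): a hijacked package can ship a .vscode/tasks.json whose task
sets runOptions.runOn to "folderOpen", which VS Code runs on project open."""
import json
import os
import re
# VS Code accepts JSON-with-comments; stripping is a fallback only, because a
# crude regex can damage globs such as "src/**/*.js" inside valid strings.
_COMMENT_RE = re.compile(r"(?m)^\s*//[^\n]*|/\*.*?\*/", re.DOTALL)
# Constructed sample: one benign build task, one task that auto-runs a script.
SAMPLE_TASKS_JSON = """{
  // comment syntax that VS Code tolerates
  "version": "2.0.0",
  "tasks": [
    {"label": "build", "type": "shell", "command": "npm run build"},
    {"label": "setup", "type": "shell", "command": "node",
     "args": ["assets/setup.js"], "runOptions": {"runOn": "folderOpen"}},
  ]
}"""

def parse_tasks_json(text: str) -> dict:
    """Parse tasks.json, falling back to comment/trailing-comma stripping."""
    try:
        return json.loads(text)
    except ValueError:
        stripped = _COMMENT_RE.sub("", text)
        return json.loads(re.sub(r",(\s*[}\]])", r"\1", stripped))

def auto_run_tasks(config: dict) -> list:
    """Return (label, command line) for each task that runs on folder open."""
    found = []
    for task in config.get("tasks", []):
        if task.get("runOptions", {}).get("runOn") == "folderOpen":
            parts = [str(task.get("command", ""))] + [str(a) for a in task.get("args", [])]
            found.append((task.get("label", "<unlabelled>"), " ".join(parts)))
    return found

def scan_tree(root: str) -> list:
    """Return (path, label, command line) for auto-run tasks under root; node_modules
    and vendor directories are included on purpose, since that is where a hijacked
    dependency would plant the file."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        if os.path.basename(dirpath) == ".vscode" and "tasks.json" in files:
            path = os.path.join(dirpath, "tasks.json")
            try:
                with open(path, encoding="utf-8") as fh:
                    config = parse_tasks_json(fh.read())
            except (OSError, ValueError):
                continue  # unreadable or not JSON at all: nothing to flag
            hits += [(path, label, cmd) for label, cmd in auto_run_tasks(config)]
    return hits
```

Run `scan_tree(".")` from the root of a freshly cloned project before opening it in the editor; a hit in a dependency folder is a strong signal that the package should not be opened or installed.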


Polish authorities have arrested four (4) members of an organized cybercrime group accused of breaching telecom partners and hijacking email accounts to conduct SIM-swapping attacks. Working with the FBI and US Homeland Security Investigations, the Polish Cybercrime Bureau (CBZC) says the group used specialized software and social engineering to gain unauthorized access to infrastructure supporting mobile operators and employee email accounts. They then illegally cloned victims’ phone numbers, intercepted SMS messages and emails, and took over accounts at cryptocurrency exchanges, stealing and laundering funds through multiple bank accounts and digital wallets. Losses are estimated at several tens of millions of Polish złoty (at least $5 million). The suspects, now in pre-trial detention, face charges including participation in an organized criminal group, hacking to commit theft, and money laundering, with a maximum penalty of twenty-five (25) years in prison. Blockchain investigator ZachXBT identified one (1) of the arrested as Wojtek Kulisz, aka “Merry.”


The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added two (2) critical vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, requiring Federal Civilian Executive Branch (FCEB) agencies to remediate both no later than June 28, 2026, under Binding Operational Directive (BOD) 26-04. The first flaw, tracked as CVE-2026-20230, is a critical unauthenticated server-side request forgery (SSRF) vulnerability affecting Cisco Unified Communications Manager (Unified CM) that Cisco patched on June 3, 2026, after initially reporting only proof-of-concept exploit availability. However, researchers at Defused have since observed active exploitation, with attackers using the flaw to write arbitrary text files to vulnerable systems. The second flaw, tracked as CVE-2026-12569, is a critical remote code execution (RCE) vulnerability caused by the deserialization of untrusted data in PTC’s Windchill and FlexPLM product lifecycle management (PLM) platforms, which are widely used across the manufacturing, engineering, retail, apparel, and consumer products industries. CTIX analysts urge customers to apply security updates immediately, as the flaws affect numerous supported software versions. Although the threat actors behind the exploitation remain unknown, CISA is advising organizations to prioritize patching or implement vendor-recommended mitigations immediately to reduce the risk of compromise.


© Copyright 2026. The views expressed herein are those of the author(s) and not necessarily the views of Ankura Consulting Group, LLC., its management, its subsidiaries, its affiliates, or its other professionals. Ankura is not a law firm and cannot provide legal advice.
