The Defensive Line Weekly — Episode 25 (28 June – 5 July 2026). A new CitrixBleed exploited in 24 hours; FortiBleed theft turns to ransomware; device-code phishing goes pro; AI runs ransomware end-to-end.
🤖 Voices are AI-generated. Story curation and analysis is human.
A new CitrixBleed (CVE-2026-8451)
* Citrix Security Bulletin CTX696604 — fixed builds
* watchTowr Labs — CitrixBleed to Infinity and Beyond: technical analysis
* Field Effect — Citrix NetScaler memory disclosure: patch guidance
* SecurityWeek — New CitrixBleed vulnerability exploited immediately after public disclosure
FortiBleed → INC Ransom and Lynx ransomware
* SOCRadar — FortiBleed: INC / Lynx ransomware link
* Dark Reading — FortiBleed actors tied to INC and Lynx ransomware gangs
* SecurityWeek — FortiBleed campaign linked to INC, Lynx ransomware attacks
* BleepingComputer — FortiBleed credential theft campaign linked to Lynx ransomware
ARToken — device-code phishing as a service
* Cisco Talos — ARToken: inside an EvilTokens affiliate panel targeting Microsoft 365
* Sekoia — EvilTokens: AI-augmented phishing-as-a-service for automating BEC fraud
* Microsoft — AI-enabled device-code phishing campaign (April 2026)
* Microsoft Learn — Conditional Access: block authentication flows (device code)
JADEPUFFER — AI-agent-run ransomware
* Sysdig — JADEPUFFER: agentic ransomware for automated database extortion
* BleepingComputer — JADEPUFFER ransomware used AI agent to automate entire attack
* SecurityWeek — Agentic AI used to conduct ransomware attack via Langflow
Honourable mentions
* Socket — PolinRider: North Korea-linked supply chain campaign expands
* OpenSourceMalware — PolinRider rides again: North Korean attack expands across GitHub
* The Hacker News — North Korean hackers publish 108 malicious packages
* The Hacker News — New ChocoPoC RAT targets vulnerability researchers
Vulnerabilities
* MSRC — CVE-2026-45659: Microsoft SharePoint RCE
* The Hacker News — SharePoint RCE CVE-2026-45659 added to KEV
* Cisco — Unified Communications Manager security advisory
* SecurityWeek — Cisco confirms in-the-wild exploitation of Unified CM vulnerability
Subscribe
* This week’s written edition — The Defensive Line Weekly #28
This is a public episode. If you would like to discuss this with other subscribers or get access to bonus episodes, visit thedefensiveline.substack.com