News Article · Jun 17, 2026 at 8:41 AM
FortiSandbox, Arch Linux, and Teams: A Week of Diverse Security Threats
Security #supply chain attack #arch linux #aur #FortiSandbox #Microsoft Teams #C2 #Vice Society #iRhythm #CVE-2026-39813 #CVE-2026-39808 #CVE-2026-25089

A roundup of recent security incidents: FortiSandbox vulnerabilities under active exploitation, a massive Arch Linux AUR supply chain attack, and a novel malware campaign using Microsoft Teams for command-and-control.

Security teams faced a barrage of threats this week as attackers exploited vulnerabilities in Fortinet's FortiSandbox, hijacked over 1,500 packages in the Arch User Repository, and deployed malware that hides command-and-control traffic inside Microsoft Teams. The incidents highlight the expanding attack surface across enterprise and open-source ecosystems.

On Monday, threat intelligence firm Defused warned that attackers are actively exploiting three vulnerabilities in FortiSandbox: CVE-2026-39813, CVE-2026-39808, and CVE-2026-25089. FortiSandbox is a critical platform that other Fortinet security products rely on for threat verdicts, making it a high-value target. Defused noted that the exploit for one of the flaws appears to be "vibecoded" and likely faulty, suggesting AI-assisted development may be lowering the barrier for attackers.

Arch Linux AUR Supply Chain Attack

In a separate incident, the Arch User Repository (AUR) spent a weekend cleaning up after attackers seized control of more than 1,500 packages. The campaign did not require breaking into any systems; instead, attackers used compromised maintainer accounts to push malicious updates designed to steal developer credentials and secrets. The scale of the attack makes it one of the largest supply chain compromises targeting a Linux distribution.

  • Over 1,500 AUR packages were hijacked in the campaign.
  • Attackers targeted developer secrets, including SSH keys and API tokens.
  • No infrastructure breach was needed; the attack relied on compromised maintainer accounts.
  • Arch Linux maintainers have since revoked access and are auditing affected packages.

Microsoft Teams as a C2 Channel

Researchers also uncovered a novel malware campaign that uses Microsoft Teams to hide command-and-control (C2) traffic. Custom malware routes communications through legitimate Microsoft services, making malicious activity appear as routine corporate collaboration. The technique allows attackers to bypass network security controls that trust Microsoft's domains. The campaign may be linked to the ransomware and data extortion group Vice Society, according to Dark Reading.

Meanwhile, digital health company iRhythm confirmed on June 8 that attackers stole data in a breach and demanded a ransom. The company did not disclose the number of affected patients but said it is working with law enforcement.

These incidents underscore a broader trend: attackers are increasingly targeting trusted platforms and supply chains. The FortiSandbox exploits, the AUR hijack, and the Teams C2 technique all rely on abusing legitimate systems rather than breaking into them directly. As AI tools accelerate exploit development, defenders must expect more such attacks. Organizations should prioritize patching FortiSandbox, audit their use of community package repositories, and monitor for anomalous traffic to trusted cloud services.

Fact check

  • Attackers are actively exploiting three vulnerabilities in FortiSandbox: CVE-2026-39813, CVE-2026-39808, and CVE-2026-25089. (reported)
  • Attackers hijacked over 1,500 packages in the Arch User Repository. (reported)
  • Custom malware routes C2 communications through Microsoft Teams, making traffic appear as routine collaboration. (reported)
  • The Teams C2 campaign may be linked to Vice Society. (reported)
  • iRhythm confirmed a data breach on June 8 and received a ransom demand. (reported)
