News Article · Jun 20, 2026 at 12:40 PM
SocGholish Botnet Takedown, Klue Supply Chain Attack, and FortiBleed Expose Systemic Cyber Risks
Security #supply chain attack #CISA #WordPress #ransomware #FortiBleed #Salesforce #Klue #SocGholish #Operation Endgame #OAuth token abuse

A coordinated operation cleaned 15,000 sites, Salesforce disabled Klue's app, and CISA warned after 74,000 Fortinet credentials leaked. Supply chain security is in the spotlight.

International law enforcement and private partners cleaned malware from 15,000 WordPress websites, Salesforce disabled the Klue Battlecards app integration, and CISA warned Fortinet users after 74,000 firewall credentials leaked. The three incidents, all reported in June 2026, underscore systemic vulnerabilities in the software supply chain and internet infrastructure.

The SocGholish takedown, announced June 18 as part of Operation Endgame, removed malware from 15,000 compromised WordPress sites and dismantled 106 command-and-control servers and domains. The botnet had been used by the Russia-based ransomware group Evil Corp to infect visitors with fake browser update prompts, according to the Dutch National High Tech Crime Unit.

Salesforce and Klue: OAuth Token Abuse

Salesforce disabled the Klue Battlecards app integration on June 11 after attackers abused OAuth tokens to access customer data. Cybersecurity firms Huntress and Recorded Future were among the affected customers whose Salesforce instances were breached. Salesforce said organizations will be unable to connect to the platform via the app until further notice.

  • Attackers used compromised OAuth tokens to read and exfiltrate data from Klue's Salesforce integration.
  • Huntress and Recorded Future confirmed their data was accessed, though neither reported lateral movement inside their own networks.
  • Salesforce issued an alert recommending customers review connected apps and rotate any API keys potentially exposed.

FortiBleed: 74,000 Credentials Exposed

CISA urged Fortinet customers on June 17 to secure devices after a threat actor leaked nearly 74,000 firewall and VPN credentials in a dump labeled FortiBleed. The leaked data included IP addresses, usernames, and passwords for FortiGate and FortiVPN appliances, likely harvested via compromised devices or credential stuffing attacks.

CISA advised users to change passwords immediately, enable multi-factor authentication, and ensure devices run the latest firmware. The agency also recommended disabling unused remote access services and monitoring logs for unauthorized activity.

The three events converged on a common theme: attackers are targeting trust relationships in software supply chains. SocGholish exploited compromised WordPress sites to deliver malware, Klue's OAuth integration was abused to reach downstream customers, and FortiBleed demonstrated how unpatched or misconfigured edge devices become entry points for broader attacks.

What comes next will depend on how quickly organizations respond. For WordPress site owners, the Dutch police advised changing credentials, enabling multi-factor authentication, deleting unknown accounts, and keeping sites updated. For Salesforce customers, the path forward includes auditing OAuth apps and reviewing access logs. For Fortinet users, CISA's directive is clear: assume compromise and lock down devices now.

Fact check

  • SocGholish malware was removed from 15,000 WordPress websites and 106 servers/domains were taken down as part of Operation Endgame. (reported)
  • Salesforce disabled the Klue Battlecards app integration on June 11, 2026 after OAuth token abuse exposed customer data of Huntress and Recorded Future. (reported)
  • CISA warned Fortinet users after nearly 74,000 firewall and VPN credentials were leaked in the FortiBleed data dump. (reported)
