News Article · Jun 29, 2026 at 3:42 PM
StegoAd, Hijacked Packages, and a Critical SSH Flaw: Three Infrastructure Security Incidents Hit in Late June
Security #npm #credential theft #supply chain #steganography #browser extensions #Go #libssh2 #CVE-2026-55200

Three separate infrastructure security incidents emerged in late June 2026: Microsoft removed 119 malicious Edge extensions using steganography, researchers found hijacked npm and Go packages deploying infostealers via VS Code tasks, and a public PoC was released for a critical libssh2 flaw.

Three separate infrastructure security incidents emerged in late June 2026, each targeting a different layer of the software supply chain. Microsoft removed 119 malicious Edge extensions that hid payloads inside image and font files. JFrog disclosed hijacked npm and Go packages that deploy a Python infostealer via VS Code tasks. And a public proof-of-concept was released for CVE-2026-55200, a critical flaw in the libssh2 client library.

The Edge extensions, which Microsoft calls StegoAd, had a combined install base of up to 2.6 million users. Microsoft cautions that this is a ceiling, not a victim count, because the malware used multi-day dormancy and server-side validation to avoid triggering on every install.

Steganography and Supply Chain Attacks

StegoAd used steganography to hide executable code inside PNG icons, WebP images, and WOFF2 font files. The extensions appeared to function normally as ad blockers, VPNs, or translators, earning reviews while the malicious code remained dormant. The payloads eventually stole Google credentials, WordPress admin logins, and session cookies, and ran ad fraud by hijacking affiliate commissions on Amazon, eBay, and AliExpress. Microsoft suspended more than 90 developer accounts behind the operation.

Separately, JFrog researchers identified two hijacked npm packages and a cluster of Go packages that deploy a Python-based information stealer on Windows, Linux, and macOS hosts. The attack avoids lifecycle scripts, likely to sidestep the security hardening in npm v12, and uses VS Code tasks to execute the payload instead. The stealer exfiltrates credentials, browser data, and cryptocurrency wallet files.
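For teams auditing dependencies for this technique, the following added example (not JFrog's tooling and not code from the reported packages) walks a dependency tree such as node_modules or the Go module cache, finds any .vscode/tasks.json a package ships, and reports each task's commands and whether it auto-runs. It assumes the auto-run trigger is VS Code's `runOptions.runOn: "folderOpen"` setting, which the reporting does not confirm; the function names and the sample file are constructed for illustration.

```python
import json, re
from pathlib import Path

# tasks.json is JSONC: comments and trailing commas are legal but json.loads rejects them.
_STR = r'"(?:\\.|[^"\\])*"'
_COMMENT = re.compile(_STR + r'|//[^\n]*|/\*.*?\*/', re.S)
_TRAILING = re.compile(_STR + r'|,(?=\s*[}\]])')

def parse_jsonc(text):
    # Match string literals first so "http://..." inside a value is never treated as a comment.
    keep = lambda m: m.group(0) if m.group(0).startswith('"') else ""
    return json.loads(_TRAILING.sub(keep, _COMMENT.sub(keep, text)))

def audit_tasks(doc):
    """Return one finding per task: label, auto-run flag, and every command it can run."""
    findings = []
    tasks = doc.get("tasks", []) if isinstance(doc, dict) else []
    for task in (t for t in tasks if isinstance(t, dict)):
        # Per-OS overrides matter: a task can be inert on one platform and active on another.
        variants = [task] + [task[k] for k in ("windows", "linux", "osx") if isinstance(task.get(k), dict)]
        commands = sorted({" ".join(map(str, [v["command"], *v.get("args", [])]))
                           for v in variants if "command" in v})
        run_opts = task.get("runOptions") or {}
        findings.append({"label": task.get("label", "<unlabelled>"),
                         "auto_run": run_opts.get("runOn") == "folderOpen",  # assumed trigger
                         "commands": commands})
    return findings

def scan(root):
    """Find .vscode/tasks.json shipped inside a dependency tree rooted at `root`."""
    results = []
    for path in sorted(Path(root).rglob("tasks.json")):
        if path.parent.name != ".vscode":
            continue
        try:
            doc = parse_jsonc(path.read_text(encoding="utf-8", errors="replace"))
        except ValueError as exc:  # an unparseable file in a dependency is itself worth a look
            results.append({"file": str(path), "error": str(exc)})
            continue
        results += [{"file": str(path), **f} for f in audit_tasks(doc)]
    return results

# Constructed sample (not from the reported packages): an auto-running task in JSONC syntax.
SAMPLE = """{
  // constructed example
  "version": "2.0.0",
  "tasks": [{"label": "prepare", "type": "shell", "command": "python", "args": ["setup_env.py"],
             "runOptions": {"runOn": "folderOpen"},}]
}"""

if __name__ == "__main__":
    import sys
    for finding in scan(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(finding)
```

Any hit inside a dependency directory deserves review, since a library has little reason to ship editor task definitions; findings with `auto_run` set are the ones to triage first.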

  • 119 Edge extensions removed, 90+ developer accounts suspended
  • Combined install base up to 2.6 million users (ceiling, not confirmed victims)
  • Hijacked npm and Go packages target multiple operating systems
  • libssh2 CVE-2026-55200 carries a CVSS 4.0 score of 9.2
  • Public PoC available for the SSH client flaw

Critical SSH Library Flaw Exposes Clients

The libssh2 vulnerability, CVE-2026-55200, affects all versions up to and including 1.11.1. A malicious or compromised SSH server can trigger memory corruption on a connecting client without requiring credentials or user interaction. The public proof-of-concept raises the risk of exploitation, especially for applications that use libssh2 for client-side SSH connections. The library is widely used in network tools, file transfer clients, and automation scripts.

Microsoft has published indicators of compromise for StegoAd, including extension IDs and C2 domains. JFrog recommends that organizations audit their npm and Go dependencies for the hijacked packages. libssh2 users should update to the patched version immediately. These incidents underscore the breadth of attack surfaces in modern infrastructure, from browser extensions to package registries to core networking libraries.

Fact check

  • Microsoft removed 119 malicious Edge extensions as part of the StegoAd campaign. (reported)
  • The combined install base of the extensions was up to 2.6 million users. (reported)
  • JFrog discovered hijacked npm and Go packages that deploy a Python infostealer via VS Code tasks. (reported)
  • CVE-2026-55200 in libssh2 has a CVSS 4.0 score of 9.2 and a public PoC has been released. (reported)
