"The internet did not break this week. It got used exactly as designed, which is worse." — The Hacker News, opening the ThreatsDay Bulletin
The June 2026 ThreatsDay Bulletin, published June 11, documents an escalation in trust abuse targeting AI platforms and open-source ecosystems. The main thread is the abuse of Anthropic Claude’s shared chat feature for malware delivery, set against a backdrop of compromised AI coding agents and the leak of the Miasma toolkit for supply chain attacks. The dossier draws primarily on The Hacker News with additions from Rescana; some aspects are not confirmed by structured advisories.
- Threat actors abused Anthropic Claude’s shared chat feature to distribute the MacSync credential stealer, after an initial phase on Google Ads: over 2,000 confirmed victims, with 67.2% in Asia-Pacific and 30.5% in Taiwan alone, across 6 waves in 7 weeks using 106 unique malicious hostnames.
- Anthropic banned the responsible accounts, disabled the malicious chats, and is implementing additional mitigations.
- The Miasma toolkit for supply chain attacks was leaked on June 10, 2026 via GitHub, affecting 304 components and 73 Microsoft repositories; it includes C2 strings such as ‘DontRevokeOrItGoesBoom’ and ‘firedalazer’.
- The Claude Code GitHub Action was vulnerable before version 2.1.128, patched on May 5, 2026 after responsible disclosure by Microsoft.
- The Cline VS Code extension, with over 4.3 million installs, has a command execution vulnerability via a malicious repository classified ‘out of scope’.
From Google Ads to claude.ai: How Delivery Shifted
According to Trend Micro, cited by The Hacker News, cybercriminals began with Google Ads for popular AI development tools, diverting over 2,000 victims to malicious download pages. They then moved the operation onto the platform itself, using Claude’s shared chat feature to distribute MacSync, a credential stealer for macOS.
The campaign unfolded in 6 distinct waves over 7 weeks, with 106 unique malicious hostnames identified. The geographic distribution is lopsided: 67.2% of confirmed victims are concentrated in the Asia-Pacific region, with Taiwan alone accounting for 30.5% of the total. Anthropic responded by banning the responsible accounts, disabling the malicious chats, and implementing additional mitigations.
The mechanism is what the dossier calls trust inversion: the claude.ai domain is implicitly trusted by URL filters and domain reputation, making the payload harder to intercept than a generic suspicious domain. Traditional controls are not designed to inspect shared content on legitimate AI platforms.
Miasma Leaked and AI Coding Agents: The Immediate Context
The Miasma toolkit for supply chain attacks was leaked on June 10, 2026 via GitHub, impacting 304 components and 73 Microsoft repositories. Identified C2 strings include ‘DontRevokeOrItGoesBoom’, ‘TheBeautifulSandsOfTime’, and ‘firedalazer’. The source does not specify whether Miasma has been actively adopted by threat actors beyond the leak, nor whether an operational link exists with the Claude campaign.
The Claude Code GitHub Action, pre-v2.1.128, had a vulnerability patched on May 5, 2026 after responsible disclosure by Microsoft. The fixed version is 2.1.128.
More problematic is the Cline VS Code extension, with over 4.3 million installs. According to Ax Sharma of Manifold Security, cited by The Hacker News, clicking a file’s URL preview in the repository executes a system-level command, bypassing the Approve/Deny dialog and the ‘Safe Commands’ filter. Sharma notes: “‘Safe Commands’ doesn’t inspect commands. It asks the AI agent whether its own command is safe, and trusts the answer, even after the same agent has been manipulated by attacker content.” The vulnerability is classified ‘out of scope’; the dossier does not confirm a definitive patch or CVE assignment.
What Changes
The countermeasures documented in the dossier are those already implemented by vendors. Anthropic has banned accounts and disabled malicious chats; the 2.1.128 patch resolves the Claude Code GitHub Action vulnerability. For Cline, the ‘out of scope’ classification means no confirmed fix is available.
The source does not specify whether the Claude campaign is fully mitigated or if new variants are underway. It also remains unknown whether the Miasma toolkit will be actively adopted by threat actors beyond the documented leak.
Why It Matters
The abuse of Claude’s shared chat represents a documented case of trust inversion: not a platform compromise, but its use as a delivery channel. Traditional security controls, built for suspicious domains, do not intercept shared content on legitimate domains with established reputation.
The mechanism is not technically new — delivery via trusted platforms has existed for years — but the specificity of AI platforms as an attack surface is what the June 2026 bulletin documents. The convergence with vulnerable AI coding agents and leaked toolkits for supply chain amplifies the context, without the dossier establishing an operational connection among these elements.
The key numerical datum remains the asymmetric scale: over 2,000 confirmed victims, with two-thirds concentrated in a single geographic region, over a seven-week span. The distribution suggests specific targeting rather than random global spread.
Information has been verified against cited sources and is current as of publication.
Sources
- https://thehackernews.com/2026/06/threatsday-bulletin-claude-chat-abuse.html
- https://www.rescana.com/post/threatsday-bulletin-june-2026-miasma-supply-chain-worm-leak-claude-code-github-action-vulnerability-ai-agent-phishing-to
- https://www.wiu.edu/cybersecuritycenter/cybernews.php
- https://www.wiu.edu/visit/
- https://www.wiu.edu/global_studies/
- https://www.wiu.edu/libraries/
- https://www.wiu.edu/registrar/courses.php