HARDENED
Cybersecurity Intelligence
Issue No. 062  ·  June 22, 2026  ·  Weekly Flagship  ·  hardened.news
The signal. Not the noise.    For teams that defend.
Gates cleared: Gate 1 Exploitation · Gate 2 Blast Radius · Gate 3 Canadian
01 — // Lead Story — Deep Dive
Your AI API Keys Are the New Crown Jewels
Two disclosures last week pointed at the same prize: the keys and gateways your developers use to reach AI models. JetBrains pulled 15 plugins caught siphoning API keys to an attacker, and a LiteLLM flaw chain turned an ordinary gateway user into root. Stolen AI credentials are spend, data, and access in one.

This week the target came into focus. Attackers are going after the credentials and infrastructure that connect your organization to AI models — because an AI key is worth more than a password. It is metered spend an attacker can run up, a data path into whatever the key’s application can read, and free use of models you are paying for. Adopting AI tools remains the right call. The job now is to protect the keys and gateways that make them work, because the research last week showed two practical ways to steal them.

The first route is the developer’s editor. JetBrains confirmed 15 malicious plugins on its Marketplace — AI assistants, code-review helpers, and Git utilities — that worked as advertised while quietly sending the AI provider key a developer pasted into the settings to an attacker server in plaintext. Published under seven vendor accounts since October 2025, with new ones as recent as June 10, the plugins were installed close to 70,000 times; the two largest were DeepSeek AI Assist (27,727) and CodeGPT AI Assistant (25,571). JetBrains removed them, blocked the accounts, and disabled them in installed IDEs on June 16. Bleeping Computer → JetBrains →

The second route is the gateway. LiteLLM is a popular AI gateway — a proxy that fronts many model providers behind one API and one pool of keys. We flagged LiteLLM’s MCP exposure in our May 28 briefing; the chain disclosed last week is a deeper problem in the same gateway. Obsidian Security disclosed a chain of three flaws that takes any low-privilege gateway user to full control: CVE-2026-47101 lets a non-admin grant their own key the route permissions it should never hold, CVE-2026-47102 lets that account rewrite its own role to proxy_admin, and CVE-2026-40217 breaks out of the guardrail sandbox that runs custom Python through exec(). Rated 9.9 together, the chain ends in remote code execution on the gateway host. The fix is LiteLLM v1.83.14-stable or later. A separate flaw, CVE-2026-42271, was exploited in the wild and added to CISA’s catalogue this month. Obsidian Security → The Hacker News →

The two stories meet at the same point. Whoever holds the gateway holds every downstream key and the data flowing through it; whoever harvests keys one developer at a time gets there more slowly but just as surely. In both cases the loot is a non-human identity — a credential that authenticates a machine, rarely rotates, and almost never shows up in the monitoring built for human logins. That is exactly why this class of theft stays quiet: the first sign is often a model bill that does not add up or data leaving through an account that looks legitimate.

The takeaway for leaders is not to slow AI adoption. It is to treat AI keys and gateways like the production credentials they are. Scope them to the minimum, vault them, rotate them, cap their spend, and put their usage in front of the same monitoring that watches everything else — and govern what your developers are allowed to install, because a helpful-looking plugin is now a credential-collection channel. The organizations that do this keep the productivity. The ones that do not are funding an attacker’s inference bill and handing over a data path with it.

// Risk Taxonomy — Four Ways AI Credentials Leak
AIK-01 — Critical
Editor-Plugin Key Theft

A developer pastes an AI provider key into a plugin’s settings; the plugin works as advertised and ships the key to an attacker. The JetBrains campaign did this across 15 plugins and roughly 70,000 installs, sending keys in plaintext. The IDE is now part of your credential attack surface.

AIK-02 — Critical
AI Gateway Takeover

An AI gateway concentrates every provider key behind one control plane. The LiteLLM chain (CVE-2026-47101 → CVE-2026-47102 → CVE-2026-40217) walks a low-privilege user up to admin and then to code execution on the host — handing over every key and request the gateway touches.

AIK-03 — High
Non-Human Identity Sprawl

AI keys are machine credentials that are issued fast, shared freely, and rarely rotated. Most carry no spend cap and no expiry, and they sit outside the identity monitoring built for people. A stolen key can run for weeks before anyone notices the cost or the data movement.

AIK-04 — High
Marketplace & Supply-Chain Trust

Plugin and package marketplaces are trusted by default and reviewed lightly. Attackers ship genuinely useful AI tools, build an install base over months, then collect. The download count is social proof, not a security signal — popularity is part of the lure.

// Five Actions — Start This Week
[✓] Rotate exposed AI keys and audit IDE plugins. Ask whether any developer machine ran one of the flagged JetBrains plugins; if so, revoke and reissue the affected OpenAI, DeepSeek, and SiliconFlow keys. Inventory installed IDE plugins across the team.
[✓] Patch your AI gateway. Upgrade LiteLLM to v1.83.14-stable or later to close the privilege-escalation chain, and confirm CVE-2026-42271 — exploited in the wild and on CISA’s catalogue — is remediated.
[✓] Treat AI keys as non-human identities. Move them into a secrets vault, scope each key to the least privilege it needs, set spend caps, and enforce a rotation schedule. A key with no cap and no expiry is a standing liability.
[✓] Govern what developers can install. Restrict IDE and browser extensions to a vetted allowlist, and make the approved AI tooling easy to adopt. An install count is marketing, not assurance — require review before a plugin can touch credentials.
[✓] Monitor gateway and provider usage. Alert on new admin roles, unusual gateway routes, and sudden changes in model spend or request volume. A bill that jumps overnight is often the first evidence a key has been taken.
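The monitoring described in the fifth action (and in the spend-and-usage row of the matrix further down) as a worked example added here, not code from the newsletter or from LiteLLM: it baselines each key's daily spend and request volume from constructed sample records and flags spikes, a first-seen region, and a role change to an admin role. The record fields (key_id, role, cost_usd, requests, region) are assumed, not a real gateway's log schema.

```python
# Added example, not from the newsletter or from LiteLLM: per-key baselining of
# AI-gateway usage with alerts on spend/volume spikes, a first-seen region, and a
# role change to an admin role. The record fields below are assumed, not a real
# gateway's log schema.
from collections import defaultdict
from statistics import mean, pstdev

FIELDS = ("day", "key_id", "role", "cost_usd", "requests", "region")
# Constructed sample: one record per key per day. key-b jumps 10x in spend and
# volume from a new region on day 5; key-c is rewritten to proxy_admin on day 4.
RAW = [
    (1, "key-a", "user", 4.1, 900, "ca-central"), (2, "key-a", "user", 3.9, 880, "ca-central"),
    (3, "key-a", "user", 4.3, 940, "ca-central"), (4, "key-a", "user", 4.2, 920, "ca-central"),
    (1, "key-b", "user", 5.0, 1000, "ca-central"), (2, "key-b", "user", 5.2, 1050, "ca-central"),
    (3, "key-b", "user", 4.8, 980, "ca-central"), (4, "key-b", "user", 5.1, 1020, "ca-central"),
    (5, "key-b", "user", 52.0, 11000, "us-east"),
    (1, "key-c", "user", 1.0, 200, "ca-central"), (2, "key-c", "user", 1.1, 210, "ca-central"),
    (3, "key-c", "user", 0.9, 190, "ca-central"), (4, "key-c", "proxy_admin", 1.0, 205, "ca-central"),
]
USAGE = [dict(zip(FIELDS, row)) for row in RAW]


def detect_anomalies(records, z_threshold=3.0, min_history=3):
    """Return (key_id, alert_kind, detail) tuples for the newest record of each key."""
    by_key = defaultdict(list)
    for rec in sorted(records, key=lambda r: r["day"]):
        by_key[rec["key_id"]].append(rec)
    alerts = []
    for key_id, recs in by_key.items():
        history, latest = recs[:-1], recs[-1]
        if len(history) < min_history:
            continue  # not enough baseline to judge the newest record
        for field in ("cost_usd", "requests"):
            vals = [r[field] for r in history]
            mu = mean(vals)
            # Floor sigma at 10% of the mean so a very flat baseline still
            # needs a large jump (not a tiny wobble) to raise an alert.
            sigma = max(pstdev(vals), 0.1 * mu)
            if latest[field] > mu + z_threshold * sigma:
                alerts.append((key_id, f"{field}_spike", f"{latest[field]} vs baseline {mu:.1f}"))
        if latest["region"] not in {r["region"] for r in history}:
            alerts.append((key_id, "new_region", latest["region"]))
        # A key that suddenly carries an admin role is the escalation pattern in
        # the LiteLLM chain; the role string is part of the assumed schema.
        if latest["role"] != history[-1]["role"] and "admin" in latest["role"]:
            alerts.append((key_id, "role_to_admin", latest["role"]))
    return alerts


if __name__ == "__main__":
    for alert in detect_anomalies(USAGE):
        print(alert)
```

In production the same logic would run over the gateway's own usage export or its SIEM feed, with the baseline window set to cover a normal billing cycle rather than three days.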
02 — // The Canada Angle
Canada’s Critical-Infrastructure Cyber Law Is Now in Force
Bill C-8 received Royal Assent on June 16. For designated operators, AI keys and gateways inside critical systems just moved from good practice to legal obligation — and two existing frameworks already reach the same credentials.

The stolen-credential problem in this week’s lead is not only an operational risk in Canada. It is increasingly a compliance one. The frameworks below now reach the AI keys, gateways, and service accounts your systems depend on.

Framework 1 — Critical Infrastructure Operators
Bill C-8 — Now Law (Royal Assent June 16, 2026)

Bill C-8 — the successor to the prorogued Bill C-26 — received Royal Assent on June 16, 2026, enacting the Critical Cyber Systems Protection Act (CCSPA) and amending the Telecommunications Act. The Telecommunications Act changes take effect immediately; the CCSPA comes into force in phases. Designated operators in the finance, telecommunications, energy, and transportation sectors will face mandatory cyber-security programs, incident reporting, and access controls — obligations that cover the machine credentials and AI gateways running inside critical systems.

The action: Move from gap assessment to implementation. Confirm whether your organization is a designated operator, and put AI key and gateway governance into the cyber-security program you will need to attest to. Watch for the phase-in dates and sector regulations that follow.

Primary source: Parliament of Canada — Bill C-8 (LEGISinfo) →

Framework 2 — Federally Regulated Financial Institutions
OSFI Guideline E-23 — Model Risk Management

OSFI’s Guideline E-23, effective May 1, 2027, extends model risk management to AI and machine-learning systems at all federally regulated financial institutions, with explicit accountability for third-party models. An AI gateway and the provider keys behind it are part of how a model is accessed and controlled; a takeover like the LiteLLM chain is a model-risk and access-control failure that E-23 expects to be governed and monitored.

The action: Banks, insurers, and pension funds should fold AI-gateway patch status, key scoping, and usage monitoring into their E-23 readiness now — not in 2027.

Primary source: OSFI Guideline E-23 →

Framework 3 — All Private Sector Organizations
PIPEDA — Mandatory Breach Notification

Under PIPEDA, an organization must report to the Office of the Privacy Commissioner and notify affected individuals when a breach of security safeguards involving personal information creates a real risk of significant harm. A stolen AI key that reaches a system holding personal data — or a gateway takeover that exposes the requests passing through it — is a safeguard failure, and if personal information was involved the reporting clock starts.

The action: Map which AI keys can reach personal data, scope them away from what they don’t need, and log gateway access so you can answer the “what was exposed” question quickly.

Primary source: OPC — PIPEDA Overview →

03 — // Threat & Defence Matrix
This week’s AI-credential threats mapped to the control that contains them
Threat → Defence

Threat: Malicious IDE plugin exfiltrates AI keys (JetBrains campaign)
A useful-looking plugin ships the developer’s provider key to an attacker in plaintext.
Defence: Vetted plugin allowlist + key rotation
Restrict IDE extensions to a reviewed allowlist; rotate any keys exposed to flagged plugins; alert on plaintext credential egress.

Threat: AI gateway privilege escalation to RCE (LiteLLM CVE-2026-47101 → 47102 → 40217)
A low-privilege user becomes proxy admin, then runs code on the host.
Defence: Patch + restrict the control plane
Upgrade to LiteLLM v1.83.14-stable; lock down admin routes; run the gateway with least privilege and network isolation.

Threat: AI gateway flaw exploited in the wild (LiteLLM CVE-2026-42271, CISA KEV)
A separate MCP-endpoint flaw allowed attacker-spawned subprocesses.
Defence: KEV-driven patching + disable unused endpoints
Treat KEV entries as priority; patch now and turn off MCP or preview endpoints you do not use.

Threat: Unrotated, uncapped AI keys (non-human identity sprawl)
Long-lived keys with broad scope and no spend cap sit outside identity monitoring.
Defence: Vault, scope, rotate, cap
Store keys in a vault, scope to least privilege, enforce rotation and spend limits, and feed key usage into the SIEM.

Threat: Stolen key drives runaway spend and data access
A valid key authenticates as a legitimate service — no malware, no login anomaly.
Defence: Spend and usage anomaly alerting + fast revoke
Baseline normal model spend and request volume; alert on spikes and new regions; keep a one-step key-revocation runbook.

04 — // On Our Radar + Patch Priority
// On Our Radar — Not Yet at Critical Threshold
UEFI Secure Boot KEK certificate expiry — June 24, 2026 (2 days): The Microsoft Corporation KEK CA 2011 expires June 24, with the UEFI CA 2011 following June 27 and the Windows Production PCA 2011 in October. Dual-boot Linux and air-gapped systems that do not receive automatic firmware updates need their remediation done now, not after the date passes. Tracking since Issue #039. Microsoft Support →
Deepfake fraud moves mainstream on crime forums: Weekly threat-intelligence reporting noted a sharp rise in deepfake-related discussion across criminal forums, alongside continued voice- and video-impersonation fraud against finance teams. Brief executives and finance staff on call-back verification for any payment or credential request made over video or voice. TechNadu →
KEV additions are accelerating: CISA added a Joomla editor flaw (June 16), and Cisco SD-WAN, Chrome, and Arista flaws (June 9), all on evidence of active exploitation. The pace means a vulnerability-management program anchored only to monthly patch cycles is now running behind the threat. CISA KEV →
// Patch Priority — This Week
P1 — NOW · Joomla Content Editor (JCE) CVE-2026-48907 (CVSS 10.0) — unauthenticated PHP code execution, CISA KEV June 16, actively exploited. Update JCE to 2.9.99.7 (2.9.99.6 has an upload regression) and restrict editor-profile creation. [Enterprise · Dev]
P1 — NOW · LiteLLM CVE-2026-47101 + CVE-2026-47102 + CVE-2026-40217 (CVSS 9.9 chain) — low-privilege user to admin and RCE on the AI gateway. Upgrade to v1.83.14-stable or later. [Dev · Cloud+DevOps]
P1 — NOW · LiteLLM CVE-2026-42271 — MCP-endpoint subprocess flaw, exploited in the wild and on CISA KEV. Confirm it is patched on every gateway instance. [Dev · Cloud+DevOps]
P2 — WEEK · Google Chrome V8 CVE-2026-11645 — out-of-bounds read/write, CISA KEV June 9, actively exploited. Update Chrome and Chromium-based browsers. [All Teams]
P2 — WEEK · UEFI Secure Boot KEK certificate expiry (June 24) — remediate dual-boot and air-gapped systems before the date; confirm firmware-update delivery. [IT Ops]
HARDENED is published for general informational and educational purposes. All threat data is sourced from publicly available security research and cited accordingly. This newsletter does not constitute professional security advice. Security configurations and threat landscapes vary by organization. Consult a qualified security professional for implementation guidance specific to your environment. All data as of June 22, 2026.