Security | Threat Detection | Cyberattacks | DevSecOps | Compliance

Sharing applications with the world is no easy task. Developers struggle to ensure compatibility across different platforms, vendors continually search for new channels to showcase and distribute their software, and users often encounter hurdles when installing and updating the applications. To help solve this challenge, Microsoft offers multiple solutions including its Microsoft Store, the native Windows Installer component (.msi packages), and a lesser-known but powerful option: ClickOnce technology.

Following our deep dive into the internals of ClickOnce application deployment in Part 1 of this two-part blog series, let’s focus on the security implications of this technology. In this blog, we examine how threat actors can weaponize ClickOnce features, and we reveal what we believe to be a new abuse that security teams need to be aware of.

On June 17th we detected a large-scale supply chain attack targeting the entire @mastra npm scope, a popular open-source AI agent framework. An attacker republished 141 packages in a burst between 01:15 and 02:00 UTC, silently injecting a malicious dependency into every one of them. The affected packages include @mastra/core, which has 918K weekly npm downloads, as well as mastra and create-mastra.

In mid-June 2026, security researchers identified an active, large-scale credential compromise campaign affecting Fortinet FortiGate firewalls, dubbed FortiBleed. Threat actors have been systematically extracting configuration files from internet-facing FortiGate devices and cracking the stored credential hashes, resulting in verified working administrator credentials for between 30,000 and 75,000 devices across 194 countries.

Small and medium businesses are increasingly exposed to email-based attacks that rely on compromised accounts and trusted communication patterns. In a typical business email compromise scenario, attackers gain access to an executive’s email account and monitor communication over time. This allows them to understand how financial requests are handled and when key individuals are unavailable. At the right moment, they send emails that appear legitimate.

Brand impersonation account takeover (ATO) happens when attackers use fake brand assets to expose customers, harvest credentials, and attempt access on the legitimate site. The impersonation stage happens outside the enterprise’s login environment, but the ATO risk appears when stolen credentials, attacker devices, or exposed users reach the legitimate login environment. That distinction matters because brand impersonation and account takeover are often handled as separate problems.