Threat Intelligence Brief - Friday, June 12, 2026

Executive Signal

• AI agent infrastructure is under active attack on two confirmed fronts: a critical RCE vulnerability chain in LangGraph (self-hosted deployments) and a novel “Agentjacking” technique targeting AI coding agents via crafted fake error reports — both with confirmed exploitation.
• Organizations running AI-assisted development pipelines face compounding risk: compromised coding agents can expose source code, credentials, and developer endpoints simultaneously.
• Iranian threat group Handala claims a breach of California Water Service (Cal Water), publishing 5GB of data including customer PII and RTKBase platform credentials — critical infrastructure operators should treat this as a sector-relevant warning.
• Novo Nordisk disclosed a breach of clinical trial patient data, continuing a pattern of targeted attacks against sensitive healthcare and life sciences data.
• Dark web forums show early-stage supply chain positioning — GitHub access sales, leaked repositories, and stolen API keys — indicating pre-attack activity with potential downstream software impact.

Immediate Action Required

Patch LangGraph now if self-hosting. LangChain has patched three vulnerabilities, including a critical RCE chain. Exploitation is confirmed. Validate patch status on all self-hosted LangGraph instances and review exposure to untrusted input or network access.

Audit AI coding agent deployments. Agentjacking requires no CVE — it manipulates agent behavior through crafted error reports. Identify which AI coding agents are deployed, what system-level permissions they hold, and whether sandboxing or execution controls are in place.

Critical infrastructure operators: review RTKBase exposure. If your organization uses RTKBase or shares infrastructure patterns with water utilities, rotate credentials and validate access controls against the Cal Water breach claim.

High-Impact Developments

LangGraph RCE Vulnerability Chain — Active Exploitation Confirmed

• What happened: Researchers disclosed three now-patched vulnerabilities in LangGraph, LangChain’s open-source multi-agent framework. The critical chain enables remote code execution on self-hosted deployments.
• Why it matters: LangGraph is widely used in production AI agent systems. A successful exploit against a self-hosted instance can result in full system compromise, including access to credentials, data, and connected services.
• Who should care: Application security, cloud security, and developer security teams running self-hosted LangGraph. Security architects evaluating AI infrastructure risk.
• Recommended action: Confirm patched version is deployed. Identify all self-hosted LangGraph instances. Assess network exposure and input trust boundaries. Review logs for anomalous execution activity.
• Confidence: High — exploitation confirmed, patches available.
• Search metadata: T1059, LangGraph, LangChain, remote code execution

Agentjacking — New Attack Class Targeting AI Coding Agents

• What happened: Tenet Security described “Agentjacking,” a technique that tricks AI coding agents into executing arbitrary code on developer machines via crafted fake error reports. Exploitation is confirmed.
• Why it matters: AI coding agents operate with elevated trust and frequently broad filesystem and network access on developer endpoints. Successful exploitation can result in credential theft, source code exfiltration, or lateral movement from developer machines into broader environments.
• Who should care: Developer security, application security, endpoint security, and any team that has deployed AI coding assistants with autonomous execution capabilities.
• Recommended action: Inventory AI coding agents in use and their permission scopes. Apply least-privilege principles to agent execution environments. Restrict agents from executing code without explicit human confirmation where sandboxing is not feasible.
• Confidence: High — technique confirmed by researchers, exploitation observed.
• Search metadata: T1059, Agentjacking, AI coding agents, malicious code execution

Handala Claims Cal Water Breach — Customer Data and Credentials Exposed

• What happened: Iranian cyber group Handala claims to have breached California Water Service, publishing approximately 5GB of data including customer PII and credentials for the RTKBase platform.
• Why it matters: This is a named Iranian threat actor targeting U.S. critical infrastructure. Exposure of RTKBase credentials carries operational significance — RTKBase is used in geospatial and infrastructure contexts. Attribution is claimed, not independently verified; the data publication is confirmed.
• Who should care: Critical infrastructure security teams, incident response, privacy and legal functions, and organizations sharing infrastructure or vendor relationships with water utilities.
• Recommended action: If RTKBase is in use, rotate credentials and audit access logs immediately. Monitor for downstream use of exposed customer data. Assess vendor and platform overlap with Cal Water.
• Confidence: Medium — breach claim sourced from threat actor; data publication confirmed, full scope independently unverified.
• Search metadata: Handala, Cal Water, RTKBase, data breach, espionage

Monitor Only

• Novo Nordisk clinical trial data breach: Novo Nordisk disclosed a breach affecting patient data from clinical trials. Attack vector and full scope have not been disclosed. Relevant to healthcare, life sciences, and organizations with clinical data obligations. Watch for regulatory and third-party risk implications. (Source: Bleeping Computer)

• Dark web supply chain precursors: Underground forum activity — GitHub access sales, leaked repositories, stolen API keys — flagged as early supply chain attack indicators. No specific active campaign identified. Relevant for organizations monitoring third-party developer risk and software pipeline integrity. (Source: Bleeping Computer)

Analyst Observation

Today’s brief reflects a maturing threat surface around AI tooling that security teams have been slow to treat with the same rigor as traditional infrastructure. Two separate, confirmed exploitation paths against AI agents — one a framework-level RCE, one a behavioral manipulation technique — surfacing on the same day is not coincidence; it reflects attacker interest catching up to enterprise adoption rates. Agentjacking is particularly concerning because it requires no CVE and no patch: it exploits the fundamental design of autonomous agents that act on inputs they are built to trust. Organizations that have deployed AI coding assistants without reviewing execution permissions and sandboxing posture are carrying unquantified risk on developer endpoints today. The Cal Water breach, if independently verified, extends a documented pattern of Iranian actors targeting U.S. critical infrastructure for data collection and disruption signaling — water utilities and their technology vendors should treat this as a sector-wide alert, not an isolated incident.

Source Links

• LangGraph Flaw Chain Exposes Self-Hosted AI Agents to Remote Code Execution — https://thehackernews.com/2026/06/langgraph-flaw-chain-exposes-self.html
• Agentjacking Attack Tricks AI Coding Agents Into Running Malicious Code — https://thehackernews.com/2026/06/agentjacking-attack-tricks-ai-coding.html
• Iranian Cyber Group Handala Claims Cal Water Hack — https://www.securityweek.com/iranian-cyber-group-handala-claims-cal-water-hack/
• Pharma giant Novo Nordisk discloses breach of clinical trials data — https://www.bleepingcomputer.com/news/security/pharmaceutical-giant-novo-nordisk-discloses-security-breach/
• Early Warning Signs of Supply-Chain Attacks Live in the Dark Web — https://www.bleepingcomputer.com/news/security/early-warning-signs-of-supply-chain-attacks-live-in-the-dark-web/

Generated by DevSecOpsDadAttack cyber threat intelligence.