Morning brief
No Review Now items passed evidence gates today. 3 Monitor items are notable but not urgent. 29 background items are low-signal.
0 review now | 0 hunt today | 0 patch priority | 3 monitor | 29 background
What changed (2)
  • New item: 'Steam Workshop abused to spread malware via Wallpaper Engine app' in Monitor
  • New item: 'ClickFix Campaigns Expand Malware Delivery With New Loaders and Fake Update Lures' in Monitor
Monitor (3): Notable but not urgent; watch for escalation
CVE-2026-32625 Monitor
score 25
Notable but not urgent; score=25, CVSS=9.6
LibreChat is an enhanced ChatGPT clone that supports multiple AI providers. In versions up to and including 0.8.3, the Model Context Protocol (MCP) server integration resolves …
no exploit | conf high | CVSS 9.6 | EPSS 0.0025 | 1 src | 4 KQL | 1 caveat
  • Immediately upgrade LibreChat installations to version 0.8.4-rc1 or later.
  • Audit all MCP server configurations for any URLs containing environment variable placeholders (e.g., ${VAR}) and remove them.
  • Rotate all secrets exposed in process.env (CREDS_KEY, CREDS_IV, JWT_SECRET, MONGO_URI) even after patching.
KQL hunts:
  • MDE exposure: devices with CVE-2026-32625
  • Sentinel identity/M365 suspicious admin and …
  • Sentinel suspicious sign-in activity
  • MDE endpoint behaviour hunt
Monitor changed
score 25
Steam Workshop abused to spread malware via Wallpaper Engine app
Notable but not urgent; score=25
Threat actors are abusing Steam Workshop, Valve's community hub for downloading game-related content, to push various malware hidden in wallpaper packages. [...]
no exploit | conf medium | 1 src | 2 caveats
  • Block Steam Workshop domains (e.g., steamcommunity.com, steamusercontent.com) on corporate endpoints if not required for business.
  • Deploy application control policies to restrict execution of files downloaded from Steam Workshop directories.
Monitor changed
score 25
ClickFix Campaigns Expand Malware Delivery With New Loaders and Fake Update Lures
Notable but not urgent; score=25
Cybersecurity researchers have flagged multiple ClickFix campaigns that deliver three malware loaders called BabaDeda Loader, Lorem Ipsum Loader, and Potemkin, per independent …
no exploit | conf high | 1 src | 2 caveats
  • Block known ClickFix campaign domains and IPs from threat intel feeds (e.g., Morphisec, BlueVoyant, Huntress reports).
  • Deploy YARA rules for BabaDeda Loader, Lorem Ipsum Loader, and Potemkin loader on endpoints and email gateways.
Background 29 items
web/api | cloud | identity/auth | linux/server | edge devices
Source coverage
exploit_cves ok 30
exploit_kev ok 50
exploit_news ok 2
exploit_epss ok 79
exploit_vulncheck ok 500
exploit_msrc ok 1451
exploit_intel_objects ok 32
exploit_exploit_refs:nuclei ok
exploit_exploit_refs:metasploit ok
exploit_exploit_refs:exploitdb ok
exploit_exploit_refs:greynoise missing_credentials
exploit_exploit_refs:shadowserver missing_credentials
exploit_enrichment:pai_local missing_credentials