📅 June 19, 2026 ✍️ Authored by AI ⏱️ 15 min read 📁 Security
AI Security Vulnerabilities MCP Agentic

AI Security Roundup: LLM, MCP, RAG, and Agentic Vulnerabilities (June 19, 2026)

The week of June 12 to 19, 2026 delivered a concentrated wave of AI framework vulnerabilities, supply chain compromises, and perimeter security crises that together show how rapidly the attack surface is expanding across both the agentic AI stack and the traditional network edge. LiteLLM, the widely deployed open-source AI gateway, is the subject of a four-CVE vulnerability chain rated CVSS 9.9 that allows any low-privilege user to escalate to administrator and achieve remote code execution; CVE-2026-42271 is confirmed exploited in the wild and was added to CISA's Known Exploited Vulnerabilities catalog on June 8. LangGraph, LangChain's framework for stateful multi-agent applications, disclosed three security flaws on June 12, CVE-2025-67644 (CVSS 7.3), CVE-2026-28277 (CVSS 6.8), and CVE-2026-27022 (CVSS 6.5), the first two of which chain to remote code execution in self-hosted deployments.

On the supply chain front, the Mastra npm scope takeover on June 17 backdoored 144 packages with a cross-platform RAT that harvests credentials and cryptocurrency wallet data, while the Hades campaign compromised 26 PyPI packages across graph-ML and bioinformatics ecosystems using AI-analyst misdirection designed to defeat automated security scanning.

Network security vendors faced their own crises: Fortinet's FortiBleed incident exposed working administrator credentials for 73,932 FortiGate firewalls across 194 countries, while Check Point patched a critical VPN authentication bypass zero-day, CVE-2026-50751 (CVSS 9.3), that the Qilin ransomware affiliate had already exploited in targeted attacks. The Forum of Incident Response and Security Teams raised its 2026 CVE forecast to approximately 66,000, driven by autonomous vulnerability discovery agents from Anthropic and OpenAI, and Microsoft shipped a record 208 Patch Tuesday fixes in June, one of them credited to OpenAI's Codex as the discoverer.

The convergence of AI framework flaws, supply chain weaponization, and perimeter credential exposure underscores that the AI gateway layer, where all model requests, agent tool calls, and token flows converge, has become the single most critical security chokepoint in the enterprise stack.


LiteLLM Vulnerability Chain Turns AI Gateways into Attack Infrastructure

Obsidian Security published a detailed analysis on June 15, 2026 of a vulnerability chain in the LiteLLM AI gateway proxy that allows any low-privilege user on the platform to escalate to full administrator privileges and execute arbitrary code on the host. The chain combines four distinct CVEs. CVE-2026-42271 (CVSS 8.7) is a command injection flaw in two MCP REST endpoints that accept a full MCP server configuration, including command, args, and env fields, and spawn a subprocess from it with the full privileges of the proxy process and no input validation or sandboxing. CVE-2026-47101 is an authorization bypass that lets non-admin users generate virtual API keys with wildcard route access by setting allowed_routes to a catch-all pattern. CVE-2026-47102 is a privilege escalation in the user update endpoint, which does not restrict which fields a caller may modify on a user record (the mass-assignment pattern). CVE-2026-40217 is the fourth member of the chain. Together the four compose into a CVSS 9.9 critical path from a default low-privilege account to remote code execution. All versions prior to v1.83.14-stable are affected. CISA added CVE-2026-42271 to the Known Exploited Vulnerabilities catalog on June 8 with a federal agency remediation deadline of June 22.
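The three control failures the chain relies on (an unrestricted user-update body, unchecked allowed_routes on key generation, and an MCP registration endpoint that turns the request body into argv) are easy to see in miniature. The following is an added example written for this page, not LiteLLM's code: role names, route names, field names and the MCP catalog are assumptions chosen for the demonstration, and the vulnerable variants only compute what would be executed rather than executing it.

```python
"""Added example, not LiteLLM's code: the three authorization checks whose
absence the chain exploits, each in a vulnerable and a hardened form.
Role names, route names and the MCP catalog are assumptions for the demo."""
from dataclasses import dataclass, field
from fnmatch import fnmatch


class Forbidden(Exception):
    """Raised by the hardened handlers when a request exceeds the caller's role."""


@dataclass
class User:
    user_id: str
    role: str = "internal_user"      # assumed role names; "proxy_admin" is privileged
    models: list = field(default_factory=lambda: ["small-model"])


SELF_EDITABLE_FIELDS = {"models"}  # everything else (role, budgets, ...) is admin-only
NON_ADMIN_ROUTES = {"/chat/completions", "/embeddings", "/models"}
MCP_CATALOG = {  # assumed operator-managed catalog; callers reference it by id only
    "filesystem": {"command": "/usr/local/bin/mcp-fs", "args": ["--root", "/srv/data"]},
}


# 1. User update endpoint: mass assignment versus a field allowlist.
def update_user_vulnerable(caller: User, target: User, patch: dict) -> User:
    for key, value in patch.items():          # any field, including role, is accepted
        setattr(target, key, value)
    return target


def update_user_hardened(caller: User, target: User, patch: dict) -> User:
    if caller.role != "proxy_admin":
        if caller.user_id != target.user_id:
            raise Forbidden("non-admins may only edit their own record")
        illegal = set(patch) - SELF_EDITABLE_FIELDS
        if illegal:
            raise Forbidden(f"fields not self-editable: {sorted(illegal)}")
    for key, value in patch.items():
        setattr(target, key, value)
    return target


# 2. Virtual key generation: an unchecked allowed_routes becomes a master key.
def generate_key_vulnerable(caller: User, allowed_routes: list) -> dict:
    return {"owner": caller.user_id, "allowed_routes": list(allowed_routes)}


def generate_key_hardened(caller: User, allowed_routes: list) -> dict:
    if caller.role != "proxy_admin":
        bad = [r for r in allowed_routes if r not in NON_ADMIN_ROUTES]
        if bad:                       # rejects "*", "/*" and any management route
            raise Forbidden(f"routes not permitted for non-admin keys: {bad}")
    return {"owner": caller.user_id, "allowed_routes": list(allowed_routes)}


def route_allowed(key: dict, path: str) -> bool:
    """How a gateway typically matches a request path against the key's route patterns."""
    return any(fnmatch(path, pattern) for pattern in key["allowed_routes"])


# 3. MCP server registration: argv from the request body versus a catalog lookup.
def mcp_argv_vulnerable(caller: User, body: dict) -> list:
    # This is what would reach subprocess.Popen(): command, args and env all caller-chosen.
    return [body["command"], *body.get("args", [])]


def mcp_argv_hardened(caller: User, body: dict) -> list:
    if caller.role != "proxy_admin":
        raise Forbidden("MCP server registration is admin-only")
    if {"command", "args", "env"} & set(body):
        raise Forbidden("raw command/args/env are not accepted; reference a catalog entry")
    entry = MCP_CATALOG.get(body.get("catalog_id"))
    if entry is None:
        raise Forbidden("unknown catalog entry")
    return [entry["command"], *entry["args"]]


def denied(fn, *args) -> bool:
    """True when the hardened handler rejects the call."""
    try:
        fn(*args)
    except Forbidden:
        return True
    return False
```

The design point is that each hardened handler decides on the caller's role and a fixed allowlist, never on the shape of the request body: a non-admin cannot name the fields it wants to change, the routes it wants a key for, or the binary it wants the proxy to spawn.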

Why it matters. LiteLLM is among the most widely deployed open-source AI gateways, serving as the centralized proxy through which organizations route requests to cloud AI providers including OpenAI, Anthropic, and AWS Bedrock. A compromised LiteLLM instance does not merely expose the proxy host. It exposes every model provider credential stored in the gateway's database, every API key for every tenant, and every conversation log passing through the proxy. The attacker gains the ability to intercept, modify, or redirect any AI interaction across the organization, a position of leverage that exceeds what traditional network compromises typically deliver.

The LiteLLM chain also sharpens the competitive argument for enterprise-grade AI gateway alternatives. Palo Alto Networks completed its acquisition of Portkey on May 29, folding Portkey's AI gateway into the Prisma AIRS platform with enterprise authentication, role-based access controls, and audit logging operated as part of a managed platform rather than assembled and patched by the customer. Cloudflare AI Gateway offers rate limiting, model routing, and observability as a managed service with Cloudflare's existing DDoS and WAF protections layered in front. IBM DataPower Interact Gateway and ServiceNow AI Control Tower similarly provide hardened enterprise gateways. For organizations running LiteLLM in production, the vulnerability chain is a forcing function: patch immediately and add defense-in-depth controls (admin-only MCP registration, tightly scoped virtual keys, the proxy running as an unprivileged user), or migrate to a managed gateway that does not expose raw subprocess execution to authenticated users. Fortinet's organic approach through FortiAI with native MCP support sidesteps the open-source gateway risk by keeping AI traffic governance inside the FortiGate appliance perimeter, though this trades flexibility for the security of a closed platform.


LangGraph Three-CVE Chain Exposes Self-Hosted AI Agents to RCE

On June 12, 2026, cybersecurity researchers disclosed three now-patched security flaws in LangGraph, the open-source framework from LangChain used to build complex, stateful, multi-agent AI applications. Security researcher Yarden Porat discovered and reported all three. CVE-2025-67644 (CVSS 7.3) is a SQL injection in LangGraph's SQLite checkpoint implementation: metadata filter keys are interpolated into the query text, so a caller who controls a filter key controls the SQL. CVE-2026-28277 (CVSS 6.8) is an unsafe msgpack deserialization flaw in checkpoint loading that can reconstruct arbitrary objects from checkpoint data an attacker has been able to modify. CVE-2026-27022 (CVSS 6.5) is a RediSearch query injection in the @langchain/langgraph-checkpoint-redis package that enables an access control bypass. The first two chain to remote code execution in self-hosted deployments that run the SQLite or Redis checkpointer and pass user-controlled input into checkpoint filters: the injection writes the payload into the store, and the deserializer executes it on load. LangChain's managed LangSmith platform is not affected.
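The SQL injection step is worth seeing concretely, because the values in such a filter are usually bound correctly and only the keys leak into the query. The following is an added example written for this page, not LangGraph's checkpointer: the table layout, sample rows and the injected key are constructed, and the point is how a key can close the JSON path literal while leaving the original placeholder intact so the query still parses and binds.

```python
"""Added example (not LangGraph code): a checkpoint search whose filter keys are
spliced into a json_extract() path, beside one that binds both path and value.
Table layout and sample rows are constructed for the demonstration."""
import json
import re
import sqlite3

SAMPLE_CHECKPOINTS = [  # constructed: thread id and its metadata JSON
    ("thread-a", {"tenant": "acme", "user": "alice"}),
    ("thread-b", {"tenant": "acme", "user": "bob"}),
    ("thread-c", {"tenant": "globex", "user": "carol"}),
]

# A filter *key* that closes the path literal and appends an always-true clause.
# The trailing fragment re-opens a json_extract() so the original '?' still binds.
INJECTED_FILTER = {
    "tenant') = 'x' OR 1=1 OR json_extract(metadata, '$.tenant": "acme",
}

KEY_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE checkpoints (thread_id TEXT PRIMARY KEY, metadata TEXT NOT NULL)"
    )
    conn.executemany(
        "INSERT INTO checkpoints VALUES (?, ?)",
        [(t, json.dumps(m)) for t, m in SAMPLE_CHECKPOINTS],
    )
    return conn


def search_vulnerable(conn, metadata_filter: dict) -> list:
    """Values are bound with '?', but each key lands inside the SQL text unescaped."""
    clauses, params = [], []
    for key, value in metadata_filter.items():
        clauses.append(f"json_extract(metadata, '$.{key}') = ?")
        params.append(value)
    where = " AND ".join(clauses) or "1=1"
    sql = f"SELECT thread_id FROM checkpoints WHERE {where} ORDER BY thread_id"
    return [row[0] for row in conn.execute(sql, params)]


def search_hardened(conn, metadata_filter: dict) -> list:
    """Keys are validated as identifiers and the JSON path is bound like any value."""
    clauses, params = [], []
    for key, value in metadata_filter.items():
        if not KEY_RE.fullmatch(key):
            raise ValueError(f"illegal metadata key: {key!r}")
        clauses.append("json_extract(metadata, ?) = ?")
        params.extend(["$." + key, value])
    where = " AND ".join(clauses) or "1=1"
    sql = f"SELECT thread_id FROM checkpoints WHERE {where} ORDER BY thread_id"
    return [row[0] for row in conn.execute(sql, params)]


def rejects(conn, metadata_filter: dict) -> bool:
    """True when the hardened search refuses the filter instead of running it."""
    try:
        search_hardened(conn, metadata_filter)
    except ValueError:
        return True
    return False
```

Run against the sample rows, the legitimate filter `{"tenant": "acme"}` returns the two acme threads from both functions; the injected key makes the vulnerable search return every tenant's checkpoints, while the hardened search raises before any SQL is built. Binding the path as a parameter removes the injection; the identifier check on top of it keeps a key like `$.tenant` from being smuggled in as a path of the attacker's choosing.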

Why it matters. LangGraph is among the most widely adopted frameworks for building production agentic AI systems, and the checkpoint layer is where agents persist their conversation state, memory, and task progress between interactions. A SQL injection into the checkpoint store followed by deserialization-triggered code execution means an attacker can embed a payload that fires every time an agent resumes a saved conversation, turning the agent's own memory into a persistent backdoor. This attack pattern is particularly dangerous in multi-agent deployments where one compromised checkpoint can propagate malicious state to downstream agents that load shared conversation history.

The LangGraph disclosure also highlights a pattern emerging across the agent framework ecosystem. Microsoft disclosed CVE-2026-25592 (CVSS 10.0) and CVE-2026-26030 (CVSS 9.9) in Semantic Kernel in May, showing how prompt injection can escalate to sandbox escape and arbitrary code execution through the framework's plugin system and vector store filter evaluation. Hugging Face patched CVE-2026-4372 in Transformers version 5.3.0, closing a config injection path that allowed RCE through standard model loading APIs. The common thread is that AI framework developers have been treating internal data flows, such as configuration files, checkpoint metadata, and vector store filters, as trusted input when they are in fact attacker-controllable surfaces. For organizations deploying agents on Check Point's AI Defense Plane or behind CrowdStrike's Charlotte AI AgentWorks, the lesson is that securing the agent runtime requires inspecting the framework's own internal data paths, not just the prompts and model responses that external security layers typically monitor.


Mastra npm Scope Takeover Backdoors 144 AI Framework Packages

On June 17, 2026, an attacker compromised the @mastra npm organization and mass-published 144 malicious package versions in an 88-minute window. The attack targeted the Mastra AI framework, a popular open-source JavaScript and TypeScript toolkit for building AI applications. The payload was hidden inside a dependency called easy-day-js, a typosquatted copy of the legitimate dayjs date library engineered to survive casual code review by duplicating dayjs's author name, homepage, repository URL, license, and version numbering. The attack exploited a dormant npm contributor account (ehindero), a real former Mastra contributor whose scope access was never revoked after the account went inactive in early 2025. Affected packages had a combined weekly download count exceeding 1.1 million, with @mastra/core alone receiving over 918,000 weekly downloads.
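A clone that copies another project's author, homepage and repository URL defeats a reviewer who only checks that the metadata looks legitimate, but it leaves a detectable seam: the name on the package is not the name of the project the metadata points at. The following is an added example written for this page, not Mastra's, npm's or any vendor's tooling. The two manifests and the table of known projects are constructed to mirror the pattern described above; treat their field values as illustrative.

```python
"""Added example, not Mastra's, npm's or Snyk's tooling: flag a dependency whose
manifest borrows another project's identity.  The manifests and the table of
known projects are constructed for the demonstration."""
import re
from urllib.parse import urlparse

# Assumption: an operator-maintained table of the upstream projects the org depends on.
KNOWN_PROJECTS = {
    "dayjs": {"repo": "iamkun/dayjs", "homepage": "day.js.org"},
}

# Constructed manifests: the second copies the first's metadata under a new name.
GENUINE = {
    "name": "dayjs",
    "repository": {"type": "git", "url": "git+https://github.com/iamkun/dayjs.git"},
    "homepage": "https://day.js.org",
}
LOOKALIKE = {
    "name": "easy-day-js",
    "repository": {"type": "git", "url": "git+https://github.com/iamkun/dayjs.git"},
    "homepage": "https://day.js.org",
}


def repo_slug(repository) -> str:
    """'git+https://github.com/iamkun/dayjs.git' -> 'iamkun/dayjs'."""
    url = repository.get("url", "") if isinstance(repository, dict) else str(repository)
    url = url.removeprefix("git+")
    path = urlparse(url).path.strip("/")
    return re.sub(r"\.git$", "", path).lower()


def host_of(url: str) -> str:
    return (urlparse(url).hostname or "").lower().removeprefix("www.")


def bare_name(package_name: str) -> str:
    """Strip the npm scope and punctuation so 'easy-day-js' -> 'easydayjs'."""
    unscoped = package_name.split("/", 1)[-1]
    return re.sub(r"[^a-z0-9]", "", unscoped.lower())


def identity_findings(manifest: dict, known: dict = KNOWN_PROJECTS) -> list:
    name = manifest.get("name", "")
    slug = repo_slug(manifest.get("repository", ""))
    home = host_of(manifest.get("homepage", ""))
    findings = []
    # Generic check: the package is not named after the repository it claims to come from.
    repo_name = slug.rsplit("/", 1)[-1]
    if slug and bare_name(repo_name) != bare_name(name):
        findings.append(f"{name}: name does not match repository {slug}")
    # Targeted check: the metadata is a known project's, but the name is not.
    for known_name, ident in known.items():
        if known_name == name:
            continue
        if slug and slug == ident["repo"].lower():
            findings.append(f"{name}: repository {slug} belongs to {known_name}")
        if home and home == ident["homepage"]:
            findings.append(f"{name}: homepage {home} belongs to {known_name}")
    return findings


def audit_manifests(manifests: list, known: dict = KNOWN_PROJECTS) -> dict:
    """Map package name -> findings for every manifest in an installed tree."""
    report = {}
    for manifest in manifests:
        findings = identity_findings(manifest, known)
        if findings:
            report[manifest["name"]] = findings
    return report
```

In a CI step this would run over every `package.json` under `node_modules`; the generic name-versus-repository check needs no prior knowledge, and the targeted check turns the organization's own list of trusted upstreams into a set of identities that no other package name may claim.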

The second-stage payload is a cross-platform Node.js RAT that installs OS-level login persistence on Windows, macOS, and Linux, inventories 166 cryptocurrency wallet browser extensions, harvests browser history from Chrome, Brave, and Edge, and opens a remote module execution channel for arbitrary follow-on tasks. Mastra packages are routinely installed in environments holding LLM API keys, cloud provider credentials, CI/CD tokens, and database connection strings.

Why it matters. The Mastra compromise is the third major AI-targeted supply chain attack in June 2026, following the Hades PyPI campaign on June 8 and the ongoing Shai-Hulud worm activity. The attack demonstrates that AI framework ecosystems have inherited all of the supply chain vulnerabilities of traditional software development while adding new attack surfaces specific to AI workloads, particularly the concentration of model provider API keys and cloud credentials in development environments. The 88-minute publication window and the use of a legitimate dormant contributor account both underscore that npm's current access control model is insufficient for the trust requirements of AI infrastructure packages.

For security vendors, the Mastra attack validates the need for runtime supply chain monitoring at the AI gateway layer. Palo Alto Networks' Prisma AIRS with Portkey integration can detect anomalous API key usage patterns that would result from credential theft, while CrowdStrike's Falcon platform with Pangea AI detection can identify malicious process behavior on developer workstations. Fortinet's FortiSandbox provides static and dynamic analysis of packages before deployment. However, none of these controls would have prevented the initial compromise of a trusted npm scope through a dormant contributor account, a gap that requires registry-level authentication hardening such as mandatory two-factor authentication and automatic scope access expiration for inactive contributors.


Hades Campaign Poisons PyPI Graph-ML Packages with AI-Analyst Misdirection

On June 8, 2026, security researchers identified version 0.8.101 of the popular graph machine learning package ensmallen on PyPI as containing a sophisticated supply chain payload. The campaign, tracked as the Hades Campaign and attributed to the Miasma/Shai-Hulud threat lineage, compromised 26 packages totaling 37 malicious wheel files across bioinformatics, graph ML, deep learning, and developer tooling ecosystems. The operation ships a self-contained Bun executable inside the wheel and triggers it through a Python .pth file dropped into site-packages: the site module executes any .pth line that begins with an import statement at interpreter start-up, so the multi-layer payload runs silently every time Python starts on the host, whether or not the compromised package is ever imported. The primary objective is aggressive harvesting of cloud credentials and exfiltration of tokens from compromised environments, with stolen GitHub tokens enabling worm-like self-propagation to additional packages.
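Because the .pth mechanism is a documented interpreter feature, it can be audited directly: a plain path line only extends sys.path, and only lines beginning with `import` are executed. The following is an added example written for this page, not code from the Hades analysis or from StepSecurity. It lists every executable .pth line in a directory and scores the ones carrying tokens that rarely belong in a legitimate import hook. The three fixture files and the indicator list are constructed; the loader fixture mimics the shape of a start-up launcher, not the actual Hades payload.

```python
"""Added example, not code from the Hades analysis or from StepSecurity: audit
the .pth files in a site-packages directory for start-up hooks.  The site module
executes any .pth line that begins with 'import' (followed by a space or tab)
each time the interpreter starts, so that is where a start-up payload must live.
The fixture files and the indicator list are constructed for the demonstration."""
import os
import re
import tempfile

# Tokens that rarely belong in a legitimate import hook (assumed list; tune per environment).
SUSPICIOUS = re.compile(
    r"subprocess|os\.system|os\.popen|exec\(|eval\(|base64|zlib|socket|urllib|"
    r"ctypes|marshal|__import__|\\x[0-9a-fA-F]{2}"
)


def is_executable_line(line: str) -> bool:
    """Mirror of the rule in site.addpackage(): only these lines are exec()'d."""
    return line.startswith(("import ", "import\t"))


def audit_pth_file(path: str) -> list:
    findings = []
    with open(path, encoding="utf-8", errors="replace") as fh:
        for lineno, raw in enumerate(fh, 1):
            line = raw.rstrip("\n")
            if not is_executable_line(line):
                continue  # a plain path entry only extends sys.path
            hits = sorted({m.group(0) for m in SUSPICIOUS.finditer(line)})
            findings.append({
                "file": os.path.basename(path),
                "line": lineno,
                "severity": "high" if hits else "info",
                "indicators": hits,
                "text": line[:160],
            })
    return findings


def audit_site_packages(directory: str) -> list:
    findings = []
    for name in sorted(os.listdir(directory)):
        if name.endswith(".pth"):
            findings.extend(audit_pth_file(os.path.join(directory, name)))
    return findings


# Constructed fixtures: a path-only entry, a familiar import hook, and a loader that
# launches a bundled runtime from a package directory (shape only; not the real payload).
FIXTURES = {
    "editable-project.pth": "/home/dev/src/myproject\n",
    "_virtualenv.pth": "import _virtualenv\n",
    "zzz_loader.pth": (
        "import os, subprocess; subprocess.Popen(["
        "os.path.join(os.path.dirname(os.__file__), 'site-packages', 'somepkg', 'bin', 'bun'),"
        " 'run', 'loader.js'], stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)\n"
    ),
}


def demo() -> list:
    """Write the fixtures to a scratch directory and audit it; nothing is executed."""
    with tempfile.TemporaryDirectory() as tmp:
        for name, body in FIXTURES.items():
            with open(os.path.join(tmp, name), "w", encoding="utf-8") as fh:
                fh.write(body)
        return audit_site_packages(tmp)


if __name__ == "__main__":
    for finding in demo():
        print(finding["severity"], finding["file"], finding["line"], finding["indicators"])
```

Every executable line is reported, not only the scored ones, because legitimate hooks (`_virtualenv.pth`, editable-install finders) are few and well known in any given environment; the useful baseline is the full list of import lines, diffed against the previous scan, with the indicator score deciding what to look at first. Point `audit_site_packages` at each `site-packages` directory on the host, including those inside virtual environments and CI caches.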

Two features of the Hades campaign distinguish it from previous supply chain attacks. First, the payload includes an AI misdirection capability that embeds fake analysis output specifically designed to mislead AI-powered security scanning tools, representing the first documented instance of a supply chain payload explicitly engineered to defeat automated AI threat analysis. Second, a "gh-token-monitor" persistence daemon threatens destructive actions if stolen tokens are revoked, creating a novel extortion mechanism that discourages immediate credential rotation, the standard incident response procedure.

Why it matters. The AI-analyst misdirection technique in the Hades campaign signals a new phase in the adversarial arms race between attackers and defenders. Security vendors including CrowdStrike, Palo Alto Networks, and Check Point have invested heavily in AI-powered threat detection, with CrowdStrike's Charlotte AI and Check Point's Lakera integration both relying on language model analysis to classify suspicious code. A payload that can generate convincing false-negative output for AI analysts undermines the detection confidence of these platforms and forces a return to manual review for supply chain artifacts, a process that does not scale to the volume of packages modern AI development consumes.

The Hades campaign also intersects with the broader AI gateway security narrative. Graph-ML and bioinformatics packages are commonly used in RAG pipeline data processing, feature engineering for model training, and scientific computing workflows that feed into enterprise AI systems. A compromised dependency in these pipelines can exfiltrate model training data, poison feature stores, or intercept credentials used to authenticate against AI gateway APIs. Cloudflare AI Gateway, LiteLLM, and IBM DataPower, like any API gateway, treat a request that presents a valid key as coming from a trustworthy client, an assumption that supply chain attacks like Hades systematically invalidate by stealing the key from the client itself. Fortinet's FortiGuard threat intelligence feed and Check Point's ThreatCloud AI both track malicious package indicators, but detection of Bun-based payloads with AI misdirection requires new behavioral signatures that these platforms are still developing.


FortiBleed Exposes Credentials for 73,000 Fortinet Firewalls Across 194 Countries

On June 17, 2026, security researcher Bob Diachenko publicly disclosed a dataset containing working administrator credentials for 73,932 Fortinet FortiGate firewalls spanning 194 countries. The incident, dubbed FortiBleed, is not a new software vulnerability but rather the resurfacing of credentials originally harvested through exploitation of CVE-2022-40684, a path traversal vulnerability in FortiOS that Fortinet patched in October 2022. The exposed records include usernames, email addresses, and in many cases plaintext passwords for devices sitting at the edge of corporate networks. Researchers estimate that approximately 50% of all internet-reachable FortiGate devices may be affected. CISA issued an urgent advisory on June 18 directing impacted organizations to immediately terminate active sessions, reset all credentials, review configuration files for unauthorized changes, and upgrade to the latest supported FortiOS version.

Why it matters. FortiBleed demonstrates that vulnerability remediation without credential rotation is incomplete remediation. The credentials in the June 2026 dump trace back to exploitation activity from October 2022, meaning attackers may have maintained persistent access to thousands of corporate networks for nearly four years using credentials that were never changed after the original CVE-2022-40684 patch was applied. For Fortinet, which reported a 389% increase in ransomware victims year-over-year in its 2026 Global Threat Landscape Report, the FortiBleed incident creates a reputational challenge precisely when the company is positioning its FortiGate G Series AI data center appliances and FortiAI MCP integration as next-generation security infrastructure.

The competitive implications are significant. Palo Alto Networks moved quickly to highlight its own credential rotation enforcement and zero trust architecture as differentiators, while Check Point can point to its own rapid response to CVE-2026-50751 (described below) as evidence of faster incident handling. CrowdStrike's acquisition of SGNL for $740 million in agent identity governance is specifically designed to prevent credential-based lateral movement, a capability that would have limited the blast radius of FortiBleed-style credential dumps. For organizations evaluating AI gateway deployments, FortiBleed is a reminder that the perimeter devices protecting the enterprise network are themselves high-value targets, and that an AI gateway sitting behind a compromised FortiGate inherits all of the risk of that compromised perimeter.


Check Point VPN Zero-Day CVE-2026-50751 Exploited by Qilin Ransomware

Check Point disclosed CVE-2026-50751 (CVSS 9.3), a critical authentication bypass vulnerability in its Remote Access VPN, Mobile Access, and Spark Firewall products, on June 8, 2026. The flaw stems from a logic weakness in how the Remote Access and Mobile Access components validate certificates during IKEv1 key exchange, allowing an unauthenticated attacker to establish a VPN session without providing valid credentials. Exploitation requires that the target gateway is configured to use the deprecated IKEv1 protocol and accepts legacy Remote Access clients without requiring machine certificates. Check Point's investigation also identified a second vulnerability, CVE-2026-50752 (CVSS 7.4), affecting certificate validation in IKEv1 for site-to-site VPN configurations that could enable man-in-the-middle attacks. Hotfixes shipped the same day for all affected products. CISA added CVE-2026-50751 to the KEV catalog on June 8 with a mandatory remediation deadline of June 11 for federal agencies, one of the shortest remediation windows CISA has imposed.

Exploitation was confirmed in a small number of targeted organizations globally, with at least one case involving post-compromise activity attributed to the Qilin ransomware affiliate. The narrow exploitation scope suggests that the vulnerability was discovered and weaponized by a sophisticated threat actor before Check Point's own security team identified it.

Why it matters. The CVE-2026-50751 disclosure arrives in the same week as the FortiBleed credential exposure, creating a rare moment where two of the three largest network security vendors, Check Point and Fortinet, are simultaneously managing high-profile VPN security incidents. Palo Alto Networks disclosed its own PAN-OS VPN vulnerabilities earlier in June, including CVE-2026-0263 (buffer overflow in IKEv2 processing), meaning all three major firewall vendors have faced VPN-layer security challenges within a single month. For enterprises evaluating which vendor's security platform to trust with AI gateway and agent traffic governance, this concentration of VPN vulnerabilities raises fundamental questions about the trustworthiness of the perimeter devices that sit in front of those gateways.

Check Point's rapid patching and transparent disclosure of CVE-2026-50751, including proactive identification of the related CVE-2026-50752 before exploitation was observed, contrasts favorably with the FortiBleed timeline where credentials stolen through a 2022 vulnerability circulated for years. For CrowdStrike, which competes primarily at the endpoint and identity layers rather than the network perimeter, the simultaneous VPN crises at Check Point and Fortinet reinforce the argument that network-centric security architectures are inherently vulnerable and that identity-first approaches, such as CrowdStrike's SGNL agent identity platform, provide more resilient security boundaries for agentic AI workloads.


FIRST Projects 66,000 CVEs in 2026 as AI Agents Accelerate Vulnerability Discovery

The Forum of Incident Response and Security Teams published its mid-year vulnerability forecast on June 15, raising its 2026 projection to approximately 66,000 CVEs, a historic surge driven by autonomous AI vulnerability discovery agents. Anthropic's Mythos Preview agent identified 271 bugs in Firefox 150 during a single assessment cycle, and OpenAI's GPT-5.4-Cyber hunting agent is operating at comparable scale. Microsoft announced its MDASH (Multi-Model Agentic Scanning Harness) system at Build 2026 on June 2, a pipeline of more than 100 specialized AI agents that identified 16 vulnerabilities in the May Patch Tuesday release alone. The June 2026 Patch Tuesday set a new record at 208 CVEs, with CVE-2026-49160, an HTTP/2 Bomb denial-of-service flaw, attributed to OpenAI's Codex as one of the first named AI-system attributions in a major Patch Tuesday cycle. The previous Patch Tuesday record was 177.

The Five Eyes coalition published its 30-page "Careful Adoption of Agentic AI Services" guidance on May 1, 2026, identifying 5 risk categories, 23 specific risks, and over 100 best practices for safe deployment. The NSA followed on May 20 with a 17-page notice titled "Model Context Protocol (MCP): Security Design Considerations for AI-Driven Automation," covering access control, prompt handling, tool execution, agent permissions, and auditability of third-party integrations.

Why it matters. The FIRST forecast crystallizes a structural shift in vulnerability management. When AI agents can discover hundreds of bugs in a single product within days, the traditional quarterly patch cycle becomes a liability. Security teams cannot verify and remediate faster than AI discovers flaws, making analyst capacity, not vulnerability discovery, the binding constraint. Tenable's Satnam Narang observed that "Pandora's proverbial box has been opened," noting that both Microsoft's internal engineers and the broader security community are using AI to find vulnerabilities at an accelerating rate.

For the AI gateway market, the CVE explosion has a direct commercial implication. Every newly discovered vulnerability in an AI framework, gateway, or agent runtime creates demand for the detection and governance capabilities that Palo Alto Networks (Prisma AIRS), Check Point (AI Defense Plane with Lakera), CrowdStrike (Charlotte AI AgentWorks), and Fortinet (FortiAI with FortiGuard intelligence) sell. The NSA's MCP security guidance specifically calls for logging all tool and model invocations and validating every tool invocation against well-defined schemas, requirements that effectively mandate an AI gateway layer. Cloudflare AI Gateway, IBM DataPower, and ServiceNow AI Control Tower are all positioned to meet these requirements, but the VIPER-MCP research, which swept 39,884 MCP server repositories and discovered 106 zero-day vulnerabilities with 67 CVEs assigned, demonstrates that even the MCP infrastructure itself remains deeply vulnerable. The Censys scan finding 12,520 internet-accessible MCP services, most unauthenticated, confirms that deployment is far outpacing security hardening across the agentic ecosystem.


Semantic Kernel and Hugging Face Transformers Close Critical Framework RCE Paths

Microsoft disclosed two critical vulnerabilities in its Semantic Kernel agent framework in May 2026 that remain relevant to this week's broader pattern of AI framework exploitation. CVE-2026-25592 (CVSS 10.0) is a sandbox-escape vulnerability in the .NET Semantic Kernel SDK's SessionsPythonPlugin: an internal method accidentally tagged with the KernelFunction attribute was exposed to the model as a callable tool, so a prompt injection could drive the agent to write arbitrary files to the host filesystem outside the Azure Container Apps Python sandbox. CVE-2026-26030 (CVSS 9.9) is a code-injection flaw in the Python SDK's InMemoryVectorStore filter function: Semantic Kernel builds filter expressions as Python lambdas and executes them with eval(), so a malicious record injected into a RAG corpus executes arbitrary Python the moment a search query triggers filtering. Patches shipped in semantic-kernel 1.39.4 (Python) and 1.71.0 (.NET).

Separately, Hugging Face patched CVE-2026-4372 in Transformers version 5.3.0 in March 2026, closing a config injection path through the _attn_implementation_internal attribute that allowed RCE via the standard model loading APIs without trust_remote_code=True. Vulnerable Transformers versions were downloaded approximately 232 million times before the patch, and affected versions still account for roughly a quarter of weekly installations, at 7 to 8 million downloads per week.
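The eval()-built filter is the clearest instance on this page of data becoming code, and the fix is structural rather than a matter of escaping. The following is an added example written for this page, not Semantic Kernel's code: it reconstructs the vulnerable shape (a record's field value spliced into the source text of a lambda) beside a filter that interprets a closed set of operators. The corpus is constructed; record 3 carries a value crafted to escape the string literal, and to prove execution harmlessly it sets an attribute on the builtins module rather than doing anything destructive.

```python
"""Added example, not Semantic Kernel code: a vector-store filter that compiles
to a Python lambda with eval() beside one that interprets a closed operator set.
The corpus is constructed; record 3 carries a value crafted to escape the
string literal the vulnerable builder wraps it in."""
import builtins
import operator

FLAG = "PWNED_BY_RECORD"  # the constructed payload sets this attribute on builtins

RECORDS = [
    {"id": 1, "tenant": "acme", "text": "quarterly report"},
    {"id": 2, "tenant": "globex", "text": "quarterly report"},
    # Poisoned record: closes the literal, runs an expression, re-opens the literal.
    # eval() exposes __import__ by default, so no special globals are needed.
    {
        "id": 3,
        "tenant": "' or __import__('builtins').__dict__.setdefault('"
                  + FLAG + "', True) or 'acme",
        "text": "quarterly report",
    },
]


def filter_vulnerable(records, field, expected):
    """Splices each record's field value into Python source and eval()s it."""
    matched = []
    for record in records:
        source = f"lambda r: '{record[field]}' == '{expected}'"
        predicate = eval(source)  # the defect: corpus data has become code
        if predicate(record):
            matched.append(record["id"])
    return matched


ALLOWED_OPS = {"eq": operator.eq, "ne": operator.ne, "in": lambda a, b: a in b}


def filter_hardened(records, field, op, expected):
    """Data stays data: the only code that runs is one of three fixed comparators."""
    if op not in ALLOWED_OPS:
        raise ValueError(f"unsupported operator {op!r}")
    compare = ALLOWED_OPS[op]
    return [r["id"] for r in records if compare(r.get(field), expected)]


def payload_executed() -> bool:
    """True once the poisoned record's expression has run."""
    return hasattr(builtins, FLAG)


def reset_flag() -> None:
    if hasattr(builtins, FLAG):
        delattr(builtins, FLAG)
```

Two things happen in the vulnerable path: the poisoned record's expression runs during an ordinary query, and because the expression ends in a true comparison the record also passes the filter, so the attacker's document lands in the retrieval results as a bonus. The hardened filter never constructs source text; the operator name is looked up in a fixed table and the value is passed as an argument, so no content of any record can change what code executes. The same principle applies to the config-driven code paths in the Transformers case: resolve a name against an allowlist, never execute or import what the data names.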

Why it matters. The Semantic Kernel and Hugging Face vulnerabilities share a common architectural flaw with this week's LangGraph and LiteLLM disclosures: framework internals that treat attacker-controllable data as trusted input. Semantic Kernel's eval()-based filter execution and Hugging Face's config.json code loading both demonstrate that the boundary between data and code in AI frameworks is far more porous than in traditional software. For enterprises running RAG pipelines, a malicious document indexed into a vector store can trigger code execution through the framework's own query processing, without ever touching the LLM prompt layer that Check Point's Lakera and Palo Alto Networks' Prisma AIRS prompt inspection are designed to monitor.

The cumulative impact of Semantic Kernel, Hugging Face, LangGraph, and LiteLLM vulnerabilities disclosed within a six-week window suggests that the AI framework layer is undergoing the same painful security maturation that web application frameworks experienced in the early 2000s. CrowdStrike's 2026 Global Threat Report noted that 42% of vulnerabilities were exploited before public disclosure, and the rapid weaponization of LiteLLM's CVE-2026-42271 within days of disclosure confirms this pattern holds for AI infrastructure. Fortinet's FortiGuard Labs and Check Point's ThreatCloud AI both need to develop specialized detection signatures for framework-layer exploitation patterns that differ fundamentally from the network and endpoint attack signatures these platforms were originally designed to identify.


Numbers at a Glance

LiteLLM patched a CVSS 9.9 four-CVE chain affecting all versions prior to v1.83.14-stable, with CVE-2026-42271 already in CISA's KEV catalog. LangGraph disclosed three CVEs, with CVE-2025-67644 and CVE-2026-28277 chainable to RCE in self-hosted deployments. Mastra lost 144 npm packages in an 88-minute scope takeover affecting over 1.1 million weekly downloads. The Hades campaign poisoned 26 PyPI packages with 37 malicious wheels across graph-ML ecosystems. FortiBleed exposed credentials for 73,932 FortiGate firewalls across 194 countries. Check Point patched CVE-2026-50751 at CVSS 9.3 with Qilin ransomware exploitation confirmed. FIRST projects 66,000 CVEs for 2026, with Microsoft shipping a record 208 Patch Tuesday fixes in June. VIPER-MCP discovered 106 zero-day vulnerabilities across 39,884 MCP server repositories, with 67 CVEs assigned. Censys identified 12,520 internet-accessible MCP services with most lacking authentication. The Five Eyes published guidance covering 23 risks and 100+ best practices for agentic AI, and the NSA issued its first MCP-specific security design guidance.


References

  1. The Hacker News: LiteLLM Vulnerability Chain Lets Low-Privilege Users Take Over AI Gateway Servers
  2. The Hacker News: LangGraph Flaw Chain Exposes Self-Hosted AI Agents to Remote Code Execution
  3. StepSecurity: Mastra npm Supply Chain Attack, 140+ Packages Backdoored via easy-day-js Typosquat
  4. StepSecurity: The Hades Campaign, Graph ML PyPI Packages Deploy Cross-Platform Memory Scrapers
  5. SecurityWeek: FortiBleed, 86,000 Fortinet Device Credentials Compromised
  6. CISA: Urges Hardening Fortinet Devices After Reports of Credential Exposure
  7. Rapid7: Critical Check Point VPN Zero-Day Exploited in the Wild, CVE-2026-50751
  8. Help Net Security: FIRST Mid-Year Vulnerability Forecast, AI Discovery Pushing 2026 CVEs Toward 66,000
  9. Microsoft Security Blog: When Prompts Become Shells, RCE Vulnerabilities in AI Agent Frameworks
  10. Rescana: Critical LiteLLM Vulnerability Chain Enables Remote Code Execution and Full AI Gateway Server Takeover
  11. NSA: Security Design Considerations for AI-Driven Automation Leveraging the Model Context Protocol
  12. Arxiv: VIPER-MCP, Detecting and Exploiting Taint-Style Vulnerabilities in Model Context Protocol Servers
  13. Censys: MCP Servers on the Internet
  14. Palo Alto Networks Unit 42: Pickle in the Middle, Hijacking Vertex AI Model Uploads
  15. Snyk: Mastra npm Scope Takeover, A Forgotten Contributor Account Compromised the Entire Scope
  16. Anthropic: Disrupting the First Reported AI-Orchestrated Cyber Espionage Campaign