Published Sunday, June 21, 2026 at 09:01 AM PT

21 JUN 2026 | FOR: SENIOR SRE/INFRASTRUCTURE ENGINEER, LOS ANGELES
BLUF: Iranian-affiliated actors actively exploiting Rockwell PLCs across US critical infrastructure; North Korean supply chain attack (144 npm packages, 88 min execution) confirmed; Boyle Heights cold-storage fire producing caustic smoke requiring air quality precautions; three open incidents on local infrastructure including a possible kernel rootkit on pi require immediate attention.
CYBER
CISA advisory confirmed: Iranian-affiliated actors exploiting Rockwell Automation/Allen-Bradley PLCs and potentially other branded PLCs across US critical infrastructure sectors. Exploitation method unspecified in public release; OT/ICS operators should audit PLC network segmentation and remote access paths immediately. [CISA] [HIGH CONFIDENCE]
North Korean threat group Sapphire Sleet executed supply chain attack against Mastra AI npm ecosystem: 144 JavaScript/AI packages backdoored, full compromise executed in 88 minutes via hijacked stale contributor account. Any environment pulling Mastra AI packages should treat dependency tree as compromised pending audit. [Microsoft, BleepingComputer] [HIGH CONFIDENCE]
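Added worked example (not part of this brief and not tooling from the vendor or project it describes): a small lockfile audit in Python that answers the "is our dependency tree exposed?" question above for an npm `package-lock.json` (lockfileVersion 3 layout). It lists every installed package under a watched scope, its version, whether it is a direct or transitive dependency, and which packages pull it in. The `@acme-ai/` scope and every package name and version in the embedded sample are constructed placeholders; substitute the scope or package list from the advisory when running it against a real lockfile.

```python
import json

# Constructed package-lock.json in the lockfileVersion 3 layout for a hypothetical
# project. The "@acme-ai/" scope and package names are placeholders, not the
# packages named in the advisory.
SAMPLE_LOCK = {
    "name": "example-service",
    "lockfileVersion": 3,
    "packages": {
        "": {
            "name": "example-service",
            "dependencies": {"@acme-ai/core": "^1.4.0", "express": "^4.19.0"},
        },
        "node_modules/@acme-ai/core": {
            "version": "1.4.2",
            "dependencies": {"@acme-ai/tools": "^1.4.0", "zod": "^3.22.0"},
        },
        "node_modules/@acme-ai/tools": {"version": "1.4.1"},
        "node_modules/express": {"version": "4.19.2"},
        "node_modules/zod": {"version": "3.22.4"},
    },
}


def package_name(path):
    """Map a lockfile path such as 'node_modules/a/node_modules/@s/b' to '@s/b'."""
    return path.rsplit("node_modules/", 1)[-1]


def find_scoped_packages(lock, scope):
    """Return {name: version} for every installed package whose name starts with scope."""
    hits = {}
    for path, meta in lock["packages"].items():
        if path == "":
            continue  # the root project itself, not an installed package
        name = package_name(path)
        if name.startswith(scope):
            hits[name] = meta.get("version")
    return hits


def dependents_of(lock, target):
    """Sorted names of packages (or the root project) that declare target as a dependency."""
    out = []
    for path, meta in lock["packages"].items():
        declared = {}
        for field in ("dependencies", "devDependencies", "optionalDependencies", "peerDependencies"):
            declared.update(meta.get(field, {}))
        if target in declared:
            out.append(package_name(path) if path else lock.get("name", "<root>"))
    return sorted(out)


def audit_lockfile(lock, scope):
    """Report each package under scope: version, direct-vs-transitive, and its dependents."""
    root = lock["packages"].get("", {})
    direct = set(root.get("dependencies", {})) | set(root.get("devDependencies", {}))
    report = {}
    for name, version in find_scoped_packages(lock, scope).items():
        report[name] = {
            "version": version,
            "direct": name in direct,
            "dependents": dependents_of(lock, name),
        }
    return report


def audit_lockfile_path(path, scope):
    """Same audit against a package-lock.json on disk."""
    with open(path, encoding="utf-8") as fh:
        return audit_lockfile(json.load(fh), scope)


if __name__ == "__main__":
    for name, info in audit_lockfile(SAMPLE_LOCK, "@acme-ai/").items():
        kind = "direct" if info["direct"] else "transitive"
        print(f"{name}@{info['version']} ({kind}) pulled in by: {', '.join(info['dependents'])}")
```

The dependents list is what decides the remediation path: a transitive hit means pinning or removing the direct dependency that drags it in, not just bumping the flagged package.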
Google Threat Intelligence (UNC6201) disclosed active exploitation of a Dell RecoverPoint for Virtual Machines zero-day. Novel backdoor GRIMBOLT deployed alongside known malware BRICKSTORM and SLAYSTYLE. VMware/Dell RecoverPoint environments should be treated as potentially compromised if internet-exposed. [Google Threat Intelligence] [HIGH CONFIDENCE]
CISA KEV catalog updated with two new known-exploited vulnerabilities (specific CVEs not fully parsed from feed). BOD 22-01 remediation deadlines apply to FCEB; all operators should treat as priority patching. [CISA] [HIGH CONFIDENCE]
Google Project Zero published bypass for Windows Administrator Protection. Exploitation path not yet confirmed in the wild; privilege escalation risk on Windows endpoints elevated. [Google Project Zero] [MODERATE CONFIDENCE]
Notepad++ 8.9.6 arbitrary code execution exploit published to Exploit-DB. Remote exploitation vector. Patch or remove from production endpoints. [Exploit-DB] [HIGH CONFIDENCE]
Booz Allen report: Chinese AI models (DeepSeek, Qwen) assessed to produce statistically more vulnerable code for US government users. Possible deliberate behavior; treat AI-generated code from these models as untrusted in any production or security-sensitive context. [Booz Allen, live news] [MODERATE CONFIDENCE]
“Agentjacking” attack class documented: AI coding agents (Copilot-class tools) manipulated into executing malicious code via prompt injection in repository context. Relevant to any CI/CD pipeline using AI-assisted code generation. [The Hacker News] [MODERATE CONFIDENCE]
ASP.NET ViewState deserialization vulnerability (pre-shared machine key reuse across deployments) being actively exploited; tracked CVE confirmed. Any ASP.NET application using default or shared machine keys is at risk. [Google Threat Intelligence] [HIGH CONFIDENCE]
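Added worked example (not from this brief, Google Threat Intelligence, or Microsoft): a Python check for the specific risk condition named above, a static `machineKey` shared across deployments. It parses a set of `web.config` documents, fingerprints each explicit `validationKey` and `decryptionKey` with SHA-256 so the report can be circulated without printing key material, and reports any key that appears in more than one deployment, plus deployments with no explicit key or with `AutoGenerate` values. All deployment names and hex keys in the sample are constructed placeholders.

```python
import hashlib
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed web.config fragments for five hypothetical deployments. The hex keys are
# made-up placeholders, not real keys from any product, template or advisory.
DEPLOYMENTS = {
    "app-prod-east": """<configuration><system.web>
  <machineKey validationKey="0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF"
              decryptionKey="FEDCBA9876543210FEDCBA9876543210"
              validation="HMACSHA256" decryption="AES" />
</system.web></configuration>""",
    "app-prod-west": """<configuration><system.web>
  <machineKey validationKey="0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF"
              decryptionKey="FEDCBA9876543210FEDCBA9876543210"
              validation="HMACSHA256" decryption="AES" />
</system.web></configuration>""",
    "app-staging": """<configuration><system.web>
  <machineKey validationKey="A1B2C3D4E5F60718293A4B5C6D7E8F90A1B2C3D4E5F60718293A4B5C6D7E8F90"
              decryptionKey="00FF00FF00FF00FF00FF00FF00FF00FF"
              validation="HMACSHA256" decryption="AES" />
</system.web></configuration>""",
    "app-dev": """<configuration><system.web>
  <machineKey validationKey="AutoGenerate,IsolateApps" decryptionKey="AutoGenerate,IsolateApps" />
</system.web></configuration>""",
    "legacy-intranet": """<configuration><system.web>
  <compilation debug="false" />
</system.web></configuration>""",
}


def extract_machine_key(config_xml):
    """Return the machineKey attributes of a web.config document, or None if absent."""
    root = ET.fromstring(config_xml)
    node = next(root.iter("machineKey"), None)
    if node is None:
        return None
    return {attr: node.get(attr) for attr in ("validationKey", "decryptionKey", "validation", "decryption")}


def fingerprint(value):
    """Short SHA-256 prefix so the report never contains the key itself."""
    return hashlib.sha256(value.encode("utf-8")).hexdigest()[:12]


def audit_machine_keys(deployments):
    """Group explicit keys by fingerprint and report those shared by more than one deployment."""
    by_key = defaultdict(set)
    no_explicit, auto_generated = [], []
    for name, config_xml in deployments.items():
        mk = extract_machine_key(config_xml)
        if mk is None:
            no_explicit.append(name)
            continue
        for attr in ("validationKey", "decryptionKey"):
            value = mk.get(attr) or ""
            if value.startswith("AutoGenerate"):
                if name not in auto_generated:
                    auto_generated.append(name)
                continue
            if value:
                by_key[(attr, fingerprint(value))].add(name)
    shared = {
        f"{attr}:{fp}": sorted(names)
        for (attr, fp), names in by_key.items()
        if len(names) > 1
    }
    return {
        "shared": shared,
        "no_explicit_key": sorted(no_explicit),
        "auto_generated": sorted(auto_generated),
    }


if __name__ == "__main__":
    result = audit_machine_keys(DEPLOYMENTS)
    for key, names in result["shared"].items():
        print(f"SHARED {key} -> {', '.join(names)}")
    print("no explicit machineKey:", result["no_explicit_key"])
    print("AutoGenerate keys:", result["auto_generated"])
```

A shared fingerprint across two independent deployments is the finding to act on: a ViewState forged for one application is valid for every application that validates with the same key. Deployments with no explicit element or `AutoGenerate` values are listed separately so the operator can confirm they are genuinely single-server.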
Ransomware ecosystem under pressure from law enforcement disruption but new variant “Prinz Eugen” identified; prioritizes recently-accessed files for encryption, likely to maximize operational damage before detection. [BleepingComputer] [MODERATE CONFIDENCE]
LOCAL INFRASTRUCTURE (YOUR NETWORK)
[CRITICAL] Three services down: plex, searxng, tinychat. No security causation confirmed; may be unrelated service failure. Investigate process state, disk, and memory before assuming benign cause given other concurrent alerts.
[CRITICAL] pi host: syslog flagging possible kernel-level rootkit. SSH event volume on nuk (2,624 events in 24h) is anomalous and may indicate brute-force or active session abuse. Treat pi as compromised until forensically cleared. Isolate from network segment. Do not trust logs generated on pi itself — pull from Wazuh/remote syslog only.
[WARNING] wazuh.manager threat score 45.0 — highest on network. Investigate whether this reflects legitimate alert aggregation or indicates the manager itself is a target. A compromised SIEM manager would blind all downstream detection.
[WARNING] itunes host threat score 20.0. Correlated with 12 sensitive_access syslog events and 25 crash_storm events across the environment. Crash storms can indicate exploitation attempts triggering process instability.
[WARNING] nuk: 5 correlated security events, threat score 5.0, 2,624 SSH events. SSH volume alone warrants immediate review of auth logs, failed/successful login ratio, and source IP geolocation. If SSH is not required on nuk, disable or restrict to known IPs now.
520,555 syslog events with 64,138 warnings in 24h is elevated baseline. No firewall blocks recorded — if egress filtering is active, absence of blocks alongside elevated internal events may indicate lateral movement using permitted protocols.
Zero Wazuh security events recorded against 520K+ syslog events is a detection gap worth investigating. Either Wazuh rules are not ingesting the relevant log sources, or alert suppression/tuning has created blind spots.
MILITARY / GEOPOLITICAL
18 JUN: US and Iran confirmed agreement ending the 110-day war and reopening Strait of Hormuz. Strait now operationally open; maritime insurance and shipping disruption risk declining. [Arms Control Association] [HIGH CONFIDENCE]
Post-war analysis underway on lessons Iran’s new leadership will draw from the conflict. Iranian cyber doctrine likely to evolve; CISA’s concurrent PLC advisory may reflect pre-ceasefire or retaliatory positioning by Iranian-affiliated actors operating independently of state command. [Arms Control Association, CISA] [MODERATE CONFIDENCE]
Israel conducting strikes in Lebanon despite exclusion from US-Iran talks. Regional escalation risk remains elevated in Eastern Mediterranean; no direct CONUS infrastructure implication assessed at this time. [Arms Control Association] [MODERATE CONFIDENCE]
France arrested members of a humanitarian charity assessed as a Russian intelligence front. Consistent with ongoing Russian use of NGO/civil society cover for intelligence collection in Europe. [intelNews] [MODERATE CONFIDENCE]
Mossad plan to destabilize Iranian regime reportedly leaked. If authentic, complicates post-ceasefire normalization and elevates risk of Iranian cyber retaliation against Israeli and US targets. [intelNews] [LOW CONFIDENCE — single source, unverified]
USMC F-35Bs conducted first-ever highway strip operations in Finland during Ramstein Flag exercise. Demonstrates NATO dispersed basing capability; operationally significant for European deterrence posture. [The Aviationist] [HIGH CONFIDENCE]
USCENTCOM: US forces conducted joint aviation integration exercise with UAE and Saudi Arabia. Consistent with post-ceasefire coalition maintenance in Gulf region. [USCENTCOM] [HIGH CONFIDENCE]
Three RQ-4 Global Hawks permanently relocated to Yokota Air Base, Japan. Signals increased ISR posture in Western Pacific; consistent with Taiwan Strait tension management. [Task & Purpose] [HIGH CONFIDENCE]
PHYSICAL / LOCAL (LOS ANGELES / SOCAL)
Boyle Heights cold-storage warehouse fire ongoing as of 21 JUN. Local emergency declaration issued. Fire producing caustic, toxic smoke across the region. Air quality advisory in effect. If your infrastructure includes physical assets or personnel in eastern LA, assess air quality before dispatching on-site. [Live news, LA local] [HIGH CONFIDENCE]
Smash-and-grab crew active in Arcadia and Eagle Rock. Small business targets; no direct infrastructure relevance but pattern indicates organized retail crime activity in San Gabriel Valley and northeast LA corridors. [Live news] [HIGH CONFIDENCE]
SNAP fraud federal arrests (8 individuals, $1.3M) — no infrastructure relevance. NOSIG for this audience.
NUCLEAR / WMD
Strait of Hormuz ceasefire removes near-term risk of Iranian mining or closure operations that could have triggered broader escalation. No IAEA reporting on Iranian nuclear program status post-ceasefire in current feed. [MODERATE CONFIDENCE]
No test activity, IAEA alerts, or WMD-relevant signals in current feed beyond above. NOSIG otherwise.
KEY JUDGMENTS
The convergence of the Iranian PLC advisory, the North Korean npm supply chain attack, and the active Dell RecoverPoint zero-day exploitation represents the highest-density 24-hour threat window for US infrastructure operators in recent reporting cycles — at least two of these three vectors are confirmed actively exploited, not theoretical. The possible kernel rootkit on pi and anomalous SSH volume on nuk must be treated as a live incident, not a monitoring artifact, particularly given that Wazuh is reporting zero security events against a half-million syslog lines — a detection configuration that warrants immediate validation. The Hormuz ceasefire reduces maritime and energy supply chain risk but does not reduce Iranian cyber actor activity, which CISA’s advisory suggests is ongoing and may intensify as post-war Iranian factions seek leverage outside diplomatic channels.
