FortiClient EMS, GitHub secrets, CISA breach: critical exploitation ongoing
ID: e762713f-f52d-5ed5-986d-bbcc5cf28ff4
STIX ID: report--e762713f-f52d-5ed5-986d-bbcc5cf28ff4
Feed Name: defend.network – Daily Threat Briefings
This briefing highlights multiple high-priority threats: an actively exploited FortiClient EMS authentication bypass (CVE-2026-35616) used to deliver the EKZ credential stealer; a CISA contractor's public GitHub repository that exposed privileged AWS GovCloud keys and internal secrets; the BTMOB Android RAT spreading via phishing with a malware-builder service; over 4,300 fraudulent FIFA domains targeting 2026 World Cup buyers; and a critical authenticated RCE in Gogs. Recommended actions include immediate patching, credential rotation, forensic audits, endpoint and mobile threat scanning, and blocking known malicious domains and IOCs.
