Information Security News | AI Aggregator

PRC-linked spies hid inside medical and military networks for more than a year, snooping through Gmail and stealing data
Date: 2026-06-15 | Source: The Register
Chinese government-linked hackers, tracked as UNC6508, infiltrated multiple North American medical and military networks for over a year, using custom malware named InfiniteRed to steal sensitive data. They exploited REDCap servers, capturing login credentials and deploying compliance rules to BCC emails to an attacker-controlled Gmail account. The operation targeted various organizations, including defense and medical research entities, with a focus on topics like drone technology and specific pathogens. Google has notified affected organizations.
2026-06-15 | Google Cloud: Public and Private Medical Community Targeted by China-Nexus Threat Actor Pursuing Artificial Intelligence, Cyber, Medical, and National Defense Research
A campaign attributed to the China-nexus threat actor UNC6508 targeted North American academic, medical, and military research institutions, remaining undetected for over a year. The actor compromised REDCap servers, deployed custom malware (INFINITERED) to capture login credentials, and accessed sensitive internal networks. GTIG disrupted the infrastructure and recommended best practices, including enabling 2-Step Verification. The earliest compromise was noted in September 2023, with ongoing activity observed through November 2025.
2026-06-15 | Cybersecurity Dive: China-nexus group linked to multiyear campaign targeting US, Canadian medical research
A China-nexus threat group, UNC6508, has conducted a multiyear espionage campaign targeting North American medical research centers, focusing on medical, AI, and military information. Exploiting vulnerable REDCap servers, they installed custom malware, Infinitered, to steal credentials. The campaign, traced back to September 2023, compromised multiple organizations until November 2025. GTIG recommends implementing two-step verification, updating REDCap software, and monitoring audit logs to enhance security.
2026-06-15 | Help Net Security: Chinese hackers breached North American research institutions via REDCap servers
Chinese hackers, linked to the UNC6508 group, breached North American medical research institutions via compromised REDCap servers, using custom malware named INFINITERED for persistent access and data collection. The operation, ongoing since September 2023, involved credential harvesting and email monitoring for sensitive information. Google notified affected organizations and disrupted the attackers' infrastructure, recommending upgrades to REDCap and enhanced security practices, including 2-step verification.
2026-06-15 | The Hacker News: Chinese Hackers Abused Google Workspace Rules to Steal Research and Defense Emails
A China-linked espionage group, UNC6508, exploited vulnerabilities in REDCap servers to steal sensitive emails from North American medical, academic, and military organizations. They used Google Workspace's content compliance rules to BCC emails containing specific keywords to an attacker-controlled address. The campaign, ongoing since September 2023, involved custom malware named INFINITERED. Google recommends patching REDCap servers, reviewing email rules, and implementing phishing-resistant MFA for admin accounts.
2026-06-15 | Cyberscoop: Google exposes China espionage group that’s been lurking in networks undetected since 2023
Google's Threat Intelligence Group identified a Chinese state-sponsored espionage group, UNC6508, which infiltrated U.S. and Canadian organizations since September 2023. The group targeted sectors like academia and military health, using a custom backdoor, INFINITERED, to steal credentials. They exploited vulnerabilities in REDCap servers, with ongoing investigations into their methods. Google disrupted some of their infrastructure and notified affected organizations, indicating a broader campaign may still be active.
Maine Takes Data Breach Reporting Portal Offline After Fake VRChat and Discord Filings
Date: 2026-06-14 | Source: Cyber Security News
The Maine Attorney General's Office has taken its data breach reporting portal offline after discovering fake breach notifications for VRChat and Discord submitted by an unidentified entity. On June 12, 2026, the AG confirmed these reports were hoaxes, with claims of significant user data exposure being fabricated. The incident exposed a vulnerability in the portal's design, which allowed unverified submissions. The AG's office is reviewing procedures to prevent future abuses while maintaining access to legitimate reports.
2026-06-15 | Infosecurity Magazine: Maine Takes Breach Reporting Portal Offline After Fake Entries
Maine has taken its breach reporting database offline after two false reports were submitted, impersonating VRChat and Discord. The reports claimed significant data breaches affecting 2.4 million and 10 million users, respectively. The Maine Attorney General's Office is reviewing procedures to prevent such abuses while the database remains unavailable. No legitimate breaches from VRChat or Discord have been reported. In 2022, the US saw a record 3,332 publicly reported breaches, impacting 279 million individuals.
2026-06-15 | Security Magazine: Maine Data Breach Reporting Portal Abused, Taken Offline
The Maine Attorney General's Office has taken its public data breach reporting portal offline due to abuse, specifically false reports involving Discord and VRChat. The fraudulent claims suggested breaches affecting 10 million and 2.4 million users, respectively, with sensitive information allegedly exposed. The office confirmed no legitimate breaches occurred and is reviewing procedures to prevent future abuse while maintaining public access. The online reporting service remains available for legitimate submissions.
2026-06-15 | Recorded Future: Maine closes data breach portal to the public after fake reports
Maine's data breach reporting portal was closed to the public after two fake breach notices were submitted, one claiming 2.4 million VRChat customers were affected and another for Discord. The notices were removed, and Maine's attorney general stated there are no legitimate breach reports from either company. The portal will remain offline during an audit to prevent future abuses. VRChat criticized Maine for not promptly removing the fake notice, asserting no data compromise occurred.
Anthropic Fable 5 and Mythos 5 Access Blocked to All Users Following Government Directive
Date: 2026-06-13 | Source: Cyber Security News
On June 12, 2026, the U.S. government directed Anthropic to block access to its AI models, Fable 5 and Mythos 5, for all foreign nationals due to national security concerns. This led to a global shutdown of these models, as enforcing selective access was deemed impractical. The government cited a potential jailbreak method that could exploit software flaws. Anthropic acknowledged the challenge of achieving perfect jailbreak resistance and has implemented a 30-day data retention policy for ongoing research.
2026-06-13 | The Guardian: Anthropic to disable its most advanced AI models after US order limiting foreign access
Anthropic will disable its advanced AI models, Fable 5 and Mythos 5, for all users following a US government order limiting foreign access due to national security concerns. The directive cites potential methods to bypass safeguards that could allow these models to identify software vulnerabilities. Anthropic disagrees with the government's assessment and is working to restore access. The order reflects escalating US efforts to control foreign adversaries' AI capabilities, particularly in cybersecurity.
2026-06-13 | Security Affairs: Washington Pulled the Plug on Anthropic's Fable 5 and Mythos 5 models. The Rest of the World Is Watching.
On June 12, 2026, the US Commerce Department ordered Anthropic to suspend access to its AI models, Fable 5 and Mythos 5, for all foreign nationals, including employees. Anthropic disputes the lack of transparency and claims the directive stems from a narrow jailbreak technique that can identify software vulnerabilities, which is also possible with other models. The company argues that this action sets a concerning precedent for AI deployment and calls for a transparent process for any future restrictions.
2026-06-13 | Cyberscoop: Anthropic disables new models after government calls them a national security concern
The U.S. government ordered Anthropic to suspend foreign access to its AI models, Fable 5 and Mythos 5, due to national security concerns over a reported method to bypass safety restrictions. The directive, issued by Secretary of Commerce Howard Lutnick, affects all foreign nationals, including Anthropic employees. The company disabled the models for compliance, disputing the severity of the concerns and asserting that similar capabilities exist in publicly accessible models. The implications for AI regulation remain uncertain.
2026-06-13 | TechCrunch: Amazon CEO reportedly raised Anthropic model concerns before government crackdown
Amazon CEO Andy Jassy raised security concerns regarding Anthropic's models, specifically the Claude Fable 5, to U.S. government officials, suggesting they could be exploited for cyberattacks. This led to the government imposing an export control ban on the Fable 5 and Mythos 5 models. An Amazon spokesperson confirmed the company advises on security risks but did not disclose details. David Sacks mentioned a credible source alerted the government about a jailbreak in the models, prompting discussions with Anthropic's CEO.
2026-06-15 | Infosecurity Magazine: Cybersecurity Experts Urge US to Lift Ban on Anthropic's Frontier AI Models
Over 50 cybersecurity professionals urged the US government to lift a ban on Anthropic's AI models, Fable 5 and Mythos 5, imposed due to national security concerns. The ban followed claims of a method to bypass Fable 5’s guardrails. The professionals argued that restricting access hinders defenders while adversaries advance, creating market uncertainty. They emphasized that similar capabilities exist in other models and called for a transparent process for AI risk assessments. Notable signatories included CISOs and industry leaders.
2026-06-15 | DIGIT: US Government Order Forces Anthropic to Disable Advanced AI Models
Anthropic has disabled access to its advanced AI models, Fable 5 and Mythos 5, following a US government export control directive aimed at foreign nationals. The directive, received on June 12, cites national security concerns related to a potential method for bypassing the models' safeguards. Anthropic stated that while its safeguards are more effective than previous models, it acknowledges the possibility of non-universal jailbreaks. The company has implemented a "defense in depth strategy" to mitigate risks associated with these vulnerabilities.
2026-06-15 | Recorded Future: Anthropic says US government forced it to disable cybersecurity AI models
Anthropic disabled its cybersecurity AI models, Fable 5 and Mythos 5, in response to a U.S. government export control directive prohibiting foreign access, including its own employees. The directive, citing national security, is unprecedented for AI models. Anthropic disputes the basis for the directive, arguing the identified vulnerabilities were minor and known. The company supports government oversight of unsafe AI but calls for a transparent process. The directive follows tensions with the Trump administration and Anthropic's IPO plans.
2026-06-15 | Malwarebytes Labs: Claude Fable 5 and Mythos 5 “abruptly disabled” after US gov. ban
Anthropic has disabled its Claude Fable 5 and Mythos 5 AI models globally following a US government order due to national security concerns about potential misuse for vulnerability discovery. The government cited fears that a jailbreak could allow adversaries to exploit these models. Mythos 5, used by select agencies, is effective at identifying software vulnerabilities, raising dual-use concerns. Existing older Claude models remain available, but access to the advanced models will be restricted for the foreseeable future.
2026-06-15 | TechCrunch: Cybersecurity vets protest ‘dangerous’ US government ban on Anthropic’s most powerful models
A group of 76 cybersecurity experts, including notable figures, urged the U.S. government to lift its export control order on Anthropic's Fable and Mythos AI models, arguing it hinders defenders' ability to identify vulnerabilities. The government cited national security concerns without specifics, leading Anthropic to suspend global access. Critics claim the order is unwarranted and that the methods described in a related Amazon paper do not constitute a real jailbreak, emphasizing the need for AI in defensive security.
2026-06-15 | Times Now: Why Cybersecurity Experts Are Defending Anthropic's Most Powerful AI Models
A letter signed by over 50 cybersecurity executives, including leaders from Nvidia and Adobe, urges the Trump administration to reconsider restrictions on Anthropic's advanced AI models, Fable 5 and Mythos 5. The experts argue that limiting access could hinder efforts to defend against cyberattacks, highlighting the importance of these AI technologies in enhancing cybersecurity measures. The dispute arises amid growing concerns over artificial intelligence's role in national security.
2026-06-15 | Cyberscoop: Cybersecurity experts don’t think Anthropic’s Fable 5 presents a unique threat
The Trump administration imposed export controls on Anthropic's AI model Fable 5 due to concerns over its potential cybersecurity threats after reports of jailbreaking. Anthropic has limited the model's release and implemented guardrails. Experts argue that no significant vulnerabilities have been demonstrated, asserting that Fable 5's capabilities are not uniquely dangerous compared to other models. An open letter from cybersecurity professionals criticized the restrictions as excessive, highlighting the model's defensive utility.
2026-06-15 | The Register: Feds freaked over Fable 5 after simple 'fix this code' prompt, not jailbreak, says researcher
The US government issued an export control directive to suspend access to Anthropic's Fable 5 and Mythos 5 models, citing national security concerns. This action followed a research paper revealing that a simple prompt, "Fix this code," allowed the models to generate security patches. Katie Moussouris, a cybersecurity expert, criticized the ban, arguing it hampers defensive capabilities against adversaries. Over 100 cybersecurity leaders signed a letter urging the administration to reverse the restrictions, emphasizing the need for robust defensive tools.
Novo Nordisk reports cyberattack as UK gives Wegovy pill the nod
Date: 2026-06-12 | Source: The Register
Novo Nordisk reported a cyberattack resulting in the theft of pseudonymized data related to clinical trial participants, including patient ID, trial participation details, and health data. While the data is not directly linked to individuals, the company warned that additional personal information of healthcare partners was also compromised, potentially leading to targeted phishing attempts. The attack affected a limited number of internal IT systems, which are being restored cautiously. No impact on core operations was reported.
2026-06-15 | Security Affairs: Novo Nordisk Confirms Data Theft: What Attackers Took and What They Didn’t
Novo Nordisk confirmed a cyberattack on June 15, 2026, resulting in the theft of clinical trial data. The breach involved unauthorized access to internal IT systems, affecting pseudonymized data of clinical trial patients, including patient IDs, trial details, and health data. However, identifiable patient information was not exposed. Healthcare providers' data, including names and contact details, was compromised. No threat actor has claimed responsibility, and the company has engaged cybersecurity experts to manage the incident.
2026-06-15 | TechRadar: Novo Nordisk reveals cyberattack: Ozempic and Wegovy maker says clinical trials data breached
Novo Nordisk confirmed a cyberattack that breached pseudonymized clinical trial patient data, including IDs, biomarkers, and lifestyle factors. The company stated no direct personally identifiable information (PII) was leaked, minimizing risks of phishing or identity theft. The incident involved unauthorized access to internal IT systems, prompting a shutdown for containment and an investigation by third-party experts. Core operations remain unaffected, and patients are advised to stay vigilant for unusual activities.
2026-06-15 | Security Magazine: Breaking Down the Novo Nordisk Data Breach
Danish pharmaceutical firm Novo Nordisk reported a data breach involving clinical trials, where a threat actor accessed internal IT systems, compromising deidentified patient and healthcare provider (HCP) data. Affected data includes patient IDs, trial participation info, and HCP contact details. While immediate patient risk is low, experts warn of potential long-term risks, including targeted phishing attacks on HCPs. The breach raises concerns about corporate espionage, given the value of the accessed information related to ongoing trials.
400+ Arch Linux AUR Packages Compromised in a Supply Chain Attack Deploying Infostealers
Date: 2026-06-12 | Source: Cyber Security News
A supply chain attack on the Arch User Repository (AUR) compromised over 400 packages by injecting malicious build scripts to deploy credential-stealing malware. Identified around June 11, 2026, attackers targeted orphaned packages, modifying PKGBUILD scripts to install rogue npm packages. The malware exfiltrated sensitive data, including browser credentials and SSH keys, while employing rootkit techniques for persistence. The Arch Linux team responded by reverting changes and banning attackers. Users are advised to audit installed packages and rotate credentials.
2026-06-12 | The Hacker News: 400+ Arch Linux AUR Packages Hijacked to Install Rust Credential Stealer
Attackers hijacked over 400 Arch Linux AUR packages, modifying build scripts to install a Rust-based credential stealer. This malware targets developer secrets, collecting data from browsers, Electron apps, and various tokens. It installs a persistent systemd service and can load an optional eBPF rootkit to hide itself. Users are advised to check AUR packages installed after June 11, rotate compromised credentials, and inspect for persistence mechanisms. The attack exploits trust in package history rather than software flaws.
2026-06-12 | The Hacker News: Over 400 Arch Linux AUR Packages Hijacked to Deploy Infostealer and eBPF Rootkit
Attackers hijacked over 400 packages in the Arch User Repository (AUR) to deploy a Rust credential stealer and an optional eBPF rootkit. The malware targets developer secrets, including tokens and SSH keys, and communicates via HTTP and Tor. Users who installed or updated AUR packages after June 11 should verify against affected lists and rotate compromised credentials. Arch maintainers are resetting malicious commits and advising caution with recently adopted packages. No CVE has been assigned; the campaign is tracked as Sonatype-2026-003775 (CVSS 8.7).
2026-06-15 | Risky.Biz: Risky Bulletin: Arch Linux supply chain attack spreads to 1,900+ AUR packages
More than 1,900 Arch Linux packages were hijacked in a supply chain attack aimed at distributing a rootkit and credentials harvester. Attackers exploited the AUR portal's mechanism to adopt abandoned packages, initially hijacking 400 before expanding to nearly 2,000. The malware can collect credentials from browsers and developer secrets. Affected users are advised to change passwords and remove the rootkit. The attack is ongoing, with the hacker modifying installation procedures to evade detection.
2026-06-15 | The Register: Arch Linux locks down AUR signups amid wave of malicious commits
A wave of malicious commits affected the Arch User Repository (AUR), leading to the suspension of new account registrations on June 12. Over 1,500 user-submitted packages were compromised, attempting to introduce hostile JavaScript dependencies. The core Arch distribution remains unaffected. The AUR, a community-run repository, relies on user inspection of packages. This incident underscores vulnerabilities in the AUR's open model. New account creation is still disabled as the team works on cleanup and future prevention strategies.
Google fires sueball at alleged Chinese phishers over AI-powered fraud ops
Date: 2026-06-12 | Source: The Register
Google has filed a lawsuit against a China-based cybercrime group known as the "Outsider Enterprise," which allegedly used AI-powered phishing kits to send millions of scam texts and create over 9,000 fraudulent websites. The operation has reportedly defrauded hundreds of thousands of victims by impersonating trusted brands. Google is collaborating with the FBI and major telecom providers to disrupt these scams and block malicious messages. The lawsuit aims to dismantle the infrastructure supporting these phishing campaigns.
2026-06-12 | Help Net Security: Google sues China-based scammers over Gemini AI abuse
Google has sued China-based Outsider Enterprise for using AI tools, including Gemini, to create phishing websites, impacting hundreds of thousands of victims with estimated losses in the millions. The operation is linked to over 9,000 fake websites and 1 million fraudulent URLs. During May, Android users reported 55,000 spam texts related to this operation. Google aims to dismantle the group's infrastructure and is collaborating with the FBI and telecom companies to block malicious messages.
2026-06-12 | Cyber Security News: Google Sues Chinese Cybercrime Network for Using Gemini AI to Launch Cyberattacks
Google has sued the "Outsider Enterprise," a Chinese cybercrime network, for using its Gemini AI to conduct large-scale phishing campaigns against U.S. consumers. The network, operating as a phishing-as-a-service platform, has sent 2.5 million smishing messages and created over 9,000 fake websites. Google seeks damages under the RICO Act and is collaborating with carriers to block fraudulent messages. The lawsuit highlights the legal implications of AI misuse in cybercrime, setting a precedent for future cases.
2026-06-12 | TechCrunch: Google sues alleged Chinese cybercrime operation that used AI to send scam texts
Google is suing the alleged Chinese cybercrime network Outsider Enterprise for using AI to send scam texts impersonating Google and other brands, targeting victims to steal passwords and credit card information. The operation has reportedly scammed hundreds of thousands, with losses estimated in the millions. In a two-week span, 9,000 fake websites and 2.5 million texts were sent to Android users. Google collaborates with telecoms to block these messages and is working with the FBI on law enforcement actions.
2026-06-12 | The Hacker News: Google Sues Chinese Smishing Network Accused of Using Gemini AI in Phishing
Google is suing a Chinese cybercrime network for using its Gemini AI to conduct phishing attacks targeting Americans. The network operates a phishing-as-a-service kit called Outsider, which generates fraudulent websites and sends smishing texts impersonating legitimate brands. Over 100,000 victims have suffered millions in losses. Google aims to dismantle the network and has partnered with AT&T, T-Mobile, and Verizon to block these messages. The service offers tools for creating phishing sites and tracking campaigns, lowering entry barriers for novice fraudsters.
2026-06-12 | TechCrunch: Chinese cybercrime operation that used AI to scam ‘hundreds of thousands of victims’ sued by Google
Google is suing the Chinese cybercrime network Outsider Enterprise, which allegedly used AI to scam hundreds of thousands of victims, resulting in millions in losses. The group deployed 9,000 fake websites and sent 2.5 million scam texts in two weeks. Google claims the operation has stolen approximately 3.87 million credit cards, leading to $1.9 billion in losses. The lawsuit seeks damages and aims to dismantle the group's infrastructure, which includes a phishing software suite marketed to criminals.
2026-06-12 | Cyberscoop: FBI takes down massive China-based cybercrime network that caused $1.9B in losses
The FBI, in collaboration with Google and Lumen Technologies, dismantled a China-based cybercrime network named Outsider, responsible for $1.9 billion in losses through phishing attacks in 55 countries since July 2023. The operation, “Operation Ghost Hook,” led to the seizure of domains, $100,000 from payment wallets, and access to customer data via a Telegram bot. Outsider's phishing kits, available for $88 weekly, exploited various authentication methods, prompting Google to seek legislative action against such scams.
2026-06-13 | Times Now: 9,000 Fake Websites, 2.5 Million Texts: Google Takes Legal Action Against AI-Powered Scam Ring
Google has taken legal action against an AI-powered scam ring responsible for disseminating over 2.5 million scam messages to Android users in May. During this period, users reported 55,000 text scams. Although exact financial damages remain unclear, it is confirmed that hundreds of thousands of users have lost millions of dollars in the United States due to these scams.
2026-06-15 | TechRadar: FBI takes out huge AI-powered phishing service: Outsider Enterprise was using over a million phishing URLs to steal credit card data and passwords
The FBI dismantled the Chinese phishing-as-a-service (PhaaS) operation "Outsider Enterprise," seizing servers, $100,000 in USDT, and a Telegram bot. The service operated for three years, generating around 9,000 fake sites and over 1 million phishing URLs, stealing 3.8 million credit card records, causing $1.9 billion in losses. Google filed a civil lawsuit against the operation, which sent 2.5 million fraudulent SMS messages targeting Android users in two weeks.
Ukrainian National Pleads Guilty to Wire Fraud Conspiracy in Connection with Conti Ransomware
Date: 2026-06-12 | Source: US Department of Justice
Oleksii Oleksiyovych Lytvynenko, a Ukrainian national, pleaded guilty to conspiracy to commit wire fraud related to the Conti ransomware, which infected over 1,000 systems globally, causing at least $150 million in ransom payments. From 2020 to 2022, the ransomware targeted victims in 47 states and 31 countries. Lytvynenko admitted to working on malicious software for the group. He faces up to 20 years in prison, with sentencing set for September 10, 2026. The case is part of Operation Riptide, targeting cybercrime.
2026-06-12 | Cyberscoop: Conti ransomware group member pleads guilty, faces up to 20 years in prison
Oleksii Oleksiyovych Lytvynenko, a former member of the Conti ransomware group, pleaded guilty to conspiracy to commit wire fraud, facing up to 20 years in prison. He admitted to developing malware used in attacks on over 1,000 victims globally, including eight in the U.S., causing millions in damages. Lytvynenko extorted approximately $634,000 in Bitcoin from two Tennessee victims, including a government entity. He was arrested in Ireland in July 2023 and extradited to the U.S. in October 2025.
2026-06-13 | Hack Read: Extradited Ukrainian Man Admits Role in Conti Ransomware Attacks
Oleksii Oleksiyovych Lytvynenko, a 44-year-old Ukrainian man extradited from Ireland, pleaded guilty in the US for his involvement in the Conti ransomware operation, which attacked over 1,000 computers and networks between 2020 and 2022, resulting in at least $150 million in ransom payments. He admitted to stealing data from 12 victims and coding a "loader" for further attacks. Lytvynenko faces up to 20 years in prison, with sentencing scheduled for September 10, 2026.
2026-06-14 | Security Affairs: Ukrainian Extradited from Ireland Pleads Guilty Over Role in Conti Ransomware Scheme
Ukrainian national Oleksii Lytvynenko pleaded guilty in the U.S. for conspiracy to commit wire fraud related to the Conti ransomware scheme, which targeted over 1,000 computers globally between 2021 and 2022. He admitted to encrypting victims' systems, stealing data, and developing malware components. Lytvynenko faces up to 20 years in prison, with sentencing scheduled for September 10, 2026. The Conti group, linked to significant ransom payments, ceased operations in 2022 amid law enforcement pressure.
2026-06-15 | Help Net Security: Ukrainian national pleads guilty in connection with Conti ransomware
A Ukrainian national, Oleksii Oleksiyovych Lytvynenko, pleaded guilty to conspiracy to commit wire fraud related to the Conti ransomware, which affected over 1,000 victims globally. He admitted to working on malware coding and participated in breaching networks to extort ransoms, generating at least $150 million in payments. Lytvynenko is set to be sentenced on September 10, 2026, facing up to 20 years in prison. Conti, active since 2020, targeted various sectors before ceasing operations in 2022.
Global Law Enforcement Dismantles ‘AudiA6’ Crypto Laundering Network Linked to Ransomware Gangs
Date: 2026-06-11 | Source: Chainalysis
On June 11, 2026, global law enforcement dismantled the "AudiA6" cryptocurrency laundering network, arresting two administrators in Georgia. The operation seized infrastructure across multiple countries, disrupting a service that processed approximately 10,333 bitcoin (valued at $389 million) since 2021. AudiA6 utilized over 6,000 KYC-verified money mule accounts to obscure the origin of stolen funds, linking it to ransomware and cybercrime. The associated "Dark2Web" forum was also taken down.
2026-06-12 | The Hacker News: Europol Disrupts AudiA6 Crypto Laundering Service Used by Ransomware Gangs
Europol has disrupted AudiA6, a cryptocurrency laundering service linked to ransomware gangs, cutting off a financial pipeline that laundered over €336 million since 2021. The operation on June 10, 2026, led to the arrest of two individuals, seizure of 30 servers, and freezing of €692,000 in cryptocurrency. AudiA6 facilitated illicit transactions through fraudulent accounts, charging 3-10% fees. The investigation involved multiple international law enforcement agencies, highlighting the rise of industrial-scale laundering in cybercrime.
2026-06-12 | Help Net Security: Authorities dismantle crypto laundering service that moved €336 million for cybercriminals
An international law enforcement operation has dismantled the cryptocurrency laundering service AudiA6, linked to ransomware groups, processing over €336 million in illicit funds from 2022 to 2025. On June 10, two administrators were arrested in Georgia, with over 30 servers and 25 domains seized. The operation also froze €692,000 in cryptocurrency and seized €86,000. The investigation involved multiple agencies, including Europol and the U.S. Secret Service, building on prior arrests and evidence.
2026-06-12 | Hack Read: Feds Seize AudiA6 and Dark2Web in $389M Crypto Laundering Case
A joint operation by the US Secret Service and IRS has shut down the cryptocurrency laundering service AudiA6 and arrested its operators, Ruslan Tkachuk and Alexander Ledenev, in Georgia. They face charges of money laundering, with a potential 20-year prison sentence. Investigators found AudiA6 received over 10,333 Bitcoin, including 393.39 BTC from ransomware and dark web activities. Authorities seized digital assets, servers, and domains across multiple countries, blocking accounts linked to the operation.
2026-06-12 | Cyber Security News: Authorities Dismantle Cryptocurrency Laundering Services ‘AudiA6’ Used by Ransomware Gangs
Authorities dismantled the cryptocurrency laundering service “AudiA6,” used by ransomware groups to obscure financial flows, processing over EUR 336 million from 2022 to 2025. The June 10 operation involved U.S. Secret Service, IRS, Polish law enforcement, and Europol, resulting in two arrests and the seizure of 30 servers, 25 domains, and significant cryptocurrency assets. AudiA6 facilitated rapid laundering through complex transaction chains, charging 3-10% commissions, and was linked to over 15 ransomware investigations.
2026-06-12 | Infosecurity Magazine: Ransomware Payment Crypto Laundering Platform Taken Out by FBI and Europol
An international law enforcement operation dismantled the cryptocurrency laundering service ‘AudiA6’, suspected of laundering over €336m ($389m) for cybercriminals from 2022 to 2025. The operation involved agencies from the US and Europe, resulting in the arrest of two suspects in Georgia, the seizure of €692,000 in cryptocurrency, and the takedown of 25 domains. AudiA6 was linked to at least 15 ransomware operations and utilized money mules to obscure the origin of funds.
Interpol Dismantles SniperDz Phishing-as-a-Service Platform
Date: 2026-06-11 | Source: Infosecurity Magazine
Interpol's Operation Ramz dismantled the SniperDz phishing-as-a-service platform, leading to 201 arrests and the seizure of 53 servers across 13 MENA countries from October 2025 to February 2026. SniperDz, operational since 2015, provided phishing kits and infrastructure, with over 140,000 phishing pages identified. The platform exploited social engineering and had significant OpSec failures, aiding investigators in tracing its main developer in Algeria. Group-IB emphasized the importance of adversary-centric intelligence in combating cybercrime.
2026-06-11 | Hack Read: Decade-Long SniperDz Phishing Network Disrupted in Operation Ramz
A collaborative operation involving Group-IB, INTERPOL, and the Algerian National Police has dismantled the SniperDz phishing network, operational since 2015, which provided phishing tools to hackers. The network targeted over 30 platforms, using 20,000 domains to steal user data. The operation, part of Operation Ramz, led to 201 arrests and the seizure of 53 servers across 13 countries. Key operator Guedz was arrested after being traced through video tutorials revealing his identity.
2026-06-11 | Cyber Security News: Hackers Abuse SniperDz PhaaS Ecosystem for Brand Impersonation and Browser Hijacking
A Phishing-as-a-Service (PhaaS) platform named SniperDz is facilitating extensive online fraud, particularly in the Middle East and North Africa. It offers over 50 phishing templates impersonating 70+ brands, enabling low-skilled criminals to execute scams via social media. Victims are misled through trusted link-aggregation services to phishing sites that capture browser notifications, leading to unsolicited ads and scams. Key indicators include specific domains and IP addresses linked to the operation, along with a recurring VAPID public key.
2026-06-12 | The Hacker News: INTERPOL Operation Takes Down Sniper Dz Phishing Platform, Arrests Administrator
INTERPOL's Operation Ramz disrupted the Sniper Dz phishing-as-a-service platform, resulting in 201 arrests across 13 MENA countries between October 2025 and February 2026. Guedz, the platform's main developer, was arrested by Algerian authorities. Sniper Dz, active since 2015, targeted major organizations like PayPal and Facebook, using 80 phishing templates in multiple languages. The operation dismantled the platform's infrastructure and seized phishing software, highlighting its role in credential theft and various scams.
2026-06-15 | The Hacker News: Sniper Dz Scams Target MENA Users via Fake Facebook Offers and Browser Alerts
Cybersecurity researchers revealed a scam targeting users in the MENA region, involving fake Facebook accounts impersonating public figures to promote fraudulent offers. Victims were misled into clicking links that led to phishing sites and monetization schemes. The operation, linked to the Sniper Dz phishing-as-a-service platform, utilized social engineering, browser notification abuse, and history manipulation to trap users and generate illicit revenue through scams. The campaign highlights the exploitation of legitimate web technologies for fraud.
Chaotic Eclipse Strikes Again: New Zero-Day Unlocks BitLocker in Four Hours of Research
Date: 2026-06-11 | Source: Security Affairs
On June 10, 2026, researcher Chaotic Eclipse revealed a zero-day exploit named GreatXML that bypasses BitLocker, granting SYSTEM shell access during Windows Recovery Mode. This vulnerability arises from Microsoft Defender's offline scan artifacts, affecting any machine that has run the scan. No patch is available. The exploit requires physical access to the target machine or the ability to modify the recovery partition. This follows other disclosures by the researcher, raising concerns about Microsoft's vulnerability reporting process.
2026-06-11 | Cyber Security News: GreatXML BitLocker Bypass 0-Day Exploited Via Windows Defender Offline Scan
A zero-day vulnerability, named GreatXML, allows attackers with physical access to bypass BitLocker encryption on Windows systems via Windows Defender Offline Scan. By placing a crafted `unattend.xml` and Recovery directory in the recovery partition, attackers can access the encrypted volume without login. This affects any Windows system that has run a Defender Offline Scan. No patch is available, and the proof-of-concept has been publicly released, increasing risks for high-value targets.
2026-06-11 | The Hacker News: New GreatXML Exploit Bypasses Windows BitLocker via Recovery Partition XML Files
A new exploit named GreatXML has been released by security researcher Chaotic Eclipse, allowing a bypass of Windows BitLocker via recovery partition XML files. The exploit requires copying specific XML files to the recovery partition and rebooting into the Windows Recovery Environment. If Windows Defender Offline Scan has been used, systems are vulnerable. This follows the release of another exploit, RoguePlanet, which allows local privilege escalation in Microsoft Defender. GreatXML is the second BitLocker bypass from Chaotic Eclipse.
2026-06-11 | The Register: Microsoft's worst 'Nightmare' unleashes BitLocker bypass 0-day
A new zero-day vulnerability, GreatXML, has been released by Nightmare Eclipse, allowing a BitLocker bypass on systems that have run a Microsoft Defender Offline scan. This exploit can provide unrestricted access to the BitLocker volume. Microsoft is investigating the claims but has not yet issued a patch. Security expert Will Dormann has raised concerns about the exploit's reproducibility, noting that administrative access is required to trigger the Defender Offline scan necessary for the exploit to work.
2026-06-12 | CSO Online: GreatXML zero-day BitLocker bypass doesn’t seem to work, yet
A zero-day vulnerability related to BitLocker has been identified, allowing potential bypass of encryption under specific conditions. If a Defender offline scan was previously initiated, the system remains vulnerable without login credentials. The exploit involves copying two files to the unencrypted WinRE partition, enabling access to the BitLocker volume. The researcher, Nightmare Eclipse, notes that if executed correctly, this method grants unrestricted access to the encrypted drive.
Cybercriminals claim breach of Oracle PeopleSoft servers at 100-plus organizations
Date: 2026-06-10 | Source: TechCrunch
Cybercrime group ShinyHunters claimed to have breached Oracle PeopleSoft servers at over 100 organizations, primarily universities. The hackers exfiltrated sensitive data, including student records with personal information. This incident highlights ShinyHunters' strategy of exploiting vulnerabilities in widely used software for mass hacks. The group's initial target was an FBI PeopleSoft server, aiming to deny involvement in recent swatting attempts, but that attempt was unsuccessful. Oracle has not commented on the breach.
2026-06-11 | Times Now: Hackers Target Oracle PeopleSoft, Claim Data Theft Across 100 Firms
Hackers have targeted Oracle PeopleSoft, claiming data theft from over 100 firms. Cybersecurity researcher Michael R discovered multiple exposed online directories linked to the attacks, including staging materials and a credential spray script. Organizations using Oracle PeopleSoft are advised to check logs for connections from specific IP addresses: 142.11.200.186, 142.11.200.187, 142.11.200.188, 142.11.200.189, 142.11.200.190, 108.174.202.99, and 176.120.22.24. Any findings should prompt immediate reporting and server isolation for investigation and security.
2026-06-11 | Help Net Security: Oracle PeopleSoft servers under attack, Oracle pushes out-of-band security alert
A zero-day vulnerability (CVE-2026-35273) in Oracle PeopleSoft PeopleTools is being actively exploited, allowing remote code execution without authentication. Affected versions include 8.61 and 8.62. Oracle issued an out-of-band security alert but has not confirmed if a patch is available. Concurrently, the extortion group ShinyHunters claims to have breached over 100 organizations, including the University of Nottingham, stealing personal and academic data of nearly half a million individuals.
2026-06-11 | Google Cloud: ShinyHunters Targets Education Sector with Oracle PeopleSoft Exploit
On June 9, 2026, ShinyHunters exploited vulnerabilities in the education sector, particularly targeting Oracle PeopleSoft configurations. They set up a staging environment using MeshCentral, installing agent binaries disguised as Microsoft Azure services. Over 100 organizations were notified, with many blocking the attack, but some suffered data breaches. The attackers conducted reconnaissance within compromised networks, mapping configurations and establishing a command and control server. Key operations included SSL certificate provisioning and reconnaissance activities.
2026-06-11 | The Register: ShinyHunters hacked 100+ orgs by exploiting an Oracle PeopleSoft 0-day
ShinyHunters claims to have exploited CVE-2026-35273, a critical Oracle PeopleSoft zero-day vulnerability, to hack over 100 organizations, including the University of Nottingham. They stole 40 GB of personal data and billing records from the university, which was publicly confirmed after the data was leaked due to the institution's refusal to pay a ransom. The vulnerability has a CVSS score of 9.8, allowing remote, unauthenticated access. Oracle issued a security alert, but it is unclear if a patch has been released.
2026-06-11 | Hack Read: ShinyHunters Leak 40GB of University of Nottingham Student Data
The University of Nottingham suffered a data breach by the ShinyHunters hacking group, exposing over 40GB of student data, including contact details, student IDs, course information, and National Insurance numbers. The breach affected current students and alumni from its China and Malaysia campuses. Following the attack on June 9, the university took systems offline and launched an investigation with Action Fraud and the Information Commissioner’s Office. The hackers published the stolen data on their dark web site, including sensitive financial information.
2026-06-11 | TechCrunch: Oracle warns of security bug that hackers abused to breach 100+ companies
Oracle has identified a critical vulnerability in its PeopleSoft software, exploited by the hacking group ShinyHunters to breach over 100 organizations, primarily in higher education. The flaw, a zero-day, allows exploitation without authentication. Mandiant confirmed that some compromised data includes extensive student records. Oracle has not yet issued a patch but recommends mitigations for affected customers. The ShinyHunters group has a history of targeting organizations with similar vulnerabilities.
2026-06-11 | The Hacker News: ShinyHunters Exploits Oracle PeopleSoft Zero-Day (CVE-2026-35273) to Breach Universities
The ShinyHunters extortion group exploited Oracle PeopleSoft's zero-day vulnerability (CVE-2026-35273) to breach university systems, stealing sensitive data and demanding ransom. The flaw, rated 9.8/10, allows remote code execution without user interaction. The campaign occurred between May 27 and June 9, with the University of Nottingham confirmed as a victim. Oracle advises disabling the Environment Management Hub service and blocking external access to mitigate risks. Mandiant notified over 100 organizations, primarily in higher education.
2026-06-12 | Cyber Security News: Oracle PeopleSoft 0-Day RCE Vulnerability Exploited in Attacks by ShinyHunters
A critical warning has been issued regarding an active compromise-and-extortion campaign targeting Oracle PeopleSoft infrastructure, attributed to the threat actor ShinyHunters. Exploiting CVE-2026-35273, a zero-day RCE vulnerability, attacks occurred between May 27 and June 9, 2026, affecting versions 8.61 and 8.62. The University of Nottingham reported 40 GB of stolen data. Organizations are urged to apply Oracle's emergency advisory and ensure all Critical Patch Updates are implemented promptly.
2026-06-12 | Times Now: Explained: How ShinyHunters Hacked Over 100 Organisations Using An Oracle Bug
ShinyHunters exploited an Oracle vulnerability to hack over 100 organizations, using a zero-day exploit before Oracle had publicly disclosed the flaw. This indicates that the attackers were able to leverage the software vulnerability before the vendor was aware of it, highlighting the risks associated with undisclosed security flaws.
2026-06-12 | CSO Online: Oracle PeopleSoft zero‑day fuels ShinyHunters extortion spree
A zero-day vulnerability in Oracle PeopleSoft was exploited by ShinyHunters between May 27 and June 9, leading to data breaches at various organizations, primarily in the higher education sector. Google Cloud's threat intelligence team notified over 100 potentially affected organizations, with 68% in higher education. Compromised data, including over 40 GB of sensitive billing, payment records, and student finance data, was published on ShinyHunters' Data Leak Site on June 9.
2026-06-12 | Security Affairs: Oracle PeopleSoft RCE Flaw Used as Zero-Day in Ongoing ShinyHunters Campaign
ShinyHunters exploited a critical zero-day vulnerability (CVE-2026-35273, CVSS 9.8) in Oracle PeopleSoft's Environment Management component, affecting over 100 organizations, primarily universities, from May 27 to June 9, 2026. The flaw allows remote code execution without authentication. Mandiant's analysis revealed attackers used exposed infrastructure to deploy MeshCentral agents for lateral movement and data exfiltration. Immediate recommendations include isolating the Environment Management Hub service and blocking sensitive endpoints to mitigate risks.
2026-06-12 | DIGIT: University of Nottingham Data Breached by ShinyHunters
The University of Nottingham experienced a data breach attributed to the ransomware group ShinyHunters, which claimed to have stolen approximately 40 GB of student data, including personal payment details. The university is collaborating with government and regulatory bodies to address the incident and has contacted affected students and alumni. The breach reportedly involved data from campuses in England, Malaysia, and China, with 455,000 email addresses and extensive personal information leaked online.
2026-06-12 | TechRadar: Oracle warns customers of critical PeopleSoft attack after hundreds of servers hacked by apparent ShinyHunters data theft attacks
Oracle has warned customers about a critical attack on PeopleSoft servers, attributed to the ShinyHunters group, which exploited vulnerability CVE-2026-35273. This flaw affects versions 8.61 and 8.62, allowing for remote code execution without authentication. Over 100 organizations, primarily in higher education, have been compromised. Oracle advises immediate patch application following their June 10 advisory. Google’s Mandiant tracked this zero-day vulnerability and alerted affected organizations to check for suspicious activity.
2026-06-12 | Rapid7: Active Exploitation of Oracle PeopleSoft Zero-Day (CVE-2026-35273)
On June 10, 2026, Oracle issued a security alert for CVE-2026-35273, a critical SSRF vulnerability in PeopleSoft Enterprise PeopleTools, with a CVSS score of 9.8. Exploitation was observed from May 27 to June 9, 2026, attributed to the ShinyHunters group, primarily targeting higher education institutions. Organizations should urgently apply the patch, disable the EMHub service, block access to specific endpoints, and monitor outbound SMB traffic. Indicators of compromise and further mitigation guidance are provided.
2026-06-12 | Hack Read: ShinyHunters Target Universities in Oracle PeopleSoft Zero-Day Attack
A cyberattack by the group ShinyHunters targeted over 100 organizations, primarily universities, exploiting a zero-day vulnerability (CVE-2026-35273) in Oracle PeopleSoft software between May 27 and June 9, 2026. The University of Nottingham was notably affected, with 450,000 students' personal data leaked. The attackers used remote code execution techniques and credential spraying to gain access and exfiltrate data. Oracle issued a security advisory on June 10, urging immediate remediation actions.
2026-06-12 | Cybersecurity Dive: ShinyHunters linked to exploitation of critical flaw in Oracle PeopleSoft
A zero-day vulnerability (CVE-2026-35273) in Oracle PeopleSoft has been exploited by the ShinyHunters threat group, affecting over 100 organizations, primarily in the U.S., including the University of Nottingham, which reported significant data compromise. The flaw, with a severity score of 9.8, allows remote code execution without authentication. Mandiant recommends disabling the Environment Management Hub and monitoring outbound traffic to mitigate risks. Stolen data has been posted on a ShinyHunters leak site.
2026-06-12 | Cyberscoop: ShinyHunters is actively extorting universities after exploiting an unpatched Oracle flaw
ShinyHunters is exploiting an unpatched Oracle PeopleSoft zero-day vulnerability (CVE-2026-35273) to extort over 100 organizations, primarily in higher education. The University of Nottingham confirmed a significant data breach. Mandiant reported the attacks began on May 27, with Oracle disclosing the flaw and recommending mitigation steps but not providing a patch. Google alerted organizations of potential vulnerabilities, while ShinyHunters continues active extortion efforts.
2026-06-12 | Ars Technica: PeopleSoft 0-day affecting hundreds of organizations steals gigabytes of data
A critical vulnerability (CVE-2026-35273) in Oracle's PeopleSoft software, rated 9.8, has been exploited by the ShinyHunters ransomware group for over two weeks, targeting around 100 organizations, primarily in higher education. The University of Nottingham confirmed a significant data breach, with gigabytes of student data stolen. Oracle has issued a temporary mitigation but has not fully patched the flaw. Victims are reportedly receiving extortion demands from the attackers.
2026-06-13 | Security Affairs: U.S. CISA adds Oracle PeopleSoft Enterprise PeopleTools flaw to its Known Exploited Vulnerabilities catalog
U.S. CISA added Oracle PeopleSoft Enterprise PeopleTools flaw CVE-2026-35273 (CVSS 9.8) to its Known Exploited Vulnerabilities catalog. This remote code execution vulnerability requires no authentication and can be exploited via network access. Mandiant reported an active ShinyHunters campaign exploiting this flaw from May 27 to June 9, 2026, affecting over 100 organizations, primarily universities. Immediate recommendations include disabling the Environment Management Hub service and blocking external access. Federal agencies must address this by June 15, 2026.
2026-06-14 | Help Net Security: Week in review: Exploited Check Point VPN zero-day, Oracle PeopleSoft servers under attack
CISA confirmed that a zero-day vulnerability (CVE-2026-50751) in Check Point VPN is being exploited by a Qilin ransomware affiliate. Additionally, a command injection vulnerability (CVE-2026-42271) in BerryAI's LiteLLM is under active attack. CISA also warned about a DoS vulnerability (CVE-2026-28318) in SolarWinds Serv-U and urged federal agencies to address it by June 19, 2026. Oracle issued an alert for a zero-day vulnerability (CVE-2026-35273) in PeopleSoft being exploited in the wild.
2026-06-15 | The Hacker News: ⚡ Weekly Recap: Chrome 0-Day, UniFi Exploits, macOS Stealers, VPN Flaw and More
Google patched a high-severity Chrome 0-day (CVE-2026-11645, CVSS 8.8) under active exploitation. The ShinyHunters gang exploited an Oracle PeopleSoft zero-day (CVE-2026-35273, CVSS 9.8) for data exfiltration, targeting higher education. Check Point reported exploitation of a critical VPN flaw (CVE-2026-50751, CVSS 9.3). A campaign compromised Arch Linux packages to deploy a credential-harvesting rootkit. Additionally, a phishing-as-a-service operation was taken down, linked to $1.9 billion in losses.
2026-06-15 | The Register: Council of Europe hacked in ShinyHunters' PeopleSoft heist
ShinyHunters has breached the Council of Europe, stealing over 297 GB of data by exploiting a zero-day vulnerability in Oracle PeopleSoft (CVE-2026-35273). The stolen files include HR records, payslips, and sensitive employee information. The Council is investigating the incident. ShinyHunters has compromised over 100 organizations, including the University of Nottingham, and has been linked to malicious activity from May 27 to June 9, affecting many US-based entities, particularly in higher education.
China-Linked JDY Botnet Expands to 1,500+ Devices for Cyber Reconnaissance
Date: 2026-06-10 | Source: The Hacker News
Cybersecurity researchers report the JDY botnet, linked to Chinese state-sponsored actors, has expanded to over 1,500 compromised SOHO and IoT devices, up from 650 in January 2024. The botnet conducts targeted reconnaissance and service fingerprinting, leveraging newly disclosed vulnerabilities (e.g., CVE-2026-35616) to facilitate scanning. Its architecture uses Tor for command-and-control operations, enabling evasion of traditional defenses. JDY's growth highlights the resilience of such networks despite prior takedowns.
2026-06-11 | The Register: Chinese agents caught rebuilding botnets and stirring the pot on AI datacenter debate
Chinese operatives are reportedly rebuilding botnets, including the Volt Typhoon, to exploit vulnerabilities in US networks. The FBI previously dismantled the KV-botnet, but the JDY cluster remains active with over 1,500 compromised devices. Lumen’s Black Lotus Labs warns of targeted reconnaissance against US military sectors. Additionally, OpenAI banned ChatGPT accounts linked to China for generating content to influence public opinion on AI datacenters and US tech policies, while the DOJ seized 13 fake consulting websites used to recruit individuals for sensitive information.
2026-06-11 | Security Affairs: JDY Botnet Evolves After KV Takedown, Targets Military Networks
The JDY botnet, linked to Chinese state-sponsored groups, has evolved post-KV takedown, targeting U.S. military networks. It comprises over 1,500 SOHO and IoT devices, scanning for vulnerabilities and mapping services. JDY uses Tor for command-and-control, ensuring stealth. Following the disclosure of CVE-2026-35616, it rapidly scanned for unpatched Fortinet devices, indicating a focus on reconnaissance rather than direct attacks. This evolution highlights the persistence of cyber threats despite takedowns.
2026-06-11 | Cyber Security News: China-Linked JDY Botnet Uses 1,500+ SOHO and IoT Devices for Rapid Vulnerability Exploitation
A resurgence of the JDY botnet, linked to China, now controls over 1,500 SOHO and IoT devices globally, primarily targeting U.S. military networks. It scans for vulnerabilities, notably exploiting CVE-2026-35616 within hours of disclosure. The botnet operates through a command-and-control server via Tor, making detection difficult. Security teams are advised to follow CISA guidelines, regularly reboot devices, apply patches promptly, and consider Secure Access Service Edge solutions to mitigate risks.
2026-06-11 | CSO Online: China-linked recon botnet outpaces enterprise defenses
Lumen reported that a China-linked botnet, associated with nation-state actors like Volt Typhoon, poses significant challenges for enterprise security. Many edge systems lack traditional endpoint monitoring, allowing adversaries to exploit vulnerabilities rapidly. The JDY botnet's distributed infrastructure can bypass geofencing and IP defenses, appearing as legitimate traffic. IDC's Sakshi Grover noted that reliance on geofencing and static blocklists is ineffective against such botnets, highlighting a visibility gap in monitoring edge devices.
GitHub pulls pin on npm's auto-run scripts
Date: 2026-06-10 | Source: The Register
GitHub will modify npm's defaults in version 12, set for July, to prevent automatic execution of install-time scripts, a common attack vector exploited by malware like the Shai-Hulud worm. Key changes include disabling script execution unless explicitly allowed, turning off the --allow-git flag, and blocking remote dependency downloads by default. Developers are advised to review their packages and set necessary permissions. While these changes enhance security, concerns remain about malware potentially shifting to module code.
2026-06-11 | CSO Online: GitHub finally pulls the plug on automatic install script execution for npm
GitHub has disabled automatic execution of install scripts for npm, with the default setting for allowScripts now being off. This change prevents the execution of preinstall, install, or postinstall scripts from dependencies unless explicitly allowed. While analysts commend the move for reducing supply chain attack exposure, they caution that it does not eliminate risks, as attackers may shift to other methods such as malicious package code, compromised accounts, and dependency confusion.
2026-06-11 | The Hacker News: GitHub to Disable npm Install Scripts by Default to Stop Supply Chain Attacks
GitHub will disable npm install scripts by default in version 12 to mitigate supply chain attacks. This change prevents automatic execution of scripts from dependencies, requiring explicit user approval. Key updates include blocking preinstall, install, and postinstall scripts, as well as Git and remote URL dependencies unless allowed. Developers are advised to upgrade to npm 11.16.0 or newer, review warnings, and approve trusted scripts to maintain functionality. The release is scheduled for next month.
2026-06-11 | Cyber Security News: GitHub to Automate Disable npm Script Installs to Block Supply Chain Attacks
GitHub will implement significant security changes in npm v12, set for July 2026, to mitigate supply chain attack risks. Automatic execution of installation scripts will be disabled by default, requiring explicit approval from developers. This includes blocking implicit behaviors and external dependencies unless permitted. Developers can preview blocked scripts and manage trusted packages through new commands. These changes aim to enhance security in open-source software development and necessitate adjustments in CI/CD practices.
2026-06-12 | Infosecurity Magazine: GitHub to Update npm to Thwart Software Supply Chain Attacks
GitHub's npm announced version 12, set for July 2026, to enhance security against software supply chain attacks. Key changes include blocking automatic execution of install scripts, disallowing Git dependencies from custom URLs, and forbidding sourcing from external URLs by default. Developers are encouraged to upgrade to version 11.16.0 for warnings and use the npm approve-scripts command for auditing. Experts caution that while these measures improve security, they may lead attackers to target private repositories and create friction for developers.
Justice Department, FBI Disable 13 Websites Backed by Suspected Chinese Agents That Sought Sensitive U.S. Information from Security Clearance Holders
Date: 2026-06-10 | Source: US Department of Justice
Thirteen domains targeting U.S. security clearance holders were seized by the FBI, revealing a scheme by suspected Chinese agents to recruit Americans for sensitive information. The fake consulting sites offered vague job postings and pressured candidates to share confidential data. Methods included AI-generated content, aliases, and international money transfers. The domains seized include centrikglobalconsulting.com and rightinfoconsult.com. The FBI warns against suspicious job offers and encourages reporting to authorities.
2026-06-10 | Hack Read: FBI Seizes China-Linked Fake Consulting Sites Targeting US Clearance Holders
US Federal authorities seized 13 domains linked to a suspected Chinese intelligence operation targeting US clearance holders. The sites posed as consulting firms, offering vague roles to recruit individuals with access to sensitive information. The operation, which began in November 2023, utilized fake websites, job ads, and social media. It involved bribery, identity theft, and money laundering. Payments were funneled from overseas accounts, and the domains displayed an FBI notice post-seizure.
2026-06-11 | Help Net Security: FBI seizes 13 websites linked to alleged Chinese intelligence-gathering effort
Federal authorities seized 13 domains linked to a Chinese intelligence-gathering operation targeting U.S. government employees with security clearances. The websites posed as consulting firms offering jobs, using social media for recruitment. The operation began in November 2023, involving fake identities and encrypted communications. Recruits were pressured to provide insider information for substantial payments. The FBI issued notices on the seized domains, urging vigilance against suspicious job offers.
2026-06-11 | Times Now: FBI Seizes 13 Websites Behind Fake Consulting Job Scam
The FBI seized 13 websites involved in a fake consulting job scam, displaying warnings that the domains were taken over as part of law enforcement action. The agency advises job seekers to verify the legitimacy of organizations before submitting detailed applications.
CVE-2026-10520, CVE-2026-10523 - Multiple critical vulnerabilities affecting Ivanti Sentry
Date: 2026-06-10 | Source: Rapid7
On June 9, 2026, Ivanti disclosed two critical vulnerabilities in Ivanti Sentry: CVE-2026-10520 (OS command injection, CVSS 10.0) and CVE-2026-10523 (authentication bypass, CVSS 9.9). Both allow remote unauthenticated attackers to execute commands and gain administrative access. A public PoC for CVE-2026-10520 was released, increasing exploitation risk. Affected versions include Ivanti Sentry 10.7.0 and below. Updates are available in versions 10.7.1, 10.6.2, and 10.5.2. Rapid7 recommends urgent remediation.
2026-06-10 | The Register: Ivanti tells Sentry customers to patch now as critical bugs hit 10.0 and 9.9
Ivanti has disclosed two critical vulnerabilities in its Sentry product, rated CVSS 10.0 and 9.9. CVE-2026-10520 allows remote, unauthenticated RCE with root privileges, rated 10.0, stemming from an exposed API in Apache Tomcat. CVE-2026-10523, rated 9.9, enables remote attackers to create admin accounts. Customers are urged to upgrade to versions 10.5.2, 10.6.2, or 10.7.1 to mitigate these risks. No known exploits have been reported yet.
2026-06-10 | Help Net Security: Critical Ivanti Sentry flaw allows root-level remote code execution (CVE-2026-10520)
Ivanti has patched two critical vulnerabilities in Ivanti Sentry (CVE-2026-10520 and CVE-2026-10523) and urged immediate implementation of the fixes. CVE-2026-10520 allows remote unauthenticated users to achieve root-level remote code execution, while CVE-2026-10523 enables the creation of admin accounts. Affected versions include 10.5.1, 10.6.1, and 10.7.0, with fixes in 10.5.2, 10.6.2, and 10.7.1. A script is available to check for vulnerabilities.
2026-06-10 | CSO Online: Ivanti patches critical Sentry flaws that lead to full device takeover
Ivanti has released patches for critical vulnerabilities in Ivanti Sentry, specifically CVE-2026-10520, a command injection flaw allowing remote code execution with root privileges, rated CVSS 10. The vulnerabilities were reported through Ivanti's responsible disclosure program, with no known public exploitation. Security firm watchTowr has analyzed CVE-2026-10520, providing a Python script for organizations to test their systems for vulnerability. Ivanti Sentry secures traffic between mobile devices and enterprise servers.
2026-06-11 | Cyber Security News: Ivanti Command Injection Vulnerability Exploited in Attacks Following PoC Release
Threat actors are exploiting a critical command injection vulnerability in Ivanti Sentry (CVE-2026-10520) with a CVSS score of 10.0, allowing remote code execution. Following the public release of a proof-of-concept exploit, at least 19 vulnerable instances were identified, with two confirmed backdoored. Ivanti has released patched versions (10.5.2, 10.6.2, 10.7.1) and urges immediate upgrades. Organizations are advised to conduct compromise assessments and implement incident response actions due to confirmed backdoors.
2026-06-11 | Security Affairs: CVE-2026-10520 Exploited: Ivanti Sentry Gateways Compromised Shortly After Patch Release
Attackers are exploiting the critical CVE-2026-10520 flaw in Ivanti Sentry, allowing remote code execution with root privileges. This OS command injection vulnerability affects versions prior to R10.5.2, R10.6.2, and R10.7.1. Shadowserver researchers found multiple internet-exposed gateways compromised shortly after patches were released. Ivanti has not confirmed active exploitation, but the vulnerability poses significant risks as it allows attackers to gain internal network access.
2026-06-12 | Security Affairs: U.S. CISA adds Ivanti Sentry flaw to its Known Exploited Vulnerabilities catalog and urges patching by June 14
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added the Ivanti Sentry flaw (CVE-2026-10520, CVSS 10.0) to its Known Exploited Vulnerabilities catalog, urging patching by June 14, 2026. This OS command injection vulnerability allows remote code execution with root privileges. Despite Ivanti's initial report of no active attacks, researchers found many exposed Sentry gateways had been backdoored. CISA mandates federal agencies to address this vulnerability, and experts advise private organizations to do the same.
ServiceNow Flaw Exploited to Gain Unauthorized Access to Customer Instances
Date: 2026-06-10 | Source: The Hacker News
On June 5, 2026, ServiceNow issued a security update addressing a flaw that allowed unauthorized access to customer instances. The vulnerability, which does not have a CVE identifier, affected customers on the Australia platform release or those with specific configuration changes on earlier releases. ServiceNow detected anomalous activity and notified impacted customers. A Reddit user claimed the vulnerability was reported to ServiceNow on April 7, 2026, but was initially deemed non-urgent.
2026-06-10 | TechRadar: ServiceNow reveals security issue affecting customer data, but won't reveal much on what actually happened
ServiceNow addressed a security issue on June 5, 2026, involving an API flaw that allowed unauthenticated attackers to query customer instance tables, primarily affecting customers on the Australia platform release or older versions with custom configurations. While the specific data accessed was not disclosed, sensitive information could have been at risk. Admins are advised to review logs for requests from IP 51.159.98.241 and ensure API logging is enabled. Affected customers have been notified.
2026-06-10 | TechCrunch: ServiceNow tells customers a bug left some of their data exposed to the internet
ServiceNow notified customers of a software bug that exposed data to the internet, allowing unauthenticated users to access sensitive information. The issue was patched on June 5, but the extent of the data accessed remains unclear. The vulnerability primarily affected Australian customer instances, though reports suggest external access may have occurred elsewhere. An IP address, 51.159.98.241, has been flagged as a potential indicator of compromise. ServiceNow has not disclosed the number of affected customers or the duration of the exposure.
2026-06-10 | Hack Read: ServiceNow Discloses Security Incident Exposing Customer Data
ServiceNow applied a security update on June 5, 2026, addressing an unauthenticated access issue affecting hosted customer instances. The vulnerability, linked to an API endpoint configuration, allowed unauthorized access to certain data. Evidence of successful queries was observed, but specific data accessed remains unconfirmed. Affected customers are being notified, and IT teams are advised to review logs and sensitive records. ServiceNow is still assessing the need for a CVE publication.
2026-06-10 | Cyber Security News: ServiceNow Confirms Vulnerability Allowing Unauthorized Access to Customer Instance Tables
ServiceNow has confirmed a vulnerability allowing unauthorized access to customer instance tables due to improper access controls. This flaw could enable attackers to execute queries on sensitive data, including user records and incident logs. ServiceNow has deployed security updates to mitigate the issue. Organizations are advised to apply patches, review access controls, monitor logs for unusual activity, and conduct audits. The vulnerability highlights risks in SaaS platforms and the need for strict access management.
2026-06-11 | CSO Online: ServiceNow fixes API issue after reports of suspicious tenant activity
ServiceNow addressed a vulnerability in an unauthenticated API endpoint that allowed access to tenant data without authentication under specific conditions. Reported through the bug bounty program in April, security updates were issued on June 5 for hosted customers (KB3067321) and guidance for self-hosted deployments (KB3067372). The flaw could expose sensitive information, including IT service requests and employee data, posing significant risks to enterprises.
New Windows Defender 0-Day Exploit “RoguePlanet” Grants SYSTEM Access to Attackers
Date: 2026-06-10 | Source: Cyber Security News
A new proof-of-concept exploit named RoguePlanet has been released, targeting a race condition vulnerability in Microsoft Windows Defender, allowing attackers to gain SYSTEM-level access. Confirmed to work on fully patched Windows 10 and 11, it exploits a Time-of-Check to Time-of-Use (TOCTOU) flaw. This is part of a series of Defender-related exploits disclosed by the researcher Nightmare Eclipse. Organizations are advised to watch for emergency patches, as similar tools have been actively exploited.
2026-06-10 | The Hacker News: Microsoft Defender RoguePlanet Zero-Day Grants SYSTEM Access on Updated Windows
A proof-of-concept exploit for a Microsoft Defender zero-day, named RoguePlanet, has been released by the researcher Chaotic Eclipse. The exploit, which is a race condition, can grant SYSTEM-level privileges on updated Windows 10 and 11 machines. It does not currently work on Windows Server. The researcher criticized Microsoft's handling of vulnerability disclosures, claiming retaliation for uncoordinated disclosures. Microsoft condemned public disclosures, stating they pose unnecessary risks to customers.
2026-06-10 | Security Affairs: Chaotic Eclipse Unveils RoguePlanet Exploit Targeting Fully Patched Windows
Chaotic Eclipse released a proof-of-concept exploit for the RoguePlanet zero-day vulnerability in Microsoft Defender, which can grant SYSTEM privileges on fully patched Windows 10 and 11 systems. The exploit relies on a race condition and was tested against the June 2026 Patch Tuesday updates. The researcher claims additional memory corruption vulnerabilities exist in Defender. Microsoft criticized the public disclosure of these vulnerabilities, stating it puts customers at risk and emphasizes the importance of coordinated vulnerability disclosure.
2026-06-10 | CSO Online: Microsoft feud escalates as researcher drops new Windows zero-day
A new Windows zero-day exploit, named "MSNightmare," has been released by a researcher, targeting a race condition in Microsoft Defender that could grant SYSTEM-level privileges on updated Windows systems. This follows Microsoft's June 2026 Patch Tuesday, which addressed over 200 security flaws. The exploit requires users to open a ".vhd(x)" file from a remote SMB server. Previous disclosures from the researcher have led to real-world attacks, prompting warnings from Microsoft and security vendors.
2026-06-10 | The Register: Angry bug hunter with Microsoft beef drops new Windows 0-day
A new zero-day vulnerability, RoguePlanet, has been disclosed by Nightmare Eclipse, targeting Microsoft Defender on fully patched Windows 10 and 11 systems. This flaw allows local privilege escalation to SYSTEM-level control. Nightmare, claiming to be a former Microsoft employee, has released proof-of-concept exploit code following frustrations with Microsoft’s communication regarding previous vulnerabilities. Microsoft is investigating the claims and has patched six prior zero-days disclosed by Nightmare.
2026-06-10 | TechRadar: This Microsoft Defender zero-day could give hackers unprecedented access to your system
A new zero-day vulnerability named "RoguePlanet" has been disclosed by the researcher Chaotic Eclipse, allowing attackers to gain SYSTEM privileges on fully patched Windows 10 and 11 devices. This race condition exploit was revealed shortly after Microsoft's June Patch Tuesday update. ThreatLocker confirmed the exploit's viability and recommended application allowlisting as a protective measure. This marks the seventh zero-day disclosure from Chaotic Eclipse amid ongoing disputes with Microsoft regarding vulnerability handling.
Microsoft Patch Tuesday June 2026 – 198 Vulnerabilities Fixed, Including 3 Zero-days
Date: 2026-06-09 | Source: Cyber Security News
Microsoft's June 2026 Patch Tuesday, released on June 9, addresses 198 vulnerabilities, including three zero-days: CVE-2026-50507 (BitLocker bypass), CVE-2026-49160 (HTTP.sys DoS), and CVE-2026-45586. Critical RCE vulnerabilities include multiple CVEs in Remote Desktop Client and Windows Hyper-V. Administrators are urged to prioritize these updates, especially for BitLocker and HTTP.sys, and to implement network segmentation if immediate patching is not feasible.
2026-06-09 | Rapid7: Patch Tuesday - June 2026
Microsoft's June 2026 Patch Tuesday addresses 200 vulnerabilities, with no known exploitation in the wild. Notably, six vulnerabilities were disclosed by researcher Nightmare Eclipse, including elevation of privilege flaws in Defender. Microsoft has patched several CVEs but two remain unaddressed. Additionally, new denial-of-service vulnerabilities affecting HTTP/2 and HTTP/3 standards have emerged, with CVE-2026-49975 allowing trivial attacks on web servers. PowerToys also has a local elevation of privilege vulnerability (CVE-2026-42902) fixed in a prior update.
2026-06-09 | Cisco Talos: Microsoft Patch Tuesday for June 2026 — Snort rules and prominent vulnerabilities
Microsoft's June 2026 Patch Tuesday addresses 206 vulnerabilities, including 32 marked as "critical." Key vulnerabilities include CVE-2026-42985 (RCE in Remote Desktop Client), CVE-2026-47291 (RCE in HTTP Protocol Stack), and CVE-2026-44803 (RCE in Windows Graphics). Talos highlights additional vulnerabilities across various Microsoft products, with recommendations for users to update their systems. Snort rules have been released to detect exploitation attempts for several vulnerabilities.
2026-06-09 | Krebs on Security: A Record-Breaking Patch Tuesday for June 2026
Microsoft's June 2026 Patch Tuesday addressed nearly 200 security vulnerabilities, including three critical zero-day flaws: CVE-2026-49160 (denial of service in IIS), CVE-2026-45586 (elevation of privilege in Windows Collaborative Translation Framework), and CVE-2026-50507 (BitLocker elevation of privilege). The month also saw a spike in browser vulnerabilities, with 360 patches issued. Microsoft faced backlash over its handling of security researchers and dealt with a Shai-Hulud worm infection in its code repositories.
2026-06-09 | The Register: AI is making Patch Tuesday (kinda) fun again
Microsoft's June Patch Tuesday addressed 206 CVEs, including 38 critical vulnerabilities. Notably, CVE-2026-49160 is an HTTP.sys denial of service flaw, while CVE-2026-50507 allows bypassing BitLocker encryption. CVE-2026-45657 and CVE-2026-47291 are critical RCE vulnerabilities rated 9.8, with the latter posing severe risks to HTTP traffic processing services. Recommendations include quick patch deployment and registry adjustments to mitigate risks.
2026-06-09 | Security Affairs: Microsoft Releases Record-Breaking Patch Tuesday With 208 CVEs
Microsoft's June 2026 Patch Tuesday addresses a record 208 CVEs, including one actively exploited zero-day (CVE-2026-41091) and multiple critical RCE vulnerabilities (CVE-2026-45657, CVE-2026-47291, CVE-2026-44815), all with CVSS scores of 9.8. The updates affect various Microsoft products, including Windows and Office. Notably, ten Secure Boot patches address serious vulnerabilities. Sysadmins are advised to prioritize testing and deployment due to the high volume of updates. Next patch day is July 14.
2026-06-10 | Cyber Security News: Windows BitLocker 0-Day Vulnerability Allows Attackers to Bypass Security Feature
Microsoft disclosed a Windows BitLocker Security Feature Bypass vulnerability (CVE-2026-50507) on June 9, 2026. The flaw allows unauthorized attackers with physical access to bypass BitLocker encryption, affecting various Windows versions. It has a CVSS score of 6.8 and requires no privileges or user interaction. Microsoft released patches for affected systems and recommends enforcing multi-factor configurations and revisiting physical security measures. Exploitation is deemed likely due to existing proof-of-concept code.
2026-06-10 | Infosecurity Magazine: Microsoft Fixes 200 CVEs in June Patch Tuesday
Microsoft's June Patch Tuesday addressed 200 vulnerabilities, including three zero-days: CVE-2026-49160 (HTTP/2 Bomb), a DoS vulnerability; CVE-2026-50507, a BitLocker bypass allowing access to encrypted data; and CVE-2026-45586, an EoP flaw in Windows CTFMON. The updates included 33 critical CVEs, with EoP vulnerabilities being the most prevalent. System administrators are advised to prioritize these patches to mitigate risks of data exposure and system compromise.
2026-06-10 | Hack Read: Microsoft June 2026 Patch Tuesday Fixes 206 Flaws and 3 Zero-Days
Microsoft's June 2026 Patch Tuesday addresses 206 vulnerabilities, including three zero-days: CVE-2026-49160 (DoS in HTTP.sys), CVE-2026-45586 (privilege escalation in CTFMON), and CVE-2026-50507 (BitLocker bypass). Critical flaws include CVE-2026-45657 (use-after-free) and CVE-2026-47291 (integer overflow). Recommendations emphasize immediate patching of identity controllers and internet-facing servers to mitigate risks. Security experts highlight the urgency due to the high volume of vulnerabilities and active exploitation.
2026-06-10 | The Hacker News: Microsoft Patches Record 206 Flaws, Including Three Zero-Days and Critical RCE Bugs
Microsoft released patches for a record 206 vulnerabilities, including three zero-days and 39 critical flaws. Key vulnerabilities include CVE-2026-45657 (RCE, CVSS 9.8), CVE-2026-47291 (RCE, CVSS 9.8), and CVE-2026-44815 (buffer overflow, CVSS 9.8). Notably, CVE-2026-45585 is a BitLocker bypass. The increase in patches is attributed to AI-assisted vulnerability discovery. Microsoft advises prioritizing updates for systems handling DHCP traffic due to the high risk of network-based exploitation.
2026-06-10 | Help Net Security: Record Microsoft Patch Tuesday, fresh zero-day
Microsoft's largest-ever Patch Tuesday addressed nearly 200 vulnerabilities, including critical ones like CVE-2026-42897 (Exchange Server) and CVE-2026-45586 (Windows CTFMON). A new zero-day, "RoguePlanet," exploits a Windows Defender race condition for privilege escalation. Other notable vulnerabilities include CVE-2026-49160 (HTTP.sys) and CVE-2026-50507 (BitLocker bypass). Experts emphasize the need for rapid patch deployment due to AI-driven exploit development, raising concerns about patch quality and prioritization.
2026-06-10 | TechRadar: Microsoft breaks Patch Tuesday record with fixes for over 200 security flaws
Microsoft's June 2026 Patch Tuesday release addresses nearly 200 vulnerabilities, marking its largest update to date. Key issues include GreenPlasma (CVE-2026-45586), a high-severity elevation-of-privilege flaw, and YellowKey (CVE-2026-45585), a medium-severity BitLocker bypass. Both were disclosed by Chaotic Eclipse without coordination, prompting Microsoft to consider legal action. The update reflects a trend of increasing patch volumes driven by AI in vulnerability discovery.
2026-06-10 | Malwarebytes Labs: Microsoft’s biggest-ever Patch Tuesday fixes 206 bugs, including 3 zero-days
Microsoft's October Patch Tuesday addresses 206 vulnerabilities, the largest release to date. It includes three zero-day vulnerabilities: CVE-2026-50507 (BitLocker, CVSS 6.8) allows bypassing encryption with physical access; CVE-2026-49160 (HTTP.sys, CVSS 7.5) enables remote denial-of-service attacks; and CVE-2026-45586 (CTFMON, CVSS 7.8) allows elevation of privileges. Users are advised to update their systems via Windows Update to mitigate these risks.
2026-06-10 | Recorded Future: Microsoft ships largest Patch Tuesday on record, with one bug under active attack
Microsoft's June Patch Tuesday released fixes for over 200 security flaws, marking the largest monthly release in its history. Key vulnerabilities include CVE-2026-45657, rated 9.8, which could allow remote control of machines, and CVE-2026-41091, rated 7.8, affecting Microsoft Defender and actively exploited. Three zero-day flaws were also disclosed, including a BitLocker bypass (CVE-2026-50507). The surge in vulnerabilities is attributed to AI-driven discovery, with organizations urged to apply patches promptly.
2026-06-10 | CSO Online: June Patch Tuesday marks a ‘new normal’ with over 200 CVEs, 32 rated ‘critical’
Microsoft's June Patch Tuesday addressed over 200 CVEs, with 32 rated as 'critical.' The company anticipates a continued rise in vulnerabilities, influenced by AI tools enhancing vulnerability discovery. Senior Software Engineer Nirwan Dogra noted that this CVE count is the new baseline, with AI uncovering flaws in complex components like hypervisor code. He advised organizations to adopt risk-based vulnerability prioritization and automated patching pipelines, and to focus on exploitable flaws to adapt to this new norm.
2026-06-10 | Cyber Security News: Windows Collaborative Translation Framework 0-Day Vulnerability Allows Privilege Escalation
A zero-day vulnerability in the Windows Collaborative Translation Framework (CTFMON), tracked as CVE-2026-45586, allows local attackers to escalate privileges to SYSTEM. Classified as CWE-59, it enables exploitation through unsafe link following. Microsoft rated it "Important" with a CVSS score of 7.8. Patches are available for various Windows versions, including Windows 10 and 11, and Windows Server. Until patched, monitoring CTFMON activity and abnormal processes is recommended.
Anthropic’s new model is Mythos on a leash
Date: 2026-06-09 | Source: Cyberscoop
Anthropic has released a modified version of its AI model, Claude Mythos, named Fable 5, with enhanced safety measures to mitigate risks in cybersecurity and bioweapons research. The model will draw cybersecurity responses from the earlier Claude Opus 4.8, which has shown capabilities in identifying vulnerabilities. Fable 5's safeguards aim to prevent misuse, although concerns remain about potential circumvention by adversaries. User data will be retained for 30 days, aligning with government frameworks for AI safety.
2026-06-09 | Wired: Anthropic Offers Mythos Upgrade for Cyber Partners and a ‘Safe’ Version for the Rest of You
Anthropic released two AI models, Claude Fable 5 and Claude Mythos 5, with enhanced capabilities. Mythos 5 is limited to select industry partners due to concerns over potential misuse for hacking. Fable 5, publicly released, includes "guardrails" to prevent cybersecurity-related queries, rerouting them to an older model. Anthropic is collaborating with the US government and aims to refine its protective mechanisms over time. The launch emphasizes the need for robust safeguards against misuse of AI in cybersecurity.
2026-06-09 | CSO Online: Anthropic releases Mythos-class Fable 5 model with safeguards for cyber risks
Anthropic has released the Mythos-class Fable 5 model, aiming to provide advanced intelligence while mitigating cyber risks. Initially restricted to 50 users due to concerns over vulnerability discovery and offensive cybersecurity, access has now expanded to 150 organizations. Safeguards route cybersecurity-related queries to the less capable Claude Opus 4.8 in under 5% of sessions. However, early tests by SANS Institute suggest these safeguards may broadly classify requests, potentially impacting routine cybersecurity tasks.
2026-06-10 | Cyber Security News: Anthropic Released Claude Fable 5, the First Model in Mythos Class
Anthropic has launched Claude Fable 5, the first model in its Mythos class, designed with built-in cybersecurity safeguards. This model excels in discovering and exploiting software vulnerabilities and features a fallback mechanism for risky prompts, routing them to a less capable model. Internal evaluations indicate robust defenses against offensive tasks, with no universal jailbreaks found in extensive testing. Additionally, Claude Mythos 5 is available to select cyber defenders through Project Glasswing, emphasizing strong cybersecurity capabilities.
2026-06-10 | The Hacker News: Anthropic Releases Claude Fable 5, Its Most Powerful AI Yet, With Cyber Safeguards
On June 9, Anthropic launched Claude Fable 5, its most advanced AI model, alongside Claude Mythos 5, which has elevated cybersecurity capabilities restricted to vetted users. Fable 5 includes classifiers to prevent misuse, routing flagged requests to a less capable model. Internal tests showed it effectively blocked harmful cyberattack planning. Anthropic also introduced a 30-day data retention policy for traffic on these models to enhance security. The company aims to expand access to Mythos 5 while addressing the rapid discovery and exploitation of vulnerabilities.
2026-06-10 | DIGIT: Anthropic to Release Claude Mythos to the Public
Anthropic has publicly released Claude Mythos, an advanced AI cybersecurity model, despite previous concerns about its power. The model can identify hidden vulnerabilities, leading to over 10,000 critical security flaws discovered by preview users. While it offers opportunities for firms to enhance security, it also poses risks of exploitation by threat actors. Access was granted to around 150 organizations, but many UK banks were blocked. The release raises questions about the necessity and risks for general public access.
2026-06-10 | Help Net Security: Anthropic’s Claude Fable 5 is out for public use, with safeguards for high-risk requests
Anthropic released Claude Fable 5, a Mythos-class AI model with safeguards for high-risk cybersecurity requests. These safeguards route flagged requests to Claude Opus 4.8, activating in under 5% of sessions. The model aims to assist both cybersecurity professionals and potential malicious actors. Industry experts predict a rise in disclosed vulnerabilities due to increased AI-assisted software development. Additionally, Claude Mythos 5 is available for select cyber defenders through Project Glasswing, expanding from 50 to 200 partners. Pricing is set at $10 per million input tokens.
2026-06-10 | TechCrunch: Cybersecurity researchers aren’t happy about the guardrails on Anthropic’s Fable
Anthropic's new AI model, Fable, has faced criticism from cybersecurity researchers for its restrictive guardrails, which block requests related to cybersecurity topics, even benign ones like code reviews. This limitation aims to prevent misuse in developing malware. While the model is designed to revert to Claude Opus 4.8 when guardrails are triggered, experts argue that the keyword-based system is overly broad. Anthropic's Cyber Verification Program offers approved professionals fewer restrictions for cybersecurity tasks.
CISA is rethinking how it prioritizes risks and vulnerabilities for feds, private sector
Date: 2026-06-09 | Source: Cyberscoop
CISA plans to revise its approach to prioritizing risks and vulnerabilities for federal agencies and critical infrastructure, focusing on the risk associated with each vulnerability rather than simply applying patches. Acting Director Nick Andersen emphasized the need for a more granular understanding of critical assets and their importance. The agency aims to hire 329 personnel to enhance operational capabilities and is preparing to implement the Cyber Incident Reporting for Critical Infrastructure Act of 2022, requiring major incident reporting within 72 hours.
2026-06-09 | Recorded Future: CISA to transform how it assesses cyber vulnerabilities and risks, Andersen says
The Cybersecurity and Infrastructure Security Agency (CISA) is set to revamp its approach to assessing cyber vulnerabilities, prioritizing certain threats to enhance effectiveness. A new directive will guide federal agencies in vulnerability management, focusing on risk rather than merely patching. CISA aims to engage critical infrastructure entities more deeply and plans to hire over 300 staff to bolster its capabilities. The initiative seeks to ensure essential services remain operational during cyber incidents.
2026-06-10 | Cyberscoop: CISA directive orders agencies to prioritize vulnerability patching in a new way
CISA has issued a directive mandating federal agencies to prioritize vulnerability patching based on four criteria: exposure of assets, automation of exploitation, potential for system takeover, and evidence of active exploitation. Agencies must remediate vulnerabilities within specified timelines, with immediate updates to vulnerability management policies. The directive reflects concerns over AI's impact on vulnerability discovery and weaponization. CISA encourages the private sector to adopt similar practices.
2026-06-10 | Recorded Future: CISA to require federal agencies to patch some cyber vulnerabilities within 3 days
CISA has issued a directive requiring federal civilian agencies to patch certain cyber vulnerabilities within three days, focusing on those exposed to the internet, listed in the KEV catalog, automatable, or allowing adversarial control. Agencies have 180 days to comply. Vulnerabilities meeting three of four criteria must be patched within 72 hours, while others have up to two weeks. CISA emphasizes the need for rapid response due to AI advancements and offers support for agencies in implementing these changes.
2026-06-10 | CSO Online: CISA tells agencies to patch smarter, not harder — foreshadowing broader industry practice
The US Cybersecurity and Infrastructure Security Agency (CISA) issued Binding Operational Directive 26-04, emphasizing the need for smarter patching strategies in response to the increasing volume of vulnerabilities exacerbated by AI advancements. CISA officials highlighted the importance of prioritizing at-risk assets, as threat actors can exploit vulnerabilities rapidly. The directive reflects over a decade of insights from federal vulnerability management and aims to help organizations adapt their remediation efforts effectively.
2026-06-10 | Wired: CISA Tells US Agencies to Fix Security Bugs in as Little as 3 Days Thanks to AI Threats
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued a directive mandating federal agencies to patch critical vulnerabilities within three days, driven by the rapid discovery and exploitation capabilities of AI. The directive prioritizes vulnerabilities based on exposure, inclusion in CISA's Known Exploited Vulnerabilities Catalog, automation potential for exploitation, and access gained if exploited. This replaces previous timelines of 15 and 30 days. Experts emphasize the need for architectural changes alongside patching efforts.
2026-06-11 | Infosecurity Magazine: CISA Orders Agencies to Patch by Risk, Not Severity
US federal agencies must adopt a risk-based approach to vulnerability management, as directed by CISA's Binding Operational Directive 26-04 issued on June 10. Agencies are to prioritize patching based on risk factors rather than CVSS severity scores, focusing on asset exposure, KEV status, exploit automation, and technical impact. Agencies have 180 days to comply. Experts express concerns about execution and the need for thorough risk assessments amidst budget cuts to CISA.
2026-06-11 | Help Net Security: CISA orders federal agencies to “patch smarter”
CISA has issued Binding Operational Directive 26-04 to enhance vulnerability management for federal agencies, focusing on risk-based decisions for patching. Agencies must prioritize vulnerabilities based on factors like internet exposure and exploitability. High-risk vulnerabilities require remediation within three days. The directive emphasizes perimeter vulnerabilities, while internal network issues are addressed through configuration hardening and MFA. Experts recommend considering dynamic EPSS scores and global CVE data for patching urgency. CISA plans ongoing updates to the directive.
2026-06-11 | Cyber Security News: CISA Requires Federal Agencies to Patch Critical Vulnerabilities Within 3 Days
CISA's Binding Operational Directive (BOD) 26-04 mandates federal agencies to patch critical vulnerabilities within three days, effective June 10, 2026. This directive shifts to a risk-based approach, assessing vulnerabilities based on exposure, KEV status, exploit automation, and technical impact. Agencies must update policies immediately, align processes within 60 days, and fully comply within 180 days. The directive addresses the rising threat of AI in cyberattacks and aims to reduce critical vulnerabilities in federal systems.
2026-06-12 | Risky.Biz: Risky Bulletin: In the age of AI, CISA changes federal patching rules
The US Cybersecurity and Infrastructure Security Agency (CISA) has updated federal patching rules, prioritizing vulnerabilities based on risk due to AI-automated attacks. New deadlines can be as short as three days for critical vulnerabilities. Agencies can extend deadlines if systems are disconnected from the internet. This directive aims to streamline patching processes amid ongoing challenges, including a lack of leadership and issues with the NIST NVD vulnerability database.
2026-06-15 | SC Magazine: Why CISA's 3-day patching mandate misses the point
CISA's new 72-hour patching mandate for critical vulnerabilities is criticized for being disconnected from the realities of government IT environments, which often include legacy systems requiring thorough testing. This rush could lead to catastrophic failures rather than enhanced security. The article advocates for a shift towards preemptive cyber defense strategies that focus on preventing exploitation rather than merely speeding up patching, as current mandates reinforce a reactive security culture that favors attackers.
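The summaries above describe the BOD 26-04 triage factors (exposure, KEV status, exploit automation, access gained) and the expert suggestion to fold in EPSS. The following Python is an added example, not CISA's tooling or anything published with the directive: it ranks a small constructed fleet by those factors and shows a CVSS 9.8 internal finding landing below a CVSS 7.8 internet-facing one. The 3-day deadline for the top tier is the directive's; the factor weights, the 15/30-day lower tiers (reusing the old timelines), the EPSS threshold, the placeholder CVE ids and all scores are assumptions.

```python
"""Risk-based vulnerability triage along the lines of BOD 26-04.

Added example, not CISA's tooling. Ranks findings by the four factors the
directive names (exposure, KEV status, exploit automation, access gained)
instead of CVSS. EPSS stands in for "exploit automation", as the experts
quoted in the coverage suggest. The 3-day deadline for the top tier is the
directive's; the weights, the 15/30-day lower tiers and all sample data are
assumptions.
"""
from dataclasses import dataclass

# Constructed sample data: placeholder CVE ids, not real catalog or EPSS entries.
KEV_CATALOG = {"CVE-2026-10001", "CVE-2026-10002"}
EPSS_SCORES = {"CVE-2026-10001": 0.92, "CVE-2026-10002": 0.35,
               "CVE-2026-10003": 0.71, "CVE-2026-10004": 0.02}
# CVSS base scores are carried along only to show they do not drive the order.
CVSS_BASE = {"CVE-2026-10001": 7.8, "CVE-2026-10002": 9.8,
             "CVE-2026-10003": 8.8, "CVE-2026-10004": 7.5}

# "Access gained if exploited", bucketed. Weights are this example's assumption.
IMPACT_WEIGHT = {"auth_bypass": 3, "rce": 3, "privesc": 2, "info": 1, "dos": 0}
EPSS_AUTOMATION_THRESHOLD = 0.5  # assumption: above this, treat exploitation as automatable


@dataclass(frozen=True)
class Finding:
    cve: str
    asset: str
    internet_exposed: bool  # exposure factor
    impact: str             # key into IMPACT_WEIGHT


def risk_score(f, kev=KEV_CATALOG, epss=EPSS_SCORES):
    """Return (score, reasons) from the four BOD 26-04 factors."""
    score, reasons = 0, []
    if f.internet_exposed:
        score += 3
        reasons.append("internet-exposed")
    if f.cve in kev:
        score += 3
        reasons.append("listed in KEV")
    p = epss.get(f.cve, 0.0)
    if p >= EPSS_AUTOMATION_THRESHOLD:
        score += 2
        reasons.append(f"EPSS {p:.2f} >= {EPSS_AUTOMATION_THRESHOLD}")
    score += IMPACT_WEIGHT.get(f.impact, 0)
    reasons.append(f"impact={f.impact}")
    return score, reasons


def remediation_deadline_days(f, kev=KEV_CATALOG, epss=EPSS_SCORES):
    """3 days for high-risk (directive); 15/30 for lower tiers (assumed, the old timelines).

    A finding on a system that is not internet-exposed never lands in the 3-day
    tier, mirroring the extension the coverage describes for disconnected systems.
    """
    score, _ = risk_score(f, kev, epss)
    if f.internet_exposed and score >= 8:
        return 3
    if score >= 6:
        return 15
    return 30


def prioritize(findings, kev=KEV_CATALOG, epss=EPSS_SCORES):
    """Return rows sorted by deadline, then by descending risk score."""
    rows = []
    for f in findings:
        score, reasons = risk_score(f, kev, epss)
        rows.append({"cve": f.cve, "asset": f.asset, "cvss": CVSS_BASE.get(f.cve),
                     "score": score, "deadline_days": remediation_deadline_days(f, kev, epss),
                     "reasons": reasons})
    return sorted(rows, key=lambda r: (r["deadline_days"], -r["score"]))


# Constructed findings for a small fleet.
SAMPLE_FINDINGS = [
    Finding("CVE-2026-10001", "vpn-gw-01", True, "auth_bypass"),  # CVSS 7.8, exposed, in KEV
    Finding("CVE-2026-10002", "hr-db-01", False, "rce"),          # CVSS 9.8, internal, in KEV
    Finding("CVE-2026-10003", "web-01", True, "rce"),             # CVSS 8.8, exposed, not in KEV
    Finding("CVE-2026-10004", "lab-box-07", False, "dos"),        # CVSS 7.5, internal, low EPSS
]

if __name__ == "__main__":
    for r in prioritize(SAMPLE_FINDINGS):
        print(f"{r['deadline_days']:>2}d  {r['cve']}  {r['asset']:<11} cvss={r['cvss']}  "
              f"score={r['score']:<2} {'; '.join(r['reasons'])}")
```

The point of carrying CVSS_BASE alongside the score is the one the directive makes: the internal database with the 9.8 gets 15 days, the exposed gateway with the 7.8 gets 3. In a real pipeline the KEV set comes from CISA's published JSON feed, EPSS from FIRST's daily CSV, and exposure from an asset inventory; the scoring weights should be written down in the agency's policy so a deadline can be traced back to the factors that produced it.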
France probes compromise of gov messaging platform after account hijack
Date: 2026-06-09 | Source: The Register
French authorities are investigating a breach of the Tchap encrypted messaging service after an account hijack on June 7. While officials claim only public chat rooms were accessed, an alleged hacker asserts they accessed over 73,000 user accounts and 643,000 messages through social engineering. The French Digital Affairs Directorate is reviewing logs to assess the extent of the breach and has notified the data protection watchdog, CNIL, about potential personal information exposure.
France probes compromise of gov messaging platform after account hijack
2026-06-09 | Help Net Security: French government messaging platform breached through account hijacking
French authorities are investigating a breach of Tchap, their secure messaging platform, after hackers hijacked a user account on June 7. The Interministerial Directorate for Digital Affairs (DINUM) confirmed that the compromised account was blocked to prevent further access. While officials stated the breach was limited to public chat rooms, an alleged hacker claimed to have accessed 73,467 accounts and 643,459 messages. DINUM has notified the CNIL regarding potential personal data exposure.
2026-06-10 | Security Affairs: France’s Government Messaging App Tchap Got Breached
On June 7, 2026, France's government messaging app Tchap was breached after a single user account was compromised through social engineering. The attacker accessed nearly 650,000 messages and data from over 73,000 accounts, including email addresses and device metadata. DINUM confirmed that while public chat content was exposed, private messages remained encrypted. The incident prompted notifications to France's data protection authority and reminders to users about the risks of sharing sensitive information in public chats.
2026-06-10 | TechRadar: French government internal messaging tool Tchap hit by data breach — but it doesn't know if any data was compromised
The French government messaging app Tchap was breached, allegedly resulting in the exfiltration of 13.5GB of data, including 73,467 user accounts and over 640,000 messages. The attacker, known as “misere,” claimed to have used social engineering to access the data. While private chats are encrypted, public rooms are not. The incident is under investigation by ANSSI and DINUM. The breach raises concerns about state-targeted espionage, particularly following warnings from intelligence agencies regarding similar threats.
Attackers exploiting unpatched Cisco SD-WAN flaw
Date: 2026-06-08 | Source: CSO Online
A cyberespionage threat actor, tracked by Cisco Talos as UAT-8616, is exploiting an unpatched authentication bypass vulnerability in Cisco SD-WAN. Reported by Google’s Mandiant, the flaw allows attackers to upload crafted files, enabling command injection and privilege escalation to root. Cisco advises upgrading to the latest version to mitigate risks from previous exploits and recommends checking edge device configurations, as exploitation has led to unauthorized changes. A patch is not yet available.
Attackers exploiting unpatched Cisco SD-WAN flaw
2026-06-09 | Cyberscoop: Cisco customers encounter another SD-WAN zero-day under attack
Cisco has disclosed a zero-day vulnerability, CVE-2026-20245, in its SD-WAN management software, marking the seventh such vulnerability this year. Active exploitation was first noted earlier this month, but no patch or workarounds are available. The flaw lets an authenticated attacker inject commands that execute as root. Cisco recommends upgrading to the fixed software released in May as a protective measure against related vulnerabilities. The Cybersecurity and Infrastructure Security Agency has cataloged seven other Cisco vulnerabilities this year.
2026-06-10 | Security Affairs: U.S. CISA adds Cisco Catalyst SD-WAN, Arista Extensible Operating System (EOS), and Google Chromium V8 flaws to its Known Exploited Vulnerabilities catalog
U.S. CISA added three vulnerabilities to its Known Exploited Vulnerabilities catalog: 1. CVE-2026-7473 (Arista EOS, CVSS 6.9), an incomplete comparison vulnerability affecting tunnel decapsulation that can lead to traffic misrouting. 2. CVE-2026-11645 (Google Chromium V8), an out-of-bounds memory access risking denial of service and remote code execution; the fifth Chrome zero-day of 2026. 3. CVE-2026-20245 (Cisco Catalyst SD-WAN, CVSS 7.1), a privilege escalation flaw allowing arbitrary command execution; no patch available. Federal agencies must address these by June 23, 2026.
2026-06-10 | Cybersecurity Dive: CISA, researchers warn of escalating attacks using Cisco Catalyst SD-WAN flaws
CISA added the zero-day flaw CVE-2026-20245 in Cisco Catalyst SD-WAN to its Known Exploited Vulnerabilities catalog. This vulnerability, with a severity score of 7.8, allows attackers to execute arbitrary commands as root. Cisco reported limited exploitation cases for configuration changes. Attackers need network administrator privileges and may exploit CVE-2026-20182 (severity 10) for access. CISA warns of ongoing exploitation of Cisco SD-WAN vulnerabilities and advises customers to upgrade to the fixed software from May.
2026-06-10 | The Hacker News: CISA Adds Cisco, Chrome, and Arista Flaws to KEV Catalog Amid Active Exploitation
CISA added three vulnerabilities to its Known Exploited Vulnerabilities catalog due to active exploitation: 1. CVE-2026-20245 (Cisco Catalyst SD-WAN Manager, CVSS 7.8) allows command execution by local attackers. 2. CVE-2026-11645 (Google Chrome V8, CVSS 8.8) enables remote code execution via crafted HTML. 3. CVE-2026-7473 (Arista EOS, CVSS 6.9) affects tunnel traffic processing; no patch planned. Mitigations include applying ACLs. FCEB agencies must implement fixes by June 23, 2026.
New Linux Kernel Vulnerability Lets Attackers Escalate Privileges to Root
Date: 2026-06-08 | Source: Cyber Security News
A use-after-free vulnerability in the Linux kernel's nftables subsystem, tracked as CVE-2026-23111, allows unprivileged local attackers to escalate privileges to root on Debian Bookworm, Debian Trixie, Ubuntu 22.04 LTS, and Ubuntu 24.04 LTS. Discovered in early 2025 and patched on February 5, 2026, the exploit manipulates nftables transaction batches to trigger the use-after-free. Administrators should apply the upstream kernel patch or update to a patched kernel release. A related bug, CVE-2026-23278, was also identified.
New Linux Kernel Vulnerability Lets Attackers Escalate Privileges to Root
2026-06-08 | The Hacker News: One-Character Linux Kernel Flaw Enables Local Root Access, Exploits Now Public
A Linux kernel flaw, CVE-2026-23111, allows unprivileged local users to escalate to root via a use-after-free vulnerability in nf_tables. Patched on February 5, 2026, the exploit was detailed by Exodus Intelligence on June 8, following an earlier reproduction by FuzzingLabs in April. Ubuntu rates the flaw CVSS 7.8. The vulnerability requires unprivileged user namespaces and affects various distributions, including Debian and Ubuntu. Users are advised to update their kernels and reboot.
2026-06-09 | Security Affairs: CVE-2026-23111: Linux nf_tables Flaw Enables Root Exploits
CVE-2026-23111 is a Linux kernel nf_tables vulnerability allowing local users to gain root privileges via a use-after-free condition caused by a logic error. Discovered by Oliver Sieber in early 2025, it was patched on February 5, 2026, by removing a single character from the code. The exploit requires unprivileged user namespaces and is present in multiple distributions, including Debian and Ubuntu. Users are advised to update their kernels and reboot to mitigate the risk.
2026-06-09 | Ars Technica: High-severity vulnerability in Linux caused by a single faulty character
A high-severity vulnerability in Linux, tracked as CVE-2026-23111, allows untrusted users to escalate privileges to root due to a single errant character in the nf_tables subsystem. This use-after-free vulnerability corrupts memory, enabling exploitation by unprivileged users to elevate system rights. The flaw disrupts the deletion of verdicts within the nf_tables framework, which manages firewall rules and utilizes catchall elements for unmatched lookups.
2026-06-09 | TechRadar: A single character could be enough to let hackers crack your Linux kernel
A logic-inversion bug in the Linux kernel, tracked as CVE-2026-23111, allows local privilege escalation, potentially leading to full device takeover. Discovered by Oliver Sieber in early 2025, it affects major distributions including Debian, Ubuntu, and RHEL. The vulnerability has a severity score of 7.8/10. Fixes have been rolled out unevenly, with Ubuntu and Debian addressing it, while Red Hat, SUSE, and Amazon Linux have not yet provided patches.
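Several of the summaries above note that the CVE-2026-23111 exploit requires unprivileged user namespaces, and that some distributions have not shipped a fixed kernel yet. The following Python is an added example, not from any of the advisories: it reads the sysctls that govern unprivileged user namespace creation (the `/proc/sys` paths are the real Debian/Ubuntu ones, but which knobs exist varies by kernel) and reports whether the exploit's pre-condition is met, with an optional `unshare -U` probe as a cross-check. The decision logic is this example's own.

```python
"""Is an unprivileged local user able to create user namespaces on this host?

Added example, not from any of the advisories. The coverage says the
CVE-2026-23111 exploit requires unprivileged user namespaces, so until a
patched kernel is booted this is the pre-condition to check. The sysctl paths
are the real ones on Debian/Ubuntu kernels; the decision logic is this example's.
"""
import os
import subprocess

SYSCTL_PATHS = {
    # upstream: 0 blocks new user namespaces for every user
    "max_user_namespaces": "/proc/sys/user/max_user_namespaces",
    # Debian kernel patch; absent on vanilla and most Ubuntu kernels
    "unprivileged_userns_clone": "/proc/sys/kernel/unprivileged_userns_clone",
    # Ubuntu 23.10+: 1 = only AppArmor-profiled programs may create user namespaces
    "apparmor_restrict_unprivileged_userns": "/proc/sys/kernel/apparmor_restrict_unprivileged_userns",
}


def read_sysctls(paths=SYSCTL_PATHS):
    """Read each knob as int; None means the knob does not exist on this kernel."""
    values = {}
    for name, path in paths.items():
        try:
            with open(path) as fh:
                values[name] = int(fh.read().strip())
        except (OSError, ValueError):
            values[name] = None
    return values


def userns_exposure(values):
    """Decide from sysctl values whether the exploit pre-condition is met.

    Returns (exposed, reason). Any one restriction is enough to close it.
    """
    if values.get("max_user_namespaces") == 0:
        return False, "user.max_user_namespaces=0: user namespace creation disabled for all users"
    if values.get("unprivileged_userns_clone") == 0:
        return False, "kernel.unprivileged_userns_clone=0 (Debian): unprivileged creation disabled"
    if values.get("apparmor_restrict_unprivileged_userns") == 1:
        return False, ("kernel.apparmor_restrict_unprivileged_userns=1 (Ubuntu): "
                       "unconfined unprivileged processes are denied")
    return True, "unprivileged user namespaces are available: CVE-2026-23111 pre-condition met"


def probe_userns():
    """Empirical cross-check: run `unshare -U true` as the current user.

    Only meaningful when run unprivileged (root always succeeds).
    Returns True/False, or None if util-linux unshare is not installed.
    """
    try:
        r = subprocess.run(["unshare", "-U", "true"], capture_output=True, timeout=5)
    except (FileNotFoundError, subprocess.TimeoutExpired):
        return None
    return r.returncode == 0


if __name__ == "__main__":
    exposed, why = userns_exposure(read_sysctls())
    print(f"kernel {os.uname().release}: {why}")
    print(f"unshare -U probe: {probe_userns()}")
    if exposed:
        print("Reboot into a patched kernel; the sysctls above only narrow the window.")
```

Two caveats a practitioner would want: turning these knobs off breaks software that legitimately relies on user namespaces (browser sandboxes, rootless containers), and the AppArmor restriction still lets profiled programs create namespaces, so it narrows rather than removes the pre-condition. The only fix is the patched kernel plus a reboot, as the advisories say.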
Stop Children From Taking and Sharing Nudes, UK Prime Minister Tells Tech Companies
Date: 2026-06-08 | Source: CNET
British Prime Minister Keir Starmer urged tech companies in the UK to implement, within three months, device controls that prevent children from taking, sending, and receiving nude images, threatening legal action if they do not comply. This initiative aims to combat online child sexual abuse and protect minors from exploitation. The UK's National Crime Agency supports these measures, while some critics argue they may lead to excessive ID checks for all users.
Stop Children From Taking and Sharing Nudes, UK Prime Minister Tells Tech Companies
2026-06-09 | The Register: Signal says UK plan to scan devices for nude images 'endangers us all'
Signal criticized the UK government's plan to mandate device scanning for nude images of children, claiming it poses risks to privacy and could lead to state surveillance. The proposal, announced by PM Keir Starmer, aims to block nudity by default on devices, requiring age verification for adults to remove the block. Signal argues this approach undermines trust in encrypted communications and could expand to censor other content. The company advocates for alternative child safety measures, emphasizing the dangers of such surveillance infrastructure.
2026-06-10 | CSO Online: UK move to filter photos and messages triggers encryption worries for CISOs
Concerns have arisen regarding the UK government's plan to filter photos and messages, particularly its implications for encryption. Analysts suggest that while on-device processing could preserve encryption, many users rely on older hardware that may not handle the additional load, leading to performance issues. Flavio Villanustre, CISO at LexisNexis, argues that on-device scanning is impractical and would render most devices unusable, necessitating a shift to cloud processing, which raises encryption concerns.
2026-06-11 | Malwarebytes Labs: Children’s phones must block nude images by September, UK says
The UK government has mandated Apple and Google to implement device-level protections against nude images on smartphones and tablets by September, or face legislation and potential criminal charges for executives. Current features from both companies are deemed insufficient as they do not cover all apps. Privacy advocates express concerns over age verification and data collection risks. Parents are advised to activate existing safety features and educate children about online risks and secure account practices.
AI brands as bait: How threat actors are using the AI hype in social engineering
Date: 2026-06-08 | Source: Microsoft Security
Threat actors are exploiting the AI hype for social engineering, using brands like ChatGPT and Claude to lure victims into phishing and malware campaigns. Microsoft observed a ChatGPT-themed phishing attack on May 5, 2026, targeting South Africa, with 4,500 emails aimed at credential theft. Another campaign impersonated Claude from April 20-22, 2026, affecting over 2,000 organizations. Malvertising campaigns, including one for an "Awesome AI Windows Plugin," delivered Vidar Stealer. Microsoft recommends enhanced security measures to mitigate these threats.
AI brands as bait: How threat actors are using the AI hype in social engineering
2026-06-09 | Cyber Security News: Threat Actors Abuse ChatGPT, Claude, and DeepSeek Brands as Phishing Lures to Steal Credentials
Cybercriminals are exploiting popular AI tools like ChatGPT, Claude, and DeepSeek in phishing campaigns to steal credentials. Microsoft Threat Intelligence reported that these attacks, identified in early 2026, use social engineering tactics to lure victims through legitimate services. For instance, a ChatGPT-themed email sent 4,500 messages in May 2026, while a Claude campaign reached over 2,000 organizations. Recommendations include enabling multi-factor authentication and verifying communications through official websites.
2026-06-09 | CSO Online: Security shifts to the human layer as AI scams surge
Google's Fraud & Scams Advisory highlights the rise of AI-driven scams, including Adversary-in-the-Middle and QR-code phishing attacks, alongside the misuse of trusted cloud services. Microsoft notes that AI-themed lures are evolving from opportunistic attacks to persistent social engineering tactics, utilizing urgency-driven messaging and trusted branding. Campaigns include ChatGPT-themed emails and fake repositories distributing Vidar Stealer malware, indicating a significant shift in threat actor strategies.
2026-06-10 | Infosecurity Magazine: Fake Software Tutorials on TikTok Spread Vidar Stealer
Threat actors are using TikTok and Instagram Reels to promote the Vidar infostealer, disguised as tutorials for free software like Spotify Premium. Two campaigns exploit platform algorithms, with one video gaining over 100,000 views. The first campaign uses fake accounts to distribute a PowerShell command that downloads Vidar. The second campaign employs social engineering tactics to lure users into surveys before accessing downloads. ReversingLabs recommends auditing software privileges, updating phishing training, and encouraging reporting of suspicious content.
2026-06-10 | Malwarebytes Labs: Free Spotify Premium hacks on social media are spreading infostealers
Cybercriminals are using social media platforms like TikTok and Instagram Reels to spread malware disguised as offers for free Spotify Premium and other software. Researchers at ReversingLabs identified campaigns that trick users into executing harmful PowerShell commands, leading to the installation of the Vidar infostealer. This malware targets sensitive information, including passwords and 2FA data. Users are advised to download software only from official sites, be cautious of free offers, and verify file signatures to enhance security.
2026-06-10 | Security Magazine: Global Interest in AI Exploited as Social Engineering Lure
Cybercriminals are exploiting the hype around AI as a social engineering lure for phishing attacks, according to Microsoft Security. Attackers, identified as Storm 3075, use trusted AI names to disguise their activities, targeting credential theft and malware delivery. Notably, a fake GitHub repository mimicking DeepSeek's branding was created shortly after its new version announcement. Organizations should implement AI governance, monitor suspicious activities, and train employees on current AI-themed threats to mitigate risks.
2026-06-10 | Hack Read: Scammers Use TikTok and Instagram Reels to Spread Vidar Infostealer
Scammers are exploiting TikTok and Instagram Reels to distribute the Vidar infostealer by embedding malicious commands in tutorial-style videos. Users are misled into executing commands that download malware, often under the guise of accessing free premium applications. The videos leverage social media algorithms to gain visibility, with one video receiving over 109,000 views. Researchers advise against entering untrusted commands and recommend training staff to recognize such scams on social media.
2026-06-11 | Help Net Security: Fake Spotify Premium tutorials on TikTok and Instagram Reels spread malware
Cybercriminals are exploiting TikTok and Instagram Reels to distribute Vidar, an infostealer malware, through fake software tutorials. Two campaigns were identified: one used polished graphics to promote fake installation guides, while the other engaged users with claims of free premium software access. Both methods directed viewers to malicious download sites. Vidar collects sensitive information from infected devices. ReversingLabs provided indicators of compromise (IoCs) to aid in detection and defense against these threats.
2026-06-11 | DIGIT: Phishing Campaigns Using AI Brands As Lures
Threat actors are leveraging popular AI brands like ChatGPT and Claude in phishing campaigns, according to Microsoft’s Threat Intelligence group. These attacks involve impersonating AI services to lure victims into providing personal information or credentials. Examples include emails urging users to update payment methods with malicious links. Microsoft recommends mitigating these threats by enforcing multifactor authentication (MFA) and using authentication methods like passkeys.
2026-06-11 | TechRadar: Hackers are using TikTok videos offering 'free Spotify Premium' to spread malware and steal passwords
Hackers are exploiting TikTok and Instagram Reels to distribute malware under the guise of offering free subscriptions to services like Spotify Premium. A report from ReversingLabs highlights that these videos instruct users to run commands in tools like PowerShell, leading to the installation of Vidar, an infostealer that targets sensitive information. This shift from email phishing to social media-based attacks underscores the importance of basic security measures, such as multi-factor authentication and cautious downloading practices.
2026-06-12 | Cyber Security News: Hackers Use Free Spotify Premium Hacks on TikTok and Instagram to Spread Vidar Infostealer
Hackers are exploiting TikTok and Instagram to distribute the Vidar infostealer by promising free software like Spotify Premium. These polished videos mislead users into executing malicious PowerShell commands that install the malware, which collects sensitive data such as passwords and cryptocurrency wallet details. Vidar also disables Windows Defender, increasing vulnerability to future attacks. Experts advise downloading software only from official sources and being cautious with unfamiliar instructions.
North Korean Hackers Use Fake Coding Tasks to Steal Crypto
Date: 2026-06-08 | Source: Infosecurity Magazine
North Korean hackers, identified as UNK_DeadDrop, targeted software developers at nearly 100 organizations, primarily in the US tech, education, and finance sectors, using fake job offers and coding tasks to steal cryptocurrency and credentials. The campaign involved over 250 phishing emails in April and May 2026, leading to malicious repositories that executed hidden scripts upon opening. The malware scans for browser data, cryptocurrency wallets, and captures passwords to drain assets, with distinct payloads for macOS, Linux, and Windows.
North Korean Hackers Use Fake Coding Tasks to Steal Crypto
2026-06-08 | The Register: Norks blast 250+ fake job offers to developers over 6 weeks to try and snarf creds and crypto
A North Korean-linked phishing campaign, dubbed UNK_DeadDrop, targeted developers with over 250 fake job offers between April and May. The emails, appearing to come from legitimate companies, lured victims to malicious GitHub repositories. The malware, affecting macOS, Linux, and Windows, installs a malicious VS Code extension to steal credentials and cryptocurrency. The campaign reflects an evolution in tactics, moving from social media to email, indicating a more industrialized approach to phishing.
2026-06-09 | Cyber Security News: North Korea-Aligned Hackers Abuse GitHub Repositories to Infect Developers
North Korea-aligned hackers, tracked as UNK_DeadDrop, are targeting developers by embedding malware in fake GitHub repositories. Between April and May 2026, over 250 phishing emails were sent to nearly 100 organizations, primarily in finance, cryptocurrency, education, and technology. The malware, capable of running on macOS, Linux, and Windows, facilitates credential theft and cryptocurrency wallet draining. Security teams are advised to scrutinize developer repositories for hidden malicious files and restrict automatic task execution in VS Code.
2026-06-09 | TechRadar: North Korean hackers are at it again — phishing scheme targets hundreds of workers to try and steal crypto and more
North Korean hacking group UNK_DeadDrop is targeting software developers through a phishing campaign using unsolicited job offers and code review requests via email. This approach differs from the Lazarus group's tactics, which involved fake interviews and LinkedIn outreach. The attackers deploy a new self-contained payload to infect victims with infostealers, allowing them to exfiltrate crypto wallet information. Proofpoint researchers note this evolution indicates a maturation of North Korea-aligned operations for financial gain.
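The UNK_DeadDrop summaries above say the lure repositories ran hidden scripts when opened and recommend restricting automatic task execution in VS Code. The following Python is an added example, not Proofpoint's tooling: it scans a cloned repository for the VS Code mechanisms that can run code on folder open (a `tasks.json` entry with `"runOn": "folderOpen"`, workspace settings that redirect the terminal or interpreter, extension recommendations) and builds a constructed sample repo in a temp directory to run against. Which setting keys to flag is this example's choice.

```python
"""Scan a cloned repository for VS Code hooks that run code when the folder opens.

Added example, not Proofpoint's tooling. The coverage says the lure repos ran
hidden scripts on opening and recommends restricting automatic task execution,
so this checks the documented mechanisms: tasks.json entries with
runOptions.runOn = "folderOpen", workspace settings that redirect the terminal
or interpreter, and extension recommendations. The sample repo is constructed
in a temp dir; the key names flagged are this example's choice.
"""
import json
import pathlib
import re
import tempfile

# Workspace settings an untrusted repo should not be allowed to set silently.
FLAGGED_SETTING_PREFIXES = ("terminal.integrated.", "python.defaultInterpreterPath", "git.path")


def load_jsonc(path):
    """VS Code config files are JSON with comments and trailing commas; strip both.

    Approximate (does not track comment markers inside strings), good enough for triage.
    """
    if not path.is_file():
        return None
    text = path.read_text(encoding="utf-8", errors="replace")
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    text = re.sub(r"^\s*//.*$", "", text, flags=re.M)
    text = re.sub(r",(\s*[}\]])", r"\1", text)
    try:
        return json.loads(text)
    except json.JSONDecodeError:
        return None


def scan_repo(root):
    """Return a list of (kind, detail...) tuples; empty means nothing auto-runs on open."""
    vscode = pathlib.Path(root) / ".vscode"
    findings = []
    tasks = load_jsonc(vscode / "tasks.json") or {}
    for task in tasks.get("tasks", []):
        if (task.get("runOptions") or {}).get("runOn") == "folderOpen":
            findings.append(("auto_task", task.get("label"), task.get("command"), task.get("args", [])))
    settings = load_jsonc(vscode / "settings.json") or {}
    for key, value in settings.items():
        if key.startswith(FLAGGED_SETTING_PREFIXES):
            findings.append(("workspace_setting", key, value))
    extensions = load_jsonc(vscode / "extensions.json") or {}
    for ext in extensions.get("recommendations", []):
        findings.append(("recommended_extension", ext))
    return findings


def build_sample_repo():
    """Constructed repo mimicking a 'coding task' lure; returns its path."""
    root = pathlib.Path(tempfile.mkdtemp(prefix="sample-task-repo-"))
    (root / ".vscode").mkdir()
    (root / ".vscode" / "tasks.json").write_text(json.dumps({
        "version": "2.0.0",
        "tasks": [
            {"label": "build", "type": "shell", "command": "npm run build"},
            {"label": "setup", "type": "shell", "command": "node", "args": [".config/init.js"],
             "runOptions": {"runOn": "folderOpen"}, "presentation": {"reveal": "never"}},
        ]}))
    (root / ".vscode" / "settings.json").write_text(
        '// workspace settings\n{\n'
        '  "terminal.integrated.env.linux": {"NODE_OPTIONS": "--require ./.config/init.js"},\n'
        '  "editor.tabSize": 2,\n}\n')
    (root / ".vscode" / "extensions.json").write_text(json.dumps({"recommendations": ["example.task-helper"]}))
    return root


if __name__ == "__main__":
    for finding in scan_repo(build_sample_repo()):
        print(finding)
```

Run it before opening any unsolicited "take-home task" in the editor. It complements rather than replaces the editor-side controls: setting `task.allowAutomaticTasks` to `off` in user settings stops folder-open tasks entirely, and Workspace Trust (restricted mode) keeps an untrusted folder's tasks and many workspace settings from taking effect until you explicitly trust it.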
Chrome Patches 429 Vulnerabilities Including 22 Critical Ones – Update Now!
Date: 2026-06-08 | Source: Cyber Security News
Chrome 149.0.7827.x addresses 429 vulnerabilities, including 22 critical ones, across Windows, macOS, Linux, and iOS. Key issues include memory-safety defects in graphics and core components, with CVEs like CVE-2026-10881 and CVE-2026-10898 posing risks for remote code execution and privilege escalation. The update emphasizes the need for enterprises to prioritize deployment, enforce automatic updates, and prepare for potential exploitation of these vulnerabilities.
Chrome Patches 429 Vulnerabilities Including 22 Critical Ones – Update Now!
2026-06-09 | Times Now: Govt Warns Google Chrome Users Of Critical Security Risk: Update Browser Immediately
Multiple vulnerabilities in Google Chrome have been identified, including out-of-bounds write and read, use-after-free, heap buffer overflow, and more, affecting components such as GPU, V8, and WebRTC. These issues stem from insufficient validation of untrusted input and improper implementation in rendering and media components. A remote attacker could exploit them by tricking a user into opening a specially crafted web page or request. Users are urged to update their browsers immediately.
2026-06-09 | Infosecurity Magazine: Google Releases Patch for Chrome Vulnerability Exploited in the Wild
Google released an emergency update on June 8, 2026, to address 74 Chrome vulnerabilities, including CVE-2026-11645, a high-severity flaw exploited in the wild. This zero-day vulnerability affects V8 in Chrome versions prior to 149.0.7827.103, allowing remote code execution via a crafted HTML page. The researcher who reported it received $55,000. The update will roll out for Windows, Mac, and Linux users over the coming days/weeks. Access to detailed bug information may be restricted until most users are updated.
2026-06-09 | Security Affairs: Google fixes the fifth actively exploited Chrome zero-day of 2026
Google has addressed a new Chrome zero-day vulnerability, CVE-2026-11645, in the V8 JavaScript engine, which is actively exploited in the wild. This marks the fifth Chrome zero-day of 2026. The vulnerability involves out-of-bounds memory access, potentially leading to denial of service, privilege escalation, or remote code execution. Google has not disclosed specific attack details. Other zero-days fixed this year include CVE-2026-2441, CVE-2026-3909, CVE-2026-3910, and CVE-2026-5281.
2026-06-09 | Malwarebytes Labs: Update Chrome: Google patches actively exploited vulnerability and 73 others
Google has released Chrome version 149.0.7827.102/.103, addressing 74 vulnerabilities, including CVE-2026-11645, which is actively exploited. This vulnerability allows remote code execution via a crafted HTML page, affecting the V8 engine in Chrome. Users are advised to update manually or enable automatic updates to mitigate risks. The update also introduces new features, such as signing PDF forms without extensions.
2026-06-09 | Help Net Security: Google patches Chrome zero-day exploited in the wild (CVE-2026-11645)
Google has patched 74 vulnerabilities in Chrome, including a high-severity zero-day (CVE-2026-11645) exploited in the wild. This out-of-bounds read and write vulnerability in the V8 JavaScript engine allows remote code execution via a crafted HTML page. The fix is included in Chrome versions 149.0.7827.102/.103 for Windows and macOS, and 149.0.7827.102 for Linux. The vulnerability was reported on April 27, 2026, by an anonymous researcher who received a $55,000 bug bounty.
2026-06-09 | The Hacker News: Chrome V8 Zero-Day CVE-2026-11645 Exploited in the Wild - Patch Now
Google has released security updates addressing 74 vulnerabilities, including a high-severity zero-day, CVE-2026-11645 (CVSS score: 8.8), which is actively exploited. This out-of-bounds memory access flaw in Chrome's V8 engine allows remote code execution via a crafted HTML page. Discovered by a researcher on April 27, 2026, it has a $55,000 bug bounty. Users should update to Chrome versions 149.0.7827.102/.103 for Windows and macOS, and 149.0.7827.102 for Linux, and apply fixes for other Chromium-based browsers.
2026-06-09 | The Register: Chrome's zero-day Whac-A-Mole continues with fifth exploited bug of the year
Google has patched its fifth actively exploited Chrome zero-day of 2026, tracked as CVE-2026-11645, an out-of-bounds memory access bug in the V8 JavaScript engine. The vulnerability, reported on April 27, earned the finder a $55,000 bounty. The patch is available for Windows, macOS, and Linux. Google has withheld technical details to prevent further exploitation. Users are advised to restart the browser and install the update to mitigate risks.
2026-06-09 | TechRadar: Update Chrome now — Google patches new zero-day flaw already being exploited
Google has patched a high-severity vulnerability in Chrome (CVE-2026-11645) that allows remote code execution via crafted HTML on versions prior to 149.0.7827.103. The flaw, rated 8.8/10, could enable attackers to access sensitive information by exploiting users who open a malicious page. Patches are now available for Windows, Mac, and Linux. Users are urged to update immediately to mitigate potential risks. Google has not disclosed specific attack details but confirms the exploit is active in the wild.
2026-06-09 | Cyber Security News: Google Chrome 0-Day Vulnerability Exploited in the Wild — Update Now
Google released an emergency update for Chrome, patching a critical zero-day vulnerability (CVE-2026-11645) in the V8 JavaScript engine, which is actively exploited. The update addresses 74 vulnerabilities, including 17 critical ones. CVE-2026-11645 allows for out-of-bounds memory access, potentially leading to remote code execution. Users are urged to manually update to version 149.0.7827.102/.103 for Windows and Mac, and 149.0.7827.102 for Linux, due to the severity of the exploit.
2026-06-10 | Cyber Security News: CISA Warns of Google Chromium 0-Day Vulnerability Exploited in Attacks
CISA has issued a warning about a zero-day vulnerability in Google Chromium, tracked as CVE-2026-11645, affecting the V8 JavaScript engine. This flaw allows remote code execution via specially crafted HTML pages. It poses a significant risk as it can be exploited in various Chromium-based browsers, including Microsoft Edge and Opera. CISA has mandated remediation by June 23, 2026, and recommends immediate patching or discontinuation of affected products. Organizations should monitor browser activity and enforce strict patch management.
Qilin ransomware affiliate exploited Check Point VPN zero-day (CVE-2026-50751)
Date: 2026-06-08 | Source: Help Net Security
A Qilin ransomware affiliate is exploiting CVE-2026-50751, an authentication bypass vulnerability in Check Point VPN solutions, which affects configurations using the deprecated IKEv1 protocol. The first known attacks occurred in early May 2026, with suspicious activity noted on June 4, 2026. Check Point advises incident response teams to conduct forensic log audits and configuration reviews. Customers are urged to upgrade affected instances and avoid using IKEv1.
Qilin ransomware affiliate exploited Check Point VPN zero-day (CVE-2026-50751)
2026-06-08 | The Hacker News: Critical Check Point VPN Flaw Exploited to Bypass Passwords in IKEv1 Setups
Check Point has reported active exploitation of a critical vulnerability (CVE-2026-50751, CVSS 9.3) in Remote Access VPNs using the deprecated IKEv1 protocol, allowing attackers to bypass authentication. Affected products include Security Gateways R82.10 and below, R81.20 and below, and Spark Firewalls R80.20.X and R81.10.X. Exploitation began on May 7, 2026, with links to Qilin ransomware. A second vulnerability (CVE-2026-50752, CVSS 7.4) was also identified but has not been exploited.
2026-06-08 | Rapid7: Critical Check Point VPN Zero-Day Exploited in the Wild (CVE-2026-50751)
On June 8, 2026, Check Point disclosed CVE-2026-50751, a critical authentication bypass vulnerability in Remote Access VPN, Mobile Access, and Spark Firewall products, with a CVSS score of 9.3. Exploitation allows unauthenticated VPN access. Active exploitation began May 7, 2026, affecting dozens of organizations, linked to Qilin ransomware. Hotfixes are available; organizations should apply them urgently. A related vulnerability, CVE-2026-50752, poses a potential man-in-the-middle risk but has not been exploited.
2026-06-08 | The Register: Ransomware crims got a month-long head start on Check Point VPN 0-day that now has a fix
Check Point released an emergency fix for a critical authentication bypass vulnerability (CVE-2026-50751) affecting its Remote Access and Mobile Access VPNs, which attackers exploited starting May 7. The flaw allows remote attackers to bypass authentication without a password. Check Point also identified CVE-2026-50752, a related vulnerability that could enable man-in-the-middle attacks. Customers are urged to apply hotfixes and review logs for potential exploitation indicators from May 7 to June 5.
2026-06-08 | Cyber Security News: Check Point VPN 0-day Vulnerability Exploited in the Wild to Deploy Ransomware
Check Point Research has identified active exploitation of CVE-2026-50751, a critical authentication bypass vulnerability (CVSS 9.3) in Check Point Remote Access VPN and Mobile Access deployments, linked to the Qilin ransomware gang. This flaw affects versions R80.20.X to R82.10, allowing unauthenticated access via IKEv1. A related vulnerability, CVE-2026-50752 (CVSS 7.4), poses a potential MitM risk. Customers are urged to apply hotfixes and implement interim security measures. Malicious IPs and file hashes are provided for threat detection.
2026-06-09 | Security Affairs: U.S. CISA adds BerriAI LiteLLM and Check Point Security Gateway flaws to its Known Exploited Vulnerabilities catalog
U.S. CISA added two vulnerabilities to its Known Exploited Vulnerabilities catalog: CVE-2026-42271 (BerriAI LiteLLM Command Injection, CVSS 8.7) and CVE-2026-50751 (Check Point Security Gateway Improper Authentication, CVSS 9.3). The BerriAI flaw allows privilege escalation and remote code execution in versions 1.74.2-1.83.6, fixed in 1.83.7. The Check Point flaw, affecting IKEv1, enables unauthenticated VPN access and is actively exploited. Federal agencies must address these by June 11 and June 22, 2026, respectively.
2026-06-09 | Infosecurity Magazine: Check Point Warns Critical Auth Bypass Bug Exploited in the Wild
Check Point has identified and warned about a critical zero-day vulnerability, CVE-2026-50751, in its Remote Access VPN and Mobile Access solutions, which is actively exploited. This authentication bypass flaw affects configurations using the deprecated IKEv1 protocol, allowing attackers to bypass user authentication. Exploitation began on May 7, with increased activity noted in early June, primarily targeting a few dozen organizations. Additionally, CVE-2026-50752 was discovered, with a CVSS score of 7.4, but is not currently exploited. Customers are urged to apply updates.
2026-06-09 | CSO Online: Check Point warns of ransomware-linked attacks exploiting outdated VPN protocol
Check Point has reported ransomware-linked attacks exploiting vulnerabilities in outdated VPN protocols, specifically IKEv1, affecting Remote Access VPN, Mobile Access VPN, and certain Spark Firewall products. The exploitation has targeted a limited number of organizations, with confirmed activity from a Qilin ransomware affiliate. Check Point advises immediate application of hotfixes and recommends migrating to the newer IKEv2 protocol. The vulnerability is tracked as CVE-2026-50571.
2026-06-09 | TechRadar: Check Point says VPN attacks caused by Qilin ransomware group — who had a month's head start on them
Check Point has patched a critical authentication bypass vulnerability (CVE-2026-50751) in its VPN products, exploited since May 7, 2026, by the Qilin ransomware group. This flaw, with a severity score of 9.3/10, allowed unauthorized remote access. Check Point noted that attacks have targeted several dozen organizations globally, with at least one case leading to Qilin ransomware deployment. Customers are urged to apply fixes and implement mitigations immediately.
2026-06-09 | Cybersecurity Dive: Check Point warns of zero-day flaw targeted by ransomware affiliate
A critical authentication bypass vulnerability, CVE-2026-50751, in Check Point Remote Access VPN and Mobile Access has been exploited for over a month, allowing attackers to establish VPN sessions without passwords. The flaw affects deployments using the deprecated IKEv1 protocol. Check Point identified targeted organizations and linked some activity to Qilin ransomware. A second vulnerability, CVE-2026-50752, could enable man-in-the-middle attacks but has not been exploited. Check Point recommends immediate upgrades and has provided security guidance.
2026-06-09 | TechCrunch: CISA gives US federal agencies three days to fix a VPN bug under attack by a ransomware gang
CISA has mandated that all U.S. federal civilian agencies remediate a critical VPN vulnerability exploited by the ransomware group Qilin by June 11. The flaw affects various remote access tools and firewalls from Check Point Software, which confirmed the exploitation began on May 7 and intensified recently. CISA invoked BOD 22-01 to enforce this directive due to the significant risk posed to government networks.
NSO Group back in Meta's crosshairs after alleged WhatsApp targeting
Date: 2026-06-08 | Source: The Register
Meta has requested a federal judge to hold NSO Group in contempt of court for allegedly continuing to target WhatsApp users despite a permanent injunction. Meta reported disrupting NSO-linked phishing attempts that involved luring users to malicious external links. WhatsApp identified domains associated with the campaign and released indicators for detection. This follows a legal battle where NSO was found liable for hacking WhatsApp users, with a significant damages award later reduced.
2026-06-08 | Cyber Security News: WhatsApp Disrupts NSO-Linked Cyberattack Targeting Users with Pegasus Spyware
Meta’s WhatsApp has disrupted a spear-phishing campaign linked to NSO Group, targeting users with Pegasus spyware. Following a 2025 court ruling that ordered NSO to pay damages for a 2019 breach, WhatsApp is now petitioning the court to hold NSO in contempt for violating a permanent injunction. The recent campaign targeted fewer than 10 users in Jordan and Lebanon, with no successful compromises detected. WhatsApp identified malicious domains associated with NSO's phishing infrastructure.
2026-06-08 | TechCrunch: WhatsApp says it caught new spyware attacks linked to NSO Group in violation of court order
WhatsApp disrupted a new hacking campaign linked to NSO Group, alleging violations of a court order prohibiting NSO from targeting its users. The campaign involved spear phishing attempts to lure users into clicking malicious links, potentially leading to spyware infection. WhatsApp filed a contempt order against NSO, citing a previous injunction stemming from a 2019 mass-hacking incident. NSO has faced scrutiny and sanctions from the U.S. government, which has yet to remove it from the Commerce Department blocklist.
2026-06-08 | Recorded Future: WhatsApp says NSO targeted users with spearfishing attacks in violation of court order
WhatsApp accused NSO Group of violating a court order by conducting spear-phishing attacks against its users. The attacks were detected after users reported suspicious activity. WhatsApp is filing a contempt order against NSO for breaching a permanent injunction issued in October, which prohibits such actions. The latest attacks involved social engineering techniques to trick users into clicking malicious links. WhatsApp shared threat indicators and urged users to check for NSO-linked methods across platforms.
2026-06-08 | The Hacker News: Meta Blocks NSO Group's New WhatsApp Phishing Attack, Files Contempt Order
Meta has blocked spear-phishing attempts linked to NSO Group, filing a federal court contempt order against the company for violating a permanent injunction. NSO attempted to trick users into clicking malicious links, similar to past phishing campaigns. Meta identified and removed test accounts created by NSO on WhatsApp. Users are advised to enable strict account settings, including two-step verification and limiting visibility of personal information, to enhance security against sophisticated cyber attacks.
2026-06-08 | Cyberscoop: Meta accuses NSO Group of defying spyware injunction, files contempt of court complaint
Meta has filed a contempt-of-court complaint against NSO Group for allegedly violating a court injunction prohibiting it from targeting WhatsApp users. Despite a previous ruling that awarded Meta $168 million in damages, NSO Group reportedly engaged in spearphishing campaigns and created test accounts on WhatsApp. Meta argues that NSO's actions justify its continued designation on the U.S. sanctions "entity" list, emphasizing the risks to national security and secure communications.
2026-06-08 | Help Net Security: Meta claims NSO Group still targets WhatsApp users despite court order
Meta has disrupted spear-phishing attempts linked to NSO Group, seeking to hold the vendor in contempt for violating a court order prohibiting targeting of WhatsApp users. The campaign involved social engineering tactics to trick users into malicious links. WhatsApp shared threat indicators to help users identify potential targeting. Meta criticized the spyware industry, emphasizing the risks to national security and secure communications. They also announced support for the Spyware Accountability Initiative.
2026-06-08 | Security Affairs: Meta Accuses NSO of Violating WhatsApp Court Injunction
Meta has accused NSO of violating a court injunction by targeting WhatsApp users through phishing campaigns. Meta disrupted these attempts, which involved creating test accounts and using spear phishing tactics to lure users outside the app. They are filing a contempt motion against NSO, which is on the US Entity List for national security threats. Meta emphasizes the importance of maintaining restrictions on NSO and encourages users to enable strict account settings for enhanced security.
2026-06-08 | Hack Read: WhatsApp Says It Blocked Pegasus Spyware Campaign Linked to NSO
WhatsApp has disrupted a spyware campaign linked to NSO Group, seeking to hold the firm in contempt of court for violating a prior injunction. The latest activity involved spear phishing attempts directing users to malicious websites, not exploiting any WhatsApp vulnerabilities. WhatsApp identified and removed related accounts and shared three domains used in the attacks. The company emphasizes the ongoing threat of mercenary spyware and encourages users to remain vigilant against suspicious links.
2026-06-09 | Infosecurity Magazine: WhatsApp Discovers NSO Group-Linked Spearphishing Attempts
WhatsApp has reported disrupting spearphishing attempts linked to NSO Group, claiming violations of a court injunction against targeting users. On June 8, WhatsApp revealed that NSO attempted to trick users into clicking malicious links and created test accounts on the platform. NSO Group, previously ordered to pay over $167 million for hacking 1,400 users, is appealing the injunction. WhatsApp emphasized the need for strict enforcement to protect secure communications and published domains used in the phishing campaign.
2026-06-09 | The Guardian: Spyware firm targeted WhatsApp users in defiance of US court order, Meta says
Meta reported that NSO Group has been targeting WhatsApp users with malicious links, violating a US court order that prohibits such actions. The attacks, aimed at users in Jordan and Lebanon, involved creating test accounts on WhatsApp. NSO, which developed the Pegasus spyware, was previously fined $4 million and permanently enjoined from targeting WhatsApp. Meta is seeking to hold NSO in contempt of court for these violations, highlighting concerns over NSO's disregard for legal consequences.
2026-06-10 | Risky.Biz: Risky Bulletin: Meta says NSO violated court order with new campaign targeting WhatsApp
Meta has disrupted a new NSO Group hacking campaign targeting WhatsApp users, violating a US court order from October 2024. The spear-phishing operation aimed to lure users into clicking malicious links. Meta filed a legal complaint against NSO, which was previously found liable for hacking thousands of users and ordered to pay $4 million in damages. Meta urged lawmakers to maintain sanctions against NSO, citing its continued defiance as a threat to national security.
Meta AI Bug Exposes Over 20,000 Instagram Accounts
Date: 2026-06-08 | Source: Infosecurity Magazine
Unauthorized access to over 20,000 Instagram accounts occurred due to a vulnerability in Meta's AI-powered High Touch Support tool, discovered on May 31. The bug allowed password reset links to be sent to unassociated email addresses. Affected data included contact information, date of birth, social media content, and account activity. Meta disabled the tool, invalidated existing reset links, and enrolled affected users in a security checkpoint. Users are advised to reset passwords and enable two-factor authentication.
2026-06-08 | Security Affairs: Meta AI Recovery Tool Flaw Exposed 20,000+ Instagram Accounts
A flaw in Meta's AI-powered Instagram recovery tool exposed over 20,000 accounts, allowing attackers to reset passwords without verifying email ownership. The vulnerability existed from April 17 to early June 2026, affecting 20,225 accounts. Meta disabled the tool upon discovery on May 31, invalidated reset links, and enforced password resets for impacted users. The company plans to notify users and encourage enabling two-factor authentication. This incident highlights significant security gaps in account recovery processes.
2026-06-08 | Hack Read: Instagram Recovery Tool Bug Exposed 20,225 Accounts to Password Reset Abuse
Meta disclosed a security incident involving an Instagram recovery tool that exposed 20,225 accounts to password reset abuse due to a validation flaw. The issue, discovered on May 31, 2026, allowed unauthorized users to request password resets for accounts without two-factor authentication. Affected users are advised to reset passwords and enable two-factor authentication. Meta disabled the tool and plans to fix the authentication check before reinstating it. Notifications to impacted users will occur on June 19, 2026.
2026-06-08 | TechRadar: Meta reveals over 20,000 Instagram accounts hacked and stolen using AI support bot
Meta confirmed that 20,225 Instagram accounts were compromised due to a flaw in its AI-powered High Touch Support (HTS) system, which allowed attackers to request password resets to unassociated emails. Although there is no evidence of data exfiltration, sensitive information may have been accessed. Meta has disabled the HTS system, reset affected passwords, and is reviewing account recovery processes to enhance security. Recommendations include rigorous access controls for AI systems involved in sensitive operations.
2026-06-08 | Help Net Security: Hackers used Meta’s AI support system to hijack over 20,000 Instagram accounts
Hackers exploited a flaw in Meta's AI-assisted account recovery system, hijacking 20,225 Instagram accounts. A bug in High Touch Support allowed unauthorized password resets when the supplied email address did not match the one associated with the account. The vulnerability was identified on May 31, with the first incidents dating back to April 17. Compromised accounts could expose personal data. Meta disabled the tool, invalidated password reset links, and mandated additional authentication for affected users. A fix for the authentication issue is planned before re-launching the tool.
2026-06-09 | Times Now: Meta Confirms More Than 20000 Instagram Accounts Were Hijacked By Hackers
Meta confirmed that over 20,000 Instagram accounts were hijacked by hackers, with reports indicating that the attackers interacted with the AI support assistant. A data breach notification filed with the Maine Office of the Attorney General revealed that the breach may have begun as early as April 17, 2026. While Meta has not confirmed the specifics of the stolen data, it is believed to include photos, email addresses, direct messages, account activity records, and dates of birth.
2026-06-09 | CNET: Hackers Conned a Chatbot to Hijack 20,000 Instagram Accounts
Hackers exploited a vulnerability in Meta's AI-assisted account recovery system, compromising 20,225 Instagram accounts, including those of high-profile users. The attack involved social engineering, where hackers requested email changes and password resets without needing the original email or password. Meta acknowledged the issue in a letter to the Maine Attorney General and fixed the exploit on June 1. Users are advised to enable multifactor authentication to prevent similar attacks.
New ChatGPT Lockdown Mode Limits Tools That Could Enable Data Exfiltration
Date: 2026-06-06 | Source: The Hacker News
OpenAI has introduced a Lockdown Mode for ChatGPT to mitigate data exfiltration risks from prompt injection attacks. This optional security setting limits outbound network requests and disables features like live web browsing, image support, and file downloads. It aims to protect sensitive data for users handling such information but does not eliminate all risks associated with prompt injections. Additionally, a new account management feature allows users to monitor and log out of active ChatGPT sessions.
2026-06-06 | Cyber Security News: New ChatGPT Lockdown Mode to Mitigate Prompt Injection and Data Exfiltration Attacks
OpenAI has introduced ChatGPT Lockdown Mode to mitigate risks of prompt injection and data exfiltration. This feature limits outbound network access for eligible users, blocking unauthorized data transfers, although prompt injections can still influence model behavior. Key restrictions include disabling live web browsing, image retrieval, and deep research. Administrators must manually configure role-based access controls for effective protection. Lockdown Mode does not guarantee complete security, as risks from third-party apps and hidden prompt injections remain.
2026-06-06 | TechCrunch: OpenAI unveils Lockdown Mode to protect sensitive data from prompt injection attacks
OpenAI has introduced Lockdown Mode to enhance protection against prompt injection attacks, which involve embedding malicious instructions in web content. This feature disables live web browsing, image retrieval from the web, deep research, and agent mode. While it aims to reduce the risk of sensitive data exposure, OpenAI warns that vulnerabilities may still exist. Lockdown Mode is targeted at users handling sensitive data and is being rolled out to ChatGPT Business and eligible personal accounts.
2026-06-08 | Help Net Security: OpenAI is locking down parts of ChatGPT to reduce data theft risks
OpenAI has introduced Lockdown Mode for ChatGPT, enhancing security for users handling sensitive data by restricting access to external resources and capabilities. This mode employs sandboxing and monitoring to prevent data exfiltration risks from prompt injections. Key features are limited, including web browsing and file downloads. Administrators are advised to assess app access and data risks before enabling Lockdown Mode, which cannot be used simultaneously with Developer Mode.
2026-06-08 | Infosecurity Magazine: OpenAI Unveils ChatGPT Account Security Controls
OpenAI has introduced two new security controls for ChatGPT: Lockdown Mode and Active Sessions. Lockdown Mode limits web access to prevent data theft via prompt injection, targeting outbound requests to block data exfiltration. Active Sessions allows users to audit sign-ins, showing device details and locations, with options to end sessions. However, Active Sessions is not available for accounts using single sign-on (SSO) and does not track third-party app sessions.
2026-06-09 | CSO Online: OpenAI’s Lockdown Mode is trying to solve the problem that it created
OpenAI's Lockdown Mode aims to mitigate data exfiltration by restricting external capabilities in its products. When activated, it limits web browsing to cached content, disables image support, and prevents network access for Canvas-generated code. However, it does not fully block exfiltration and may complicate governance for enterprises using multiple AI vendors. OpenAI's blog post outlines these features, but the company did not provide further comments on the implementation.
CISA Warns of SolarWinds Serv-U Vulnerability Exploited in Attacks
Date: 2026-06-06 | Source: Cyber Security News
CISA has added the critical SolarWinds Serv-U vulnerability (CVE-2026-28318) to its Known Exploited Vulnerabilities catalog, warning of active exploitation. This Uncontrolled Resource Consumption flaw allows unauthenticated attackers to crash the service via malicious HTTP requests. Affected organizations must remediate by June 19, 2026. SolarWinds released a hotfix (version 15.5.4 Hotfix 1) and recommends restricting service exposure, monitoring logs, and consulting official advisories for guidance.
2026-06-06 | The Hacker News: CISA Adds Actively Exploited SolarWinds Serv-U DoS Flaw to KEV Catalog
CISA has added a high-severity denial-of-service vulnerability in SolarWinds Serv-U (CVE-2026-28318, CVSS 7.5) to its KEV catalog due to active exploitation. This flaw allows crashes via specially crafted POST requests without authentication. SolarWinds advises upgrading to version 15.5.4 HF1 and recommends limiting access and blocking requests with "content-encoding." Federal agencies must address the flaw by June 19, 2026. Previous vulnerabilities in Serv-U have been exploited by groups like the Cl0p ransomware gang.
2026-06-06 | Security Affairs: U.S. CISA adds SolarWinds Serv-U flaw to its Known Exploited Vulnerabilities catalog
U.S. CISA has added the SolarWinds Serv-U flaw, CVE-2026-28318, with a CVSS score of 7.5, to its Known Exploited Vulnerabilities catalog. This unauthenticated DoS vulnerability allows remote attackers to crash the Serv-U service via a crafted HTTP POST request. Affected versions include Serv-U 15.5.4 and earlier, with a fix available in Serv-U 15.5.4 HF1. Federal agencies must address this by June 19, 2026, while private organizations are advised to review and mitigate the vulnerability.
2026-06-08 | Help Net Security: CISA: Patch actively exploited SolarWinds Serv-U DoS vulnerability (CVE-2026-28318)
A vulnerability (CVE-2026-28318) in SolarWinds Serv-U file transfer servers is being actively exploited, allowing remote, unauthenticated attackers to crash the service via crafted HTTP POST requests. CISA has mandated US federal agencies to patch or mitigate this by June 19, 2026. SolarWinds released a fix on June 3, 2026. Users are advised to implement the patch or restrict access through web application firewalls. Previous vulnerabilities in Serv-U have been exploited for cyber espionage and ransomware attacks.
Miasma Worm Hits 73 Microsoft GitHub Repositories in Major Supply Chain Attack
Date: 2026-06-06 | Source: The Hacker News
A major supply chain attack, dubbed the Miasma Worm, has impacted 73 Microsoft GitHub repositories across four organizations, including Azure and MicrosoftDocs. GitHub has disabled access to these repositories due to violations of its terms of service. The attack is linked to a re-compromise of the "durabletask" PyPI package, previously infected by TeamPCP. Miasma exploits the trust model of software delivery, propagating through legitimate channels without exploiting specific vulnerabilities, making it a significant threat.
2026-06-08 | The Register: GitHub nukes 70+ Microsoft repos, breaks CI/CD pipelines, following suspected worm infections
On June 5, GitHub disabled 73 Microsoft repositories due to a suspected worm infection, specifically the Miasma worm. The attack began when a compromised contributor account pushed a malicious commit to Azure/durabletask, leading to remote code execution risks. This incident disrupted CI/CD pipelines, particularly affecting Azure/functions-action. The Miasma worm had previously targeted Microsoft’s durabletask PyPI package, suggesting compromised tokens were not fully rotated. Security firm Snyk linked Miasma to the Mini Shai Hulud worm.
2026-06-08 | 404 Media: Microsoft Hacked to Deliver Malware to Claude and Gemini Users
Microsoft has disabled over 70 of its GitHub repositories, including those related to Azure and AI coding tools, due to a data breach involving malware that harvested user credentials. The breach was linked to a malicious commit in the durabletask repository, which was previously compromised by hackers from TeamPCP. This incident has rendered GitHub actions using these repositories non-functional, raising concerns about Microsoft's security measures following the earlier compromise.
2026-06-08 | Ars Technica: For the 2nd time in weeks, Microsoft packages laced with credential stealer
Dozens of Microsoft open source packages were compromised with credential-stealing code, affecting 73 packages flagged as malicious on GitHub. The malware, tracked as Miasma, steals credentials from various platforms and spreads through cloud infrastructures. This incident follows a similar attack in May involving the durabletask Python SDK. Microsoft acknowledged the issue after researchers flagged the packages, advising developers to assume compromise. The attack is linked to the threat actor TeamPCP.
2026-06-08 | TechCrunch: Microsoft’s open source tools were hacked to steal passwords of AI developers
Microsoft has disabled access to over 70 of its open-source projects on GitHub after hackers injected password-stealing malware into the code. The affected projects are linked to Azure and AI development tools. The malware compromised user credentials when developers used the tools. This incident follows a previous breach involving Microsoft's Durable Task project, indicating a potential re-compromise or new breach. Microsoft is investigating the situation but has not disclosed the number of affected users.
2026-06-09 | TechRadar: Microsoft disables over 70 GitHub repos after hackers compromised them with dangerous malware
Microsoft disabled 73 GitHub repositories after a threat actor compromised them using unrotated GitHub Actions secrets. The attack, attributed to TeamPCP, involved the deployment of the Miasma worm across Azure, Azure-Samples, microsoft, and MicrosoftDocs organizations. Microsoft has removed affected repos, notified impacted customers, and is investigating the incident. The fallout is significant, affecting workflows that reference Azure/functions-action@v1. The number of impacted customers is estimated to be in the tens of thousands.
2026-06-09 | Security Affairs: Miasma Worm Compromises 73 Microsoft GitHub Repositories
The Miasma worm has compromised 73 Microsoft GitHub repositories, exploiting AI coding tools to steal cloud credentials from developers. Originating from a compromised Red Hat account, it injected malicious workflows that published 32 harmful package versions to the npm registry, using legitimate OIDC tokens for validation. This incident follows a previous breach involving the same malware family. Organizations are advised to rotate exposed credentials and monitor for suspicious activity in their CI/CD environments.
2026-06-09 | The Hacker News: Microsoft Restores Some GitHub Repos, Keeps Others Offline as Miasma Probe Continues
Microsoft temporarily removed some GitHub repositories after 73 open-source projects were compromised, injecting an information stealer into the code as part of the Miasma supply chain campaign. Some repositories have been restored, while others remain offline for investigation. Infected projects included the "durabletask" Python package. The malware targets developer environments, harvesting secrets and exfiltrating them to public GitHub repositories. New delivery mechanisms have been identified, indicating evolving tactics by threat actors.
2026-06-09 | The Register: Miasma worms its way onto GitHub as attack kit goes open source
The Miasma worm attack toolkit has been open-sourced on GitHub, utilizing compromised developer accounts. SafeDep identified malicious repositories that enable various attacks on public registries and GitHub Actions. The toolkit allows for credential theft and lateral movement without requiring custom command-and-control infrastructure. It employs three GitHub commit search channels for command execution and data exfiltration. As of Tuesday, 473 package artifacts have been tracked as affected.
2026-06-10 | Cyber Security News: 73 Microsoft Packages Weaponized to Deploy Password Stealer Malware
Seventy-three Microsoft GitHub repositories were disabled on June 8, 2026, due to a self-replicating worm named Miasma, which compromised Azure Functions. The worm spread through malicious versions of the durabletask PyPI package, stealing developer credentials and Azure OIDC tokens. This incident caused widespread disruption in CI/CD pipelines. Security experts recommend pinning actions to full commit SHAs and rotating credentials. The attack highlights significant vulnerabilities in Microsoft's supply chain security.
Google and FBI warn of ransomware group that sends fake IT workers to hack victims in person
Date: 2026-06-05 | Source: TechCrunch
A ransomware group, Silent Ransom Group, has escalated attacks on law firms by sending fake IT workers to steal data directly from victims' computers using USB drives or enabling remote access. Google and the FBI reported these incidents occurring from January to May 2023. The gang employs social engineering and phishing tactics, impersonating IT support to gain access. They threaten to publish stolen data if victims do not comply with ransom demands, utilizing both physical and remote intrusion methods.
2026-06-05 | Security Affairs: Silent Ransom Group (SRG): Switching To DNS Fast Flux Infrastructure
Researchers have uncovered the Silent Ransom Group (SRG), also known as Luna Moth, utilizing Fast Flux infrastructure to target U.S. law firms and businesses. Active since 2022, SRG focuses on data theft and extortion. The FBI has issued warnings about their social engineering tactics. Fast Flux nodes were identified across multiple regions, relying on compromised IoT devices. New underground projects linked to SRG, such as Spy Corporate, have emerged. Collaboration between public and private sectors is emphasized in combating this threat.
2026-06-05 | The Register: If you don't fall for these extortionists' calls, they'll show up with USB sticks
A data-theft and extortion gang, tracked as UNC3753, has targeted numerous US banks and law firms from January to May 2023, employing social engineering tactics like fake help desk calls. When remote methods fail, they physically visit offices posing as IT staff to steal data via USB drives. The group has rapidly executed operations, often completing data theft within an hour. Recommendations include verifying visitor credentials and implementing strict remote access policies to mitigate risks.
2026-06-08 | Security Affairs: UNC3753 Escalates: From Vishing Calls to Physical Office Intrusions at US Legal and Financial Firms
UNC3753, also known as Luna Moth, has escalated its extortion tactics against US legal and financial firms, employing vishing and physical intrusions. The group uses social engineering to gain remote access via screen-sharing and legitimate remote management tools. They target sensitive documents, exfiltrating data through personal devices and cloud services. The FBI has issued alerts regarding physical break-ins where operatives pose as IT staff. Recommendations include blocking unauthorized tools, enforcing access controls, and training staff on these tactics.
2026-06-08 | Hack Read: Silent Ransom Group Uses Fast Flux Botnet to Hide Law Firm Leak Sites
The Silent Ransom Group (SRG) employs a fast flux botnet to conceal data leak sites targeting law firms, which hold sensitive client information. This technique involves linking websites to a rotating network of home internet connections across 18 countries, complicating law enforcement efforts. SRG focuses on data theft and extortion, threatening to publish stolen files. Their infiltration tactics include vishing and impersonating IT support. Law firms are urged to enhance security measures to mitigate these threats.
2026-06-08 | Cyber Security News: UNC3753 Attacking US Law Firms Using Vishing and RMM Tools to Exfiltrate Data
A cybercriminal group, UNC3753, has targeted US law firms since early 2026, using vishing and remote monitoring tools to exfiltrate sensitive data. Their attacks, which can lead to data theft within a day, begin with invoice-themed emails to prompt follow-up calls. They impersonate IT staff to gain trust, then use screen-sharing to install remote access tools. The group threatens victims with public exposure if ransom demands are ignored. Recommendations include staff training, restricting remote access tool installations, and enforcing MFA.
2026-06-08 | TechRadar: Even your physical offices aren't safe from hackers — experts warn of Silent Ransom Group breaking into businesses to launch ransomware and extortion campaign
Hackers known as the Silent Ransom Group (SRG) have targeted dozens of US firms, particularly in the legal and financial sectors, from January to May 2026. They impersonate IT support to gain access to victims' computers, using onsite USB exfiltration to steal data. Following the theft, they demand ransom, threatening to leak the data if not paid. SRG has been linked to previous ransomware campaigns, including Conti and Ryuk, and is noted for its in-person intrusion tactics.