Signals
Signals are grouped clusters of posts about the same development.
- The Hacker News: Google details Turla's new StockStay backdoor (thehackernews.com)
- SC Media: Turla group deploys new STOCKSTAY backdoor against Ukraine and Italy
- The Record (Recorded Future News): Turla group adds more malware to Russia’s espionage efforts against Ukraine
Fresh signals showing clear momentum shifts across sources.
Multiple high-severity vulnerabilities fixed in containerd, NSD, xrdp, and AMD microcode on Ubuntu
On June 25-26, 2026, Ubuntu released security updates addressing several critical vulnerabilities across key components including containerd, NSD, xrdp, and AMD microcode. Containerd patches fix multiple issues allowing denial of service and remote code execution, with CVSS scores up to 8.8.
Details
- The coordinated release of patches across multiple core components highlights active risk and the need for immediate updates.
- Several vulnerabilities have high CVSS scores up to 9.8, indicating critical security impact.
- Affected Ubuntu LTS versions span from 16.04 to 26.04, covering a broad user base requiring urgent attention.
- These vulnerabilities enable denial of service and remote code execution on widely used Ubuntu systems.
- Timely patching is critical to prevent exploitation of high-severity flaws in container runtimes, DNS servers, and remote desktop services.
- AMD microcode flaws could expose sensitive data on affected processors, impacting system confidentiality.
Critical Cisco vulnerabilities actively exploited including zero-day in SD-WAN Manager
Multiple critical vulnerabilities in Cisco products, including Unified Communications Manager and Catalyst SD-WAN Manager, are being actively exploited by threat actors.
Details
- Exploitation observed weeks after patch release indicates rapid weaponization of disclosed flaws.
- Recent zero-day attacks demonstrate attackers' focus on edge devices and network management tools.
- CISA's inclusion of these vulnerabilities in its KEV catalog signals elevated threat levels to federal and private sectors.
- Exploitation of critical Cisco vulnerabilities risks root-level access and broad network compromise.
- Zero-day attacks on SD-WAN infrastructure threaten communications service providers' operational security.
- Active exploitation warnings from CISA highlight urgent need for patching and monitoring.
Turla deploys new StockStay backdoor in espionage targeting Ukraine and Italy
The Russian state-sponsored threat actor Turla has developed and deployed a new .NET-based backdoor named StockStay against government and military targets in Ukraine, as well as entities linked to Italian foreign policy.
Details
- StockStay is a newly documented backdoor actively deployed in current conflicts.
- Recent disclosures by multiple cybersecurity sources provide fresh intelligence.
- Understanding this malware aids timely defense against evolving Russian cyber operations.
- Highlights ongoing Russian cyber-espionage efforts targeting Ukraine and allied interests.
- Reveals use of advanced malware techniques like secure WebSocket communication for stealth.
- Informs defenders about a new threat actor tool for improved detection and response.
Amazon Q developer flaw allowed malicious repos to execute code and steal cloud credentials
A high-severity vulnerability (CVE-2026-12957) in Amazon Q Developer, an AI coding assistant for Visual Studio Code, allowed attackers to execute arbitrary commands by embedding malicious code in workspace configuration files.
Details
- The vulnerability was recently discovered and promptly patched by AWS, making awareness critical.
- Attackers could exploit this flaw via common developer workflows involving Git repositories.
- Users of Amazon Q Developer need to update immediately to mitigate potential risks.
- Developers could unknowingly run malicious code by opening infected repositories, risking cloud credential theft.
- The flaw bypassed expected user consent and trust checks, highlighting risks in AI-assisted development tools.
- Cloud credential theft can lead to broader compromise of cloud environments and data breaches.
International operation disrupts Amadey and StealC malware networks, recovers millions of stolen credentials
Coverage discusses speculative scenarios around ~$47M; treat as market chatter and see linked sources.
Details
- The operation reflects an evolution in cybercrime disruption tactics targeting entire attack supply chains.
- Amadey and StealC remain pervasive threats enabling credential theft and malware delivery worldwide.
- Public-private partnerships are critical to dismantling complex cybercrime ecosystems at scale.
- Disrupting malware infrastructure reduces cybercriminals' ability to launch ransomware and fraud attacks.
- Recovering stolen credentials and blocking crypto assets limits attacker profits and victim impact.
- Coordinated multi-tool takedowns increase operational friction for cybercriminals, enhancing defense effectiveness.
Miasma malware poisons npm packages while Photo ZIP phishing targets hospitality with Node.js implant
Coverage centers on: Microsoft Security Blog.
Details
- Miasma's rapid automated poisoning of npm packages shows increasing sophistication and speed in supply chain attacks.
- The ongoing Photo ZIP campaign has been active since April 2026, indicating persistent targeting of hospitality organizations.
- Both campaigns demonstrate evolving tactics that require heightened vigilance and updated defenses in affected sectors.
- Supply chain attacks like Miasma threaten software ecosystems by injecting malicious code into widely used packages.
- Phishing campaigns targeting hospitality with persistent implants risk operational disruption and data theft in critical service sectors.
- Credential theft from developer and cloud environments can lead to broader network compromises and further malware propagation.
Early chatter with momentum, still building evidence.
Critical vulnerabilities addressed in recent HPE and Drupal security advisories
In late June 2026, the Canadian Centre for Cyber Security highlighted multiple critical vulnerabilities in HPE and Drupal products.
Details
- Advisories were published in late June 2026, indicating immediate relevance.
- Critical vulnerabilities affect widely used enterprise and web software components.
- Early patching is essential to prevent exploitation by threat actors.
- Unpatched critical vulnerabilities can lead to system compromise or data breaches.
- Timely application of patches reduces exposure to exploitation risks.
- Organizations relying on HPE and Drupal products must prioritize these updates to maintain security.
Multiple vulnerabilities discovered in Hackney HTTP client library
Four security vulnerabilities have been identified in the Hackney HTTP client library, including two medium-severity CRLF injection flaws affecting WebSocket upgrade requests and query parameters, and two high-severity issues involving unbounded buffer accumulation in...
Details
- The advisories were published recently, indicating fresh security risks.
- High-severity vulnerabilities require immediate attention to prevent exploitation.
- Hackney is widely used, so timely updates are essential to protect dependent systems.
- These vulnerabilities could allow attackers to perform header injection and resource exhaustion attacks.
- Unpatched flaws may lead to system instability or denial of service in applications using Hackney.
- Prompt awareness and patching are critical to maintaining secure HTTP client operations.
Critical Incus vulnerabilities allow arbitrary file access and command execution
Three critical security vulnerabilities have been disclosed in Incus, a container management tool.
Details
- The vulnerabilities were disclosed recently with critical severity ratings.
- Active exploitation could lead to widespread host compromises.
- Users of Incus need immediate awareness to mitigate risks.
- These vulnerabilities allow attackers to compromise host systems via container images.
- Incus is used for container management, so these flaws impact container security.
- Prompt patching is critical to prevent exploitation and potential breaches.
Two medium-severity vulnerabilities found in ImageMagick
Two medium-severity security issues have been identified in ImageMagick. One is a heap buffer over-write in the SF3 encoder affecting multi-frame image writing (CVE-2026-53465). The other is a memory leak in the wand option parser triggered by invalid arguments (CVE-2026-53464).
Details
- The vulnerabilities were disclosed recently, making timely awareness critical.
- Users and administrators need to update ImageMagick to mitigate these risks.
- Early detection helps prevent potential attacks exploiting these flaws.
- ImageMagick is widely used in image processing, so vulnerabilities can impact many applications.
- Heap buffer over-write and memory leaks can lead to crashes or exploitation by attackers.
- Prompt patching reduces risk of exploitation and protects system integrity.
High-severity denial of service vulnerabilities found in python-engineio and python-socketio
Two high-severity denial of service vulnerabilities have been disclosed in popular Python libraries. python-engineio suffers from unbound thread allocation that can lead to denial of service (CVE-2026-48802).
Details
- The vulnerabilities were publicly disclosed recently, making immediate attention necessary.
- Exploitation risk increases as details become widely known.
- Users and maintainers need to apply fixes to prevent potential attacks.
- Denial of service vulnerabilities can disrupt applications relying on python-engineio and python-socketio.
- These libraries are commonly used for real-time web communication, so exploitation can impact many services.
- Prompt awareness and patching are critical to maintain service availability and security.
Critical security advisories issued for GitLab, Jenkins, Drupal, and n8n products
On June 24-25, 2026, multiple major software vendors released security advisories addressing critical vulnerabilities in widely used products. GitLab patched several high-severity issues affecting Community and Enterprise Editions prior to versions 19.1.1, 19.0.3, and 18.11.6.
Details
- The advisories were released simultaneously, indicating coordinated disclosure and urgent need for updates.
- Some of the vulnerabilities carry high CVSS scores, highlighting their severity.
- Users running affected versions should prioritize patching to mitigate immediate security risks.
- These advisories address critical vulnerabilities that could lead to remote code execution, data breaches, or unauthorized access.
- Prompt patching reduces the risk of exploitation by threat actors targeting popular software platforms.
- Awareness helps organizations maintain secure infrastructure and protect sensitive data.
New Mistic backdoor linked to ransomware access broker Woodgnat targets multiple sectors
Researchers have identified Mistic, a stealthy backdoor active since April 2026, used in attacks on organizations across insurance, education, IT, and professional services sectors.
Details
- Mistic has been active since April 2026, representing a current and ongoing threat to enterprises.
- Woodgnat’s connections to multiple ransomware gangs highlight a growing ransomware ecosystem relying on access brokers.
- Recent reports of MuddyWater’s deceptive tactics underscore the complexity of modern cyber espionage and ransomware operations.
- Initial access brokers like Woodgnat enable ransomware gangs by selling persistent network access, increasing attack efficiency.
- Mistic’s stealthy deployment across multiple sectors shows evolving ransomware affiliate tactics.
- MuddyWater’s impersonation of ransomware gangs complicates threat attribution and response.
FBI warns Russian hackers target Signal backup recovery keys in phishing campaign
The FBI and CISA have issued an updated warning about a phishing campaign by Russian intelligence hackers targeting Signal users.
Details
- The FBI and CISA updated their advisory to reflect the evolving tactics of Russian hackers.
- This new phishing step significantly raises the stakes for Signal users targeted by these campaigns.
- Awareness is critical to prevent account takeovers and protect sensitive communications.
- Signal users face increased risk as attackers can access private message histories by stealing backup keys.
- Phishing campaigns by state-sponsored actors are becoming more sophisticated and persistent.
- Understanding this threat helps users and defenders improve account security and incident response.
Two new Linux kernel local privilege escalation flaws with public exploits emerge
Two recently disclosed Linux kernel vulnerabilities, DirtyClone (CVE-2026-43503) and pedit COW (CVE-2026-46331), allow local users to escalate privileges to root by corrupting memory through network packet manipulation.
Details
- Public proof-of-concept exploits have been released, demonstrating active exploitation risk.
- Patches have recently been issued, making timely updates critical.
- The vulnerabilities affect core Linux kernel components used in many environments.
- Local privilege escalation flaws can allow attackers to gain root access, compromising system security.
- Public exploits increase the urgency for patching vulnerable Linux systems.
- Linux kernel vulnerabilities affect a wide range of devices and servers globally.
Recent public signals
- Two new Linux kernel local privilege escalation flaws with public exploits emerge
In June 2026, two critical Linux kernel vulnerabilities were publicly disclosed, each enabling local privilege escalation to root. DirtyClone, a variant of the DirtyFrag vulnerability class, allows attackers to corrupt file-backed memory via cloned network packets. The pedit COW flaw involves an out-of-bounds write in the packet-editing subsystem that poisons shared page-cache memory. Both vulnerabilities have working public exploits, underscoring the need for immediate patching to prevent system compromise.
- CISA adds exploited PTC Windchill remote code execution flaw to KEV amid active attacks
A critical remote code execution vulnerability (CVE-2026-12569) in PTC Windchill and FlexPLM product lifecycle management software is being actively exploited in the wild.
- Turla deploys new StockStay backdoor in espionage targeting Ukraine and Italy
The Russian state-sponsored threat actor Turla has developed and deployed a new .NET-based backdoor named StockStay against government and military targets in Ukraine, as well as entities linked to Italian foreign policy.
- Amazon Q developer flaw allowed malicious repos to execute code and steal cloud credentials
A high-severity vulnerability (CVE-2026-12957) in Amazon Q Developer, an AI coding assistant for Visual Studio Code, allowed attackers to execute arbitrary commands by embedding malicious code in workspace configuration files.
- AI fuels evolution of ransomware and malware evading detection in 2026
In 2026, ransomware attacks are surging with AI enhancements making them more accessible on the dark web, warns former FBI cyber deputy director Cynthia Kaiser.
- CISA adds PTC Windchill remote code execution flaw to exploited vulnerabilities catalog
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has officially added the critical remote code execution vulnerability CVE-2026-12569 affecting PTC Windchill PDMlink and FlexPLM software to its Known Exploited Vulnerabilities (KEV) catalog.
- Miasma malware campaign poisons npm packages and targets developer credentials
The Miasma malware family has launched a sophisticated supply chain attack by compromising over 20 npm packages, including those used by LeoPlatform and RStreams.
- New backdoors linked to China and ransomware access brokers target critical infrastructure and corporate networks
Recent reports reveal two distinct backdoors actively used in cyber intrusions. A China-linked threat group is deploying a custom TinyRCT backdoor against critical infrastructure in Southeast Asia.
- Multiple critical vulnerabilities fixed across popular open source projects
Several widely used open source projects including File Browser, Keycloak, FOSSBilling, GitLab, pretix, pnpm, and Gogs have released security updates addressing multiple critical and important vulnerabilities.
- Important remote code execution vulnerabilities disclosed in Vim and GIMP
Two significant vulnerabilities have been disclosed affecting widely used software: Vim and GIMP.
- Critical vulnerabilities fixed in Dell, HP, and Schneider Electric products
Multiple important security vulnerabilities have been addressed in Dell Wyse Management Suite, Dell Display and Peripheral Manager, HP Dock Accessory WMI Provider installer, and Schneider Electric EasyLogic T150 and PowerLogic P7 devices.
- Multiple high-severity vulnerabilities fixed in NSD, Rapid7 InsightConnect, NetVault, PowerDNS, and Nessus
Several critical security vulnerabilities have been addressed across multiple products including NSD DNS server, Rapid7 InsightConnect plugins, Quest NetVault Backup, PowerDNS Recursor, and Tenable Nessus.
- Multiple critical security updates released for Linux kernel, Red Hat, and industrial control systems
On June 25-26, 2026, several high-severity security advisories were published addressing vulnerabilities in the Linux kernel, Red Hat products, and industrial control systems.
- Multiple high-severity vulnerabilities fixed in containerd, NSD, xrdp, and AMD microcode on Ubuntu
On June 25-26, 2026, Ubuntu released security updates addressing several critical vulnerabilities across key components including containerd, NSD, xrdp, and AMD microcode. Containerd patches fix multiple issues allowing denial of service and remote code execution, with CVSS scores up to 8.8.
- Microsoft extends free Windows 10 security updates for consumers until October 2027
Microsoft has extended the free Extended Security Updates (ESU) program for Windows 10 consumer devices through October 12, 2027. This move ensures that users who have not yet upgraded to Windows 11 can continue receiving critical security patches, helping to protect their systems from vulnerabilities during the transition period. The extension was quietly implemented, emphasizing Microsoft's commitment to supporting its user base amid ongoing platform migrations.
- Cisco SD-WAN zero-day exploited months before patching
A critical vulnerability (CVE-2026-20245) in Cisco Catalyst SD-WAN Manager was actively exploited by threat actors for at least three months before its public disclosure and patch release in early June 2026.
- New backdoors STOCKSTAY and Mistic linked to espionage and ransomware access brokers
Coverage centers on: Google Threat Intelligence Group on STOCKSTAY backdoor.
- Multiple critical security advisories issued for GitLab, Jenkins, Drupal, and n8n products
On June 24-25, 2026, several major software vendors released security advisories addressing critical vulnerabilities in widely used products.
- Chrome 149 update fixes 18 critical security vulnerabilities
Google's latest Chrome stable channel update, version 149, delivers critical security fixes for 18 vulnerabilities, many of which are use-after-free defects that pose significant risks such as remote code execution. The update, rolling out across Windows, Mac, and Linux platforms, addresses a broad set of CVEs with a CVSS score of 9.6, reflecting the urgency for users to apply the patch promptly to mitigate potential exploitation.
- International law enforcement disrupts StealC, Amadey, and SocGholish malware operations
Coverage discusses speculative scenarios around ~$47M; treat as market chatter and see linked sources.
- Multiple critical vulnerabilities fixed in curl, poweradmin, tryghost, and geovision products
Recent security advisories reveal multiple critical vulnerabilities addressed across several widely used software and hardware products. Curl patched numerous issues including connection reuse errors and password leaks.
- Critical Cisco vulnerabilities actively exploited including zero-day in SD-WAN Manager
Multiple critical vulnerabilities in Cisco products, including Unified Communications Manager and Catalyst SD-WAN Manager, are being actively exploited by threat actors.
- New Mistic backdoor linked to ransomware access broker Woodgnat targets multiple sectors
Researchers have identified Mistic, a stealthy backdoor active since April 2026, used in attacks on organizations across insurance, education, IT, and professional services sectors.
- Microsoft and allies disrupt shared infrastructure of Amadey and StealC malware
Microsoft, Europol, and international partners have jointly disrupted hundreds of command-and-control servers used by the Amadey botnet and StealC infostealer malware.
- New macOS backdoor uses prompt injection to evade AI triage while ClickFix attack spreads infostealer via DMGs
Researchers have uncovered a North Korea-linked macOS backdoor named macOS.Gaslight that uses prompt injection to disrupt AI-assisted triage tools, evading detection.
- Multiple critical vulnerabilities addressed in SUSE Linux and related software products
On June 23-24, 2026, SUSE released a comprehensive set of security updates addressing numerous critical vulnerabilities across a wide range of products including the Linux Kernel, Apache2, Tomcat, OpenSSL, and others.
- Critical CI/CD vulnerabilities expose millions of repositories to hijacking
Security researchers have identified a new class of critical vulnerabilities in continuous integration and continuous deployment (CI/CD) workflows, dubbed Cordyceps, which allow unauthenticated attackers to hijack open-source software supply chains.
- The evolving cybersecurity landscape demands new mental models beyond human vigilance
Coverage centers on: CSO Online.
- Webinars highlight proactive cyber defense and exposure validation in the AI era
Two recent webinars focus on enhancing cybersecurity through proactive risk identification and modern exposure validation techniques.
- Japanese telco and Canadian electricity provider disclose major data breaches
Japanese telecommunications company KDDI revealed unauthorized access to its managed email service affecting up to 14.2 million users, potentially exposing email addresses and hashed passwords.
- Critical vulnerabilities fixed in n8n, FOSSBilling, and Squid releases
Recent updates for n8n, FOSSBilling, and Squid address multiple critical security vulnerabilities. n8n patched numerous issues including credential exfiltration, cross-tenant takeover, prototype pollution, and various XSS flaws.
- Critical vulnerabilities found in FFmpeg and AVideo media processing components
Two high-severity vulnerabilities have been disclosed affecting widely used media processing software.
- Xsolis data breach exposes sensitive information of 1.4 million people
On January 20, 2026, healthcare technology firm Xsolis experienced a phishing attack that allowed unauthorized access to its network, resulting in the compromise of sensitive personal and health information of approximately 1.4 million people. The breach underscores the increasing risks associated with AI-powered business decision support software vendors in healthcare, prompting experts to urge organizations to enhance AI governance and oversight to mitigate such threats.
- Xsolis data breach exposes personal and health information of 1.4 million individuals
Xsolis, a Tennessee-based healthcare technology vendor specializing in AI-powered decision support software, suffered a data breach impacting approximately 1.4 million people.
- Fake AI agent skill exposes vulnerabilities in AI skill marketplaces and supply chain security
A security experiment by AIR demonstrated that a fake AI agent skill, designed solely to collect email addresses, successfully bypassed all tested security scanners and was distributed via a popular skill marketplace and Instagram ads, reaching approximately 26,000 agents...
- New macOS malware campaigns use stealthy techniques to deploy info stealers
Two recent macOS malware campaigns have been uncovered employing sophisticated methods to evade detection and steal information.
- Webinars highlight challenges and strategies in proactive cyber defense and email security alert management
Recent webinars address critical cybersecurity challenges faced by security teams, focusing on managing overwhelming email security alerts and adopting proactive cyber defense measures.
- Malicious npm packages impersonate PostCSS tools to deliver Windows RAT
Security researchers have uncovered several malicious npm packages mimicking popular PostCSS tools to distribute a multi-stage Windows remote access trojan (RAT).
- OpenAI expands Daybreak initiative with GPT-5.5 to enhance software vulnerability patching
OpenAI has released an improved GPT-5.5-Cyber model as part of its Daybreak initiative to assist cybersecurity defenders in identifying and patching software vulnerabilities.
- OpenAI launches AI-driven initiative to patch open-source software vulnerabilities
OpenAI has expanded its Daybreak program with the release of GPT-5.5-Cyber to assist defenders in identifying and fixing security flaws in widely used open-source projects.
- IBM patches critical vulnerabilities across multiple products including Integration Bus, WebSphere, Langflow OSS, MQ containers,
IBM has released security updates addressing numerous critical and severe vulnerabilities affecting a range of its software products.
- Multiple severe vulnerabilities fixed in Angular, Grafana, and Red Hat OpenShift
Recent security updates address multiple severe vulnerabilities across popular platforms including Angular, Grafana, and Red Hat OpenShift Container Platform. The fixes cover critical issues such as SSRF, cross-site scripting, privilege escalation, and denial of service, with CVSS scores reaching up to 9.6.
- Multiple high-severity vulnerabilities patched across open source and enterprise software
On June 22-23, 2026, numerous security updates were released addressing critical vulnerabilities in widely used software including MISP, openvswitch, containerized-data-importer, libarchive, Linux Kernel, and others.
- North Korean hackers linked to malicious supply chain attack on Mastra AI framework
Security researchers have attributed a significant supply chain attack on the Mastra AI development environment to North Korean threat actors.
- AryStinger botnet hijacks thousands of legacy D-Link routers to form proxy network
The AryStinger botnet has compromised over 4,300 outdated D-Link routers, primarily models DIR-850L and DIR-818LW, exploiting vulnerabilities disclosed 13 years ago.
- Brazil investigates suspected cyberattack after false emergency alerts
On June 20, Brazil's national emergency alert system was compromised, sending unauthorized 'extreme' alerts to mobile devices across multiple states including São Paulo, Rio de Janeiro, Paraná, and the Federal District.
- WhatsApp phishing campaign uses fake business documents to deploy remote access malware
This ongoing malware campaign exploits trusted WhatsApp communication channels by sending deceptive VBScript attachments posing as business documents. Once executed, these scripts install legitimate RMM software, enabling attackers to remotely access victims' systems. The campaign's global reach and use of legitimate software complicate detection and response, underscoring the need for heightened user vigilance and robust security controls.
- Klue breach exposes Salesforce data of multiple cybersecurity firms via stolen OAuth tokens
A breach at business intelligence platform Klue compromised OAuth tokens used to connect with Salesforce and other platforms, impacting at least seven cybersecurity firms including Huntress, Recorded Future, and HackerOne.
- Recent cyberattacks highlight supply chain risks, ransomware complexity, and data breaches
Recent cybersecurity incidents reveal persistent exploitation of supply chains and third-party vendors, increasing exposure of sensitive data. The complexity of ransomware campaigns is growing, with multiple threat actors operating in parallel to evade detection and maintain long-term access. Meanwhile, attacker groups like ShinyHunters show that significant damage can occur without advanced malware or zero-day vulnerabilities, emphasizing the need for robust defenses and incident response capabilities.
- AryStinger malware hijacks thousands of legacy D-Link routers to form proxy network
The AryStinger botnet has compromised over 4,300 end-of-life D-Link routers, primarily DIR-850L and DIR-818LW models, turning them into a distributed reconnaissance and proxy network.
- Attackers exploit Gravity SMTP WordPress plugin vulnerability to leak sensitive data
The Gravity SMTP plugin for WordPress contains a security flaw involving an exposed REST API endpoint. Attackers have leveraged this vulnerability to extract sensitive information such as API keys, secrets, tokens, and server details from vulnerable WordPress installations. This unauthorized data access highlights the critical need for site administrators to promptly patch or mitigate the issue to prevent further compromise.
- Unpatchable bootrom exploit affects millions of iPhones with A12 and A13 chips
A newly discovered exploit named Usbliter8 targets a hardware vulnerability in Apple's BootROM affecting devices with A12 and A13 chips. This flaw bypasses Apple's boot defenses and cannot be patched, putting millions of iPhones at risk.
- North Korean hackers linked to Mastra AI supply chain attack
Microsoft security researchers have attributed a recent supply chain attack on Mastra, an AI-related project, to the North Korean threat actor known as Sapphire Sleet.
- Hackers actively exploit information disclosure vulnerability in Gravity SMTP WordPress plugin
The Gravity SMTP WordPress plugin, widely used on about 100,000 websites, contains a medium-severity information disclosure vulnerability identified as CVE-2026-4020. This flaw enables unauthenticated attackers to retrieve sensitive configuration details such as API keys and OAuth tokens. Since the vulnerability was patched, threat actors have been actively exploiting it, making immediate patching critical to prevent further compromise.
- Klue OAuth token theft leads to Salesforce data breach affecting cybersecurity firms
Klue, a marketing intelligence platform, confirmed a security breach involving a compromised legacy credential that allowed attackers to steal OAuth tokens. These tokens were used to access and exfiltrate data from customers' Salesforce and Gong instances.
- Klue confirms OAuth token theft led to Salesforce data breach by Icarus group
Klue recently disclosed a security breach involving the theft of OAuth tokens through a compromised legacy credential. This allowed attackers to access integrated services and directly exfiltrate data from Klue customers' Salesforce and Gong instances. The extortion group known as Icarus publicly claimed responsibility for the incident, which has led to a growing list of affected victims. The breach highlights the risks associated with legacy credentials and OAuth token security in cloud-based integrations.
- The Gentlemen ransomware group equips affiliates with advanced EDR-killing tools
The Gentlemen ransomware-as-a-service (RaaS) platform has developed and distributed a sophisticated suite of endpoint detection and response (EDR) disabling tools called GentleKiller to its affiliates.
- Law enforcement disrupts SocGholish malware network linked to Evil Corp
An international law enforcement operation called Operation Endgame successfully dismantled the SocGholish malware infrastructure, linked to the Russian cybercrime group Evil Corp.
- Data breach at Texas Parks and Wildlife vendor exposes personal data of over 3 million Texans
A data breach at a vendor handling license sales for the Texas Parks and Wildlife Department has compromised personal information of more than three million Texans.
- Authorities dismantle SocGholish botnet linked to Evil Corp, cleaning nearly 15,000 infected WordPress sites
A coordinated international law enforcement operation, dubbed Operation Endgame, successfully disrupted the SocGholish malware network associated with the Russian cybercrime group Evil Corp.
- Critical vulnerabilities patched in Splunk, SimpleHelp, and NGINX products
Multiple critical vulnerabilities affecting widely used enterprise software have been disclosed and patched.
- Microsoft warns of new AI agent exploits enabling host-level code execution and data leaks
Microsoft researchers have disclosed a novel remote code execution (RCE) attack called AutoJack that exploits web-enabled AI agents, allowing malicious web pages to hijack these agents and execute arbitrary code on the host machine by bypassing localhost security boundaries...
- Apple patches high-severity Beats Studio Buds vulnerability enabling nearby eavesdropping
Apple has released a security update for its Beats Studio Buds wireless earbuds to fix a critical Bluetooth vulnerability (CVE-2025-20701) in the Airoha Bluetooth audio SDK.
- Apple patches high-severity Beats Studio Buds vulnerability enabling nearby eavesdropping
Apple has released a security update addressing a critical Bluetooth vulnerability (CVE-2025-20701) in Beats Studio Buds earbuds that could allow nearby attackers to eavesdrop via the microphone without user consent.
- Microsoft Windows updates cause issues with Office automation and Recycle Bin prompts
The June 2026 Windows updates have introduced multiple bugs affecting user experience. One issue disrupts OLE automation, causing third-party applications to fail silently when opening Microsoft Office files.
- CISA warns Fortinet users to secure devices after FortiBleed credential leak
CISA has raised alarms after the FortiBleed campaign exposed credentials for tens of thousands of Fortinet devices, including firewalls and VPNs. This widespread compromise threatens critical network infrastructure, with Russian-speaking threat actors actively exploiting the vulnerability. Organizations using Fortinet appliances are urged to promptly secure their devices to mitigate risks of unauthorized access and potential breaches.
- Enterprise AI security shifts from data leakage to access control challenges
Enterprise AI security concerns have evolved from preventing data leakage via public AI tools to managing complex access control and identity governance challenges posed by autonomous AI agents.
- Critical vulnerabilities in Splunk Enterprise exploited shortly after disclosure
Splunk Enterprise and Splunk Cloud Platform have multiple security flaws, including a critical unauthenticated remote code execution vulnerability (CVE-2026-20253) in the PostgreSQL sidecar service. Another serious issue (CVE-2026-20251) allows remote code execution via unsafe deserialization of KV Store data.
- Security risks in autonomous AI agents: AutoJack exploit and orphaned agents in enterprise networks
Recent research highlights critical security challenges in autonomous AI agents. Microsoft disclosed AutoJack, an exploit chain in AutoGen Studio that allows malicious web content to execute arbitrary code on the host by bypassing localhost trust boundaries.
- Multiple critical security updates released for Linux kernel, ICS products, and popular software
On June 19, 2026, numerous security advisories were published addressing critical vulnerabilities across a wide range of software and industrial control systems.
- Critical NGINX vulnerabilities patched by Debian and F5 in June 2026
In June 2026, two critical security vulnerabilities affecting NGINX Open Source were disclosed and patched.
- Ubuntu issues critical security patches for libheif, LXD, and Net::CIDR::Lite vulnerabilities
Ubuntu has released security updates addressing multiple vulnerabilities in libheif, LXD, and Net::CIDR::Lite affecting various LTS releases.
- Critical vulnerabilities patched in Tomcat and Vim affecting Ubuntu systems
On June 18, 2026, Ubuntu released security updates addressing multiple high-severity vulnerabilities in Tomcat and Vim.
- Threat actors exploit trusted platforms and reputation manipulation in malware campaigns
Recent malware campaigns have leveraged trusted platforms such as Google Ads, GitLab pages, and the Claude AI chat feature to deliver malicious payloads through social engineering tactics.
- Icarus threat actors exploit Klue OAuth breach to steal Salesforce data
Threat actors known as Icarus exploited an OAuth breach in Klue's Battlecards integration to steal Salesforce CRM data from multiple organizations. The attackers used stolen OAuth tokens to access and exfiltrate customer Salesforce data, which they are now holding for ransom.
- Nintendo confirms employee survey data stolen in third-party service cyberattack
Nintendo of America confirmed that sensitive employee survey data was stolen from the third-party service TinyPulse, used internally for employee surveys. The Shadowbyt3$ threat group claimed responsibility, alleging the exfiltration of sensitive employee information including bank statements and W-9 forms.
- F5 releases urgent patches for two critical NGINX vulnerabilities enabling remote code execution
F5 has issued out-of-band security updates to fix two critical vulnerabilities in NGINX Open Source that could allow remote unauthenticated attackers to execute code on affected systems. One flaw is a use-after-free vulnerability in the ngx_http_v3_module (CVE-2026-42530) with a CVSS v4 score of 9.2.
- DragonForce hackers hide backdoor traffic in Microsoft Teams; persistent access gained in French business via OpenSSH and Tailscale
Threat actors linked to the DragonForce ransomware group have been detected using a custom Go-based remote access trojan named Backdoor.Turn to conceal command-and-control traffic within Microsoft Teams relay infrastructure.
- DragonForce ransomware operators exploit Microsoft Teams relay to conceal command traffic
The DragonForce ransomware group has been observed using a custom remote access trojan named Backdoor.Turn to hide command-and-control (C2) traffic within Microsoft Teams relay infrastructure.
- Microsoft confirms RoguePlanet vulnerability in Defender, working on patch
Microsoft has acknowledged a critical elevation of privilege vulnerability in Microsoft Defender, tracked as CVE-2026-50656 and nicknamed RoguePlanet. This flaw allows attackers to escalate privileges from a standard user to full system control (NT AUTHORITY\SYSTEM) without needing administrator rights.
- Massive credential exposures highlight risks to Fortinet firewalls and global accounts
A large-scale campaign named FortiBleed has compromised over 75,000 Fortinet FortiGate firewalls worldwide by harvesting passwords and configuration files, likely by Russian-speaking threat actors.
- Splunk patches critical vulnerabilities in AI Toolkit
Splunk has issued urgent security updates for its AI Toolkit to fix critical vulnerabilities, including a high-severity OS command injection flaw exploitable by admin users. These patches, released on June 17, 2026, address risks that could lead to full system compromise if left unpatched. The simultaneous patching by Atlassian underscores ongoing challenges in software supply chain security and the importance of timely updates.
- Critical Command Execution Vulnerability Patched in Cisco ISE
AUSCERT External Security Bulletin Redistribution ESB-2026.6780, Cisco Webex App Open Redirect Vulnerability, 18 June 2026. AUSCERT Security Bulletin Summary. Product: Cisco Webex. Publisher: Cisco Systems...
- Mastra AI framework compromised in large-scale npm supply chain attack
A widespread npm supply chain attack targeted over 140 packages within the Mastra and @mastra scopes, introducing a malicious typosquat package called easy-day-js.
- Multiple critical security updates released for Linux kernel, OpenSSL, Firefox, and other key software
On June 18, 2026, numerous security advisories were published addressing critical vulnerabilities across widely used software including the Linux kernel, OpenSSL, Firefox, OpenShift Container Platform, and others.
- Oracle issues critical June 2026 security patch update alongside IBM DB2 vulnerabilities
Oracle released its June 2026 Critical Security Patch Update addressing over 245 vulnerabilities across multiple products including MySQL, JD Edwards, and Oracle Communications. The update includes critical fixes with CVSS scores up to 9.9.
- Microsoft confirms RoguePlanet zero-day in Defender, patch in development
Microsoft has disclosed a critical zero-day vulnerability in Microsoft Defender antivirus, tracked as CVE-2026-50656 and dubbed RoguePlanet.
- Crypto clipper campaign uses fake reputation and Tor-based persistence to evade detection
Since early 2026, a sophisticated Windows-based cryptocurrency clipboard hijacker campaign has employed multiple deceptive tactics to boost legitimacy and evade detection.
- DragonForce ransomware abuses Microsoft Teams relay servers for command-and-control
The DragonForce ransomware group has been observed leveraging Microsoft Teams relay infrastructure to conceal command-and-control (C2) traffic. Attackers deployed a new Go-based backdoor that uses Microsoft Teams servers as a relay to evade detection and maintain communication with compromised systems.
- EU includes Ukraine in cybersecurity reserve to aid in major cyber incidents
As Ukraine advances toward formal EU membership, the European Union has integrated the country into its Cybersecurity Reserve. This reserve consists of vetted cybersecurity incident response firms prepared to assist organizations facing major cyber incidents. Ukraine's inclusion ensures it can receive expert support promptly during large-scale cyberattacks, enhancing its resilience amid ongoing cyber threats.
- Google Cloud Vertex AI SDK vulnerability allowed model hijacking and remote code execution
A critical design flaw in Google Cloud's Vertex AI SDK for Python enabled attackers to hijack AI model uploads and execute arbitrary code.
- Attackers actively exploiting critical Fortinet and Cisco SD-WAN vulnerabilities
In June 2026, attackers have been observed actively exploiting multiple critical vulnerabilities in Fortinet's FortiSandbox and Cisco's SD-WAN products.
- Malicious JetBrains plugins steal AI API keys in coordinated malware campaign
Security researchers have uncovered a coordinated malware campaign on the JetBrains Marketplace involving at least 15 malicious plugins published under seven vendor accounts.
- Oracle’s Second Monthly Security Updates Deliver 245 Patches
AUSCERT External Security Bulletin Redistribution ESB-2026.6735, Oracle Critical Security Patch Update Advisory - June 2026, 17 June 2026. AUSCERT Security Bulletin Summary. Product: Oracle Communications...
- 2026 Breach trends highlight challenges in vulnerability management and ransomware impact
The 2026 Verizon Data Breach Investigations Report analyzed over 22,000 breaches, revealing that exploitation of vulnerabilities is the leading cause of incidents, with remediation times increasing and critical vulnerabilities rising sharply.
- Mozilla releases critical Firefox updates fixing multiple severe vulnerabilities
Mozilla has issued security advisories addressing numerous severe vulnerabilities in Firefox and related products, including Firefox for iOS and Firefox ESR. The updates fix multiple memory safety bugs that could allow remote code execution.
- Multiple severe vulnerabilities disclosed in Rockwell Automation and Moxa industrial devices
Several severe security vulnerabilities have been identified and officially fixed in Rockwell Automation products including Logix 5370 & 5570 controllers, CompactLogix controllers, RSLinx software, FLEX I/O EtherNet/IP adapters, and FactoryTalk Analytics PavilionX.
- Multiple important security updates released for Linux kernel and related software
On June 16-17, 2026, coordinated security advisories were published addressing numerous vulnerabilities in the Linux kernel, kernel-rt, 389-ds, openssl-1_1, opensc, qemu, libcaca, openvswitch, sqlite3, and other components primarily for SUSE and Red Hat operating systems.
- Multiple critical vulnerabilities patched in OpenImageIO, FreeRDP, and rabbitmq-c on Ubuntu
Ubuntu has released security updates addressing several high-severity vulnerabilities across OpenImageIO, FreeRDP, and rabbitmq-c components.
- China-linked SprySOCKS backdoor expands to Windows with new stealthy variants
Security researchers have identified two previously undocumented Windows variants of the China-linked SprySOCKS backdoor, previously believed to target only Linux systems.
- Malware spread via Steam Workshop wallpapers abusing Wallpaper Engine app
Threat actors are exploiting the Steam Workshop platform, specifically targeting the Wallpaper Engine application, to distribute malware hidden within wallpaper packages.
- DragonForce ransomware hides command-and-control traffic in Microsoft Teams
The DragonForce ransomware group has been using a sophisticated technique to conceal its command-and-control (C2) communications within legitimate Microsoft Teams traffic.
- China-linked UNC6508 targets US and Canadian research via legacy REDCap exploits and email abuse
Coverage discusses speculative scenarios; treat as market chatter and see linked sources.
- Google Vertex AI SDK vulnerability enables cross-tenant remote code execution via bucket squatting
A critical vulnerability in the Google Cloud Vertex AI Python SDK allows attackers without project access to hijack machine learning model uploads and execute code within Google's serving infrastructure.
- iRhythm and Novo Nordisk suffer recent data breaches with stolen sensitive information
In June 2026, digital health company iRhythm Holdings confirmed a data breach involving the theft of patients' personal and health information, with attackers demanding a ransom.
- Multiple critical vulnerabilities patched in Ruby, rabbitmq-c, rsync, and FreeRDP on Ubuntu
Ubuntu has released security updates addressing several critical vulnerabilities across multiple packages including Ruby, rabbitmq-c, rsync, and FreeRDP. Notably, Ruby's Net::IMAP library had flaws allowing potential man-in-the-middle attacks and command injection.
- Cisco patches actively exploited SD-WAN zero-day; Fortinet and Check Point vulnerabilities also targeted
Cisco has released security updates for a medium-severity zero-day vulnerability (CVE-2026-20262) in its Catalyst SD-WAN Manager software, which allows authenticated attackers to write arbitrary files and potentially escalate privileges.
- China-linked UNC6508 group targets US and Canadian research via legacy REDCap exploits
Coverage discusses speculative scenarios for 2023; treat as market chatter and see linked sources.
- Multiple critical security updates issued for key open source software in June 2026
Between June 15 and 16, 2026, coordinated security updates were released for a range of widely used open source software including OpenSSL, OpenSSH, Linux Kernel, Samba, MariaDB, KubeVirt, CUPS, and others.
- Active exploitation of file write vulnerabilities in Cisco SD-WAN Manager and Langflow
Cisco has released patches for a medium-severity arbitrary file write vulnerability (CVE-2026-20262) in its Catalyst SD-WAN Manager web UI that allows authenticated attackers to overwrite files and potentially escalate to root.
- China-linked UNC6508 group targets North American medical research with InfiniteRed malware
A China-affiliated espionage group known as UNC6508 has been conducting a prolonged cyber campaign against North American medical, academic, and military research institutions.
- SearchLeak vulnerability enables one-click data theft from Microsoft 365 Copilot Enterprise
A critical vulnerability chain named SearchLeak (CVE-2026-42824) affects Microsoft 365 Copilot Enterprise, allowing attackers to steal sensitive data including emails, calendar details, files, and MFA codes via a specially crafted URL.
- ShinyHunters Hits Universities Via Oracle Zero-Day
Threat Intelligence Bulletin for the week of 15 June, top attacks and breaches: The University of Nottingham, a UK research university, has suffered a data breach after ShinyHunters accessed its student records system.
- ShinyHunters exploits Oracle PeopleSoft zero-day to breach over 100 organizations including universities and Council of Europe
The ShinyHunters cybercrime group has exploited a critical zero-day vulnerability (CVE-2026-35273) in Oracle PeopleSoft to compromise more than 100 organizations worldwide. The majority of confirmed victims are higher education institutions, including the University of Nottingham, as well as the Council of Europe.
- US government restricts Anthropic AI models over security concerns, sparking EU tech sovereignty debate
The US government has ordered Anthropic to disable access to its advanced AI models Claude Fable 5 and Mythos 5 for foreign nationals, citing national security risks related to potential misuse for vulnerability discovery.
- Active exploitation of PAN-OS GlobalProtect VPN vulnerability prompts CISA KEV listing
Palo Alto Networks has confirmed active exploitation of a critical authentication bypass vulnerability (CVE-2026-0257) in its PAN-OS GlobalProtect VPN software. The flaw affects both portal and gateway components, allowing unauthorized access.
- Maine disables data breach reporting portal after fake submissions
Maine's Attorney General office has suspended its public data breach reporting portal after it was targeted with fake breach reports, notably involving VRChat and Discord. This prompted the state to disable public access to the portal to prevent further fraudulent entries. Although companies are still able to report breaches through other means, the portal will remain offline to the public until an audit is completed to enhance its security and submission verification processes.
- Council of Europe investigates alleged data breach by ShinyHunters extortion group
Over the weekend, the ShinyHunters extortion group claimed to have hacked the Council of Europe, stealing 297 GB of data containing employee personal information. In response, the Council of Europe has launched an investigation into these data breach claims. The extortion group has threatened to leak the stolen data, raising concerns about the security of sensitive information within the organization.
- Weekly cybersecurity recap highlights Chrome zero-day, UniFi exploits, and rising AI scams
Recent cybersecurity reports reveal a surge in exploits and scams, including an actively exploited Chrome zero-day vulnerability patched by Google, attacks targeting UniFi devices, and AI-powered scams causing nearly $900 million in losses in the US.
- Heap-related vulnerabilities disclosed in AWS and Microsoft components
Two critical heap-related vulnerabilities have been disclosed in widely used software components by AWS and Microsoft.
- Google and FBI dismantle Chinese AI-powered phishing network Outsider
Coverage discusses speculative scenarios around ~$1.9B; treat as market chatter and see linked sources.
- Novo Nordisk suffers data breach exposing patient and healthcare professional information
Danish pharmaceutical company Novo Nordisk disclosed a data breach in which attackers accessed internal IT systems and copied non-public data. The compromised information includes clinical trial data related to patients and healthcare providers, affecting drugs such as Ozempic and Wegovy.
- Over 400 Arch Linux AUR packages compromised to deploy credential stealer and rootkit
Attackers hijacked more than 400 packages in the Arch User Repository (AUR), modifying their build scripts to install a Rust-based credential stealer.
- Ukrainian national pleads guilty to role in Conti ransomware attacks
A former member of the notorious Conti ransomware group has pleaded guilty to conspiracy charges in the United States, acknowledging his role in developing malware and participating in attacks that affected over 1,000 victims globally. This legal development highlights ongoing law enforcement efforts to hold ransomware actors accountable even after the group's dissolution, underscoring the persistent threat ransomware poses to organizations worldwide.
- Oracle PeopleSoft zero-day exploited by ShinyHunters in university-targeted extortion campaign
A critical zero-day vulnerability (CVE-2026-35273) in Oracle PeopleSoft Enterprise PeopleTools versions 8.61 and 8.62 has been actively exploited by the ShinyHunters cybercriminal group since at least May 27, 2026.
- ShinyHunters exploit Oracle PeopleSoft zero-day to breach over 100 organizations, mainly universities
A critical zero-day vulnerability (CVE-2026-35273) in Oracle PeopleSoft PeopleTools has been actively exploited by the ShinyHunters threat group since late May 2026. The flaw allows unauthenticated remote code execution, enabling attackers to compromise systems and steal data.
- Europol and FBI dismantle AudiA6 crypto laundering platform used by ransomware gangs
Coverage discusses speculative scenarios around ~€336M; treat as market chatter and see linked sources.
- AI reveals fundamental gaps in cybersecurity's reactive model amid evolving threats
Cybersecurity has traditionally operated as a reactive, crisis-driven discipline focused on incident response rather than prevention.
- ShinyHunters exploit Oracle PeopleSoft zero-day to breach universities and other organizations
Between late May and early June 2026, the ShinyHunters threat group exploited a critical remote code execution vulnerability (CVE-2026-35273) in Oracle PeopleSoft PeopleTools Environment Management component.
- Europol disrupts AudiA6 crypto laundering service used by ransomware gangs
Coverage discusses speculative scenarios around ~€336M; treat as market chatter and see linked sources.
- Multiple critical security updates issued for major open source software in June 2026
On June 11-12, 2026, coordinated security advisories were released addressing numerous critical vulnerabilities across widely used open source software including OpenSSH, Linux kernel, OpenShift Container Platform, OpenSSL, and others.
- Critical buffer overflow vulnerabilities found in lwIP affecting Ubuntu 20.04 LTS
Multiple severe vulnerabilities have been identified in the lightweight TCP/IP stack lwIP used in Ubuntu 20.04 LTS. These include buffer overflows in EAP authentication, ICMPv6/6LoWPAN packet handling, and SNMPv3 authentication parameter validation.
- Vietnam's APT32 shifts focus to domestic investors and infrastructure with SPECTRALVIPER backdoor
The Vietnam-aligned threat actor OceanLotus, also known as APT32, has redirected its cyber espionage efforts from foreign targets to domestic entities.
- CISA urges smarter patching amid diverse cyber threats including AI phishing and supply chain attacks
Recent cybersecurity developments highlight a surge in sophisticated threats such as a public supply chain attack kit, AI agents being phished to leak credentials, and polished malware-as-a-service operations.
- CISA directs federal agencies to prioritize security patches based on real-world risk
The Cybersecurity and Infrastructure Security Agency (CISA) has issued Binding Operational Directive 26-04, instructing federal agencies to prioritize security patching efforts based on real-world risk rather than relying solely on CVSS severity scores...
- Criminal AI tools accelerate cybercrime operations in underground market
The underground cybercrime market is increasingly integrating AI to streamline and scale operations rather than relying on fully autonomous hacking systems.
- Critical security updates issued for Red Hat, OpenSSL, Chromium, and other key software
On June 11, 2026, multiple coordinated security advisories were released addressing critical vulnerabilities in widely used software including Red Hat products, OpenSSL, Chromium, dnsmasq, and Splunk Enterprise.
- ShinyHunters gang exploits vulnerabilities to steal data from Oracle PeopleSoft servers
The ShinyHunters extortion gang has launched ongoing data theft attacks against Oracle PeopleSoft servers, impacting more than 100 organizations. They exploit a novel "gadget chain" that combines both legacy and zero-day vulnerabilities to compromise cloud and on-premises PeopleSoft deployments. This multi-vector approach enables the group to breach systems and exfiltrate sensitive business data, underscoring the need for organizations to prioritize patching and monitoring to mitigate these advanced threats.
- New Windows zero-day exploit 'RoguePlanet' targets Microsoft Defender for SYSTEM access
A new zero-day exploit named RoguePlanet has been released, targeting a race condition vulnerability in Microsoft Defender on updated Windows systems.
- Microsoft fixes 200 vulnerabilities including three zero-days in June 2026 Patch Tuesday
On June 9, 2026, Microsoft issued its monthly Patch Tuesday security update, fixing 200 vulnerabilities across its products. Notably, this update includes patches for three zero-day vulnerabilities that had been publicly disclosed, underscoring the urgency for organizations to apply these fixes promptly. By addressing a large volume of flaws, Microsoft enhances the overall security posture of its software and helps prevent exploitation by threat actors leveraging these vulnerabilities.
- June 2026 critical security updates address multiple high-severity vulnerabilities
In early June 2026, major vendors including Microsoft, Google, SUSE, Red Hat, Debian, and SAP released security patches addressing numerous critical vulnerabilities.
- Nginx regression causes denial of service, patch reverted pending fix
A recent update to nginx intended to fix CVE-2026-49975 introduced a regression causing crashes when used with external modules. This issue, affecting multiple Ubuntu LTS releases, can lead to denial of service by exhausting resources via malformed HTTP/2 cookie headers.
- Microsoft releases Windows 10 KB5094127 extended security update
Microsoft continues to support Windows 10 security with the KB5094127 update, which fixes recent critical vulnerabilities and improves Secure Boot monitoring. This update replaces expiring Secure Boot certificates to maintain system integrity against boot-level attacks, reflecting Microsoft's commitment to protecting Windows 10 users despite no longer adding new features to the OS.
- Google issues emergency patch for actively exploited Chrome zero-day CVE-2026-11645
Google has urgently patched a critical zero-day vulnerability in Chrome's V8 JavaScript engine, tracked as CVE-2026-11645, which is actively exploited in the wild. This out-of-bounds memory access flaw can lead to arbitrary code execution or browser crashes. The update fixes 74 vulnerabilities in total and addresses the fifth Chrome zero-day exploited this year, underscoring the heightened risk to users. Immediate patching is essential to prevent further exploitation and protect user security.
- Apache HTTP Server 2.4.68 released with security fixes
The Apache Software Foundation announced the release of Apache HTTP Server 2.4.68 on June 8, 2026. This update includes important security patches along with feature enhancements and bug fixes, representing the latest generation in the 2.4.x branch after fifteen years of development. The Canadian Centre for Cyber Security and AusCERT have both issued advisories encouraging users and administrators to upgrade from earlier versions to mitigate vulnerabilities.
- Critical Check Point VPN vulnerability exploited in ransomware-linked attacks
Check Point has released emergency hotfixes for a critical authentication bypass vulnerability (CVE-2026-50751) affecting VPN products using the outdated IKEv1 protocol. The flaw allows attackers to establish VPN sessions without valid credentials, enabling potential network access.
- CISA orders urgent patch for Check Point VPN zero-day exploited by Qilin ransomware
CISA has mandated U.S. federal agencies to patch a critical zero-day vulnerability in Check Point Remote Access and Mobile Access VPN products. The flaw allows attackers to bypass authentication and establish VPN connections without valid credentials.
- Multiple high-severity vulnerabilities patched in Google Chrome and Debian keystone
On June 9, 2026, security updates were released addressing numerous vulnerabilities in Google Chrome and the Debian keystone package.
- Google patches fifth Chrome zero-day exploited in 2026
In 2026, Google continues to face persistent threats targeting Chrome users, with the recent emergency patch addressing the fifth zero-day vulnerability exploited in the wild this year. The latest flaw, CVE-2026-11645, was reported in late April and quickly patched to prevent further exploitation. This pattern of frequent zero-day discoveries and active exploitation underscores the critical need for timely updates to protect user security and privacy.
- Broadcom issues critical VMware security advisory addressing multiple vulnerabilities
On June 8, 2026, Broadcom released security updates for several VMware products including VMware Cloud Foundation, VMware vSphere Foundation, VMware Aria Operations, and VMware Telco Cloud Platform.
- Multiple vulnerabilities found and patched in Pillow imaging library
Several security vulnerabilities affecting the Pillow Python Imaging Library were disclosed and patched in June 2026.
- Ubuntu issues security updates for multiple LTS versions addressing Netty vulnerabilities
In early June 2026, Ubuntu released security advisories covering several vulnerabilities in the Netty framework affecting multiple Ubuntu Long Term Support (LTS) releases from 14.04 through 26.04, as well as 25.10.
- VS Code introduces two-hour delay on extension updates to mitigate supply chain risks
Microsoft has implemented a two-hour delay for automatic updates of Visual Studio Code extensions starting with version 1.123. This measure aims to reduce the risk of supply chain attacks by allowing a buffer period after an extension is published before it is auto-updated.
- Cisco Catalyst SD-WAN Manager vulnerability actively exploited with no patch available
A high-severity security flaw (CVE-2026-20245) in Cisco Catalyst SD-WAN Manager is currently being actively exploited.
- Cisco issues high-severity patch for SD-WAN Manager privilege escalation vulnerability
On June 4, 2026, Cisco released a security advisory addressing an authenticated privilege escalation vulnerability (CVE-2026-20245) in Cisco Catalyst SD-WAN Manager.
- Unpatched Windows search URI handler vulnerability exposes NTLMv2 hashes
A recently identified security flaw in the Windows search URI handler has been disclosed by cybersecurity researchers. This vulnerability enables attackers to steal NTLMv2 hashes, which are used for user authentication. The issue bears resemblance to the earlier CVE-2026-33829 vulnerability that impacted the Windows Snipping Tool's ms-screensketch URI handler and was patched. The new flaw remains unpatched, raising concerns about potential exploitation and the need for prompt mitigation measures.
- New HTTP/2 Bomb attack rapidly disables major web servers
A newly discovered HTTP/2 Bomb attack exploits default configurations in widely used web servers such as NGINX, Apache HTTP Server, Microsoft IIS, Envoy, and Cloudflare Pingora.
- SideCopy group targets Afghanistan's Ministry of Finance with Xeno RAT in spear-phishing campaign
The Pakistan-linked SideCopy threat group has launched a spear-phishing campaign targeting Afghanistan's Ministry of Finance. The attack begins with a ZIP archive containing a malicious LNK file named in Pashto to exploit language familiarity within the Afghan government.
- Google issues June 2026 Android update fixing exploited zero-day and 123 other vulnerabilities
In June 2026, Google issued a critical Android security update that fixes a total of 124 vulnerabilities. Among these is a zero-day vulnerability, CVE-2025-48595, which has been actively exploited in targeted attacks, posing an immediate threat to users. The update consolidates fixes to protect millions of devices worldwide and highlights the importance of timely patching to prevent further exploitation.
- Over 30 Red Hat npm packages compromised in supply chain attack stealing developer credentials
A supply chain attack compromised more than 30 npm packages under Red Hat's '@redhat-cloud-services' namespace, distributing a new variant of the Shai-Hulud malware called Miasma. This malware steals developer credentials, authentication tokens, and other secrets from developer environments.
- Attackers exploit ChatGPT shared content feature to spread malware
A phishing campaign named "LLMShare" has been uncovered by Push Security, where attackers use Google ads to redirect users searching for ChatGPT to malicious shared pages hosted on the legitimate chatgpt.com domain.
- Charter Communications data breach exposes nearly 5 million accounts
The ShinyHunters extortion gang compromised Charter Communications in early April, resulting in the theft of personal data from nearly 5 million accounts. This breach led to the leak of over 42 million records, underscoring the scale and impact of the incident on the telecom provider's customer base. The event has been confirmed by multiple sources, including data breach notification services and cybersecurity news outlets.
- Critical Apache HTTP Server vulnerabilities patched with follow-up regression fix
On May 28-29, 2026, multiple severe security vulnerabilities in Apache HTTP Server were addressed in Ubuntu security updates. The initial patch (USN-8338-1) fixed numerous high-severity CVEs, including remote code execution and denial-of-service flaws with CVSS scores up to 9.8.
- Zapier exploit chain and npm typosquatting reveal critical supply chain risks
Security researchers disclosed a five-stage exploit chain in Zapier that could have allowed attackers to take over millions of accounts by chaining known anti-patterns. Separately, Microsoft reported a supply chain attack using typosquatted npm packages to steal cloud and CI/CD secrets.
- Critical remote code execution vulnerability in Gogs remains unpatched, raising concerns for open-source self-hosted Git services
A critical argument injection vulnerability in Gogs, a popular open-source self-hosted Git service, allows any authenticated user to execute arbitrary code on the server.
- Multiple critical vulnerabilities patched in Ubuntu PHP and QtSvg components
Ubuntu has released security updates addressing several vulnerabilities in PHP and QtSvg components affecting multiple LTS versions.
- Multiple vulnerabilities discovered and patched in pip package installer
Security updates released for the pip package installer address critical vulnerabilities that could expose users to man-in-the-middle attacks and denial-of-service conditions. The issues stem from improper TLS certificate verification and resource exhaustion flaws in the bundled urllib3 library. Ubuntu has issued patches for multiple LTS versions, emphasizing the importance of timely updates to maintain secure Python package management environments.
- Microsoft condemns public zero-day disclosures amid escalating feud with researcher
Microsoft has strongly criticized the public disclosure of multiple unpatched Windows zero-day vulnerabilities by a security researcher known as Nightmare Eclipse (aka Chaotic Eclipse).
- Critical FortiClient EMS vulnerability exploited to deliver credential stealer malware
A critical authentication bypass vulnerability (CVE-2026-35616) in FortiClient Enterprise Management Server (EMS) is actively exploited by threat actors to deploy an undocumented credential stealer named EKZ.
- Carnival confirms data breach affecting nearly 6 million customers after ShinyHunters attack
Carnival Corporation, the world's largest cruise operator, confirmed a data breach in April 2026 that exposed personal information of nearly 6 million customers.
- Critical vulnerabilities in Starlette framework expose millions of servers to authentication bypass and data leaks
Multiple high-severity vulnerabilities have been discovered in the Starlette web framework, including the notable CVE-2026-48710 'BadHost' flaw that allows attackers to bypass authentication and access sensitive data by exploiting malformed Host headers.
- Ubuntu patches multiple vulnerabilities in QtSvg and GStreamer Good Plugins
Ubuntu has released security updates addressing several vulnerabilities in QtSvg and GStreamer Good Plugins affecting Ubuntu 16.04 LTS, 20.04 LTS, and other releases. The QtSvg issues include denial of service and potential arbitrary code execution triggered by specially crafted SVG images.
- Multiple security advisories issued for major software and control system products in late May 2026
Between May 26 and 28, 2026, several prominent vendors including GitLab, GitHub, Google Chrome, Veeam, Drupal, Notepad++, Zimbra, and Phoenix Contact released security advisories addressing vulnerabilities in their products.
- CrowdStrike and Google disrupt Glassworm botnet targeting open-source developers
CrowdStrike, in collaboration with Google and the Shadowserver Foundation, has successfully taken down the Glassworm botnet, a self-propagating malware campaign that targeted developers by poisoning open-source software repositories since early 2025.
- New macOS malware campaigns target cryptocurrency firms and users via fake recruiters and download sites
A newly identified threat actor, JINX-0164, has launched targeted attacks against cryptocurrency organizations using sophisticated social engineering and custom macOS malware delivered through fake recruiter lures.
- FBI warns law firms of in-person data theft by tech support impersonators
Coverage discusses speculative scenarios; treat as market chatter and see linked sources.
- Critical vulnerability found in Apache Commons BeanUtils with CVSS 8.8
A high-severity vulnerability (CVE-2025-48734) affecting Apache Commons BeanUtils has been disclosed, allowing attackers to execute arbitrary code by exploiting access to the declaredClass property of Java enum objects via crafted input. This issue impacts multiple Ubuntu LTS releases and has prompted security patches.
- Foomuuri firewall vulnerabilities fixed in Ubuntu security update
Ubuntu has released security patches addressing two vulnerabilities in the Foomuuri firewall's D-Bus service. The issues, discovered by Matthias Gerstner, involve improper authorization enforcement and interface name validation, potentially allowing local attackers to manipulate firewall configurations.
- CISA warns of exploited zero-day in LiteSpeed cPanel plugin, urges immediate patching
CISA has identified a critical zero-day vulnerability in the LiteSpeed cPanel plugin that has been exploited in the wild to gain root-level script execution. Recognizing the severity and active exploitation of this flaw, CISA has added it to its exploited vulnerabilities catalog and is urging all affected users to promptly apply the available patch. This vulnerability particularly endangers shared hosting platforms, where compromised privileges can lead to widespread impact.
- AI chatbot interactions exploited to spread cryptojacking and RAT malware
Cybercriminals are leveraging AI chatbot recommendations and poisoned search results to direct users to malicious download sites distributing cryptojacking malware and remote access Trojans.
- CrowdStrike and partners dismantle Glassworm botnet targeting open-source developers
Coverage discusses speculative scenarios for 2025; treat as market chatter and see linked sources.
- Critical security updates issued for Linux kernel, Samba, Hitachi products, and Microsoft SharePoint
Between May 26 and 27, 2026, multiple coordinated security advisories were released addressing critical vulnerabilities in widely used software including the Linux kernel, Samba, Microsoft SharePoint Server, and various Hitachi products.
- Apple open-sources quantum-resistant encryption code and verification tools
Apple has publicly released its implementations of quantum-resistant cryptographic algorithms ML-KEM and ML-DSA, along with formal verification libraries and tools. These resources enable independent expert review and broader industry adoption.
- Apple releases open source quantum-resistant encryption and verification tools
Apple has published its post-quantum cryptography implementations within its corecrypto library, including quantum-secure algorithms ML-KEM and ML-DSA.
- Fake AI tool sites and malicious packages target Claude and ChatGPT users
A wave of cyberattacks is exploiting the popularity of AI tools like Anthropic's Claude and ChatGPT. Attackers use SEO poisoning to promote fake AI tool websites that steal developer data by redirecting users to typosquatted domains.
- Stored XSS flaw in pretalx conference software allowed guaranteed talk acceptance
A stored cross-site scripting (XSS) vulnerability (CVE-2026-41241) in pretalx, a widely used open source conference call-for-papers (CFP) management tool, enabled attackers to hijack organizer sessions and manipulate talk submissions.
- AI accelerates vulnerability remediation as CERT-In mandates 12-hour patching for exploited bugs
As AI-driven cyberattacks compress the timeline from vulnerability discovery to exploitation, security vendors and agencies are responding with accelerated detection and remediation solutions.
- AI-powered platforms accelerate vulnerability remediation from exploit to fix
Recent cybersecurity innovations focus on closing the gap between vulnerability discovery and remediation by leveraging AI to automate and speed up patching processes.
- Dutch police arrest suspect in Ajax football club cyber breach
In a significant law enforcement action, Dutch police detained a 35-year-old man suspected of conducting a cyber breach against the professional football club Ajax Amsterdam. The arrest occurred in the town of Buren, where officers also executed a search warrant, confiscating several digital storage devices to aid in the ongoing investigation. This move highlights the increasing focus on cybercrime targeting high-profile sports organizations.
- Iranian intelligence linked to Los Angeles transit system hack
Researchers have attributed the March cyberattack on the Los Angeles County Metropolitan Transportation Authority (LACMTA) to Iranian-backed operators.
- Cryptojacking campaign uses AI chatbot and poisoned search results to spread malware
Microsoft Defender Experts have uncovered an active cryptojacking campaign that leverages AI chatbot interactions alongside traditional search engine poisoning to direct users to malicious download sites.
- CISA highlights critical vulnerabilities in LiteSpeed cPanel plugin and Drupal
CISA has added a Drupal SQL injection vulnerability (CVE-2026-9082) to its Known Exploited Vulnerabilities list following active attacks.
- Microsoft Defender introduces automatic isolation for compromised endpoints
Microsoft is previewing a new feature in Defender for Endpoint that automatically isolates compromised devices to prevent attackers from moving laterally within networks.
- Microsoft previews automatic device isolation in Defender for Endpoint
Microsoft has introduced a preview of an automatic device isolation feature in Defender for Endpoint. This capability automatically disconnects compromised devices from the network to contain cyberattacks while maintaining connection to Defender for Endpoint for ongoing monitoring.
- Critical vulnerabilities disclosed in industrial control systems and robotics software
On May 26, 2026, security advisories were issued for multiple industrial control system products and robotics software.
- Zero-day vulnerability in KnowledgeDeliver LMS exploited to deploy Cobalt Strike and Godzilla web shell
A critical zero-day vulnerability (CVE-2026-5426) in the Japanese Learning Management System KnowledgeDeliver was actively exploited before a patch was released.
- Over 700 education and tech websites hijacked via Ghost CMS vulnerability in ClickFix malware campaign
A critical SQL injection vulnerability (CVE-2026-26980) in Ghost CMS versions 3.24.0 to 6.19.0 has been exploited to compromise more than 700 legitimate websites, including those of universities and tech companies.
- Chinese-language phishing services expand targeting mostly non-Chinese organizations
Chinese-language phishing-as-a-service (PhaaS) platforms are growing rapidly, establishing themselves as significant players in the phishing ecosystem traditionally dominated by Russian-speaking groups.
- Anthropic advances enterprise security with Claude Mythos and new integrations
Anthropic has made significant strides in enterprise security by expanding Claude's governance capabilities with 28 new integrations involving major cybersecurity firms such as CrowdStrike, Palo Alto Networks, and Microsoft.
- Microsoft patches high-severity SharePoint remote code execution vulnerability CVE-2026-45659
Microsoft has issued patches for a high-severity remote code execution vulnerability in multiple SharePoint Server versions. The flaw, CVE-2026-45659, involves deserialization of untrusted data and can be exploited by authenticated attackers without user interaction. Given the low complexity of attacks, organizations using affected SharePoint editions should apply updates immediately to mitigate risks of remote code execution and potential server compromise.