Sysco Faces Second Extortion as ShinyHunters Claims 61M Records
Food distribution giant Sysco hit with new extortion demand from ShinyHunters gang claiming 61 million Salesforce records, weeks after Qilin ransomware threat.
Breaking cybersecurity news covering data breaches, vulnerability disclosures, threat actor campaigns, and security incidents worldwide.
Ukrainian national Oleksii Lytvynenko admits to developing loader malware for the Conti ransomware gang after extradition from Ireland. Sentencing set for September 2026.
North Korean hackers impersonate Microsoft Account security notifications to deliver NarwhalRAT, a Python-based RAT with keylogging, screen capture, and cloud-based C2.
China-linked FishMonger APT expands its Linux-only SprySOCKS backdoor to Windows with WIN_DRV and WIN_PLUS variants featuring kernel drivers and Print Spooler abuse.
Google TAG exposes UNC6508 campaign that compromised US and Canadian medical, academic, and military research labs since September 2023 using custom INFINITERED malware.
Japan's Kyushu Electric Power reports an unencrypted SSD containing 10.9 million customer records vanished from a locked server room, becoming Japan's largest data breach.
A cyberattack disrupted services at four major Iranian banks on June 14, with hacktivist group Black Wolves claiming responsibility for targeting shared infrastructure.
Socket researchers expose a coordinated network of 152 Chrome 'live wallpaper' extensions stealing user data and generating fake Google organic search traffic.
ShinyHunters threatens to leak 26 million customer records from MSG Sports, owner of the Knicks and Rangers, as today's June 15 deadline passes.
Operation Ghost Hook takedown seizes 9,000 fake websites and $100K in crypto from Chinese phishing-as-a-service ring that weaponized Gemini AI to steal 3.8 million credit cards.
Pharmaceutical giant Novo Nordisk confirmed attackers copied clinical trial patient data and healthcare professional information from internal systems. The company says affected data was pseudonymized and cannot identify patients by name.
Handala threat group claims to have compromised California Water Service, publishing 5GB of customer data. Security experts assess the group reached billing systems and GPS servers but likely cannot disrupt water operations.
Cybercriminals are using TikTok and Instagram Reels videos to distribute Vidar malware through fake software tutorials. One campaign accumulated over 100,000 views promoting 'free Spotify Premium' hacks.
CVE-2026-20253 scores CVSS 9.8 and allows network attackers to execute arbitrary code on Splunk Enterprise servers without authentication. No workaround exists—patching is mandatory.
Researchers at Tenet Security discovered Agentjacking, an attack that tricks AI coding assistants like Claude Code and Cursor into executing arbitrary code through malicious Sentry error events.
Chinese APT Velvet Ant compromised PAM and OpenSSH on a critical infrastructure network, remaining undetected from 2016 to 2026. Here's how they did it.
Qilin's affiliate network hit healthcare, manufacturing, and critical infrastructure across nine countries in early June. The gang maintains 12-month dominance.
WatchTowr Labs published technical details and exploit code for CVE-2026-50751, the auth bypass flaw already used by Qilin ransomware. TCP 443 bypass works too.
Check Point researchers chained SQL injection and unsafe deserialization flaws to achieve RCE on AI workflow platforms. Patch langgraph to 1.0.10+ immediately.
Attackers compromised France's secure messaging platform via social engineering, allegedly stealing 650,000 messages and 13.5GB of data from civil servants.
CISA orders federal agencies to patch CVSS 10.0 Ivanti Sentry flaw within 3 days—the first application of BOD 26-04. Exploitation is automated and widespread.
Attackers adopted orphaned AUR packages to push credential-stealing malware with kernel-level rootkit capabilities. Here's what Arch users need to do now.
GitHub announces breaking changes for npm 12 releasing next month. Install scripts, Git dependencies, and remote URLs now require explicit approval to combat malicious packages.
11-nation operation shuts down €336M cryptocurrency laundering service. Two operators arrested in Georgia, 25 domains seized, and over 6,000 money mule accounts exposed.
BlackFog researchers detail OnyxC2 MaaS stealer pricing at $250/month. Targets browsers, crypto wallets, password managers with DLL sideloading delivery that bypasses VirusTotal detection.
ReliaQuest uncovers OP-512 threat cluster targeting Windows IIS servers with three-part web shell framework. Each deployment is unique, self-reporting, and timestamps itself to evade forensics.
Microsoft releases CVE-2026-42897 fix for Exchange Server OWA XSS vulnerability exploited since May. ESU-only updates for 2016/2019 leave many systems exposed.
CVE-2026-7473 lets attackers bypass tunnel security controls on Arista network devices. CISA added it to KEV—but Arista says patching would 'break existing configurations.'
Attackers exploited an unauthenticated API endpoint to query ServiceNow customer instances. The company received a bug report in April but didn't patch until June 5—after exploitation began.
CVE-2026-5027 allows unauthenticated attackers to write arbitrary files on Langflow servers. Patch to version 1.10.0 immediately—attackers are already exploiting exposed instances.
Oracle issues emergency patch for CVE-2026-35273 (CVSS 9.8) as ShinyHunters claims to have stolen data from 300 PeopleSoft instances. Nottingham University among confirmed victims.
Security researcher Nightmare Eclipse releases fourth Microsoft Defender zero-day in months, granting SYSTEM privileges on patched Windows 10 and 11 systems. Here's what defenders need to know.
Attackers exploited CVE-2026-26980 SQL injection in Ghost CMS to compromise 700+ websites including Harvard and Oxford, deploying ClickFix social engineering malware through fake CAPTCHA prompts.
SAP's June 2026 Security Patch Day addresses 15 vulnerabilities including CVE-2026-44748 (CVSS 9.9) enabling SAML authentication bypass and CVE-2026-27671 (CVSS 9.8) memory corruption RCE.
CVE-2026-44963 in Veeam Backup & Replication enables any authenticated domain user to achieve remote code execution on backup servers. CVSS 9.4 critical severity.
Google patches CVE-2026-11645, the fifth actively exploited Chrome zero-day of 2026. The V8 out-of-bounds memory flaw enables sandbox code execution via malicious web pages.
Microsoft's record-breaking June 2026 Patch Tuesday fixes 206 vulnerabilities including CVE-2026-45657, a CVSS 9.8 wormable kernel flaw allowing remote code execution without authentication.
Mandiant tracks UNC3753 hitting dozens of law firms via vishing and physical intrusions. Data theft to extortion in under one hour. FBI issues flash alert.
CVE-2026-23111 exploit code now public. A single misplaced character in nf_tables lets unprivileged users gain root and escape containers. Patch immediately.
CVE-2026-50751 lets attackers bypass VPN authentication without passwords. CISA gives feds 3 days to patch after Qilin ransomware affiliate exploitation confirmed.
CVE-2026-42271 in LiteLLM chains with Starlette bypass for unauthenticated remote code execution. CISA adds to KEV catalog after active exploitation confirmed.
Meta catches NSO Group targeting WhatsApp users in Jordan and Lebanon despite permanent injunction. Files contempt order after detecting one-click phishing attempts.
Self-replicating Miasma malware compromises 73 Microsoft repositories across Azure, Microsoft, and MicrosoftDocs orgs. GitHub disables access as durabletask package gets reinfected.
GoDaddy researchers uncover campaign infecting 2,000 WordPress sites with malware that extracts commands from invisible Unicode characters in Steam Community comments.
Sophos discovers ransomware framework using Claude Opus 4.5 to automate EDR evasion and Active Directory discovery. Toolkit tested 80+ modules against Sophos, CrowdStrike, and Defender.
Anthropic patches critical Claude Code GitHub Action vulnerability that let attackers steal tokens and hijack repositories through a single malicious issue. CVSS 7.8 flaw exploited bot actor trust.
Unit 42 uncovers FlutterShell backdoor campaign targeting macOS users through Google-verified shell companies. Malware evades detection via WebView architecture and Apple notarization.
Fortinet exposes C0xmo, a modular Gafgyt variant exploiting CVE-2021-27137 in DD-WRT routers to recruit IoT devices for DDoS attacks while killing rival malware.
ProbablyPwned delivers breaking hacking news and cybersecurity coverage for security professionals. Our team monitors global threat landscapes to bring you timely reporting on data breaches, vulnerability disclosures, and threat actor campaigns.
We cover the full spectrum of cyber threats including ransomware attacks, nation-state hacking operations, critical infrastructure incidents, and enterprise security breaches. Each story includes technical analysis, impact assessment, and actionable guidance.