Incidents, vulnerabilities, abuse and certificates.
Hackers exploited a vulnerability in UpdraftPlus to access Awesome Motive’s CDN credentials, injecting malicious JavaScript into OptinMonster, TrustPulse, and PushEngage plugins. The attack created rogue admin accounts and installed persistent backdoors, requiring immediate remediation by site owners.
A critical vulnerability in SimpleHelp remote management software (CVE-2026-48558) allows unauthenticated attackers to create privileged technician accounts on servers with OIDC authentication enabled. The flaw affects versions 5.5.15 and older, with patches released June 9. Roughly 1,000 exposed servers may be vulnerable.
AMD has silently removed Transparent Secure Memory Encryption (TSME) from its consumer-grade Ryzen CPUs, a feature previously available on these chips. The change, which affects security against physical memory attacks, was not publicly announced and went unnoticed on Windows systems.
Cisco has released security updates for a zero-day vulnerability in Catalyst SD-WAN Manager (formerly vManage) that was actively exploited to gain root access. The flaw, tracked as CVE-2026-20262, affects all deployment types and stems from insufficient input validation during file uploads.
Microsoft failed to renew a TLS certificate for connectivity.office.com, causing untrusted connection warnings for IT administrators testing Microsoft 365 network access. The issue persisted for over a day without resolution.
Google Threat Intelligence Group has attributed a stealthy, multi-year intrusion campaign against North American academic, medical, and military research institutions to a China-nexus actor called UNC6508, which deployed custom malware and abused cloud email compliance rules to exfiltrate data undetected for more than a year.
ShinyHunters stole data from Infinite Campus's Salesforce instance in March, leaking a 1.2 GB archive containing personal details for 137,100 school staff accounts. The K-12 platform serves over 3,200 districts and 11 million students.
MariaDB has issued fixes for CVE-2026-49261, a CVSS 10.0 remote code execution vulnerability in the wsrep_notify_cmd feature used by Galera Cluster. Two additional CVSS 8.0 parameter-injection flaws were patched in the same May 27 release. Standalone MariaDB deployments are unaffected.
Microsoft's June 2026 Patch Tuesday is the largest in the cycle's history, covering close to 200 vulnerabilities in Windows and related software, with Rapid7 noting an additional 360 browser flaws that fall outside the official count.
Operation Riptide has dismantled Outsider Enterprise, a China-based phishing-as-a-service platform that used AI and distributed phishing kits to run SMS fraud campaigns impersonating major brands, resulting in 3.8 million stolen card records and an estimated $1.9 billion in losses.
Google Cloud customers across India continue to experience intermittent latency and packet loss after a fire at a third-party Delhi data center forced an emergency shutdown of networking equipment on June 9, isolating a local Point of Presence and degrading regional capacity.
Cumulative updates released June 2026 finally close a known issue that broke WUSA-based patch deployment from network shares on Windows 11 24H2/25H2 and Windows Server 2025.
Sygnia's 'Operation Highland' investigation reveals how Velvet Ant chained Nginx proxy modifications and a FastCGI execution bridge to reach an isolated network, then replaced PAM and OpenSSH binaries to harvest credentials and observe every administrative session.
Aikido Security discovered a trivially exploitable authentication bypass in phpBB on June 2; a patch landed in version 3.3.17 four days later, though no fix yet exists for the 4.x alpha branch.
Mandiant and Google Threat Intelligence Group have attributed an active compromise campaign to ShinyHunters (UNC6240), exploiting CVE-2026-35273 in Oracle PeopleSoft before Oracle issued its advisory on June 10, 2026. Over 100 organizations were exposed, 68% of them academic institutions.
More than 400 Arch Linux AUR packages have been modified to pull down a malicious npm package called atomic-lockfile, which installs a Linux binary capable of stealing credentials and hiding itself using eBPF kernel-level capabilities.
Security researcher Sasha Romijn disclosed that RIPE NCC's SSO session cookie was scoped to *.ripe.net, exposing it to more than 1,000 third-party-controlled hosts. Combined with permissive CAA records, any rogue operator on that domain could have stolen tokens giving full read-write access to routing infrastructure for Europe, the Middle East, and Central Asia.