Weekly Recap — 2026-06-08 -> 2026-06-15
Perimeter Auth Collapse and AI-Driven Deception Shift the Battlefield
The security perimeter cracked open this week as critical authentication bypasses in Check Point VPNs, Ivanti Sentry, and Palo Alto GlobalProtect gave attackers a free pass into corporate networks, with Qilin ransomware already exploiting one to launch real attacks. At the same time, AI became the year's most versatile weapon: criminals used ChatGPT and Claude brands as phishing lures, researchers proved AI email assistants will hand over corporate secrets to impersonators, and the Shai-Hulud campaign began injecting fake prompts to blind AI-powered security scanners. Patch edge VPN appliances immediately, treat AI agents as high-risk insiders, and hunt for device-code authentication events that bypass normal credential checks.
By the Numbers
- Total articles: 44
- By severity: Critical: 15, High: 27, Medium: 2
- By category: APT: 3, general security news: 5, malware: 4, phishing/social engineering: 7, threat actor: 3, vulnerability: 22
Top Threats
Perimeter Authentication Collapse
Edge security appliances designed to protect networks are instead opening doors, as critical pre-authentication bypasses in Check Point VPN (CVE-2026-50751), Ivanti Sentry (CVE-2026-10520, CVE-2026-10523), and Palo Alto GlobalProtect (CVE-2026-0257) let unauthenticated attackers walk straight into corporate environments. Qilin ransomware is already exploiting the Check Point flaw in the wild, turning a perimeter defense into a ransomware entry point.
- https://www.cisa.gov/news-events/alerts/2026/06/08/cisa-adds-two-known-exploited-vulnerabilities-catalog
- https://cyber.gc.ca/en/daily-digest/2026-06-09
- https://labs.watchtowr.com/marking-your-own-homework-check-point-remote-access-vpn-ikev1-authentication-bypass-cve-2026-50751/
- https://labs.watchtowr.com/more-evidence-that-words-dont-mean-what-we-thought-they-meant-ivanti-sentry-pre-auth-os-command-injection-cve-2026-10520/
- https://cert.europa.eu/publications/security-advisories/2026-008/
- https://arcticwolf.com/resources/blog/arctic-wolf-observes-increase-in-palo-alto-networks-globalprotect-authentication-bypass-exploitation-via-cve-2026-0257/
AI as Attack Surface, Lure, and Shield
Artificial intelligence is simultaneously the bait, the target, and the blind spot. Attackers weaponize popular AI brands like ChatGPT and Claude as phishing lures, while AI email assistants like OpenClaw are easily social-engineered into leaking corporate secrets — and the Shai-Hulud campaign now injects deceptive prompts into malicious packages to evade AI-powered security scanners entirely.
- https://www.microsoft.com/en-us/security/blog/2026/06/08/ai-brands-as-bait-how-threat-actors-are-using-the-ai-hype-in-social-engineering/
- https://www.varonis.com/blog/openclaw-phishing
- https://unit42.paloaltonetworks.com/ai-agent-supply-chain-risks/
- https://research.checkpoint.com/2026/from-sqli-to-rce-exploiting-langgraphs-checkpointer/
- https://www.zscaler.com/blogs/security-research/shai-hulud-campaign-evolution-miasma-hades-and-ai-scanner-evasion
Developer Supply Chain Under Siege
Software supply chain attacks have evolved from stealing credentials to hijacking the entire build process. The Shai-Hulud campaign scrapes OIDC tokens from GitHub Actions runner memory to forge SLSA provenance, while OceanLotus compromised the FireAnt MetaKit update server to deliver the SPECTRALVIPER backdoor — proving that automated build and update systems can no longer be implicitly trusted.
- https://socket.dev/blog/mini-shai-hulud-miasma-and-hades-worms-target-bioinformatics-and-mcp-developers-via-malicious
- https://www.zscaler.com/blogs/security-research/shai-hulud-campaign-evolution-miasma-hades-and-ai-scanner-evasion
- https://www.welivesecurity.com/en/eset-research/oceanlotus-external-espionage-domestic-targeting/
- https://www.crowdstrike.com/en-us/blog/crowdstrike-2026-technology-threat-landscape-report/
ClickFix and Device Code Phishing
By convincing users to infect themselves, attackers bypass every technical defense. The ClickFix technique — where fake error pages instruct victims to paste malicious PowerShell commands into their own terminal — delivered both the HarborWatch RAT and the MLTBackdoor this week, while a parallel campaign abuses Microsoft's device-code OAuth flow to authorize attacker devices without ever stealing a password.
- https://cofense.com/blog/from-fake-amazon-security-alert-to-harborwatch-agent-clickfix-delivery-of-a-custom-monitoring-rat
- https://www.zscaler.com/blogs/security-research/technical-analysis-mltbackdoor
- https://www.reversinglabs.com/blog/device-code-phishing-campaign
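A starting point for the device-code hunt recommended above, as an added example that is not part of the recap or any of the linked reports: it reads sign-in records shaped like the Microsoft Graph signIn resource (the authenticationProtocol value "deviceCode" marks the device-code flow) and flags successful device-code sign-ins from unknown IPs and IPs shared by several users. The sample records are constructed, and treating an export as JSON lines with exactly these keys is an assumption.

```python
import json
from collections import defaultdict

# Constructed sample sign-in records (not real data). Field names follow the Graph signIn
# resource; that an export is JSON lines with exactly these keys is an assumption.
SAMPLE_SIGNINS = """
{"userPrincipalName": "alice@example.com", "authenticationProtocol": "oAuth2", "ipAddress": "203.0.113.10", "appDisplayName": "Microsoft Office", "createdDateTime": "2026-06-10T08:02:11Z", "status": {"errorCode": 0}}
{"userPrincipalName": "alice@example.com", "authenticationProtocol": "deviceCode", "ipAddress": "198.51.100.77", "appDisplayName": "Microsoft Azure CLI", "createdDateTime": "2026-06-10T09:15:40Z", "status": {"errorCode": 0}}
{"userPrincipalName": "bob@example.com", "authenticationProtocol": "deviceCode", "ipAddress": "203.0.113.22", "appDisplayName": "Microsoft Azure CLI", "createdDateTime": "2026-06-10T09:20:03Z", "status": {"errorCode": 0}}
{"userPrincipalName": "carol@example.com", "authenticationProtocol": "deviceCode", "ipAddress": "198.51.100.77", "appDisplayName": "Microsoft Authentication Broker", "createdDateTime": "2026-06-10T09:21:55Z", "status": {"errorCode": 0}}
{"userPrincipalName": "dave@example.com", "authenticationProtocol": "deviceCode", "ipAddress": "198.51.100.77", "appDisplayName": "Microsoft Azure CLI", "createdDateTime": "2026-06-10T09:25:12Z", "status": {"errorCode": 50126}}
"""

def parse_signins(text):
    """Parse JSON-lines sign-in records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def device_code_signins(records, known_ips):
    """Return successful device-code sign-ins; mark those from IPs outside the known set."""
    hits = []
    for r in records:
        if r.get("authenticationProtocol") != "deviceCode":
            continue
        if r.get("status", {}).get("errorCode", 0) != 0:
            continue  # failed attempts are dropped here; count them separately if useful
        hits.append({
            "user": r["userPrincipalName"],
            "ip": r["ipAddress"],
            "app": r.get("appDisplayName"),
            "time": r["createdDateTime"],
            "unknown_ip": r["ipAddress"] not in known_ips,
        })
    return hits

def ips_with_multiple_users(hits):
    """Several users completing device-code sign-ins from one IP points at one shared device."""
    users_by_ip = defaultdict(set)
    for h in hits:
        users_by_ip[h["ip"]].add(h["user"])
    return {ip: sorted(users) for ip, users in users_by_ip.items() if len(users) > 1}

if __name__ == "__main__":
    # Known corporate egress IPs are an assumption for the sample.
    found = device_code_signins(parse_signins(SAMPLE_SIGNINS), {"203.0.113.10", "203.0.113.22"})
    for h in found:
        print(("UNKNOWN-IP " if h["unknown_ip"] else "known-ip   ") + f'{h["time"]} {h["user"]} {h["ip"]} {h["app"]}')
    print("shared device-code IPs:", ips_with_multiple_users(found))
```

Device-code sign-ins are legitimate for CLI tools and headless devices, so the useful signal is the combination with an unfamiliar IP, an unusual app, or one IP serving many users rather than the protocol alone.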
Critical Infrastructure Exposed and Unpatched
Operational technology and IoT devices remain riddled with hardcoded credentials, default passwords, and unfixable flaws. From Schneider Electric panels that revert to factory credentials, to Naxclow smart home devices with no available patch, to Yarbo robots controllable with a single extracted password — many of these devices cannot be secured by traditional means and must be network-isolated immediately.
- https://www.cisa.gov/news-events/ics-advisories/icsa-26-160-03
- https://www.cisa.gov/news-events/ics-advisories/icsa-26-160-02
- https://www.cisa.gov/news-events/ics-advisories/icsa-26-162-03
- https://www.cisa.gov/news-events/ics-advisories/icsa-26-162-02
- https://www.cisa.gov/news-events/ics-advisories/icsa-26-162-01
Trending CVEs
- CVE-2026-50751 (3 mentions) — Critical Check Point Remote Access VPN IKEv1 authentication bypass (CVSS 9.3), actively exploited by Qilin ransomware affiliates since May 2026. Sources: 1, 2, 3
- CVE-2026-35273 (3 mentions) — Oracle PeopleSoft Enterprise PeopleTools missing authentication for critical function, exploited as a zero-day by ShinyHunters targeting universities. Sources: 1, 2, 3
- CVE-2026-11645 (3 mentions) — Google Chromium V8 engine vulnerability with confirmed active exploitation in the wild, tracked across multiple national cyber security advisories. Sources: 1, 2, 3
- CVE-2026-10520 (2 mentions) — Critical CVSS 10.0 pre-authentication OS command injection in Ivanti Sentry, enabling root-level remote code execution via a single HTTP endpoint. Sources: 1, 2
- CVE-2026-10523 (2 mentions) — CVSS 9.9 authentication bypass in Ivanti Sentry allowing unauthenticated attackers to create arbitrary administrative accounts. Sources: 1, 2
Sector Trends
- Higher Education — ShinyHunters (UNC6240) exploited a zero-day in Oracle PeopleSoft to breach universities, stealing billing and student records for extortion using customized MeshCentral agents disguised as Microsoft Azure services. Sources: 1, 2, 3
- Technology — China-nexus adversaries account for over 58% of state-sponsored intrusions in the tech sector, focusing on AI capabilities and IP theft, while DPRK actors use fraudulent employment to infiltrate companies from the inside. Sources: 1
- Maritime — Russian and Iranian shadow fleets operate over 36 fake websites impersonating maritime authorities to issue fraudulent certificates and evade international sanctions, with clusters linked to Indian web developers and Syrian nationals in Türkiye. Sources: 1
- Sports and Entertainment — The 2026 FIFA World Cup is attracting AiTM phishing kits, QR-code attacks targeting organizers, and state-sponsored espionage from actors like BlueDelta aiming at high-value attendees and officials. Sources: 1, 2
Notable Incidents
- Qilin Ransomware Exploits Check Point VPN Auth Bypass — First confirmed ransomware exploitation of the Check Point VPN authentication bypass, turning a perimeter defense into a direct ransomware entry point.
- ShinyHunters Mass Exploitation of Oracle PeopleSoft Zero-Day — Active zero-day exploitation of enterprise HR software in higher education, with data theft and extortion following rapid automated lateral movement.
- Shai-Hulud Steals GitHub Actions OIDC Tokens to Forge SLSA Provenance — First observed supply chain attack that compromises SLSA provenance by scraping OIDC tokens from CI/CD runner memory, undermining a key software integrity framework.
- OceanLotus Compromises FireAnt MetaKit Update Server for Domestic Espionage — Nation-state actor pivots from external espionage to targeting its own country's citizens via supply chain compromise of a stock trading app.
- Windows Netlogon RCE (CVE-2026-41089) Actively Exploited — Critical unauthenticated RCE on domain controllers with confirmed wild exploitation, providing a direct path to full domain takeover.