#0759
Socket21 days ago6 min▣LLM reporthigh Threat researchers discovered GlassWASM, a WebAssembly-based malware distributed via trojanized extensions on the Open VSX marketplace. The malware uses ChaCha20 encryption to evade static analysis and leverages the Solana blockchain as a resilient C2 dead-drop to retrieve and execute OS-specific second-stage payloads via Node.js.
#0758
CISA21 days ago4 min▣LLM reporthigh CISA has added two actively exploited vulnerabilities, CVE-2026-20262 affecting Cisco Catalyst SD-WAN Manager and CVE-2026-54420 affecting the LiteSpeed cPanel Plugin, to its Known Exploited Vulnerabilities (KEV) catalog. Organizations are urged to prioritize remediation of these flaws, particularly on publicly exposed assets, and to investigate for potential pre-patch compromise in alignment with risk-based vulnerability management practices outlined in BOD 26-04.
#0757
Varonis22 days ago5 min▣LLM reportcritical Varonis Threat Labs discovered SearchLeak, a critical vulnerability chain in Microsoft 365 Copilot Enterprise Search (CVE-2026-42824). By chaining Parameter-to-Prompt (P2P) injection, an HTML rendering race condition, and a Server-Side Request Forgery (SSRF) via Bing's image search, attackers could exfiltrate sensitive organizational data via a single malicious link.
#0756
Mandiant22 days ago6 min▣LLM reportcritical Google Threat Intelligence Group identified a PRC-nexus espionage campaign by UNC6508 targeting North American research and defense entities. The actors compromised REDCap servers to deploy INFINITERED, a custom malware that harvests credentials and intercepts software upgrades for persistence. Using stolen credentials, the attackers pivoted to administrative accounts and abused email content compliance rules to covertly exfiltrate sensitive intelligence.
#0755
Canadian Centre for Cyber Security22 days ago4 min▣LLM reporthigh The Canadian Centre for Cyber Security released a daily digest summarizing five security advisories for vulnerabilities patched between June 8 and 14, 2026. The advisories cover a wide range of enterprise software, infrastructure, Linux kernels, and industrial control systems from vendors including IBM, Dell, Ubuntu, Red Hat, and various ICS manufacturers. Organizations are strongly encouraged to review the specific vendor advisories and apply necessary updates.
#0754
Check Point22 days ago5 min▣LLM reportcritical This threat intelligence report highlights multiple critical vulnerabilities and active exploits, including a zero-day in Oracle PeopleSoft (CVE-2026-35273) exploited by ShinyHunters and an IKEv1 authentication bypass in Check Point VPNs (CVE-2026-50751) linked to Qilin ransomware. Additionally, the report details emerging AI-driven threats, a supply-chain compromise in the Arch User Repository deploying eBPF rootkits, and widespread patching efforts by Microsoft and Veeam.
#075322 days ago7 min▤RecapJun 8 – Jun 15
Perimeter Auth Collapse and AI-Driven Deception Shift the Battlefield
The security perimeter cracked open this week as critical authentication bypasses in Check Point VPNs, Ivanti Sentry, and Palo Alto GlobalProtect gave attackers a free pass into corporate networks, with Qilin ransomware already exploiting one to launch real attacks.
At the same time, AI became the year's most versatile weapon: criminals used ChatGPT and Claude brands as phishing lures, researchers proved AI email assistants will hand over corporate secrets to impersonators, and the Shai-Hulud campaign began injecting fake prompts to blind AI-powered security scanners.
Patch edge VPN appliances immediately, treat AI agents as high-risk insiders, and hunt for device-code authentication events that bypass normal credential checks.
#0752
Canadian Centre for Cyber Security23 days ago5 min▣LLM reportcritical Critical vulnerabilities in Fortinet products allow unauthenticated attackers to bypass FortiCloud SSO and SAML login authentication using crafted SAML response messages. Active exploitation has been observed in the wild, necessitating immediate patching or the disabling of the FortiCloud SSO feature and restriction of internet-facing administrative access.
#0751
Zscaler ThreatLabz24 days ago6 min▣LLM reportcritical The Shai-Hulud software supply chain campaign has significantly evolved, expanding from npm to PyPI and shifting from maintainer compromise to CI/CD abuse. Recent waves demonstrate advanced techniques including OIDC token scraping to bypass SLSA provenance, IDE configuration file weaponization, and prompt injection designed to evade LLM-based security scanners.
#0750WWatchtowr24 days ago6 min▣LLM reportcritical WatchTowr Labs detailed the exploitation of CVE-2026-20253, a critical pre-authentication Remote Code Execution (RCE) vulnerability in Splunk Enterprise. By abusing unauthenticated PostgreSQL Sidecar Service endpoints and injecting connection string parameters, attackers can force the server to connect to an external database, write malicious files to the filesystem, and overwrite legitimate scripts to achieve arbitrary code execution.
#0749
CISA24 days ago4 min▣LLM reporthigh CISA has added CVE-2026-35273, a missing authentication vulnerability in Oracle PeopleSoft Enterprise PeopleTools, to its Known Exploited Vulnerabilities (KEV) catalog based on evidence of active exploitation. Federal agencies are mandated to remediate this high-risk vulnerability on publicly exposed assets under BOD 26-04, and all organizations are strongly encouraged to prioritize patching and investigate for prior compromise.
#0748RReversinglabs25 days ago6 min▣LLM reporthigh An active Microsoft 365 phishing campaign is abusing the OAuth 2.0 Device Authorization Grant flow to achieve account takeover without stealing passwords. The attack utilizes ClickFix-style landing pages with Unicode obfuscation and tricks victims into authorizing an attacker-controlled device via legitimate Microsoft authentication portals, coordinating the flow via a 4-second beaconing mechanism.
#0747
Canadian Centre for Cyber Security25 days ago4 min▣LLM reporthigh The Canadian Centre for Cyber Security released a daily digest highlighting critical security updates for Microsoft Edge, Spring framework components, Google Chrome, and Moxa industrial computers. Notably, the Microsoft Edge update addresses CVE-2026-11645, a vulnerability with a known exploit available in the wild, necessitating urgent patching.
#0746WWatchtowr25 days ago4 min▣LLM reportcritical Check Point Remote Access VPNs are vulnerable to a critical authentication bypass (CVE-2026-50751, CVSS 9.3) within the IKEv1 key exchange process. By sending a crafted 'VPNExtFeatures' Vendor ID payload, an attacker can manipulate the negotiation state to skip certificate signature verification, allowing full network access using only a valid username and the gateway's public ICA organization string.
#0745
Trail of Bits25 days ago4 min▣LLM reporthigh Researchers identified a cryptographic vulnerability in the wild where 'short-sleeve' RSA and DSA keys contain heavily biased zero bits, allowing rapid factorization using polynomial-based cryptanalysis. The flaw was traced to a type mismatch in the key generation code of older CompleteFTP versions, prompting the release of detection and remediation tools.
#0744
ESET25 days ago8 min▣LLM reporthigh Between 2024 and 2026, the Vietnam-aligned threat actor OceanLotus (APT32) shifted its focus toward domestic espionage, conducting a supply-chain attack against the FireAnt MetaKit stock investment platform and compromising a major infrastructure corporation. The campaigns leveraged DLL side-loading to deploy the SPECTRALVIPER backdoor, which features advanced orchestration capabilities and exfiltrates encrypted host data via HTTP Cookie headers.
#0743
Mandiant25 days ago6 min▣LLM reportcritical Mandiant and Google Threat Intelligence Group identified an active extortion campaign by UNC6240 (ShinyHunters) exploiting CVE-2026-35273, a critical zero-day RCE vulnerability in Oracle PeopleSoft. The threat actors targeted the higher education sector, deploying customized MeshCentral agents for C2 and utilizing custom scripts for lateral movement, defacement, and data exfiltration.
#0742RReversinglabs26 days ago4 min▣LLM reportcritical ITScape (CVE-2026-46316) is a critical guest-to-host escape vulnerability located in the vGIC-ITS emulation of KVM/arm64. By exploiting a race condition that triggers a double-put use-after-free, an attacker with guest kernel privileges can execute arbitrary code on the host kernel, completely compromising the hypervisor and threatening multi-tenant cloud infrastructure.
#0741
Recorded Future26 days ago7 min▣LLM reporthigh Sanctions Evasion Networks (SENs) supporting Iranian and Russian shadow fleets are operating a complex ecosystem of inauthentic websites to bypass maritime compliance. These networks impersonate legitimate maritime authorities and utilize automated document generation tools to produce fraudulent ship and seafarer certificates, complicating detection by regulatory and enforcement bodies.
#0740
Canadian Centre for Cyber Security26 days ago4 min▣LLM reportcritical The Canadian Centre for Cyber Security issued a daily digest highlighting two critical security advisories. Notably, Oracle PeopleSoft Enterprise PeopleTools is affected by CVE-2026-35273, a critical vulnerability currently being exploited in the wild, while GitLab has released patches for multiple versions of its Community and Enterprise Editions.