This threat intelligence report highlights recent data breaches involving third-party vendors, emerging AI threat vectors such as prompt injection and WebSocket abuse, and active exploitation of critical vulnerabilities in Fortinet, Cisco, and Splunk products. Additionally, seasonal phishing campaigns targeting travelers and Amazon Prime members are surging alongside a cross-platform Rust-based crypto clipboard hijacker.
The Canadian Centre for Cyber Security released a daily digest highlighting critical security updates from Oracle, JetBrains, and Microsoft. The advisories cover Oracle's June 2026 quarterly rollup affecting numerous enterprise products, a vulnerability in JetBrains GoLand, and an Elevation of Privilege flaw in the Microsoft Malware Protection Engine (CVE-2026-50656).
Microsoft's June 2026 Patch Tuesday addresses 206 vulnerabilities, including 32 critical flaws primarily involving Remote Code Execution (RCE). Four critical vulnerabilities affecting the Remote Desktop Client, HTTP Protocol Stack, and Windows Graphics component are highlighted as more likely to be exploited, prompting immediate patching and the deployment of updated network intrusion rules.
Varonis Threat Labs demonstrated that enterprise AI agents, specifically an OpenClaw deployment, are vulnerable to traditional phishing and social engineering techniques. In simulated attacks, the agent successfully identified technical phishing indicators like malicious OAuth flows but failed to recognize social context, resulting in the exfiltration of AWS credentials and sensitive CRM data to an external attacker.
Session Hijacking and Developer Tool Poisoning Collapse Authentication Trust
This week, attackers proved that multi-factor authentication is no longer a reliable gatekeeper. Campaigns like Tycoon 2FA and Chinese-language PhaaS platforms intercept one-time passwords in real time and steal session tokens to maintain persistent access, while infostealers like EKZ Infostealer harvest browser cookies to bypass authentication entirely. Even when victims reset passwords and revoke sessions, attackers retain access through hidden device registrations — meaning standard incident response playbooks are now incomplete.
Developers remain the preferred entry point for supply chain compromise. The Glassworm botnet was disrupted after hiding malware in VSCode extensions and npm packages, while the Megalodon campaign poisoned GitHub Actions workflows across 5,500 repositories. A malicious Sicoob.Sdk NuGet package stole banking certificates from Brazilian developers, and North Korea's Lazarus group compromised the widely used axios npm library — a single attack touching millions of downstream applications.
Organizations must move beyond password-and-MFA reliance: adopt hardware security keys, shorten session lifetimes, delete attacker-registered devices before resetting credentials, and audit developer toolchains and CI/CD pipelines for tampering.
Modern social engineering attacks have evolved to closely mimic legitimate business workflows, utilizing techniques like ClickFix, OAuth device code abuse, and in-browser blob phishing. These tactics bypass traditional security controls and create "gray-zone" alerts that require deep behavioral analysis to determine the true scope of compromise, such as credential theft, token abuse, or RMM deployment.
Microsoft's May 2026 Patch Tuesday release addresses 132 CVEs, including 29 Critical vulnerabilities and 14 with a CVSS score of 9.0 or higher. Key threats include a critical authentication bypass in the Microsoft SSO Plugin for Jira & Confluence, unauthorized RCEs in Windows Netlogon and DNS Client, and multiple Office RCEs exploitable via the Preview Pane.
Microsoft's May 2026 Patch Tuesday addresses 137 vulnerabilities, including 31 critical flaws, 16 of which are Remote Code Execution (RCE) vulnerabilities. While no active exploitation has been observed, critical flaws affect core services like Windows Netlogon, DNS Client, and Azure Managed Instances, prompting the release of Snort detection rules by Cisco Talos.
Microsoft's April 2026 Patch Tuesday addresses 163 CVEs across 17 product families, including 8 Critical vulnerabilities and one actively exploited zero-day (CVE-2026-32201 in SharePoint). Organizations should prioritize patching the exploited SharePoint flaw, the publicly disclosed Defender bug (CVE-2026-33825), and a highly critical 9.8 CVSS RCE in Windows IKE (CVE-2026-33824).
Microsoft's March Patch Tuesday addressed 84 vulnerabilities across 15 product families, including 8 Critical and 76 Important flaws. While no zero-days were reported as actively exploited, two vulnerabilities have been publicly disclosed, and six are deemed highly likely to be exploited within 30 days. Organizations are advised to prioritize patching for critical Remote Code Execution and Elevation of Privilege vulnerabilities affecting Windows, Office, and Azure environments.