Threat Newsletter June 6, 2026
The first week of June makes one thing clear: attackers are targeting trust itself — in AI platforms, CI/CD pipelines, package provenance, MFA, and legacy patch status.
AI is being weaponized faster than it's being defended. Sophos uncovered an AI-assisted ransomware lab using Cursor and Claude Opus to write and iterate EDR evasion techniques, compressing the time from concept to deployable payload. Meanwhile, Meta's AI support chatbot was manipulated into handing over password reset codes for high-profile Instagram accounts, and ChatGPT share links were abused to serve malware from a legitimate OpenAI domain. The White House responded with an AI executive order directing CISA to deploy AI-enabled defensive tools — but the offensive side is moving faster.
Supply chain attacks have crossed a new threshold. TeamPCP's Mini Shai-Hulud worm published over 400 malicious package versions across 172 projects — TanStack, Mistral AI, UiPath, OpenSearch — in under five hours, with no stolen credentials and valid cryptographic provenance on every package. The full toolchain is now public. This capability belongs to everyone now.
MFA is no longer a reliable backstop. The FBI's Kali365 advisory describes a phishing-as-a-service platform that bypasses MFA entirely by harvesting OAuth session tokens after the victim authenticates on a legitimate Microsoft page. Conditional Access policy changes are required — user awareness training is not enough.
China's collection operations are expanding on every axis. The Five Eyes issued their first-ever joint public bulletin warning of systematic LinkedIn and job platform recruitment by Chinese military intelligence. TA4922 is now the most prolific tracked cybercrime actor, having expanded into Europe and Africa. A separate espionage operation drained a stock exchange executive's inbox for five months undetected, exfiltrating through Dropbox and OneDrive.
Legacy vulnerabilities are still the path of least resistance. Two actively exploited flaws — a two-year-old Oracle WebLogic bug and a SolarWinds Serv-U vulnerability — were added to CISA's KEV catalog this week. Acer disclosed two CVSS 10.0 zero-days in its Wave 7 routers with no patch available until end of June. Attackers don't need novel exploits when known ones stay unpatched.
CISA Rings the Alarm on Actively Exploited SolarWinds Serv-U Flaw
Summary: CISA added CVE-2026-28318 to the KEV catalog on June 5, 2026, setting a remediation deadline of June 19, 2026 for all Federal Civilian Executive Branch (FCEB) agencies. The vulnerability affects SolarWinds Serv-U file transfer software and enables unauthenticated attackers to crash the service through specially crafted HTTP requests using the Content-Encoding: deflate header.
Key Takeaways:
- Over 12,000 Serv-U servers are currently exposed online, and administrators who upgraded to 15.5.4 but skipped the hotfix remain vulnerable — a critical distinction that patch inventory tools may miss.
- Serv-U has been a persistent target for cybercriminals and nation-state groups. The Clop ransomware gang previously exploited CVE-2021-35211 in 2021, while Chinese state-sponsored threat group DEV-0322 weaponized it in zero-day attacks.
- Patch: Update to Serv-U version 15.5.4 HF1 immediately. Also consider blocking any requests containing
Content-Encodingheaders as an interim mitigation.
Guru Baran
OpenAI Drops a New Security Shield — ChatGPT Lockdown Mode
Summary: OpenAI has released ChatGPT Lockdown Mode, a new security feature designed to limit outbound network access and reduce the risk of data exfiltration from prompt-injection attacks. The feature is now available to eligible personal accounts, self-serve ChatGPT Business users, and managed enterprise workspaces. Cyber Security News
Key Takeaways:
- The feature limits web and external-service access by disabling tools like live browsing, image retrieval, deep research, Agent mode, Canvas networking, and file downloads.
- Lockdown Mode is specifically engineered to disrupt the final stage of a prompt injection attack: the unauthorized transfer of sensitive data to an attacker-controlled destination. Importantly, Lockdown Mode does not prevent prompt injections from entering the model's context.
- OpenAI also launched a new session management tool allowing users to review active sessions and log out of suspicious activity, providing details such as device type, approximate location, and sign-in time.
Guru Baran
Threat Actors Begin Weaponizing the Palo Alto GlobalProtect VPN Auth Bypass
Summary: Palo Alto Networks is warning that hackers are now exploiting a PAN-OS GlobalProtect authentication bypass flaw, tracked as CVE-2026-0257, in attacks attempting to breach corporate networks. The flaw allows attackers to bypass security restrictions and establish an unauthorized VPN connection.
Key Takeaways:
- CVE-2026-0257 stems from firewalls relying on cookies without performing detailed validation and integrity checking. Rapid7 observed successful exploitation across multiple customers via authentication probes using forged cookies.
- Despite successful VPN access, no evidence of lateral movement or further post-exploitation activity has been reported in the initial wave of attacks, suggesting the attackers may be focused on establishing persistent access or selling access to other threat actors.
- CISA added the flaw to its KEV catalog and ordered federal agencies to mitigate by June 1, 2026. Organizations should immediately install the latest security updates or disable the authentication override feature.
Lawrence Abrams
Attackers Turn ChatGPT's Own Sharing Feature Against Users to Spread Malware
Summary: Threat actors are abusing ChatGPT's content-sharing feature to display fake OpenAI outage pages that direct users to download malware disguised as the ChatGPT desktop application. The "LLMShare" campaign, discovered by Push Security, uses Google ads to direct users searching for ChatGPT to a malicious shared ChatGPT page hosted on chatgpt.com, allowing the attack to be delivered through a legitimate OpenAI domain.
Key Takeaways:
- The technique exploits a design feature — not a software vulnerability — in ChatGPT's sharing system, which means no patch from OpenAI can close it without changing how the product works.
- Push Security also observed attacks misusing Claude Artifacts to host ClickFix-style lures that trick users into executing malicious commands, showing this is part of a broader pattern of exploiting AI platform sharing features.
- Users should avoid clicking sponsored ads when searching for AI tools and should never download software prompted by an "outage" page, as legitimate services do not redirect to downloads during disruptions.
Lawrence Abrams
Google Insider Used Company Secrets to Win Big on Polymarket — Now He's Facing Federal Charges
Summary: A Google security engineer was arrested in New York and charged with crimes related to bets he allegedly placed on Polymarket using confidential information pulled from Google systems. Michele Spagnuolo, a 36-year-old Italian citizen, is accused of placing multiple trades that netted him a profit of more than $1.2 million.
Key Takeaways:
- Beginning in October 2025, Spagnuolo allegedly used a Polymarket account under the alias "AlphaRaccoon" to bet on whether specific individuals would appear on Google's top trending search lists, using an internal tool containing confidential "Year in Search" data marked with a "Google Confidential" banner.
- This marks the second major arrest of someone who allegedly traded on Polymarket using insider information, following an earlier arrest of a U.S. Army soldier who allegedly bet on the Nicolas Maduro raid he was part of.
- The case highlights the insider threat risk posed by employees with privileged access to sensitive business intelligence — even non-technical data such as marketing analytics can be weaponized for financial fraud.
Matt Kapko
North Korea's Kimsuky Goes Deeper — HTTPSpy, HelloDoor & VS Code Tunnels in New Campaign
The North Korean state-sponsored threat actor Kimsuky (aka Velvet Chollima) has been attributed to a fresh set of cyber attacks targeting South Korean military and corporate entities through March and April 2026, employing social engineering tactics such as spoofing security software installation pages and crafting a fake Webex meeting page.
Key Takeaways:
- HTTPSpy provides full-featured control of compromised systems — command execution, file upload and download, screenshot capture, process injection, and self-deletion — giving Kimsuky a resilient foothold in sensitive networks.
- Kimsuky is expanding its arsenal by delivering multiple malware families via JSE, PIF, SCR, and EXE droppers, and has introduced mechanisms to verify infection in real time through a technique called JSONPing.
- Defenders should scrutinize all remote access channels, harden against script-based droppers, and be wary of Webex or security software download prompts arriving via unusual channels.
The Hacker News
Supply Chain Under Fire — 14 Poisoned npm Packages Went After Cloud Credentials
A single npm user published 14 malicious packages within a four-hour window, all mimicking popular OpenSearch, Elasticsearch, DevOps, and environment-configuration libraries. Once installed, these packages harvest cloud credentials and CI/CD pipeline secrets from the host environment. The Register
Key Takeaways:
- The packages typosquatted well-known libraries and spoofed the upstream OpenSearch project's repository URL in their
package.jsonto appear legitimate, while also being assigned inflated version numbers to suggest maturity. Microsoft - All packages targeted AWS credentials, HashiCorp Vault tokens, GitHub Actions secrets, and npm registry tokens, suggesting the actor specifically chose a developer audience likely to have cloud credentials in their environments. Microsoft
- Security teams should identify systems that installed affected package versions on or after May 28, 2026, pin known-good package versions, and rotate any potentially exposed credentials immediately.
Jessica Lyons
Meta's AI Chatbot Became a Master Key for Instagram Account Takeovers
Hackers used Meta's AI support chatbot to break into a host of high-profile Instagram profiles by asking the support bot to change the email address associated with the target account, entirely bypassing identity verification checks.
Key Takeaways:
- Several high-profile accounts — including former President Barack Obama's White House account and the clothing brand Sephora — were seized by hackers after enlisting Meta AI for help. Meta replaced human customer support with AI in March 2026, giving the AI the ability to reset passwords and perform critical account maintenance functions.
- According to Krebs on Security, the attack method would likely not succeed against accounts using any form of multi-factor authentication. For profiles without that extra layer, the takeover could happen in minutes.
- Meta has stated the issue has been resolved. Users should immediately enable MFA on all social accounts. This incident is a major warning about deploying AI agents with unrestricted account management privileges.
Jason Koebler
Two-Year-Old Oracle WebLogic Bug Is Back — And Ransomware Gangs Are Circling
CISA has ordered government agencies to secure their systems against a high-severity Oracle WebLogic Server vulnerability that was patched two years ago and is now actively exploited in attacks. Bleeping Computer
Key Takeaways:
- Tracked as CVE-2024-21182, the flaw is easily exploitable and allows an unauthenticated attacker with network access via T3 or IIOP to compromise Oracle WebLogic Server, potentially resulting in unauthorized access to all accessible data.
- Over the last several years, CISA has flagged 43 vulnerabilities across various Oracle products as exploited in the wild, 12 of which have been abused in ransomware attacks.
- Federal agencies had until June 4, 2026 to remediate. All organizations should treat this as a high-priority patch given WebLogic's widespread enterprise use and history as a ransomware entry point.
Sergiu Gatlan
AI Is Now Writing the Ransomware — Meet the Toolkit Built to Beat Your EDR
A threat actor is using an AI-built ransomware attack toolkit that automates Active Directory discovery and helps evade endpoint detection and response (EDR) solutions. Tool and payload development was assisted by Cursor and Claude Opus agents in various stages, including initial coding, analysis, and revisioning.
Key Takeaways:
- A Claude Opus 4.5 agent acts as the coordinator of the R&D process, while other agents handle testing, OPSEC hardening, documentation, proxy stress testing, and VM deployment. Despite AI orchestration, researchers note the workflow is entirely human-driven.
- The toolkit includes Cobalt Strike profiles to disguise beacon traffic, a Telegram bot API for command and control, Python scripts for injecting shellcode into legitimate Windows executables, and a Cloudflare Worker to obscure the C2 server. It was tested against EDR solutions from Sophos, CrowdStrike, and Microsoft.
- This is a significant development showing that AI is now actively accelerating ransomware development cycles. Defenders should validate existing EDR tuning against AI-assisted evasion techniques.
Bill Toulas
Kali365 — The MFA-Bypassing Phishing Kit the FBI Doesn't Want You to Ignore
Kali365 is a phishing-as-a-service platform first observed in April 2026 that uses OAuth 2.0 device code phishing to capture Microsoft 365 access tokens and bypass MFA — without ever requiring the victim's credentials. The FBI issued a public service announcement about it in May, and the platform has since expanded beyond Microsoft 365 to target AWS, Okta, and Russian platforms. =
Key Takeaways:
- In a device code phishing attack, once the victim authenticates and completes any required MFA steps, the service issues access tokens to the attacker's session. MFA does not prevent compromise because the victim unknowingly completes the authentication process on behalf of the attacker. Dark Reading
- Kali365 is primarily distributed on Telegram and lowers the barrier of entry, providing less-technical attackers access to AI-generated phishing lures, automated campaign templates, real-time tracking dashboards, and OAuth token capture capabilities.
- Organizations should train users to recognize device code phishing lures, implement Conditional Access policies to block unsanctioned device code flows, and monitor for suspicious OAuth token grants.
Pieter Arntz
Microsoft's Majorana 2 Quantum Chip Brings the "Crypto Apocalypse" Timeline Closer
Microsoft unveiled a new quantum computing chip — the Majorana 2 — redesigned with the help of AI, and now believes it will have commercially useful quantum machines by 2029. The announcement was made at Microsoft's Build developer conference.
Key Takeaways:
- Majorana 2 features a new materials stack enabling a 1,000-fold improvement in reliability over the prior generation of qubits, with a mean qubit lifetime of 20 seconds and instances lasting as long as one minute.
- The new target date puts Microsoft on track to have quantum computers the same year as rival IBM, which plans to spend $10 billion on quantum machines. Competitors also include Google, Amazon, and several Chinese efforts.
- From a security perspective, the accelerating quantum timeline reinforces urgency around post-quantum cryptography adoption. Organizations should be tracking NIST's post-quantum standards roadmap.
Vanessa Ho
No Patch, No Problem for Attackers — Acer Wave 7 Routers Plagued by Two CVSS 10.0 Zero-Days
Acer confirmed it is working to address two maximum-severity zero-day vulnerabilities affecting its Wave 7 mesh routers. The flaws — CVE-2026-49200 and CVE-2026-49201 — affect devices running firmware version T7c_GBL_1.01.000055 or earlier and were reported by security researcher Gergo Pap.
Key Takeaways:
- The first zero-day allows unauthenticated attackers to remotely access plaintext credentials stored in log archives via the web interface. The second stems from a hard-coded cryptographic key that lets remote attackers gain persistent backdoor access to the router by decrypting, modifying, and re-encrypting system backups.
- No patches are available yet. Acer says fixes should be released by end of June 2026. In the meantime, users are advised to disable remote administration features and restrict access to the management interface to trusted internal networks.
- Both vulnerabilities carry a CVSS score of 10.0 — the maximum rating. Wave 7 router owners should act immediately on available mitigations.
Sergiu Gatlan
TA4922 Goes Global — Chinese Cybercrime Group Hits Record Campaign Volume
A Chinese-speaking cybercrime group tracked as TA4922 has been escalating activities and expanding to new geographies. TA4922 currently conducts more unique campaigns than any other tracked cybercrime threat actor in Proofpoint's threat data, demonstrating high operational tempo, a variety of lures, and multiple objectives. SecurityWeek
Key Takeaways:
- The actor has significantly increased its operational tempo since March 2026 and is using a wider collection of malware that includes Atlas RAT, RomulusLoader, SilentRunLoader, and variants of Winos4.0 (ValleyRAT). The group has expanded from East Asia to now targeting organizations in the UK, Germany, Italy, and South Africa.
- TA4922 was also seen launching credential-phishing and imposter campaigns, looking to shift communication from email to out-of-band channels including LINE, WhatsApp, and Microsoft Teams.
- Organizations in Europe and Asia-Pacific should review defenses against business-themed phishing, particularly tax and HR lures. Monitoring for unexpected use of legitimate RMM tools like AnyDesk is recommended.
Ionut Arghire
Silent for Five Months — Spies Quietly Drained a Stock Exchange Executive's Inbox
Unknown attackers spent at least five months inside the Outlook mailbox of a senior executive at a major global stock exchange, copying the inbox out in small, repeated batches and routing it through Dropbox and OneDrive so the traffic blended into normal cloud activity.
Key Takeaways:
- The activity persisted for approximately five months between October 2025 and March 2026 without triggering traditional security alerts. Attackers leveraged stealth and persistence rather than widespread lateral movement, focusing exclusively on extracting intelligence from a single high-value mailbox.
- Scheduled tasks posed as Adobe, Lenovo, and OneDrive system services for persistence. For exfiltration, the attacker used Dropbox and OneDrive Personal, connecting to hard-coded Microsoft IP addresses to avoid DNS-based detection.
- This case is a strong reminder to implement strict monitoring on executive email accounts, apply behavioral anomaly detection, and audit legitimate cloud sync and file-sharing services for signs of data exfiltration.
The Hacker News
Trump Signs AI Executive Order — CISA Gets 30 Days to Issue New Cyber Directives
CISA plans to release a binding operational directive to federal agencies detailing actions required to carry out the President's AI executive order. The directive will focus in part on "vulnerability alleviation and vulnerability management," CISA Acting Director Nick Andersen said at the TechNet Cyber conference in Baltimore.
Key Takeaways:
- On June 2, 2026, President Trump signed an executive order titled "Promoting Advanced Artificial Intelligence Innovation and Security," directing federal agencies to establish a framework for the secure deployment of frontier AI models and to harden government cyber defenses, including by expanding AI-enabled defensive tools.
- The AI executive order is a scaled-back version of an earlier iteration, reducing the voluntary pre-release model-testing window from 90 days to 30 days. CISA will also play a key role in helping stand up a "cyber clearinghouse" function.
- This signals a major pivot in how the U.S. government intends to deploy AI in defensive cyber operations. Critical infrastructure operators should watch for new guidance from CISA in the coming weeks.
Suzanne Smalley
CISA's Future Is Uncertain as DHS Leadership Signals a Major Overhaul
DHS Secretary Mullin told the House Homeland Security Committee the administration's vision for CISA aims to return the agency to what Trump administration officials describe as its "core mission," while shifting more cybersecurity responsibilities and resources closer to state and local governments.
Key Takeaways:
- Congress has continued raising concerns over whether CISA can maintain operations while absorbing staffing losses and operating without Senate-confirmed leadership. The agency has spent much of the past year under acting leadership following a series of personnel changes.
- Mullin indicated a new CISA director nomination is coming soon, signaling further organizational change ahead.
- The restructuring of CISA creates uncertainty for critical infrastructure operators who rely on the agency for threat intelligence and incident response support.
Martin Matishak
Five Eyes Breaks Cover — China Is Hunting for State Secrets on LinkedIn and Job Sites
The Five Eyes intelligence alliance — comprising ASIO, CSIS, FBI, MI5, and NZSIS — issued a rare joint bulletin warning that China's military intelligence services are using professional networking and online recruitment platforms, including LinkedIn, Indeed, and Upwork, to target individuals with access to sensitive government, military, and economic information.
Key Takeaways:
- According to the bulletin, operatives pose as recruiters, consultants, or think-tank staff linked to fictitious companies outside China, representing a scaled, methodical approach to identifying and cultivating sources through seemingly legitimate employment opportunities.
- This was the first-ever joint public bulletin from the Five Eyes, titled "Safeguarding Our Secrets," and was published simultaneously by all five partner agencies on June 3, 2026.
- Organizations should train employees — particularly those with security clearances or access to proprietary data — to scrutinize unsolicited job approaches on professional platforms and report them to security personnel.
Connor Jones
Instagram's Password Reset Flow Leaked Users' Real Emails and Phone Numbers
Summary: A critical logic bug in Instagram's web-based password reset flow exposed unredacted email addresses and phone numbers associated with user accounts, including those belonging to high-profile individuals such as Meta CEO Mark Zuckerberg. Meta deployed an emergency hotfix within hours, but not before proof-of-concept screenshots circulated widely on social media.
Key Takeaways:
- The vulnerability resided in Instagram's web-based password reset interface, where the account recovery screen failed to properly mask sensitive contact data before presenting it to the requesting party — returning fully visible email addresses and phone numbers rather than the partially obscured versions Instagram normally displays.
- This incident is the latest in a string of Instagram security issues in 2026, compounding earlier incidents including the Meta AI chatbot account hijacking and a January leak of 17.5 million Instagram user records.
- Users should review their account recovery information, enable MFA, and monitor for unusual login attempts. The repeated security failures at Meta's Instagram platform warrant heightened vigilance.
Guru Baran
EDRChoker — A Stealthy New Red Team Tool That Starves Your EDR of Network Access
A newly released open-source red team tool called EDRChoker introduces a novel technique for silencing cloud-connected Endpoint Detection and Response (EDR) agents — not by killing their processes or injecting code, but by using Windows policy-based Quality of Service (QoS) controls to throttle or block EDR network communications.
Key Takeaways:
- Unlike prior tools such as EDRSilencer (which used Windows Filtering Platform), EDRChoker operates at the QoS policy layer — a less-monitored attack surface that many EDR detection rules do not currently cover.
- The release continues a pattern of sophisticated open-source red team tools being rapidly repurposed for offensive use. Defenders should review detection coverage for QoS-based network manipulation.
- Security teams should test their EDR solutions against this new evasion class and update detection rules to monitor for unauthorized QoS policy modifications targeting security processes.
Guru Baran
