Find notable cyber news and cases, enriched with sources, timelines, and signals.

Recent notable happenings and cases

Last updated: 16:02 18/06/2026 UTC

Latest updates


USB-spreading clipboard-stealing malware targeting cryptocurrency wallets

Malware Activity

Updated: 18.06.2026 19:20 · First: 18.06.2026 19:20 · 📰 1 src / 1 articles · H score: 27

A USB-spreading clipboard-stealing malware family is actively stealing seed phrases, private keys, and wallet addresses from Windows victims, putting cryptocurrency funds at direct risk. The malware also captures screenshots and sends stolen data over Tor, making detection and takedown harder. Its use of LNK shortcut files on removable drives gives it a worm-like propagation path across connected systems.

Rust-based clipboard hijacker spreading via fake crypto tools

Malware Activity

Updated: 18.06.2026 18:00 · First: 18.06.2026 18:00 · 📰 1 src / 1 articles · H score: 13

A Rust-based clipboard hijacker is spreading through fake crypto tools and silently replacing copied wallet addresses, putting Windows and macOS users at risk of theft. The operation uses bogus GitHub stars, inflated download counts, and AI-narrated YouTube tutorials to make the downloads look legitimate. A WordPress phishing page serves as the distribution hub, and the malware runs at startup to persist on infected systems. On macOS, a bundled unlocker script helps users bypass Apple quarantine and Gatekeeper, increasing the chance the unsigned app will run.

ICO formal caution in Princess of Wales records case

Regulatory/Legal Action

Updated: 18.06.2026 17:45 · First: 18.06.2026 17:45 · 📰 1 src / 1 articles · H score: 28

The ICO issued a formal caution to a former London healthcare professional under section 170(5) of the Data Protection Act 2018 after reviewing the prosecution criteria in a case involving the Princess of Wales's medical records. The caution closes the criminal probe without a prosecution and underscores enforcement against the deliberate misuse of highly sensitive personal information. The regulator said the conduct included an offer to disclose the records for financial gain.

Windows cryptocurrency clipper malware using USB LNK worming and Tor C2

Malware Activity

Updated: 18.06.2026 17:30 · First: 18.06.2026 17:30 · 📰 1 src / 1 articles · H score: 29

A Windows-based cryptocurrency clipper has been active since February 2026, using USB-delivered LNK worming to steal wallet data and reroute payments. The malware adds clipboard theft, screenshot exfiltration, and wallet-address substitution, increasing the risk of stolen seed phrases and diverted transactions. It also uses a Tor-based hidden-service C2 and can execute attacker-supplied code through an EVAL response.

Windows cryptocurrency clipper campaign targeting users via USB LNK worms

Campaign

Updated: 18.06.2026 17:30 · First: 18.06.2026 17:30 · 📰 2 src / 2 articles · H score: 32

A Windows cryptocurrency clipper campaign has been actively targeting users since February 2026, putting clipboard data, wallet addresses, and seed phrases at risk. The operation uses malicious USB-delivered LNK files, Windows Script Host, and a Tor-based hidden-service C2 to spread and steal data. It can also replace copied cryptocurrency addresses with attacker-controlled alternatives and execute attacker-supplied code through an EVAL response.

Klue hit by network compromise

Incident

Updated: 18.06.2026 17:19 · First: 18.06.2026 17:19 · 📰 1 src / 1 articles · H score: 38

The Klue backend compromise and OAuth token theft enabled unauthorized access to connected Salesforce environments and triggered an ongoing extortion response. Attackers used a malicious code update in the Battlecards integration path to steal customer tokens. The stolen credentials were then used to query Salesforce data across multiple affected organizations.

Icarus Salesforce data-theft extortion campaign

Campaign

Updated: 18.06.2026 17:19 · First: 18.06.2026 17:19 · 📰 1 src / 1 articles · H score: 42

The Icarus extortion campaign is actively stealing Salesforce CRM data from multiple organizations, expanding pressure on victims and showing a repeatable cloud-app abuse pattern. The operation uses stolen OAuth tokens and automated queries against Salesforce REST API endpoints to map objects and pull records. Victims then receive extortion emails tied to the alias "mr bean", while leak-site messaging signals continuing activity.

INC ransomware group’s RaaS expansion and victim growth in 2026

Threat Actor Meta

Updated: 18.06.2026 17:12 · First: 18.06.2026 17:12 · 📰 1 src / 1 articles · H score: 45

INC has grown from a RaaS startup into one of 2026’s most prolific ransomware groups, with 830+ victims since August 2023. The expansion followed affiliate migration after disruption to LockBit and the shutdown of BlackCat, strengthening INC’s market position. Its rise increases extortion pressure across U.S. organizations and targeted sectors including health care, legal services, manufacturing, technology, and construction.

INC ransomware encryptors rewritten in Rust

Malware Activity

Updated: 18.06.2026 17:12 · First: 18.06.2026 17:12 · 📰 1 src / 1 articles · H score: 38

INC's Windows and Linux/ESXi encryptors were rewritten in Rust, improving cross-platform development and making reverse engineering harder. The malware line also gained updated credential-dumping support aimed at newer Veeam backup deployments. The changes strengthen the ransomware toolset used in 2026 attacks and raise the cost of analysis and defense.

DragonForce / Hackledorb pivots from RaaS to a formalized cartel structure

Threat Actor Meta

Updated: 18.06.2026 16:30 · First: 18.06.2026 16:30 · 📰 1 src / 1 articles · H score: 26

Hackledorb has pivoted DragonForce from a conventional ransomware-as-a-service (RaaS) model into a formalized cartel structure, signaling a more organized and durable adversary ecosystem. The shift raises the group's ability to scale operations, coordinate affiliates, and sustain pressure against enterprise victims while blending ransomware with stealthier post-compromise tradecraft.

SocGholish malware downloader hijacking WordPress sites

Malware Activity

Updated: 18.06.2026 16:25 · First: 18.06.2026 16:25 · 📰 1 src / 1 articles · H score: 53

SocGholish is a long-running JavaScript-based malware downloader that hijacks legitimate WordPress sites to push fake browser updates, creating a persistent path for visitor infection and follow-on payload delivery. The activity has been used since at least 2017 and is linked to Evil Corp. Once installed, the malware can open attacker access and stage additional malware families.

Operation Endgame takedown of SocGholish and Evil Corp infrastructure

Law Enforcement

Updated: 18.06.2026 16:25 · First: 18.06.2026 16:25 · 📰 1 src / 1 articles · H score: 54

International law enforcement cleaned 14,971 WordPress sites and took 106 servers and domains offline in a coordinated takedown of SocGholish infrastructure linked to Evil Corp. The action disrupted a long-running malware infection chain used to hijack legitimate sites and deliver malicious payloads. It reduced cybercriminal access to compromised systems across citizens, businesses, and organizations worldwide. The operation is part of Operation Endgame and signals further action against the same infrastructure.

ShapedPlugin LicenseLoader fake WooCommerce backdoor

Malware Activity

Updated: 18.06.2026 15:55 · First: 18.06.2026 15:55 · 📰 1 src / 1 articles · H score: 21

The LicenseLoader.php malware embedded in infected ShapedPlugin releases now enables credential theft, 2FA secret theft, and remote file-writing on compromised WordPress sites. The loader activates when an administrator opens the WordPress admin panel, then reaches out to C2 and installs a hidden fake plugin such as woocommerce-subscription or woocommerce-notification. It also self-deletes after staging, which increases stealth and slows detection.

ShapedPlugin hit by network compromise

Incident

Updated: 18.06.2026 15:55 · First: 18.06.2026 15:55 · 📰 1 src / 1 articles · H score: 20

ShapedPlugin suffered a supply-chain compromise that pushed infected WordPress plugin releases to paying customers through the vendor's official update system, putting affected sites at risk of credential theft and remote file-writing. The incident affected Product Slider Pro for WooCommerce before 3.5.4, Real Testimonials Pro 3.2.5, and Smart Post Show Pro before 4.0.2. Researchers tied the backdoor injection to May 21 and confirmed malicious downloads on June 12. The vendor acknowledged the incident on June 16 and began preparing updated releases.

Apple security patch release for CVE-2025-20701

Security Patch Release

Updated: 18.06.2026 15:23 · First: 18.06.2026 15:23 · 📰 1 src / 1 articles · H score: 17

Apple released Beats Firmware Update 1B211 for Beats Studio Buds to fix CVE-2025-20701, closing a Bluetooth flaw that could let nearby attackers spy on conversations. The update is delivered automatically to vulnerable earbuds when they pair within range of an iPhone, iPad, or Mac.

Beats Studio Buds Bluetooth BR/EDR missing-authentication security flaw (multiple vulnerabilities)

Vulnerability

Updated: 18.06.2026 15:23 · First: 18.06.2026 15:23 · 📰 1 src / 1 articles · H score: 16

Beats Studio Buds are affected by CVE-2025-20701, a missing-authentication flaw in the Bluetooth BR/EDR implementation of the Airoha system-on-a-chip (SoC) used in the earbuds, which can let a nearby attacker listen through the microphone of a device that is not currently paired with them. Apple shipped Beats Firmware Update 1B211 to patch the bug. Researchers also built a proof-of-concept exploit and said chaining it with CVE-2025-20700 and CVE-2025-20702 can expand control to calls and device memory.

India's Ministry of Electronics and Information Technology warns Telegram and imposes a nationwide block over NEET-UG 2026 leaks (June 18 Delhi High Court affidavit)

Public Sector Action

Updated: 18.06.2026 15:18 · First: 18.06.2026 15:18 · 📰 1 src / 1 articles · H score: 27

India's government warned Telegram and imposed a nationwide block tied to alleged NEET-UG 2026 exam-paper leaks, restricting access to the platform and leak-related channels. The government told the Delhi High Court that Telegram said it could not proactively detect the offending channels, while the National Testing Agency identified channels, groups, and bots circulating leaked material. The block was imposed ahead of the June 21 re-exam and remained in force while the court considered Telegram's challenge. The restriction also affected users beyond India, including access disruption in the UAE after a BGP route leak.

F5 NGINX out-of-band security updates (multiple vulnerabilities)

Security Patch Release

Updated: 18.06.2026 14:33 · First: 18.06.2026 14:33 · 📰 1 src / 1 articles · H score: 34

F5 released out-of-band security updates for NGINX after finding multiple web server vulnerabilities, including two critical flaws that could enable remote code execution or denial of service on affected systems. The fixes cover NGINX Plus, NGINX Open Source, NGINX Gateway Fabric, and NGINX Instance Manager. Administrators unable to patch immediately have product-specific mitigations, but the release remains urgent for deployments that use the affected non-default configurations, since those are reachable by unauthenticated remote attackers.

NGINX web server critical flaws (multiple vulnerabilities)

Vulnerability

Updated: 18.06.2026 14:33 · First: 18.06.2026 14:33 · 📰 1 src / 1 articles · H score: 26

NGINX had two critical web server flaws, CVE-2026-42530 and CVE-2026-42055, that can let unauthenticated remote attackers cause denial of service or execute code against non-default configurations. The bugs affect ngx_http_v3_module, ngx_http_proxy_v2_module, and ngx_http_grpc_module. F5 released out-of-band fixes and temporary mitigations for affected deployments, including NGINX Plus and NGINX Open Source.

Operation Escaneo Latin America intrusion campaign targeting government and finance

Campaign

Updated: 18.06.2026 14:30 · First: 18.06.2026 14:30 · 📰 1 src / 1 articles · H score: 57

The Operation Escaneo campaign exposed a coordinated intrusion effort against government and financial targets across Latin America, with confirmed victim access and data theft. The operation reached critical infrastructure in Mexico, with additional activity in Ecuador and Portugal. Attackers used Fortinet FortiOS SSL-VPN and Ivanti Connect Secure flaws, plus Apache Tomcat, EternalBlue, Zerologon, and Log4Shell, to penetrate perimeter systems. The exposed tooling and access paths show an active cross-border campaign rather than isolated scans.

Microsoft Windows Server 2016 KB5094122 installation failures resolved

Service Disruption

Updated: 18.06.2026 13:14 · First: 18.06.2026 13:14 · 📰 1 src / 1 articles · H score: 1

Microsoft resolved a Windows Server 2016 update-installation failure that blocked June 2026 security updates on some unpatched servers. Affected devices could hit 0x80070002 / FILE_NOT_FOUND and fail to install KB5094122 unless KB5087537 had already been applied. The fix restores normal patch deployment and reduces the chance that servers remain behind on security updates.

Cybercrime rises to 30% of crime across Asia and South Pacific countries

Trend

Updated: 18.06.2026 11:30 · First: 18.06.2026 11:30 · 📰 1 src / 1 articles · H score: 32

Interpol's 2025/2026 assessment shows cybercrime now accounts for 30% of crime in over half of the surveyed Asia and South Pacific countries, signaling a broad regional rise in threat pressure. The report covers 18 Southeast Asian countries and Pacific Island states and points to expanding online scams, phishing, ransomware, and DDoS activity. In 2024, some countries reported more than 10,000 scam cases, while phishing clicks reached 5.5 per 1,000 people monthly, about twice the global average. The pattern shows a region where digital adoption is outpacing security readiness and increasing exposure across governments, enterprises, and individuals.

Telegram access disruption from AS18101 route spillover

Service Disruption

Updated: 17.06.2026 16:12 · First: 17.06.2026 16:12 · 📰 1 src / 2 articles · H score: 62

Telegram access was disrupted outside India after AS18101 / Reliance Communications announced Telegram prefixes, spilling a domestic block into the UAE and other regions. The route leak cut off users who were never meant to be covered by the restriction. Analysts later confirmed the hijack, showing that the availability problem was real even as intent remained disputed.

Ghost Networks crypto-clipper promotion campaign

Campaign

Updated: 17.06.2026 21:14 · First: 17.06.2026 21:14 · 📰 2 src / 2 articles · H score: 15

An unknown threat actor is running an active June 2026 campaign that fakes legitimacy to distribute a Rust-based clipboard hijacker. The operation uses bogus GitHub stars, inflated SourceForge downloads, planted "safe" votes on VirusTotal, AI-narrated YouTube tutorials, and a WordPress phishing page to push booby-trapped crypto tools. The hidden payload targets Windows and macOS clipboard data, swapping copied wallet addresses for attacker-controlled ones from an embedded list of more than 15,500 addresses. The promotion model turns public reputation signals into a distribution layer for theft.

Rust-based clipboard hijacker that swaps wallet addresses

Malware Activity

Updated: 17.06.2026 21:14 · First: 17.06.2026 21:14 · 📰 1 src / 1 articles · H score: 10

The Rust-based clipper is Windows and macOS malware that replaces copied cryptocurrency wallet addresses with attacker-controlled destinations. It continuously watches the clipboard for wallet-pattern matches and swaps in addresses from a hard-coded list, diverting transfers. The payload is concealed inside Solana and Pump.fun sniper bots and crash-game predictors, increasing theft risk for cryptocurrency users.
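Both this entry and the Windows USB-borne clipper above describe the same core mechanic: watch the clipboard, match the payload against wallet-address shapes, and substitute an attacker address of the same type so the paste still looks plausible. The following is an added example, not code from any of the reported samples or the researchers who analysed them, that simulates that decision in Python and pairs it with the defensive check a wallet front-end or endpoint agent can apply before a transaction is signed. The address regexes, the attacker list, and the clipboard history are constructed for illustration; the regexes check shape only, not checksums.

```python
import re

# Illustrative address-shape patterns (assumption: the malware's own regexes are not public here).
# Bech32 P2WPKH/P2WSH ("bc1..."), legacy Base58 ("1..."/"3..."), and 20-byte hex Ethereum addresses.
WALLET_PATTERNS = {
    "btc": re.compile(r"(?:bc1[ac-hj-np-z02-9]{25,62}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})"),
    "eth": re.compile(r"0x[0-9a-fA-F]{40}"),
}

# Constructed stand-in for the clipper's hard-coded attacker-address list, keyed by address type.
ATTACKER_ADDRESSES = {
    "btc": "bc1q" + "z" * 38,
    "eth": "0x" + "ab" * 20,
}

# Constructed clipboard history: what the user copied, in order.
SAMPLE_CLIPBOARD = [
    "bc1qar0srrr7xfkvy5l643lydnw9re59gtzzwf5mdq",            # BIP173 example bech32 address
    "0x" + "1234567890abcdef" * 2 + "12345678",              # constructed 40-hex ETH address
    "meeting moved to 3pm, bring the invoice",               # ordinary text, must pass through
]


def address_type(text: str):
    """Return 'btc' / 'eth' when the whole clipboard payload looks like a wallet address, else None."""
    s = text.strip()
    for kind, pattern in WALLET_PATTERNS.items():
        if pattern.fullmatch(s):
            return kind
    return None


def looks_like_seed_phrase(text: str) -> bool:
    """Shape check for a BIP39-style recovery phrase: 12 or 24 lowercase alphabetic words.
    Clippers that steal seed phrases key on this kind of clipboard content as well."""
    words = text.split()
    return len(words) in (12, 24) and all(w.isalpha() and w.islower() for w in words)


def clipper_swap(clipboard_text: str) -> str:
    """Simulate the malware: swap only when the payload matches a known address shape, and keep the
    address type the same so the victim sees a plausible destination."""
    kind = address_type(clipboard_text)
    return ATTACKER_ADDRESSES[kind] if kind else clipboard_text


def detect_swap(copied: str, about_to_paste: str) -> bool:
    """Defensive check: flag when the value leaving the clipboard is a wallet address of the same
    type as the one the user copied but is not the same address. Comparing against the value the
    user actually selected (e.g. from the wallet UI) is what the clipper cannot tamper with."""
    copied_kind, paste_kind = address_type(copied), address_type(about_to_paste)
    return copied_kind is not None and copied_kind == paste_kind and copied.strip() != about_to_paste.strip()


def run_simulation(copied_values):
    """Push each copied value through the simulated clipper and record whether the check catches it."""
    results = []
    for copied in copied_values:
        pasted = clipper_swap(copied)
        results.append({
            "copied": copied,
            "pasted": pasted,
            "type": address_type(copied),
            "flagged": detect_swap(copied, pasted),
        })
    return results


if __name__ == "__main__":
    for r in run_simulation(SAMPLE_CLIPBOARD):
        print(f"{r['type'] or 'text':4} flagged={r['flagged']!s:5} {r['copied'][:20]}... -> {r['pasted'][:20]}...")
```

The point of `detect_swap` is that the comparison must use a copy of the address obtained outside the clipboard (the wallet's own transaction preview, a QR code, or a value the user reads back), since a clipper that is already resident can rewrite anything that passes through the clipboard itself.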

Microsoft Defender RoguePlanet security update (CVE-2026-50656)

Security Patch Release

Updated: 17.06.2026 20:36 · First: 17.06.2026 20:36 · 📰 1 src / 1 articles · H score: 32

Microsoft is preparing a security update for Microsoft Defender to address CVE-2026-50656, a privilege-escalation flaw in the Microsoft Malware Protection Engine. The issue is a zero-day with a CVSS score of 7.8 and can enable SYSTEM-level privileges if exploited. A public PoC from Chaotic Eclipse reportedly uses a race condition, increasing pressure for the patch.

Small French automotive business hit by network compromise

Incident

Updated: 17.06.2026 19:00 · First: 17.06.2026 19:00 · 📰 1 src / 1 articles · H score: 4

The small French automotive business suffered a credential-theft intrusion that exposed banking and email access and preserved attacker persistence after the primary C2 went offline. The attacker also installed OpenSSH Server and Tailscale on April 7 to keep a separate way back in. When the Havoc server returned on April 26, the agent reconnected automatically and the activity continued through May 1.

Russian-speaking FortiGate and Microsoft SQL Server bruteforce campaign

Campaign

Updated: 17.06.2026 18:12 · First: 17.06.2026 18:12 · 📰 1 src / 1 articles · H score: 82

A Russian-speaking multi-operator threat group ran a FortiGate and Microsoft SQL Server bruteforce campaign that generated billions of credential attempts, raising the risk of widespread account compromise and internal access. The operation targeted 320,777 FortiGate systems and 163,650 SQL Server systems, and recovered credentials were reportedly used for lateral movement into Active Directory environments. The same activity also involved harvesting and cracking SSL VPN hashes, making it a large-scale access-focused intrusion operation.

FortiBleed Fortinet/FortiGate VPN credential leak

Data Leak

Updated: 17.06.2026 18:12 · First: 17.06.2026 18:12 · 📰 1 src / 1 articles · H score: 78

The FortiBleed leak exposed Fortinet/FortiGate VPN credentials for 73,932 firewall URLs, putting organizations worldwide at risk of account abuse and follow-on intrusion. The exposed records reportedly included usernames, email addresses, and plaintext passwords. Some of the leaked entries were later confirmed as authentic by independent reviewers, indicating the dataset was not a false alarm.

GitBait phishing campaign targeting Mexican banks

Campaign

Updated: 17.06.2026 17:00 · First: 17.06.2026 17:00 · 📰 1 src / 1 articles · H score: 20

A long-running GitBait phishing campaign is stealing banking credentials from customers of Mexican financial institutions, using GitHub Pages and SheetBest to hide its infrastructure and complicate takedown. The operation has hit at least 12 institutions over roughly three years and relies on cloned bank pages plus cloud-based data forwarding. Its serverless design reduces seizure opportunities while increasing the risk of credential theft and downstream account abuse.