Find notable cyber news and cases, enriched with sources, timelines, and signals.

Recent notable Happenings and Cases

Last updated: 15:47 22/06/2026 UTC
Last updated: 06:21 22/06/2026 UTC
  • Incident · H score 93 · PushEngage hit by cyberattack: Awesome Motive remediated a CDN script-tampering incident by migrating its marketing site and rotating the stolen CDN API key after UpdraftPlus-led credential theft, advancing mitigation for sites at risk of takeover.
  • Case · Case score 93 · Awesome Motive WordPress Plugin Supply-Chain Compromise: The Awesome Motive case advanced from initial report to credential-rotation remediation after the latest timeline confirmed attackers stole a CDN API key via an UpdraftPlus compromise, tightening guidance for investigation and trust recovery.
  • Vulnerability · H score 89 · Widget Factory Joomla Content Editor JCE actively exploited improper access control security flaw (CVE-2026-48907): CISA added CVE-2026-48907 (Widget Factory Joomla Content Editor improper access control) to KEV after evidence of active exploitation, signaling imminent, patch-urgent risk of PHP code execution.
  • Campaign · H score 89 · FortiBleed Fortinet credential-theft campaign: CISA warned customers about the ongoing FortiBleed campaign after researchers linked it to 86,644 compromised devices, moving the threat from discovery to urgent enterprise hardening guidance.
  • Public Sector Action · H score 89 · CISA warning on FortiBleed for FortiGate customers: New reporting tied FortiBleed to a server containing working Fortinet login credentials and attacker tools, advancing the likelihood of immediate misuse and credential-based intrusion.
  • Incident · H score 42 · Mastra @mastra/* npm packages hit by network compromise: Microsoft attributed the Mastra npm package compromise to Sapphire Sleet (BlueNoroff) and confirmed more than 140 modified packages, advancing attribution and increasing urgency for package and CI credential remediation.

Latest updates


Squid web proxy heap over-read security flaw (CVE-2026-47729)

Vulnerability

Updated: 22.06.2026 17:29 · First: 22.06.2026 17:29 · 📰 1 src / 1 articles · H score: 37

Squid web proxy is affected by CVE-2026-47729, a heap over-read that can leak another user's cleartext HTTP request, including credentials or session tokens, to another client on the same proxy.

Squid web proxy patch for CVE-2026-47729

Security Patch Release

Updated: 22.06.2026 17:29 · First: 22.06.2026 17:29 · 📰 1 src / 1 articles · H score: 20

Squid maintainers merged a null-terminator check for CVE-2026-47729 into the development branch and v7, closing the FTP-parser over-read that could expose shared proxy traffic. The patch lands in the code path that handled cleartext HTTP requests and embedded credentials or session tokens. Administrators still need to verify that their deployed build or distro backport includes the fix.

Underground credential ecosystem shift changes threat-actor operations

Threat Actor Meta

Updated: 22.06.2026 17:05 · First: 22.06.2026 17:05 · 📰 1 src / 1 articles · H score: 69

A search-your-target underground service layer is turning stolen infostealer logs into on-demand credentials, raising account takeover and corporate intrusion risk across targeted companies and users. Sellers now let buyers query by company, domain, geography, platform, or account type instead of buying bulk dumps. The market sits between log theft and access abuse, with actors advertising freshness, deduplication, and rapid turnaround while buyer feedback says many results are duplicated or invalid.

Apple A12/S4/S5/A13 BootROM usbliter8 authentication bypass flaw

Vulnerability

Updated: 22.06.2026 17:00 · First: 22.06.2026 17:00 · 📰 1 src / 1 articles · H score: 27

Researchers disclosed usbliter8, an unpatchable BootROM flaw affecting Apple A12, S4/S5, and A13 SoCs, creating boot-chain compromise risk for devices an attacker can physically access. The issue sits in immutable BootROM/SecureROM code, so an operating system update cannot fully remove it. The proof-of-concept relies on DFU mode and specialized RP2350-based microcontroller hardware, which limits broad abuse but raises risk for seized, stolen, or unattended devices.

REF8372 malicious Google Ads CastleStealer delivery campaign

Campaign

Updated: 22.06.2026 16:20 · First: 22.06.2026 16:20 · 📰 1 src / 1 articles · H score: 27

The REF8372 campaign now uses malicious Google Ads and a fake Node.js download site to deliver OXLOADER and CastleStealer, putting search users at risk of malware execution and information theft. The operation also abuses Storj, PowerShell, DLL side-loading, and UAC prompts to move from lure to payload. Researchers assess the activity as Russian-speaking and financially motivated, with CIS exclusions suggesting deliberate victim filtering.

OXLOADER loader stages CastleStealer via UAC prompting and DLL side-loading

Malware Activity

Updated: 22.06.2026 16:20 · First: 22.06.2026 16:20 · 📰 1 src / 1 articles · H score: 20

The OXLOADER malware activity now shows a loader delivering CastleStealer through PowerShell, UAC prompting, and DLL side-loading, giving the stealer a stealthier path to infected Windows systems. The loader's obfuscation layers and anti-VM checks help it avoid static detection and sandbox analysis. That combination increases the chance that the payload executes before defenders can stop it.

Easy-day-js malware delivery through poisoned Mastra packages

Malware Activity

Updated: 22.06.2026 14:30 · First: 22.06.2026 14:30 · 📰 1 src / 1 articles · H score: 29

A poisoned Mastra package chain delivered malware through easy-day-js, creating compromise risk across Windows, macOS, and Linux systems. The payload disabled TLS certificate verification and reached an attacker-controlled C2 server before execution. It then expanded post-infection activity by checking for 166 cryptocurrency wallet browser-extension IDs and gathering host reconnaissance data.

Mastra @mastra/* npm packages hit by network compromise

Incident

Updated: 17.06.2026 10:38 · First: 17.06.2026 10:38 · 📰 3 src / 3 articles · H score: 47

Mastra @mastra/* npm packages were compromised in a software supply chain attack that spread through the namespace on 2026-06-17. Microsoft now attributes the activity to Sapphire Sleet (BlueNoroff), saying the attackers compromised the npm maintainer account "ehindero" and published malicious updates to more than 140 npm packages in the @mastra scope. The poisoned packages injected easy-day-js, which ran a postinstall hook, disabled TLS certificate verification, contacted attacker-controlled C2 infrastructure, and deployed a cross-platform stealer on Windows, Linux, and macOS. The activity put credentials, API keys, authentication tokens, and cryptocurrency wallets at risk across developer systems, CI runners, and build environments.

Klue Battlecards app Salesforce customer data leak

Data Leak

Updated: 19.06.2026 12:03 · First: 19.06.2026 12:03 · 📰 3 src / 3 articles · H score: 41

A Klue-related Salesforce data leak on June 12 exposed customer records after an attacker used a compromised legacy credential to obtain OAuth tokens from Klue’s integration infrastructure and access connected environments. Huntress and ReliaQuest tied the activity to stolen integration access, Python scripting, and bulk Salesforce REST API querying, and Icarus has now publicly claimed responsibility on its leak site. Additional affected organizations have disclosed impacts, while most say the exposure was limited to Salesforce instances rather than their core platforms or infrastructure.

CSIS court-authorized botnet disruption on Canadian devices

Public Sector Action

Updated: 22.06.2026 12:11 · First: 22.06.2026 12:11 · 📰 1 src / 1 articles · H score: 25

CSIS used a judge-authorized threat reduction warrant to disrupt two foreign-run botnets on Canadian devices, marking the service's first use of those powers in this way. The action let the agency alter, degrade, destroy, and disconnect botnet data on servers, SOHO routers, and IoT gear on Canadian soil. The Federal Court released a public version of the ruling on June 15, 2026, after granting the warrant on May 1, 2024. The ruling matters because the court found the threat to Canada clearly established and imminent and tied the operation to national-security risk.

Foreign-run botnets relaying traffic through infected Canadian devices

Malware Activity

Updated: 22.06.2026 12:11 · First: 22.06.2026 12:11 · 📰 1 src / 1 articles · H score: 22

The public ruling confirms two foreign-run botnets used infected Canadian devices as traffic relays, a setup that can conceal probing of critical infrastructure, government, and military networks. The botnets relied on a command tier and a relay layer of compromised devices, including servers, SOHO routers, and IoT gear. The activity mattered because the relay pattern let operators blend malicious traffic into ordinary-looking connections and increase stealth. The same infrastructure also created a path for potential disruption against sensitive networks.

FortiBleed Fortinet credential-theft campaign

Campaign

Updated: 19.06.2026 13:48 · First: 19.06.2026 13:48 · 📰 3 src / 3 articles · H score: 89

The FortiBleed Happening is a global Fortinet credential-theft campaign affecting FortiGate firewall and SSL VPN customers. The UK’s NCSC issued guidance after researchers found a database of about 75,000 stolen credentials tied to the campaign, including usernames, email addresses, and plaintext passwords for organizations such as Oracle, Spotify, Toyota, and AT&T. The exposed logins reportedly span 194 countries and over 21,000 unique domains, and the activity has been associated with brute-force, dictionary, and credential stuffing attempts against Fortinet systems.

FortiGate firewall and SSL VPN customers data exposed after Fortinet breach

Data Leak

Updated: 22.06.2026 11:30 · First: 22.06.2026 11:30 · 📰 1 src / 1 articles · H score: 93

The FortiBleed credential leak exposed around 75,000 stolen logins from FortiGate firewall and SSL VPN customers, creating immediate account-takeover risk for affected organizations. The exposed records include usernames, email addresses, and plaintext passwords tied to customers in 194 countries. The dataset also spans over 21,000 unique domains, showing broad exposure across internet-facing Fortinet deployments. The UK’s NCSC has issued guidance for impacted customers to check exposure and hunt for compromise indicators.

FortiBleed Credential Exposure Affecting FortiGate and SSL VPN Accounts

Case

Updated: 22.06.2026 11:30 · First: 22.06.2026 11:30 · 📰 0 src / 1 articles

A FortiBleed dataset containing around 75,000 stolen credentials tied to FortiGate firewall and SSL VPN customers has been exposed, putting affected organizations at immediate risk of account takeover and follow-on network access. The leaked records reportedly include usernames, email addresses, and plaintext passwords, and the exposure has been associated with customers in 194 countries and over 21,000 unique domains. The initial intrusion method has not been confirmed, but the reported sequence points to stolen configuration data followed by credential abuse opportunities against internet-facing systems. The UK NCSC has already issued guidance telling affected organizations to check exposure and review for indicators such as unauthorized account creation and unexpected log activity.

AryStinger legacy-router and QNAP NAS reconnaissance campaign

Campaign

Updated: 22.06.2026 09:57 · First: 22.06.2026 09:57 · 📰 1 src / 1 articles · H score: 72

The AryStinger campaign is turning legacy routers and QNAP NAS boxes into a distributed reconnaissance and proxy network, creating a stealth relay layer for intrusion staging. It has reached at least 4,300 infected routers and is still growing. The operation abuses CVE-2013-3307, CVE-2016-5681, and later CVE-2025-11837 to spread across Linksys, D-Link, and QNAP devices.

AryStinger legacy-router reconnaissance and proxy network

Malware Activity

Updated: 22.06.2026 09:57 · First: 22.06.2026 09:57 · 📰 1 src / 1 articles · H score: 61

The AryStinger malware family is building a distributed reconnaissance and proxy network from legacy routers and NAS appliances, expanding a covert relay layer that helps operators scan and hide their origin. It now affects at least 4,300 infected routers and the pool is still growing. The activity matters because infected devices can fingerprint services, enumerate subdomains, tunnel traffic, and run attacker commands on demand. A second strain extends the operation to QNAP NAS boxes through CVE-2025-11837.

Asia and the South Pacific cybercrime surge across phishing, ransomware, DDoS, and AI scams

Trend

Updated: 22.06.2026 09:06 · First: 22.06.2026 09:06 · 📰 1 src / 1 articles · H score: 32

Asia and the South Pacific is seeing a sharp rise in phishing, ransomware, DDoS, and AI-enabled scams, increasing financial losses and operational pressure across the region. Phishing has become the most widespread and financially damaging cybercrime, with a third of countries reporting more than 10,000 cases between January 2024 and March 2025. The region also recorded over 135,000 ransomware-related attacks in 2024 and a 92% jump in DDoS attacks, showing a broad escalation in cybercrime intensity. The trend is expanding exposure across real estate, manufacturing, and financial services while deepfake-enabled fraud and scam centers drive major losses.

AryStinger botnet turns outdated routers into proxy executors

Malware Activity

Updated: 21.06.2026 17:14 · First: 21.06.2026 17:14 · 📰 1 src / 1 articles · H score: 60

The AryStinger botnet is compromising more than 4,000 outdated routers and converting them into proxy executors for malicious traffic, expanding attacker reach and interception risk. It targets D-Link DIR-850L and D-Link DIR-818LW routers through older flaws and can support scanning, tunneling, and command execution. The malware also enables DNS tampering and network-traffic monitoring, creating a broader exposure window for affected networks.

Prinz Eugen hands-on-keyboard ransomware activity

Malware Activity

Updated: 20.06.2026 18:23 · First: 20.06.2026 18:23 · 📰 1 src / 1 articles · H score: 4

The Prinz Eugen ransomware operation is actively using hands-on-keyboard tradecraft and legitimate RMM tools, which makes intrusions harder to spot and contain. Researchers say the operators likely start with stolen RDP credentials, then manually deploy servertool.exe and maintain access with RemotePC. The encryptor focuses on recently modified files, skips a ransom note, and pushes victims toward out-of-band extortion. The activity has already been tied to multiple victims, including a Standard Bank breach demand of 1 BTC.

Prinz Eugen hackers campaign expands across multiple victims

Campaign

Updated: 20.06.2026 18:23 · First: 20.06.2026 18:23 · 📰 1 src / 1 articles · H score: 4

The Prinz Eugen ransomware campaign is using stolen RDP credentials, RemotePC, and hands-on operator control to break into multiple victims. It matters because the operation combines manual intrusion tradecraft with data encryption and exfiltration, increasing extortion pressure and reducing detection. Researchers say the group has reached at least five victims, while the leak site currently lists three. In one Standard Bank breach, the attacker demanded 1 BTC and was refused.

Sapphire Sleet Mastra npm supply-chain campaign

Campaign

Updated: 20.06.2026 17:09 · First: 20.06.2026 17:09 · 📰 2 src / 2 articles · H score: 42

The Mastra AI supply-chain campaign was attributed to Sapphire Sleet / BlueNoroff after Microsoft said the operation compromised the npm maintainer account "ehindero" and pushed malicious updates into the @mastra scope. The poisoned packages introduced easy-day-js, a typosquat of dayjs, which ran a postinstall hook, reached attacker-controlled C2 infrastructure, and delivered a cross-platform stealer to Windows, Linux, and macOS systems. The activity targeted developers and checked for 166 cryptocurrency wallet extensions, including MetaMask, Phantom, Coinbase Wallet, Binance Wallet, and TronLink. The campaign affected more than 140 npm packages and created exposure to credential theft, API key theft, authentication token theft, and wallet theft.

Gravity SMTP security patch release for CVE-2026-4020

Security Patch Release

Updated: 20.06.2026 12:56 · First: 20.06.2026 12:56 · 📰 1 src / 1 articles · H score: 16

Gravity SMTP released version 2.1.5 to fix CVE-2026-4020, closing a medium-severity information disclosure flaw in the WordPress plugin. The patch addresses a bug that let unauthenticated visitors pull API keys, secrets, and OAuth tokens from plugin data. The update is urgent because the plugin is installed on about 100,000 sites and exploit traffic is already active.

Klue hit by network compromise

Incident

Updated: 18.06.2026 17:19 · First: 18.06.2026 17:19 · 📰 3 src / 4 articles · H score: 39

Klue confirmed a June 12, 2026 security incident in which an attacker used a compromised legacy credential to obtain OAuth tokens from Klue’s integration infrastructure and access data in connected Salesforce environments. The activity is now publicly claimed by Icarus, which said Klue.com was impacted and that partner Salesforce instances were exfiltrated. Reports from Huntress and ReliaQuest tie the theft to automated Python scripts and Salesforce API querying, with affected organizations including Recorded Future, Tanium, Jamf, Sprout Social, Gong, and Insurity. Klue says the incident was limited to third-party integrations and that there is no evidence customer content stored directly in the Klue platform was impacted.

Gravity SMTP actively exploited information disclosure flaw (CVE-2026-4020)

Vulnerability

Updated: 19.06.2026 23:25 · First: 19.06.2026 23:25 · 📰 2 src / 2 articles · H score: 16

An actively exploited unauthenticated information disclosure flaw in Gravity SMTP exposes API keys, secrets, OAuth tokens, and email-service credentials on sites using the plugin, with the affected footprint reaching 100,000 WordPress sites. The vulnerability is tracked as CVE-2026-4020, affects version 2.1.4 and older, and was fixed in 2.1.5. Wordfence says it has blocked more than 17 million attempts, including a spike on June 7.

Apple A12/A13 SecureROM USB DMA underflow with public usbliter8 exploit security flaw

Vulnerability

Updated: 19.06.2026 21:37 · First: 19.06.2026 21:37 · 📰 1 src / 1 articles · H score: 0

A public usbliter8 exploit now reaches arbitrary code execution in Apple's SecureROM, exposing an unpatchable USB DMA underflow flaw across A12, A13, S4, and S5 hardware. The attack needs physical possession, DFU mode, and a RP2350-based microcontroller board, but it completes in under two seconds before the signed boot chain loads. Because the vulnerable code is burned into silicon, no software update can remove the flaw. The result is a durable device-custody risk for environments that must protect high-value Apple hardware from direct access.

CERT/CC UEFI DBX mitigation for vendor-signed applications

Advisory/Mitigation

Updated: 19.06.2026 21:33 · First: 19.06.2026 21:33 · 📰 1 src / 1 articles · H score: 28

CERT/CC issued mitigation guidance to apply UEFI Forbidden Signature Database (DBX) updates, reducing Secure Boot bypass risk for affected vendor-signed UEFI applications. The advisory covers binaries from Acer, AMD, ASUS, ECS, Getac, GIGABYTE, Toshiba, and Uniwill. Administrators are being told to revoke trust in the affected binaries before they can execute during boot.

Texas Parks and Wildlife Department license system vendor hit by network compromise

Incident

Updated: 19.06.2026 19:12 · First: 19.06.2026 19:12 · 📰 1 src / 1 articles · H score: 59

The Texas Parks and Wildlife Department license system vendor suffered an intrusion that led to unauthorized access and exposed customer records for millions of license holders. The breach prompted a state investigation and raised follow-on risks of phishing and social engineering against affected people.

Texas Parks and Wildlife Department customer data exposed after Texas Parks and Wildlife Department breach

Data Leak

Updated: 19.06.2026 19:12 · First: 19.06.2026 19:12 · 📰 1 src / 1 articles · H score: 63

The Texas Parks and Wildlife Department disclosed a data breach at its license system vendor that exposed personal information for 3,087,721 Texas hunting and fishing license customers. The exposed dataset included driver’s license information, passport numbers, email addresses, phone numbers, and residential addresses, creating elevated risk of phishing and social engineering abuse. Officials said SSNs, dates of birth, and financial information were not impacted.

AutoGen Studio MCP WebSocket localhost trust bypass RCE flaw

Vulnerability

Updated: 19.06.2026 18:30 · First: 19.06.2026 18:30 · 📰 1 src / 1 articles · H score: 29

A remote code execution flaw in AutoGen Studio affects the MCP WebSocket surface in pre-release builds 0.4.3.dev1 and 0.4.3.dev2. The exploit chain uses a localhost trust bypass, missing authentication, and command execution from a request parameter. The hardening fix is in GitHub main at commit b047730, but no patched PyPI build has landed yet.

Operation Endgame international cybercrime disruption initiative

Public Sector Action

Updated: 19.06.2026 18:07 · First: 19.06.2026 18:07 · 📰 1 src / 1 articles · H score: 57

Operation Endgame is an ongoing international law enforcement initiative that now includes the takedown of SocGholish infrastructure, expanding disruption of botnets and criminal infrastructure used for malware delivery. The operation has already removed 106 servers and cleaned 14,971 WordPress sites, reducing abuse paths used to spread follow-on payloads. Launched in 2024, the initiative keeps pressure on the infrastructure that supports large-scale cybercrime.