The OYSTERBLUES malware activity used compromised accounts and spear-phishing to reach government organizations, increasing the risk of credential theft and follow-on account abuse. The payload was an information stealer, making the delivery chain especially relevant for sensitive-data collection. The activity was reported in late last month and was linked to UNC1151 in the source reporting.

A long-running phishing campaign by Russian intelligence services is stealing messaging-account credentials from officials, military personnel, politicians, and activists across Ukraine, Europe, and the U.S. The operation uses fake support SMS that impersonate a messaging platform's support bot to trick recipients into revealing access details. The activity threatens sensitive military and political communications and extends to Ukrainian personal accounts.

The FBI and CISA updated mitigation guidance for Signal users after a phishing operation began targeting Backup Recovery Keys, which can expose historical messages on compromised accounts. The advisory says legitimate support communicates only through official company email addresses, never asks for verification codes in the app, and does not send links to verify or restore accounts. Users who may have shared a key are told to create a new Backup Recovery Key so the old one no longer works for future backup downloads, although already stolen backups can still remain accessible.

CISA ordered federal agencies to patch CVE-2026-20230 in Cisco Unified Communications Manager Server by June 28, tightening exposure around an actively exploited SSRF flaw. The vulnerability was added to CISA's KEV catalog under BOD 26-04, making remediation urgent for covered agencies. Cisco had already labeled the bug critical and warned it could be exploited remotely without authentication.

A newly observed SharkLoader malware operation is staging Cobalt Strike Beacon on compromised Windows hosts, expanding post-compromise control and persistence risk. The loader reaches systems through DLL sideloading and malicious installers, including a `SystemSettings.exe` / `SystemSettings.dll` chain. Some samples use decoy PDF lures and staged components to unpack and launch the beacon. The activity raises exposure for organizations hit through public-facing application exploits and installer-based delivery.

The StrikeShark campaign is deploying SharkLoader to load Cobalt Strike Beacon on compromised hosts, raising the risk of broader follow-on intrusion activity. It has targeted a diplomatic organization in Indonesia, government organizations in Taiwan, software development companies, and other entities across multiple countries. The operation combines exploit-driven initial access with post-compromise tooling and persistence, making it a sustained, multi-sector campaign.

Polymarket’s frontend integrity was disrupted when malicious JavaScript reached the live site through a third-party vendor, triggering fraudulent transactions and about $3 million in losses across fewer than 15 accounts. The platform said its own servers and backend infrastructure were not impacted. Polymarket also said it would fully reimburse affected customers. Independent blockchain analysis later traced the stolen funds across Polygon and Ethereum.

The Poisoned Tenant campaign is using fraudulent OpenAI organizations to lure targeted employees into shared ChatGPT workspaces, creating a risk of sensitive company data exposure. The fake invites arrived from [email protected] and passed authentication, making them look legitimate. Attackers also created tenants impersonating real companies and even attached a Visa credit card to improve credibility. The targets were mainly employees in cybersecurity and technology companies.

The newly documented TinyRCT backdoor gives CL-STA-1062 a custom remote-access payload for government and critical-infrastructure targets in Southeast Asia, expanding the operator’s ability to steal data and control compromised hosts. TinyRCT can run commands, exfiltrate files, capture screenshots, and self-delete after use. It is delivered through a malicious archive and AppDomainManager injection chain that retrieves the payload from attacker infrastructure. The activity is tied to operations that included a September 2025 government intrusion and the compromise of at least 10 organizations between October and December 2025.

Amazon Q Developer had a high-severity trust-boundary flaw in MCP server handling that could let a malicious repository trigger commands on a developer machine and steal cloud credentials from an active session. AWS says it patched CVE-2026-12957 and a related CVE-2026-12958, with fixes across affected Amazon Q Developer plugins and Language Servers for AWS 1.65.0; AWS also advises customers to move to 1.69.0 and newer plugin builds. Wiz Research disclosed the issue and published technical details and PoC code.

AWS released fixes for Amazon Q Developer after a high-severity flaw in the VS Code extension could expose developers’ cloud credentials. The patch set covers CVE-2026-12957 and a related CVE-2026-12958 symbolic-link issue. Fixes are available across affected Amazon Q Developer plugins and the language server.

A Linux kernel traffic-control flaw, CVE-2026-46331, lets a local unprivileged user gain root by abusing an out-of-bounds write in act_pedit. A public working exploit appeared within a day of assignment and was shown corrupting a cached /bin/su image in memory without touching the file on disk. Vendors list affected releases across RHEL, Debian, and Ubuntu, and patched kernels or mitigations are available.

CVE-2026-12569 in PTC Windchill PDMlink and PTC FlexPLM was added to CISA KEV after confirmed active exploitation, exposing susceptible systems to remote code execution and JSP web shell deployment. The flaw is rated 9.3 and stems from improper input validation. PTC said patches were released last week and provided mitigation steps to help defenders block abuse and look for compromise indicators.

CISA added CVE-2026-12569 to the KEV catalog after finding active exploitation of PTC Windchill PDMlink and PTC FlexPLM, elevating the flaw to a federal remediation priority. The listed issue is a 9.3 RCE that can let attackers run code on susceptible systems. PTC said attackers are using the flaw to deploy JSP web shells.

Linux kernel merged and shipped the DirtyClone security fix for CVE-2026-43503, closing a CVSS 8.8 local privilege-escalation path that could let affected systems be rooted.

CVE-2026-43503 in the Linux kernel gives a local user a path to root on affected systems, including multi-tenant servers, CI runners, container hosts, and Kubernetes clusters. JFrog Security Research published a working exploit walkthrough on June 25, showing how DirtyClone turns a kernel memory-corruption bug into full privilege escalation. The fix landed in mainline on May 21, so exposed deployments need to update now or apply temporary namespace and module restrictions.

The Mini Shai-Hulud / Miasma / Hades malware activity added malicious npm releases, GitHub Actions workflow abuse, and a related Go module compromise, increasing the risk of developer credential theft across trusted supply-chain workflows. The affected path spans LeoPlatform, RStreams, and the Verana Blockchain project, showing the operator's ability to move across package ecosystems. The payload uses install-time execution and stolen secrets to spread through registries, repositories, and CI/CD runners.

The codfish/semantic-release-action GitHub Action was hit by a malicious commit force-push and tag redirection that caused trusted workflows to run attacker code. The compromise executed inside GitHub Actions runners, where it stole GitHub OIDC tokens and harvested Personal Access Tokens. The event put CI/CD secrets and downstream repository access at risk.

The TinyRCT backdoor appeared in a 2025 intrusion operation, adding stealthy persistent access and control to the attackers' toolkit. It also supports command execution, file exfiltration, and screenshot capture, expanding post-compromise reach. A built-in self-destruct feature can wipe traces from infected systems and complicate response.

A China-linked campaign by CL-STA-1062 is targeting government entities and critical infrastructure across Southeast Asia, with activity reaching state-owned enterprises in the energy and government sectors. Palo Alto Networks Unit 42 tied the operation to the previously undocumented TinyRCT backdoor and said the activity has been active since at least March 2022 and remained visible through 2025. The campaign used ASPX web shells, SoftEther VPN, Mimikatz, and VNT to support access, reconnaissance, and exfiltration. Unit 42 said it detected breaches of at least 10 organizations in the region between October and December 2025.

TonRAT is using a Node.js implant to hide command-and-control lookups behind the TON blockchain API, increasing the chance that blocking and detection will fail. The activity is tied to hospitality hosts and includes encrypted WebSocket communications, which strengthens persistence and operator control on compromised systems. The delivery chain also uses photo-themed ZIP files and a LNK-to-PowerShell sequence, making the malware harder to spot during initial access.

An active phishing campaign is targeting hotel and hospitality organizations across Europe and Asia, increasing the risk of front-desk machine compromise and durable access. The operation has run since April 2026 and uses photo-themed ZIP files to deliver a Node.js implant. The lure chain leans on Calendly and Google redirect infrastructure, and there is no confirmed data theft or ransomware tied to the activity.

Russian investigators seized and searched Andrey Pivovarov's phone and laptop in June 2021, using Cellebrite UFED tools to build a case tied to his opposition work. The forensic record names UFED Physical Analyzer and UFED 4PC and shows searches for Open Russia contacts and activist figures. The action expanded official access to a detained activist's data and linked commercial forensic tooling to a political prosecution.

The Canvas incident at Instructure exposed confidential course and user data after unauthorized activity and a later access event, affecting about 160 UK higher education institutions and roughly 9,000 institutions worldwide. Instructure detected the activity on April 29, 2026, and the same threat actor gained additional access on May 7, 2026 through a second Canvas vulnerability. Canvas was reported fully online by May 9, but the stolen data creates a continuing risk of phishing, smishing, and vishing.

Attackers compromised Instructure's Canvas, stole confidential course and user data, and later reused a Canvas application weakness to alter institutional login pages. The activity affected about 160 UK higher education institutions and roughly 9,000 educational institutions worldwide, while confirmed exposed data included user personal information and messages among users. Response actions included temporary service disruption, shutdown of Free-for-Teacher accounts until issues were resolved, patches, key rotation, increased monitoring, and customer API re-authorization. Canvas was reported fully online by May 9, 2026, but the stolen data leaves a continuing phishing, smishing, and vishing risk, and some claimed exfiltration scale details remain unverified.

Turla's STOCKSTAY backdoor has been newly detailed as a .NET espionage implant used against government and military organizations in Ukraine and entities linked to Italian foreign policy. The malware runs as a multi-component Windows Forms backdoor with secure WebSocket C2, letting operators route commands through separate downloader, tunneler, backdoor, and controller modules. Delivery has included phishing emails, malicious RDP files, MSI installers, and RAR archives; a November 2025 wave used CVE-2025-8088 in WinRAR. Suspected development traces back to December 2022, and the implant shares design overlaps with Kazuar.

Turla's STOCKSTAY phishing campaign is targeting government and military organizations in Ukraine and selected European entities, extending a recurring espionage operation. The operation uses academic- or diplomatic-themed lures to deliver the malware and has been observed across early 2025 and November 2025. Later waves used RAR archives that exploited CVE-2025-8088 in WinRAR, showing the campaign's delivery methods evolved over time.

Microsoft's May 13, 2026 Patch Tuesday release fixed 138 vulnerabilities across its product portfolio, including Windows, Azure, and Edge. None of the flaws were listed as publicly known or under active attack. The update spans both Critical and Important issues, making it a broad monthly remediation cycle for Microsoft customers. Administrators also need to watch a separate Windows Secure Boot certificate rollover before the June 26, 2026 deadline.

Polish authorities arrested four members of an organized cybercrime group, disrupting a case tied to SIM-swapping attacks and cryptocurrency account takeovers. The operation, supported by the FBI and HSI, targets a network linked to millions of U.S. dollars in theft and laundering. The arrests raise the legal exposure for a cross-border cybercrime ring that used telecom breaches and account hijacking to move stolen funds.

Threat actors are abusing Shop by planting fake purchase receipts in order histories, turning a trusted shopping app into a callback-phishing lure that can expose account credentials, payment card details, and OTPs. The abuse also pushes some victims toward remote access software installation. The operation is especially relevant in North America, where Shop is widely used and trusted. No evidence indicates that Shop, Shopify, or the impersonated brands were compromised.