Find notable cyber news and cases, enriched with sources, timelines, and signals.

Recent notable Happenings and Cases

Last updated: 16:32 30/06/2026 UTC
Last updated: 23:47 29/06/2026 UTC

Latest updates


Nissan hit by network compromise

Incident

Updated: 29.06.2026 23:40 · First: 29.06.2026 23:40 · 📰 2 src / 2 articles · H score: 48

Nissan disclosed a data breach affecting current and former employees after unauthorized access tied to Oracle PeopleSoft exploitation put personnel records at risk. The exposed information may include contact details, banking information, Social Security numbers, Social Insurance Numbers, National Identification Numbers, and financial and tax data across the United States, Canada, Mexico, and Brazil. Nissan has activated incident response, engaged outside cybersecurity help, and is tightening access controls while the investigation continues.

Nissan employee data leak via Oracle PeopleSoft zero-day

Data Leak

Updated: 30.06.2026 19:00 · First: 30.06.2026 19:00 · 📰 1 src / 1 articles · H score: 49

Nissan disclosed a data leak affecting current and former employees after attackers exploited Oracle PeopleSoft, exposing sensitive payroll and identity records across multiple countries. The exposure may include Social Security numbers, banking details, tax records, and national identification numbers, making the event a significant privacy and fraud risk. Nissan said the breach was tied to a May 27 to June 9 attack window and that affected staff span the US, Canada, Mexico, and Brazil.

Silent Swap browser-extension crypto-theft campaign

Campaign

Updated: 30.06.2026 18:40 · First: 30.06.2026 18:40 · 📰 1 src / 1 articles · H score: 36

The Silent Swap campaign is replacing copied cryptocurrency wallet addresses with attacker-controlled ones, creating a risk of permanent financial loss for crypto users. It spreads through unsigned .NET and Golang installers that drop a malicious Chromium extension masquerading as Google Notes. The operation uses EtherHiding to resolve command-and-control details and hides itself by tampering with browser settings and developer-mode defenses. Telemetry shows infections are globally distributed, with the heaviest concentration in India.

Silent Swap browser-extension clipboard clipper

Malware Activity

Updated: 30.06.2026 18:40 · First: 30.06.2026 18:40 · 📰 1 src / 1 articles · H score: 36

The Silent Swap malware activity now installs malicious Chromium extensions that intercept copied wallet addresses and reroute cryptocurrency transfers to attacker-controlled wallets, creating direct financial-loss risk for affected users. The activity also steals other clipboard-derived secrets and hides behind a benign-looking Google Notes extension. It uses unsigned .NET and Golang installers and browser tampering to load silently across Chromium-based browsers.

TaskWeaver and Djinn Stealer delivered through abused SimpleHelp RMM tools

Malware Activity

Updated: 30.06.2026 18:34 · First: 30.06.2026 18:34 · 📰 1 src / 1 articles · H score: 36

The abuse of SimpleHelp RMM turned a trusted support channel into a malware delivery path for TaskWeaver and Djinn Stealer, expanding attacker reach into managed networks and downstream environments. TaskWeaver is a modular Node.js loader disguised as jquery.js and executed from a temporary Cloudflare address. Djinn Stealer is a cross-platform infostealer for Windows, macOS and Linux that targets cloud keys, SSH credentials, source code, wallets and package-registry tokens.

GuardFall shell-trick bypass of command safety checks in AI coding agents

Technical Analysis

Updated: 30.06.2026 17:26 · First: 30.06.2026 17:26 · 📰 1 src / 1 articles · H score: 25

GuardFall exposed a shell-trick bypass that lets dangerous commands slip past safety checks in open-source AI coding and computer-use agents, putting full account access at risk. The bypass worked against 10 of 11 tested agents and could reach a real shell before the guard understood what would run. Only Continue was built to resist the default attack path.

Business Email Compromise underground operating model and monetization ecosystem

Threat Actor Meta

Updated: 30.06.2026 17:00 · First: 30.06.2026 17:00 · 📰 1 src / 1 articles · H score: 29

BEC underground activity is expanding into a broader fraud-enablement ecosystem, raising the effectiveness and reach of invoice and payment fraud. Researchers observed actors combining mailbox/SaaS compromise, procurement mapping, call centers, and cash-out services to move stolen funds. Underground discussions from the past year also show rising use of AI-generated business correspondence and recruitment of mule support.

BEC defensive guidance for exposed-credential and account-misuse risk

Defensive Guidance

Updated: 30.06.2026 17:00 · First: 30.06.2026 17:00 · 📰 1 src / 1 articles · H score: 14

BEC defenders are being pushed toward tighter training and account-response controls as operators combine AI-generated business correspondence, call-center pressure, and exposed credentials to improve payment-fraud success. The guidance focuses on leadership, finance, and procurement staff because those roles are most likely to validate invoices and approve transfers. Faster password resets, session revocation, and MFA enforcement reduce the window for account misuse after a mailbox or SaaS compromise.

iPhone AI chatbot traffic leak of API keys, replayable tokens, and open relays

Technical Analysis

Updated: 30.06.2026 16:49 · First: 30.06.2026 16:49 · 📰 1 src / 1 articles · H score: 27

LLMKeyLens testing found 444 iPhone AI chatbot apps leaking paid AI access, exposing API keys, replayable tokens, and open relays that let others bill model usage to the developer account. The technical pattern creates direct risk of LLMjacking and hidden prompt exposure across multiple AI providers, including OpenAI. The problem remained widespread after disclosure, with only 28% of notified developers fixing it within three months.

ClickFix mitigation guidance for Windows and macOS

Defensive Guidance

Updated: 30.06.2026 15:00 · First: 30.06.2026 15:00 · 📰 1 src / 1 articles · H score: 34

Organizations are being urged to harden defenses against ClickFix on Windows and macOS, reducing the chance that social-engineering lures can turn trusted dialogs into malware execution. The guidance pairs user training with administrative restrictions to cut off the main input paths abused by the technique.

Pre-World Cup 2026 fraud surge across partner spoofing, fake sportsbook apps, and travel domains

Trend

Updated: 30.06.2026 14:30 · First: 30.06.2026 14:30 · 📰 1 src / 1 articles · H score: 31

Pre-tournament fraud around FIFA World Cup 2026 intensified across partners, sportsbook users, and travel buyers, raising the risk of impersonation, payment diversion, and credential theft before kickoff. More than one-third of official partners lacked sufficient DMARC enforcement to stop email spoofing, leaving sponsor and vendor messages exposed. A controlled comparison across eight major sportsbook brands found 64 impersonator apps in the pre-tournament window versus zero in the non-tournament baseline. Fraudulent travel and hospitality domains were also staged months ahead of the event, showing a broad, coordinated abuse pattern.

FIFA World Cup 2026 pre-positioned fraud campaign

Campaign

Updated: 30.06.2026 14:30 · First: 30.06.2026 14:30 · 📰 1 src / 1 articles · H score: 30

A pre-positioned FIFA World Cup 2026 fraud campaign was already staged before kickoff, widening the risk of email impersonation, fake apps, and travel-site spoofing across tournament-linked sectors. The operation spanned three sectors and at least ten languages, showing coordinated preparation rather than isolated scams. Its reach into sportsbook, hospitality, and partner-email channels increases the likelihood of fraudulent deposits, payment diversion, and brand impersonation during the tournament.

TaskWeaver and Djinn Stealer delivered through exploited SimpleHelp servers

Malware Activity

Updated: 30.06.2026 14:18 · First: 30.06.2026 14:18 · 📰 1 src / 1 articles · H score: 36

A SimpleHelp exploitation chain is now delivering TaskWeaver and Djinn Stealer, creating a direct path from server-side access to credential theft on managed endpoints. The loader runs as jquery.js through node.exe and acts as an encrypted staging channel rather than a fixed command set. The second stage targets Windows, macOS, and Linux, and it is built to steal cloud, source-control, AI, SSH, browser, and wallet data. Harvested material is packed, encrypted, and exfiltrated to attacker-controlled infrastructure.

Aflac Japan impacted files data exposure

Data Leak

Updated: 30.06.2026 14:12 · First: 30.06.2026 14:12 · 📰 1 src / 1 articles · H score: 31

Aflac Japan disclosed that certain impacted files exposed policy and coverage details, personal information, and bank account information after unauthorized access to its systems. The exposure affects a Japan-only environment and raises risk for affected policyholders and other individuals whose records were stored on the compromised systems. Aflac said it contained the incident, notified Japanese authorities, and continues to investigate the scope while confirming that U.S. business systems were not accessed.

Aflac Life Insurance Japan Ltd. hit by network compromise

Incident

Updated: 30.06.2026 14:12 · First: 30.06.2026 14:12 · 📰 1 src / 1 articles · H score: 16

Aflac Japan disclosed an unauthorized access incident that affected certain systems between June 15 and June 25, 2026, creating risk around sensitive insurance records and bank information. The company said impacted files included policy and coverage details, personal information, and bank account information. It also said the incident was limited to systems in Japan and that U.S. business systems were not accessed.

Microsoft Teams admin policy adds approval-based control for third-party bots

Security Tool/Service

Updated: 30.06.2026 13:52 · First: 30.06.2026 13:52 · 📰 1 src / 2 articles · H score: 11

Microsoft Teams introduced an admin policy that lets organizers prevent third-party bots from joining meetings without approval. The control improves visibility over external participants by detecting bots, placing them in the meeting lobby, and requiring confirmation before admission. The update reduces the risk of malicious apps or automated tools being abused for meeting access and social engineering.

Microsoft Teams third-party bot approval controls for meeting social-engineering risk

Defensive Guidance

Updated: 30.06.2026 13:52 · First: 30.06.2026 13:52 · 📰 1 src / 1 articles · H score: 11

Microsoft Teams has added admin controls that block third-party bots without approval, reducing meeting social-engineering risk across managed tenants. The policy improves visibility by identifying bots, placing them in the meeting lobby, and requiring organizer confirmation before admission. Microsoft also plans allow lists, bot blocking, and audit logs to tighten enforcement.

TONResolver RAT delivered via ZIP, LNK, and PowerShell

Malware Activity

Updated: 30.06.2026 13:30 · First: 30.06.2026 13:30 · 📰 1 src / 1 articles · H score: 22

The TONResolver malware implant was delivered through a ZIP/LNK/PowerShell chain that can establish a remote access trojan foothold and enable command execution. The payload is tracked as TrojanSpy.JS.TONRESOLVER.A and is designed for follow-on compromise rather than simple nuisance behavior. It also uses the TON blockchain to make command-and-control switching harder to detect and block. The delivery and obfuscation layers raise the cost of inspection, containment, and takedown.

Booking.com partner accommodation phishing campaign targeting Japan

Campaign

Updated: 30.06.2026 13:30 · First: 30.06.2026 13:30 · 📰 1 src / 1 articles · H score: 32

A phishing campaign is targeting Booking.com partner accommodations in Japan with guest-complaint and review-request lures that deliver malicious files for TONResolver installation. The operation matters because the payload can establish a foothold for command execution and possible credential theft. The same activity also reached partner accommodations in multiple other countries, showing broader campaign continuity.

Kali Linux 2026.2 adds 9 tools and expands Kali NetHunter capabilities

Security Tool/Service

Updated: 30.06.2026 12:46 · First: 30.06.2026 12:46 · 📰 1 src / 1 articles · H score: 11

Kali Linux 2026.2 ships with 9 new tools and broader Kali NetHunter improvements, expanding the capabilities of a widely used security-testing platform. The release also updates packages, helper scripts, desktop environments, and VM behavior, improving virtual machine boot speed and day-to-day operator workflow.

Nidec Chaun Choung Technology alleged data leak by Blackfield

Data Leak

Updated: 30.06.2026 12:41 · First: 30.06.2026 12:41 · 📰 1 src / 1 articles · H score: 45

Blackfield escalated pressure on Nidec Corporation and Nidec Chaun Choung Technology by posting alleged stolen-data samples and threatening to publish or sell the material, increasing the risk of exposure of internal documents and file structures. The leak claim remains unverified, but the posted samples and ransom demand make the data exposure allegation operationally significant.

Nidec Chaun Choung Technology hit by ransomware attack

Incident

Updated: 30.06.2026 12:41 · First: 30.06.2026 12:41 · 📰 1 src / 1 articles · H score: 49

Nidec Chaun Choung Technology confirmed a ransomware attack that damaged part of a server and forced emergency containment actions. The company shut down the affected server and network to prevent spread while it investigated whether production, shipping, and other operations were affected. The incident also created a possible information leak risk, though no personal or confidential data had been confirmed publicly leaked online.

UK healthcare cyber-attack surge accelerates in early 2026

Trend

Updated: 30.06.2026 12:30 · First: 30.06.2026 12:30 · 📰 1 src / 1 articles · H score: 71

SonicWall detected a tenfold increase in attacks against the UK healthcare sector during January-May 2026, increasing pressure on hospital defenses and internet-facing care systems. The sensors recorded 264,000 events in that period, compared with 27,000 across all of 2025. The surge suggests attackers are exploiting both legacy Java systems and newer patient portals at the same time. The pattern raises the risk of persistent probing, patching delays, and operational disruption across healthcare networks.

AirDrop and Quick Share nearby crash and session-bypass flaws

Vulnerability

Updated: 30.06.2026 12:27 · First: 30.06.2026 12:27 · 📰 1 src / 1 articles · H score: 1

Nearby attackers can crash AirDrop and bypass Quick Share session checks, exposing Apple, Samsung, and Google Windows file-sharing stacks to local disruption and possible exploitation. The flaws reach sharingd on macOS and iOS, and one issue sits in Google's Quick Share for Windows memory handling. Attackers need wireless proximity or the same local network, but they do not need prior pairing or user interaction. Apple has patched one bug and Google has landed a Windows fix, while the rest remain under coordinated disclosure.

AirDrop and Quick Share fixes from Apple and Google

Security Patch Release

Updated: 30.06.2026 12:27 · First: 30.06.2026 12:27 · 📰 1 src / 1 articles · H score: 27

Apple and Google have started shipping fixes for the disclosed AirDrop and Quick Share flaws, reducing exposure for nearby attacks against widely used sharing features. Apple has patched one AirDrop bug and assigned it a CVE, while the advisory remains unpublished. Google has landed a code fix for the Quick Share for Windows flaw, though its CVE is still pending. Samsung's two Quick Share bugs remain under investigation.

Microsoft Defender BlueHammer (CVE-2026-33825) ransomware exploitation wave

Exploitation Wave

Updated: 30.06.2026 11:53 · First: 30.06.2026 11:53 · 📰 1 src / 1 articles · H score: 41

CISA has flagged BlueHammer (CVE-2026-33825) as exploited in ransomware campaigns, expanding the risk to Windows devices exposed to privilege escalation. The flaw in Microsoft Defender can let an authorized attacker elevate to SYSTEM and take over a targeted machine. Microsoft patched the issue on April 14, but the KEV update shows active abuse is still occurring.

TaskWeaver and Djinn Stealer malware delivery via abused SimpleHelp technician access

Malware Activity

Updated: 30.06.2026 11:43 · First: 30.06.2026 11:43 · 📰 1 src / 1 articles · H score: 36

An abused SimpleHelp technician session led to the delivery of TaskWeaver and Djinn Stealer, turning an access flaw into malware execution on managed systems and developer machines. The activity matters because it gave the attacker a path to load payloads, fingerprint hosts, and steal high-value secrets from development environments.

AI browser guidance to prompt before reading logged-in accounts and limit agent access

Defensive Guidance

Updated: 30.06.2026 11:37 · First: 30.06.2026 11:37 · 📰 1 src / 1 articles · H score: 28

LayerX recommends tightening AI browser agent mode so the browser must ask before reading from logged-in accounts, reducing the risk of credential theft through indirect prompt injection. The guidance also calls for hard limits on what an agent can touch, so a compromised browsing session cannot freely reach private repositories, open tabs, or internal tools. The change targets a concrete abuse path where malicious pages steer an agent into copying secrets to an attacker.

UK ransomware hardening guidance for businesses using backups, access controls, and updates

Defensive Guidance

Updated: 30.06.2026 11:00 · First: 30.06.2026 11:00 · 📰 1 src / 1 articles · H score: 28

UK businesses were urged to harden ransomware defenses with regular backups, strong access controls, system updates, and NCSC guidance, reducing attack risk and recovery impact across an SME-heavy corporate base.

UK corporate ransomware trend with SMEs hit hardest and losses rising in 2025-2026

Trend

Updated: 30.06.2026 11:00 · First: 30.06.2026 11:00 · 📰 1 src / 1 articles · H score: 34

UK corporate ransomware activity rose to more than 26 successful attacks each month last year, driving a sustained risk to small and mid-sized companies. 323 corporate victims were reported between April 2025 and March 2026, and average reported losses climbed to around £270,000 per incident.