Google filed a civil lawsuit against Outsider Enterprise, adding legal pressure to a major phishing infrastructure operation that sent fraudulent texts at scale. The action matters because it targets the network used to impersonate trusted brands and supports blocking efforts with AT&T, T-Mobile, and Verizon.

The FBI and partners dismantled Outsider Enterprise, a phishing-as-a-service operation tied to thousands of phishing websites and large-scale credential theft. The takedown seized infrastructure, domains, wallets, and a Telegram bot, disrupting a network that had operated since at least 2023. The disruption cuts off a service blamed for millions of stolen credit card records and $1.9 billion in estimated losses.

The Outsider Enterprise happening is a phishing-as-a-service campaign tied to a Chinese cybercrime network that used AI and distributed phishing kits to impersonate trusted brands in texts sent through AT&T, T-Mobile, and Verizon. In the latest phase, the FBI, with Google and Black Lotus Labs, dismantled parts of the operation, seized infrastructure including administration servers, a Shopify e-commerce storefront, a testing account, around $100,000 USDT, and a Telegram bot, and redirected thousands of domains to an FBI splash page. Google said the service had reached 9,000 fake websites and more than a million fraudulent URLs, and authorities tied the activity to theft of more than 3.8 million credit card records and $1.9 billion in losses. Google is also pursuing civil action and working with carriers to block fraudulent messages before they reach subscribers.

The Outsider Enterprise is a Chinese phishing-as-a-service operation that used Telegram, AI, and distributed phishing kits to run large-scale brand-impersonation campaigns through texts sent over AT&T, T-Mobile, and Verizon. Google linked the network to 9,000 fake websites and more than a million fraudulent URLs, and authorities say the activity has driven theft of more than 3.8 million credit card records and about $1.9 billion in losses. The latest response includes an FBI-led takedown with Google and Black Lotus Labs, seizures of infrastructure and funds, and carrier blocking efforts to stop fraudulent messages before they reach users.

The Saydel Community School District suffered a 21-month unauthorized access intrusion that disrupted classroom operations, deleted accounts, and caused tens of thousands of dollars in remediation costs. The attacker used retained credentials after employment ended to keep reaching district systems. The activity also blocked access to Apple School Manager and Schoology, creating direct operational impact for staff and students.

Ezekiel Dean Potter was sentenced on June 11, 2026 to 21 months in prison and three years of supervised release for computer fraud tied to attacks on the Saydel Community School District. The sentence resolves a post-employment intrusion campaign that disrupted classroom operations and caused tens of thousands of dollars in damage. Potter must also pay $59,668.81 in restitution and faces monitoring and restrictions during supervision.

A target organization suffered a 10-year authentication stack compromise that exposed administrative activity inside an isolated critical infrastructure network. The intrusion was linked to Velvet Ant and Operation Highland, and it began in 2016 after access through internet-facing systems. Attackers then preserved access by modifying PAM and OpenSSH components to steal credentials and observe every login and command.

Splunk released security updates for CVE-2026-20253, fixing a critical Splunk Enterprise flaw that could enable unauthenticated file operations and remote code execution. The update covers Splunk Enterprise 10.0.0 to 10.0.6 and 10.2.0 to 10.2.3, with fixes in 10.0.7 and 10.2.4. Splunk Cloud is not impacted.

Splunk Enterprise now has a critical CVE-2026-20253 flaw that lets an unauthenticated attacker perform arbitrary file operations and potentially reach remote code execution on affected servers. The issue affects versions below 10.2.4 and 10.0.7, while Splunk Cloud is not impacted. The weakness sits in a PostgreSQL sidecar service endpoint that lacks authentication controls, allowing network-reachable users to invoke file operations without credentials. Exploit details published for the flaw increase the risk of opportunistic abuse even though there is no evidence of in-the-wild exploitation.

The U.S. government ordered Anthropic to suspend access to Claude Fable 5 and Mythos 5 for foreign nationals, restricting advanced AI model access on national-security grounds. Anthropic said it received the order at 5:21 p.m. ET and is trying to restore access after what it described as a possible misunderstanding. The directive does not affect access to other models, and Mythos 5 remains available to a vetted group of cyber defenders and critical infrastructure operators.

Maine's Attorney General's Office temporarily disabled public access to the breach notification database, changing the state's breach-reporting workflow after fraudulent disclosures were posted. The office said the move is meant to curb abuse of the reporting system and stop false notices from being auto-published. The service still accepts submissions from companies, but the public must now request copies directly from the office.

Atomic Arch is a malware activity that hijacked more than 400 Arch User Repository (AUR) packages on or after June 11 and rewrote their build scripts to run npm install atomic-lockfile during builds, delivering a Rust credential stealer through the AUR build path. The deps payload targets developer workstations and build systems, steals browser cookies, SSH keys, GitHub/npm tokens, and other secrets, exfiltrates data to temp.sh, and can add systemd persistence plus an optional eBPF rootkit when it has root. The official Arch repositories were not affected, and confirmed examples include alvr and premake-git.

A critical phpBB authentication bypass now exposes versions up to 3.3.16 and the 4.0.0 alpha to account takeover, including administrators, through one unauthenticated request. The flaw affects standard installs in default database-authentication mode, so a normal deployment can be vulnerable out of the box. phpBB 3.3.17 is the complete fix and affected operators need to upgrade.

Researchers documented a long-running Velvet Ant compromise of Linux PAM and OpenSSH login components, exposing credential theft and covert persistence across isolated systems. The attacker modified trusted sign-in software to accept secret passwords, record real credentials, and capture commands typed during sessions. The technique matters because it turns the authentication layer itself into a stealthy credential harvester and frustrates normal cleanup.

A Velvet Ant campaign was uncovered that quietly maintained access by backdooring Linux PAM and OpenSSH components, putting credential capture and command logging inside the login path. The operation used internet-facing systems as a bridge into an isolated network and left traces dating to 2016. Because the compromised software controlled authentication itself, ordinary cleanup and password resets would not reliably remove the foothold or stop reuse of stolen credentials.

Oleksii Oleksiyovych Lytvynenko pleaded guilty to conspiracy to commit wire fraud in a Conti ransomware case, resolving a major U.S. prosecution tied to attacks on victims in the United States and abroad. Prosecutors said the operation stole data, encrypted devices, and sought Bitcoin ransom payments after his extradition from Ireland and prior arrest in July 2023. The plea increases legal exposure for a key Conti participant and keeps the cross-border ransomware case active at sentencing.

The Conti ransomware operation ran as a large-scale 2021-2022 extortion campaign that stole data and encrypted devices to pressure victims into paying Bitcoin. It struck victim networks in the United States and abroad and targeted hospitals, businesses, schools, and government agencies. Court documents say the operation hit more than 1,000 victims worldwide and collected over $150 million in ransom payments.

AUR packages are distributing the atomic-lockfile Linux rootkit and infostealer through compromised build scripts, with more than 400 packages reported and the official Arch repositories not affected. The malicious path uses preinstall and post-install hooks to fetch [email protected], which runs a bundled Linux ELF named deps during builds. The payload targets developer secrets such as GitHub, SSH, Vault, Slack, Microsoft Teams, Discord, Docker/Podman, VPN, and browser and Electron data, and it can load an optional eBPF rootkit when built with root privileges.

AUR package-hijacking campaign is abusing more than 400 compromised Arch User Repository (AUR) packages to deliver atomic-lockfile, turning the AUR build path into a supply-chain route for credential theft and an optional eBPF rootkit. Attackers used orphaned packages, spoofed maintainer metadata, and altered PKGBUILD or .install scripts to run npm install atomic-lockfile during builds; confirmed examples include alvr and premake-git. The payload is a Rust stealer that targets developer secrets such as browser sessions, SSH keys, GitHub and npm tokens, HashiCorp Vault tokens, and desktop app session data, and it can also hide itself when it gains root. Users who installed or updated AUR packages on or after June 11 were told to check against known-bad package lists, rotate exposed credentials, and treat affected hosts as compromised if the package ran.

NPM's Git dependency install path can be bypassed by a malicious .npmrc, allowing full code execution even when --ignore-scripts=true is enabled. The flaw weakens Git repository install defenses and sits within the broader PackageGate set of JavaScript package-manager issues. GitHub's npm v12 adds a separate mitigation path by making install-time execution and non-registry sources require explicit approval, reducing abuse of preinstall/install/postinstall scripts, node-gyp builds, Git-based dependencies, and remote URL dependencies.

GitHub announced npm v12 with default-blocking install scripts, Git dependencies, and remote URLs, shifting package installation to explicit opt-in and reducing supply-chain attack risk. The rollout is scheduled for July 2026 and replaces historically permissive dependency handling across the npm ecosystem. Developers can already move to npm 11.16.0+ and use npm approve-scripts to audit blocked scripts and build local allowlists.

A Sentry architectural flaw can let attacker-crafted error events be returned as trusted output to AI coding agents, creating arbitrary code execution risk on developer machines. The weakness affects exposed organizations that publish a usable DSN and connect Sentry to agents through MCP. Sentry acknowledged the issue and relied on a content filter rather than a full fix.

Microsoft has fixed a WUSA problem that caused Windows updates to fail when installed from a network share, disrupting update deployment on Windows 11 24H2/25H2 and Windows Server 2025 enterprise systems. The failure could surface as ERROR_BAD_PATHNAME when a share held multiple .msu files. Microsoft first reduced the impact with Known Issue Rollback on some devices before resolving the issue in June 2026 cumulative updates.

Sports organizations faced sustained cyber targeting across the last 12 months, with 84% of teams, venues and event bodies hit and 57% struck more than once. The pattern raises operational risk for live events, where attackers can time ransomware or DDoS disruption for maximum impact. The same targeting also increases exposure to fan data theft, supply-chain abuse and phishing-led compromise.

Novo Nordisk disclosed externally copied non-public data affecting clinical-trial participants and some healthcare professionals, raising exposure risk for sensitive records and contact details. The exposed material includes patient IDs, trial participation details, biomarkers, health/immunogenicity data, lifestyle factors, and HCP names, phone numbers, and office locations. The company said the patient records were pseudonymized, but the HCP details could support phishing and impersonation attempts. Novo Nordisk took the compromised internal IT systems offline while investigators assess the full scope of the leak.

Researchers disclosed three now-patched LangGraph vulnerabilities affecting self-hosted deployments and including a remote code execution chain. The flaws span SQLite checkpoint SQL injection, unsafe msgpack deserialization, and RediSearch Query Injection. The issue is most serious where deployments accept user-controlled filter input or expose the get_state_history() endpoint. LangSmith Deployment is stated to be unaffected.

CISA ordered FCEB agencies to secure Ivanti Sentry within three days after confirming CVE-2026-10520 is being actively exploited, creating immediate remediation pressure on federal civilian systems. The directive came under Binding Operational Directive 26-04 and adds the flaw to the KEV Catalog. That combination makes the exposure operationally urgent for any federal deployment that still lacks a fix or acceptable mitigation.

Google rolled out Chrome 149 for Windows, macOS, and Linux, resolving 28 critical and high-severity vulnerabilities. The update reduces risk from browser compromise, memory corruption, and possible sandbox-escape chains tied to flaws in core browser components.

INTERPOL-led Operation Ramz disrupted Sniper Dz, a decade-long phishing-as-a-service (PhaaS) platform, during October 2025-February 2026. Authorities in 13 MENA countries made 201 arrests, including Guedz, the platform’s primary developer and administrator, and seized the site used to offer the service plus hardware containing phishing software and scripts. Group-IB said Sniper Dz had collected more than 45,000 victim records, used 80 phishing templates in five languages, and targeted 30 major global organizations before it was taken down.

A long-running Sniper Dz ecosystem operated as a free phishing-as-a-service (PhaaS) platform that repeatedly rebranded, lowering the barrier for large-scale credential theft and scam delivery. Its bundled kits, hosting, and support helped cybercriminals launch phishing campaigns across major brands and government impersonations.