Find notable cyber news and cases, enriched with sources, timelines, and signals.

Recent notable Happenings and Cases

Last updated: 15:06 17/06/2026 UTC
Last updated: 10:47 17/06/2026 UTC
  • Case · Case score 93 · Awesome Motive WordPress Plugin Supply-Chain Compromise: Awesome Motive remediated its WordPress CDN script-tampering by rotating the stolen CDN API key and moving off the compromised hosting, advancing the case from exposure to credential-level containment after UpdraftPlus-based access.
  • Vulnerability · H score 89 · Widget Factory Joomla Content Editor JCE actively exploited improper access control security flaw (CVE-2026-48907): CISA added CVE-2026-48907 (Widget Factory Joomla Content Editor) to KEV after evidence of active exploitation, increasing urgency for patching because the improper access-control flaw can enable unauthenticated PHP code execution.
  • Public Sector Action · H score 89 · CISA KEV remediation order for CVE-2026-48907: FBI, Google, and Black Lotus Labs dismantled the Outsider Enterprise phishing-as-a-service infrastructure used for large-scale SMS smishing, shifting the operation from active fraud delivery to disruption and legal pressure.
  • Case · Case score 77 · Kodak breach investigation and ShinyHunters leak threat: Kodak faced a renewed ShinyHunters extortion push with a claimed 2.2M-record data-leak threat and an 18 June publication deadline, raising the likelihood of follow-on abuse even as the dataset remains unverified.
  • Vulnerability · H score 58 · Oracle PeopleSoft PeopleTools zero-day RCE (CVE-2026-35273): Oracle released emergency mitigations for the PeopleSoft PeopleTools zero-day (CVE-2026-35273) after ShinyHunters-linked attacks demonstrated remote exploitation in the pre-advisory window.
  • Incident · H score 93 · PushEngage hit by cyberattack: Awesome Motive reported remediation actions after a CDN supply-chain compromise that tampered JavaScript for PushEngage/OptinMonster/TrustPulse, reducing ongoing site-takeover risk by rotating credentials including the CDN API key.

Latest updates


Russian-speaking FortiGate and Microsoft SQL Server bruteforce campaign

Campaign

Updated: 17.06.2026 18:12 · First: 17.06.2026 18:12 · 📰 1 src / 1 articles · H score: 82

A Russian-speaking multi-operator threat group ran a FortiGate and Microsoft SQL Server bruteforce campaign that generated billions of credential attempts, raising the risk of widespread account compromise and internal access. The operation targeted 320,777 FortiGate systems and 163,650 SQL Server systems, and recovered credentials were reportedly used for lateral movement into Active Directory environments. The same activity also involved harvesting and cracking SSL VPN hashes, making it a large-scale access-focused intrusion operation.

FortiBleed Fortinet/FortiGate VPN credential leak

Data Leak

Updated: 17.06.2026 18:12 · First: 17.06.2026 18:12 · 📰 1 src / 1 articles · H score: 78

The FortiBleed leak exposed Fortinet/FortiGate VPN credentials for 73,932 firewall URLs, putting organizations worldwide at risk of account abuse and follow-on intrusion. The exposed records reportedly included usernames, email addresses, and plaintext passwords. Some of the leaked entries were later confirmed as authentic by independent reviewers, indicating the dataset was not a false alarm.

GitBait phishing campaign targeting Mexican banks

Campaign

Updated: 17.06.2026 17:00 · First: 17.06.2026 17:00 · 📰 1 src / 1 articles · H score: 20

A long-running GitBait phishing campaign is stealing banking credentials from customers of Mexican financial institutions, using GitHub Pages and SheetBest to hide its infrastructure and complicate takedown. The operation has hit at least 12 institutions over roughly three years and relies on cloned bank pages plus cloud-based data forwarding. Its serverless design reduces seizure opportunities while increasing the risk of credential theft and downstream account abuse.

Enterprise employees uploading sensitive data to AI tools surge across organizations

Trend

Updated: 17.06.2026 16:15 · First: 17.06.2026 16:15 · 📰 1 src / 1 articles · H score: 69

Enterprise employees are uploading sensitive data to AI and machine-learning tools at a sharply higher rate, increasing the chance of data breaches and cyber espionage. The measured volume reached 18,033 TB during January 2025 through December 2025, with transfers up 93% year over year. Use is concentrated in everyday assistants such as Grammarly and ChatGPT, which together drove more than half of the observed transfers. The same pattern produced hundreds of millions of DLP violations, showing how routine productivity workflows can create large-scale exposure.

Telegram access disruption from AS18101 route spillover

Service Disruption

Updated: 17.06.2026 16:12 · First: 17.06.2026 16:12 · 📰 1 src / 1 articles · H score: 62

Telegram access was disrupted outside India after AS18101 / Reliance Communications announced Telegram prefixes, spilling a domestic block into the UAE and other regions. The route leak cut off users who were never meant to be covered by the restriction. Analysts later confirmed the hijack, showing that the availability problem was real even as intent remained disputed.

Microsoft Office launch disruption after June 2026 Windows updates

Service Disruption

Updated: 17.06.2026 14:54 · First: 17.06.2026 14:54 · 📰 1 src / 1 articles · H score: 0

Microsoft is investigating a Windows update-related disruption that can stop third-party applications from launching Word, Excel, PowerPoint, Access or opening documents on up-to-date Windows systems. The issue appears after the June 9, 2026 updates and affects apps that use OLE automation to interact with Office. No fix is available yet, so affected users are being told to open Office apps or files directly as a workaround. The disruption can break workflows in tools such as CCH Engagement, Zotero, Workpaper Manager, Dentrix, and Softdent.

Broad exposure of admin panels, databases, and legacy services across organizations

Trend

Updated: 17.06.2026 13:30 · First: 17.06.2026 13:30 · 📰 1 src / 1 articles · H score: 18

Broad exposure of HTTP panels, databases, and legacy services is expanding organizations' internet-facing attack surface, increasing brute-force and initial-access risk. In a 2026 measurement of 3,000 attack surfaces, 60% of organizations had at least one exposed panel, 49% had a risky port or service, and 42% had a database reachable from the internet. Public files and information were also common at 30%, showing that many reachable assets should not be public at all.

JCE Pro 2.9.99.6 patch for CVE-2026-48907

Security Patch Release

Updated: 17.06.2026 13:09 · First: 17.06.2026 13:09 · 📰 1 src / 1 articles · H score: 46

The JCE security team released JCE Pro 2.9.99.6 in early June 2026 to fix CVE-2026-48907 in the Widget Factory Joomla Content Editor (JCE) plugin. The update addresses an improper access control flaw that could let unauthenticated attackers upload and execute PHP code on Joomla deployments. Public reporting says the flaw is actively exploited and users should patch installations as soon as possible.

Widget Factory Joomla Content Editor JCE actively exploited improper access control security flaw (CVE-2026-48907)

Vulnerability

Updated: 17.06.2026 08:50 · First: 17.06.2026 08:50 · 📰 2 src / 2 articles · H score: 89

The Widget Factory Joomla Content Editor (JCE) flaw CVE-2026-48907 has been added to CISA's KEV catalog after evidence of active exploitation, putting affected Joomla sites at risk of PHP code upload and execution. The issue is an improper access control weakness that lets unauthenticated users create editor profiles and reach arbitrary code execution. JCE 1.0.0 through 2.9.99.4 are affected, and version 2.9.99.5 contains the fix.

Council of the EU approves Ukraine for the EU Cybersecurity Reserve

Public Sector Action

Updated: 17.06.2026 12:45 · First: 17.06.2026 12:45 · 📰 1 src / 1 articles · H score: 24

The Council of the EU approved Ukraine's inclusion in the EU Cybersecurity Reserve, expanding access to emergency cyber support for large-scale attacks and incidents. The Reserve, managed by ENISA, can now help Ukrainian organizations and businesses through incident-response services from 47 trusted private providers. The decision broadens a Digital Europe Work Programme 2025-2027 capability under the EU Cyber Solidarity Act and strengthens cross-border cyber resilience.

JetBrains Marketplace malicious plugins exfiltrating AI provider keys

Malware Activity

Updated: 17.06.2026 12:38 · First: 17.06.2026 12:38 · 📰 1 src / 1 articles · H score: 12

A JetBrains Marketplace malware operation has pushed 15 malicious plugins that pose as AI coding assistants and steal AI provider API keys from developers. The plugins send the entered keys to 39.107.60[.]51 and have been active since late October 2025, with new releases still appearing on June 10, 2026. The scale and marketplace distribution make the activity a direct risk to developer environments and paid AI accounts.

Developers' AI provider API keys exfiltrated via malicious JetBrains plugins

Data Leak

Updated: 17.06.2026 12:10 · First: 17.06.2026 12:10 · 📰 1 src / 1 articles · H score: 12

Developers' AI provider API keys were exfiltrated through malicious JetBrains Marketplace plugins, exposing credentials from a broad user base and risking unauthorized access to paid AI accounts. At least 15 plugins were tied to the same operation and had been installed around 70,000 times. The plugins dated back to October 2025, with the newest releases appearing in June 2026.

2026 SANS SOC survey shows persistent staffing pressure and uneven AI workflow adoption

Trend

Updated: 17.06.2026 11:45 · First: 17.06.2026 11:45 · 📰 1 src / 1 articles · H score: 23

A 2026 SANS SOC Survey found staffing remains the top operational challenge for SOC teams, and the gap between leaders and practitioners keeps signaling retention and hiring risk. 14% of practitioners named staffing their main issue, while 59% of cyber leaders said management pays close attention to hiring and retention needs. AI/ML use is widespread at 79%, but only 36% have built those tools into a defined workflow, leaving many SOCs with uneven operational control.

Microsoft Malware Protection Engine race-condition elevation-of-privilege remote code execution flaw (CVE-2026-50656)

Vulnerability

Updated: 17.06.2026 11:32 · First: 17.06.2026 11:32 · 📰 1 src / 1 articles · H score: 33

A Microsoft Defender zero-day tracked as CVE-2026-50656 can elevate privileges to SYSTEM on fully patched Windows 10 and Windows 11 devices. Microsoft says it is working on a security update, leaving the flaw temporarily unpatched. The bug is publicly known as RoguePlanet and affects the Microsoft Malware Protection Engine.

Easy-day-js Mastra package-publishing campaign

Campaign

Updated: 17.06.2026 10:38 · First: 17.06.2026 10:38 · 📰 1 src / 1 articles · H score: 30

The easy-day-js campaign mass-published more than 140 malicious npm packages across the @mastra/* namespace, creating broad supply-chain exposure for developers and build systems. The operation used the ehindero npm account in a short publishing burst on 2026-06-17. The malicious packages could reach users through normal installs before defenders removed the tainted versions.

Mastra @mastra/* npm packages hit by network compromise

Incident

Updated: 17.06.2026 10:38 · First: 17.06.2026 10:38 · 📰 1 src / 1 articles · H score: 24

The Mastra @mastra/* npm packages were compromised in a software supply chain attack, putting installs at risk of workstation, CI runner, and build-environment compromise. The malicious wave used a hijacked ehindero account to mass-publish more than 140 packages on 2026-06-17. A dependency on easy-day-js introduced a postinstall loader that fetched a second stage from 23.254.164[.]92 and exfiltrated data to 23.254.164[.]123.

Kodak hit by cyberattack

Incident

Updated: 17.06.2026 10:07 · First: 17.06.2026 10:07 · 📰 1 src / 1 articles · H score: 74

Kodak confirmed a data breach after an unauthorized third party gained temporary access to a limited amount of company data. The company said it has brought in external cybersecurity experts and is investigating what was accessed and copied. Kodak also said it is working with law enforcement and sees no threat to systems or operations.

Kodak customer and internal data leak claim

Data Leak

Updated: 17.06.2026 10:07 · First: 17.06.2026 10:07 · 📰 1 src / 1 articles · H score: 77

Kodak is facing a claimed data leak after ShinyHunters said it stole over 2.2 million records from the company and threatened public release. The claimed material includes customer PII and internal corporate data, putting sensitive information at risk even as the full scope remains unverified. The leak deadline heightens pressure on Kodak and increases the chance of follow-on abuse if the data is published.

Kodak breach investigation and ShinyHunters leak threat

Case

Updated: 17.06.2026 10:07 · First: 17.06.2026 10:07 · 📰 0 src / 2 articles

Kodak is dealing with a confirmed unauthorized-access incident and an associated ShinyHunters leak threat. Kodak said a third party gained temporary access to a limited amount of company data, while the actor claimed it stole over 2.2 million records containing customer PII and internal corporate data and threatened publication on 18 June 2026. Kodak has engaged external cybersecurity experts and law enforcement to determine what was accessed and copied. Available evidence confirms the breach investigation and the extortion-style leak threat, but not independent verification of the full claimed dataset.

CISA KEV remediation order for CVE-2026-48907

Public Sector Action

Updated: 17.06.2026 08:50 · First: 17.06.2026 08:50 · 📰 2 src / 2 articles · H score: 89

CISA added CVE-2026-48907 to the KEV catalog and ordered FCEB agencies to apply fixes by June 19, 2026, forcing federal remediation of an actively exploited Joomla flaw. The directive centers on Widget Factory Joomla Content Editor (JCE) and a maximum-severity access-control issue that can enable PHP code upload and execution. The action increases urgency for federal operators because the vulnerability is already treated as a known exploited weakness with a short compliance window.

JetBrains Marketplace malicious plugin API-key theft campaign

Campaign

Updated: 17.06.2026 00:54 · First: 17.06.2026 00:54 · 📰 3 src / 3 articles · H score: 15

A coordinated malware campaign on the JetBrains Marketplace is stealing developers' AI provider API keys through malicious plugins that pose as AI coding assistants, code-review tools, and Git utilities. The operation spans at least 15 plugins under seven vendor accounts and sends stolen keys to 39.107.60[.]51 over HTTP. The campaign has been active since October 2025 and continued with new uploads as recently as June 10, 2026. One analyzed plugin remained available for download, keeping the theft path active.

Rokarolla device-profiling targeting campaign

Campaign

Updated: 16.06.2026 23:04 · First: 16.06.2026 23:04 · 📰 1 src / 1 articles · H score: 32

The Rokarolla Android campaign now profiles infected devices to assign a unique identifier to each victim, enabling repeated tracking and coordinated financial-fraud activity across compromised phones.

Google Vertex AI SDK for Python security patch release (1.144.0–1.148.0)

Security Patch Release

Updated: 16.06.2026 22:05 · First: 16.06.2026 22:05 · 📰 1 src / 1 articles · H score: 15

Google released staged fixes for Google Cloud Vertex AI SDK for Python, closing a bucket-squatting path that could hijack model uploads and enable code execution in Google's serving infrastructure. The first safeguard landed in v1.144.0 on March 31, 2026, and the final hardening arrived in v1.148.0 on April 15, 2026. The update changed temporary bucket selection and then added bucket ownership verification in Model.upload(). Users of the SDK should move to 1.148.0 or later to activate the completed fix.

Google Cloud Vertex AI SDK Python predictable bucket squatting security flaw

Vulnerability

Updated: 16.06.2026 22:05 · First: 16.06.2026 22:05 · 📰 1 src / 1 articles · H score: 1

Google Cloud Vertex AI SDK for Python had a predictable temporary bucket flaw that let an attacker hijack model uploads and reach code execution inside Google's serving infrastructure, and Google fixed it in 1.148.0.

Steam Workshop Wallpaper Engine malware delivery operation

Malware Activity

Updated: 16.06.2026 21:27 · First: 16.06.2026 21:27 · 📰 1 src / 1 articles · H score: 38

Malicious Steam Workshop wallpaper packages are being used to install backdoors, steal Steam credentials, and launch cryptomining on users' systems, expanding a long-running abuse of Wallpaper Engine. The activity has been underway since at least late 2025 and includes multiple malware families, not just a single payload. Steam removed the identified uploads, but the distribution path remains attractive for repeat abuse.

Steam Workshop malicious wallpaper malware distribution campaign

Campaign

Updated: 16.06.2026 21:27 · First: 16.06.2026 21:27 · 📰 1 src / 1 articles · H score: 39

A Steam Workshop campaign has used malicious wallpaper uploads to deliver malware to Steam users, creating a broad infection risk across the platform since late 2025. The operation has spread through Wallpaper Engine and has been linked to backdoors, credential theft, cryptominers, and other payloads. Steam has removed identified uploads, but new malicious packages are likely to keep appearing.

Potemkin loader delivering EtherRAT and RMMProject in memory

Malware Activity

Updated: 16.06.2026 20:41 · First: 16.06.2026 20:41 · 📰 1 src / 1 articles · H score: 29

The Potemkin loader is delivering EtherRAT and RMMProject to Windows systems, giving operators in-memory payload execution and browser credential theft. The loader uses a DGA to reach C2 and reflectively loads follow-on modules, limiting on-disk visibility. The payload set expands control to remote screen access, screenshot capture, and credential collection, increasing post-compromise risk.

ClickFix multi-loader delivery campaign targeting Windows and macOS users

Campaign

Updated: 16.06.2026 20:41 · First: 16.06.2026 20:41 · 📰 1 src / 1 articles · H score: 34

The ClickFix malware-delivery campaign is spreading BabaDeda Loader, Lorem Ipsum Loader, and Potemkin, widening risk for Windows and macOS users across several sectors. The operation uses social engineering, compromised WordPress sites, and fake update lures to trick victims into running attacker-controlled commands. Those chains can drop information stealers and RATs, creating paths to credential theft and remote access. The activity shows a sustained shift in delivery methods as operators adapt to disruptions and keep the campaign moving.

UK under-16 social media age-check ban

Public Sector Action

Updated: 16.06.2026 17:38 · First: 16.06.2026 17:38 · 📰 1 src / 1 articles · H score: 25

The UK government announced a ban on under-16s using social media, requiring age checks for new accounts and tightening access to major platforms. The rollout is set for spring 2027, with regulations due before Christmas and Ofcom asked to study verification methods. New users will likely need to upload an ID or pass a facial age scan, while long-standing accounts are mostly grandfathered. The move pushes UK social media toward verified access and away from anonymous account creation.

FishMonger multi-country government espionage campaign

Campaign

Updated: 16.06.2026 17:30 · First: 16.06.2026 17:30 · 📰 1 src / 1 articles · H score: 33

FishMonger ran a multi-country espionage campaign against government bodies in Honduras, Taiwan, Thailand and Pakistan across 2023 and 2024. The activity points to a sustained public-sector collection effort rather than an isolated intrusion. The campaign matters because it shows repeated targeting across several jurisdictions using the same operator identity and backdoor-based access pattern.