Find notable cyber news and cases, enriched with sources, timelines, and signals.

Recent notable Happenings and Cases

Last updated: 16:34 09/06/2026 UTC
  • Case · Case score 59 · Check Point IKEv1 VPN Authentication Bypass Exploitation and Response: Check Point disclosed that CVE-2026-50751 is being actively exploited as an authentication bypass in Remote Access VPN and Mobile Access deployments using deprecated IKEv1, reaching a few dozen organizations and including at least one case tied to Qilin ransomware activity.
  • Case · Case score 60 · Gamaredon and UAC-0226 WinRAR exploitation in Ukrainian organizations: Trend Micro attributed ongoing WinRAR CVE-2025-8088 exploitation against Ukrainian organizations to Earth Dahu and SHADOW-EARTH-066, showing the attacks still run nearly a year after the patch and use RAR-ADS, startup LNK, PowerShell loaders, and credential-stealing follow-on tooling.
  • Case · Case score 59 · Gogs Rebase Injection Remote Code Execution and 0.14.3 Patch Response: Gogs maintainers shipped 0.14.3 to fix a critical argument-injection zero-day in the rebase-before-merging workflow, closing an RCE path exploitable by authenticated non-admin users that could expose private repositories and secrets.
  • Security Patch Release · H score 59 · LiteLLM endpoint-hardening patch release (CVE-2026-42271): CISA added LiteLLM CVE-2026-42271 to the KEV catalog after evidence of active exploitation, raising immediate risk from command injection against proxy-host MCP test endpoints that was only hardened via the 1.83.7 release.
  • Security Patch Release · H score 59 · Check Point security patch release for CVE-2026-50751: Check Point issued patches for CVE-2026-50751 and disclosed related CVE-2026-50752 guidance, urging urgent migration away from deprecated IKEv1 and enforcement changes such as IKEv2-only and machine certificate authentication.
  • Campaign · H score 57 · Earth Dahu and SHADOW-EARTH-066 WinRAR exploitation campaign against Ukrainian organisations: Trend Micro’s attribution of Earth Dahu and SHADOW-EARTH-066 to continued WinRAR CVE-2025-8088 exploitation advances the ongoing response by tying observed payload chains (GIFTEDCROOK, GammaPhish/GammaLoad/GammaSteel) to the same legacy RAR weaponization techniques.
Last updated: 18:50 08/06/2026 UTC

Latest updates


Microsoft hit by cyberattack

Incident

Updated: 09.06.2026 18:42 · First: 09.06.2026 18:42 · 📰 2 src / 2 articles · H score: 14

A Microsoft GitHub repository removal incident in June 2026 disrupted continuous integration pipelines and briefly broke Azure/functions-action workflows used by developers. Microsoft later said it had temporarily removed some GitHub repositories while investigating potential malicious content, then restored some repos and kept others offline during the review. The incident was tied to a broader Miasma supply-chain campaign that compromised 73 open-source projects to inject an information stealer and prompted Microsoft to notify a small number of customers who may have pulled content from the affected repositories.

Miasma software supply chain campaign expands to new PyPI wave

Campaign

Updated: 09.06.2026 19:34 · First: 09.06.2026 19:34 · 📰 1 src / 1 articles · H score: 36

The Miasma supply-chain campaign has expanded into a new PyPI wave, increasing the risk that developers and downstream users will ingest information-stealing malware through trusted open-source packages. The latest cluster adds 23 packages and shows that the operators are changing delivery methods rather than relying on a single implant format.

Survey finds pressure to delay security reporting and widespread deployment of vulnerable code across 14 countries

Trend

Updated: 09.06.2026 18:30 · First: 09.06.2026 18:30 · 📰 1 src / 1 articles · H score: 16

A Checkmarx survey found that pressure to delay security reporting is pushing vulnerable code into production across 14 countries, increasing the chance that known flaws reach live systems. 95% of CISOs said they faced pressure to deprioritize or delay reporting of security issues, and 75% said their organizations knowingly deployed vulnerable code. Remediation is also lagging, with only 9% fixing over 90% of vulnerabilities within 90 days. The pattern shows that business deadlines and AI-generated code are widening the gap between discovery and fix.

AI coding assistant adoption becomes near-universal while governance lags in software development teams

Trend

Updated: 09.06.2026 18:00 · First: 09.06.2026 18:00 · 📰 1 src / 1 articles · H score: 16

AI coding assistants are now used by 97% of software engineers and DevOps professionals, but only 30% have fully governed oversight, leaving security and compliance controls behind adoption. The most common assistants are GitHub Copilot and Claude Code, and many teams run more than one tool. The gap is shifting work toward manual review, security testing, and vulnerability fixing, which slows delivery and raises code-risk exposure.

Veeam Backup & Replication domain-joined backup server RCE flaw (CVE-2026-44963)

Vulnerability

Updated: 09.06.2026 17:27 · First: 09.06.2026 17:27 · 📰 1 src / 1 articles · H score: 40

The CVE-2026-44963 flaw in Veeam Backup & Replication exposes domain-joined backup servers to remote code execution until admins move to 12.3.2.4854. The issue affects VBR 12.3.2.4465 and earlier version 12 builds, creating elevated risk for backup infrastructure that is joined to a Windows domain.

Veeam security patch release for CVE-2026-44963

Security Patch Release

Updated: 09.06.2026 17:27 · First: 09.06.2026 17:27 · 📰 1 src / 1 articles · H score: 48

Veeam released security updates for Veeam Backup & Replication to fix CVE-2026-44963, a critical flaw that could enable remote code execution on domain-joined backup servers. The issue affects VBR 12.3.2.4465 and earlier version 12 builds, while 12.3.2.4854 contains the fix. Version 13.x is not affected. Administrators running impacted builds need to deploy the patched release promptly to reduce exposure to code execution on backup infrastructure.

phpBB authentication bypass flaw

Vulnerability

Updated: 09.06.2026 17:00 · First: 09.06.2026 17:00 · 📰 1 src / 1 articles · H score: 25

A critical phpBB authentication bypass now exposes versions up to 3.3.16 and the 4.0.0 alpha to account takeover, including administrators, through one unauthenticated request. The flaw affects standard installs in default database-authentication mode, so a normal deployment can be vulnerable out of the box. phpBB 3.3.17 is the complete fix and affected operators need to upgrade.

phpBB 3.3.17 security update

Security Patch Release

Updated: 09.06.2026 17:00 · First: 09.06.2026 17:00 · 📰 1 src / 1 articles · H score: 23

phpBB released version 3.3.17 to fix PTT-2026-004 and PTT-2026-005, closing account-takeover flaws affecting forum deployments. The update is the only complete fix for PTT-2026-004 and requires administrators to upgrade.

Earth Dahu and SHADOW-EARTH-066 WinRAR exploitation campaign against Ukrainian organisations

Campaign

Updated: 09.06.2026 15:26 · First: 09.06.2026 15:26 · 📰 1 src / 1 articles · H score: 57

The Earth Dahu and SHADOW-EARTH-066 campaigns are still exploiting CVE-2025-8088 in WinRAR against Ukrainian organisations, extending exposure nearly a year after the patch and enabling stealer and espionage payloads. One chain uses crafted RAR archives with hidden ADS payloads, a Startup-folder LNK, and a PowerShell loader to launch GIFTEDCROOK and exfiltrate credentials and documents. The other chain uses an HTA-to-VBScript sequence to deliver GammaPhish, GammaLoad, and GammaSteel, showing sustained access and a shift to dedicated C2 infrastructure.

Gamaredon WinRAR malware chain using GammaPhish, GammaLoad, GammaWorm, and GammaSteel

Malware Activity

Updated: 02.06.2026 21:21 · First: 02.06.2026 21:21 · 📰 1 src / 2 articles · H score: 49

Gamaredon-linked malware activity is using WinRAR CVE-2025-8088 to deliver staged payloads, including GammaPhish, GammaLoad, and GammaSteel, against Ukrainian organisations. The latest reporting also ties ongoing exploitation to Earth Dahu (Gamaredon) and SHADOW-EARTH-066 (UAC-0226), with crafted RAR archives, hidden ADS payloads, and a Startup-folder LNK used to launch the infection chain. The activity shifted from Telegram exfiltration to dedicated C2 servers, and Earth Dahu's use of the flaw remained active through at least April 10, 2026.

Gamaredon and UAC-0226 WinRAR exploitation in Ukrainian organizations

Case

Updated: 09.06.2026 15:26 · First: 01.06.2026 14:00 · 📰 0 src / 2 articles

Gamaredon activity in Ukrainian networks has broadened into a wider WinRAR CVE-2025-8088 exploitation story that also includes SHADOW-EARTH-066 (UAC-0226) operations against Ukrainian organizations. The intrusion paths abuse malicious RAR content to gain startup persistence, then branch into fileless VBScript, NTFS Alternate Data Streams, PowerShell-driven loading, and dedicated follow-on tooling. Available evidence ties the activity to long-term espionage access, document theft, and, in the UAC-0226 chain, browser credential and cookie theft through GIFTEDCROOK. The exploitation remained active well after the July 2025 patch release, keeping WinRAR remediation and host hunting high-priority for Ukrainian defenders.

CISA announces 2026 President’s Cup winners

Public Sector Action

Updated: 09.06.2026 15:00 · First: 09.06.2026 15:00 · 📰 1 src / 1 articles · H score: 16

CISA announced the winners of the seventh annual President’s Cup cybersecurity competition on June 9, 2026. The federal contest ran from January through the last week of May and drew more than 800 individuals and 200 teams into defensive, offensive, and team-based cyber challenges. The program recognizes and rewards federal cyber talent across the U.S. government workforce, with winners from the U.S. Navy, U.S. Army, and U.S. Marine Corps.

AI-driven worm reasons at runtime and self-replicates across a 33-host test network

Technical Analysis

Updated: 09.06.2026 14:59 · First: 09.06.2026 14:59 · 📰 1 src / 1 articles · H score: 40

Researchers demonstrated a proof-of-concept AI-driven worm that reasons at runtime and self-replicates, showing adaptive host-to-host spread across a 33-host vulnerable test network. The prototype raises the risk of runtime exploit generation, fresh-advisory weaponization, and GPU-assisted propagation without a fixed exploit chain.

Tchap hit by cyberattack

Incident

Updated: 09.06.2026 13:53 · First: 09.06.2026 13:53 · 📰 1 src / 1 articles · H score: 19

A compromised user account enabled an unauthorized breach of Tchap, putting the French government's encrypted messaging platform at risk of exposing conversations and personal data. The incident was detected by ANSSI and disclosed by DINUM on Monday, with investigation still underway.

FROST browser SSD timing side channel via OPFS

Technical Analysis

Updated: 09.06.2026 12:50 · First: 09.06.2026 12:50 · 📰 1 src / 1 articles · H score: 16

FROST turns browser storage timing into a remote SSD side channel that can identify which sites a user visits and which apps they open. The technique runs inside the browser sandbox with JavaScript only, raising privacy risk across macOS and Linux desktop systems.

Check Point Remote Access VPN and Mobile Access authentication bypass (CVE-2026-50751)

Vulnerability

Updated: 08.06.2026 16:05 · First: 08.06.2026 16:05 · 📰 3 src / 4 articles · H score: 56

Check Point warned that CVE-2026-50751 is a critical authentication bypass in Remote Access VPN and Mobile Access deployments using deprecated IKEv1, letting an attacker bypass user authentication and establish a VPN connection without a valid password. Check Point said the flaw has been actively exploited since May 7, 2026, with activity affecting a few dozen targeted organizations worldwide and one post-compromise case linked to a Qilin ransomware affiliate. The company also disclosed CVE-2026-50752, a related certificate-validation flaw in the same IKEv1 path, and said it has not been observed exploited.

Check Point VPN CVE-2026-50751 targeted exploitation wave

Exploitation Wave

Updated: 08.06.2026 17:17 · First: 08.06.2026 17:17 · 📰 3 src / 3 articles · H score: 56

CVE-2026-50751 is under active exploitation in Check Point Remote Access VPN and Mobile Access deployments that use deprecated IKEv1. The flaw is an authentication bypass that can let a remote attacker establish a VPN connection without a valid password, and Check Point said abuse has reached a few dozen targeted organizations globally. Exploitation has been observed since May 7, 2026, increased in early June, and in one case was tied to a Qilin ransomware affiliate in post-compromise activity. Check Point also identified CVE-2026-50752 in the same IKEv1 certificate-validation path and said it has not been observed exploited.

Check Point IKEv1 VPN Authentication Bypass Exploitation and Response

Case

Updated: 09.06.2026 12:30 · First: 08.06.2026 16:05 · 📰 0 src / 3 articles

Check Point gateways using deprecated IKEv1 are facing active exploitation of CVE-2026-50751 in Remote Access VPN and Mobile Access deployments. The bug lets unauthenticated attackers bypass authentication and open VPN sessions on exposed systems under specific legacy configuration conditions, and confirmed impact has reached a few dozen organizations globally since at least May 7, 2026. Defensive pressure rose as patches and mitigation guidance were released for affected Security Gateways and Spark Firewalls, one post-exploitation case was associated with a Qilin ransomware affiliate, and CVE-2026-50751 entered the Known Exploited Vulnerabilities catalog. CVE-2026-50752 was disclosed alongside the response for site-to-site VPN connections, but available evidence does not show it being exploited in the wild.

Hades Bun-powered JavaScript stealer on PyPI

Malware Activity

Updated: 09.06.2026 12:13 · First: 09.06.2026 12:13 · 📰 1 src / 1 articles · H score: 34

A new Hades PyPI malware wave uses a Python startup hook to launch a Bun-powered JavaScript stealer, putting developer and CI/CD credentials at risk. The payload can harvest secrets, keys, and local configuration data from package-install environments. It extends a known supply-chain playbook with automatic execution before normal package use.

Miasma GitHub and npm supply-chain campaign

Campaign

Updated: 02.06.2026 00:38 · First: 02.06.2026 00:38 · 📰 2 src / 3 articles · H score: 48

The Miasma supply-chain campaign has expanded into a new PyPI branch called Hades, with 37 malicious wheel artifacts across 19 packages. The compromised releases use a -setup.pth startup hook to execute during Python startup, download the Bun JavaScript runtime, and launch an obfuscated _index.js stealer. The activity targets developer systems for credential theft, CI/CD secret harvesting, and GitHub-centric exfiltration, and it adds LLM prompt injection plus repository-based payload staging. The campaign remains part of the broader Mini Shai-Hulud / Miasma lineage rather than a standalone Python incident.

CISA KEV order for FCEB remediation of CVE-2026-50751

Public Sector Action

Updated: 09.06.2026 11:18 · First: 09.06.2026 11:18 · 📰 1 src / 1 articles · H score: 49

CISA ordered Federal Civilian Executive Branch agencies to secure their systems against CVE-2026-50751, forcing a rapid federal response to a flaw that can let attackers bypass authentication on affected Check Point VPN systems. The directive matters because the vulnerability has already been used in zero-day attacks and is now in the Known Exploited Vulnerabilities (KEV) Catalog. Agencies must meet the June 11 deadline under Binding Operational Directive 22-01.

Check Point security patch release for CVE-2026-50751

Security Patch Release

Updated: 08.06.2026 16:05 · First: 08.06.2026 16:05 · 📰 1 src / 2 articles · H score: 59

Check Point released security updates to patch CVE-2026-50751 in Remote Access VPN and Mobile Access deployments. The update addressed a critical authentication bypass on systems using deprecated IKEv1, after the flaw was exploited in zero-day attacks. Check Point also disclosed CVE-2026-50752 and urged customers to apply the fixes immediately or use mitigation steps such as IKEv2 only and mandatory Machine Certificate Authentication.

WhatsApp contempt motion against NSO Group

Regulatory/Legal Action

Updated: 09.06.2026 11:15 · First: 09.06.2026 11:15 · 📰 1 src / 1 articles · H score: 32

WhatsApp moved the US court to hold NSO Group in contempt over a permanent injunction tied to spyware targeting of users. The company says NSO violated the order by using social engineering and malicious links aimed at WhatsApp users and by creating test accounts and groups that were taken down. The request seeks to keep the court's restrictions on NSO in force after years of litigation over Pegasus.

NSO Group WhatsApp spear-phishing campaign

Campaign

Updated: 08.06.2026 20:08 · First: 08.06.2026 20:08 · 📰 3 src / 3 articles · H score: 40

NSO Group remains tied to a WhatsApp spear-phishing campaign that used malicious links to push targets to external websites outside the app. On June 8, WhatsApp said it successfully disrupted the activity, removed test accounts and groups, and published related domains including fr24cast[.]com, ghazacast[.]com, and ikhwancast[.]com. WhatsApp also asked a US court to hold the blacklisted spyware firm in contempt for violating a permanent injunction, keeping the pressure on a campaign already associated with Pegasus abuse and prior targeting of WhatsApp users.

Chrome V8 JavaScript engine out-of-bounds read/write zero-day exploited in the wild (CVE-2026-11645)

Vulnerability

Updated: 09.06.2026 09:56 · First: 09.06.2026 09:56 · 📰 3 src / 3 articles · H score: 45

Google has patched CVE-2026-11645, a Chrome V8 JavaScript engine zero-day that was exploited in the wild and could let remote attackers run code inside the browser sandbox. The flaw was triggered with crafted HTML pages, putting Chrome users on Windows, Mac, and Linux at risk until the emergency update reached their devices. Google said the fix was rolling out through Stable Desktop builds worldwide.

Google security patch release for CVE-2026-11645

Security Patch Release

Updated: 09.06.2026 09:56 · First: 09.06.2026 09:56 · 📰 3 src / 3 articles · H score: 56

Google released emergency Chrome updates to fix CVE-2026-11645, a zero-day that had already been exploited in the wild. The patched release covers Chrome Stable Desktop users on Windows, Mac, and Linux as the fix rolls out worldwide. The update is high priority because the flaw enables code execution inside the browser sandbox.

BerriAI LiteLLM actively exploited command injection (CVE-2026-42271)

Vulnerability

Updated: 09.06.2026 09:26 · First: 09.06.2026 09:26 · 📰 1 src / 1 articles · H score: 51

CVE-2026-42271 in BerriAI LiteLLM was added to CISA's KEV catalog after evidence of active exploitation, creating remote command-execution risk for affected proxy deployments. The command injection flaw impacts LiteLLM Python package versions >= 1.74.2 < 1.83.7 and can let an authenticated user run arbitrary commands on the host. Version 1.83.7 patches the issue by restricting the vulnerable endpoints to the PROXY_ADMIN role.

LiteLLM endpoint-hardening patch release (CVE-2026-42271)

Security Patch Release

Updated: 09.06.2026 09:26 · First: 09.06.2026 09:26 · 📰 1 src / 1 articles · H score: 59

BerriAI released LiteLLM 1.83.7, hardening access to the vulnerable MCP test endpoints that accepted full server configurations. The update now requires the PROXY_ADMIN role for both endpoints, aligning them with the save endpoint and closing the weaker access-control path. The release addresses CVE-2026-42271 in LiteLLM versions >= 1.74.2 < 1.83.7, a command-injection flaw that could let authenticated users run arbitrary commands on the proxy host.

NFCShare fake banking-app update phishing campaign

Campaign

Updated: 09.06.2026 01:11 · First: 09.06.2026 01:11 · 📰 1 src / 1 articles · H score: 40

The NFCShare phishing campaign is using fake banking-app updates on GitHub to steal payment card data from customers of multiple banks across Europe, expanding the theft risk across a broad financial-services target set. The operation combines impersonated bank login pages, deceptive update prompts, and malicious Android packages to capture card details and a 4-digit PIN. It matters because the theft path is built for reusable fraud against bank customers rather than a single isolated lure.

NFCShare Android malware spreads via fake banking-app updates

Malware Activity

Updated: 09.06.2026 01:11 · First: 09.06.2026 01:11 · 📰 1 src / 1 articles · H score: 21

The NFCShare Android malware is being spread as fake banking-app updates on GitHub, broadening attacks against customers of multiple banks and financial institutions across Europe. The malware uses a phishing site and a fake verification screen to trick victims into placing their cards near the phone’s NFC chip, then reads the card data with Android’s IsoDep interface and EMV commands. It steals the card number, card type, expiry date, and a 4-digit PIN, then sends the data to attacker C2 infrastructure over WebSocket for payment-relay abuse.