Find notable cyber news and cases, enriched with sources, timelines, and signals.

Recent Notable Happenings and Cases

Last updated: 16:22 19/06/2026 UTC
Last updated: 08:53 19/06/2026 UTC

Latest updates


Texas Parks and Wildlife Department license system vendor hit by network compromise

Incident

Updated: 19.06.2026 19:12 · First: 19.06.2026 19:12 · 📰 1 src / 1 articles · H score: 59

The Texas Parks and Wildlife Department license system vendor suffered an intrusion that led to unauthorized access and exposed customer records for millions of license holders. The breach prompted a state investigation and raised follow-on risks of phishing and social engineering against affected people.

Texas Parks and Wildlife Department customer data exposed after license-vendor breach

Data Leak

Updated: 19.06.2026 19:12 · First: 19.06.2026 19:12 · 📰 1 src / 1 articles · H score: 63

The Texas Parks and Wildlife Department disclosed a data breach at its license system vendor that exposed personal information for 3,087,721 Texas hunting and fishing license customers. The exposed dataset included driver’s license information, passport numbers, email addresses, phone numbers, and residential addresses, creating elevated risk of phishing and social engineering abuse. Officials said SSNs, dates of birth, and financial information were not impacted.

Operation Endgame international cybercrime disruption initiative

Public Sector Action

Updated: 19.06.2026 18:07 · First: 19.06.2026 18:07 · 📰 1 src / 1 articles · H score: 57

Operation Endgame is an ongoing international law enforcement initiative that now includes the takedown of SocGholish infrastructure, expanding disruption of botnets and criminal infrastructure used for malware delivery. The operation has already removed 106 servers and cleaned 14,971 WordPress sites, reducing abuse paths used to spread follow-on payloads. Launched in 2024, the initiative keeps pressure on the infrastructure that supports large-scale cybercrime.

CISA warning on FortiBleed for FortiGate customers

Public Sector Action

Updated: 19.06.2026 17:00 · First: 19.06.2026 17:00 · 📰 1 src / 1 articles · H score: 89

CISA warned Fortinet customers with FortiGate appliances to secure exposed systems against ongoing malicious activity tied to FortiBleed. The activity had reached 86,644 compromised devices by June 19, 2026 and was targeting internet-accessible gateways and administrators. CISA directed operators to terminate active sessions, reset passwords, enforce strong password policies, and enable phishing-resistant MFA.

AWS Continuum launches AI-powered vulnerability management lifecycle platform

Security Tool/Service

Updated: 19.06.2026 14:00 · First: 19.06.2026 14:00 · 📰 1 src / 1 articles · H score: 14

AWS Continuum launched in gated preview as a new AI-powered vulnerability management platform for AWS environments, expanding security teams’ ability to manage code flaws from discovery through remediation. The platform combines prioritization, validation, and remediation with access to structured and unstructured organization data, including documents and communications. AWS also bundled AWS Security Agent capabilities for penetration testing, code scanning, and threat modelling, broadening the platform’s defensive reach.

FortiBleed Fortinet credential-theft campaign

Campaign

Updated: 19.06.2026 13:48 · First: 19.06.2026 13:48 · 📰 2 src / 2 articles · H score: 89

The FortiBleed campaign is an ongoing Fortinet credential-theft activity tied to internet-accessible FortiGate appliances and other Fortinet firewalls and VPN gateways. CISA warned customers to harden devices after researchers linked the campaign to 86,644 compromised devices as of June 19, 2026. The activity used mass-scanning, a bespoke credential-spraying tool, and passive traffic monitoring to collect more logins, with Russian-speaking threat actors believed to be involved. CISA advised terminating active sessions, resetting credentials, enabling phishing-resistant MFA, and reviewing logs to limit further access.

FortiBleed Fortinet/FortiGate VPN credential leak

Data Leak

Updated: 17.06.2026 18:12 · First: 17.06.2026 18:12 · 📰 2 src / 3 articles · H score: 80

FortiBleed is a data leak of Fortinet/FortiGate VPN credentials that now includes a verified database of 86,644 confirmed working credentials collected from internet-facing Fortinet infrastructure across 194 countries. CISA urged customers to harden FortiGate devices by terminating sessions, resetting credentials, enabling phishing-resistant MFA, reviewing logs, and restricting management access. Reporting links the exposure to a Russian-speaking threat actor using SSL VPN authentication interception, hash cracking, and Active Directory pivoting, with at least four organizations fully compromised and broad impact across government and critical infrastructure.

Splunk Enterprise unauthenticated file operations flaw (CVE-2026-20253)

Vulnerability

Updated: 13.06.2026 16:23 · First: 13.06.2026 16:23 · 📰 2 src / 2 articles · H score: 46

Splunk Enterprise has a critical flaw, CVE-2026-20253, that lets an unauthenticated attacker perform arbitrary file operations and potentially reach remote code execution on affected servers. The issue affects versions below 10.2.4 and 10.0.7; Splunk Cloud is not impacted. The weakness sits in a PostgreSQL sidecar service endpoint that lacks authentication controls, allowing network-reachable users to invoke file operations without credentials. Published exploit details increase the risk of opportunistic abuse even though there is no evidence of in-the-wild exploitation.

Klue Battlecards app Salesforce customer data leak

Data Leak

Updated: 19.06.2026 12:03 · First: 19.06.2026 12:03 · 📰 1 src / 1 articles · H score: 41

A Klue Battlecards app connection to Salesforce exposed customer data after unauthorized access let attackers copy records from connected environments, affecting Klue customers including Huntress. The copied information included business contacts, price quotes, and other sales-related data and messaging. Klue said the intrusion began with a compromised legacy credential and later used stolen OAuth tokens to query customer CRM tools directly. Salesforce disabled the integration; the exposure was limited to the app connection but still reached sensitive customer records.

Non-email threat-detection confidence gap across collaboration channels

Trend

Updated: 19.06.2026 12:00 · First: 19.06.2026 12:00 · 📰 1 src / 1 articles · H score: 25

A survey found a broad non-email threat-detection gap across Slack, Microsoft Teams, and social channels, increasing exposure as attackers move beyond email. At Infosecurity Europe 2026, 50% of 169 cybersecurity professionals said their organizations lack strong confidence in detecting threats on messaging and social platforms. The pattern is reinforced by low confidence in Slack (40%) and only partial training coverage for non-email threats.

Anthony Belford spoofed-account harassment campaign against a Georgia college student

Campaign

Updated: 19.06.2026 11:44 · First: 19.06.2026 11:44 · 📰 1 src / 1 articles · H score: 35

The alleged spoofed-account harassment campaign against a Georgia college student has been tied to repeated use of fake social profiles and email to spread AI-generated nude images and racist fabrications. The activity allegedly spanned January to March 2025 and kept following the victim after a transfer in August 2024. Multiple impersonation accounts were created on Instagram, LinkedIn, Reddit, X, Strava, and Yahoo. The operation widened the harm by contacting the victim's mother and amplifying the abuse across several platforms.

Anthony Belford federal cyberstalking arraignment

Law Enforcement

Updated: 19.06.2026 11:44 · First: 19.06.2026 11:44 · 📰 1 src / 1 articles · H score: 22

Anthony Belford was arraigned after a federal grand jury indictment on cyberstalking charges, advancing a case tied to AI-generated nude image harassment of a college student. Prosecutors say he used fake Instagram, LinkedIn, Reddit, X, Strava, and Yahoo accounts between January and March 2025 to impersonate the victim and spread racist and anti-Muslim messages. The conduct allegedly continued after the victim transferred to a Georgia college in August 2024, and one spoofed Yahoo account was used to send an AI-generated nude image to the victim's mother.

CISA FortiBleed mitigation guidance

Advisory/Mitigation

Updated: 19.06.2026 09:47 · First: 19.06.2026 09:47 · 📰 3 src / 3 articles · H score: 67

CISA issued mitigation guidance for FortiBleed, urging operators of internet-accessible Fortinet devices to harden exposed FortiGate and VPN environments after a large-scale credential theft campaign. Reported figures now place the verified credential set at 86,644 confirmed working credentials across 194 countries, with researchers also citing at least four organizations fully compromised. CISA’s actions center on ending active sessions, resetting credentials, enabling phishing-resistant MFA, reviewing logs, and restricting management access to reduce account abuse.

CISA KEV order for SolarWinds Serv-U CVE-2026-28318

Public Sector Action

Updated: 06.06.2026 11:14 · First: 06.06.2026 11:14 · 📰 2 src / 2 articles · H score: 50

CISA added CVE-2026-28318 affecting SolarWinds Serv-U to the KEV catalog and ordered FCEB agencies to remediate it by June 19, 2026. The directive expands operational urgency for federal civilian environments because the flaw is tied to active exploitation. SolarWinds says the issue is fixed in Serv-U 15.5.4 HF1.

Gentlemen ransomware EDR-killer tooling

Malware Activity

Updated: 19.06.2026 01:31 · First: 19.06.2026 01:31 · 📰 1 src / 1 articles · H score: 32

The Gentlemen ransomware-as-a-service operation is actively maintaining EDR killers to blunt endpoint defenses and let affiliate attacks proceed with less detection. Its main utility, GentleKiller, has at least eight variants and impersonates legitimate products such as Kaspersky and WatchDog. The tooling uses BYOVD to gain kernel-level privileges and disable security engines, and it targets more than 400 processes across about 48 vendors/products. The suite also includes external tools such as HexKiller, ThrottleBlood, HavocKiller, and OxideHarvest.

Nintendo of America employee survey data exposed after TinyPulse breach

Data Leak

Updated: 18.06.2026 21:31 · First: 18.06.2026 21:31 · 📰 1 src / 1 articles · H score: 26

Nintendo of America confirmed that internal employee survey data from TinyPulse was stolen, exposing information tied to a small subset of employees while leaving Nintendo systems and customer data untouched. The breach was paired with Shadowbyt3$ ransom claims, including a demand for $2 million and warnings that the stolen material could be leaked publicly. The confirmed exposure is limited to survey content, but the event adds pressure because the threat actor says more employee-related data may exist.

Vo1d botnet campaign targeting unofficial Android-based TV boxes

Campaign

Updated: 18.06.2026 20:37 · First: 18.06.2026 20:37 · 📰 1 src / 1 articles · H score: 88

The Vo1d campaign continues to target unofficial Android-based TV boxes, keeping a large-scale proxy botnet alive across consumer devices. The operation turns those boxes into relay nodes that can forward traffic for advertising fraud, account takeovers, and mass data-scraping. Researchers say the activity has persisted for four years and spans millions of devices. The scale and persistence make the campaign a broad abuse platform rather than a one-off botnet flare-up.

Popa botnet forcing consumer TV boxes to relay traffic

Malware Activity

Updated: 18.06.2026 20:37 · First: 18.06.2026 20:37 · 📰 1 src / 1 articles · H score: 76

The Popa botnet has forced millions of consumer TV boxes to relay Internet traffic linked to advertising fraud, account takeovers, and mass data-scraping efforts. The activity has persisted for four years, making it a long-lived proxy layer rather than a short burst of abuse. The scale increases the risk of traffic laundering, downstream misuse, and attribution confusion for affected sites and network defenders.

F5 security patch release for CVE-2026-42530

Security Patch Release

Updated: 18.06.2026 20:32 · First: 18.06.2026 20:32 · 📰 1 src / 1 articles · H score: 39

F5 released security updates for NGINX Open Source after finding two critical vulnerabilities that could lead to remote code execution on affected systems. The patch set covers CVE-2026-42530 and CVE-2026-42055, with fixed builds spanning NGINX Open Source and related NGINX products. Administrators using the affected HTTP/3, HTTP/2, proxy, WAF, and ingress components need to move to the fixed versions to remove the code-execution risk.

USB-spreading clipboard-stealing malware targeting cryptocurrency wallets

Malware Activity

Updated: 18.06.2026 19:20 · First: 18.06.2026 19:20 · 📰 1 src / 1 articles · H score: 27

A USB-spreading clipboard-stealing malware family is actively stealing seed phrases, private keys, and wallet addresses from Windows victims, putting cryptocurrency funds at direct risk. The malware also captures screenshots and sends stolen data over Tor, making detection and takedown harder. Its use of LNK shortcut files on removable drives gives it a worm-like propagation path across connected systems.

Rust-based clipboard hijacker spreading via fake crypto tools

Malware Activity

Updated: 18.06.2026 18:00 · First: 18.06.2026 18:00 · 📰 1 src / 1 articles · H score: 13

A Rust-based clipboard hijacker is spreading through fake crypto tools and silently replacing copied wallet addresses, putting Windows and macOS users at risk of theft. The operation uses bogus GitHub stars, inflated download counts, and AI-narrated YouTube tutorials to make the downloads look legitimate. A WordPress phishing page serves as the distribution hub, and the malware runs at startup to persist on infected systems. On macOS, a bundled unlocker script helps users bypass Apple quarantine and Gatekeeper, increasing the chance the unsigned app will run.

ICO formal caution in Princess of Wales records case

Regulatory/Legal Action

Updated: 18.06.2026 17:45 · First: 18.06.2026 17:45 · 📰 1 src / 1 articles · H score: 28

The ICO issued a formal caution to a former London healthcare professional under section 170(5) after reviewing prosecution criteria in a case involving the Princess of Wales's medical records. The action closes the criminal probe without prosecution and underscores enforcement against the deliberate misuse of highly sensitive personal information. The regulator said the conduct included an offer to disclose it for financial gain.

Windows cryptocurrency clipper malware using USB LNK worming and Tor C2

Malware Activity

Updated: 18.06.2026 17:30 · First: 18.06.2026 17:30 · 📰 1 src / 1 articles · H score: 29

A Windows-based cryptocurrency clipper has been active since February 2026, using USB-delivered LNK worming to steal wallet data and reroute payments. The malware adds clipboard theft, screenshot exfiltration, and wallet-address substitution, increasing the risk of stolen seed phrases and diverted transactions. It also uses a Tor-based hidden-service C2 and can execute attacker-supplied code through an EVAL response.

Windows cryptocurrency clipper campaign targeting users via USB LNK worms

Campaign

Updated: 18.06.2026 17:30 · First: 18.06.2026 17:30 · 📰 2 src / 2 articles · H score: 32

A Windows cryptocurrency clipper campaign has been actively targeting users since February 2026, putting clipboard data, wallet addresses, and seed phrases at risk. The operation uses malicious USB-delivered LNK files, Windows Script Host, and a Tor-based hidden-service C2 to spread and steal data. It can also replace copied cryptocurrency addresses with attacker-controlled alternatives and execute attacker-supplied code through an EVAL response.

Klue hit by network compromise

Incident

Updated: 18.06.2026 17:19 · First: 18.06.2026 17:19 · 📰 2 src / 2 articles · H score: 39

Klue suffered a June 11–12, 2026 integration compromise that let attackers steal OAuth tokens and access connected Salesforce environments, prompting Salesforce to disable the Klue Battlecards app integration. Klue said the intrusion began through a compromised legacy credential tied to an integration service, while ReliaQuest observed automated Python scripts querying the Salesforce REST API for bulk data retrieval. The activity is linked to the Icarus extortion campaign and has exposed customer CRM data such as business contacts and price quotes.

Icarus Salesforce data-theft extortion campaign

Campaign

Updated: 18.06.2026 17:19 · First: 18.06.2026 17:19 · 📰 1 src / 1 articles · H score: 42

The Icarus extortion campaign is actively stealing Salesforce CRM data from multiple organizations, expanding pressure on victims and showing a repeatable cloud-app abuse pattern. The operation uses stolen OAuth tokens and automated queries against Salesforce REST API endpoints to map objects and pull records. Victims then receive extortion emails tied to the alias "mr bean", while leak-site messaging signals continuing activity.

INC ransomware group’s RaaS expansion and victim growth in 2026

Threat Actor Meta

Updated: 18.06.2026 17:12 · First: 18.06.2026 17:12 · 📰 1 src / 1 articles · H score: 45

INC has grown from a RaaS startup into one of 2026’s most prolific ransomware groups, with 830+ victims since August 2023. The expansion followed affiliate migration after disruption to LockBit and the shutdown of BlackCat, strengthening INC’s market position. Its rise increases extortion pressure across U.S. organizations and targeted sectors including health care, legal services, manufacturing, technology, and construction.

INC ransomware encryptors rewritten in Rust

Malware Activity

Updated: 18.06.2026 17:12 · First: 18.06.2026 17:12 · 📰 1 src / 1 articles · H score: 38

INC's Windows and Linux/ESXi encryptors were rewritten in Rust, improving cross-platform development and making reverse engineering harder. The malware line also gained updated credential-dumping support aimed at newer Veeam backup deployments. The changes strengthen the ransomware toolset used in 2026 attacks and raise the cost of analysis and defense.

DragonForce / Hackledorb pivots from RaaS to a formalized cartel structure

Threat Actor Meta

Updated: 18.06.2026 16:30 · First: 18.06.2026 16:30 · 📰 1 src / 1 articles · H score: 26

Hackledorb has pivoted DragonForce from a conventional ransomware-as-a-service (RaaS) model into a formalized cartel structure, signaling a more organized and durable adversary ecosystem. The shift raises the group's ability to scale operations, coordinate affiliates, and sustain pressure against enterprise victims while blending ransomware with stealthier post-compromise tradecraft.

SocGholish malware downloader hijacking WordPress sites

Malware Activity

Updated: 18.06.2026 16:25 · First: 18.06.2026 16:25 · 📰 3 src / 3 articles · H score: 57

SocGholish is a long-running JavaScript-based malware downloader also tracked as FakeUpdates that hijacks compromised WordPress sites to push fake browser update lures and deliver follow-on payloads. In June 2026, authorities from the Netherlands, Canada, Germany, and the U.S. carried out an Operation Endgame disruption that took 106 servers offline and cleaned 14,971 infected WordPress sites. The action reduced the network’s ability to spread malware and stage additional compromise through abused websites.