The AryStinger botnet is compromising more than 4,000 outdated routers and converting them into proxy executors for malicious traffic, expanding attacker reach and interception risk. It targets D-Link DIR-850L and D-Link DIR-818LW routers through older flaws and can support scanning, tunneling, and command execution. The malware also enables DNS tampering and network-traffic monitoring, creating a broader exposure window for affected networks.

The Prinz Eugen ransomware operation is actively using hands-on-keyboard tradecraft and legitimate RMM tools, which makes intrusions harder to spot and contain. Researchers say the operators likely start with stolen RDP credentials, then manually deploy servertool.exe and maintain access with RemotePC. The encryptor focuses on recently modified files, skips a ransom note, and pushes victims toward out-of-band extortion. The activity has already been tied to multiple victims, including a Standard Bank breach demand of 1 BTC.

The Prinz Eugen ransomware campaign is using stolen RDP credentials, RemotePC, and hands-on operator control to break into multiple victims. It matters because the operation combines manual intrusion tradecraft with data encryption and exfiltration, increasing extortion pressure and reducing detection. Researchers say the group has reached at least five victims, while the leak site currently lists three. In one Standard Bank breach, the attacker demanded 1 BTC and was refused.

The Mastra AI supply-chain campaign was attributed to Sapphire Sleet / BlueNoroff, putting more than 140 npm packages and developer endpoints at risk of credential and crypto-wallet theft. Attackers compromised the npm maintainer account "ehindero" and used its publishing privileges to push malicious updates into the @mastra scope. Those updates injected easy-day-js, which ran a postinstall hook, contacted attacker-controlled C2 infrastructure, and downloaded a second-stage payload. The resulting stealer targeted Windows, Linux, and macOS systems and checked for 166 cryptocurrency wallet extensions.

Mastra @mastra/* npm packages were compromised in a software supply chain attack that spread through the namespace on 2026-06-17. Microsoft now attributes the activity to Sapphire Sleet (BlueNoroff), saying the attackers hijacked the npm maintainer account "ehindero" and published malicious updates to more than 140 npm packages in the @mastra scope. The poisoned packages injected easy-day-js, which ran a postinstall hook, fetched a second-stage payload, and deployed a cross-platform stealer on Windows, Linux, and macOS. The activity put credentials, API keys, authentication tokens, and cryptocurrency wallets at risk across developer systems, CI runners, and build environments.

Gravity SMTP released version 2.1.5 to fix CVE-2026-4020, closing a medium-severity information disclosure flaw in the WordPress plugin. The patch addresses a bug that let unauthenticated visitors pull API keys, secrets, and OAuth tokens from plugin data. The update is urgent because the plugin is installed on about 100,000 sites and exploit traffic is already active.

Klue confirmed a June 12, 2026 security incident in which an attacker used a compromised legacy credential to obtain OAuth tokens from Klue’s integration infrastructure and access data in connected Salesforce environments. The activity is now publicly claimed by Icarus, which said Klue.com was impacted and that partner Salesforce instances were exfiltrated. Reports from Huntress and ReliaQuest tie the theft to automated Python scripts and Salesforce API querying, with affected organizations including Recorded Future, Tanium, Jamf, Sprout Social, Gong, and Insurity. Klue says the incident was limited to third-party integrations and that there is no evidence customer content stored directly in the Klue platform was impacted.

A Klue-related Salesforce data leak on June 12 exposed customer records after an attacker used a compromised legacy credential to obtain OAuth tokens from Klue’s integration infrastructure and access connected environments. Huntress and ReliaQuest tied the activity to stolen integration access, Python scripting, and bulk Salesforce REST API querying, and Icarus has now publicly claimed responsibility on its leak site. Additional affected organizations have disclosed impacts, while most say the exposure was limited to Salesforce instances rather than their core platforms or infrastructure.

An actively exploited unauthenticated information disclosure flaw in Gravity SMTP exposes API keys, secrets, OAuth tokens, and email-service credentials on sites using the plugin, with the affected footprint reaching 100,000 WordPress sites. The vulnerability is tracked as CVE-2026-4020, affects version 2.1.4 and older, and was fixed in 2.1.5. Wordfence says it has blocked more than 17 million attempts, including a spike on June 7.

A public usbliter8 exploit now reaches arbitrary code execution in Apple's SecureROM, exposing an unpatchable USB DMA underflow flaw across A12, A13, S4, and S5 hardware. The attack needs physical possession, DFU mode, and a RP2350-based microcontroller board, but it completes in under two seconds before the signed boot chain loads. Because the vulnerable code is burned into silicon, no software update can remove the flaw. The result is a durable device-custody risk for environments that must protect high-value Apple hardware from direct access.

CERT/CC issued mitigation guidance to apply UEFI Forbidden Signature Database (DBX) updates, reducing Secure Boot bypass risk for affected vendor-signed UEFI applications. The advisory covers binaries from Acer, AMD, ASUS, ECS, Getac, GIGABYTE, Toshiba, and Uniwill. Administrators are being told to revoke trust in the affected binaries before they can execute during boot.

The Texas Parks and Wildlife Department license system vendor suffered an intrusion that led to unauthorized access and exposed customer records for millions of license holders. The breach prompted a state investigation and raised follow-on risks of phishing and social engineering against affected people.

The Texas Parks and Wildlife Department disclosed a data breach at its license system vendor that exposed personal information for 3,087,721 Texas hunting and fishing license customers. The exposed dataset included driver’s license information, passport numbers, email addresses, phone numbers, and residential addresses, creating elevated risk of phishing and social engineering abuse. Officials said SSNs, dates of birth, and financial information were not impacted.

A remote code execution flaw in AutoGen Studio affects the MCP WebSocket surface in pre-release builds 0.4.3.dev1 and 0.4.3.dev2. The exploit chain uses a localhost trust bypass, missing authentication, and command execution from a request parameter. The hardening fix is in GitHub main at commit b047730, but no patched PyPI build has landed yet.

Operation Endgame is an ongoing international law enforcement initiative that now includes the takedown of SocGholish infrastructure, expanding disruption of botnets and criminal infrastructure used for malware delivery. The operation has already removed 106 servers and cleaned 14,971 WordPress sites, reducing abuse paths used to spread follow-on payloads. Launched in 2024, the initiative keeps pressure on the infrastructure that supports large-scale cybercrime.

CISA warned Fortinet customers with FortiGate appliances to secure exposed systems against ongoing malicious activity tied to FortiBleed. The activity had reached 86,644 compromised devices by June 19, 2026 and was targeting internet-accessible gateways and administrators. CISA directed operators to terminate active sessions, reset passwords, enforce strong password policies, and enable phishing-resistant MFA.

AWS Continuum launched in gated preview as a new AI-powered vulnerability management platform for AWS environments, expanding security teams’ ability to manage code flaws from discovery through remediation. The platform combines prioritization, validation, and remediation with access to structured and unstructured organization data, including documents and communications. AWS also bundled AWS Security Agent capabilities for penetration testing, code scanning, and threat modelling, broadening the platform’s defensive reach.

The FortiBleed campaign is an ongoing Fortinet credential-theft activity tied to internet-accessible FortiGate appliances and other Fortinet firewalls and VPN gateways. CISA warned customers to harden devices after researchers linked the campaign to 86,644 compromised devices as of June 19, 2026. The activity used mass-scanning, a bespoke credential-spraying tool, and passive traffic monitoring to collect more logins, with Russian-speaking threat actors believed to be involved. CISA advised terminating active sessions, resetting credentials, enabling phishing-resistant MFA, and reviewing logs to limit further access.

FortiBleed is a data leak of Fortinet/FortiGate VPN credentials that now includes a verified database of 86,644 confirmed working credentials collected from internet-facing Fortinet infrastructure across 194 countries. CISA urged customers to harden FortiGate devices by terminating sessions, resetting credentials, enabling phishing-resistant MFA, reviewing logs, and restricting management access. Reporting links the exposure to a Russian-speaking threat actor using SSL VPN authentication interception, hash cracking, and Active Directory pivoting, with at least four organizations fully compromised and broad impact across government and critical infrastructure.

Splunk Enterprise now has a critical CVE-2026-20253 flaw that lets an unauthenticated attacker perform arbitrary file operations and potentially reach remote code execution on affected servers. The issue affects versions below 10.2.4 and 10.0.7, while Splunk Cloud is not impacted. The weakness sits in a PostgreSQL sidecar service endpoint that lacks authentication controls, allowing network-reachable users to invoke file operations without credentials. Exploit details published for the flaw increase the risk of opportunistic abuse even though there is no evidence of in-the-wild exploitation.

A survey found a broad non-email threat-detection gap across Slack, Microsoft Teams, and social channels, increasing exposure as attackers move beyond email. At Infosecurity Europe 2026, 50% of 169 cybersecurity professionals said their organizations lack strong confidence in detecting threats on messaging and social platforms. The pattern is reinforced by low confidence in Slack (40%) and only partial training coverage for non-email threats.

The alleged spoofed-account harassment campaign against a Georgia college student has been tied to repeated use of fake social profiles and email to spread AI-generated nude images and racist fabrications. The activity allegedly spanned January to March 2025 and kept following the victim after a transfer in August 2024. Multiple impersonation accounts were created on Instagram, LinkedIn, Reddit, X, Strava, and Yahoo. The operation widened the harm by contacting the victim's mother and amplifying the abuse across several platforms.

Anthony Belford was arraigned after a federal grand jury indictment on cyberstalking charges, advancing a case tied to AI-generated nude image harassment of a college student. Prosecutors say he used fake Instagram, LinkedIn, Reddit, X, Strava, and Yahoo accounts between January and March 2025 to impersonate the victim and spread racist and anti-Muslim messages. The conduct allegedly continued after the victim transferred to a Georgia college in August 2024, and one spoofed Yahoo account was used to send an AI-generated nude image to the victim's mother.

CISA issued mitigation guidance for FortiBleed, urging operators of internet-accessible Fortinet devices to harden exposed FortiGate and VPN environments after a large-scale credential theft campaign. Reported figures now place the verified credential set at 86,644 confirmed working credentials across 194 countries, with researchers also citing at least four organizations fully compromised. CISA’s actions center on ending active sessions, resetting credentials, enabling phishing-resistant MFA, reviewing logs, and restricting management access to reduce account abuse.

CISA added CVE-2026-28318 affecting SolarWinds Serv-U to the KEV catalog and ordered FCEB agencies to remediate it by June 19, 2026. The directive expands operational urgency for federal civilian environments because the flaw is tied to active exploitation. SolarWinds says the issue is fixed in Serv-U 15.5.4 HF1.

Gentlemen ransomware-as-a-service (RaaS) is actively maintaining a suite of EDR killers led by GentleKiller to disable endpoint defenses before encryption. ESET says the framework has at least eight variants, impersonates legitimate security products such as Kaspersky, Valorant, Javelin, and WatchDog, and uses BYOVD with vulnerable drivers to obtain kernel-level privileges and target more than 400 processes across roughly 48 security vendors and products. The broader tooling set also includes HexKiller, ThrottleBlood, HavocKiller, and OxideHarvest. ESET also reported that Gentlemen can operationalize newly disclosed BYOVD PoC exploits within days and appears to favor victims with FortiGate endpoint configurations.

Nintendo of America confirmed that internal employee survey data from TinyPulse was stolen, exposing information tied to a small subset of employees while leaving Nintendo systems and customer data untouched. The breach was paired with Shadowbyt3$ ransom claims, including a demand for $2 million and warnings that the stolen material could be leaked publicly. The confirmed exposure is limited to survey content, but the event adds pressure because the threat actor says more employee-related data may exist.

The Vo1d campaign continues to target unofficial Android-based TV boxes, keeping a large-scale proxy botnet alive across consumer devices. The operation turns those boxes into relay nodes that can forward traffic for advertising fraud, account takeovers, and mass data-scraping. Researchers say the activity has persisted for four years and spans millions of devices. The scale and persistence make the campaign a broad abuse platform rather than a one-off botnet flare-up.

The Popa botnet has forced millions of consumer TV boxes to relay Internet traffic linked to advertising fraud, account takeovers, and mass data-scraping efforts. The activity has persisted for four years, making it a long-lived proxy layer rather than a short burst of abuse. The scale increases the risk of traffic laundering, downstream misuse, and attribution confusion for affected sites and network defenders.

F5 released security updates for NGINX Open Source after finding two critical vulnerabilities that could lead to remote code execution on affected systems. The patch set covers CVE-2026-42530 and CVE-2026-42055, with fixed builds spanning NGINX Open Source and related NGINX products. Administrators using the affected HTTP/3, HTTP/2, proxy, WAF, and ingress components need to move to the fixed versions to remove the code-execution risk.