Find notable cyber news and cases, enriched with sources, timelines, and signals.

Recent notable Happenings and Cases

Last updated: 16:38 15/06/2026 UTC

Latest updates


Adriatic Port Authority (Autorità di Sistema Portuale) hit by ransomware attack linked to Anubis

Incident

Updated: 15.06.2026 19:15 · First: 15.06.2026 19:15 · 📰 1 src / 1 article · H score: 54

The Adriatic Port Authority suffered a ransomware breach that disrupted the Italian port of Ancona and exposed sensitive port records. The intrusion was tied to Anubis and involved stolen data being leaked after the compromise. Reported impacts included rerouted vessels and a loss of roughly 2% of data, while backups preserved the rest. The stolen material included contracts, employee records, and port safety plans, raising operational and security risk for maritime infrastructure.

Adriatic Port Authority data leak on Anubis

Data Leak

Updated: 15.06.2026 19:15 · First: 15.06.2026 19:15 · 📰 1 src / 1 article · H score: 51

Stolen data from the Adriatic Port Authority was published on Anubis's leak site, exposing employee records, contracts, and port safety/security information tied to the Italian port of Ancona. The authority said the leak covered about 2% of its data, with backups preserving the rest, but some material still reached the dark web.

FBI PSA on courier cash pickups in crypto scams

Public Sector Action

Updated: 15.06.2026 18:30 · First: 15.06.2026 18:30 · 📰 1 src / 1 article · H score: 26

The FBI published a public service announcement warning that scammers in cryptocurrency investment fraud are now using couriers to collect cash after suspicious transfers are blocked. The warning covers pig butchering and romance baiting schemes that reach victims through social media, dating sites, and messaging apps. It urges people to avoid sharing home addresses or handing cash to strangers, and to report suspected fraud promptly to the FBI.

Medical institution in North America hit by data theft breach

Incident

Updated: 15.06.2026 17:00 · First: 15.06.2026 17:00 · 📰 1 src / 1 article · H score: 26

A North American medical institution suffered a REDCap breach that enabled InfiniteRed deployment and sensitive-data theft, leaving the network compromised for more than a year. GTIG attributed the intrusion to UNC6508 and tied the initial compromise to September 2023. The attackers used a credential-harvesting component, a backdoor, and email-based exfiltration through a legitimate compliance-rule feature. Google notified affected organizations in the U.S. and Canada after identifying the activity.

UNC6508 China-linked REDCap espionage campaign

Campaign

Updated: 15.06.2026 17:00 · First: 15.06.2026 17:00 · 📰 1 src / 1 article · H score: 40

UNC6508 ran a China-linked espionage campaign that targeted exposed REDCap servers to steal sensitive data from a North American medical institution. The operation stayed active from September 2023 through November 2025, giving the actor more than a year of undetected access. The operators used InfiniteRed, a custom malware set built for REDCap environments, and paired it with residential proxies, compromised routers, and VPS infrastructure. The campaign mattered because it combined credential theft and email-based exfiltration to move research data out of the victim network.

Microsoft 365 Copilot Enterprise SearchLeak data exfiltration flaw (CVE-2026-42824)

Vulnerability

Updated: 15.06.2026 16:00 · First: 15.06.2026 16:00 · 📰 2 src / 2 articles · H score: 34

Microsoft 365 Copilot Enterprise Search had a critical vulnerability chain, SearchLeak, that could let an attacker leak a victim's emails, calendar details, MFA codes, and indexed files once the victim clicked a trusted microsoft.com link. The chain used the `q` parameter, an HTML rendering race, and Bing's Search by Image as an exfiltration proxy. Microsoft assigned CVE-2026-42824 and said it mitigated the flaw on its backend; Varonis Threat Labs reported a proof-of-concept rather than observed exploitation.

Microsoft security patch release for CVE-2026-42824

Security Patch Release

Updated: 15.06.2026 16:00 · First: 15.06.2026 16:00 · 📰 2 src / 2 articles · H score: 30

Microsoft's fix for SearchLeak in Microsoft 365 Copilot Enterprise closed a critical flaw tied to CVE-2026-42824 that could expose mailbox, OneDrive, and SharePoint data through a crafted URL.

Infinite Campus hit by data theft breach linked to ShinyHunters

Incident

Updated: 15.06.2026 15:38 · First: 15.06.2026 15:38 · 📰 1 src / 1 article · H score: 51

Infinite Campus suffered a Salesforce data theft breach that exposed more than 137,000 school staff accounts, putting staff contact and account data at risk. The compromise targeted the Infinite Campus K-12 student information system and was linked to ShinyHunters. A later leak included an alleged 1.2GB archive of Salesforce records, and breach analysis reported 137,100 accounts with names, email addresses, phone numbers, physical addresses, usernames, and support tickets. The event matters because the platform serves 3,200+ school districts and manages data for 11 million students across the United States.

Lytvynenko guilty plea in Conti ransomware case

Law Enforcement

Updated: 15.06.2026 14:33 · First: 15.06.2026 14:33 · 📰 1 src / 1 article · H score: 36

Oleksii Oleksiyovych Lytvynenko pleaded guilty in a US court to his role in the Conti ransomware operation. He admitted joining the operation in September 2021 and helping develop a malware loader for the group. He also admitted possessing data from 12 victims, including eight in the US, and faces up to 20 years in prison. Sentencing is scheduled for September 10, 2026.

Chrome extension PUP distribution network with fake organic traffic

Malware Activity

Updated: 15.06.2026 14:07 · First: 15.06.2026 14:07 · 📰 1 src / 1 article · H score: 18

A network of 152 Google Chrome extensions is distributing a potentially unwanted program (PUP) family through new-tab live-wallpaper add-ons, creating a broad browser-based adware risk across 105,000 installs. The cluster spans 38 Chrome Web Store publisher accounts and three brand backends, including tabplugins[.]com, yowgames[.]com, and chromewallpaper[.]com. The linked privacy policy admits logging IP addresses, ISP, click counts, and referrers and sharing them with Google AdSense, DoubleClick, and third-party ad partners, despite store listings denying user-data collection. A sub-cluster also uses hard-coded install and uninstall URLs in js/bg.js to manufacture apparent Google organic search traffic and includes dormant logic to delete IndexedDB databases.
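Added example, not code from the report above: a static triage pass over an extension's background script that flags the patterns described, hard-coded URLs wired to install and uninstall hooks (chrome.runtime.onInstalled plus chrome.tabs.create, and chrome.runtime.setUninstallURL), URLs carrying Google/organic attribution parameters, and dormant indexedDB.deleteDatabase calls. The sample bg.js is constructed, and its backend domain is a reserved example name rather than one of the backends named in the report.

```python
"""Static triage of a Chrome extension background script (js/bg.js style) for
install/uninstall beacons and manufactured 'organic' attribution. Added example."""
import re
from dataclasses import dataclass, field

# Constructed sample background script; the domain is a reserved example name.
SAMPLE_BG_JS = r"""
const INSTALL_URL = "https://backend.example/installed?utm_source=google&ref=organic";
chrome.runtime.setUninstallURL("https://backend.example/uninstalled?ref=google");
chrome.runtime.onInstalled.addListener(function (details) {
  if (details.reason === "install") {
    chrome.tabs.create({ url: INSTALL_URL });
  }
});
// Dormant: defined but never wired to any event.
function wipeLocalState() {
  indexedDB.deleteDatabase("wallpapers");
}
"""

URL_LITERAL = re.compile(r'["\'](https?://[^"\']+)["\']')
CONST_ASSIGN = re.compile(r'(?:const|let|var)\s+(\w+)\s*=\s*["\'](https?://[^"\']+)["\']')
UNINSTALL_CALL = re.compile(r'chrome\.runtime\.setUninstallURL\(\s*(["\']?)([^)\s]+?)\1\s*\)')
TABS_CREATE = re.compile(r'chrome\.tabs\.create\(\s*\{[^}]*?url\s*:\s*(["\']?)([^,}\s"\']+)\1')
ON_INSTALLED = re.compile(r'chrome\.runtime\.onInstalled\.addListener')
IDB_DELETE = re.compile(r'indexedDB\.deleteDatabase\(\s*["\']([^"\']*)["\']')
# Query parameters that make a beacon look like a click arriving from Google organic search.
ATTRIBUTION_PARAMS = re.compile(r'(utm_source|utm_medium|ref|referrer|source)=(google|organic)', re.I)


@dataclass
class Triage:
    all_urls: list = field(default_factory=list)
    uninstall_urls: list = field(default_factory=list)
    install_urls: list = field(default_factory=list)
    indexeddb_deletes: list = field(default_factory=list)
    spoofed_attribution: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.uninstall_urls or self.install_urls or self.spoofed_attribution)


def _resolve(token: str, consts: dict) -> str:
    """A call argument is either a URL literal or an identifier bound to one."""
    return consts.get(token, token)


def triage_background_script(source: str) -> Triage:
    consts = dict(CONST_ASSIGN.findall(source))
    t = Triage(all_urls=sorted(set(URL_LITERAL.findall(source))))
    for _, arg in UNINSTALL_CALL.findall(source):
        t.uninstall_urls.append(_resolve(arg, consts))
    # A tabs.create in a script that also registers onInstalled is the install-beacon shape.
    if ON_INSTALLED.search(source):
        for _, arg in TABS_CREATE.findall(source):
            t.install_urls.append(_resolve(arg, consts))
    t.indexeddb_deletes = IDB_DELETE.findall(source)
    for url in sorted(set(t.uninstall_urls + t.install_urls)):
        if ATTRIBUTION_PARAMS.search(url):
            t.spoofed_attribution.append(url)
    return t


if __name__ == "__main__":
    result = triage_background_script(SAMPLE_BG_JS)
    for name, value in vars(result).items():
        print(f"{name}: {value}")
    print("suspicious:", result.suspicious)
```

Run it over each extension's background script after extracting the CRX; a hit on the install or uninstall beacon carrying attribution parameters is the signal to compare against the store listing's data-collection claims.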

Commercial adware and traffic-attribution-fraud affiliate operation using Chrome extensions

Threat Actor Meta

Updated: 15.06.2026 14:07 · First: 15.06.2026 14:07 · 📰 1 src / 1 article · H score: 20

Researchers found a commercial adware and traffic-attribution-fraud affiliate operation abusing Chrome extensions to fabricate traffic signals and monetize installs, increasing fraud-enablement risk across the extension ecosystem. The network spans 38 publisher accounts, three brand backends, and 105,000 installs, showing coordinated distribution at meaningful scale.

Council of Europe ShinyHunters data leak claim

Data Leak

Updated: 15.06.2026 13:44 · First: 15.06.2026 13:44 · 📰 1 src / 1 article · H score: 46

ShinyHunters has listed the Council of Europe on its Tor-based leak site, claiming a data theft of more than 297 GB and over 429,000 files. The alleged material spans multiple departments and includes payroll, identity, financial, and medical records. If the claim is accurate, the leak could expose sensitive employee and organizational data when the group's June 16 deadline passes.

PushEngage, OptinMonster, and TrustPulse CDN script-tampering campaign

Campaign

Updated: 15.06.2026 12:59 · First: 15.06.2026 12:59 · 📰 1 src / 1 article · H score: 28

A multi-plugin JavaScript tampering campaign spread poisoned code through PushEngage, OptinMonster, and TrustPulse, putting more than 1.2 million WordPress sites at risk of takeover. The malicious scripts only fired when a logged-in administrator loaded them, then used that session to create an attacker-controlled admin account. The operation also installed a hidden plugin backdoor and could leave additional persistence behind. Sites that loaded the tampered files should be treated as potentially compromised and checked server-side.

PushEngage hit by cyberattack

Incident

Updated: 15.06.2026 12:59 · First: 15.06.2026 12:59 · 📰 1 src / 1 article · H score: 22

A PushEngage script-tampering incident put WordPress sites at risk of takeover after poisoned JavaScript was served through trusted plugin delivery paths. The same malicious code also appeared in OptinMonster and TrustPulse deliveries, and it only triggered when a logged-in WordPress administrator loaded the page. Sites that loaded the backdoored scripts should be treated as compromised, because the payload could create attacker-controlled admin access and hide a persistent entry point.

GC3 AI hackathons for government code remediation

Public Sector Action

Updated: 15.06.2026 12:30 · First: 15.06.2026 12:30 · 📰 1 src / 1 article · H score: 28

GC3 ran weekly AI hackathons that uncovered and helped remediate 407 vulnerabilities across nine UK government departments, reducing exploitable risk in public-sector code. The initiative found issues including authentication bypass, data exposure, and remote code execution. All critical and high-risk exploitable weaknesses were remediated, and no exploitation was identified. The effort also showed how frontier models can support cross-boundary vulnerability discovery and triage.

Sniper Dz MENA fake Facebook phishing and monetization campaign

Campaign

Updated: 15.06.2026 09:30 · First: 15.06.2026 09:30 · 📰 1 src / 1 article · H score: 30

A Sniper Dz fraud campaign is targeting users across the Middle East and North Africa with fake Facebook accounts that impersonate politicians, public figures, and trusted organizations. The lures push free mobile internet, financial compensation, and government subsidy offers, then steer victims through intermediary sites into phishing and traffic monetization infrastructure. The operation abuses browser notification permissions, back-button hijacking, and tab-under redirects to keep victims inside attacker-controlled pages. The same ecosystem has also been linked to telecom impersonation and investment scams across multiple regions, pointing to a broader monetization network.

Sniper Dz free PhaaS ecosystem rebranded to scale phishing operations

Threat Actor Meta

Updated: 12.06.2026 11:52 · First: 12.06.2026 11:52 · 📰 1 src / 2 articles · H score: 43

A long-running Sniper Dz ecosystem operated as a free phishing-as-a-service (PhaaS) platform that repeatedly rebranded, lowering the barrier for large-scale credential theft and scam delivery. Its bundled kits, hosting, and support helped cybercriminals launch phishing campaigns across major brands and government impersonations.

Palo Alto Networks GlobalProtect log search guidance for CVE-2026-0257

Advisory/Mitigation

Updated: 15.06.2026 09:17 · First: 15.06.2026 09:17 · 📰 1 src / 1 article · H score: 35

Palo Alto Networks is urging GlobalProtect customers to search logs for successful gateway-connected events tied to CVE-2026-0257, a step that can expose possible unauthorized VPN access. The guidance matches activity from hard-coded client configuration values used in a proof-of-concept (PoC) exploit. The flaw is an authentication bypass in PAN-OS portal and gateway components, and the company says it has seen active exploitation in limited attacks. Reviewing logs now can help operators identify whether their environments were touched by the abuse path.

CISA revises CIRCIA town hall schedule

Public Sector Action

Updated: 26.05.2026 15:00 · First: 26.05.2026 15:00 · 📰 1 src / 1 article · H score: 21

CISA revised the schedule for virtual town halls on the CIRCIA rulemaking, reopening stakeholder engagement on a cybersecurity reporting rule that will affect critical infrastructure organizations. The rescheduled sessions begin June 15 and replace meetings that had been set for March and April 2026. CISA says the consultations are meant to collect input before the rule is finalized.

Google civil lawsuit against Outsider Enterprise

Regulatory/Legal Action

Updated: 14.06.2026 17:36 · First: 14.06.2026 17:36 · 📰 1 src / 1 article · H score: 55

Google filed a civil lawsuit against Outsider Enterprise, adding legal pressure to a major phishing infrastructure operation that sent fraudulent texts at scale. The action matters because it targets the network used to impersonate trusted brands and supports blocking efforts with AT&T, T-Mobile, and Verizon.

FBI takedown of Outsider Enterprise phishing service

Law Enforcement

Updated: 14.06.2026 17:36 · First: 14.06.2026 17:36 · 📰 1 src / 1 article · H score: 63

The FBI and partners dismantled Outsider Enterprise, a phishing-as-a-service operation tied to thousands of phishing websites and large-scale credential theft. The takedown seized infrastructure, domains, wallets, and a Telegram bot, disrupting a network that had operated since at least 2023. The disruption cuts off a service blamed for millions of stolen credit card records and $1.9 billion in estimated losses.

Outsider Telegram-run smishing campaign targeting Americans

Campaign

Updated: 12.06.2026 21:59 · First: 12.06.2026 21:59 · 📰 2 src / 2 articles · H score: 53

Outsider Enterprise is a phishing-as-a-service operation run by a Chinese cybercrime network that used AI and distributed phishing kits to impersonate trusted brands in texts sent through AT&T, T-Mobile, and Verizon. In the latest phase, the FBI, with Google and Black Lotus Labs, dismantled parts of the operation, seized infrastructure including administration servers, a Shopify e-commerce storefront, a testing account, around $100,000 USDT, and a Telegram bot, and redirected thousands of domains to an FBI splash page. Google said the service had reached 9,000 fake websites and more than a million fraudulent URLs, and authorities tied the activity to theft of more than 3.8 million credit card records and $1.9 billion in losses. Google is also pursuing civil action and working with carriers to block fraudulent messages before they reach subscribers.

Outsider Enterprise Chinese phishing-as-a-service network behind large-scale smishing

Threat Actor Meta

Updated: 12.06.2026 21:59 · First: 12.06.2026 21:59 · 📰 2 src / 2 articles · H score: 69

The Outsider Enterprise is a Chinese phishing-as-a-service operation that used Telegram, AI, and distributed phishing kits to run large-scale brand-impersonation campaigns through texts sent over AT&T, T-Mobile, and Verizon. Google linked the network to 9,000 fake websites and more than a million fraudulent URLs, and authorities say the activity has driven theft of more than 3.8 million credit card records and about $1.9 billion in losses. The latest response includes an FBI-led takedown with Google and Black Lotus Labs, seizures of infrastructure and funds, and carrier blocking efforts to stop fraudulent messages before they reach users.

Saydel Community School District hit by network compromise

Incident

Updated: 13.06.2026 23:53 · First: 13.06.2026 23:53 · 📰 1 src / 1 article · H score: 25

The Saydel Community School District suffered a 21-month unauthorized access intrusion that disrupted classroom operations, deleted accounts, and caused tens of thousands of dollars in remediation costs. The attacker used retained credentials after employment ended to keep reaching district systems. The activity also blocked access to Apple School Manager and Schoology, creating direct operational impact for staff and students.

Ezekiel Dean Potter sentencing in Saydel Community School District computer fraud case

Law Enforcement

Updated: 13.06.2026 23:53 · First: 13.06.2026 23:53 · 📰 1 src / 1 article · H score: 22

Ezekiel Dean Potter was sentenced on June 11, 2026 to 21 months in prison and three years of supervised release for computer fraud tied to attacks on the Saydel Community School District. The sentence resolves a post-employment intrusion campaign that disrupted classroom operations and caused tens of thousands of dollars in damage. Potter must also pay $59,668.81 in restitution and faces monitoring and restrictions during supervision.

Organization hit by network compromise linked to Velvet Ant

Incident

Updated: 13.06.2026 17:06 · First: 13.06.2026 17:06 · 📰 1 src / 1 article · H score: 35

An unnamed organization suffered a roughly decade-long compromise of its authentication stack that exposed administrative activity inside an isolated critical infrastructure network. The intrusion was linked to Velvet Ant and Operation Highland, and it began in 2016 with access through internet-facing systems. The attackers then preserved access by modifying PAM and OpenSSH components so that they could steal credentials and observe every login and command.
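Added example, not from the report above: two checks a responder can run against a Linux host's authentication stack when PAM or OpenSSH tampering of this kind is suspected. The first parses a pam.d configuration and flags modules that are not in an allowlist, modules loaded from outside the standard module directories, and arguments that point at scratch directories; the second verifies on-disk binaries against a sha256 baseline, which is what catches a trojaned module that kept its normal name and path. The allowlist, the sample sshd PAM file and the baseline are all constructed assumptions for this example; on a real host the baseline should come from the package manager (rpm -V or dpkg -V) or from a known-good image.

```python
"""PAM configuration audit and binary baseline check for suspected auth-stack tampering.
Added example; allowlist, sample config and baseline are constructed assumptions."""
import hashlib
import os
import re
import tempfile

# Assumed allowlist for this example; incomplete by design, tune it to your distro.
KNOWN_MODULES = {
    "pam_unix.so", "pam_env.so", "pam_nologin.so", "pam_permit.so", "pam_deny.so",
    "pam_faildelay.so", "pam_succeed_if.so", "pam_limits.so", "pam_systemd.so",
    "pam_sepermit.so", "pam_loginuid.so", "pam_selinux.so", "pam_keyinit.so",
    "pam_motd.so", "pam_mail.so", "pam_lastlog.so", "pam_faillock.so",
    "pam_pwquality.so", "pam_localuser.so", "pam_namespace.so",
}
STANDARD_MODULE_DIRS = {
    "/lib/security", "/lib64/security", "/usr/lib/security", "/usr/lib64/security",
    "/lib/x86_64-linux-gnu/security", "/usr/lib/x86_64-linux-gnu/security",
}
SCRATCH_DIRS = ("/tmp", "/var/tmp", "/dev/shm")

# type  control  module  [args]; control may be the bracketed [success=1 default=ignore] form.
PAM_RULE = re.compile(r"^(-?[a-z]+)\s+(\[[^\]]*\]|\S+)\s+(\S+)(?:\s+(.*))?$")

# Constructed sample /etc/pam.d/sshd; the last rule is the kind of addition to look for.
SAMPLE_SSHD_PAM = """\
#%PAM-1.0
auth       required     pam_sepermit.so
auth       substack     password-auth
auth       include      postlogin
account    required     pam_nologin.so
account    include      password-auth
password   include      password-auth
session    required     pam_selinux.so close
session    required     pam_loginuid.so
session    optional     /usr/lib64/security/pam_unix.so
auth       optional     /tmp/.x/pam_ssh_log.so logfile=/dev/shm/.keys
"""


def parse_pam_config(text):
    """Return (type, control, module, args) per rule; include/substack lines name
    another config file rather than a module and are skipped."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("@include"):
            continue
        m = PAM_RULE.match(line)
        if not m:
            continue
        rtype, control, module, args = m.groups()
        if control in ("include", "substack"):
            continue
        rules.append((rtype.lstrip("-"), control, module, args or ""))
    return rules


def _in_scratch(path):
    return any(path == d or path.startswith(d + "/") for d in SCRATCH_DIRS)


def audit_pam_config(text):
    """Flag unknown modules, non-standard module paths and scratch-dir arguments."""
    findings = []
    for rtype, _control, module, args in parse_pam_config(text):
        name = os.path.basename(module)
        if module.startswith("/") and os.path.dirname(module) not in STANDARD_MODULE_DIRS:
            findings.append(f"{rtype}: module loaded from non-standard path {module}")
        if name not in KNOWN_MODULES:
            findings.append(f"{rtype}: unrecognised module {name}")
        for tok in args.split():
            if _in_scratch(tok.split("=", 1)[-1]):
                findings.append(f"{rtype}: {name} argument points at scratch dir: {tok}")
    return findings


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_baseline(baseline):
    """Compare files on disk with a known-good {path: sha256} manifest."""
    findings = []
    for path, expected in baseline.items():
        if not os.path.exists(path):
            findings.append(f"missing: {path}")
        elif sha256_file(path) != expected:
            findings.append(f"modified: {path}")
    return findings


def demo_baseline_check():
    """Stand-in for sshd and pam_unix.so: record a baseline, then tamper with one file."""
    with tempfile.TemporaryDirectory() as d:
        paths = [os.path.join(d, n) for n in ("sshd", "pam_unix.so")]
        for p in paths:
            with open(p, "wb") as f:
                f.write(b"\x7fELF placeholder for " + os.path.basename(p).encode())
        baseline = {p: sha256_file(p) for p in paths}
        with open(paths[1], "ab") as f:          # simulate an in-place patch
            f.write(b"credential-logging patch")
        return verify_baseline(baseline)


if __name__ == "__main__":
    print("\n".join(audit_pam_config(SAMPLE_SSHD_PAM)))
    print("\n".join(demo_baseline_check()))
```

Neither check replaces package verification, and a config audit alone cannot see a module that was replaced in place under its original name; that is why the hash comparison is paired with it.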

Splunk Enterprise security update for CVE-2026-20253

Security Patch Release

Updated: 13.06.2026 16:23 · First: 13.06.2026 16:23 · 📰 1 src / 1 article · H score: 42

Splunk released security updates for CVE-2026-20253, fixing a critical Splunk Enterprise flaw that could enable unauthenticated file operations and remote code execution. The update covers Splunk Enterprise 10.0.0 to 10.0.6 and 10.2.0 to 10.2.3, with fixes in 10.0.7 and 10.2.4. Splunk Cloud is not impacted.

Splunk Enterprise unauthenticated file operations flaw (CVE-2026-20253)

Vulnerability

Updated: 13.06.2026 16:23 · First: 13.06.2026 16:23 · 📰 1 src / 1 article · H score: 37

Splunk Enterprise has a critical flaw, CVE-2026-20253, that lets an unauthenticated attacker perform arbitrary file operations and potentially reach remote code execution on affected servers. The issue affects versions below 10.2.4 and 10.0.7, while Splunk Cloud is not impacted. The weakness sits in a PostgreSQL sidecar service endpoint that lacks authentication controls, so anyone who can reach the endpoint over the network can invoke file operations without credentials. Exploit details published for the flaw increase the risk of opportunistic abuse even though there is no evidence of in-the-wild exploitation.
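Added example, not Splunk's own tooling: a version check that maps a Splunk Enterprise version string (bare, or as printed by `splunk version`) onto the affected ranges listed in the two entries above, 10.0.0 through 10.0.6 fixed in 10.0.7 and 10.2.0 through 10.2.3 fixed in 10.2.4. Versions on branches the summary does not list are reported as unknown rather than assumed safe, which is the caveat that matters when triaging a fleet. The inventory is constructed.

```python
"""Branch-aware affected-version check for CVE-2026-20253. Added example."""
import re
from collections import Counter

VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")

# First fixed release on each affected branch, per the advisory summary above.
FIXED_BY_BRANCH = {(10, 0): (10, 0, 7), (10, 2): (10, 2, 4)}

# Constructed fleet inventory; the build hashes are placeholders.
SAMPLE_INVENTORY = [
    ("idx-01", "Splunk 10.0.6 (build 1a2b3c)"),
    ("idx-02", "Splunk 10.0.7 (build 4d5e6f)"),
    ("sh-01", "10.2.3"),
    ("sh-02", "10.2.4"),
    ("hf-01", "10.1.2"),
]


def parse_version(text):
    """Extract (major, minor, patch) from a bare version or `splunk version` output."""
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no version found in {text!r}")
    return tuple(int(x) for x in m.groups())


def cve_2026_20253_status(text):
    """'affected', 'fixed', or 'unknown' for branches the summary does not cover."""
    v = parse_version(text)
    fixed = FIXED_BY_BRANCH.get(v[:2])
    if fixed is None:
        return "unknown"
    return "affected" if v < fixed else "fixed"


def triage_inventory(inventory):
    return {host: cve_2026_20253_status(ver) for host, ver in inventory}


def summarize(inventory):
    return dict(Counter(triage_inventory(inventory).values()))


if __name__ == "__main__":
    for host, status in triage_inventory(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
    print(summarize(SAMPLE_INVENTORY))
```

Hosts reported as unknown (here the 10.1.x heavy forwarder) should be checked against the vendor advisory directly, since the summary above only enumerates the 10.0 and 10.2 branches.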

U.S. government export control directive orders Anthropic to suspend foreign nationals' access to Claude Fable 5 and Mythos 5

Public Sector Action

Updated: 13.06.2026 08:42 · First: 13.06.2026 08:42 · 📰 1 src / 1 article · H score: 26

The U.S. government ordered Anthropic to suspend access to Claude Fable 5 and Mythos 5 for foreign nationals, restricting advanced AI model access on national-security grounds. Anthropic said it received the order at 5:21 p.m. ET on June 13, 2026 and is trying to restore access after what it described as a possible misunderstanding. The directive does not affect access to other models, and Mythos 5 remains available to a vetted group of cyber defenders and critical infrastructure operators.

Maine Attorney General's Office temporarily disables public access to breach notification database

Public Sector Action

Updated: 12.06.2026 22:33 · First: 12.06.2026 22:33 · 📰 2 src / 2 articles · H score: 50

Maine's Attorney General's Office temporarily disabled public access to the breach notification database, changing the state's breach-reporting workflow after fraudulent disclosures were posted. The office said the move is meant to curb abuse of the reporting system and stop false notices from being auto-published. The service still accepts submissions from companies, but the public must now request copies directly from the office.