Find notable cyber news and cases, enriched with sources, timelines, and signals.

Recent notable Happenings and Cases

Last updated: 16:24 10/06/2026 UTC
Last updated: 21:01 06/06/2026 UTC

Latest updates


TikTok and Instagram Reels Vidar social-engineering campaign

Campaign

Updated: 10.06.2026 19:00 · First: 10.06.2026 19:00 · 📰 1 src / 1 articles · H score: 37

A TikTok and Instagram Reels campaign is using fake free-software tutorials to push Vidar, turning social feeds into a high-reach malware delivery channel. The operation used two campaigns to game recommendation systems, with one clip drawing more than 100,000 views and another logging nearly 1700 saves. One path delivered a PowerShell command that fetched Vidar from msget[.]run, while another used comment bait and direct messages to steer viewers toward d4ug[.]site. The activity combines social engineering, platform engagement tricks, and lure-based download chains to drive installation attempts at scale.

Vidar infostealer delivered through TikTok and Instagram Reels

Malware Activity

Updated: 10.06.2026 19:00 · First: 10.06.2026 19:00 · 📰 1 src / 1 articles · H score: 27

Threat actors are using TikTok and Instagram Reels to deliver Vidar infostealer through fake free-software tutorials, putting viewers at risk of credential, financial-data, and token theft. One delivery path used an AI-voiced PowerShell lure that fetched the malware from msget[.]run. A second path used comments and direct messages to steer users to d4ug[.]site, although its final payload was not confirmed.

Securing the browser session layer to reduce enterprise browser-based phishing and session-layer abuse

Defensive Guidance

Updated: 10.06.2026 18:30 · First: 10.06.2026 18:30 · 📰 1 src / 1 articles · H score: 14

Enterprise browser-session hardening is being emphasized to reduce browser-based phishing and session-layer abuse across enterprise environments. The guidance targets a control gap where traditional defenses miss activity that happens inside the browser rather than a standalone app. It is aimed at organizations handling email, SaaS, collaboration, AI assistant, financial, and credential-management workflows in-browser.

SilabRAT session-hijacking crypto-draining malware activity

Malware Activity

Updated: 10.06.2026 18:30 · First: 10.06.2026 18:30 · 📰 1 src / 1 articles · H score: 24

The SilabRAT MaaS operation is now offering a session-hijacking remote access trojan that can drain cryptocurrency and bypass password and MFA checks, expanding the risk from stolen logins to direct wallet theft. It uses HVNC and browser-profile cloning so attackers can revive a victim's live session on another machine. Operators are spreading it with email spam and ClickFix lures. The toolkit also includes keylogging, clipboard capture, and TightVNC, making the malware useful for both account abuse and wallet draining.

Enterprise browser phishing detection gaps leave one in five attacks undetected

Trend

Updated: 10.06.2026 18:30 · First: 10.06.2026 18:30 · 📰 1 src / 1 articles · H score: 29

Browser-based phishing is leaving enterprise users exposed, with one in five attacks going completely undetected across millions of active browser sessions from January 1 to March 31, 2026. The pattern shows attackers operating in the browser session layer, where legacy filtering and many enterprise security products lack visibility. ClickFix-style social engineering can push users to act inside the browser and bypass controls that are not watching for legitimate-looking user actions. The gap raises the risk of credential theft and unauthorized access in environments that now run email, SaaS, collaboration, AI, and finance workflows in the browser.

O1oo1 packages SilabRAT and AsmCrypt as a dark-web MaaS ecosystem

Threat Actor Meta

Updated: 10.06.2026 18:30 · First: 10.06.2026 18:30 · 📰 1 src / 1 articles · H score: 31

o1oo1 is selling SilabRAT as a $5000/month MaaS and bundling it with AsmCrypt, turning the malware into a packaged criminal service that lowers adoption barriers. The setup shows a monetized ecosystem around session-hijacking and crypto theft, not just a standalone payload. Buyers are meant to launch their own campaigns, which broadens distribution and increases the risk of repeated infections across dark web forums and spam-driven lures.

Fortinet security patch release for CVE-2026-25089

Security Patch Release

Updated: 10.06.2026 18:10 · First: 10.06.2026 18:10 · 📰 1 src / 1 articles · H score: 44

Fortinet, Ivanti, and SAP released security updates that address multiple critical vulnerabilities across FortiSandbox, Ivanti Sentry, and SAP products. The patches cover flaws that could lead to arbitrary code execution and information disclosure, including CVE-2026-25089 and two critical Ivanti Sentry issues. The release matters because the affected products include internet-facing and enterprise application components with high-impact exposure.

Langflow path traversal flaw (CVE-2026-5027)

Vulnerability

Updated: 10.06.2026 18:00 · First: 10.06.2026 18:00 · 📰 1 src / 1 articles · H score: 33

Langflow's CVE-2026-5027 is an unpatched path traversal vulnerability that is being actively exploited in the wild. The flaw lets an attacker write files to arbitrary locations and can lead to unauthenticated remote code execution. Exposure is especially concerning because unauthenticated auto-login is enabled by default and roughly 7,000 instances are publicly exposed.

JDY botnet expanded reconnaissance and flaw-focused scanning activity

Malware Activity

Updated: 10.06.2026 18:00 · First: 10.06.2026 18:00 · 📰 1 src / 1 articles · H score: 27

The JDY botnet has expanded its reconnaissance and flaw-focused scanning, increasing the risk that exposed infrastructure will be rapidly identified and targeted. Researchers say it remains heavily focused on the United States, especially U.S. military and associated networks, while operating through compromised SOHO and IoT devices. The botnet's scanning workflow helps operators locate systems vulnerable to newly disclosed flaws and quickly operationalize the results. Its growth from January 2024 to today also shows the network is becoming a more capable discovery platform.

The Gentlemen ransomware group’s 90/10 RaaS model and rapid victim growth

Threat Actor Meta

Updated: 10.06.2026 17:03 · First: 10.06.2026 17:03 · 📰 1 src / 1 articles · H score: 26

The Gentlemen ransomware group has become a high-volume RaaS operation, using a 90/10 affiliate split to attract operators and expand its reach. The group now ranks as the second most active ransomware gang by victim count, with 332 published victims since mid-2025 and more than 240 in 2026. Its operators focus on Internet-facing VPNs and firewalls and can encrypt whole networks within hours. Identity work also links the administrator to the Zeta88/Hastalamuerte handles, reinforcing the picture of a centralized ransomware business built for scale.

Microsoft security patch release for CVE-2026-42897

Security Patch Release

Updated: 10.06.2026 16:44 · First: 10.06.2026 16:44 · 📰 1 src / 1 articles · H score: 44

Microsoft released June 2026 Security Updates for Exchange Server 2016, Exchange Server 2019, and Exchange Server Subscription Edition (SE) to fix CVE-2026-42897, an actively exploited spoofing/XSS flaw affecting Outlook Web Access users. Administrators were told to deploy the updates as soon as possible and keep the temporary Exchange Emergency Mitigation Service (EEMS) protections in place. The release closes a high-severity browser-code-execution path while preserving mitigation coverage during rollout.

CISA BOD 26-04 prioritizes vulnerability remediation for federal civilian agencies

Public Sector Action

Updated: 10.06.2026 15:00 · First: 10.06.2026 15:00 · 📰 1 src / 1 articles · H score: 27

CISA issued Binding Operational Directive 26-04 to require federal civilian agencies to prioritize vulnerability remediation using Asset Exposure, KEV Status, Exploit Automation, and Post-Exploitation Technical Impact. The directive updates BOD 19-02 and BOD 22-01 so agencies focus patching on the highest-risk vulnerabilities and verify whether systems were already compromised before patching. It is a federal cybersecurity mandate meant to reduce risk and improve remediation efficiency across the civilian government enterprise.

Microsoft Windows Update installation failures on upgraded Windows 11 PCs

Service Disruption

Updated: 10.06.2026 14:33 · First: 10.06.2026 14:33 · 📰 1 src / 1 articles · H score: 1

Microsoft Windows Update is failing on a small percentage of upgraded Windows 11 PCs, blocking June 2026 cumulative updates and producing 0x80073712 or 0x800f0993 errors. The affected cohort includes devices that started on Windows 10 21H2/22H2 or Windows 11 23H2 and were later upgraded to Windows 11 24H2 or 25H2. Microsoft says a fix will reach unmanaged enterprise devices and Home PCs after a restart, while already-affected systems may need package removal or an in-place upgrade. The disruption matters because impacted devices cannot install monthly Windows updates until the issue is cleared.

Rising concurrent identity crime incidents among identity crime victims in 2025-2026

Trend

Updated: 10.06.2026 13:15 · First: 10.06.2026 13:15 · 📰 1 src / 1 articles · H score: 25

Identity crime victims faced more overlapping incidents in 2025-2026, increasing the risk that one compromise would spread across multiple accounts and institutions. A dataset of over 6,000 reports found nearly 26% of victims dealt with two or more concurrent incidents, up from 24% the prior year. Unauthorized device/PC access rose sharply and became a major driver of compromise, while account takeovers remained the largest misuse category at 50%. The pattern points to more chained identity abuse and slower recovery for victims caught in multi-step fraud.

Microsoft Windows June 2026 Patch Tuesday zero-day fixes (multiple vulnerabilities)

Security Patch Release

Updated: 10.06.2026 12:57 · First: 10.06.2026 12:57 · 📰 1 src / 1 articles · H score: 40

Microsoft's June 2026 Patch Tuesday fixed three Windows zero-days that could yield SYSTEM access or bypass BitLocker on vulnerable systems.

Microsoft June 2026 Patch Tuesday record 206-vulnerability update

Security Patch Release

Updated: 10.06.2026 12:38 · First: 10.06.2026 12:38 · 📰 1 src / 1 articles · H score: 55

Microsoft shipped a record 206-vulnerability update for its software portfolio, including three publicly disclosed flaws. The release spans Critical and Important issues across Windows and related components, making it a large enterprise patching event. It also includes fixes for Chromium-related code in Edge and adds MaxHeadersCount mitigation for HTTP/2 and HTTP/3 header abuse.

Fortinet and Ivanti multi-product security patch release

Security Patch Release

Updated: 10.06.2026 11:50 · First: 10.06.2026 11:50 · 📰 1 src / 1 articles · H score: 46

Fortinet and Ivanti released patches on Tuesday for multiple product flaws, including critical OS command injection and authentication-bypass bugs that could enable remote compromise. The update spans FortiSandbox, FortiOS, FortiProxy, FortiPortal, Sentry, and Endpoint Manager Mobile (EPMM).

Microsoft June 2026 Patch Tuesday record security update bundle

Security Patch Release

Updated: 10.06.2026 01:07 · First: 10.06.2026 01:07 · 📰 2 src / 2 articles · H score: 36

Microsoft released a record Patch Tuesday bundle for June 2026 that patches nearly 200 security holes across Windows operating systems and supported software, with nearly three dozen critical flaws and public exploit code already available for at least three weaknesses.

ServiceNow hit by network compromise

Incident

Updated: 10.06.2026 10:02 · First: 10.06.2026 10:02 · 📰 1 src / 1 articles · H score: 25

ServiceNow disclosed an unauthorized access incident affecting hosted customer instances, with evidence that attackers made successful queries of instance tables against a subset of customers. The company said it applied a security update on June 5, 2026 to address a flaw that could let unauthenticated users gain greater access than intended. Impacted customers were notified, and the issue affected systems on the Australia platform release or certain earlier configurations. The activity shows real compromise of instance data access rather than a purely theoretical risk.

ServiceNow hosted customer instances unauthenticated access security flaw

Vulnerability

Updated: 10.06.2026 10:02 · First: 10.06.2026 10:02 · 📰 1 src / 1 articles · H score: 6

ServiceNow hosted customer instances were exposed to an unauthenticated access flaw that let a user gain greater access than intended, and ServiceNow pushed a June 5, 2026 security update to restrict the endpoint to authenticated users. The issue had no CVE identifier at the time of disclosure. ServiceNow also reported anomalous activity and evidence of successful queries of instance tables against a subset of customers. The affected scope included customers on the Australia platform release and certain older-release configurations.

Ivanti Sentry OS command injection RCE as root (CVE-2026-10520)

Vulnerability

Updated: 10.06.2026 09:26 · First: 10.06.2026 09:26 · 📰 2 src / 2 articles · H score: 39

Ivanti Sentry has a critical OS command injection vulnerability, CVE-2026-10520, that can let remote attackers execute code with root privileges on the gateway appliance. Ivanti said it had no evidence of exploitation in the wild at disclosure. The company released fixed builds R10.5.2, R10.6.2, and R10.7.1 to address the flaw. Administrators should upgrade affected gateways to reduce exposure.

Ivanti Sentry patch release for CVE-2026-10520 and CVE-2026-10523

Security Patch Release

Updated: 10.06.2026 09:26 · First: 10.06.2026 09:26 · 📰 1 src / 1 articles · H score: 29

Ivanti released a patch bundle for Sentry after identifying two critical vulnerabilities in the secure mobile gateway appliance, including CVE-2026-10520 and CVE-2026-10523. The update addresses an OS command injection flaw that can lead to code execution as root and an authentication bypass that can let unauthenticated attackers create rogue admin accounts. Ivanti said it had no evidence of exploitation in the wild and urged administrators to upgrade to R10.5.2, R10.6.2, or R10.7.1.

Microsoft Defender RoguePlanet race-condition zero-day remote code execution flaw

Vulnerability

Updated: 10.06.2026 02:11 · First: 10.06.2026 02:11 · 📰 2 src / 2 articles · H score: 39

Microsoft Defender zero-day RoguePlanet is a race-condition flaw affecting fully patched Windows 10 and Windows 11 systems. A public proof-of-concept exploit was released shortly after June 2026 Patch Tuesday and can spawn a SYSTEM-level command prompt or shell when exploitation succeeds. Later reporting added that the exploit was reproduced on fully patched Windows 11 with KB5094126 and that the issue was originally aimed at remote code execution over SMB-hosted files, though the released proof of concept is mainly described as local privilege escalation. The later disclosure also says the exploit has been tested on Windows 10 and Windows 11 with June 2026 updates and does not yet work on Windows Server without redesign.

Protobuf.js / protobufjs-cli Proto6 security patches (multiple vulnerabilities)

Security Patch Release

Updated: 10.06.2026 08:08 · First: 10.06.2026 08:08 · 📰 1 src / 1 articles · H score: 29

protobuf.js and protobufjs-cli now have fixed releases for Proto6, reducing the risk of RCE and DoS in affected Node.js environments. The patch release covers six vulnerabilities and gives users a clear upgrade path to protobufjs 7.5.6 / 8.0.2 and protobufjs-cli 1.2.1 / 2.0.2. Organizations that deserialize Protobuf data or generate code from schemas should move to the patched versions to limit exposure.

Protobuf.js Proto6 multiple vulnerabilities and denial-of-service flaw (CVE-2026-44291)

Vulnerability

Updated: 10.06.2026 08:08 · First: 10.06.2026 08:08 · 📰 1 src / 1 articles · H score: 26

protobuf.js and protobufjs-cli have six newly disclosed vulnerabilities that can enable remote code execution or denial of service in Node.js environments processing untrusted Protobuf data. The flaws affect applications, cloud client libraries, messaging frameworks, and CI/CD pipelines that deserialize schemas or generate code from attacker-controlled inputs. The most severe issue, CVE-2026-44291, can lead to arbitrary JavaScript execution, and fixes are available.

Microsoft June 2026 Patch Tuesday GreenPlasma and YellowKey fixes

Security Patch Release

Updated: 10.06.2026 02:11 · First: 10.06.2026 02:11 · 📰 1 src / 1 articles · H score: 15

Microsoft released June 2026 Patch Tuesday updates that fixed the GreenPlasma and YellowKey flaws, closing two previously disclosed issues in the Windows ecosystem. The patch release matters because it removes the vendor-supported remediation path for those vulnerabilities on affected systems. Administrators should treat the update as the relevant security action for the covered flaws.

AI agent phishing controls for sender verification, external-recipient approval, and internal data restriction

Defensive Guidance

Updated: 10.06.2026 00:20 · First: 10.06.2026 00:20 · 📰 1 src / 1 articles · H score: 28

A simulated phishing test showed that an OpenClaw AI email agent could be induced to expose credentials and customer data, increasing the risk of phishing-driven data leakage in autonomous workflows. The agent was stronger at spotting malicious URLs and OAuth lures than at verifying sender identities under urgent social-engineering prompts. Recommended controls now focus on approval for new external recipients, limited internal data access, and human review for high-risk actions.

OpenClaw phishing simulations expose AI agent identity-verification failures

Technical Analysis

Updated: 10.06.2026 00:20 · First: 10.06.2026 00:20 · 📰 1 src / 1 articles · H score: 23

Researchers found that OpenClaw email agents could be manipulated by phishing simulations, exposing gaps in sender verification and risky handling of sensitive data. In the tested setup, urgent impersonation requests caused the agent to disclose AWS IAM keys, database credentials, and a CRM export to an external Gmail account. The same framework was better at spotting suspicious URLs and malicious OAuth apps, but those checks did not stop the core identity-trust failure. The result shows that AI agents handling enterprise mail need stronger approval and access controls before they can safely act on behalf of users.

SAP June 2026 Security Patch package for NetWeaver and Commerce Cloud

Security Patch Release

Updated: 09.06.2026 22:36 · First: 09.06.2026 22:36 · 📰 1 src / 1 articles · H score: 24

SAP released fixes for 15 vulnerabilities in its June 2026 Security Patch package, including four critical flaws in SAP NetWeaver and SAP Commerce Cloud that can affect enterprise environments.

Microsoft BitLocker recovery prompt workaround

Advisory/Mitigation

Updated: 09.06.2026 21:35 · First: 09.06.2026 21:35 · 📰 1 src / 1 articles · H score: 21

Microsoft issued a temporary workaround for BitLocker recovery prompts on some Windows systems after recent updates. The issue affects devices configured with a BitLocker Group Policy that includes PCR7 in the TPM validation profile, plus certain Secure Boot and Windows Boot Manager setups tied to the Windows UEFI CA 2023 certificate. Administrators are told to remove the policy setting and suspend and resume BitLocker while Microsoft works on a permanent fix.