🛑 Popular #WordPress plugin scripts were tampered with to plant hidden backdoors.

The attack hit #JavaScript used by PushEngage, OptinMonster, and TrustPulse.

If a logged-in admin loaded the script, attackers could create a rogue admin account and install a hidden web shell.

Over 1.2M sites run the three plugins.

Read the full article: https://thehackernews.com/2026/06/popular-wordpress-plugin-scripts.html

Runtime scanners may catch the attack.

But often, the bad package has already entered your CI/CD pipeline.

Jonny Rivera of ActiveState explains why supply chain security needs to move upstream — to the moment a dependency is downloaded, before unvetted code gets in.

Read the full article: https://thehackernews.com/expert-insights/2026/06/why-runtime-scanning-is-too-late-for.html

⚠️ Your browser’s new tab page can be turned into an ad-fraud machine.

Researchers found 152 Chrome wallpaper extensions, spread across 38 publisher accounts and 105,000 installs, linked to adware and fake Google traffic.

Details here ➝ https://thehackernews.com/2026/06/152-chrome-wallpaper-extensions-with.html

🚨 The biggest Shadow AI risk may not be a new tool.

It may be an AI feature quietly added to software your company already approved.

Security teams now need to know where AI is active, what data it can access, and what employees are putting into it.

The piece uses 🏆 award-winning solutions as examples of how security vendors are approaching the problem.

Read the full article: https://awards.thehackernews.com/blog/shadow-ai-the-hidden-risk/

This week’s cyber recap is stacked:

🌐 Chrome 0-day exploited
🏛️ Oracle PeopleSoft hit
🐧 Arch AUR packages poisoned
🔐 Check Point VPN attacks
📡 UniFi flaws exploited
🎣 Major phishing kit takedown
🤖 AI brands used as bait
🍎 #macOS fake installers
📦 npm/PyPI malware
📱 #Android adware
☁️ Cloud logging abuse risks
🕵️ RAT using Google Sheets
💾 Ransomware data exfil tricks

Plus urgent CVEs, tools, and expert webinars.

Read here: https://thehackernews.com/2026/06/weekly-recap-chrome-0-day-unifi.html

> A clean-looking GitHub repo.
> A poisoned npm package.
> A new cross-platform RAT.

Researchers found SStar Agent targeting Windows and #macOS through a fake Web3 developer take-home test.

Windows builds add keylogging, clipboard monitoring, and remote control. macOS builds focus on recon and data theft.

Read: https://thehackernews.com/2026/06/threatsday-bulletin-worm-code-leaked-ai.html#cross-platform-rat-emerges

AI workloads are scaling rapidly across cloud environments, giving security teams better visibility into what that means for cloud operations, development workflows, and security strategy.

On June 16 at 12:00 PM ET, Wiz Research will break down key findings from the State of AI in the Cloud 2026 report.

You’ll learn:
🔸 Where AI adoption is growing fastest
🔸 How AI changes cloud identity, data, and infrastructure risk
🔸 How attackers use AI to find and exploit misconfigurations faster

Save your spot ➝ https://thn.news/cloud-security-reshaping

🛑 One trusted Microsoft link could have been enough.

> No fake login page
> No password theft
> No second click

Researchers showed how 3 chained bugs in #Microsoft 365 Copilot Enterprise Search could let an attacker pull emails, calendar data, indexed files, and one-time codes.

See how the attack worked: https://thehackernews.com/2026/06/one-click-microsoft-365-copilot-flaw.html

🚨 One weak LiteLLM account could take over an AI gateway.

A CVSS 9.9 flaw chain lets attackers become admin, run code, steal AI keys, read prompts, and tamper with AI agent responses.

Read the full story: https://thehackernews.com/2026/06/litellm-vulnerability-chain-lets-low.html

A first-day password can become a long-term security hole.

Many onboarding passwords are sent by email or SMS, reused, or never changed.

That gives attackers an easy way into corporate systems before anyone notices.

Read the full article: https://thehackernews.com/2026/06/the-onboarding-password-mistake-that.html

⚡ Developers are being targeted where they work:

</> GitHub repos
</> VS Code projects
</> npm packages
</> Packagist
</> Crypto/Web3 lures

Researchers say North Korea-linked activity sent 250+ phishing emails to targets at nearly 100 organizations, aiming to steal credentials, wallet data, keys, and access.

Read ➝ https://thehackernews.com/2026/06/north-korean-hackers-are-turning.html

🚨 A trusted cloud feature became a spying tool.

Google says China-linked hackers breached North American research networks via REDCap, then abused Google Workspace rules to secretly BCC emails matching nearly 150 keywords.

Read: https://thehackernews.com/2026/06/chinese-hackers-abused-google-workspace.html

🚨 A shared hosting flaw just landed on CISA’s exploited list.

CVE-2026-54420 affects the LiteSpeed cPanel Plugin and can let a user with FTP or web shell access gain root on CloudLinux/CageFS servers.

Federal agencies must patch by June 18, 2026.

Read: https://thehackernews.com/2026/06/cisa-flags-litespeed-cpanel-plugin-flaw.html

⚠️ Cisco has released patches for a Catalyst SD-WAN Manager flaw now exploited in the wild.

CVE-2026-20262 lets an authenticated attacker with write access create or overwrite files on affected systems.

Cisco says exploitation is limited, but CISA added it to KEV and set a June 29 patch deadline.

Read: https://thehackernews.com/2026/06/cisco-releases-security-updates-for.html

A fake Microsoft security alert
A ZIP attachment
A malicious shortcut inside

Researchers say North Korea-linked ScarCruft is using the lure to deploy NarwhalRAT, a Python RAT that can log keystrokes, capture screenshots, record audio, collect USB data, and use pCloud as a C2 channel.

Read ➝ https://thehackernews.com/2026/06/fake-microsoft-alerts-used-to-deploy.html

🚨 A backdoor once thought to target #Linux has now moved to Windows.

ESET found two Windows versions of SprySOCKS, linked to a China-nexus espionage group.

One version uses kernel drivers to hide files, processes, registry keys, and network connections.

Read ➝ https://thehackernews.com/2026/06/china-linked-sprysocks-backdoor-expands.html

Ungoverned agent identities act without human oversight, improperly use privileged access, and violate compliance policies, exposing organizations to real security and compliance risk.

AppViewX's new Agent Identity Security tackles it directly: discovering shadow agents, managing their lifecycle, enforcing privileged access, responding to agent-driven threats, and keeping compliance continuous.

Explore Agent Identity Security here: https://thn.news/ai-agent-security

#AIAgents #AIGovernance #AppViewX #AgentIdentitySecurity

> fake security check
> copied PowerShell command
> then the malware starts

Researchers say ClickFix attacks are now delivering BabaDeda, Lorem Ipsum, and Potemkin loaders to deploy stealers, RATs, and #ransomware-linked payloads.

You think they’re fixing a problem... but you're running the attack.

Read the full story ➝ https://thehackernews.com/2026/06/clickfix-campaigns-expand-malware.html

A clean-looking IP can still hide a real attack.

VPNs and residential proxies now appear in nearly every security incident, according to a Spur study of 200+ security practitioners.

The problem: many teams still lack the context to know who is behind the traffic — and what to do next.

Read the full story ➝ https://thehackernews.com/2026/06/survey-94-of-incidents-involve.html

🛑 Your AI model upload could be hijacked before it even lands.

Researchers found a Google Vertex AI SDK flaw that let attackers pre-create a predictable bucket, intercept an ML model upload, and swap in a malicious model in under 2 seconds.

Read ➝ https://thehackernews.com/2026/06/google-vertex-ai-sdk-flaw-let-attackers.html