🚨 ALERT - A critical Splunk Enterprise flaw can go from “no login required” to remote code execution.

Tracked as CVE-2026-20253, the bug carries a 9.8 CVSS score and affects vulnerable Splunk Enterprise servers through exposed PostgreSQL sidecar endpoints.

The exploit chain is now public.

Read the full story: https://thehackernews.com/2026/06/critical-splunk-enterprise-flaw-lets.html

A fake bank update.
A GitHub-hosted Android APK.
A trap that asks users to tap their payment card on the phone.

Fraudsters are spreading NFCShare through fake banking sites that steal login details, then push victims to install a malicious APK.

The app asks for “card verification,” reads NFC card data, and captures the PIN.

Read: https://thehackernews.com/2026/06/threatsday-bulletin-worm-code-leaked-ai.html#fake-banking-updates

ICYMI... Researchers built a self-replicating AI worm in a lab.

It scanned the web for fresh CVE details, picked targets, exploited vulnerable servers, and spread on its own across a network.

No hardcoded exploit chain. No human steering each step.

Read more: https://thehackernews.com/2026/06/researchers-build-self-replicating-ai.html

🚨 Hackers found a way into Palo Alto’s GlobalProtect VPN without a password.

The flaw, tracked as CVE-2026-0257, lets attackers bypass PAN-OS authentication and establish unauthorized VPN sessions.

Palo Alto says it’s already being used in real attacks.

If you run GlobalProtect, check this now.

Details ➝ https://thehackernews.com/2026/06/palo-alto-warns-of-active-exploitation.html

One tap on a fake #Facebook offer can pull users into a fraud funnel.

Researchers say Sniper Dz scams used browser alerts, back-button traps, and hidden redirects to keep MENA users moving through scam pages.

No malware. No download.

See how the scam works ➝ https://thehackernews.com/2026/06/sniper-dz-scams-target-mena-users-via.html

🛑 Popular #WordPress plugin scripts were tampered with to plant hidden backdoors.

The attack hit #JavaScript used by PushEngage, OptinMonster, and TrustPulse.

If a logged-in admin loaded the script, attackers could create a rogue admin account and install a hidden web shell.

Over 1.2M sites run the three plugins.

Read the full article: https://thehackernews.com/2026/06/popular-wordpress-plugin-scripts.html

Runtime scanners may catch the attack.

But often, the bad package has already entered your CI/CD pipeline.

Jonny Rivera of ActiveState explains why supply chain security needs to move upstream — to the moment a dependency is downloaded, before unvetted code gets in.

Read the full article: https://thehackernews.com/expert-insights/2026/06/why-runtime-scanning-is-too-late-for.html

⚠️ Your browser’s new tab page can be turned into an ad-fraud machine.

Researchers found 152 Chrome wallpaper extensions, spread across 38 publisher accounts and 105,000 installs, linked to adware and fake Google traffic.

Details here ➝ https://thehackernews.com/2026/06/152-chrome-wallpaper-extensions-with.html

🚨 The biggest Shadow AI risk may not be a new tool.

It may be an AI feature quietly added to software your company already approved.

Security teams now need to know where AI is active, what data it can access, and what employees are putting into it.

The piece uses 🏆 award-winning solutions as examples of how security vendors are approaching the problem.

Read the full article: https://awards.thehackernews.com/blog/shadow-ai-the-hidden-risk/

This week’s cyber recap is stacked:

🌐 Chrome 0-day exploited
🏛️ Oracle PeopleSoft hit
🐧 Arch AUR packages poisoned
🔐 Check Point VPN attacks
📡 UniFi flaws exploited
🎣 Major phishing kit takedown
🤖 AI brands used as bait
🍎 #macOS fake installers
📦 npm/PyPI malware
📱 #Android adware
☁️ Cloud logging abuse risks
🕵️ RAT using Google Sheets
💾 Ransomware data exfil tricks

Plus urgent CVEs, tools, and expert webinars.

Read here: https://thehackernews.com/2026/06/weekly-recap-chrome-0-day-unifi.html

> A clean-looking GitHub repo.
> A poisoned npm package.
> A new cross-platform RAT.

Researchers found SStar Agent targeting Windows and #macOS through a fake Web3 developer take-home test.

Windows builds add keylogging, clipboard monitoring, and remote control. macOS builds focus on recon and data theft.

Read: https://thehackernews.com/2026/06/threatsday-bulletin-worm-code-leaked-ai.html#cross-platform-rat-emerges

AI workloads are scaling rapidly across cloud environments, giving security teams better visibility into what that means for cloud operations, development workflows, and security strategy.

On June 16 at 12:00 PM ET, Wiz Research will break down key findings from the State of AI in the Cloud 2026 report.

You’ll learn:
🔸 Where AI adoption is growing fastest
🔸 How AI changes cloud identity, data, and infrastructure risk
🔸 How attackers use AI to find and exploit misconfigurations faster

Save your spot ➝ https://thn.news/cloud-security-reshaping

🛑 One trusted Microsoft link could have been enough.

> No fake login page
> No password theft
> No second click

Researchers showed how 3 chained bugs in #Microsoft 365 Copilot Enterprise Search could let an attacker pull emails, calendar data, indexed files, and one-time codes.

See how the attack worked: https://thehackernews.com/2026/06/one-click-microsoft-365-copilot-flaw.html

🚨 One weak LiteLLM account could take over an AI gateway.

A CVSS 9.9 flaw chain lets attackers become admin, run code, steal AI keys, read prompts, and tamper with AI agent responses.

Read the full story: https://thehackernews.com/2026/06/litellm-vulnerability-chain-lets-low.html

A first-day password can become a long-term security hole.

Many onboarding passwords are sent by email or SMS, reused, or never changed.

That gives attackers an easy way into corporate systems before anyone notices.

Read the full article: https://thehackernews.com/2026/06/the-onboarding-password-mistake-that.html

⚡ Developers are being targeted where they work:

</> GitHub repos
</> VS Code projects
</> npm packages
</> Packagist
</> Crypto/Web3 lures

Researchers say North Korea-linked activity sent 250+ phishing emails to targets at nearly 100 organizations, aiming to steal credentials, wallet data, keys, and access.

Read ➝ https://thehackernews.com/2026/06/north-korean-hackers-are-turning.html

🚨 A trusted cloud feature became a spying tool.

Google says China-linked hackers breached North American research networks via REDCap, then abused Google Workspace rules to secretly BCC emails matching nearly 150 keywords.

Read: https://thehackernews.com/2026/06/chinese-hackers-abused-google-workspace.html

🚨 A shared hosting flaw just landed on CISA’s exploited list.

CVE-2026-54420 affects the LiteSpeed cPanel Plugin and can let a user with FTP or web shell access gain root on CloudLinux/CageFS servers.

Federal agencies must patch by June 18, 2026.

Read: https://thehackernews.com/2026/06/cisa-flags-litespeed-cpanel-plugin-flaw.html

⚠️ Cisco has released patches for a Catalyst SD-WAN Manager flaw now exploited in the wild.

CVE-2026-20262 lets an authenticated attacker with write access create or overwrite files on affected systems.

Cisco says exploitation is limited, but CISA added it to KEV and set a June 29 patch deadline.

Read: https://thehackernews.com/2026/06/cisco-releases-security-updates-for.html

A fake Microsoft security alert
A ZIP attachment
A malicious shortcut inside

Researchers say North Korea-linked ScarCruft is using the lure to deploy NarwhalRAT, a Python RAT that can log keystrokes, capture screenshots, record audio, collect USB data, and use pCloud as a C2 channel.

Read ➝ https://thehackernews.com/2026/06/fake-microsoft-alerts-used-to-deploy.html

🚨 A backdoor once thought to target #Linux has now moved to Windows.

ESET found two Windows versions of SprySOCKS, linked to a China-nexus espionage group.

One version uses kernel drivers to hide files, processes, registry keys, and network connections.

Read ➝ https://thehackernews.com/2026/06/china-linked-sprysocks-backdoor-expands.html