A fake Microsoft security alert
A ZIP attachment
A malicious shortcut inside
Researchers say North Korea-linked ScarCruft is using the lure to deploy NarwhalRAT, a Python RAT that can log keystrokes, capture screenshots, record audio, collect USB data, and use pCloud as a C2 channel.
Read: https://thehackernews.com/2026/06/fake-microsoft-alerts-used-to-deploy.html
A backdoor once thought to target #Linux has now moved to Windows.
ESET found two Windows versions of SprySOCKS, linked to a China-nexus espionage group.
One version uses kernel drivers to hide files, processes, registry keys, and network connections.
Read: https://thehackernews.com/2026/06/china-linked-sprysocks-backdoor-expands.html
Ungoverned agent identities act without human oversight, improperly use privileged access, and violate compliance policies, exposing organizations to real security and compliance risk.
AppViewX's new Agent Identity Security tackles it directly: discovering shadow agents, managing their lifecycle, enforcing privileged access, responding to agent-driven threats, and keeping compliance continuous.
Explore Agent Identity Security here: https://thn.news/ai-agent-security
#AIAgents #AIGovernance #AppViewX #AgentIdentitySecurity
> fake security check
> copied PowerShell command
> then the malware starts
Researchers say ClickFix attacks are now delivering BabaDeda, Lorem Ipsum, and Potemkin loaders to deploy stealers, RATs, and #ransomware-linked payloads.
You think they're fixing a problem... but you're running the attack.
Read the full story: https://thehackernews.com/2026/06/clickfix-campaigns-expand-malware.html
A clean-looking IP can still hide a real attack.
VPNs and residential proxies now appear in nearly every security incident, according to a Spur study of 200+ security practitioners.
The problem: many teams still lack the context to know who is behind the traffic, and what to do next.
Read the full story: https://thehackernews.com/2026/06/survey-94-of-incidents-involve.html
Your AI model upload could be hijacked before it even lands.
Researchers found a Google Vertex AI SDK flaw that let attackers pre-create a predictable bucket, intercept an ML model upload, and swap in a malicious model in under 2 seconds.
Read: https://thehackernews.com/2026/06/google-vertex-ai-sdk-flaw-let-attackers.html
EDR bypass doesn't always mean killing the agent.
A new technique called EDRChoker throttles EDR processes using Windows QoS policies, cutting bandwidth to 8 bits per second.
The agent may still run, but its server connection can time out, weakening telemetry and remote control.
Read more: https://thehackernews.com/2026/06/threatsday-bulletin-worm-code-leaked-ai.html#edr-telemetry-throttled
A patched AD bug may not end the risk.
Richard Lambert of One Identity explains how CVE-2026-25177 exposes a deeper problem: overbroad AD rights, service account sprawl, and weak governance.
Patch fast. Then fix the permissions underneath.
Read the article: https://thehackernews.com/expert-insights/2026/06/why-active-directory-vulnerabilities.html
A Joomla flaw is now on CISA's exploited bug list.
CVE-2026-48907 has a max CVSS score of 10.0 and can let attackers upload and run PHP code through JCE editor profiles.
Affected versions: 1.0.0 through 2.9.99.4
Fixed in: 2.9.99.5
Details here: https://thehackernews.com/2026/06/cisa-warns-of-actively-exploited-joomla.html
Can you trust your own AI?
Jailbreaks, prompt injection, model extraction, and poisoned data are forcing companies to rethink how they test AI systems.
The article explains why AI red teaming is becoming part of production security.
Read it here: https://awards.thehackernews.com/blog/ai-red-teaming-production-risk/
A trusted npm scope.
A hidden dependency.
A payload that runs on install.
144 Mastra npm packages were compromised after attackers abused a hijacked contributor account and added the malicious easy-day-js dependency.
Any developer machine, CI runner, or build system that installed affected versions may be exposed.
Read: https://thehackernews.com/2026/06/144-mastra-npm-packages-compromised-via.html
Most breaches do not need a zero-day.
Intruder analyzed 3,000 attack surfaces and found:
- 60% exposed HTTP panels
- 49% exposed risky ports or services
- 42% exposed databases
- 30% exposed files or information that should not be public
The real question: why were they online at all?
Read: https://thehackernews.com/2026/06/the-top-10-attack-surface-exposures-in.html
AI tools are becoming a new place to steal secrets.
Researchers found 15 malicious JetBrains plugins stealing AI provider API keys from developers.
Separately, two Chrome ad blocker extensions were found capturing AI chatbot conversations across major platforms.
Read: https://thehackernews.com/2026/06/malicious-jetbrains-plugins-steal-ai.html
Researchers say Rokarolla, a new Android banking trojan, targets 217 banking and crypto apps and can steal PINs, SMS codes, and crypto wallet funds.
Read the full article: https://thehackernews.com/2026/06/new-rokarolla-android-malware-steals.html
For most security teams, the hard part is not finding vulnerabilities but knowing which ones an AI-assisted adversary will actually exploit.
PlexTrac consolidates findings from every tool and pentest into one platform, scores them against real business risk, and surfaces the exposures that matter most, so your team remediates what counts instead of chasing noise.
Not every vulnerability is a crisis. PlexTrac helps you find and remediate the ones that are.
Learn more: https://thn.news/plextrac-platform
#Cybersecurity #CTEM #ThreatExposureManagement #AISecurity #PenetrationTesting
A cybercriminal lost C2 access. But the backdoor stayed open.
Researchers say it tracked 339 attacker commands over 33 days and found the operator used Tailscale VPN and OpenSSH to keep access after Havoc C2 went offline.
Read the full story: https://thehackernews.com/2026/06/junior-hacker-used-tailscale-and.html
UPDATE: FortiBleed looks bigger than first reported.
Update: Hudson Rock says FortiBleed targeted 73,932 Fortinet firewall URLs across 194 countries, affecting 21,632 domains.
The bigger risk: exposed FortiGate SSL VPNs may be used as listening posts to capture more credentials and keep the access loop going.
Read the full update: https://thehackernews.com/2026/06/attackers-exploit-three-fortinet.html
Security teams can see more risk than ever.
That's no longer the hard part.
The real challenge is knowing which findings are reachable, exploitable, and worth fixing first.
AEV helps turn exposure data into clear remediation priorities.
Read: https://thehackernews.com/2026/06/adversarial-exposure-validation-turns.html
Microsoft Defender zero-day RoguePlanet is now officially CVE-2026-50656.
Microsoft is preparing a patch for the Malware Protection Engine flaw, which can enable privilege escalation.
A public PoC describes a race condition that may grant SYSTEM-level privileges.
Read: https://thehackernews.com/2026/06/microsoft-confirms-rogueplanet-defender_02022423645.html
What if a "safe" download was only trusted because attackers made it look popular?
Check Point says fake reviews, GitHub accounts, YouTube videos, VirusTotal comments, and paid news posts promoted a Rust crypto clipper.
It swaps copied wallet addresses with attacker-controlled ones.
Read: https://thehackernews.com/2026/06/crypto-clipper-campaign-abuses-fake.html