The Hacker News
⭐ Official THN Telegram Channel β€” A trusted, widely read, independent source for breaking news and tech coverage about cybersecurity and hacking.

📨 Contact: admin@thehackernews.com

🌐 Website: https://thehackernews.com
🔥 A fake AI Agent skill reportedly reached 26,000 agents after passing security scans.

The payload was loaded later from an external link that scanners did not check, and that link could be changed after review.

Read how the blind spot worked 🠖 https://thehackernews.com/2026/06/fake-ai-agent-skill-passed-security.html
🚨 FortiBleed went beyond FortiGate firewalls.

Researchers say a Russian-speaking IAB targeted 430,000+ FortiGate firewalls, deployed credential sniffers, and identified over 110 million credentials.

Read: https://thehackernews.com/2026/06/fortibleed-targeted-fortigate-firewalls.html

The campaign also hit other internet-facing systems.
🛑 Cisco Unified CM admins should check WebDialer now.

CVE-2026-20230 is being exploited, and vulnerable WebDialer-enabled systems can be abused by unauthenticated attackers to write files.

Cisco patched it in 14SU6 and 15SU5.

Read: https://thehackernews.com/2026/06/cisco-unified-cm-flaw-exploited-after.html
⚡ The crackdown on HuiOne is now widening.

The DoJ seized a cloud account tied to HuiOne subsidiaries, while Treasury sanctioned 9 people and 26 entities linked to Prince Group.

The focus: crypto scam proceeds, laundering, and the networks behind Southeast Asia scam operations.

Read 🠖 https://thehackernews.com/2026/06/doj-seizes-huione-cloud-account-tied-to.html
Last Chance to Register for GRC Now | Get 8 Free CPEs

Join over 15K of your peers already registered for the July 8-9 GRC Now virtual event! Register and attend to explore the latest trends in GRC, cyber risk, practical strategies for AI governance, guidance for regulatory changes, and more.

✨ Bonus: You’ll earn up to 8 free CPE credits for attending.

Register now: https://thn.news/grc-now-reshape-resilience
Cybersecurity is losing the time buffer it used to depend on.

Agentic AI could compress the gap between finding a weakness and weaponizing it. That puts hidden IT, IoT, and OT assets directly in the blast path.

Know what’s on your network before attacker automation does.

See why asset visibility matters now: https://thehackernews.com/2026/06/dawn-of-apex-agentic-adversary.html
🛑 Cybercrime crews just lost part of their malware supply chain.

Operation Endgame disrupted infrastructure behind Amadey and StealC, malware used to steal data and deliver additional payloads.

Authorities say the operation led to:

- 326 servers dismantled
- 142 domains taken down
- 27M stolen credentials recovered
- $47M+ in criminal crypto assets restricted

Read: https://thehackernews.com/2026/06/amadey-and-stealc-malware-network.html
⚠️ Attackers exploited a #Cisco SD-WAN flaw before it was public.

Mandiant says CVE-2026-20245 was used as a zero-day to turn admin access into root control.

They also restored configs, deleted traces, and hid a rogue “troot” account.

Read 🠖 https://thehackernews.com/2026/06/cisco-catalyst-sd-wan-zero-day-cve-2026.html
A critical Lantronix flaw is now under active exploitation.

CISA says CVE-2025-67038 affects EDS5000 Series devices and can let attackers run commands with root privileges.

Federal civilian agencies have until June 26, 2026, to patch.

Learn more: https://thehackernews.com/2026/06/cisa-warns-critical-lantronix-eds5000.html
🛑 A new backdoor is being used to keep access quiet.

Researchers say Mistic has targeted organizations in insurance, education, IT, and professional services since April 2026.

It runs payloads in memory, abuses Microsoft endpoint security tooling, and can delete itself.

Read: https://thehackernews.com/2026/06/new-mistic-backdoor-linked-to-kongtuke.html
Attackers don’t need to break in when trusted access already opens the door.

In a new BeyondTrust piece, Len Noe argues identity is now enterprise infrastructure, and privilege is the real risk.

Credentials, tokens, service accounts, cloud roles, and machine identities are now core attack paths.

Learn more: https://thehackernews.com/expert-insights/2026/06/identity-security-in-2026-brutal-truth.html
🚨 Malware is now trying to confuse the AI tools used to analyze it.

Experts found Gaslight, a Rust-based #macOS implant linked to North Korea-aligned actors.

It embeds fake system messages to push AI-assisted triage toward aborting or refusing analysis.

See how it works: https://thehackernews.com/2026/06/new-gaslight-macos-malware-uses-prompt.html
⚡ Alerts don’t prove what happened. They only start the investigation.

Richard Bejtlich’s new NDR guide argues security teams need network evidence, hypothesis-led hunting, and governed AI to validate threats before attackers finish the job.

Read how NDR helps teams investigate with evidence: https://thehackernews.com/2026/06/surviving-mythos-era-richard-bejtlich.html
> Your TV is not just a TV.
> Your browser is not just a browser.
> Your old creds are not dead.

This #ThreatsDay is packed with smart TV proxyware, a curl bug from 2001, Hoppscotch takeover, macOS ClickFix, fake Teams IT, M365 phishing, AI crime forums, and more.

Read the full bulletin: https://thehackernews.com/2026/06/threatsday-bulletin-smart-tv-proxyware.html
Your developers work across 20+ languages. Does your governance?

Developers routinely work across more than 20 programming languages, each mapping to at least one package ecosystem, per the IDC Analyst Brief sponsored by ActiveState. That is a software supply chain footprint too complex to govern reactively. See where the gaps form.

Download the Brief: https://thn.news/securing-open-source-idc
🛑 ALERT - A Chrome ad blocker with 10 MILLION+ installs has a dormant risk.

Experts say the extension can be remotely configured to run arbitrary JavaScript across websites, without an extension update or store review.

Read the full analysis: https://thehackernews.com/2026/06/chrome-ad-blocker-with-10m-installs.html
⚠️ UPDATE - Forescout says CVE-2025-67038 was exploited as a zero-day.

The Lantronix flaw was used against honeypots as early as April 5, weeks before BRIDGE:BREAK was publicly disclosed.

Attackers may have reverse-engineered the Feb. 20 patch to build the exploit.

Read: https://thehackernews.com/2026/06/cisa-warns-critical-lantronix-eds5000.html
🚨 Google has linked Turla to a new .NET backdoor.

STOCKSTAY was used in espionage campaigns targeting #Ukraine government and military organizations.

It overlaps with Kazuar and reached targets through phishing, RDP files, MSI installers, and #WinRAR CVE-2025-8088 lures.

See the full attack details 🠖 https://thehackernews.com/2026/06/google-details-turlas-new-stockstay.html
⚠️ UPDATE: JetBrains removed 15 malicious Marketplace plugins, blocked 7 publisher accounts, and disabled the plugins in installed IDEs.

But experts say the attacker’s C2 server remained live on June 19.

Entered API keys? Revoke them now.

Read the updated story: https://thehackernews.com/2026/06/malicious-jetbrains-plugins-steal-ai.html
⚡ A sales cutoff did not kill the tool.

Citizen Lab says Russian authorities used a Cellebrite UFED tool on a seized activist’s #iPhone after the Israeli digital forensics company said it would stop selling to Russia.

Old UFED hardware still worked offline.

See how it happened πŸ – https://thehackernews.com/2026/06/russia-used-cellebrite-on-jailed.html
🚨 Hotel phishing is getting harder to spot.

Microsoft says attackers used Calendly and Google URL redirects to push photo ZIPs at hotels in Europe and Asia.

Inside? A fake image shortcut that drops the TonRAT Node.js implant.

See how it works 🠖 https://thehackernews.com/2026/06/microsoft-warns-of-photo-zip-phishing.html