Cybercrime crews just lost part of their malware supply chain.
Operation Endgame disrupted infrastructure behind Amadey and StealC, malware used to steal data and deliver additional payloads.
Authorities say the operation led to:
- 326 servers dismantled
- 142 domains taken down
- 27M stolen credentials recovered
- $47M+ in criminal crypto assets restricted
Read: https://thehackernews.com/2026/06/amadey-and-stealc-malware-network.html
Attackers exploited a #Cisco SD-WAN flaw before it was public.
Mandiant says CVE-2026-20245 was used as a zero-day to turn admin access into root control.
They also restored configs, deleted traces, and hid a rogue "troot" account.
Read: https://thehackernews.com/2026/06/cisco-catalyst-sd-wan-zero-day-cve-2026.html
A critical Lantronix flaw is now under active exploitation.
CISA says CVE-2025-67038 affects EDS5000 Series devices and can let attackers run commands with root privileges.
Federal civilian agencies have until June 26, 2026, to patch.
Learn more: https://thehackernews.com/2026/06/cisa-warns-critical-lantronix-eds5000.html
A new backdoor is being used to keep access quiet.
Researchers say Mistic has targeted organizations in insurance, education, IT, and professional services since April 2026.
It runs payloads in memory, abuses Microsoft endpoint security tooling, and can delete itself.
Read: https://thehackernews.com/2026/06/new-mistic-backdoor-linked-to-kongtuke.html
Attackers don't need to break in when trusted access already opens the door.
In a new BeyondTrust piece, Len Noe argues identity is now enterprise infrastructure, and privilege is the real risk.
Credentials, tokens, service accounts, cloud roles, and machine identities are now core attack paths.
Learn more: https://thehackernews.com/expert-insights/2026/06/identity-security-in-2026-brutal-truth.html
Malware is now trying to confuse the AI tools used to analyze it.
Experts found Gaslight, a Rust-based #macOS implant linked to North Korea-aligned actors.
It embeds fake system messages to push AI-assisted triage toward aborting or refusing analysis.
See how it works: https://thehackernews.com/2026/06/new-gaslight-macos-malware-uses-prompt.html
Alerts don't prove what happened. They only start the investigation.
Richard Bejtlich's new NDR guide argues security teams need network evidence, hypothesis-led hunting, and governed AI to validate threats before attackers finish the job.
Read how NDR helps teams investigate with evidence: https://thehackernews.com/2026/06/surviving-mythos-era-richard-bejtlich.html
> Your TV is not just a TV.
> Your browser is not just a browser.
> Your old creds are not dead.
This #ThreatsDay is packed with smart TV proxyware, a curl bug from 2001, Hoppscotch takeover, macOS ClickFix, fake Teams IT, M365 phishing, AI crime forums, and more.
Read the full bulletin: https://thehackernews.com/2026/06/threatsday-bulletin-smart-tv-proxyware.html
Your developers work across 20+ languages. Does your governance?
Developers routinely work across more than 20 programming languages, each mapping to at least one package ecosystem, per the IDC Analyst Brief sponsored by ActiveState. That is a software supply chain footprint too complex to govern reactively. See where the gaps form.
Download the Brief: https://thn.news/securing-open-source-idc
ALERT - A Chrome ad blocker with 10 MILLION+ installs has a dormant risk.
Experts say the extension can be remotely configured to run arbitrary JavaScript across websites, without an extension update or store review.
Read the full analysis: https://thehackernews.com/2026/06/chrome-ad-blocker-with-10m-installs.html
UPDATE - Forescout says CVE-2025-67038 was exploited as a zero-day.
The Lantronix flaw was used against honeypots as early as April 5, weeks before BRIDGE:BREAK was publicly disclosed.
Attackers may have reverse-engineered the Feb. 20 patch to build the exploit.
Read: https://thehackernews.com/2026/06/cisa-warns-critical-lantronix-eds5000.html
Google has linked Turla to a new .NET backdoor.
STOCKSTAY was used in espionage campaigns targeting #Ukraine government and military organizations.
It overlaps with Kazuar and reached targets through phishing, RDP files, MSI installers, and #WinRAR CVE-2025-8088 lures.
See the full attack details: https://thehackernews.com/2026/06/google-details-turlas-new-stockstay.html
UPDATE: JetBrains removed 15 malicious Marketplace plugins, blocked 7 publisher accounts, and disabled the plugins in installed IDEs.
But experts say the attacker's C2 server remained live on June 19.
Entered API keys? Revoke them now.
Read the updated story: https://thehackernews.com/2026/06/malicious-jetbrains-plugins-steal-ai.html
A sales cutoff did not kill the tool.
Citizen Lab says Russian authorities used Cellebrite's UFED tool on a seized activist's #iPhone after the Israeli digital forensics company said it would stop selling to Russia.
Old UFED hardware still worked offline.
See how it happened: https://thehackernews.com/2026/06/russia-used-cellebrite-on-jailed.html
Hotel phishing is getting harder to spot.
Microsoft says attackers used Calendly and Google URL redirects to push photo ZIPs at hotels in Europe and Asia.
Inside? A fake image shortcut that drops the TonRAT Node.js implant.
See how it works: https://thehackernews.com/2026/06/microsoft-warns-of-photo-zip-phishing.html
Attackers do not always break in. Sometimes they use trusted access.
Len Noe of BeyondTrust argues that identity now runs the enterprise: users, machines, APIs, cloud roles, tokens, and AI agents.
Privilege is the blast radius.
Read the 2026 identity security case: https://thehackernews.com/expert-insights/2026/06/identity-security-in-2026-brutal-truth.html
Shai-Hulud-linked #malware has moved beyond npm.
Researchers found 23 malicious npm packages and a related Go module tied to Verana Blockchain.
The campaign also abuses #GitHub Actions to steal CI/CD secrets and spread through trusted developer workflows.
Read details: https://thehackernews.com/2026/06/miasma-malware-targets-npm-packages-and.html
Your IAM stack may not see what AI agents do after login.
They inherit human permissions, cross apps, and act at machine speed outside normal governance workflows.
Guardian agents bring runtime visibility and control.
Read the full guide: https://thehackernews.com/2026/06/guardian-agents-next-layer-of-identity.html
Attackers are exploiting a critical PTC flaw to drop JSP web shells.
CISA added CVE-2026-12569 to its KEV catalog after active exploitation was confirmed.
- Affected: PTC Windchill PDMLink and FlexPLM.
- Patch now. Hunt for IoCs.
Read more: https://thehackernews.com/2026/06/cisa-adds-exploited-ptc-windchill-rce.html
A new #Linux kernel flaw lets a local user rewrite /usr/bin/su in memory and gain #root.
The file on disk never changes. No audit trail.
DirtyClone (CVE-2026-43503) is the fourth bug with this failure mode in two months.
Details and what to do: https://thehackernews.com/2026/06/new-dirtyclone-linux-kernel-flaw-lets.html
Opening a repo shouldn't hand over your AWS keys.
Amazon patched CVE-2026-12957, an #Amazon Q Developer flaw that let a malicious repo run code the moment you open and trust the workspace, with the developer's cloud credentials already attached.
No separate MCP approval. No second sign-in.
Learn how the attack worked: https://thehackernews.com/2026/06/amazon-q-developer-flaw-could-let.html