Google has linked Turla to a new .NET backdoor.
STOCKSTAY was used in espionage campaigns targeting #Ukraine government and military organizations.
It overlaps with Kazuar and reached targets through phishing, RDP files, MSI installers, and #WinRAR CVE-2025-8088 lures.
See the full attack details: https://thehackernews.com/2026/06/google-details-turlas-new-stockstay.html

UPDATE: JetBrains removed 15 malicious Marketplace plugins, blocked 7 publisher accounts, and disabled the plugins in installed IDEs.
But experts say the attacker's C2 server remained live on June 19.
Entered API keys? Revoke them now.
Read the updated story: https://thehackernews.com/2026/06/malicious-jetbrains-plugins-steal-ai.html

A sales cutoff did not kill the tool.
Citizen Lab says Russian authorities used the Cellebrite UFED tool on an activist's seized #iPhone after the Israeli digital forensics company said it would stop selling to Russia.
Old UFED hardware still worked offline.
See how it happened: https://thehackernews.com/2026/06/russia-used-cellebrite-on-jailed.html

Hotel phishing is getting harder to spot.
Microsoft says attackers used Calendly and Google URL redirects to push photo ZIPs at hotels in Europe and Asia.
Inside: a fake image shortcut that drops the TonRAT Node.js implant.
See how it works: https://thehackernews.com/2026/06/microsoft-warns-of-photo-zip-phishing.html

Attackers do not always break in. Sometimes they use trusted access.
Len Noe of BeyondTrust argues that identity now runs the enterprise: users, machines, APIs, cloud roles, tokens, and AI agents.
Privilege is the blast radius.
Read the 2026 identity security case: https://thehackernews.com/expert-insights/2026/06/identity-security-in-2026-brutal-truth.html

Shai-Hulud-linked #malware has moved beyond npm.
Researchers found 23 malicious npm packages and a related Go module tied to Verana Blockchain.
The campaign also abuses #GitHub Actions to steal CI/CD secrets and spread through trusted developer workflows.
Read details: https://thehackernews.com/2026/06/miasma-malware-targets-npm-packages-and.html

Your IAM stack may not see what AI agents do after login.
They inherit human permissions, cross apps, and act at machine speed outside normal governance workflows.
Guardian agents bring runtime visibility and control.
Read the full guide: https://thehackernews.com/2026/06/guardian-agents-next-layer-of-identity.html

Attackers are exploiting a critical PTC flaw to drop JSP web shells.
CISA added CVE-2026-12569 to its KEV catalog after active exploitation was confirmed.
Affected: PTC Windchill PDMLink and FlexPLM.
Patch now. Hunt for IoCs.
Read more: https://thehackernews.com/2026/06/cisa-adds-exploited-ptc-windchill-rce.html

A new #Linux kernel flaw lets a local user rewrite /usr/bin/su in memory and gain #root.
The file on disk never changes. No audit trail.
DirtyClone (CVE-2026-43503) is the fourth bug with this failure mode in two months.
Details and what to do: https://thehackernews.com/2026/06/new-dirtyclone-linux-kernel-flaw-lets.html

Opening a repo shouldn't hand over your AWS keys.
Amazon patched CVE-2026-12957, an #Amazon Q Developer flaw that let a malicious repo run code the moment you open and trust the workspace, with the developer's cloud credentials already attached.
No separate MCP approval. No second sign-in.
Learn how the attack worked: https://thehackernews.com/2026/06/amazon-q-developer-flaw-could-let.html

A new #Linux kernel exploit (CVE-2026-46331) gets root without modifying a single file on disk.
It poisons the cached copy of /bin/su in memory. The binary on disk stays untouched. File-integrity checks come back clean.
The root shell is already open.
Details here: https://thehackernews.com/2026/06/new-linux-pedit-cow-exploit-enables.html

A new custom backdoor is hitting government and energy targets in Southeast Asia.
Unit 42 links it to CL-STA-1062, a Chinese-speaking APT cluster.
TinyRCT can run commands, steal files, capture screenshots, and support remote control.
Read: https://thehackernews.com/2026/06/chinese-speaking-apt-deploys-new.html

CISA just added a Cisco Unified CM flaw to its exploited bugs list.
Defused Cyber says CVE-2026-20230 is being exploited from a single source using an unvetted PoC.
The bug can allow unauthenticated SSRF and file writes when WebDialer is enabled.
The technical trail is here: https://thehackernews.com/2026/06/cisco-unified-cm-flaw-exploited-after.html

SOC teams don't need another console.
They need alerts that connect across endpoint, cloud, identity, and network data.
One attack should not look like five separate incidents.
The analysis starts here: https://awards.thehackernews.com/blog/soc-doesnt-need-another-console/

SharkLoader is delivering Cobalt Strike Beacon.
Experts say the StrikeShark campaign targeted government, diplomatic, and software development organizations across multiple countries.
Public CVE exploits, malicious installers, and DLL hijacking sit in the attack chain.
Read: https://thehackernews.com/2026/06/new-sharkloader-malware-deploys-cobalt.html

Russian intelligence-linked phishers have a new Signal trick.
FBI and CISA say they are asking targets to share their Signal Backup Recovery Key.
If they get it, they can restore old backups, read message history, and take over the account.
Here's how the phishing works: https://thehackernews.com/2026/06/fbi-warns-russian-intelligence-hackers.html

Gaslight doesn't just steal from #macOS.
It tries to talk the analyst's AI tools out of analyzing it.
SentinelOne found a Rust-based implant with #Telegram C2 and 38 fake "system" messages built to make LLM-assisted triage abort or refuse.
Read: https://thehackernews.com/2026/06/new-gaslight-macos-malware-uses-prompt.html

OpenAI is keeping GPT-5.6 behind a narrow gate.
Sol, Terra, and Luna are in limited preview for government-approved partners.
Sol adds stronger cyber safeguards for #vulnerability research, defensive testing, and dual-use requests.
Read: https://thehackernews.com/2026/06/openai-limits-gpt-56-rollout-as-sol.html

A fake support SMS was the entry point.
Ukraine's SSU and the FBI say Russian intelligence services targeted messaging accounts used by officials, military personnel, politicians, and activists.
The goal: steal credentials and sensitive information.
How the campaign worked: https://thehackernews.com/2026/06/ukraine-says-russian-intelligence-used.html