🚨 Attackers are exploiting a critical PTC flaw to drop JSP web shells.

CISA added CVE-2026-12569 to its KEV catalog after active exploitation was confirmed.

— Affected: PTC Windchill PDMlink and FlexPLM.
— Patch now. Hunt for IoCs.

Read more: https://thehackernews.com/2026/06/cisa-adds-exploited-ptc-windchill-rce.html

🛑 A new #Linux kernel flaw lets a local user rewrite /usr/bin/su in memory and gain #root.

The file on disk never changes. No audit trail.

DirtyClone (CVE-2026-43503) is the fourth bug with this failure mode in two months.

Details and what to do ↓ https://thehackernews.com/2026/06/new-dirtyclone-linux-kernel-flaw-lets.html

🛑 Opening a repo shouldn't hand over your AWS keys.

Amazon patched CVE-2026-12957, an #Amazon Q Developer flaw that let a malicious repo run code the moment you open and trust the workspace, with the developer's cloud credentials already attached.

No separate MCP approval. No second sign-in.

Learn how the attack worked 🠖 https://thehackernews.com/2026/06/amazon-q-developer-flaw-could-let.html

🛑 A new #Linux kernel exploit (CVE-2026-46331) gets root without modifying a single file on disk.

It poisons the cached copy of /bin/su in memory. The binary on disk stays untouched. File-integrity checks come back clean.

The root shell is already open.

Details here ↓ https://thehackernews.com/2026/06/new-linux-pedit-cow-exploit-enables.html

🚨 A new custom backdoor is hitting government and energy targets in Southeast Asia.

Unit 42 links it to CL-STA-1062, a Chinese-speaking APT cluster.

TinyRCT can run commands, steal files, capture screenshots, and support remote control.

Read: https://thehackernews.com/2026/06/chinese-speaking-apt-deploys-new.html

CISA just added a Cisco Unified CM flaw to its exploited bugs list.

Defused Cyber says CVE-2026-20230 is being exploited from a single source using an unvetted PoC.

The bug can allow unauthenticated SSRF and file writes when WebDialer is enabled.

The technical trail is here: https://thehackernews.com/2026/06/cisco-unified-cm-flaw-exploited-after.html

SOC teams don’t need another console.

They need alerts that connect across endpoint, cloud, identity, and network data.

One attack should not look like five separate incidents.

The analysis starts here: https://awards.thehackernews.com/blog/soc-doesnt-need-another-console/

⚠️ SharkLoader is delivering Cobalt Strike Beacon.

Experts say the StrikeShark campaign targeted government, diplomatic, and software development organizations across multiple countries.

Public CVE exploits, malicious installers, and DLL hijacking sit in the attack chain.

Read: https://thehackernews.com/2026/06/new-sharkloader-malware-deploys-cobalt.html

🚨 Russian intelligence-linked phishers have a new Signal trick.

FBI and CISA say they are asking targets to share their Signal Backup Recovery Key.

If they get it, they can restore old backups, read message history, and take over the account.

Here’s how the phishing works: https://thehackernews.com/2026/06/fbi-warns-russian-intelligence-hackers.html

🛑 Gaslight doesn’t just steal from #macOS.

It tries to talk the analyst’s AI tools out of analyzing it.

SentinelOne found a Rust-based implant with #Telegram C2 and 38 fake “system” messages built to make LLM-assisted triage abort or refuse.

Read: https://thehackernews.com/2026/06/new-gaslight-macos-malware-uses-prompt.html

⚡ OpenAI is keeping GPT-5.6 behind a narrow gate.

Sol, Terra, and Luna are in limited preview for government-approved partners.

Sol adds stronger cyber safeguards for #vulnerability research, defensive testing, and dual-use requests.

Read: https://thehackernews.com/2026/06/openai-limits-gpt-56-rollout-as-sol.html

🛑 A fake support SMS was the entry point.

Ukraine’s SSU and the FBI say Russian intelligence services targeted messaging accounts used by officials, military personnel, politicians, and activists.

The goal: steal credentials and sensitive information.

How the campaign worked: https://thehackernews.com/2026/06/ukraine-says-russian-intelligence-used.html