⚠️ SharkLoader is delivering Cobalt Strike Beacon.

Experts say the StrikeShark campaign targeted government, diplomatic, and software development organizations across multiple countries.

Public CVE exploits, malicious installers, and DLL hijacking sit in the attack chain.

Read: https://thehackernews.com/2026/06/new-sharkloader-malware-deploys-cobalt.html

🚨 Russian intelligence-linked phishers have a new Signal trick.

FBI and CISA say they are asking targets to share their Signal Backup Recovery Key.

If they get it, they can restore old backups, read message history, and take over the account.

Here’s how the phishing works: https://thehackernews.com/2026/06/fbi-warns-russian-intelligence-hackers.html

🛑 Gaslight doesn’t just steal from #macOS.

It tries to talk the analyst’s AI tools out of analyzing it.

SentinelOne found a Rust-based implant with #Telegram C2 and 38 fake “system” messages built to make LLM-assisted triage abort or refuse.

Read: https://thehackernews.com/2026/06/new-gaslight-macos-malware-uses-prompt.html

⚡ OpenAI is keeping GPT-5.6 behind a narrow gate.

Sol, Terra, and Luna are in limited preview for government-approved partners.

Sol adds stronger cyber safeguards for #vulnerability research, defensive testing, and dual-use requests.

Read: https://thehackernews.com/2026/06/openai-limits-gpt-56-rollout-as-sol.html

🛑 A fake support SMS was the entry point.

Ukraine’s SSU and the FBI say Russian intelligence services targeted messaging accounts used by officials, military personnel, politicians, and activists.

The goal: steal credentials and sensitive information.

How the campaign worked: https://thehackernews.com/2026/06/ukraine-says-russian-intelligence-used.html

⚠️ A trusted VS Code workspace can trigger the attack.

Hijacked npm packages used hidden folder-open tasks instead of npm lifecycle scripts.

JavaScript was hidden as a font file, resolved through blockchain dead drops, and used to deploy a Python infostealer.

Learn more ➝ https://thehackernews.com/2026/06/hijacked-npm-and-go-packages-use-vs.html

🚨 CVE-2026-55200 now has public PoC code.

The libssh2 flaw lets a malicious SSH server trigger memory corruption in a connecting client.

> No credentials
> No user interaction
> Affected through libssh2 1.11.1

The real cleanup problem is finding bundled and static copies in curl, Git, PHP, and appliances.

Learn more ➝ https://thehackernews.com/2026/06/public-poc-released-for-critical.html

🛑 Microsoft removed 119 Edge extensions hiding malware in images and fonts.

Up to 2.6 MILLION installs. They posed as ad blockers, VPNs, translators, and video downloaders.

Some payloads stole credentials and ran ad fraud.

Read how StegoAd stayed hidden for years ➝ https://thehackernews.com/2026/06/microsoft-removes-119-edge-extensions.html

The SOC problem is no longer just detection.

It is the queue.

AI is now taking the first pass on alert triage, enrichment, and routine response so analysts can focus on calls that carry risk.

The 2026 Cybersecurity Stars Awards winners show where SOC automation is headed.

Read the story: https://awards.thehackernews.com/blog/ai-reads-the-alert-queue/

⚠️ Gamaredon ran 35 phishing campaigns against Ukraine in 2025.

ESET says it used new PowerShell tools, HTML smuggling, and CVE-2025-8088 to plant malware in Startup.

Simple malware. Harder infrastructure.

Read more ↓ https://thehackernews.com/2026/06/gamaredon-expands-ukraine-attacks-with.html

🛑 236,493 scam domains.

Experts say DCloud Uni-App templates are being used to run fake crypto exchanges, #WhatsApp phishing, gambling scams, and wallet drainers.

Read the full story ➝ https://thehackernews.com/2026/06/236000-dcloud-uni-app-sites-used-in.html

🛑 EvilTokens hides account takeover risk from your SOC.

Static URL analysis misses it as the phishing page appears only after browser-side decryption. Avoid visibility gaps and accelerate response by uncovering the full attack flow in 1 min.

Read ➝ https://thn.news/ghost-analysis-2023

Your encrypted credentials may not stay encrypted forever.

Attackers can harvest them now, store them, and decrypt them later when quantum hardware catches up.

That is why post-quantum migration should start with long-lived credentials and machine identities.

Read the full story: https://thehackernews.com/2026/06/why-post-quantum-cryptography-starts.html

⚠️ Mustang Panda hid C2 in cloud traffic.

Acronis says the China-aligned group abused Zoho WorkDrive as a command channel in campaigns against Indian government and hydropower targets.

ZOHOMURK read commands from an inbox folder and wrote stolen output to an outbox.

Read 🠖 https://thehackernews.com/2026/06/mustang-panda-uses-zoho-workdrive-as.html

⚡ DirtyClone leads the week, but the rest of the queue is ugly:

🐧 Linux root bug
🚨 PTC exploited
🍎 Gaslight malware
🎯 Turla backdoor
🧹 StealC takedown
🤖 Agent prompt injection
🕵️ New infostealers
📺 DVR proxy abuse
🧩 Urgent CVEs

Full recap: https://thehackernews.com/2026/06/weekly-recap-linux-kernel-flaws-ai.html

🔥 #WhatsApp is finally getting usernames.

The app has started global username reservations before a wider rollout later this year.

So people can message each other without handing over a phone number.

Details here: https://thehackernews.com/2026/06/whatsapp-is-finally-getting-usernames.html

🛑 The extension did not need to steal passwords to be dangerous.

Microsoft found a fake #Perplexity Chrome extension that logged searches and address bar input before redirecting users to real results.

How it worked, and what users should check: https://thehackernews.com/2026/06/malicious-perplexity-chrome-extension.html

🚨 Oracle E-Business Suite has a new active exploitation problem.

CVE-2026-46817 is a CVSS 9.8 flaw in Oracle Payments that can allow unauthenticated HTTP takeover.

No public PoC. Attribution unknown.

Read the full report: https://thehackernews.com/2026/06/oracle-e-business-suite-flaw-cve-2026.html