<?xml version="1.0" encoding="UTF-8"?><rss xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:atom="http://www.w3.org/2005/Atom" version="2.0"><channel><title><![CDATA[Cyber Threat Intelligence 09 June 2026]]></title><description><![CDATA[<p dir="auto"><strong>Industrial Sector</strong></p>
<ul>
<li><strong>NAVTOR NavBox</strong><br />
"Successful exploitation of this vulnerability could allow a local attacker to gain unauthorized access to SOAP methods, resulting in a disruption of operations."<br />
<a href="https://www.cisa.gov/news-events/ics-advisories/icsa-26-155-01" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.cisa.gov/news-events/ics-advisories/icsa-26-155-01</a></li>
<li><strong>Hitachi Energy ITT600 Explorer</strong><br />
"Hitachi Energy is aware of vulnerabilities that affect ITT600 Explorer product versions listed in this document. These vulnerabilities can be exploited to carry out Denial of Service (DoS) attack on the product. The vulnerabilities only affect Hitachi Energy Integrated Testing Tool ITT600 SA Explorer without affecting IEC 61850 system endpoints. Please refer to the Recommended Immediate Actions for information about the mitigation/remediation."<br />
<a href="https://www.cisa.gov/news-events/ics-advisories/icsa-26-155-02" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.cisa.gov/news-events/ics-advisories/icsa-26-155-02</a></li>
<li><strong>B&amp;R PPT30 Operating System</strong><br />
"B&amp;R is aware of a vulnerability in the product versions listed as affected in the advisory. An attacker who successfully exploits this vulnerability could make the OPC-UA server of the product inaccessible."<br />
<a href="https://www.cisa.gov/news-events/ics-advisories/icsa-26-155-03" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.cisa.gov/news-events/ics-advisories/icsa-26-155-03</a></li>
<li><strong>Hitachi Energy RTU500</strong><br />
"Hitachi Energy is aware of vulnerabilities that affect RTU500 product versions listed in this document. If exploited, these vulnerabilities primarily impact product availability, with potential secondary impacts on confidentiality and integrity. Please refer to the Recommended Immediate Actions for information about the mitigation/remediation."<br />
<a href="https://www.cisa.gov/news-events/ics-advisories/icsa-26-155-04" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.cisa.gov/news-events/ics-advisories/icsa-26-155-04</a></li>
<li><strong>Hitachi Energy MACH HiDraw</strong><br />
"Hitachi Energy is aware of a buffer overflow vulnerability that affects MACH HiDraw product versions listed in this document. Successful exploitation of this vulnerability could lead to a buffer overflow condition, potentially resulting in application outages (denial of service) and possible arbitrary code execution. Please refer to the Recommended Immediate Actions for information about the mitigation/remediation."<br />
<a href="https://www.cisa.gov/news-events/ics-advisories/icsa-26-155-05" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.cisa.gov/news-events/ics-advisories/icsa-26-155-05</a></li>
</ul>
<p dir="auto"><strong>New Tooling</strong></p>
<ul>
<li><strong>DockSec: Open-Source AI-Powered Docker Security Scanner</strong><br />
"DockSec is an OWASP Incubator Project that combines three container security scanners with a language-model layer for explanation and remediation. Created by Advait Patel, the Python tool runs Trivy, Hadolint, and Docker Scout against a developer’s Dockerfile and image, correlates the findings, returns a 0-100 security score, and proposes line-specific fixes. DockSec requires Python 3.12 and ships under the MIT license. It supports four language-model backends: OpenAI, Anthropic, Google Gemini, and local models served through Ollama, with a scan-only mode that operates offline and requires no API key."<br />
<a href="https://www.helpnetsecurity.com/2026/06/08/docksec-open-source-ai-docker-security-scanner/" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.helpnetsecurity.com/2026/06/08/docksec-open-source-ai-docker-security-scanner/</a><br />
<a href="https://github.com/OWASP/DockSec" target="_blank" rel="noopener noreferrer nofollow ugc">https://github.com/OWASP/DockSec</a></li>
</ul>
<p dir="auto"><strong>Vulnerabilities</strong></p>
<ul>
<li><strong>Popping Root On UniFi OS Server: Unauthenticated RCE Chain Detection &amp; Analysis</strong><br />
"Ubiquiti’s Security Advisory Bulletin 064 covers vulnerabilities across the UniFi OS device family that chain into unauthenticated remote code execution. An attacker bypasses the front-end authentication gateway to reach an internal API endpoint that runs an attacker-controlled value as a shell command, all without credentials. We confirmed the full chain end-to-end, turning a single request into a reverse shell with full root privileges. The severity comes from what the appliance controls: it is the management plane for the network it runs. Root on it, therefore, exposes every stored secret, lets an attacker forge admin sessions that survive the patch, and, in physical deployments, can compromise managed devices including door controls and security cameras."<br />
<a href="https://bishopfox.com/blog/popping-root-on-unifi-os-server-unauthenticated-rce-chain-detection-analysis" target="_blank" rel="noopener noreferrer nofollow ugc">https://bishopfox.com/blog/popping-root-on-unifi-os-server-unauthenticated-rce-chain-detection-analysis</a><br />
<a href="https://www.bleepingcomputer.com/news/security/critical-unifi-os-bug-lets-hackers-gain-root-without-authentication/" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.bleepingcomputer.com/news/security/critical-unifi-os-bug-lets-hackers-gain-root-without-authentication/</a></li>
<li><strong>Security Advisory – Action Required – Active Exploitation Of Check Point VPN Authentication Bypass (CVE-2026-50751)</strong><br />
"Check Point Research has identified active exploitation of CVE-2026-50751, a critical authentication bypass vulnerability affecting Check Point Remote Access VPN and Mobile Access deployments configured to use the deprecated IKEv1 key exchange protocol. By exploiting a logic flaw in certificate validation, an attacker can establish a VPN session without possession of a valid password, effectively bypassing authentication requirements. Additional post-authentication activity is required to access internal resources or escalate privileges."<br />
<a href="https://blog.checkpoint.com/security/check-point-releases-important-hotfix-for-vulnerabilities-in-deprecated-ikev1-vpn-protocol/" target="_blank" rel="noopener noreferrer nofollow ugc">https://blog.checkpoint.com/security/check-point-releases-important-hotfix-for-vulnerabilities-in-deprecated-ikev1-vpn-protocol/</a><br />
<a href="https://www.bleepingcomputer.com/news/security/check-point-links-vpn-zero-day-attacks-to-qilin-ransomware-gang/" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.bleepingcomputer.com/news/security/check-point-links-vpn-zero-day-attacks-to-qilin-ransomware-gang/</a><br />
<a href="https://www.darkreading.com/vulnerabilities-threats/check-point-vpn-flaw-exploited-early-may" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.darkreading.com/vulnerabilities-threats/check-point-vpn-flaw-exploited-early-may</a><br />
<a href="https://thehackernews.com/2026/06/critical-check-point-vpn-flaw-exploited.html" target="_blank" rel="noopener noreferrer nofollow ugc">https://thehackernews.com/2026/06/critical-check-point-vpn-flaw-exploited.html</a><br />
<a href="https://www.helpnetsecurity.com/2026/06/08/check-point-cve-2026-50751-qilin-ransomware/" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.helpnetsecurity.com/2026/06/08/check-point-cve-2026-50751-qilin-ransomware/</a><br />
<a href="https://www.theregister.com/cyber-crime/2026/06/08/attackers-had-month-long-head-start-on-patched-check-point-vpn-zero-day/5252438" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.theregister.com/cyber-crime/2026/06/08/attackers-had-month-long-head-start-on-patched-check-point-vpn-zero-day/5252438</a></li>
<li><strong>CISA Adds Two Known Exploited Vulnerabilities To Catalog</strong><br />
"CISA has added two new vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.<br />
CVE-2026-42271 BerriAI LiteLLM Command Injection Vulnerability<br />
CVE-2026-50751 Check Point Security Gateway Improper Authentication Vulnerability"<br />
<a href="https://www.cisa.gov/news-events/alerts/2026/06/08/cisa-adds-two-known-exploited-vulnerabilities-catalog" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.cisa.gov/news-events/alerts/2026/06/08/cisa-adds-two-known-exploited-vulnerabilities-catalog</a></li>
<li><strong>Gogs Patches Critical Zero-Day Enabling Remote Code Execution</strong><br />
"Gogs has patched a critical security zero-day flaw that can allow attackers to compromise Internet-facing instances and access any repositories (including private ones). This argument injection vulnerability has yet to be assigned a CVE ID, can only be exploited by authenticated attackers without admin privileges, and affects all Gogs releases up to and including 0.14.2 and 0.15.0+dev. They can exploit this vulnerability to compromise the targeted server, read any repository (including private repos), steal credentials, move laterally to other systems on the network, and alter any hosted source code."<br />
<a href="https://www.bleepingcomputer.com/news/security/gogs-patches-critical-zero-day-enabling-remote-code-execution/" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.bleepingcomputer.com/news/security/gogs-patches-critical-zero-day-enabling-remote-code-execution/</a></li>
<li><strong>Off By !: Exploiting a Use-After-Free In The Linux Kernel</strong><br />
"In this blog post, we discuss a use-after-free vulnerability that we found in the nftables subsystem of the Linux kernel in early 2025. This vulnerability was patched upstream on 5 February 2026 and assigned CVE-2026-23111. This blog post covers a technical analysis of the vulnerability and how we exploited it to perform a local privilege escalation from an unprivileged user to root on Debian Bookworm, Debian Trixie, Ubuntu 22.04 LTS, and Ubuntu 24.04 LTS."<br />
<a href="https://blog.exodusintel.com/2026/06/08/off-by-exploiting-a-use-after-free-in-the-linux-kernel/" target="_blank" rel="noopener noreferrer nofollow ugc">https://blog.exodusintel.com/2026/06/08/off-by-exploiting-a-use-after-free-in-the-linux-kernel/</a><br />
<a href="https://thehackernews.com/2026/06/one-character-linux-kernel-flaw-enables.html" target="_blank" rel="noopener noreferrer nofollow ugc">https://thehackernews.com/2026/06/one-character-linux-kernel-flaw-enables.html</a></li>
</ul>
<p dir="auto"><strong>Malware</strong></p>
<ul>
<li><strong>NFCShare Android Malware Spreads Via Fake Banking App Updates On GitHub</strong><br />
"New variants of the NFCShare Android malware are being distributed as fake updates for legitimate banking apps hosted on GitHub. The malware has evolved and is now targeting customers of multiple banks and financial institutions across Europe in a phishing campaign aimed at stealing payment card data. After tricking victims with a fake verification screen to place the cards near the mobile device's near-field communication (NFC) chip, NFCShare reads the information using Android’s IsoDep interface and EMV commands."<br />
<a href="https://www.bleepingcomputer.com/news/security/nfcshare-android-malware-spreads-via-fake-banking-app-updates-on-github/" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.bleepingcomputer.com/news/security/nfcshare-android-malware-spreads-via-fake-banking-app-updates-on-github/</a></li>
<li><strong>Shai-Hulud Descends To Hades: Miasma Worm Campaign Spreads With New PyPI Wave</strong><br />
"Socket detected a coordinated PyPI compromise involving 37 malicious wheel artifacts across 19 packages. The compromised releases shipped a *-setup.pth file that attempts to execute automatically during Python startup, download the Bun JavaScript runtime, and run an obfuscated JavaScript payload named _index.js. Socket’s AI malware detection system identified the malicious package cluster minutes after publication. The attack is cross-runtime, and the tradecraft is unmistakably Shai-Hulud / Miasma. Python packages provide the delivery vehicle, but the payload runs under Bun as a heavily obfuscated JavaScript stealer."<br />
<a href="https://socket.dev/blog/shai-hulud-descends-to-hades-miasma-pypi-wave" target="_blank" rel="noopener noreferrer nofollow ugc">https://socket.dev/blog/shai-hulud-descends-to-hades-miasma-pypi-wave</a><br />
<a href="https://www.bleepingcomputer.com/news/security/new-shai-hulud-attack-trojanizes-19-science-focused-pypi-packages/" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.bleepingcomputer.com/news/security/new-shai-hulud-attack-trojanizes-19-science-focused-pypi-packages/</a><br />
<a href="https://www.darkreading.com/application-security/hades-campaign-pypi-shai-hulud" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.darkreading.com/application-security/hades-campaign-pypi-shai-hulud</a></li>
<li><strong>Fighting Spyware: An Update From WhatsApp</strong><br />
"WhatsApp caught and disrupted spear phishing attempts linked to NSO, a spyware firm blacklisted by the US government. Today, we’re asking the court to hold NSO in contempt for violating a permanent injunction that barred them from ever targeting WhatsApp and its users. Spyware is a national security threat, which is why we are supporting a growing coalition of privacy advocates and security researchers against spyware, and donating to the Spyware Accountability Initiative."<br />
<a href="https://about.fb.com/news/2026/06/fighting-spyware-an-update-from-whatsapp/" target="_blank" rel="noopener noreferrer nofollow ugc">https://about.fb.com/news/2026/06/fighting-spyware-an-update-from-whatsapp/</a><br />
<a href="https://www.bleepingcomputer.com/news/security/whatsapp-says-it-disrupted-new-nso-spyware-phishing-attacks/" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.bleepingcomputer.com/news/security/whatsapp-says-it-disrupted-new-nso-spyware-phishing-attacks/</a><br />
<a href="https://thehackernews.com/2026/06/meta-blocks-nso-groups-new-whatsapp.html" target="_blank" rel="noopener noreferrer nofollow ugc">https://thehackernews.com/2026/06/meta-blocks-nso-groups-new-whatsapp.html</a><br />
<a href="https://therecord.media/whatsapp-says-nso-targeted-users-with-attacks-against-court-order" target="_blank" rel="noopener noreferrer nofollow ugc">https://therecord.media/whatsapp-says-nso-targeted-users-with-attacks-against-court-order</a><br />
<a href="https://cyberscoop.com/meta-contempt-complaint-nso-group-spyware/" target="_blank" rel="noopener noreferrer nofollow ugc">https://cyberscoop.com/meta-contempt-complaint-nso-group-spyware/</a><br />
<a href="https://hackread.com/whatsapp-blocked-pegasus-spyware-campaign-nso/" target="_blank" rel="noopener noreferrer nofollow ugc">https://hackread.com/whatsapp-blocked-pegasus-spyware-campaign-nso/</a><br />
<a href="https://www.securityweek.com/whatsapp-catches-spyware-firm-nso-defying-no-hacking-court-order/" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.securityweek.com/whatsapp-catches-spyware-firm-nso-defying-no-hacking-court-order/</a><br />
<a href="https://securityaffairs.com/193333/security/meta-accuses-nso-of-violating-whatsapp-court-injunction.html" target="_blank" rel="noopener noreferrer nofollow ugc">https://securityaffairs.com/193333/security/meta-accuses-nso-of-violating-whatsapp-court-injunction.html</a><br />
<a href="https://www.theregister.com/security/2026/06/08/nso-group-back-in-metas-crosshairs-after-alleged-whatsapp-targeting/5252105" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.theregister.com/security/2026/06/08/nso-group-back-in-metas-crosshairs-after-alleged-whatsapp-targeting/5252105</a><br />
<a href="https://www.helpnetsecurity.com/2026/06/08/meta-whatsapp-nso-group-phishing-campaign/" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.helpnetsecurity.com/2026/06/08/meta-whatsapp-nso-group-phishing-campaign/</a></li>
<li><strong>From Fake Amazon Security Alert To HarborWatch Agent: ClickFix Delivery Of a Custom Monitoring RAT</strong><br />
"Threat actors do not always need to compromise a major company to weaponize its trust; they simply need to borrow its name. In the following campaign threat, cybercriminals utilize social engineering, lookalike domains, and fake verification tactics to turn a routine security alert into a ClickFix malware delivery with the goal of convincing recipients to unknowingly infect themselves. The Cofense Phishing Defense Center has identified an Amazon-themed malware delivery campaign that abuses the ClickFix self-infection technique to deliver a custom monitoring RAT known as HarborWatch Agent. This campaign highlights a growing trend in the threat landscape where attackers are abusing trusted brands and fake verification to turn users into the mechanism of their own infection."<br />
<a href="https://cofense.com/blog/from-fake-amazon-security-alert-to-harborwatch-agent-clickfix-delivery-of-a-custom-monitoring-rat" target="_blank" rel="noopener noreferrer nofollow ugc">https://cofense.com/blog/from-fake-amazon-security-alert-to-harborwatch-agent-clickfix-delivery-of-a-custom-monitoring-rat</a></li>
<li><strong>Don't Fear The Repo: UNK_DeadDrop Phishing Campaign Targets Developers To Steal Cryptocurrency</strong><br />
"Since at least 2022, North Korea-aligned threat actors have made a concerted effort not only to target cryptocurrency and decentralized finance organizations, but specifically to target developers using fake recruiter personas, malicious npm/PyPI packages (TraderTraitor / Jade Sleet), and trojanized cryptocurrency trading applications (AppleJeus / Citrine Sleet). These often masquerade as technical assessments or coding challenges and use techniques such as ClickFix or abusing Visual Studio Code’s features to execute malware. Approaches often occur over LinkedIn, Slack, Telegram, or in a multi-platform manner, with a consistent aim of targeting developer assets such as API tokens, cryptocurrency wallets, and credentials."<br />
<a href="https://www.proofpoint.com/us/blog/threat-insight/dont-fear-repo-unkdeaddrop-phishing-campaign-targets-developers-steal" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.proofpoint.com/us/blog/threat-insight/dont-fear-repo-unkdeaddrop-phishing-campaign-targets-developers-steal</a><br />
<a href="https://www.infosecurity-magazine.com/news/north-korean-hackers-developers/" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.infosecurity-magazine.com/news/north-korean-hackers-developers/</a><br />
<a href="https://www.theregister.com/security/2026/06/08/suspected-norks-send-250-fake-dev-job-pitches-to-steal-crypto/5252526" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.theregister.com/security/2026/06/08/suspected-norks-send-250-fake-dev-job-pitches-to-steal-crypto/5252526</a></li>
<li><strong>Old WinRAR Flaw Fuels Attacks On Ukraine: How Unmanaged Software Keeps The Door Open</strong><br />
"When Russia annexed Crimea in 2014, the Russia-aligned cyber threat landscape was defined by a handful of known actors: Pawn Storm (also known as APT28), Sandworm, Earth Koshchei (also known as APT29), Turla, and Earth Dahu (also known as Gamaredon). A decade later, those groups remain active, but they have been joined by a much larger number of distinct activity clusters targeting Ukraine. One pattern cuts across these clusters: the rapid adoption of vulnerabilities in widely used software. CVE-2025-8088, the WinRAR vulnerability at the center of this report, was first reported in July 2025 as a zero-day used by Void Rabisu (ROMCOM) and has since been exploited by other groups, including Sandworm and Turla. SHADOW-EARTH-066 (known as UAC-0226) and Earth Dahu also exploited this vulnerability."<br />
<a href="https://www.trendmicro.com/en_us/research/26/f/old-winrar-flaw-fuels-attacks-on-ukraine.html" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.trendmicro.com/en_us/research/26/f/old-winrar-flaw-fuels-attacks-on-ukraine.html</a></li>
<li><strong>When “Hi, This Is IT” Comes Through Microsoft Teams</strong><br />
"It's Friday afternoon. The week has been busy, and everyone is wrapping up before the weekend. One of your workers receives a message (Figure 1) through Microsoft Teams from what appears to be the IT Service Provider. The message is marked as external. The worker previews the message and sees, "Hi, this is the IT Department. We see an issue with your account." The message looks routine and is in MS Teams, not email. The worker accepts the message. The conversation proceeds and the "IT technician" explains that a login anomaly was detected and asks the worker to approve a multi-factor authentication (MFA) prompt to confirm their identity. The conversation continues for a few minutes to maintain credibility, but behind the scenes the compromise is already underway."<br />
<a href="https://unit42.paloaltonetworks.com/microsoft-teams-phishing/" target="_blank" rel="noopener noreferrer nofollow ugc">https://unit42.paloaltonetworks.com/microsoft-teams-phishing/</a></li>
</ul>
<p dir="auto"><strong>Breaches/Hacks/Leaks</strong></p>
<ul>
<li><strong>SoFi Confirms Third-Party Data Breach At Hong Kong Subsidiary</strong><br />
"SoFi Hong Kong is warning that it suffered a data breach after hackers gained access to a database at a third-party vendor containing customer information. The company is a U.S.-based financial technology company that offers banking, investing, loans, and other personal finance services. The company also operates SoFi Hong Kong, which provides investment and securities services to customers in the region. In emails sent to customers and shared with BleepingComputer, SoFi said it discovered the incident on April 30, 2026, after detecting unauthorized access to a database of SoFi Securities (Hong Kong) Limited via one of its vendors."<br />
<a href="https://www.bleepingcomputer.com/news/security/sofi-confirms-third-party-data-breach-at-hong-kong-subsidiary/" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.bleepingcomputer.com/news/security/sofi-confirms-third-party-data-breach-at-hong-kong-subsidiary/</a></li>
<li><strong>Over 20,000 Instagram Accounts Stolen In Meta AI Support Hack</strong><br />
"Meta has revealed that 20,225 Instagram users had their accounts hijacked in a recent incident where attackers used Meta's AI-powered support system to reset passwords. As BleepingComputer reported one week ago, the threat actors exploited a flaw in the company's High Touch Support (HTS) tool, an AI-assisted support system that helps users regain access after being locked out of their Instagram accounts. By exploiting the fact that HTS didn't verify whether email addresses were associated with the targeted Instagram accounts, they obtained password reset links that allowed them to log in and hijack accounts without two-factor authentication (2FA) enabled."<br />
<a href="https://www.bleepingcomputer.com/news/security/meta-ai-support-data-breach-affects-20-000-instagram-accounts/" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.bleepingcomputer.com/news/security/meta-ai-support-data-breach-affects-20-000-instagram-accounts/</a><br />
<a href="https://www.infosecurity-magazine.com/news/over-20000-instagram-accounts/" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.infosecurity-magazine.com/news/over-20000-instagram-accounts/</a><br />
<a href="https://hackread.com/instagram-recovery-tool-bug-accounts-password-reset/" target="_blank" rel="noopener noreferrer nofollow ugc">https://hackread.com/instagram-recovery-tool-bug-accounts-password-reset/</a><br />
<a href="https://www.securityweek.com/meta-says-20000-instagram-accounts-hacked-via-ai-tool-abuse/" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.securityweek.com/meta-says-20000-instagram-accounts-hacked-via-ai-tool-abuse/</a><br />
<a href="https://securityaffairs.com/193307/ai/meta-ai-recovery-tool-flaw-exposed-20000-instagram-accounts.html" target="_blank" rel="noopener noreferrer nofollow ugc">https://securityaffairs.com/193307/ai/meta-ai-recovery-tool-flaw-exposed-20000-instagram-accounts.html</a><br />
<a href="https://www.helpnetsecurity.com/2026/06/08/instagram-ai-support-vulnerability-account-takeovers/" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.helpnetsecurity.com/2026/06/08/instagram-ai-support-vulnerability-account-takeovers/</a></li>
<li><strong>174,000 Impacted By Lansing Community College Data Breach</strong><br />
"Lansing Community College (LCC) is notifying over 174,000 people that their personal information was compromised in a data breach more than one year ago. The incident was identified in February 2025, roughly one week after hackers gained access to some of its systems using compromised credentials, the Lansing, Michigan public community college says in notification letters sent to the impacted individuals. Working with third-party cybersecurity experts, LCC determined that the hackers accessed personal information such as names, addresses, dates of birth, driver’s license details, and Social Security numbers."<br />
<a href="https://www.securityweek.com/174000-impacted-by-lansing-community-college-data-breach/" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.securityweek.com/174000-impacted-by-lansing-community-college-data-breach/</a></li>
<li><strong>Ransomware Sends Illinois High School On An Early Summer Vacation</strong><br />
"An Illinois high school won't reopen until Wednesday at the earliest after suffering a ransomware attack on Sunday, June 7. Evanston Township High School (ETHS), located 14 miles north of Chicago, said it would be closed today and tomorrow, and that the closure also affected summer school, sports camps, and on-campus activities, which are all canceled."<br />
<a href="https://www.theregister.com/cyber-crime/2026/06/08/ransomware-attack-shuts-illinois-high-school-until-wednesday/5252322" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.theregister.com/cyber-crime/2026/06/08/ransomware-attack-shuts-illinois-high-school-until-wednesday/5252322</a></li>
</ul>
<p dir="auto"><strong>General News</strong></p>
<ul>
<li><strong>Iran Signed a Ceasefire — Its Hackers Didn't</strong><br />
"The United States and Iran have extended what began as a two-week ceasefire. The pause applies only to kinetic warfare, and even that didn't fully stop the shooting. The cyber front has no signs of a truce. The day before that ceasefire took effect, six federal agencies — the FBI, CISA, NSA, EPA, DOE, and U.S. Cyber Command's Cyber National Mission Force — issued a joint advisory warning that Iranian-affiliated actors had been manipulating programmable logic controllers inside U.S. critical infrastructure since at least March. Victim organizations across water, energy, and government services confirmed operational disruptions and financial losses. Hours after the ceasefire took effect, one IRGC-linked group announced it was pausing attacks on the U.S., for now, while vowing to revive them "when the time is right." Another pledged operations against Israel would continue “at full force.”"<br />
<a href="https://www.darkreading.com/cyberattacks-data-breaches/iran-signed-ceasefire-hackers" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.darkreading.com/cyberattacks-data-breaches/iran-signed-ceasefire-hackers</a></li>
<li><strong>Cybercriminals Create 19,000 FIFA-Themed Domains Ahead Of 2026 World Cup</strong><br />
"Fans looking for tickets, accommodation and match broadcasts are already encountering scams tied to the 2026 FIFA World Cup. The 2026 FIFA World Cup will bring millions of visitors and an estimated 6 billion spectators to a tournament spread across 16 host cities in the United States, Canada and Mexico. In a new report, Intel 471 describes the 2026 FIFA World Cup as “the largest and most complex cyberattack surface in sporting history.”"<br />
<a href="https://www.helpnetsecurity.com/2026/06/08/fifa-world-cup-cyber-threats/" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.helpnetsecurity.com/2026/06/08/fifa-world-cup-cyber-threats/</a></li>
<li><strong>Everybody Is Vibe Coding But Nobody Told The Security Team</strong><br />
"In February 2025, Andrej Karpathy coined the term “vibe coding” to describe a new way of building software: rapid, AI-assisted development where users ‘fully give in to the vibes, embrace exponentials, and forget that the code even exists’.” Fast forward to 2026, and Anthropic CEO now predicts that 90% of code will be written by AI in 3-6 months. According to one survey, 84% of developers globally are using or planning to use AI coding tools in their workflow, up from 76% in 2024. Of those, 51% of professional developers use AI tools daily."<br />
<a href="https://www.securityweek.com/everybody-is-vibe-coding-but-nobody-told-the-security-team/" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.securityweek.com/everybody-is-vibe-coding-but-nobody-told-the-security-team/</a></li>
<li><strong>The Hardest Fork</strong><br />
"Mythos is real. I know a big chunk of the industry thinks it's a marketing stunt, and I get why. I get it. But I've seen the findings, and they're bad. These aren't "whoops, this line right here is wrong, and that's RCE." They're novel combinations of a few dozen issues out of thousands of things every SAST scanner already finds, chained together into something much worse. It's real creativity, like Move 37. That's not a better scanner. That's a different category of threat."<br />
<a href="https://thehackernews.com/2026/06/the-hardest-fork.html" target="_blank" rel="noopener noreferrer nofollow ugc">https://thehackernews.com/2026/06/the-hardest-fork.html</a></li>
<li><strong>52% Of Direct-To-IP Threats Are Missing From Intelligence Feeds</strong><br />
"Security tools are good at inspecting websites, domains, URLs, and files, so attackers are moving lower in the stack and communicating directly with IP addresses, where visibility is limited. According to Palo Alto Networks’ report, this creates a visibility gap that allows malicious traffic to blend into normal internet activity and evade detection. At the internet edge, this gap starves security systems of the telemetry needed to identify and block threats. Threat actors hide the signals security tools rely on, use shared infrastructure to avoid detection, and scale these techniques with AI."<br />
<a href="https://www.helpnetsecurity.com/2026/06/08/palo-alto-networks-securing-ip-connections-report/" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.helpnetsecurity.com/2026/06/08/palo-alto-networks-securing-ip-connections-report/</a></li>
</ul>
<p dir="auto"><strong>Reference</strong><br />
Electronic Transactions Development Agency (ETDA) <img src="/assets/uploads/files/1781058260204-8b2433b4-187d-411d-b834-bedee216e4c1-image.png" alt="8b2433b4-187d-411d-b834-bedee216e4c1-image.png" class=" img-fluid img-markdown" /></p>
]]></description><link>https://webboard-nsoc.ncsa.or.th/topic/2972/cyber-threat-intelligence-09-june-2026</link><generator>RSS for Node</generator><lastBuildDate>Wed, 10 Jun 2026 10:12:27 GMT</lastBuildDate><atom:link href="https://webboard-nsoc.ncsa.or.th/topic/2972.rss" rel="self" type="application/rss+xml"/><pubDate>Wed, 10 Jun 2026 02:24:21 GMT</pubDate><ttl>60</ttl></channel></rss>