
Cybersecurity Week in Review: June 9–15, 2026

Cyberattacks, data breaches, zero-days, and global responses—discover the biggest cybersecurity headlines of this week.

Major Data Breaches

Headline: China-Nexus Actor Spies on US Researchers Undetected for a Year

A sophisticated China-linked espionage campaign was uncovered this week, targeting US and Canadian research, medical, and defense institutions. Google’s Threat Intelligence Group revealed that attackers exploited REDCap research servers to steal credentials and exfiltrate sensitive data. The campaign, attributed to the cluster UNC6508, involved manipulating Google Workspace rules to covertly forward emails matching specific keywords to attacker-controlled inboxes. The victims included clinical providers, academic centers, military health institutions, and advocacy groups. The attack persisted undetected for over a year, highlighting the advanced operational security of the threat actor. Google first reported the backdoor in February, but the full scope and persistence of the campaign were only detailed in this week’s report [1].

Key Details:

  • Organizations affected: Multiple US and Canadian research, medical, and defense entities
  • Attack vector: REDCap server backdoor, Google Workspace rule manipulation
  • Discovery date: June 2026 (public disclosure)
  • Data exfiltration: Confirmed, including sensitive research and defense emails
  • Response: Google disrupted the campaign and published technical details

Headline: WordPress Plugin Supply Chain Attack Plants Hidden Backdoors

A major supply chain attack was disclosed involving three popular WordPress plugins—PushEngage, OptinMonster, and TrustPulse. Attackers tampered with trusted JavaScript files, enabling the creation of rogue admin accounts and installation of hidden plugins for persistent access. The campaign was discovered by Sansec and confirmed by PushEngage, which issued an incident notice. The attack only triggered when a site administrator was logged in, leaving ordinary visitors unaffected. All three plugins are managed by Awesome Motive, which had not commented on the two larger plugins as of June 15 [1].

Key Details:

  • Plugins affected: PushEngage, OptinMonster, TrustPulse
  • Attack vector: Tampered JavaScript files, admin session hijack
  • Discovery date: June 13–14, 2026
  • Impact: Potential full site compromise for affected WordPress sites
  • Response: PushEngage confirmed incident; other plugin maintainers pending

Significant Cyberattacks

Headline: North Korean Hackers Weaponize Developer Tools for Malware Delivery

Proofpoint researchers identified two cyber campaigns linked to the North Korean threat cluster “Contagious Interview” (aka Famous Chollima, HexagonalRodent, Void Dokkaebi). The campaigns used phishing emails themed around developer recruitment and code review to target nearly 100 organizations across finance, cryptocurrency, education, and technology sectors. The infection chain began with links to malicious GitHub repositories, leading to cross-platform malware deployment via the open-source Go framework “Overlord.” The use of Microsoft Visual Studio Code extensions was a key indicator tying the activity to North Korea [1].

Key Details:

  • Sectors targeted: Finance, crypto, education, technology
  • Attack vector: Phishing, malicious GitHub repos, VS Code extensions
  • Malware: Overlord (Go-based, cross-platform)
  • Discovery date: June 2026 (public disclosure)
  • Response: Proofpoint published technical indicators and mitigation advice

Headline: Silent Ransom Group Hits US Law Firms in Escalating Extortion Attacks

A new wave of ransomware attacks by the Silent Ransom Group targeted US law firms, escalating extortion tactics and threatening public data leaks. The group’s operations were reported to have intensified in early June, with several firms experiencing data theft and service disruptions. The attackers demanded substantial ransoms and threatened to publish sensitive legal documents if not paid. The campaign underscores the ongoing risk to the legal sector from targeted ransomware operations [2].

Key Details:

  • Victims: Multiple US law firms
  • Attack vector: Ransomware, data exfiltration
  • Discovery date: Early June 2026
  • Impact: Service outages, data leak threats
  • Response: Law firms engaged incident response teams; FBI notified

Critical Vulnerabilities

Headline: Google Patches Actively Exploited Chrome 0-Day (CVE-2026-11645)

Google released emergency security updates for Chrome, addressing 74 vulnerabilities, including a high-severity zero-day (CVE-2026-11645, CVSS 8.8) exploited in the wild. The flaw, an out-of-bounds memory access in the V8 JavaScript engine, allowed attackers to execute arbitrary code. Google confirmed active exploitation but withheld technical details pending patch adoption. Users are urged to update Chrome immediately [1].

Technical Details:

  • CVE: CVE-2026-11645
  • CVSS: 8.8 (High)
  • Component: V8 JavaScript engine
  • Patch released: June 2026
  • Exploitation: Confirmed in the wild

Headline: Max-Severity Ivanti Flaw Exploited 24 Hours After Disclosure

A critical vulnerability in Ivanti software was exploited within 24 hours of public disclosure, according to Dark Reading. Attackers leveraged the flaw to gain unauthorized access to enterprise environments. The rapid exploitation highlights the need for immediate patching of newly disclosed vulnerabilities [2].

Technical Details:

  • Product: Ivanti (specific product not detailed)
  • Exploit window: <24 hours post-disclosure
  • Impact: Unauthorized access, potential lateral movement
  • Response: Emergency patches released; CISA issued alert

Headline: One-Click Microsoft 365 Copilot Flaw (CVE-2026-42824) Could Have Exposed Emails and Files

Researchers at Varonis Threat Labs disclosed a critical Microsoft 365 Copilot vulnerability (CVE-2026-42824) that could have allowed attackers to exfiltrate emails, files, and MFA codes with a single click. The flaw, dubbed “SearchLeak,” involved chaining three bugs into a seamless exfiltration path. Microsoft mitigated the issue on the backend, and no exploitation was observed in the wild. The CVSS scores varied: 6.5 (Microsoft) and 7.5 (NVD) [1].

Technical Details:

  • CVE: CVE-2026-42824
  • CVSS: 6.5 (Microsoft), 7.5 (NVD)
  • Attack vector: Command injection via trusted Microsoft link
  • Patch status: Mitigated by Microsoft backend update

Government Responses

Headline: CISA Adds Multiple Exploited Vulnerabilities to Known Exploited Vulnerabilities Catalog

The US Cybersecurity and Infrastructure Security Agency (CISA) issued several alerts between June 9 and June 12, adding new vulnerabilities to its Known Exploited Vulnerabilities Catalog. These advisories urge organizations to prioritize patching and mitigation for actively exploited flaws, including those in widely used enterprise software. CISA’s ongoing updates reflect the rapid pace of exploitation and the need for timely defensive action [3].

Key Details:

  • Dates: June 9, 11, 12, 2026
  • Action: Multiple vulnerabilities added to KEV Catalog
  • Response: Federal agencies and critical infrastructure operators required to patch by specified deadlines

Miscellaneous

Headline: Chrome Extensions Linked to Adware and Fake Traffic

Researchers discovered a network of 152 Chrome wallpaper extensions, installed over 105,000 times, distributing potentially unwanted programs (PUPs) and generating fake traffic. The extensions, spread across 38 publisher accounts, were linked to three backend domains. Google has been notified, and users are advised to remove suspicious extensions [1].


Headline: Sniper Dz Scams Target MENA Users via Fake Facebook Offers

A fraudulent campaign targeting Middle East and North Africa (MENA) users was uncovered, using fake Facebook accounts to impersonate public figures and organizations. Victims were lured with promises of free mobile internet or financial compensation, only to be redirected to phishing and monetization infrastructure. Group-IB analysts provided technical details and mitigation advice [1].


Conclusion

This week’s cybersecurity landscape was marked by high-impact espionage campaigns, rapid exploitation of critical vulnerabilities, and persistent threats to both enterprise and public sector organizations. The continued targeting of supply chains, developer tools, and cloud services underscores the need for robust, multi-layered defenses and rapid incident response. Organizations are urged to review CISA advisories, patch critical vulnerabilities, and remain vigilant against evolving attack vectors.


Sources: