Cyber security news June 2026

This posting is here to collect cyber security news in June 2026.

I post links to security vulnerability news to comments of this article.

You are also free to post related links to comments.

15 Comments

  1. Tomi Engdahl says:

    Dashlane Brute-Force Attack Leads to Limited Encrypted Vault Downloads

    Dashlane’s security systems automatically locked accounts to protect them against the hacking attempts.

    https://www.securityweek.com/dashlane-brute-force-attack-leads-to-limited-encrypted-vault-downloads/

    Reply
  2. Tomi Engdahl says:

    Trump Signs Executive Order That Invites Vetting of Top AI Models for National Security Risks

    The order establishes a framework for the federal government to vet the national security risks of the most advanced AI systems for up to a month before their public release.

    https://www.securityweek.com/trump-signs-executive-order-that-invites-vetting-of-top-ai-models-for-national-security-risks/

    President Donald Trump signed an executive order on oversight of artificial intelligence Tuesday, less than two weeks after postponing a White House ceremony over his concerns that a similar policy could dull America’s technological edge.

    The order establishes a framework for the federal government to vet the national security risks of the most advanced AI systems for up to a month before their public release. Participation by AI developers would be voluntary, the order says.

    “Advanced AI capabilities make our Nation stronger, but also introduce new national security considerations that require coordinated action across executive departments and agencies,” the order says.

    Reply
  3. Tomi Engdahl says:

    Vulnerabilities
    19-Year-Old Linux Kernel Vulnerability Exposes Systems to Root Access

    Proof-of-concept (PoC) exploit code has been released for the CIFSwitch flaw, which allows low-privileged users to escalate to root on vulnerable Linux systems.

    https://www.securityweek.com/19-year-old-linux-kernel-vulnerability-exposes-systems-to-root-access/

    Reply
  4. Tomi Engdahl says:

    Critical Windows Netlogon Vulnerability in Attackers’ Crosshairs

    Organizations are advised to patch CVE-2026-41089 as soon as possible, given its severity and the potential ongoing exploitation.

    https://www.securityweek.com/critical-windows-netlogon-vulnerability-in-attackers-crosshairs/

    Reply
  5. Tomi Engdahl says:

    Two New Reports Offer Competing Explanations for Cybersecurity’s Growing Crisis

    As AI shortens the path from vulnerability disclosure to exploitation, researchers disagree on whether the problem is inadequate security tools or inadequate operational control.

    https://www.securityweek.com/two-new-reports-offer-competing-explanations-for-cybersecuritys-growing-crisis/

    Two reports offer differing viewpoints. One suggests a failure of tools to provide what security teams really need. The other suggests the tools exist but are not properly managed.

    The industrialization of cybercrime threatens to overwhelm cyber defense. It’s a process that started before the arrival of ChatGPT, was supercharged by the age of AI, and is now typified as the post-Mythos era. It’s a time when defenders must improve their performance or cede the battleground to the adversary. Applications are the battlefield. The speed, scale and sophistication of AI-assisted attacks is difficult to contain.

    “AI is not just creating more vulnerabilities. It is exposing the fact that companies cannot fix known vulnerabilities fast enough,” explains Daniel Shechter, CEO and co-founder at Miggo Security. “For years, security programs have been measured by how well they find risk before software goes live. Frontier AI like Mythos changes the question. If attackers can move from disclosure to exploit in hours, boards and CISOs need to understand how long the business remains exposed, and what can be done to mitigate quickly and efficiently.”

    The Cloud Security Alliance (CSA) State of Modern Application and AI Security report (PDF), commissioned by Miggo and published on June 2, 2026, confirms and explains this new reality. CSA surveyed more than 900 cybersecurity leaders and found that vulnerabilities in this post-Mythos era are evading the pre-production phase while 82% of organizations lack effective runtime visibility.

    “The real challenge begins once applications are in production, where security teams must rapidly determine which exposures are truly exploitable, prioritize the risks that matter most, and respond before attackers can take advantage,” suggests Daniel Shechter, CEO and co-founder at Miggo Security.

    Most breaches are driven by known vulnerabilities. Eighty percent of the companies surveyed have suffered at least one incident involving a known vulnerability in the last year. If it is known, it is almost certainly patchable; but in the post-Mythos era there are too many patches to handle. The biggest problem is knowing which of those vulnerabilities are exploitable and most urgently need patching.

    Only 9% remediate critical vulnerabilities within 24 hours, with 74% taking one to seven days. Patch time is important: Organizations taking four or more days had a 97% incident rate. Those taking three or less had a 67% rate. The implication is that patch rates must be increased and exploitable vulnerabilities better understood – and preferably both.

    It gets more complicated, and urgent, in runtime, which is described as the breach battlefield. Most organizations only know what happened after reconstructing the event after the horse has bolted. Most (73%) would adopt virtual patching if they had better confidence in minimal false positives; but only 17% configure WAFs for automatic blocking, with 56% citing a lack of application context as the reason.

    A separate FireMon Insights report, also published June 2, 2026, suggests that concern over the automated use of firewalls as a security barrier is unsurprising but at least partially due to a lack of human oversight. FireMon discusses firewalls in general, but the same principles will apply to WAFs.

    “Technologies like Mythos are shining a bright light on a reality security teams can no longer ignore: any connected system is vulnerable,” says Jody Brazil, CEO at FireMon. “As AI accelerates the speed and scale of attacks, firewalls, segmentation, and policy governance become more important than ever. Our Insights data shows most organizations still lack the operational control needed to consistently manage policy across hybrid environments. That is why network segmentation, microsegmentation, and continuous policy governance are becoming foundational to reducing attack surface and limiting blast radius.”

    It concludes that manual policy management is inefficient and allows risk across the attack surface to continue to expand rapidly, primarily due to an environment in which high severity policy failures persist over extended periods of time, and are exacerbated by unused and redundant rules.

    FireMon suggests a failure in human management rather than firewall capability. For example, 45% of firewall rules lack an owner or documentation, 17% are redundant or shadowed, and 69% are unused.

    “Firewall complexity is no longer just an operational problem. It is a control problem,” adds Brazil. “Security teams have massive investments in firewalls, cloud, and segmentation platforms, but without control of policy those environments become difficult to manage securely. The problem is no longer lack of tools. It is lack of operational control.”

    Reply
  6. Tomi Engdahl says:

    Exclusive: How One Line of Code Put Billions of Microsoft Android App Downloads at Risk

    A simple development setting bypassed protections designed to prevent unauthorized Android apps from accessing Microsoft account tokens, exposing billions of installations.

    https://www.securityweek.com/exclusive-how-one-line-of-code-put-billions-of-microsoft-android-app-downloads-at-risk/

    Six Microsoft 365 Android apps contain an identical flaw that could risk billions of downloads being compromised.

    The findings, shared exclusively with SecurityWeek ahead of the expected public release of the research on Tuesday, were uncovered by Enclave, an AI-powered exploitable bug hunter. It is nothing more than a single debug flag being left in the production code of Word, PowerPoint, Excel, Microsoft 365 Copilot, Microsoft Loop and OneNote for Android. Someone left debug mode enabled in production: – set IsDebugMode(true). This was enabled across all six apps, but was not enabled in other Microsoft (MS) apps such as Teams. These were not affected by any consequent potential exploitation attempt.

    The effect of such debug flags varies. Sometimes the purpose is simply to affect logging or to test output. “This one changed the behavior around account access token sharing,” explains Enclave reporting its findings. “With debug mode enabled, the protection that should have blocked untrusted apps from receiving tokens was skipped.”

    Reply
  7. Tomi Engdahl says:

    Supply Chain Security
    Supply Chain Attack Hits 32 Red Hat NPM Packages

    Hackers published 96 malicious package versions, injected with a credential-stealing worm similar to Mini Shai-Hulud.

    https://www.securityweek.com/supply-chain-attack-hits-32-red-hat-npm-packages/

    Reply
  8. Tomi Engdahl says:

    19-Year-Old Linux Kernel Vulnerability Exposes Systems to Root Access

    Proof-of-concept (PoC) exploit code has been released for the CIFSwitch flaw, which allows low-privileged users to escalate to root on vulnerable Linux systems.

    https://www.securityweek.com/19-year-old-linux-kernel-vulnerability-exposes-systems-to-root-access/

    A vulnerability that lurked in the Linux kernel for 19 years allows low-privileged users to obtain root-level privileges on numerous distributions.

    Dubbed CIFSwitch, the issue impacts the Linux kernel’s CIFS subsystem and the cifs-utils userspace helper it uses for handling authentication. CIFS handles parts of the SMB network filesystem protocol, such as mounting shares, read/write actions, and SMB communication to the server.

    When authenticating a mount, the subsystem sends a request_key call for a cifs.spnego key. The request checks the key in userspace and calls cifs.upcall as root to parse the key description, which contains fields such as UID, PID, credential cache, and namespace.

    According to SpaceX security engineer Asim Viladi Oglu Manizada, the kernel does not check the origin of the request and the key description, which allows an attacker to call the request_key function directly and supply their own key description fields, bypassing CIFS origin.

    Because cifs.upcall is called as root, the helper switches into the namespaces of the PID supplied in the modified key description, providing the attacker with root access.

    Furthermore, during the operation, before privileges are dropped, the helper also performs account lookup, which goes through Name Service Switch (NSS) and enables the loading of NSS modules.

    Certain Linux Mint, CentOS, Rocky Linux, Kali Linux, AlmaLinux, and SLES SAP distributions that have cifs-utils installed by default are vulnerable. According to the researcher, some distros are vulnerable only if cifs-utils was manually installed.

    Many Ubuntu, Fedora, CentOS, Rocky Linux, AlmaLinux, Oracle Linux, openSUSE, and SLES distros block the execution path by default, while Amazon Linux 2 KVM and Kali Linux 2019.4/2020.4 are not affected.

    Major Linux distributions rolled out fixes for the security defect earlier this month.

    Reply
  9. Tomi Engdahl says:

    Artificial Intelligence
    Anthropic Expanding Mythos Access to 150 New Organizations

    Only approximately 50 companies have had access to Mythos until now and they have found thousands of vulnerabilities in their products

    https://www.securityweek.com/anthropic-expanding-mythos-access-to-150-new-organizations/

    Reply
  10. Tomi Engdahl says:

    Artificial Intelligence
    Raising the Cybersecurity Stakes: Ante up for the Agentic Era

    CISOs are now facing machine-speed attacks and asking, “How do I agent?” The industry must provide remediation at scale.

    https://www.securityweek.com/raising-the-cybersecurity-stakes-ante-up-for-the-agentic-era/

    Organizations are making a big bet on AI, but if their plans don’t include a cybersecurity strategy, then they are gambling with their future.

    Over the past few years, GenAI platforms have matured from pattern-matching large language models (LLMs) to tool-calling agents. Many enterprises now report that the majority of their code is written by AI. However, threat actors have also upped the ante – agentic attacks shape offense faster than human defenses can respond.

    In the last decade, the fundamental questions of cybersecurity have evolved. When CISOs asked, “What do I have?”, the industry provided context on assets. When they asked, “What is important?”, the industry provided prioritization. When they asked, “How do I fix it?”, the industry provided remediation.

    Now, virtually every cybersecurity solution has implemented conversational AI that can make recommendations, but manual remediation cannot keep pace with AI-powered cyberattacks.

    The agentic era is forcing manual remediation processes to evolve rapidly. CISOs are now facing machine-speed attacks and asking, “How do I agent?” The industry must provide remediation at scale.

    AI has changed the game in both the scope of the attack surface and the scale of agentic attacks. This attack surface (and the control plane) spans assets, identity, and decision context. Enterprise AI agents and AI-generated code are both sources of risk.

    In February 2026, OpenClaw, an agentic assistant, became so popular that its creator was recruited to join OpenAI. Although early adopters of OpenClaw may pose a shadow AI risk in enterprise environments, they also serve as a proof of concept for the agentic enterprise.

    But the agentic enterprise is a security nightmare. Connecting AI to everything creates a flat network that runs counter to the principles of network segmentation and isolation that the security industry has advocated for decades.

    One risk is that AI agents have the ability to execute tasks and make decisions autonomously, but they lack the discernment to avoid harming themselves or their enterprise.

    Many parents have scolded their children by asking, “If everyone jumped off a bridge, would you?” There are numerous examples of AI-induced outages and data leaks that demonstrate AI would jump off a bridge. Therefore, organizations must implement guardrails.

    Another risk is that threat actors are targeting AI. Model poisoning can manipulate training data to corrupt the foundational logic of AI models. Evasion of logic attacks bypasses defensive decision-making algorithms. Autonomous systems create blind spots that humans might miss. AI-powered cyberattacks continuously learn from their failed attempts to improve future attacks.

    It has been estimated that within the next few years, the ratio of humans to agents will increase to 1:100 (or more). That means the typical large enterprise with 10,000 employees will be contending with a million or more agents – the size of a major metropolitan city.

    Organizations should think of managing the agentic enterprise like a major metropolitan city, implementing infrastructure, establishing proactive policies, and governing it with controls.

    The Agentic Detection Gap

    As bad actors reshape the threat landscape with agentic cyberattacks, the defensive paradigm has yet to adapt. In Armis’ 2026 State of Cyberwarfare Report (PDF), 43% of respondents reported that their organization still detects and responds to significant cyberattacks as they happen or after they have already occurred.

    The cybersecurity industry optimizes for detection, but threat actors optimize for avoidance, which means security teams have to focus on finding threats after ingress. Alerts don’t change outcomes – knowing about a breach doesn’t prevent it.

    The speed of adaptation on both offense and defense determines whether a cyberattack will succeed, but currently, the odds favor attackers. It used to take threat actors a week to create exploits when vulnerabilities were disclosed (and even then, patch management struggled to keep pace). Threat actors can now create exploits in minutes by weaponizing agentic coding platforms.

    The irony is that many of the cybersecurity solutions that were developed to address the challenges of legacy technology have now become legacy cybersecurity solutions as well. Cybercriminals have outscaled static rules, periodic assessments, alert generation, and human-in-the-loop processes.

    Organizations have been reluctant to adopt machine automation, but they can no longer afford to delay. At a minimum, cybersecurity requires dynamic threat hunting, continuous monitoring, and proactive exposure management. These are the table stakes today, but what about tomorrow?

    The New Paradigm: From Human vs Human to AI vs. AI

    It should be readily apparent that AI is driving the new paradigm of offense and defense. Speed, scale, and autonomy are redefining the competitive advantage between threat actors and defenders.

    Pragmatically, cybersecurity teams must adapt to this paradigm in a few ways. First, they must move from reactive detection to preemptive protection. Organizations can stop attacks before they happen by operationalizing alert generation into prioritized exposure management.

    Cybersecurity must also follow the AI paradigm shift from disconnected tools and ad hoc manual processes to unified, comprehensive platforms and autonomous action. Here are three principles that can help catalyze that shift.

    When it comes to making big bets, they say the house always wins. Defenders actually do have an advantage over attackers: they know what matters most to their business. Agentic cyberattacks create an asymmetrical advantage in attack speed, but defenders can even the odds by adopting agentic cybersecurity.

    Reply
  11. Tomi Engdahl says:

    Artificial Intelligence
    Meta AI Hands Over High-Profile Instagram Accounts to Hackers

    Exploiting a confused deputy weakness, the hackers simply asked the chatbot to link the account to a new email address.

    https://www.securityweek.com/meta-ai-hands-over-high-profile-instagram-accounts-to-hackers/

    Threat actors compromised multiple high-profile Instagram accounts last week by simply asking Meta’s AI-powered account recovery assistant to hand them over.

    The attackers exploited a logic flaw in the AI assistant, a classic ‘confused deputy’ issue, to have their own email addresses linked to the targeted accounts and take them over.

    Confused deputy weaknesses have been known to security researchers for decades and involve tricking a deputy that has elevated privileges into performing specific actions on the attacker’s behalf.

    In this case, the Meta AI assistant had API access to account management systems, being deployed to help users re-link email addresses, reset passwords, and verify they are the owners of specific accounts.

    Due to the logic flaw, hackers were able to simply ask the chatbot to link a targeted account to a new email address, under the pretense that they had been hacked or that they had lost access to the previously linked email address.

    To bypass Meta’s fraud detection protections, they used VPNs to appear as if they were in the target’s geographic location.

    Reply
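
The confused deputy pattern described in the comment above, as an added example (not from the article, Meta or the commenter): a constructed assistant with API access to account management, first acting on its own privileges and then requiring authority from the requester. All class, function and address names are hypothetical, and the out-of-band challenge is a common mitigation assumed here, not Meta's fix.

```python
import secrets
from dataclasses import dataclass


@dataclass
class Account:
    handle: str
    emails: set  # addresses already verified for this account (constructed data)


class AccountAPI:
    """Hypothetical account-management back end the assistant can call."""

    def __init__(self, accounts):
        self.accounts = {a.handle: a for a in accounts}

    def link_email(self, handle, new_email):
        self.accounts[handle].emails.add(new_email)


class ChallengeStore:
    """One-time tokens delivered to existing contacts, never shown in the chat."""

    def __init__(self):
        self._pending = {}
        self.outbox = []  # (recipients, token) pairs standing in for real e-mail

    def issue(self, account, new_email):
        token = secrets.token_urlsafe(16)
        self._pending[token] = (account.handle, new_email)
        self.outbox.append((sorted(account.emails), token))

    def redeem(self, token, handle, new_email):
        # Single use, and bound to both the account and the requested address.
        return self._pending.pop(token, None) == (handle, new_email)


def naive_assistant(api, handle, new_email):
    # Confused deputy: the call succeeds on the assistant's own privileges.
    # Nothing ties the person in the chat to the account they name.
    api.link_email(handle, new_email)
    return "linked"


def hardened_assistant(api, store, session_user, handle, new_email, token=None):
    # Authority must come from the requester, not from the deputy.
    owner_session = session_user is not None and session_user == handle
    proven = token is not None and store.redeem(token, handle, new_email)
    if owner_session or proven:
        api.link_email(handle, new_email)
        return "linked"
    # Unproven request: notify the existing contacts and change nothing.
    store.issue(api.accounts[handle], new_email)
    return "challenge_sent"
```

The hardened path leaves the account untouched until a token sent to an already verified address comes back, so a persuasive chat message alone carries no authority.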
  12. Tomi Engdahl says:

    Security agencies from the “Five Eyes” alliance which includes the United States and Britain issued a warning about Chinese spies aggressively using online job platforms to recruit people with access to sensitive information. https://cnn.it/4fWMjiT

    #2600net #irc #secnews #huntinghackers

    Reply
