Threat Intelligence
Meta Files Federal Contempt Motion Against NSO Group Over Alleged WhatsApp Targeting
Meta's contempt filing tests whether court-ordered restrictions are effectively binding on a commercial spyware vendor.
Actionable insights into the global threat landscape. Analysis of TTPs, Indicators of Compromise (IoCs), and emerging attack patterns.
Supply Chain Attack
Another package-poisoning incident lands across a language registry, reinforcing the case for default-behavior reform that GitHub has now begun applying to npm.
Cybersecurity 101
A complete guide to threat intelligence and threat actors — the four types of CTI, the major actor categories, the intelligence lifecycle, and the frameworks defenders use.
Vulnerabilities
Cisco warns that CVE-2026-20245, a zero-day in Catalyst SD-WAN Manager, is being exploited to gain root, with no patch available. Exploitation needs netadmin access — obtainable by chaining CVE-2026-20182 — making it Cisco's seventh exploited SD-WAN zero-day of 2026.
Data Breaches
DentaQuest, a Sun Life dental-benefits administrator serving 35 million people, confirmed a breach of 2.6 million accounts after ShinyHunters leaked about 234 GB of data — including names, dates of birth, Medicaid IDs and health-insurance information.
Nation-State Cyber Threats
ReliaQuest disclosed OP-512, a previously unreported, China-linked espionage cluster that plants a custom three-web-shell framework on Microsoft IIS servers — the fourth such group to target IIS in a year. For anyone running IIS, it is a prompt to go hunting.
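A generic starting point for that hunt, added here as an example and not ReliaQuest's or OP-512's own detection logic (the blurb gives no indicators, so none are used): flag server-side scripts under an IIS site's physical path that combine two or more code-execution primitives typical of ASPX/ASHX web shells, then correlate them with POST requests in the site's W3C logs. The directory layout, file contents and log lines below are constructed for the demo.

```python
"""Generic IIS web-shell hunt: suspicious scripts + POSTs to them in W3C logs.

Added example. The sample web root and log lines are constructed inline;
the regex lists common ASP.NET execution primitives, not OP-512 indicators.
"""
import re
import tempfile
from pathlib import Path

# Primitives that rarely appear together in legitimate page code.
SHELL_PATTERNS = re.compile(
    r'(Process\.Start|ProcessStartInfo|cmd\.exe|Eval\(|Request\.Form\['
    r'|Request\["[^"]+"\]|Assembly\.Load|System\.Reflection'
    r'|Convert\.FromBase64String)',
    re.IGNORECASE,
)
SCRIPT_EXTS = {".aspx", ".ashx", ".asmx", ".asp"}


def scan_webroot(root):
    """Return {uri_path: [matched primitives]} for scripts with >= 2 hits.

    A single primitive (e.g. Request["q"]) is common in benign code, so the
    threshold is two distinct primitives in one file.
    """
    hits = {}
    for path in Path(root).rglob("*"):
        if path.suffix.lower() not in SCRIPT_EXTS:
            continue
        text = path.read_text(errors="ignore")
        found = sorted({m.group(0) for m in SHELL_PATTERNS.finditer(text)})
        if len(found) >= 2:
            hits["/" + path.relative_to(root).as_posix()] = found
    return hits


def parse_w3c(lines):
    """Parse IIS W3C extended log lines using the #Fields: directive."""
    fields, rows = None, []
    for line in lines:
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.startswith("#") or not line.strip() or fields is None:
            continue
        else:
            rows.append(dict(zip(fields, line.split())))
    return rows


def correlate(hits, rows):
    """POST requests to flagged scripts as (client ip, uri, status)."""
    flagged = {uri.lower() for uri in hits}
    return [
        (r["c-ip"], r["cs-uri-stem"], r["sc-status"])
        for r in rows
        if r.get("cs-method") == "POST"
        and r.get("cs-uri-stem", "").lower() in flagged
    ]


# --- constructed sample data ------------------------------------------------
SAMPLE_FILES = {
    # Benign page: one primitive only, must not be flagged.
    "search.aspx": '<%@ Page Language="C#" %>\n<% Response.Write(Request["q"]); %>\n',
    # Web-shell-like page dropped in a path that blends in with IIS defaults.
    "aspnet_client/system_web/cache.aspx": (
        '<%@ Page Language="C#" %>\n'
        '<% string c = Request.Form["cmd"];\n'
        '   var p = new System.Diagnostics.ProcessStartInfo("cmd.exe", "/c " + c);\n'
        '   System.Diagnostics.Process.Start(p); %>\n'
    ),
    "robots.txt": "User-agent: *\n",  # non-script, ignored by the scan
}
SAMPLE_LOG = [
    "#Software: Microsoft Internet Information Services 10.0",
    "#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip sc-status",
    "2026-06-01 10:00:01 10.0.0.5 GET /default.aspx - 443 203.0.113.7 200",
    "2026-06-01 10:00:09 10.0.0.5 POST /aspnet_client/system_web/cache.aspx - 443 203.0.113.7 200",
    "2026-06-01 10:00:10 10.0.0.5 POST /search.aspx q=test 443 198.51.100.2 200",
]


def run_demo():
    """Build the sample web root, run both checks, return (hits, posts)."""
    with tempfile.TemporaryDirectory() as root:
        for rel, body in SAMPLE_FILES.items():
            p = Path(root) / rel
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_text(body)
        hits = scan_webroot(root)
        posts = correlate(hits, parse_w3c(SAMPLE_LOG))
    return hits, posts


if __name__ == "__main__":
    flagged, requests = run_demo()
    for uri, prims in flagged.items():
        print(f"[script] {uri}: {', '.join(prims)}")
    for ip, uri, status in requests:
        print(f"[post]   {ip} -> {uri} ({status})")
```

On a real host, point `scan_webroot` at each site's physical path (from `Get-Website` or `%SystemDrive%\inetpub\wwwroot`) and `parse_w3c` at the files under `%SystemDrive%\inetpub\logs\LogFiles`; a flagged script that also receives POSTs from few source IPs is worth pulling for review before anything else.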
Cyber Attacks
Hunt.io found that a threat actor called PCPJack hijacked about 230 AWS, Google Cloud and Azure servers into a covert SMTP relay network — quietly converting business servers into verified mail proxies synced to a downstream consumer every five minutes.
Phishing
Days before the June 11 kickoff, the FBI and researchers warn that FIFA World Cup 2026 fraud is already live — thousands of lookalike FIFA domains, banking malware hidden in pirate streaming apps, and login pages cloned well enough to take over real accounts.
Supply Chain Attack
Three disclosures this cycle share one thesis: attackers borrowing the trust of legitimate channels. A Rust-written npm worm (IronWorm), a cryptominer slipped into Hola Browser, and a Magecart skimmer hosted inside Stripe each hide in traffic defenders are inclined to allow.
Artificial Intelligence (AI)
Two Mythos threads landed this cycle: TechCrunch reports the NSA is said to be readying Anthropic's Mythos for cyber operations despite a federal restriction, while Anthropic published an analysis of 832 accounts banned for malicious cyber activity, mapped to MITRE ATT&CK.
Vulnerabilities
Cisco patched CVE-2026-20230, an unauthenticated server-side request forgery flaw in Unified Communications Manager that lets a network attacker write files and escalate to root. Public proof-of-concept code is already out; Cisco's PSIRT reports no in-the-wild exploitation yet.
Vulnerabilities
Two vulnerabilities disclosed this cycle were found by AI tooling: HTTP/2 Bomb (CVE-2026-49975), a remote DoS that crashes NGINX, Apache, IIS, Envoy and Cloudflare Pingora in default config, and CVE-2026-23479, a two-year-old authenticated RCE in Redis.