Supply Chain Attack
A compromised Red Hat employee GitHub account pushed a new 'Miasma' build of the Mini Shai-Hulud worm into 32 Cloud Services npm packages. Red Hat says the code was internal-only and never reached customers; any pipeline that installed a poisoned version should rotate its secrets.
Vulnerabilities
Google's June 2026 Android update fixes CVE-2025-48595, an Android Framework integer overflow that Google says may be under limited, targeted exploitation. Because the Framework is the API layer every app touches, the flaw can hand an attacker complete control of an unpatched device.
Malware
Unit 42 documented Operation FlutterBridge, a macOS malvertising campaign that uses hundreds of Google-verified ads to drop FlutterShell — a new backdoor built with Google's Flutter framework that adds shell execution, file manipulation and AI-summarization-based exfiltration to adware.
Artificial Intelligence (AI)
Sophos documented a threat actor using AI agents — including a Claude Opus 4.5 coordinator — to run a lab testing malware against Sophos, CrowdStrike and Microsoft Defender. Notably, the lab's own claims of rising evasion success were not borne out by Sophos's data.
Mobile Security
A single debug setting left enabled in Microsoft's Android Office apps — Word, Excel, PowerPoint, OneNote, Loop and Microsoft 365 Copilot — let any other app on the same device read Microsoft account tokens, per a SecurityWeek exclusive. Microsoft has patched the flaws.
Artificial Intelligence (AI)
Attackers seized high-profile Instagram accounts by exploiting a 'confused deputy' flaw in Meta's AI support bot: they asked it to bind a new email, the bot sent the one-time code to the attacker, and the owner was locked out. Meta has pushed an emergency hotfix.
Vulnerabilities
Belgium's national cybersecurity authority warned on May 29 that CVE-2026-41089, a critical pre-auth buffer-overflow RCE in Windows Netlogon, is now being exploited against unpatched domain controllers. Microsoft patched the flaw in its May 12 Patch Tuesday release.
Nation-State Cyber Threats
Seqrite Labs disclosed Operation Dragon Weave, a China-aligned cyber-espionage campaign delivering an AdaptixC2 agent against government, research, academic, technology, and financial-services targets in the Czech Republic and Taiwan via spear-phishing ZIPs.
Vulnerabilities
CVE-2026-8732, a CVSS 9.8 flaw in the WP Maps Pro WordPress plugin, lets any unauthenticated attacker mint an administrator account on 15,000 affected sites. Wordfence blocked 2,858 exploitation attempts in a single 24-hour window. Patch is in v6.1.1.
Nation-State Cyber Threats
Sekoia documented an FSB-linked Gamaredon campaign whose GammaWorm hides fileless VBScript modules inside NTFS Alternate Data Streams to spy on Ukrainian government, military, and critical-infrastructure targets while leaving almost no trace on disk.
Supply Chain Attack
The npm package codexui-android, a remote web UI for OpenAI Codex with 29,000 weekly downloads, has been exfiltrating users' Codex authentication tokens to an attacker server for the past month. The package is still live on npm.
Password Security
Dashlane confirmed that an external party brute-forced the token check on its new-device-registration flow, and the company's automatic protections suspended targeted accounts. The lockout is the protection working — the news is what attackers went after.