Stay ahead of emerging threats with expert analysis from 137 published security articles, vulnerability reports, and cybersecurity insights — updated daily with the latest CVEs, threat actor campaigns, and security advisories. As of Tuesday, June 9, 2026, the most urgent items for production stacks: the "Miasma" worm has detonated across 73 Microsoft-owned GitHub repositories in an npm supply-chain cascade — a software supply-chain attack means malicious code is planted in a trusted package your developers already install, so it spreads automatically into everything that depends on it — making any team that pulls JavaScript packages from npm a potential downstream victim; audit your dependencies and pin trusted versions now. The Cisco Catalyst SD-WAN Manager zero-day CVE-2026-20245 remains under active exploitation with no patch available yet — restrict management-interface access and watch Cisco's advisory for the fix. Cisco Unified Communications Manager flaw CVE-2026-20230 hands attackers root through a server-side request forgery (SSRF) bug — a server tricked into making attacker-controlled requests — and a working proof-of-concept exploit is already public, so patch now. The Mirasvit Cache Warmer bug CVE-2026-45247 is being used for active remote code execution (RCE — running attacker code on your server) against Magento e-commerce stores. Still carrying forward: the HTTP/2 "Bomb" CVE-2026-49975 lets a single home connection knock NGINX, Apache, IIS, and Cloudflare web servers offline; Palo Alto GlobalProtect authentication-bypass CVE-2026-0257 remains on the CISA Known Exploited Vulnerabilities (KEV) catalog under active exploitation; and the WP Maps Pro WordPress flaw CVE-2026-8732 is still spawning rogue administrator accounts across roughly 15,000 sites. If your business pulls npm packages, or runs Cisco SD-WAN or Unified CM, Magento, a public web server, Palo Alto GlobalProtect, or WordPress with WP Maps Pro, these advisories require action now — start with the article-level remediation steps below.
Shadowserver reports 900+ Sangoma FreePBX instances worldwide remain infected with web shells exploiting CVE-2025-64328 (CVSS 8.6). The INJ3CTOR3 threat actor deploys EncystPHP web shells for command execution and fraudulent outbound calls. US leads with 401 compromised systems.
Zscaler ThreatLabz discovered ScarCruft (APT37) running the "Ruby Jumper" campaign that bridges air-gapped networks using weaponized USB drives. The operation abuses Zoho WorkDrive for C2 and deploys multiple malware families including THUMBSBD, FOOTWINE, and BLUELIGHT for surveillance and data exfiltration.
Read moreAnthropic revealed that DeepSeek, Moonshot AI, and MiniMax ran industrial-scale distillation attacks using 24,000 fraudulent accounts to systematically extract Claude's reasoning, coding, and agentic capabilities across 16 million exchanges. Google disclosed similar attacks on Gemini weeks earlier.
Read moreAmazon Threat Intelligence reveals a Russian-speaking actor with limited skills compromised 600+ FortiGate devices using DeepSeek and Claude. The campaign exploited exposed management interfaces and weak credentials, demonstrating how AI has democratized sophisticated attack capabilities.
Read moreAmazon Threat Intelligence documents a Russian-speaking threat actor who compromised 600+ FortiGate devices across 55 countries using AI-assisted tools. No zero-days were exploited—just exposed management interfaces and weak credentials, with generative AI helping an unsophisticated attacker scale their operations.
Read moreESET researchers discovered PromptSpy, an Android malware that uses Google's Gemini AI to dynamically navigate device interfaces and maintain persistence. The malware sends screen captures to Gemini, which responds with tap instructions, effectively solving Android fragmentation for attackers.
Read moreGoogle released emergency updates to patch CVE-2026-2441, a high-severity use-after-free vulnerability in Chrome's CSS handling that attackers are actively exploiting. All Chromium-based browsers are affected.
Read moreGoogle patches CVE-2026-2441, a high-severity use-after-free in Chrome actively exploited in the wild. This is Chrome first zero-day of 2026. Update immediately.
Read moreSecurity researchers at Koi Security discovered the first known malicious Microsoft Outlook add-in, dubbed AgreeToSteal. Attackers hijacked an abandoned legitimate calendar tool by claiming its orphaned Vercel URL, turning Microsoft's own infrastructure into a phishing delivery mechanism that harvested over 4,000 Microsoft account credentials.
Read moreSmarterTools confirms the Warlock ransomware gang breached their network through a forgotten, unpatched SmarterMail server. The attackers exploited known vulnerabilities (CVE-2026-23760, CVE-2026-24423) to gain access, then moved laterally before deploying ransomware.
Read moreTGR-STA-1030, a state-backed Asian threat group, breached 70+ government and critical infrastructure organizations across 37 countries since January 2024. They exfiltrated financial negotiations, military updates, and banking info using Cobalt Strike, web shells, and eBPF rootkits.
Read moreCloudflare mitigated a record-breaking 31.4 Tbps DDoS attack from the AISURU/Kimwolf botnet, powered by 2 million compromised Android devices. DDoS attacks surged 121% in 2025 with 47.1 million incidents. The botnet spread via trojanized Android apps and fake Windows binaries.
Read moreResearchers discovered DockerDash, a critical vulnerability in Docker Ask Gordon AI feature that lets attackers execute code by hiding malicious instructions in image metadata. The attack exploits blind trust between the AI assistant and MCP Gateway. Patched in Docker Desktop 4.50.0.
Read moreEmail-stealing malware has become a cornerstone of modern espionage and cybercrime. Here's how these tools work, why attackers love them, and what you can do about it.
Read moreRussia's APT28 began exploiting Microsoft Office CVE-2026-21509 just 72 hours after disclosure, targeting Ukraine, Slovakia, and Romania with email-stealing malware and Covenant implants.
Read moreA high-severity Microsoft Office zero-day (CVE-2026-21509) is being actively exploited to bypass security controls designed to block risky COM and OLE content. Successful exploitation requires a user to open a malicious Office document, enabling follow-on payload execution and intrusion activity. Apply Microsoft's out-of-band update immediately or deploy the recommended registry-based mitigation if patching is delayed.
Read moreReact2Shell refers to a newly disclosed set of exploitation paths affecting React Server Components and modern server-side rendering workflows. In vulnerable implementations, attackers may escalate from user-driven application behavior into sensitive server-side execution, data access, or compromise of backend services. Organizations using RSC or SSR patterns should audit server-executed components, reduce dynamic execution paths, and apply strict validation and least-privilege controls.
Read moreOur CyberOne MobileAssess platform performs deep static analysis, source code decompilation, and runtime security testing for iOS and Android apps. From one-time assessments to year-long continuous testing, we find what surface-level scanners miss.
Subscribe to our newsletter and get the latest security insights delivered to your inbox.
