Breaking news and updates from the world of technology.
The extortion group has issued an ultimatum to the healthcare provider, which confirmed unauthorized access to archived patient data from its Iora Health acquisition. No sample data has been released to verify the scope of the claim.
An attacker hijacked a contributor account with publishing rights to the Mastra AI framework's npm organization and republished 144 packages with a typosquatted dependency that deployed a cross-platform infostealer. Any system that ran npm install with a @mastra/* package after June 16 is potentially compromised.
A widespread credential-harvesting operation dubbed 'FortiBleed' has compromised more than 73,000 Fortinet firewall and VPN devices worldwide, with confirmed victims including Accenture, Oracle, Comcast, Samsung, and Siemens.
Cybernews researchers found a publicly accessible Elasticsearch cluster containing 24 billion records and over 8.3 terabytes of infostealer logs — usernames, plaintext passwords, and associated login URLs compiled from at least 36 sources. The database has since been secured.
Attackers published 15 fake AI coding plugins on the JetBrains Marketplace under seven vendor accounts, collectively downloaded nearly 70,000 times. Each plugin silently exfiltrated OpenAI, DeepSeek, and SiliconFlow API keys to an attacker-controlled server.
Varonis security researchers chained three vulnerabilities in Microsoft 365 Copilot Enterprise Search into an attack that exfiltrates emails, passwords, and files with a single click — patched in early June, disclosed publicly June 15.
Chinese cyberespionage group Velvet Ant compromised an isolated critical infrastructure network in 2016 and remained undetected for a decade — by replacing Linux PAM and OpenSSH binaries with backdoored versions that embedded persistent access into the authentication process itself.
Google filed suit in New York on June 12 against Outsider Enterprise, a China-based phishing-as-a-service operation that used Gemini to generate convincing fraud pages impersonating Google, USPS, E-ZPass, and banks. The FBI estimates the group stole 3.87 million credit card numbers and caused $1.9 billion in losses since July 2023. It is the first lawsuit Google has brought against threat actors for weaponizing its own AI.
The ShinyHunters group exploited a critical Oracle PeopleSoft zero-day for a full two weeks before Oracle published any patch, compromising more than 100 organizations and over 300 PeopleSoft instances worldwide. Universities bore the brunt of the attack, with the University of Nottingham among the confirmed victims and data on 455,000 individuals now circulating in leaked datasets.
Microsoft's June 2026 Patch Tuesday is the largest in the company's monthly update history: 200 vulnerabilities patched, 38 rated critical, and six zero-days — three with exploit code already public. Researchers say AI-assisted bug hunting is why, and that this volume may not be a one-time event.
Google and Mandiant confirm the hacking group targeted over 100 organizations — mostly US universities — using an unauthenticated remote code execution flaw with no patch currently available.
CVE-2026-35273 is a CVSS 9.8 unauthenticated remote code execution flaw in Oracle PeopleSoft PeopleTools 8.61 and 8.62 that ShinyHunters is actively exploiting. The University of Nottingham has confirmed a breach; nearly 500,000 student records are exposed. Oracle has issued an emergency out-of-band security alert.