A massive global cybercrime sweep has wrapped up with 5,811 arrests and $293 million in intercepted illicit assets. Operation First Light 2026 ran from January 15 to April 30, 2026, pulling in law enforcement from 97 countries under Interpol's coordination — with funding from China's Ministry of Public Security.
The operation targeted social engineering scams like romance fraud and business email compromise schemes. Authorities froze over 31,000 bank accounts, identified 15,606 suspects, and uncovered 142,000 victims worldwide. One standout bust in Eswatini revealed scammers running a full replica Brazilian police station — fake uniforms and all — to trick victims into transferring money.
Source: Infosecurity Magazine
A massive global cybercrime sweep has wrapped up with 5,811 arrests and $293 million in intercepted illicit assets. Operation First Light 2026 ran from January 15 to April 30, 2026, pulling in law enforcement from 97 countries under Interpol's coordination — with funding from China's Ministry of Public Security.
The operation targeted social engineering scams like romance fraud and business email compromise schemes. Authorities froze over 31,000 bank accounts, identified 15,606 suspects, and uncovered 142,000 victims worldwide. One standout bust in Eswatini revealed scammers running a full replica Brazilian police station — fake uniforms and all — to trick victims into transferring money.
Source: Infosecurity Magazine
A sophisticated phishing campaign is targeting marketing professionals by impersonating major brands like Coca-Cola, Netflix, OpenAI, McKinsey & Company, and Louis Vuitton. First spotted by Team Cymru's Will Thomas, the attackers send personalized job recruitment emails via legitimate HR platform PeopleForce, then route victims through nested redirects — bouncing through Salesforce's ExactTarget and real estate CRM Wise Agent — before landing on a fake Google sign-in page hosted on Netlify.
The multi-hop redirect chain bypasses basic email filters and builds false trust. Over 30 malicious domains have been identified. Password managers and advanced web filtering are recommended defenses.
Source: Dark Reading
A sophisticated phishing campaign is targeting marketing professionals by impersonating major brands like Coca-Cola, Netflix, OpenAI, McKinsey & Company, and Louis Vuitton. First spotted by Team Cymru's Will Thomas, the attackers send personalized job recruitment emails via legitimate HR platform PeopleForce, then route victims through nested redirects — bouncing through Salesforce's ExactTarget and real estate CRM Wise Agent — before landing on a fake Google sign-in page hosted on Netlify.
The multi-hop redirect chain bypasses basic email filters and builds false trust. Over 30 malicious domains have been identified. Password managers and advanced web filtering are recommended defenses.
Source: Dark Reading
Cybersecurity firm Sysdig has documented what it calls the first agentic ransomware attack — where an AI agent autonomously managed an entire extortion operation from start to finish. The late June 2026 attack, attributed to a financially motivated group called JadePuffer, exploited a Langflow vulnerability to reach a MySQL and Alibaba Nacos production server.
The AI agent ran over 600 payloads, self-corrected errors in 31 seconds, and tapped models from OpenAI, Anthropic, DeepSeek, and Gemini. A human still set up the infrastructure, but the AI handled the heavy lifting. "The skill floor for running a full ransomware operation just dropped," warned Sysdig's Michael Clark.
Source: CyberScoop
Cybersecurity firm Sysdig has documented what it calls the first agentic ransomware attack — where an AI agent autonomously managed an entire extortion operation from start to finish. The late June 2026 attack, attributed to a financially motivated group called JadePuffer, exploited a Langflow vulnerability to reach a MySQL and Alibaba Nacos production server.
The AI agent ran over 600 payloads, self-corrected errors in 31 seconds, and tapped models from OpenAI, Anthropic, DeepSeek, and Gemini. A human still set up the infrastructure, but the AI handled the heavy lifting. "The skill floor for running a full ransomware operation just dropped," warned Sysdig's Michael Clark.
Source: CyberScoop
Security researchers at Push Security have uncovered a new attack where hackers create fake OpenAI organizations — impersonating real companies — and send employees legitimate-looking invitations straight from OpenAI's own notification system. One click joins the victim to an attacker-controlled tenant with zero additional verification.
Once inside, anything the employee does — prompts, uploaded files, API calls — is visible to the attacker. The fake org even had a credit card attached to avoid suspicion. No spoofed domains, no malicious links. Just a trusted platform being weaponized against its own users.
Source: Cybersecurity News
Security researchers at Push Security have uncovered a new attack where hackers create fake OpenAI organizations — impersonating real companies — and send employees legitimate-looking invitations straight from OpenAI's own notification system. One click joins the victim to an attacker-controlled tenant with zero additional verification.
Once inside, anything the employee does — prompts, uploaded files, API calls — is visible to the attacker. The fake org even had a credit card attached to avoid suspicion. No spoofed domains, no malicious links. Just a trusted platform being weaponized against its own users.
Source: Cybersecurity News
A newly discovered threat group called "Armored Likho" is targeting government agencies and critical infrastructure across Russia, Brazil, and Kazakhstan using spear-phishing emails disguised as official government or social assistance communications.
Their main weapon is a Python-based infostealer dubbed "BusySnake" — capable of stealing passwords, cookies, cryptographic keys, and Telegram session data, while also opening backdoor access via reverse SSH tunnels. Notably, Kaspersky researchers found evidence the attackers used AI language models to generate early-stage payloads, speeding up attack development. The group's nation-state affiliation remains unconfirmed.
Source: Dark Reading
A newly discovered threat group called "Armored Likho" is targeting government agencies and critical infrastructure across Russia, Brazil, and Kazakhstan using spear-phishing emails disguised as official government or social assistance communications.
Their main weapon is a Python-based infostealer dubbed "BusySnake" — capable of stealing passwords, cookies, cryptographic keys, and Telegram session data, while also opening backdoor access via reverse SSH tunnels. Notably, Kaspersky researchers found evidence the attackers used AI language models to generate early-stage payloads, speeding up attack development. The group's nation-state affiliation remains unconfirmed.
Source: Dark Reading
North Korean hackers have been quietly compromising open source software since December 2025 in a campaign called PolinRider. Linked to the broader Contagious Interview operation, the attackers hijack legitimate GitHub maintainer accounts, inject obfuscated JavaScript loaders into real repositories, and use Git history rewriting to make the changes look old. The malware drops two payloads: the DEV#POPPER RAT and OmniStealer. So far, 162 malicious artifacts across 108 packages have been found on NPM, Packagist, Go modules, and Chrome extensions. Any developer who installed an affected package should assume their environment is compromised and remediate from a clean machine.
Source: SecurityWeek
North Korean hackers have been quietly compromising open source software since December 2025 in a campaign called PolinRider. Linked to the broader Contagious Interview operation, the attackers hijack legitimate GitHub maintainer accounts, inject obfuscated JavaScript loaders into real repositories, and use Git history rewriting to make the changes look old. The malware drops two payloads: the DEV#POPPER RAT and OmniStealer. So far, 162 malicious artifacts across 108 packages have been found on NPM, Packagist, Go modules, and Chrome extensions. Any developer who installed an affected package should assume their environment is compromised and remediate from a clean machine.
Source: SecurityWeek
A critical zero-day vulnerability in the LiteSpeed cPanel user-end plugin is being actively exploited, threatening shared hosting environments globally. Tracked as CVE-2026-54420, the flaw lets attackers with limited access — like stolen FTP credentials — escalate privileges all the way to root, breaking tenant isolation and potentially exposing every site on a shared server.
Namecheap researchers discovered the issue after spotting suspicious API call patterns, specifically rapid concurrent chaining of the generateEcCert and packageUserSize functions. LiteSpeed patched it in cPanel plugin version 2.4.8 on June 1, 2026. Admins should update immediately or remove the user-end plugin as a stopgap.
Source: Cybersecurity News
A critical zero-day vulnerability in the LiteSpeed cPanel user-end plugin is being actively exploited, threatening shared hosting environments globally. Tracked as CVE-2026-54420, the flaw lets attackers with limited access — like stolen FTP credentials — escalate privileges all the way to root, breaking tenant isolation and potentially exposing every site on a shared server.
Namecheap researchers discovered the issue after spotting suspicious API call patterns, specifically rapid concurrent chaining of the generateEcCert and packageUserSize functions. LiteSpeed patched it in cPanel plugin version 2.4.8 on June 1, 2026. Admins should update immediately or remove the user-end plugin as a stopgap.
Source: Cybersecurity News
A newly discovered Linux kernel vulnerability called "Bad Epoll" (CVE-2026-46242) lets unprivileged local users gain full root access on Linux servers, desktops, and Android devices. The flaw exploits a race condition and use-after-free bug in the kernel's epoll subsystem — a core component that can't be disabled without breaking the OS.
Researcher Jaeyoung Chung found and exploited the bug, submitting it to Google's kernelCTF program, which pays $71,337+ for working kernel exploits. The exploit achieves roughly 99% reliability and can even be chained with a Chrome renderer exploit for full kernel code execution. No workaround exists — patching is the only fix.
Source: Cybersecurity News
A newly discovered Linux kernel vulnerability called "Bad Epoll" (CVE-2026-46242) lets unprivileged local users gain full root access on Linux servers, desktops, and Android devices. The flaw exploits a race condition and use-after-free bug in the kernel's epoll subsystem — a core component that can't be disabled without breaking the OS.
Researcher Jaeyoung Chung found and exploited the bug, submitting it to Google's kernelCTF program, which pays $71,337+ for working kernel exploits. The exploit achieves roughly 99% reliability and can even be chained with a Chrome renderer exploit for full kernel code execution. No workaround exists — patching is the only fix.
Source: Cybersecurity News
A supply chain attack on market intelligence platform Klue has hit cybersecurity firms Huntress and Recorded Future, among others. Starting June 11, hackers accessed Klue's backend servers and harvested OAuth tokens, then abused the Salesforce REST API to pull large volumes of CRM data — including nearly 1,000 queries in just 15 minutes.
Stolen data from both firms includes business contacts, price quotes, and contract information. No threat intelligence, passwords, or payment data was compromised. Huntress has linked the attack to Icarus, an extortion group that emerged in April 2026, after receiving direct extortion messages from a threat actor identifying as "mr bean."
Source: SecurityWeek
A supply chain attack on market intelligence platform Klue has hit cybersecurity firms Huntress and Recorded Future, among others. Starting June 11, hackers accessed Klue's backend servers and harvested OAuth tokens, then abused the Salesforce REST API to pull large volumes of CRM data — including nearly 1,000 queries in just 15 minutes.
Stolen data from both firms includes business contacts, price quotes, and contract information. No threat intelligence, passwords, or payment data was compromised. Huntress has linked the attack to Icarus, an extortion group that emerged in April 2026, after receiving direct extortion messages from a threat actor identifying as "mr bean."
Source: SecurityWeek
Security researchers at HawkTrace have disclosed a high-severity SSRF vulnerability in Microsoft Exchange, tracked as CVE-2026-45504 with a CVSS score of 8.8. The flaw lets authenticated low-privileged users read arbitrary files from on-premises Exchange servers — think credentials, config files, and internal service data.
The attack exploits how Exchange handles attachment previews via its OneDriveProUtilities component, passing user-controlled URLs into HTTP requests without proper validation. A simple file:// URI with a fragment character (#) bypasses protections entirely.
A working PoC is now live on GitHub, making patching urgent. Organizations should apply Microsoft's updates and block Exchange from reaching untrusted external endpoints immediately.
Source: Cybersecurity News
Security researchers at HawkTrace have disclosed a high-severity SSRF vulnerability in Microsoft Exchange, tracked as CVE-2026-45504 with a CVSS score of 8.8. The flaw lets authenticated low-privileged users read arbitrary files from on-premises Exchange servers — think credentials, config files, and internal service data.
The attack exploits how Exchange handles attachment previews via its OneDriveProUtilities component, passing user-controlled URLs into HTTP requests without proper validation. A simple file:// URI with a fragment character (#) bypasses protections entirely.
A working PoC is now live on GitHub, making patching urgent. Organizations should apply Microsoft's updates and block Exchange from reaching untrusted external endpoints immediately.
Source: Cybersecurity News