Ticker feed
A supply chain attack on market intelligence platform Klue has hit cybersecurity firms Huntress and Recorded Future, among others. Starting June 11, hackers accessed Klue's backend servers and harvested OAuth tokens, then abused the Salesforce REST API to pull large volumes of CRM data — including nearly 1,000 queries in just 15 minutes.
Stolen data from both firms includes business contacts, price quotes, and contract information. No threat intelligence, passwords, or payment data was compromised. Huntress has linked the attack to Icarus, an extortion group that emerged in April 2026, after receiving direct extortion messages from a threat actor identifying as "mr bean."
Source: SecurityWeek
A supply chain attack on market intelligence platform Klue has hit cybersecurity firms Huntress and Recorded Future, among others. Starting June 11, hackers accessed Klue's backend servers and harvested OAuth tokens, then abused the Salesforce REST API to pull large volumes of CRM data — including nearly 1,000 queries in just 15 minutes.
Stolen data from both firms includes business contacts, price quotes, and contract information. No threat intelligence, passwords, or payment data was compromised. Huntress has linked the attack to Icarus, an extortion group that emerged in April 2026, after receiving direct extortion messages from a threat actor identifying as "mr bean."
Source: SecurityWeek
Security researchers at HawkTrace have disclosed a high-severity SSRF vulnerability in Microsoft Exchange, tracked as CVE-2026-45504 with a CVSS score of 8.8. The flaw lets authenticated low-privileged users read arbitrary files from on-premises Exchange servers — think credentials, config files, and internal service data.
The attack exploits how Exchange handles attachment previews via its OneDriveProUtilities component, passing user-controlled URLs into HTTP requests without proper validation. A simple file:// URI with a fragment character (#) bypasses protections entirely.
A working PoC is now live on GitHub, making patching urgent. Organizations should apply Microsoft's updates and block Exchange from reaching untrusted external endpoints immediately.
Source: Cybersecurity News
Security researchers at HawkTrace have disclosed a high-severity SSRF vulnerability in Microsoft Exchange, tracked as CVE-2026-45504 with a CVSS score of 8.8. The flaw lets authenticated low-privileged users read arbitrary files from on-premises Exchange servers — think credentials, config files, and internal service data.
The attack exploits how Exchange handles attachment previews via its OneDriveProUtilities component, passing user-controlled URLs into HTTP requests without proper validation. A simple file:// URI with a fragment character (#) bypasses protections entirely.
A working PoC is now live on GitHub, making patching urgent. Organizations should apply Microsoft's updates and block Exchange from reaching untrusted external endpoints immediately.
Source: Cybersecurity News
Texas Parks and Wildlife Department is offering free credit monitoring to over 3 million Texans after a cybersecurity breach exposed personal data from the state's hunting and fishing license system. Texas Cyber Command detected the incident at a third-party licensing vendor.
Compromised data includes driver's license numbers, passport numbers, email addresses, phone numbers, and home addresses. No Social Security numbers, financial data, or minors' records were affected. License sales remain unaffected.
Impacted residents can enroll in one year of free Kroll credit monitoring until September 14, 2026. Support is available at (844) 959-7123, weekdays 8 a.m.–5:30 p.m.
Source: CBS News Texas
Texas Parks and Wildlife Department is offering free credit monitoring to over 3 million Texans after a cybersecurity breach exposed personal data from the state's hunting and fishing license system. Texas Cyber Command detected the incident at a third-party licensing vendor.
Compromised data includes driver's license numbers, passport numbers, email addresses, phone numbers, and home addresses. No Social Security numbers, financial data, or minors' records were affected. License sales remain unaffected.
Impacted residents can enroll in one year of free Kroll credit monitoring until September 14, 2026. Support is available at (844) 959-7123, weekdays 8 a.m.–5:30 p.m.
Source: CBS News Texas
Cybersecurity firm Sophos is warning of a dangerous new partnership between ransomware group Vect and TeamPCP, a credential-theft gang tied to the English-speaking Com collective. The collaboration, detailed in a July 2 blog post, combines TeamPCP's large-scale supply chain attacks with Vect's ransomware-as-a-service operation.
The threat is real — Sophos confirmed at least one Vect ransomware deployment using TeamPCP-stolen credentials. In March 2026, TeamPCP compromised 10,000 CI/CD workflows and stole over 500,000 login credentials via Aqua Security's Trivy scanner. The FBI issued a simultaneous FLASH warning, flagging TeamPCP malware including CanisterWorm, Sandclock, and the self-replicating worm Mini Shai-Hulud.
Source: Infosecurity Magazine
Cybersecurity firm Sophos is warning of a dangerous new partnership between ransomware group Vect and TeamPCP, a credential-theft gang tied to the English-speaking Com collective. The collaboration, detailed in a July 2 blog post, combines TeamPCP's large-scale supply chain attacks with Vect's ransomware-as-a-service operation.
The threat is real — Sophos confirmed at least one Vect ransomware deployment using TeamPCP-stolen credentials. In March 2026, TeamPCP compromised 10,000 CI/CD workflows and stole over 500,000 login credentials via Aqua Security's Trivy scanner. The FBI issued a simultaneous FLASH warning, flagging TeamPCP malware including CanisterWorm, Sandclock, and the self-replicating worm Mini Shai-Hulud.
Source: Infosecurity Magazine
The threat actors behind FortiBleed — a massive credential-harvesting campaign targeting Fortinet FortiGate firewalls — are now confirmed working with Inc Ransom and Lynx ransomware gangs. SOCRadar researchers caught a single operator logged into both groups' ransom negotiation panels while using infrastructure tied directly to FortiBleed.
The campaign has compromised roughly 12,000 active FortiGate devices, with credentials stolen from over 30,000. Of 409 targets where attackers gained admin access, 354 saw the full attack chain executed — VPN breach, domain controller access, domain admin. At least 12 ransomware deployments have been confirmed. SOCRadar also flagged an unpatched Nextcloud zero-day being actively exploited by the same group.
Source: Dark Reading
The threat actors behind FortiBleed — a massive credential-harvesting campaign targeting Fortinet FortiGate firewalls — are now confirmed working with Inc Ransom and Lynx ransomware gangs. SOCRadar researchers caught a single operator logged into both groups' ransom negotiation panels while using infrastructure tied directly to FortiBleed.
The campaign has compromised roughly 12,000 active FortiGate devices, with credentials stolen from over 30,000. Of 409 targets where attackers gained admin access, 354 saw the full attack chain executed — VPN breach, domain controller access, domain admin. At least 12 ransomware deployments have been confirmed. SOCRadar also flagged an unpatched Nextcloud zero-day being actively exploited by the same group.
Source: Dark Reading
Aflac has disclosed a significant data breach at its Japanese subsidiary, affecting nearly 4.4 million customers. Hackers accessed Aflac Japan's systems between June 15 and June 25, stealing policy details, personal information, and bank account data — including premium payment records for around 230,000 customers.
The company filed with the SEC on June 30, confirming US operations were unaffected. Some customer portal services remain offline, though claims and payments continue via call centers. Aflac Japan has notified authorities and says no misuse has been confirmed yet.
This marks the third breach targeting Aflac Japan since 2023.
Source: Infosecurity Magazine
Aflac has disclosed a significant data breach at its Japanese subsidiary, affecting nearly 4.4 million customers. Hackers accessed Aflac Japan's systems between June 15 and June 25, stealing policy details, personal information, and bank account data — including premium payment records for around 230,000 customers.
The company filed with the SEC on June 30, confirming US operations were unaffected. Some customer portal services remain offline, though claims and payments continue via call centers. Aflac Japan has notified authorities and says no misuse has been confirmed yet.
This marks the third breach targeting Aflac Japan since 2023.
Source: Infosecurity Magazine
Two critical vulnerabilities in Cursor IDE — the AI coding tool used by over half of Fortune 500 companies — can give attackers full remote code execution without any user interaction. Discovered by Cato AI Labs and dubbed "DuneSlide," both flaws carry a 9.8 CVSS score (CVE-2026-50548 and CVE-2026-50549).
The attack works through prompt injection: a victim simply types a normal prompt that accidentally pulls in attacker-controlled content — from a poisoned web search or rogue MCP server. From there, attackers can overwrite core sandbox binaries and compromise both the local machine and connected SaaS workspaces.
Cato says more disclosures are coming across other AI coding agents.
Source: Cybersecurity News
Two critical vulnerabilities in Cursor IDE — the AI coding tool used by over half of Fortune 500 companies — can give attackers full remote code execution without any user interaction. Discovered by Cato AI Labs and dubbed "DuneSlide," both flaws carry a 9.8 CVSS score (CVE-2026-50548 and CVE-2026-50549).
The attack works through prompt injection: a victim simply types a normal prompt that accidentally pulls in attacker-controlled content — from a poisoned web search or rogue MCP server. From there, attackers can overwrite core sandbox binaries and compromise both the local machine and connected SaaS workspaces.
Cato says more disclosures are coming across other AI coding agents.
Source: Cybersecurity News
Security firm Adversa AI has found a structural flaw — dubbed GuardFall — affecting 10 of 11 popular open source AI coding agents, including Hermes, OpenCode, and Roo-code. The issue lets attackers embed old-school Bash tricks like quote removal and $IFS spacing into content agents ingest, such as a poisoned README or Makefile. Once inside, those commands can silently steal AWS credentials or wipe dev environments, running with the developer's full account authority.
Only one agent, Continue, successfully blocked all test bypasses. Adversa recommends maintainers adopt a tokenize-and-canonicalize evaluator guard — the approach Continue uses — rather than relying on pattern-based text matching that Bash simply rewrites around.
Source: SecurityWeek
Security firm Adversa AI has found a structural flaw — dubbed GuardFall — affecting 10 of 11 popular open source AI coding agents, including Hermes, OpenCode, and Roo-code. The issue lets attackers embed old-school Bash tricks like quote removal and $IFS spacing into content agents ingest, such as a poisoned README or Makefile. Once inside, those commands can silently steal AWS credentials or wipe dev environments, running with the developer's full account authority.
Only one agent, Continue, successfully blocked all test bypasses. Adversa recommends maintainers adopt a tokenize-and-canonicalize evaluator guard — the approach Continue uses — rather than relying on pattern-based text matching that Bash simply rewrites around.
Source: SecurityWeek
AWS has patched a high-severity bug in the Amazon Q Developer extension for Visual Studio Code that could let attackers steal cloud credentials just by getting a developer to open a malicious repository. Tracked as CVE-2026-12957 and discovered by Wiz Research, the flaw allowed Amazon Q to automatically load and execute MCP server configurations without user approval — silently, before any code review happened.
Because spawned processes inherited the developer's full environment, attackers could grab AWS credentials, API keys, and SSH secrets. The fix landed in Language Server version 1.65.0. Similar MCP-related vulnerabilities have also been found in Claude Code, Cursor, and Windsurf.
Source: Dark Reading
AWS has patched a high-severity bug in the Amazon Q Developer extension for Visual Studio Code that could let attackers steal cloud credentials just by getting a developer to open a malicious repository. Tracked as CVE-2026-12957 and discovered by Wiz Research, the flaw allowed Amazon Q to automatically load and execute MCP server configurations without user approval — silently, before any code review happened.
Because spawned processes inherited the developer's full environment, attackers could grab AWS credentials, API keys, and SSH secrets. The fix landed in Language Server version 1.65.0. Similar MCP-related vulnerabilities have also been found in Claude Code, Cursor, and Windsurf.
Source: Dark Reading
The hacking group ShinyHunters has claimed responsibility for a major cyber-attack on the University of Nottingham, confirmed on June 10. Around 455,000 email addresses were compromised, with roughly 40 gigabytes of data stolen from the university's student record system.
Stolen data includes passport numbers, national insurance numbers, dates of birth, financial details, and ethnicity — affecting both current students and alumni. Experts believe the attack was likely a supply chain breach through a third-party platform, though voice phishing remains possible.
The university refused to pay the ransom, so the data was published. EMSOU's Regional Cyber Crime Unit is now investigating. Affected individuals should enable multi-factor authentication and stay alert to unexpected phone calls.
Source: BBC News
The hacking group ShinyHunters has claimed responsibility for a major cyber-attack on the University of Nottingham, confirmed on June 10. Around 455,000 email addresses were compromised, with roughly 40 gigabytes of data stolen from the university's student record system.
Stolen data includes passport numbers, national insurance numbers, dates of birth, financial details, and ethnicity — affecting both current students and alumni. Experts believe the attack was likely a supply chain breach through a third-party platform, though voice phishing remains possible.
The university refused to pay the ransom, so the data was published. EMSOU's Regional Cyber Crime Unit is now investigating. Affected individuals should enable multi-factor authentication and stay alert to unexpected phone calls.
Source: BBC News