GitHub disables Microsoft repos pushing password-stealing malware
Microsoft removed 73 repositories across its Azure, microsoft, Azure-Samples, and MicrosoftDocs organizations on GitHub, disrupting continuous integration pipelines. [...]
Public LLM models with safeguards turned off can also build working exploits, increasing patch gap risks.
If you have been working with Docker secrets locally, you may have noticed two commands that sound...
Veeam has released security updates to patch a critical Backup & Replication security flaw that can be exploited to gain remote code execution (RCE) on domain-joined backup servers. [...]
Per-message key rotation, KDF chains, and the three different ways I ended up storing ephemeral keys because chat and file transfer want different things. Part 4 of the Anyhide series.
Context engineering matters for two reasons: reliability and cost. If your agent's context window is...
Anyone who can file an issue on your GitHub repo can now leak your CI/CD secrets. No code, no...
A malicious website can work out which sites you visit and which apps you open, using nothing but JavaScript and the timing of your SSD. The attack, called FROST, needs no native code, no extension, and no permission prompt.
The latest attacks, which hit 37 PyPI wheels and 19 code packages, show a continued evolution of the persistent software supply chain threat.
In December 2025, Australia became the first country to ban under-16s from social media. Ten...
Lawmakers in both houses of Congress are demanding answers from the U.S. Cybersecurity & Infrastructure Security Agency (CISA) after KrebsOnSecurity reported this week that a CISA contractor intentionally published AWS GovCloud keys and a vast trove of other agency secrets on a.
Courses Build cyber prowess with training from renowned experts Ways to Train Multiple training options to best fit your schedule and preferred learning style
Until this past weekend, a contractor for the Cybersecurity & Infrastructure Security Agency (CISA) maintained a public GitHub repository that exposed credentials to several highly privileged AWS GovCloud accounts and a large number of internal CISA systems. Security experts said the public.
This week, we look at how familiar API security failures — authentication bypasses, missing input validation allowing old school attacks like SQL injections — continue to surface across enterprise platforms and critical infrastructure. From exposed supply-chain APIs to identity-layer weaknesses and unauthenticated.
This week, we look at how long-standing API security failures are being amplified by automation, AI, and increasingly aggressive exploitation timelines. From agentic AI vulnerabilities in ServiceNow to authentication bypasses actively exploited in SmarterMail and Fortinet infrastructure, this issue highlights how broken.
Welcome to this first edition of the APIsecurity newsletter for 2026, I’m Philippe Leothaud, CTO and co-founder of 42Crunch, and your new Newsletter Editor. I’d like to thank Anthony Lonergan for the excellent work he’s done over the years building this newsletter.
This week, in our final 2025 issue of APISecurity.io, we look back at the five most frequent API vulnerabilities covered in the newsletter over the past 12 months. These issues highlight common mistakes teams make in API development and can help to.
This week, we share news of API vulnerabilities affecting Avelo Airlines, WhatsApp, and Oracle, and an incident notification from OpenAI to API developers about potential information exposure. We also highlight a new survey from F5 on the role of API security in.
Two separate campaigns target CVE-2025-8088, fixed last July, to conduct data theft and cyberespionage against military and government targets in Ukraine.
Atsign’s AI Architect applies cryptographic protections to agentic software development, aiming to prevent attackers from exploiting vulnerabilities by making application identities effectively invisible.
Two Russia-aligned cyber attack campaigns have continued to exploit a security flaw in WinRAR to target Ukrainian organisations, almost a year after patches for the vulnerability were released. The activity has been attributed by Trend Micro to Earth Dahu (aka Gamaredon) and.
University of Toronto researchers have built and tested a proof-of-concept AI-driven computer worm that uses a locally hosted open-weight large language model to reason its way through a network, generate tailored attack strategies for each target it encounters, and replicate itself, all.
The most recent variants of the self-propagating attacks are named Miasma and Hades.
Organizations have more visibility than ever. Growing tech stacks provide greater coverage, and network security teams are increasingly adopting AI and automation to help with routine tasks and reduce manual effort.
Anthropic's Mythos is accelerating vulnerability discovery to machine speed, forcing the bug bounty industry and offensive security teams to adapt to a future where finding flaws is no longer the hard part.
DINUM, the digital affairs directorate of the French government, warned that hackers used a hijacked user account to breach Tchap, the French government's encrypted messaging platform. [...]
CISA has ordered U.S. government agencies to secure their Check Point Remote Access VPN and Mobile Access deployments against a critical vulnerability exploited in zero-day attacks by Qilin ransomware affiliates.
Pashinyan's Civil Contract party won nearly 50% of Sunday's vote, defeating the pro-Russian Strong Armenia party led by Russian-Armenian billionaire Samvel Karapetyan, which received around 23% of the vote.
WhatsApp said it is filing a federal court contempt order against NSO for violating a permanent injunction that bars it from mounting attacks against its users.
The Instagram accounts for the Obama White House and the Chief Master Sergeant of the U.S. Space Force were briefly defaced with pro-Iranian images and messages over the weekend, after instructions began circulating on Telegram showing how to trick Meta's "AI support.
Authorities in the Netherlands have arrested the co-owners of two related Internet hosting companies for operating IT infrastructure used by Russia to carry out cyberattacks, influence operations and disinformation campaigns inside the European Union. The two men were the focus of a.
An extension of the Geneva Conventions could impose restrictions on cyberwarfare under ceasefire conditions and close a major loophole in international conflict.
The group, dubbed SiribClone by Russian cybersecurity firm F6, has been active since at least the summer of 2025 and has primarily targeted members of the Russian armed forces stationed in border regions and combat zones.
The flaws could lead to the disclosure of sensitive information, memory corruption, and disruption of normal system usage.
Google has released security updates to address 74 vulnerabilities, including one that has come under active exploitation in the wild. The high-severity vulnerability, tracked as CVE-2026-11645 (CVSS score: 8.8), has been described as an out-of-bounds memory access in V8, Chrome's JavaScript and.
Google has released emergency updates to patch another Chrome zero-day vulnerability that has been exploited in the wild, the fifth such flaw patched since the start of the year. [...]
A newly discovered, critical zero-day vulnerability is under attack; a Qilin ransomware affiliate has been blamed for at least one incident.
The financially motivated group is combining vishing, IT impersonation, and in-person office intrusions to steal data and extort victims.
Canadian authorities on Wednesday arrested a 23-year-old Ottawa man on suspicion of building and operating Kimwolf, a fast-spreading Internet-of-Things botnet that enslaved millions of devices for use in a series of massive distributed denial-of-service (DDoS) attacks over the past six months.
The companies “must activate built-in features or implement technical solutions on smartphones and tablets to detect and block nude images for children,” according to a press release from the Home Office. Prime Minister Keir Starmer announced the measure in a speech at.
New regulations published by Russia's Ministry of Digital Development at the end of May updated the technical standards governing SORM, formally known as the System for Operative Investigative Activities.