Threat Alerts — High
A live, severity-rated stream of the threats actually hitting small and medium businesses worldwide, each with the one or two actions that matter most.
Active alerts
- Ohio County Paid $1 Million to a Gang That Never Encrypted AnythingHigh · Ransomware · 2026-07-06A small Ohio county government paid roughly $1 million in bitcoin to a group calling itself Kairos, even though the attackers never locked a single file. A new case study, built from a leaked negotiation chat and the bitcoin trail the payment left, shows how a month-long negotiation moved from a $3 million opening demand down to seven figures. The case is a reminder that "ransomware" increasingly means stolen data held hostage, not scrambled files.
- New Bad Epoll Flaw Turns Any Linux User Into RootHigh · Vulnerability / CVE · 2026-07-06A newly disclosed Linux kernel bug called Bad Epoll lets a normal user account jump straight to root, and it works on desktops, servers, and some Android phones. A public proof-of-concept reaches root about 99% of the time on tested systems, though there's no sign yet that real attackers have picked it up. A patch exists, but epoll can't simply be switched off.
- FBI and Google Seize Botnet Built From 2 Million Home DevicesHigh · Other · 2026-07-03The FBI and Google dismantled NetNut, a residential proxy network built from at least 2 million home devices including smart TVs and streaming boxes. Criminals rented the network to hide password-spray and account-takeover traffic behind ordinary residential IP addresses, the kind many business security tools are built to trust.
- China-Linked Group Hits Power and Water Utilities in AsiaHigh · Other · 2026-07-03A China-linked group tracked as CL-STA-1062 has compromised at least 10 electricity, water, and government organizations across Southeast Asia over the past year using a new stealth backdoor called TinyRCT. Palo Alto Networks says the group may be selling its footholds to other attackers rather than acting alone.
- CISA Sets July 4 Deadline for SharePoint RCE FlawHigh · Vulnerability / CVE · 2026-07-02CISA has added a Microsoft SharePoint flaw to its list of vulnerabilities under active attack, giving federal agencies until July 4 to patch it. The bug lets any logged-in user with basic site permissions run code on the server, no admin access needed, and Microsoft already shipped the fix back in May. If you run SharePoint Server on-premises, this is a today problem.
- Fake Interpol Emails Push Ransomware at Small BusinessesHigh · Ransomware · 2026-07-02A ransomware campaign disguised as an Interpol fraud investigation is targeting small businesses across Europe, Asia, the Middle East, and the US. The email links to a password-protected archive that hides an executable disguised as video evidence, and once it runs, it encrypts local files. The one piece of good news: researchers found the decryption password baked into the malware itself.
- Password Spray Attack Bypasses MFA on 78 Azure AccountsHigh · Other · 2026-07-01An automated password spray campaign made more than 81 million login attempts against Azure in two weeks and compromised 78 accounts across 64 organizations, several of which had multi-factor authentication switched on. The attackers got in by using a legacy login method that skips MFA prompts entirely.
- Photo ZIP Phishing Campaign Hits Hotels in Europe and AsiaHigh · Phishing & BEC · 2026-07-01Since April, hotels across Europe and Asia have been receiving phishing emails posing as angry guests, complete with a ZIP file that claims to hold photos of the problem. Open it, and a hidden implant sets up shop for the long haul rather than cashing out immediately.
- Microsoft Pulls 119 Edge Extensions That Hid Malware in ImagesHigh · Other · 2026-06-30Microsoft removed 119 Edge extensions that smuggled malware inside image and font files, then waited days to wake up and steal logins. The add-ons looked like ordinary ad blockers and VPNs and reached up to 2.6 million installs over two years. Check your browser against Microsoft's list before you trust it again.
- Hijacked npm and Go Packages Hide a Stealer in Fake FontsHigh · Supply chain · 2026-06-29Researchers found two npm packages and 16 Go modules that quietly install a credential and crypto-wallet stealer the moment a developer opens the project in VS Code. The malware hides inside a fake font file and pulls its next stage from blockchain transactions to survive takedowns. It is the latest twist on North Korea's Contagious Interview campaign against developers.
- KDDI Breach Exposes Up to 14 Million Japanese Email LoginsHigh · Supply chain · 2026-06-29KDDI says attackers reached the email systems behind six Japanese internet providers and may have exposed up to 14.2 million email logins, including former and inactive accounts. The intrusion came through a flaw in third-party software and was caught on 17 June. Anyone using one of these mailboxes for business should reset the password and turn on two-step verification now.
- Hotel Phishing Campaign Hides a Node.js Implant in Photo ZIP FilesHigh · Phishing & BEC · 2026-06-28Microsoft is tracking an active phishing campaign that has hit hotels across Europe and Asia since April, using photo-themed ZIP files to plant a Node.js implant on front-desk computers. The emails pass every standard authentication check because they are routed through real Calendly and Google infrastructure. Any business with a public booking inbox is a plausible target.
- Public Exploit Turns a Linux Kernel Flaw Into Instant RootHigh · Vulnerability / CVE · 2026-06-28A new Linux kernel flaw, CVE-2026-46331 or 'pedit COW', lets any logged-in user become root, and a working exploit went public within a day of the patch. It corrupts a cached copy of a system binary in memory, so file-integrity tools see nothing wrong. Shared servers, CI runners, and Kubernetes nodes are the systems most at risk. CVEs: CVE-2026-46331.
- FBI Warns Russian Spies Are Phishing Signal Backup Recovery KeysHigh · Phishing & BEC · 2026-06-27The FBI says two Russian intelligence groups are tricking Signal users into handing over the recovery key that unlocks their encrypted message backups. Once they have it, they restore your full chat history on their own phone. The targets are officials and journalists for now, but the same trick works on anyone who uses Signal for work.
- Hackers Drain 3 Million From Polymarket via a Third-Party ScriptHigh · Supply chain · 2026-06-27Polymarket lost close to 3 million dollars in crypto after attackers broke into one of its outside vendors and slipped malicious code into the website's front end. The company's own servers were never touched. It is a reminder that every third-party script on your site runs with your customers' trust.
- Amazon Q Flaw Let Malicious Repos Steal Cloud Credentials SilentlyHigh · Vulnerability / CVE · 2026-06-27A flaw in Amazon Q Developer, Amazon's AI coding assistant, let a booby-trapped code repository run commands the moment a developer opened it, with no prompt and no click. The payload could lift live AWS keys and cloud tokens straight off the machine. Amazon has patched it, but the lesson about auto-running AI config files is bigger than one tool.
- Bluekit Streams Real Login Pages to Steal Sessions and Bypass MFA at ScaleHigh · Phishing & BEC · 2026-06-26A phishing-as-a-service platform called Bluekit has upgraded to browser-in-the-middle capabilities that stream the real login page to victims while authentication completes inside the attacker's browser. Standard MFA is bypassed, and the attacker walks away with a live session token.
- Police Dismantle Amadey and StealC Malware in Operation EndgameHigh · Other · 2026-06-25An international police operation knocked out the servers behind Amadey and StealC, two malware families that infect computers and steal passwords for a living. Investigators recovered 27 million stolen credentials and froze more than 41 million euros in criminal cryptocurrency. If your saved browser passwords were taken, changing them now is the practical response.
- Cisco SD-WAN Bug Was Exploited as a Zero-Day for MonthsHigh · Vulnerability / CVE · 2026-06-25Mandiant says an unknown attacker exploited a Cisco Catalyst SD-WAN flaw, CVE-2026-20245, for at least two months before it was public, using it to take full root control of a network device. The attacker created a hidden admin account and then erased their own tracks. Any business running Cisco SD-WAN edge gear should run the checks below and confirm the patch is applied. CVEs: CVE-2026-20245.
- macOS Fake CAPTCHA Scam Delivers Atomic Stealer via Mounted Disk ImagesHigh · Other · 2026-06-24Attackers are delivering the Atomic macOS Stealer through a fake CAPTCHA page that tells visitors to paste a Terminal command. The command silently downloads and mounts a disk image without it appearing in Finder, then launches a malicious app that drains credentials from eight browser families, cryptocurrency wallets, and the Apple Keychain. For Ledger Live and Trezor Suite users, the malware also replaces the legitimate app with a trojanised copy designed to steal seed phrases on the next launch.
- World Leaks Hits Tata Electronics, Releasing Apple Manufacturing SchematicsHigh · Ransomware · 2026-06-24Tata Electronics, a key iPhone component supplier in India, confirmed a breach by World Leaks, a data-extortion group that publishes stolen files without encrypting systems. Leaked documents include internal component schematics, PCB designs, and SDK files for Apple products. No customer or employee personal data appeared in the published materials.
- Compromised WhatsApp Accounts Deliver RMM Software to 11 CountriesHigh · Other · 2026-06-23Kaspersky researchers documented an active campaign in which attackers use compromised WhatsApp accounts to send VBScript files disguised as business documents. Opening one on Windows leads to silent installation of ManageEngine Endpoint Central, giving attackers persistent remote control of the machine. The campaign has reached the UK, Australia, and nine other countries.
- Phishing Attack on Healthcare Tech Vendor Exposes 1.4 Million People's Medical RecordsHigh · Phishing & BEC · 2026-06-23A phishing attack on Xsolis, a Tennessee-based healthcare technology company, led to the exposure of protected health information belonging to more than 1.3 million individuals. The breach occurred in January 2026 and was not publicly disclosed until June, appearing on the HHS breach tracker on 23 June. Stolen data includes Social Security numbers, medical treatment records, and health insurance details.
- AryStinger Malware Turns 4,300 Neglected Routers Into a Spy NetworkHigh · Other · 2026-06-22Security researchers at QiAnXin XLab have uncovered a malware family called AryStinger that has quietly enrolled more than 4,300 home and small-office routers into a botnet used for reconnaissance and proxy operations. The infected devices serve as cover for attack traffic targeting cloud services and business accounts. Any organisation running a router that has not received a firmware update in the last two years should consider itself at risk.
- Microsoft Discloses AutoJack Attack That Turns AI Agents Into Code Execution ToolsHigh · Vulnerability / CVE · 2026-06-21Microsoft security researchers have identified a technique called AutoJack that uses a malicious web page to hijack AI browsing agents and execute code on the host machine, with no user credentials or additional interaction required. As businesses deploy AI agents to handle tasks autonomously, AutoJack represents a new attack surface that sits outside the scope of traditional patching. No active exploitation has been confirmed, but the attack does not rely on any single software vulnerability and could emerge in any AI agent capable of browsing the web.
- Texas Breach Exposes 3 Million Hunting Licence Holders' ID DocumentsHigh · Supply chain · 2026-06-21An attack on a third-party vendor that handles Texas hunting and fishing licences has exposed driver's licence numbers, passport numbers, home addresses, and contact details for 3,087,721 Texans. The unnamed vendor has not disclosed how the attacker got in, but Texas Cyber Command is investigating. Businesses should treat this as a reminder that vendor systems can become breach pathways even when your own security is solid.
- Stolen OAuth Tokens Let Hackers Loot Salesforce Data Through Klue AppHigh · Ransomware · 2026-06-20Salesforce has cut off the Klue Battlecards app after an extortion group called Icarus used stolen OAuth tokens to pull customer records from connected Salesforce accounts. Security firm Huntress and others have confirmed data theft. The case shows how one compromised vendor integration can expose hundreds of companies that never dealt with the attacker directly.
- Police Disrupt SocGholish Malware and Clean 15,000 Hacked SitesHigh · Ransomware · 2026-06-20Law enforcement from four countries seized 106 servers behind SocGholish, a malware operation that turns hacked WordPress sites into fake software-update traps, and cleaned 14,971 infected websites. The malware has fed ransomware crews including Evil Corp and LockBit since 2017. Owners of affected sites have been told to change credentials and update their CMS.
- Hackers Hit Mexican Agencies Using Old Fortinet and Ivanti BugsHigh · Vulnerability / CVE · 2026-06-20Researchers at CloudSEK uncovered Operation Escaneo, an intrusion campaign that breached Mexican government bodies, banks, and utilities by exploiting known Fortinet and Ivanti VPN flaws. The attackers stole over 1.3 million personal records and mapped internal networks. Every flaw they used already had a patch, which is the uncomfortable part for smaller firms running the same gear.
- INC Ransomware Tops 830 Victims as Affiliates Flock to the BrandHigh · Ransomware · 2026-06-19INC, a ransomware-as-a-service operation, has claimed more than 830 victims since August 2023 and now ranks among the busiest ransomware brands of 2026. US organisations make up over 65% of its targets, with legal, manufacturing, construction, technology, and healthcare firms hit hardest. INC grew by sticking to well-known techniques rather than exotic tooling.
- DragonForce Hides Ransomware C2 Traffic Inside Microsoft Teams RelaysHigh · Ransomware · 2026-06-19DragonForce ransomware affiliates used a custom backdoor that tunnels its command-and-control traffic through Microsoft Teams relay servers, leaving defenders blind for one to two months. Symantec and Carbon Black documented the attack against a US services firm. Because the traffic looks like ordinary Teams activity, standard firewall monitoring did not catch it.
- Windows Defender Zero-Day Gives Attackers SYSTEM Access, Patch PendingHigh · Vulnerability / CVE · 2026-06-18Microsoft has confirmed a zero-day in Windows Defender, tracked as CVE-2026-50656 and nicknamed RoguePlanet, that lets a logged-in attacker jump to full SYSTEM control. A public proof-of-concept already works on fully patched Windows 10 and 11, whether or not real-time protection is switched on. Microsoft is still writing the fix and has not given a release date. CVEs: CVE-2026-50656.
- Chinese Spies Used Google Workspace Mail Rules To Steal EmailHigh · Other · 2026-06-18A China-linked group hid in North American medical and defense research networks for more than a year, then stole email using a built-in Google Workspace feature rather than malware. They turned the admin mail-compliance rules against the victims, silently copying any message matching their keywords to a Gmail account they controlled. The same technique works in Microsoft 365, and it leaves almost no trace.
- 144 Mastra npm Packages Hijacked to Spread a Crypto-Stealing TrojanHigh · Supply chain · 2026-06-17Attackers hijacked a former contributor's npm account and published 144 malicious packages under the Mastra AI framework's namespace, including @mastra/core, which sees over 900,000 weekly downloads. The packages pulled in a tampered dependency that ran a hidden crypto-stealing trojan during installation. Any developer or build server that installed an affected version since June 17 should treat the machine as compromised.
- Attackers Exploit Three FortiSandbox Flaws Rated CVSS 9.1High · Vulnerability / CVE · 2026-06-17Threat intelligence firm Defused Cyber says attackers spent the past day probing three FortiSandbox vulnerabilities, each rated CVSS 9.1, that let unauthenticated attackers bypass authentication or run commands on the appliance. Two were patched in April and one only last week. Any business running FortiSandbox should confirm it is on the latest firmware now.
- Web Hosting Plugin Flaw Lets Attackers Seize Root on Shared ServersHigh · Vulnerability / CVE · 2026-06-16CISA has flagged CVE-2026-54420, a flaw in the LiteSpeed cPanel plugin that lets an attacker with basic FTP or web shell access escalate to root on shared hosting servers. Because one server holds many small business websites, a single compromise can expose every site on the box. Hosting customers should confirm their provider has patched. CVEs: CVE-2026-54420.
- ClickFix Scams Now Deliver Three New Loaders Tied to Ransomware CrewsHigh · Ransomware · 2026-06-16Researchers at Morphisec, BlueVoyant, and Huntress have documented three malware loaders, BabaDeda, Lorem Ipsum, and Potemkin, all delivered through ClickFix scams that trick people into pasting commands into their own computers. The campaigns hit education, legal, financial, and construction firms and end in stealers, RATs, and Rhysida ransomware. Train staff to never paste a command they did not write.
- Rokarolla Android Trojan Steals Banking PINs and Crypto From PhonesHigh · Other · 2026-06-16A new Android banking trojan called Rokarolla targets 217 banking and cryptocurrency apps and can take near-total control of an infected phone, stealing lock-screen PINs, SMS codes, and crypto payments. It spreads through fake TikTok and Chrome sites and disguises itself as Google Play Protect. Owners who bank from a phone should install apps only from Google Play and guard the Accessibility permission.
- WordPress Plugin Files Hijacked to Backdoor Business SitesHigh · Other · 2026-06-15Attackers tampered with JavaScript served to sites running OptinMonster, TrustPulse, and PushEngage, three plugins from Awesome Motive that reach over 1.2 million sites. The poisoned code quietly created admin accounts and installed a hidden backdoor when a logged-in administrator visited. Affected sites need a server-side scan, not just a plugin update.
- Palo Alto GlobalProtect VPN Flaw Exploited in the WildHigh · Vulnerability / CVE · 2026-06-15Palo Alto Networks confirmed attackers are exploiting CVE-2026-0257, an authentication bypass in the GlobalProtect VPN portal, to set up unauthorised VPN sessions. CISA has ordered federal agencies to fix it, and any business running PAN-OS firewalls should patch now. CVEs: CVE-2026-0257.
- Over 400 Arch Linux AUR Packages Hijacked to Drop Rootkit and Credential StealerHigh · Other · 2026-06-13Attackers compromised more than 400 Arch User Repository packages this week by backdooring build scripts, deploying an infostealer and an eBPF rootkit that hides in the Linux kernel. Developer credentials are the primary target: GitHub tokens, SSH keys, HashiCorp Vault secrets, and messaging-app session data.
- Chrome 149 Fixes 5 Critical Flaws as Google's 2026 Patch Volume Hits 700High · Vulnerability / CVE · 2026-06-13Google released Chrome 149 with fixes for 28 vulnerabilities, five rated critical, including use-after-free bugs in Core and WebMIDI and a GPU heap buffer overflow. No confirmed exploitation has been reported, but use-after-free flaws in browsers have a history of being weaponised quickly after details become public.
- Researchers Trick OpenClaw AI Agent Into Running Code and Leaking DataHigh · Vulnerability / CVE · 2026-06-12Two research teams showed the self-hosted OpenClaw AI agent can be driven to run attacker code or hand over sensitive data through ordinary inputs like a shared contact or a single email. One flaw is patched. The other is a design problem no patch fixes. Businesses adopting AI agents should limit what those agents can do on their own.
- China-Linked JDY Botnet Grows to 1,500 Routers and IoT DevicesHigh · Other · 2026-06-12A China-linked botnet called JDY has grown to more than 1,500 hijacked small-office routers, firewalls, and IoT devices, scanning the internet to map vulnerable systems for state-backed hackers. Most infected devices sit in the US and Brazil. Aging routers in small businesses are the raw material.
- Exchange Server XSS Flaw CVE-2026-42897 Exploited for Weeks Before PatchHigh · Vulnerability / CVE · 2026-06-11Microsoft's June 2026 patches fix CVE-2026-42897, an XSS flaw in Exchange Server's Outlook Web Access that attackers have exploited since mid-May. On-premises Exchange running Server SE, 2016, or 2019 needs the update now. CVEs: CVE-2026-42897.
- The Gentlemen: Second Busiest Ransomware Gang Uses 90/10 Splits to RecruitHigh · Ransomware · 2026-06-11Security researchers have identified the operator behind The Gentlemen ransomware as a 36-year-old from Izhevsk, Russia, running the second most active ransomware-as-a-service platform of 2026. The group targets internet-facing VPNs and firewalls and has logged 332 victims since mid-2025.
- OpenSSL Patches High-Severity Heap Flaw Affecting TLS Servers and EmailHigh · Vulnerability / CVE · 2026-06-10OpenSSL patched 18 vulnerabilities this week, including CVE-2026-45447, a high-severity heap use-after-free flaw in PKCS#7 signature verification that can corrupt server memory and in some conditions enable remote code execution. OpenSSL is the TLS library behind most web servers, VPN endpoints, and email systems. Linux package managers will ship the fix, but self-managed servers and appliances with bundled OpenSSL need manual attention. CVEs: CVE-2026-45447.
- Google Patches Actively Exploited Chrome V8 Zero-DayHigh · Vulnerability / CVE · 2026-06-10Google released emergency patches for CVE-2026-11645, an out-of-bounds flaw in Chrome's V8 JavaScript engine confirmed as exploited in the wild. An attacker can run arbitrary code on a victim's machine by getting them to visit a crafted web page. This is the fifth Chrome zero-day patched in 2026. CVEs: CVE-2026-11645.
- Silent Ransom Group Targets US Law Firms with Phone Extortion and DNS Fast FluxHigh · Ransomware · 2026-06-08The Silent Ransom Group is running a phone-based extortion campaign against US law firms, accounting for nearly 25% of all law firm ransomware incidents in Q1 2026. The group steals data without encrypting files, then demands payment under threat of publication. DNS fast flux across 22 ISPs in 18 countries makes their infrastructure difficult to block.