Threat Alerts — Watch
A live, severity-rated stream of the threats actually hitting small and medium businesses worldwide, each with the one or two actions that matter most.
Active alerts
- Unpatched Flaws Found in Filesystem Used in Millions of DevicesWatch · Vulnerability / CVE · 2026-07-06Security firm runZero has disclosed seven vulnerabilities in FatFs, a small filesystem library buried inside security cameras, drones, industrial controllers, and hardware crypto wallets. On the worst-affected devices, a booby-trapped USB drive or SD card can hand over full control. The lone maintainer hasn't responded, so most fixes now depend on individual device vendors.
- Apple Patches Three Dozen Flaws, Some Found by AI ToolsWatch · Vulnerability / CVE · 2026-06-30Apple's latest round of updates fixes more than 30 security bugs across iPhone, iPad, Mac, and Safari, including four in the WebKit browser engine. Some of the flaws were uncovered with help from AI tools. None are known to be under attack yet, which makes this the easy kind of update to install before it matters.
- Supply Chain Worm Spreads From npm Into the Go EcosystemWatch · Supply chain · 2026-06-28The Shai-Hulud supply chain attack, also tracked as Miasma, has hit a fresh batch of npm packages and crossed into the Go ecosystem for the first time. It steals developer credentials and CI/CD secrets, then uses them to poison more packages automatically. Any business that builds software on npm or Go should check its pipelines.
- Poland Arrests Four in SIM-Swap Gang That Stole Millions in CryptoWatch · Other · 2026-06-26Polish police and the FBI arrested four people on 25 June after a joint investigation into a SIM-swapping network that drained cryptocurrency exchange accounts by compromising telecom partner systems. Prosecutors put the laundered total at over five million US dollars.
- Popular Chrome Ad Blocker Hides a Dormant Code Injection PathWatch · Other · 2026-06-25A Chrome extension called Adblock for YouTube, installed more than 10 million times, contains a hidden way to run any code the developer chooses on every site you visit. Researchers at Island found it is switched off for now, but it could be turned on from the developer's server with no update and no review. The safe move is to remove it.
- Squidbleed (CVE-2026-47729): A 29-Year Memory Leak in Squid Proxy Exposes CredentialsWatch · Vulnerability / CVE · 2026-06-23CVE-2026-47729, nicknamed Squidbleed, is a memory leak in Squid Proxy's FTP parser that has sat undetected since 1997. In shared proxy environments, it can expose authentication credentials, session tokens, and API keys from one user's HTTP session to another. A patch is available in Squid 7.6, released June 2026. CVEs: CVE-2026-47729.
- Canada's Spy Agency Disinfected Botnet Victims Using a Legal FirstWatch · Other · 2026-06-22The Canadian Security Intelligence Service used a threat reduction warrant to push disinfection commands to routers and servers inside Canada enrolled in two foreign-linked botnets. A Federal Court ruling made public on 15 June authorized the operation, the first time CSIS has used this legal power on privately-owned networked devices. For businesses in Canada and those watching how governments respond to botnet infrastructure globally, this sets a precedent worth understanding.
- INTERPOL's Asia-Pacific Report: AI Scams and Ransomware Both AcceleratingWatch · Ransomware · 2026-06-22INTERPOL's 2025-2026 Asia-Pacific Cyberthreat Assessment covers 23 member countries and identifies phishing as the most widespread threat in the region, with AI-powered fraud and ransomware both growing faster than defensive adoption. Business email compromise and deepfake-enabled executive impersonation are producing the largest financial losses, hitting smaller businesses hardest. Organisations with any supply-chain or operational exposure to Asia-Pacific should treat this as a forward-looking threat indicator.
- Prinz Eugen Ransomware Targets Files in Active Use, Skips Ransom NotesWatch · Ransomware · 2026-06-21Security analysts at Threatdown have identified a new ransomware group called Prinz Eugen that breaks in via stolen Remote Desktop credentials and deliberately encrypts the files employees were most recently working on. Unlike most ransomware, the group leaves no note on infected systems, delivering demands by email and phone to complicate incident response. Standard Bank in South Africa has confirmed it is among the group's first victims.
- WordPress Email Plugin Flaw Leaks API Keys From 100,000 SitesWatch · Vulnerability / CVE · 2026-06-20Attackers are actively exploiting a flaw in Gravity SMTP, a WordPress plugin on roughly 100,000 sites, that hands unauthenticated visitors the site's API keys, secrets, and email credentials. Wordfence has blocked more than 17 million exploit attempts. Sites running an old version should assume their connected email accounts are compromised.
- One-Click Microsoft 365 Copilot Flaw Could Have Leaked Emails and FilesWatch · Vulnerability / CVE · 2026-06-17Researchers chained three bugs in Microsoft 365 Copilot Enterprise Search into a one-click attack that could pull a victim's emails, calendar, and indexed files using only a trusted microsoft.com link. Microsoft assigned CVE-2026-42824, rated it critical, and has already fixed it on its own servers, so there is nothing for customers to patch. No real-world attacks were seen, but the technique shows how AI assistants reopen old web flaws. CVEs: CVE-2026-42824.
- Cisco Patches Exploited SD-WAN Manager Flaw That Grants Root AccessWatch · Vulnerability / CVE · 2026-06-16Cisco has patched CVE-2026-20262, a flaw in Catalyst SD-WAN Manager already under active attack, after intruders used it to overwrite files and gain root on the system that runs corporate networks. CISA added it to its Known Exploited Vulnerabilities catalog with a June 29 deadline for federal agencies. Any business whose network is managed through Cisco SD-WAN should patch now. CVEs: CVE-2026-20262.
- INTERPOL Dismantles Free Phishing Service After Decade OnlineWatch · Phishing & BEC · 2026-06-15Police across 13 Middle East and North Africa countries arrested 201 people and shut down Sniper Dz, a phishing-as-a-service platform that ran free for a decade and collected over 45,000 victim records. New research shows the same operation also milked victims through fake Facebook offers and browser notification scams.
- GitHub Will Disable npm Install Scripts by Default to Stop Supply Chain AttacksWatch · Supply chain · 2026-06-12GitHub is turning off npm install scripts by default in npm version 12, due next month. The change blocks a common path attackers use to run malicious code during npm install. Any business whose developers or build servers pull npm packages should prepare now to avoid broken builds.
- Europol Disrupts AudiA6 Crypto Laundering Service Used by Ransomware GangsWatch · Ransomware · 2026-06-12Europol and the US Justice Department dismantled AudiA6, a cryptocurrency laundering service that washed more than 336 million euros in criminal profits since 2021. Two men were arrested and charged. The takedown cuts a cash-out pipeline ransomware crews relied on, but the gangs that hit small businesses are still operating.
- Supply Chain Worm Compromises 73 Microsoft GitHub Repos and PyPI PackagesWatch · Supply chain · 2026-06-10A supply chain campaign called Miasma compromised 73 Microsoft repositories across GitHub and poisoned three versions of the durabletask Python package on PyPI, targeting developers who use AI coding tools. The attack harvested OIDC tokens from CI/CD pipelines and installed credential stealers on developer machines. All Microsoft repos have been restored; developers who pulled the malicious durabletask versions need to rotate credentials immediately.
- ServiceNow Discloses Breach via Unauthenticated API EndpointWatch · Other · 2026-06-10ServiceNow disclosed a security incident in which attackers used an unauthenticated REST API endpoint to query customer instance data. The affected endpoint required no login. IT support tickets were among the data accessible, and those frequently contain credentials, API keys, and internal system details.
- French Government Messaging Platform Tchap Breached via Social EngineeringWatch · Other · 2026-06-09France's government-mandated messaging platform Tchap was breached through a socially engineered employee account, exposing 650,000 messages and data on 73,000 civil servant accounts. The attacker also claims all files shared on the platform were downloadable without valid authentication tokens. DINUM confirmed the breach; France's CNIL data protection authority was notified.