# Today's Top Stories

June 09, 2026

  1. The Hacker News general Jun 08
    Critical Check Point VPN Flaw Exploited to Bypass Passwords in IKEv1 Setups

    Check Point disclosed CVE-2026-50751 (CVSS 9.3), a critical logic flaw in certificate validation affecting Remote Access VPN and Mobile Access deployments using the deprecated IKEv1 protocol, allowing unauthenticated remote attackers to bypass passwords. Active exploitation has been traced back to early May, with a Qilin ransomware affiliate blamed for at least one confirmed incident. Administrators running IKEv1-configured Check Point gateways should patch immediately and consider migrating to IKEv2.

  2. The Hacker News general Jun 08
    One-Character Linux Kernel Flaw Enables Local Root Access, Exploits Now Public

    CVE-2026-23111, a use-after-free vulnerability in the Linux kernel's nf_tables packet-filtering subsystem, allows unprivileged local users to escalate to root and escape containers. Exodus Intelligence published a full working exploit on June 8, 2026, despite the upstream patch having been available since February 5, 2026. Unpatched Linux systems running containerized workloads are at acute risk given the public exploit availability.

  3. The Hacker News general Jun 08
    Meta Blocks NSO Group's New WhatsApp Phishing Attack, Files Contempt Order

    Meta detected and blocked new spear-phishing campaigns attributed to NSO Group targeting WhatsApp users, and filed a federal court contempt order alleging NSO violated a permanent injunction barring it from attacking WhatsApp and its users. The attacks involved tricking targets into clicking malicious links redirecting to external websites, constituting a direct violation of the court order. This marks a significant legal escalation against the Israeli spyware vendor following Meta's landmark 2019 lawsuit.

  4. The Hacker News general Jun 08
    UNC3753 Used Vishing and Physical Intrusions in U.S. Data Theft Extortion Campaign

    Google Mandiant attributed a financially motivated data theft and extortion campaign (January–May 2026) to UNC3753, also tracked as Silent Ransom Group, which targeted dozens of U.S. organizations in professional, legal, and financial services. The group employed vishing, IT impersonation, DNS fast flux to obscure C2 infrastructure, and physical office intrusions to steal data. The multi-vector TTPs make this threat particularly difficult to defend against with purely technical controls.

  5. BleepingComputer general Jun 08
    New Shai-Hulud attack trojanizes 19 science-focused PyPI packages

    A new supply chain attack, dubbed the Shai-Hulud 'Hades' campaign, compromised 19 science-focused PyPI packages across 37 wheels, collectively downloaded hundreds of thousands of times, delivering malware designed to steal developer secrets and credentials. The packages were trojanized to run a self-replicating stealer and included a leaked bot token embedded within the malware itself. This is the second iteration of the Shai-Hulud campaign and signals continued evolution of PyPI-targeting threat actors.

  6. The Hacker News general Jun 08
    VerdantBamboo Deploys BSD Variant of BRICKSTORM on Linux Appliances

    Volexity attributed a new espionage campaign to VerdantBamboo (overlapping with Microsoft's Clay Typhoon) deploying a previously undocumented BSD variant of the BRICKSTORM backdoor alongside two new malware families, PLENET (aka GRIMBOLT) and AGENTPSD, targeting Linux network appliances. This China-nexus threat actor's expansion to BSD/Linux platforms broadens the attack surface beyond Windows environments typically monitored by enterprise defenders. Security teams protecting Linux-based network infrastructure should review Volexity's indicators.

  7. BleepingComputer general Jun 08
    Critical UniFi OS bug lets hackers gain root without authentication

    Researchers disclosed a chain of three previously fixed vulnerabilities in Ubiquiti's UniFi OS server that can be combined to achieve unauthenticated remote code execution with root privileges. The exploit chain requires no authentication and targets internet-facing UniFi devices, which are widely deployed in enterprise and prosumer networks. Ubiquiti has issued patches and administrators should update UniFi OS immediately.

  8. Ars Technica Security general Jun 08
    For the 2nd time in weeks, Microsoft packages laced with credential stealer

    For the second time in weeks, malicious packages targeting the Microsoft ecosystem were found laced with a credential stealer — 73 packages that execute a self-replicating stealer automatically when opened by an AI coding agent. The attack exploits the growing use of AI-assisted development workflows where agents autonomously install and execute packages. This pattern of recurring supply chain attacks against Microsoft package repositories represents an escalating threat to developer environments.

  9. BleepingComputer general Jun 08
    Over 20,000 Instagram accounts stolen in Meta AI support hack

    Attackers abused Meta's AI-powered account recovery support system to hijack over 20,000 Instagram accounts by using it to reset passwords on targeted accounts. Meta has disclosed the incident to authorities and confirmed the accounts were stolen, representing a novel attack vector where AI support tooling itself becomes an exploitation surface. The incident underscores risks introduced when AI systems are given privileged account management capabilities without sufficient fraud controls.

  10. SecurityWeek general Jun 08
    SolarWinds Serv-U Vulnerability Exploited in the Wild

    SolarWinds Serv-U file transfer software has a vulnerability being actively exploited in the wild, allowing unauthenticated attackers to crash the Serv-U service via specially crafted POST requests. Given SolarWinds' history as a high-value target and the active exploitation status, organizations running Serv-U should apply available patches immediately and review network exposure. No CVE identifier was specified in the report, but SecurityWeek confirmed in-the-wild exploitation.