Three Microsoft Flaws, Drupal RCE & Iran Wiper Escalation | This Week's Threats

CISA's June 11 Deadline, Chrome's 5th Zero-Day & 698 Ransomware Attacks in May

(00:00:00) CISA's June 11 Deadline, Chrome's 5th Zero-Day & 698 Ransomware Attacks in May (00:01:18) Chrome V8 Fifth Zero-Day 2026 (00:02:04) Microsoft's Record Patch Tuesday (00:03:04) Ransomware Surge May 2026 (00:03:34) GenAI Leakage and Azure Supply Chain (00:04:25) What to Watch Next CISA has issued one of its tightest-ever emergency directives: every US federal civilian agency must patch CVE-2026-50751, an authentication bypass in Check Point Remote Access VPN, by end of day June 11 — or disconnect. Qilin ransomware affiliates have had a working exploit since at least May 7, with confirmed attacks across dozens of organizations globally. Mitigation paths exist — disable IKEv1 or enforce machine certificate authentication — but the three-day clock leaves no room for low-priority treatment of legacy VPN debt. Elsewhere on the threat landscape, Google has patched CVE-2026-11645, a V8 out-of-bounds read/write flaw in Chrome that enables remote code execution via a crafted HTML page. This is Chrome's fifth confirmed zero-day in 2026, with a $55,000 bounty paid on discovery. Microsoft's June Patch Tuesday broke records: more than 200 critical CVEs addressed, including 360 Chromium-related fixes. Three had public exploits at release time. A researcher known as Nightmare Eclipse — claiming former Microsoft employee status — has publicly pledged a mass exploit drop on July 14, a date now worth monitoring. May 2026 ransomware data paints a stark picture: 698 reported attacks globally, up 48% year-over-year. Business Services saw a 359% spike. Three groups account for 39% of all attacks; 58 additional groups share the rest — a resilient, industrialized ecosystem. Finally: enterprise GenAI tools are leaking credentials and IP at scale, with 1 in 25 prompts carrying high-risk content, and Microsoft's Azure Durable Task SDK has suffered a second Shai-Hulud worm infection across 72 public repositories — raising questions about whether remediation of the May attack was ever complete. This episode includes AI-generated content.

Check Point VPN Zero-Day, 44% Ransomware Surge & FBI Network Breach

(00:00:00) Check Point VPN Zero-Day, 44% Ransomware Surge & FBI Network Breach (00:00:44) Ransomware Surge: 44% of Breaches (00:01:30) SMBs: 61% Breached, Zero Budget (00:02:05) Nation-State Infrastructure Attacks (00:02:34) FBI Breach and Open Source Compromise (00:03:08) ETHS Closure and Hasbro Outage A Qilin ransomware affiliate is actively exploiting CVE-2026-50751, an authentication bypass in Check Point's Remote Access and Mobile Access VPN products, with dozens of confirmed victims and no patch timeline announced. The vulnerability targets systems still running the deprecated IKEv1 protocol — an attack surface defined entirely by deferred maintenance. That campaign lands against a dramatically worsened ransomware landscape. New figures show ransomware now appears in 44% of all data breaches, up from 32% the prior year — a 38% year-over-year rise. The ransomware-as-a-service ecosystem currently tracks 95 active gangs, 55 new families emerged in the past year, and double extortion is now standard in 88% of incidents. Small businesses face the sharpest exposure: 88% of SMB breaches involve ransomware, 61% of small firms were hit in the past year, and yet 47% of companies with fewer than 50 employees maintain zero dedicated cybersecurity budget. Elsewhere, Russia-linked actors are targeting European energy and water infrastructure across Poland, Sweden, and Norway. Iranian hackers struck US water utilities and Stryker medical devices with destructive wiper malware. The FBI declared a major cyber incident after an unclassified network breach exposed surveillance target phone numbers, with attribution pointing to Chinese government actors. A supply chain compromise also backdoored widely-used open source tools including Trivy, Bitwarden, and Checkmarx, with downstream impact reaching OpenAI and Vercel. Evanston Township High School closed through Tuesday following a ransomware attack. Hasbro remains largely offline weeks after a March intrusion. Key watchpoints: Check Point customers on IKEv1 need to act now. The open source supply chain map is still incomplete. The FBI breach is an unresolved national security question. This episode includes AI-generated content.

Cisco SD-WAN Zero-Day Exploited, FBI Breach & Iran Hits Water Utilities

(00:00:00) Cisco SD-WAN Zero-Day Exploited, FBI Breach & Iran Hits Water Utilities (00:01:00) FBI Breach Exposes Surveillance Targets (00:01:32) Infrastructure as Active Battleground (00:02:12) Social Security Database Under Investigation (00:02:41) Supply Chain Breaches Continue Weekly (00:03:09) Infostealers Feeding Ransomware Pipeline A zero-day in Cisco's Catalyst SD-WAN Manager is being actively exploited in the wild — no patch exists, and it's the seventh SD-WAN flaw weaponised this year. CVE-2026-20245 carries a CVSS score of 7.8, enabling root command injection on edge devices. Cisco has confirmed unauthorised configuration changes in the wild, with no vendor fix available. Today's episode opens there and doesn't move on quickly. From federal networks to critical infrastructure: the FBI has confirmed Chinese-linked actors compromised an unclassified network, exposing active surveillance targets and wiretap numbers from pen register data. The counterintelligence fallout could extend for years. Meanwhile, Iran-linked actors are actively targeting U.S. water utilities, Russia is sustaining its campaign against European power grids, and Iranian hackers wiped tens of thousands of devices at Stryker in March. Three nation-state actors are simultaneously running live operations against civilian infrastructure. On the domestic data exposure front, DOGE-led access to the Social Security Administration's database remains under investigation. If worst-case assessments hold, this could be the largest government data breach in U.S. history by affected population. Open source supply chain compromises — hitting Trivy, Bitwarden, and Checkmarx — are now running at a weekly cadence, with stolen developer credentials cascading into downstream platforms including OpenAI and Vercel. Rounding out today's briefing: infostealers have become the primary entry point for ransomware operations, with stolen session tokens remaining valid even after malware removal. ClickFix delivery and fake CAPTCHAs are the delivery mechanism of choice. This episode includes AI-generated content.

Miasma Worm Hits 73 Microsoft GitHub Repos via AI Coding Agents

(00:00:00) Miasma Worm Hits 73 Microsoft GitHub Repos via AI Coding Agents (00:00:49) Trust Model Broken, Not Bypassed (00:01:40) Credential Persistence and Re-Compromise (00:02:12) Scope Still Unknown (00:02:46) Structural Risk Across Open-Source (00:03:22) What to Watch Next A supply chain worm called Miasma has compromised 73 Microsoft GitHub repositories across four Microsoft organisations — Azure, Azure-Samples, Microsoft, and MicrosoftDocs — and it did so without exploiting a single vulnerability. No zero-day. No exploit signature. Just valid credentials and authenticated maintainer access. Miasma is a variant of Mini Shai-Hulud, first deployed by threat group TeamPCP in May against the durabletask PyPI package. The June campaign returned to that same package — suggesting TeamPCP never lost access after the initial compromise — and expanded dramatically in scope. The 4.3 MB payload runner was injected directly into infected repositories, bypassing npm registry scanning entirely. What makes this campaign structurally significant is the execution trigger. The payload detonates when a developer clones an infected repo and opens it in an AI coding assistant: Claude Code, Gemini CLI, Cursor, or VS Code, or during npm test runs. This is the first documented case of malware deliberately weaponising AI coding agents as an execution context — an attack surface that simply didn't exist two years ago. The downstream exposure is unquantified. Production environments pulling durabletask or mantine-datatable packages before the takedown may have received the payload with no visible indicator. The full scope of compromised credentials remains unconfirmed. For security teams: audit your dependency tree for durabletask and mantine packages pulled before the takedown, watch for Microsoft's credential-scope disclosure, and treat AI coding agent integrations as a threat surface requiring formal policy. Across npm and GitHub, roughly 95 repositories have now been compromised in connected campaigns. The open-source trust model has no detection layer for maintainers operating normally on stolen credentials. This episode includes AI-generated content.

Azure Cloud Vulns Surge 16%, Cisco SD-WAN Zero-Day & Silent Ransom Goes Physical

(00:00:00) Azure Cloud Vulns Surge 16%, Cisco SD-WAN Zero-Day & Silent Ransom Goes Physical (00:00:41) Cisco SD-WAN Zero-Day Exploited (00:01:23) Silent Ransom Group Goes Physical (00:02:17) SharePoint RCE Patch Released (00:02:41) CBSE India Portal DDoS Attack (00:03:12) Closing Watchpoints Today's briefing opens with a counterintuitive signal: total Microsoft CVEs fell six percent this year, but critical vulnerabilities inside Azure and Entra ID climbed sixteen percent. That divergence reveals a deliberate attacker reorientation toward cloud identity infrastructure and Global Administrator access — the keys to everything downstream. Cisco Catalyst SD-WAN Manager is under active attack. CVE-2026-20245 is a privilege escalation zero-day confirmed exploited in the wild by Mandiant, with no patch available. Authenticated access is required, but that pre-condition shrinks the window to act, not the urgency. The FBI and Google issued a joint alert on Silent Ransom Group — a threat actor now sending physical imposters into law firm offices, posing as IT workers and exfiltrating data via USB drives and remote tools. No encryption. Pure extortion through threatened publication of stolen contracts and personal records. The ransomware playbook now has a physical chapter. Microsoft released an out-of-band patch for CVE-2026-45659, a remote code execution flaw in SharePoint Server scoring CVSS 8.8. No active exploitation confirmed — worth queuing on the normal patch cycle. Finally, India's CBSE exam results portal weathered a multi-day coordinated DDoS between June 2nd and 5th. No confirmed breach, but the timing and scale fit a pattern of high-visibility public sector targeting. The closing watchpoint: CVE counts falling while exploit pressure rises, severity concentrating in cloud identity, and threat actors expanding beyond digital methods. The gap between security guidance and enterprise implementation is where most real risk lives right now. This episode includes AI-generated content.