Cybersecurity Daily: News & Threats

Podcast by YesOui

English

News & politics

More about Cybersecurity Daily: News & Threats

Cybersecurity Daily — daily news briefing covering the most important cybersecurity events from the past 24 hours. Data breaches, vulnerability disclosures, ransomware, nation-state attacks, zero-days, regulatory actions, and enterprise security news. 6-10 stories per episode. Factual, technical where necessary, accessible to security professionals and informed non-specialists. Global scope.

All episodes

32 episodes

Check Point VPN Zero-Day, 44% Ransomware Surge & FBI Network Breach

  • (00:00:00) Check Point VPN Zero-Day, 44% Ransomware Surge & FBI Network Breach
  • (00:00:44) Ransomware Surge: 44% of Breaches
  • (00:01:30) SMBs: 61% Breached, Zero Budget
  • (00:02:05) Nation-State Infrastructure Attacks
  • (00:02:34) FBI Breach and Open Source Compromise
  • (00:03:08) ETHS Closure and Hasbro Outage

A Qilin ransomware affiliate is actively exploiting CVE-2026-50751, an authentication bypass in Check Point's Remote Access and Mobile Access VPN products, with dozens of confirmed victims and no patch timeline announced. The vulnerability targets systems still running the deprecated IKEv1 protocol — an attack surface defined entirely by deferred maintenance.

That campaign lands against a dramatically worsened ransomware landscape. New figures show ransomware now appears in 44% of all data breaches, up from 32% the prior year — a 38% year-over-year rise. The ransomware-as-a-service ecosystem currently tracks 95 active gangs, 55 new families emerged in the past year, and double extortion is now standard in 88% of incidents. Small businesses face the sharpest exposure: 88% of SMB breaches involve ransomware, 61% of small firms were hit in the past year, and yet 47% of companies with fewer than 50 employees maintain zero dedicated cybersecurity budget.

Elsewhere, Russia-linked actors are targeting European energy and water infrastructure across Poland, Sweden, and Norway. Iranian hackers struck US water utilities and Stryker medical devices with destructive wiper malware. The FBI declared a major cyber incident after an unclassified network breach exposed surveillance target phone numbers, with attribution pointing to Chinese government actors. A supply chain compromise also backdoored widely-used open source tools including Trivy, Bitwarden, and Checkmarx, with downstream impact reaching OpenAI and Vercel.

Evanston Township High School closed through Tuesday following a ransomware attack. Hasbro remains largely offline weeks after a March intrusion.

Key watchpoints: Check Point customers on IKEv1 need to act now. The open source supply chain map is still incomplete. The FBI breach is an unresolved national security question.

This episode includes AI-generated content.

Yesterday - 4 min

Cisco SD-WAN Zero-Day Exploited, FBI Breach & Iran Hits Water Utilities

  • (00:00:00) Cisco SD-WAN Zero-Day Exploited, FBI Breach & Iran Hits Water Utilities
  • (00:01:00) FBI Breach Exposes Surveillance Targets
  • (00:01:32) Infrastructure as Active Battleground
  • (00:02:12) Social Security Database Under Investigation
  • (00:02:41) Supply Chain Breaches Continue Weekly
  • (00:03:09) Infostealers Feeding Ransomware Pipeline

A zero-day in Cisco's Catalyst SD-WAN Manager is being actively exploited in the wild — no patch exists, and it's the seventh SD-WAN flaw weaponised this year. CVE-2026-20245 carries a CVSS score of 7.8, enabling root command injection on edge devices. Cisco has confirmed unauthorised configuration changes in the wild, with no vendor fix available. Today's episode opens there and doesn't move on quickly.

From federal networks to critical infrastructure: the FBI has confirmed Chinese-linked actors compromised an unclassified network, exposing active surveillance targets and wiretap numbers from pen register data. The counterintelligence fallout could extend for years. Meanwhile, Iran-linked actors are actively targeting U.S. water utilities, Russia is sustaining its campaign against European power grids, and Iranian hackers wiped tens of thousands of devices at Stryker in March. Three nation-state actors are simultaneously running live operations against civilian infrastructure.

On the domestic data exposure front, DOGE-led access to the Social Security Administration's database remains under investigation. If worst-case assessments hold, this could be the largest government data breach in U.S. history by affected population. Open source supply chain compromises — hitting Trivy, Bitwarden, and Checkmarx — are now running at a weekly cadence, with stolen developer credentials cascading into downstream platforms including OpenAI and Vercel.

Rounding out today's briefing: infostealers have become the primary entry point for ransomware operations, with stolen session tokens remaining valid even after malware removal. ClickFix delivery and fake CAPTCHAs are the delivery mechanism of choice.

This episode includes AI-generated content.

8 June 2026 - 4 min

Miasma Worm Hits 73 Microsoft GitHub Repos via AI Coding Agents

  • (00:00:00) Miasma Worm Hits 73 Microsoft GitHub Repos via AI Coding Agents
  • (00:00:49) Trust Model Broken, Not Bypassed
  • (00:01:40) Credential Persistence and Re-Compromise
  • (00:02:12) Scope Still Unknown
  • (00:02:46) Structural Risk Across Open-Source
  • (00:03:22) What to Watch Next

A supply chain worm called Miasma has compromised 73 Microsoft GitHub repositories across four Microsoft organisations — Azure, Azure-Samples, Microsoft, and MicrosoftDocs — and it did so without exploiting a single vulnerability. No zero-day. No exploit signature. Just valid credentials and authenticated maintainer access.

Miasma is a variant of Mini Shai-Hulud, first deployed by threat group TeamPCP in May against the durabletask PyPI package. The June campaign returned to that same package — suggesting TeamPCP never lost access after the initial compromise — and expanded dramatically in scope. The 4.3 MB payload runner was injected directly into infected repositories, bypassing npm registry scanning entirely.

What makes this campaign structurally significant is the execution trigger. The payload detonates when a developer clones an infected repo and opens it in an AI coding assistant: Claude Code, Gemini CLI, Cursor, or VS Code, or during npm test runs. This is the first documented case of malware deliberately weaponising AI coding agents as an execution context — an attack surface that simply didn't exist two years ago.

The downstream exposure is unquantified. Production environments pulling durabletask or mantine-datatable packages before the takedown may have received the payload with no visible indicator. The full scope of compromised credentials remains unconfirmed.

For security teams: audit your dependency tree for durabletask and mantine packages pulled before the takedown, watch for Microsoft's credential-scope disclosure, and treat AI coding agent integrations as a threat surface requiring formal policy.

Across npm and GitHub, roughly 95 repositories have now been compromised in connected campaigns. The open-source trust model has no detection layer for maintainers operating normally on stolen credentials.

This episode includes AI-generated content.

7 June 2026 - 4 min

Azure Cloud Vulns Surge 16%, Cisco SD-WAN Zero-Day & Silent Ransom Goes Physical

  • (00:00:00) Azure Cloud Vulns Surge 16%, Cisco SD-WAN Zero-Day & Silent Ransom Goes Physical
  • (00:00:41) Cisco SD-WAN Zero-Day Exploited
  • (00:01:23) Silent Ransom Group Goes Physical
  • (00:02:17) SharePoint RCE Patch Released
  • (00:02:41) CBSE India Portal DDoS Attack
  • (00:03:12) Closing Watchpoints

Today's briefing opens with a counterintuitive signal: total Microsoft CVEs fell six percent this year, but critical vulnerabilities inside Azure and Entra ID climbed sixteen percent. That divergence reveals a deliberate attacker reorientation toward cloud identity infrastructure and Global Administrator access — the keys to everything downstream.

Cisco Catalyst SD-WAN Manager is under active attack. CVE-2026-20245 is a privilege escalation zero-day confirmed exploited in the wild by Mandiant, with no patch available. Authenticated access is required, but that pre-condition shrinks the window to act, not the urgency.

The FBI and Google issued a joint alert on Silent Ransom Group — a threat actor now sending physical imposters into law firm offices, posing as IT workers and exfiltrating data via USB drives and remote tools. No encryption. Pure extortion through threatened publication of stolen contracts and personal records. The ransomware playbook now has a physical chapter.

Microsoft released an out-of-band patch for CVE-2026-45659, a remote code execution flaw in SharePoint Server scoring CVSS 8.8. No active exploitation confirmed — worth queuing on the normal patch cycle.

Finally, India's CBSE exam results portal weathered a multi-day coordinated DDoS between June 2nd and 5th. No confirmed breach, but the timing and scale fit a pattern of high-visibility public sector targeting.

The closing watchpoint: CVE counts falling while exploit pressure rises, severity concentrating in cloud identity, and threat actors expanding beyond digital methods. The gap between security guidance and enterprise implementation is where most real risk lives right now.

This episode includes AI-generated content.

6 June 2026 - 4 min

VS Code OAuth Exploit, 76% Finance Ransomware Surge & DarkSword iPhone Kit

  • (00:00:00) VS Code OAuth Exploit, 76% Finance Ransomware Surge & DarkSword iPhone Kit
  • (00:00:48) VS Code OAuth Token Theft Flaw
  • (00:01:23) Financial Ransomware Up 76 Percent
  • (00:02:30) DarkSword iPhone Exploit Kit
  • (00:03:26) Ultrahuman Breach and India Cloud Gaps
  • (00:04:08) Key Signals to Watch

Responsible disclosure is fracturing. Researcher Ammar Askar published a working exploit for a Microsoft Visual Studio Code vulnerability just one hour after private disclosure, citing repeated failures by Microsoft's Security Response Center to act in good faith. It echoes the Nightmare Eclipse leaks that preceded it — and the pattern is hardening into a norm.

The VS Code flaw itself is serious: attackers can steal OAuth tokens via malicious repository recommendations combined with Jupyter Notebook popups, potentially granting access to any GitHub repository the victim can reach — including production environments. The social engineering surface inside a trusted development tool is wide.

On the financial threat front, Q1 2026 data shows direct ransomware attacks on financial institutions rose 76% year over year. Investment firms now account for 41.6% of incidents, overtaking banks as the primary target. Qilin alone claimed 59 financial incidents in the past year. More alarming: critical vendor vulnerabilities across the financial sector surged 387% between 2024 and 2025, and over half carry actively exploited CVEs.

Researchers also uncovered DarkSword, a copy-paste iPhone exploit kit targeting iOS 18.4 through 18.6.2 via watering hole attacks, with an estimated exposure window of up to 270 million devices. Attribution remains unknown. Apple responded by launching its new Background Security Improvement system and patching over 60 CVEs in May alone.

Finally, two Indian data exposure incidents raise regulatory questions: wearable company Ultrahuman delayed breach notification for over two months, and 366,000 JEE Advanced 2026 records were exposed through unauthenticated cloud storage — following a near-identical CBSE portal exposure days earlier.

This episode includes AI-generated content.

5 June 2026 - 5 min