Extortion Without Encryption, Third-Party Breach Surge & Q-Day Risk

Record Patch Tuesday: HTTP.sys Zero-Day, BitLocker Bypass & ServiceNow Breach

(00:00:00) Record Patch Tuesday: HTTP.sys Zero-Day, BitLocker Bypass & ServiceNow Breach (00:00:32) Three Zero-Days — CTFMON, HTTP.sys, BitLocker (00:01:39) AI Exploit Generation Shrinks Patch Window (00:02:24) ServiceNow Breach — Silent Disclosure Problem (00:03:19) Credential Exposure and What to Check Now (00:03:58) What Enterprises Must Do Now Microsoft has just released the largest Patch Tuesday in its 23-year history, covering up to 208 vulnerabilities — and three of them are confirmed, actively exploited zero-days that demand immediate action across every enterprise environment. The critical trio: an unauthenticated HTTP.sys remote code execution flaw granting kernel-mode access on internet-facing Windows servers; CVE-2026-45586, a CTFMON privilege escalation that elevates local attackers straight to SYSTEM; and CVE-2026-50507, a BitLocker volume master key bypass that undermines full-disk encryption as an offline defence. All three are in active exploitation. This is emergency patching territory. Making the response window even tighter: large language models can now reverse-engineer patches and generate functional exploits within hours of public release. The old assumption of weeks between patch and weaponised exploit is gone. Meanwhile, ServiceNow confirmed a separate breach of its customer data between June 2–3. Attackers exploited an unauthenticated Scripted REST API endpoint — disabled by a single misconfigured parameter — to query IT tickets and harvest embedded credentials across more than 8,000 enterprise instances. The platform was patched June 5; the advisory appeared June 9, behind a customer-only portal. That four-day gap may already have organisations running behind on GDPR, HIPAA, and SEC notification clocks. In this episode: what to patch first, how to assess your ServiceNow exposure, why the monthly patch cycle no longer fits the threat environment, and the specific actions security teams should take in the next 24 hours. This episode includes AI-generated content.

CISA's June 11 Deadline, Chrome's 5th Zero-Day & 698 Ransomware Attacks in May

(00:00:00) CISA's June 11 Deadline, Chrome's 5th Zero-Day & 698 Ransomware Attacks in May (00:01:18) Chrome V8 Fifth Zero-Day 2026 (00:02:04) Microsoft's Record Patch Tuesday (00:03:04) Ransomware Surge May 2026 (00:03:34) GenAI Leakage and Azure Supply Chain (00:04:25) What to Watch Next CISA has issued one of its tightest-ever emergency directives: every US federal civilian agency must patch CVE-2026-50751, an authentication bypass in Check Point Remote Access VPN, by end of day June 11 — or disconnect. Qilin ransomware affiliates have had a working exploit since at least May 7, with confirmed attacks across dozens of organizations globally. Mitigation paths exist — disable IKEv1 or enforce machine certificate authentication — but the three-day clock leaves no room for low-priority treatment of legacy VPN debt. Elsewhere on the threat landscape, Google has patched CVE-2026-11645, a V8 out-of-bounds read/write flaw in Chrome that enables remote code execution via a crafted HTML page. This is Chrome's fifth confirmed zero-day in 2026, with a $55,000 bounty paid on discovery. Microsoft's June Patch Tuesday broke records: more than 200 critical CVEs addressed, including 360 Chromium-related fixes. Three had public exploits at release time. A researcher known as Nightmare Eclipse — claiming former Microsoft employee status — has publicly pledged a mass exploit drop on July 14, a date now worth monitoring. May 2026 ransomware data paints a stark picture: 698 reported attacks globally, up 48% year-over-year. Business Services saw a 359% spike. Three groups account for 39% of all attacks; 58 additional groups share the rest — a resilient, industrialized ecosystem. Finally: enterprise GenAI tools are leaking credentials and IP at scale, with 1 in 25 prompts carrying high-risk content, and Microsoft's Azure Durable Task SDK has suffered a second Shai-Hulud worm infection across 72 public repositories — raising questions about whether remediation of the May attack was ever complete. This episode includes AI-generated content.

Check Point VPN Zero-Day, 44% Ransomware Surge & FBI Network Breach

(00:00:00) Check Point VPN Zero-Day, 44% Ransomware Surge & FBI Network Breach (00:00:44) Ransomware Surge: 44% of Breaches (00:01:30) SMBs: 61% Breached, Zero Budget (00:02:05) Nation-State Infrastructure Attacks (00:02:34) FBI Breach and Open Source Compromise (00:03:08) ETHS Closure and Hasbro Outage A Qilin ransomware affiliate is actively exploiting CVE-2026-50751, an authentication bypass in Check Point's Remote Access and Mobile Access VPN products, with dozens of confirmed victims and no patch timeline announced. The vulnerability targets systems still running the deprecated IKEv1 protocol — an attack surface defined entirely by deferred maintenance. That campaign lands against a dramatically worsened ransomware landscape. New figures show ransomware now appears in 44% of all data breaches, up from 32% the prior year — a 38% year-over-year rise. The ransomware-as-a-service ecosystem currently tracks 95 active gangs, 55 new families emerged in the past year, and double extortion is now standard in 88% of incidents. Small businesses face the sharpest exposure: 88% of SMB breaches involve ransomware, 61% of small firms were hit in the past year, and yet 47% of companies with fewer than 50 employees maintain zero dedicated cybersecurity budget. Elsewhere, Russia-linked actors are targeting European energy and water infrastructure across Poland, Sweden, and Norway. Iranian hackers struck US water utilities and Stryker medical devices with destructive wiper malware. The FBI declared a major cyber incident after an unclassified network breach exposed surveillance target phone numbers, with attribution pointing to Chinese government actors. A supply chain compromise also backdoored widely-used open source tools including Trivy, Bitwarden, and Checkmarx, with downstream impact reaching OpenAI and Vercel. Evanston Township High School closed through Tuesday following a ransomware attack. Hasbro remains largely offline weeks after a March intrusion. Key watchpoints: Check Point customers on IKEv1 need to act now. The open source supply chain map is still incomplete. The FBI breach is an unresolved national security question. This episode includes AI-generated content.

Cisco SD-WAN Zero-Day Exploited, FBI Breach & Iran Hits Water Utilities

(00:00:00) Cisco SD-WAN Zero-Day Exploited, FBI Breach & Iran Hits Water Utilities (00:01:00) FBI Breach Exposes Surveillance Targets (00:01:32) Infrastructure as Active Battleground (00:02:12) Social Security Database Under Investigation (00:02:41) Supply Chain Breaches Continue Weekly (00:03:09) Infostealers Feeding Ransomware Pipeline A zero-day in Cisco's Catalyst SD-WAN Manager is being actively exploited in the wild — no patch exists, and it's the seventh SD-WAN flaw weaponised this year. CVE-2026-20245 carries a CVSS score of 7.8, enabling root command injection on edge devices. Cisco has confirmed unauthorised configuration changes in the wild, with no vendor fix available. Today's episode opens there and doesn't move on quickly. From federal networks to critical infrastructure: the FBI has confirmed Chinese-linked actors compromised an unclassified network, exposing active surveillance targets and wiretap numbers from pen register data. The counterintelligence fallout could extend for years. Meanwhile, Iran-linked actors are actively targeting U.S. water utilities, Russia is sustaining its campaign against European power grids, and Iranian hackers wiped tens of thousands of devices at Stryker in March. Three nation-state actors are simultaneously running live operations against civilian infrastructure. On the domestic data exposure front, DOGE-led access to the Social Security Administration's database remains under investigation. If worst-case assessments hold, this could be the largest government data breach in U.S. history by affected population. Open source supply chain compromises — hitting Trivy, Bitwarden, and Checkmarx — are now running at a weekly cadence, with stolen developer credentials cascading into downstream platforms including OpenAI and Vercel. Rounding out today's briefing: infostealers have become the primary entry point for ransomware operations, with stolen session tokens remaining valid even after malware removal. ClickFix delivery and fake CAPTCHAs are the delivery mechanism of choice. This episode includes AI-generated content.

Miasma Worm Hits 73 Microsoft GitHub Repos via AI Coding Agents

(00:00:00) Miasma Worm Hits 73 Microsoft GitHub Repos via AI Coding Agents (00:00:49) Trust Model Broken, Not Bypassed (00:01:40) Credential Persistence and Re-Compromise (00:02:12) Scope Still Unknown (00:02:46) Structural Risk Across Open-Source (00:03:22) What to Watch Next A supply chain worm called Miasma has compromised 73 Microsoft GitHub repositories across four Microsoft organisations — Azure, Azure-Samples, Microsoft, and MicrosoftDocs — and it did so without exploiting a single vulnerability. No zero-day. No exploit signature. Just valid credentials and authenticated maintainer access. Miasma is a variant of Mini Shai-Hulud, first deployed by threat group TeamPCP in May against the durabletask PyPI package. The June campaign returned to that same package — suggesting TeamPCP never lost access after the initial compromise — and expanded dramatically in scope. The 4.3 MB payload runner was injected directly into infected repositories, bypassing npm registry scanning entirely. What makes this campaign structurally significant is the execution trigger. The payload detonates when a developer clones an infected repo and opens it in an AI coding assistant: Claude Code, Gemini CLI, Cursor, or VS Code, or during npm test runs. This is the first documented case of malware deliberately weaponising AI coding agents as an execution context — an attack surface that simply didn't exist two years ago. The downstream exposure is unquantified. Production environments pulling durabletask or mantine-datatable packages before the takedown may have received the payload with no visible indicator. The full scope of compromised credentials remains unconfirmed. For security teams: audit your dependency tree for durabletask and mantine packages pulled before the takedown, watch for Microsoft's credential-scope disclosure, and treat AI coding agent integrations as a threat surface requiring formal policy. Across npm and GitHub, roughly 95 repositories have now been compromised in connected campaigns. The open-source trust model has no detection layer for maintainers operating normally on stolen credentials. This episode includes AI-generated content.