Last updated: July 6, 2026 at 12:53 AM UTC
All 559 Vulnerability 199 Breach 107 Threat 246 Defense 7

French government messenger Tchap breached, hitting 73,000 public servants

France's government messaging platform Tchap, the in-house, Matrix-based app that civil servants are required to use instead of WhatsApp or Signal, was breached after a threat actor hijacked a single user account, no software exploit needed. The cyber agency ANSSI detected it on June 7. Officials say data tied to about 73,000 accounts, roughly 9 percent of users, was exposed: the attacker scraped everything shared in public chat rooms, which are not encrypted, while private end-to-end conversations stayed protected. The haul includes over 13.5GB of documents and media plus hardcoded LDAP credentials leaked in a PowerShell script. Entry was via the education ministry's server.

Check
Review what your organization shares in unencrypted public or group chat channels, and scan scripts and config files for hardcoded credentials like the LDAP secret exposed in this breach.
Affected
Around 73,000 French public-sector Tchap accounts; data posted in unencrypted public chat rooms was exposed, while end-to-end-encrypted private conversations were not. The entry point was one hijacked account.
Fix
Enforce phishing-resistant MFA so single accounts cannot be hijacked, remove hardcoded credentials from scripts, treat public chat rooms as non-confidential, and monitor for bulk data access across collaboration platforms.

Google sues Chinese network for weaponizing Gemini AI in smishing scams

Google has filed suit against a Chinese cybercrime network it says abused its Gemini AI to mass-produce phishing text messages and fake websites targeting Americans. The group runs a phishing-as-a-service kit called Outsider and used Gemini to generate fraudulent pages and large smishing campaigns. The texts impersonate trusted brands, warning of "brokerage account issues" or dangling carrier "rewards," and link to lookalike sites that harvest personal and financial details. Google says the lawsuit aims to dismantle the network's infrastructure. The case underscores how criminals are folding mainstream AI tools into industrialized phishing operations.

Check
Remind staff and yourself to treat unexpected texts about account problems or rewards as suspect, and review mobile-threat and link-protection telemetry for spikes in smishing referencing banks or carriers.
Affected
Mobile users, especially in the US, targeted by SMS phishing impersonating banks, brokerages, and phone carriers via the Outsider phishing-as-a-service kit; financial and personal data are the goal.
Fix
Never click links in unsolicited texts; navigate to institutions directly. Enable carrier and device spam filtering, report smishing, and use phishing-resistant MFA so stolen passwords alone cannot unlock accounts.

Oracle issues emergency PeopleSoft fix as exploited zero-day drives breaches

The ShinyHunters data-theft wave against Oracle PeopleSoft, covered yesterday, now has a confirmed root cause: a zero-day. Oracle has issued an out-of-band emergency mitigation for CVE-2026-35273, a critical flaw (rated 9.8) in PeopleSoft PeopleTools that lets an unauthenticated attacker run code on the server over HTTP, with no login required. Google's Mandiant says the bug was exploited from May 27 to June 9, before any advisory existed, and notified more than 100 affected organizations, 68 percent of them universities. The exposed component is the Environment Management Hub. Affected versions are PeopleTools 8.61 and 8.62; a full patch is still pending.

Check
Determine whether PeopleSoft PeopleTools 8.61 or 8.62 is in use and whether the Environment Management Hub is reachable externally, then review logs for the published attacker IPs and credential-spray activity.
Affected
Oracle PeopleSoft Enterprise PeopleTools 8.61 and 8.62 with the Environment Management Hub exposed to untrusted networks (CVE-2026-35273); PeopleSoft Enterprise Applications customers may also be affected.
Fix
Apply Oracle's emergency mitigations from the June out-of-band alert immediately and restrict access to the Environment Management Hub, then watch for the full patch and assume compromise where exposed.

Critical Ivanti Sentry flaw now exploited within a day of disclosure

The critical Ivanti Sentry flaw covered yesterday is now under active attack, with researchers reporting compromised gateways within about 24 hours of the patch and public patch analysis. CVE-2026-10520, rated a perfect 10, is an OS command injection in an internal configuration API that accepts commands from anyone who can reach it over the internet, granting remote code execution as root with no login. A second flaw, CVE-2026-10523, lets attackers create their own admin accounts. With exploitation confirmed and detection tooling public, the time to patch has effectively run out for internet-exposed appliances. Ivanti released fixes earlier this week.

Check
Treat any unpatched, internet-facing Ivanti Sentry as potentially compromised: review appliances for rogue administrator accounts, unexpected root commands, and connections from unfamiliar IPs before and after patching.
Affected
Internet-exposed Ivanti Sentry (formerly MobileIron Sentry) 10.5.1, 10.6.1, 10.7.0 and earlier, now actively exploited via CVE-2026-10520 (root RCE) and CVE-2026-10523 (admin auth bypass).
Fix
Patch to R10.5.2, R10.6.2, or R10.7.1 immediately if not already done, then perform incident response: rebuild compromised appliances, remove rogue accounts, and rotate connected credentials and secrets.

New unpatched GreatXML exploit bypasses Windows BitLocker encryption

The researcher known as Nightmare Eclipse has published a second unpatched Windows exploit in two days, this one defeating BitLocker disk encryption. Called GreatXML, it abuses the Windows Defender Offline Scan feature: any machine that has ever run an offline scan is left permanently vulnerable. An attacker with physical access copies a crafted unattend.xml file and a Recovery folder to the recovery partition, reboots into the Windows Recovery Environment with Shift plus Restart, and gets a privileged shell with full access to the encrypted drive, no login needed. Proof-of-concept code is public on GitHub, there is no patch yet, and Microsoft says it is investigating.

Check
Identify Windows devices protected only by BitLocker without a startup PIN, especially laptops that travel, and check whether Windows Defender Offline Scan has ever been run on them.
Affected
Windows devices using BitLocker where a Defender Offline Scan has run at least once; an attacker with physical access to the machine can reach the encrypted volume. No patch yet.
Fix
Require a TPM-plus-PIN or startup password for BitLocker so pre-boot recovery cannot be abused, restrict physical access to devices, and watch for a Microsoft fix to apply once released.

The Gentlemen ransomware adds worm-like spread, tops 478 victims

The Gentlemen, a ransomware-as-a-service operation tracked by Microsoft as Storm-2697, has been upgraded with a self-spreading mode and now claims 478 victims across dozens of countries and industries. Written in Go and obfuscated to evade analysis, its optional --spread switch turns a single-machine infection into a network worm that deploys the encryptor to every reachable system, using stolen or reused credentials to move laterally. A --wipe switch destroys recoverable data and forensic traces. On each host it disables Defender, weakens firewall and authentication settings, and adds scheduled tasks for persistence. Initial access often comes through compromised Fortinet edge-device credentials.

Check
Hunt for The Gentlemen's persistence markers (scheduled tasks named UpdateSystem or UpdateUser, Run keys GupdateS and GupdateU), and audit Fortinet edge devices for compromised or reused credentials.
Affected
Windows-based organizations, plus Linux, NAS, BSD, and ESXi systems; networks with flat segmentation and shared credentials are most exposed to the worm-like lateral spread.
Fix
Enforce unique credentials and phishing-resistant MFA, segment networks to limit lateral movement, keep offline tested backups, patch and monitor Fortinet edge devices, and harden Defender against tampering.

Japanese utility Kyushu Electric loses drive holding 10.9 million customer records

Kyushu Electric Power, one of Japan's largest utilities, has disclosed a physical security incident: a storage drive containing the personal data of more than 10.9 million customers went missing. Because the exposure stems from lost media rather than a network intrusion, the risk depends largely on whether the drive was encrypted, a detail that determines if the data is readable by whoever finds it. The incident is a reminder that data-governance failures, like unencrypted or poorly tracked portable storage, can expose as many records as a sophisticated hack. Affected customers should watch for fraud and phishing attempts referencing their utility account.

Check
Kyushu Electric customers should watch statements and inboxes for fraud or phishing referencing their utility account; organizations should audit how portable drives holding personal data are encrypted and tracked.
Affected
More than 10.9 million Kyushu Electric Power customers whose personal data was stored on the missing drive; exposure severity depends on whether that storage was encrypted.
Fix
Encrypt all portable and removable media holding personal data, maintain strict chain-of-custody and inventory for such drives, and minimize the data placed on movable storage in the first place.

Critical FortiSandbox flaw lets unauthenticated attackers run commands

Fortinet has patched a critical flaw in FortiSandbox, the appliance that detonates suspicious files and feeds malware verdicts to the rest of a Fortinet security deployment. The bug (CVE-2026-25089, rated 9.8) is an OS command injection in the web interface that lets a remote, unauthenticated attacker run arbitrary commands by sending crafted HTTP requests. Compromising a sandbox is especially dangerous because attackers can both pivot deeper into the network and blind the very system meant to catch malware. Fixed versions are FortiSandbox 5.0.6 and 4.4.9, with matching updates for the Cloud and PaaS editions.

Check
Identify FortiSandbox appliances and their version and whether the web interface is reachable from untrusted networks, and review HTTP and admin logs for unexpected command execution.
Affected
FortiSandbox, FortiSandbox Cloud, and FortiSandbox PaaS web interfaces before the fixed releases (CVE-2026-25089), reachable by remote unauthenticated attackers over HTTP.
Fix
Upgrade FortiSandbox to 5.0.6 or 4.4.9 (and the matching Cloud and PaaS releases) now, and restrict management-interface access to trusted networks until patched.

Attackers post fake breach notices to Maine's public disclosure portal

In an unusual misinformation campaign, fraudulent data-breach notices were submitted to Maine's official Attorney General breach portal and published before anyone verified them, forcing named companies to issue denials. One filing falsely claimed a Discord breach affecting more than 10 million people, submitted not by a company representative but by an individual using a personal Gmail address, a placeholder phone number, and impossible dates. Because the portal is public and a listing does not mean a breach is confirmed, the fakes can spread fear, damage reputations, and seed convincing phishing lures. It highlights how trusted disclosure channels can be weaponized.

Check
Monitor state breach-notification portals for filings naming your organization, and verify any breach claim about a vendor or partner through that company's official channels before acting on it.
Affected
Any organization that can be named in a fraudulent filing, and the public and journalists who treat a portal listing as confirmation; the underlying portal trust model is the weakness.
Fix
Establish monitoring and a rapid-denial process for fake filings, brief staff and customers to confirm breach notices via official sources, and press regulators to add basic submitter verification.

Cheap OnyxC2 service puts enterprise-grade data theft within easy reach

Researchers at BlackFog have detailed OnyxC2, a new malware-as-a-service sold on cybercrime forums that packages professional-grade data theft for as little as $250 a month, with a $500 premium tier adding hidden-desktop control and a $6,000 buyout option. It ships with a polished control panel and ready-made lures disguised as FinePrint, Windows Settings, a fake Windows update, and a game installer. Its payloads slipped past VirusTotal scanning when first uploaded and were still undetected weeks later, and builds use AES-256 encryption. The low price and turnkey design lower the barrier for less-skilled criminals to run capable infostealing campaigns.

Check
Watch endpoints for execution of lure-style installers impersonating FinePrint, Windows Settings, or Windows updates from untrusted sources, and hunt for unexplained outbound data transfers and hidden-desktop activity.
Affected
Organizations whose staff can be tricked into running disguised installers; the low cost and bundled lures widen the pool of attackers able to deploy capable infostealers.
Fix
Restrict software installation to approved sources, enforce application allow-listing and EDR with behavioral detection, train staff on disguised-installer lures, and monitor for and block anomalous data exfiltration.