Last updated: July 6, 2026 at 12:53 AM UTC
All 559 Vulnerability 199 Breach 107 Threat 246 Defense 7

OXLOADER malvertising poses as Node.js installer to drop an infostealer

Elastic Security Labs detailed OXLOADER, a previously undocumented Windows loader that reaches victims through malicious Google Ads impersonating the Node.js download page and other developer tools. A developer searching for Node.js clicks a sponsored result, lands on a convincing fake site, and runs a script that quietly installs the loader, which then deploys an in-memory infostealer called CastleStealer to harvest credentials and other data. OXLOADER is heavily obfuscated, runs several anti-analysis checks, and skips machines set to Russian or in Russian-aligned regions, pointing to a financially motivated Russian-speaking operator. Google removed the advertiser account, but the technique of buying ads against developer searches remains widespread.

Check
Remind developers and staff not to install tools from sponsored search ads, and check endpoints for unexpected installs that began with a downloaded Node.js or developer-tool installer from a non-official site.
Affected
Developers and technical users who search for tools like Node.js and click sponsored ads leading to fake download sites; the payload is an infostealer that harvests credentials and sensitive data.
Fix
Download developer tools only from official project sites or package managers, use ad-blocking or DNS filtering to cut malvertising, and deploy endpoint detection that flags in-memory loaders and credential-stealing behavior.

Attacker drains Ethereum MEV bot JaredFromSubway using fake-token honeypot

An attacker drained the well-known Ethereum trading bot JaredFromSubway by patiently baiting it into a trap rather than exploiting a software bug. Over several weeks, the attacker deployed 66 fake token contracts and sham liquidity pools mimicking WETH, USDC, and USDT, structured so the bot's automated logic treated them as profitable opportunities and granted token-spending approvals to attacker-controlled contracts. Later trades left those approvals active, and a single transaction then swept the bot's real funds. Security firms estimate the loss near $7.5 million, while the operator claims around $15 million. It is a reminder that standing token approvals in automated systems are dangerous even when the underlying contracts are sound.

Check
If you run automated trading or other systems that grant token or spending permissions, review where standing approvals exist, whether they are scoped, and whether they are revoked after each use.
Affected
Operators of automated on-chain trading bots and similar systems that grant token-spending approvals based on automated logic; attackers can manipulate that logic with fake but convincing opportunities to win lasting permissions.
Fix
Scope and time-limit token approvals, revoke them immediately after use, validate counterparties beyond surface-level profitability signals, and monitor for unusual approval grants so automated systems cannot be tricked into arming attackers.

Deploy 2023 Secure Boot certificates before Microsoft's 2011 ones expire this week

The original 2011 Microsoft certificates that underpin UEFI Secure Boot begin expiring in late June 2026, and organizations that have not rolled out the replacement 2023 certificates risk a slow erosion of boot-level security. Devices will keep starting normally, but once the old certificate authorities lapse they stop receiving Secure Boot updates for pre-boot components, leaving them more exposed to bootkits, and future bootloaders signed only with the new keys may fail to verify. Most consumer Windows PCs receive the 2023 certificates automatically through Windows Update, but Windows Server and many self-managed or older fleets need manual action. A second certificate that signs the Windows bootloader expires in October.

Check
Inventory Windows devices and servers with Secure Boot enabled and check whether the 2023 certificates are present using the Windows Security app, the UEFICA2023Status registry value, or System log Event ID 1808.
Affected
Windows devices, servers, and VMs still relying on the 2011 Secure Boot certificates; Windows Server and self-managed systems are most at risk because they do not receive the 2023 certificates automatically.
Fix
Apply current cumulative and OEM firmware updates, deploy the 2023 KEK and DB certificates (manually on servers), verify completion, and suspend BitLocker if prompted during the update to avoid recovery prompts.

Texas Parks and Wildlife vendor breach exposes 3 million license holders

The Texas Parks and Wildlife Department says a breach at the third-party vendor that runs its hunting and fishing license sales exposed personal data for 3,087,721 customers, in what officials call the state's largest government data breach this year. The exposed information includes driver's license details, passport numbers where provided, email addresses, phone numbers, and home addresses; the department says Social Security numbers, dates of birth, and financial data were not taken. Texas Cyber Command detected the intrusion, which reached customer profile data through the vendor's systems. Because driver's license and passport numbers cannot be reset, affected people face lasting identity-theft and phishing risk.

Check
Texas hunting and fishing license holders should enroll in the offered Kroll credit monitoring before September 14, watch for phishing referencing licenses or state agencies, and review financial statements for fraud.
Affected
The 3,087,721 Texas hunting and fishing license customers whose driver's license, passport, and contact details were exposed through the department's third-party license vendor; minors were reportedly not affected.
Fix
Place a credit freeze or fraud alert with the major credit bureaus, enroll in the free monitoring, and stay alert to identity fraud. Organizations should tighten third-party vendor access controls and monitoring.

AryStinger botnet hijacks thousands of outdated D-Link routers as proxies

Researchers at XLab have documented a previously unknown botnet called AryStinger that has taken over more than 4,000 outdated routers, mostly D-Link DIR-850L and DIR-818LW models, and turned them into proxies for malicious traffic. It spreads by exploiting old, unpatched vulnerabilities and can scan networks, tunnel and proxy traffic, run commands, and tamper with DNS settings to hijack users' browsing. A more advanced Go-based variant targets NAS devices and adds internal network reconnaissance using open-source pentest tools. Infections cluster in South Korea and China but reach Sweden and Southeast Asia too. The compromised devices are end-of-life and will not receive fixes.

Check
Identify end-of-life D-Link routers and internet-exposed NAS devices on your networks, check for unexpected DNS settings, outbound proxy or tunneling traffic, and signs of remote command execution or scanning.
Affected
Outdated, end-of-life D-Link routers (notably DIR-850L and DIR-818LW) and exposed NAS devices running unpatched firmware; tampered DNS can silently hijack browsing for every device behind the router.
Fix
Replace end-of-life routers with supported models, update firmware on NAS devices, change default credentials, disable remote management and internet-exposed admin interfaces, and reset DNS settings to trusted resolvers.

Hackers mass-exploit Gravity SMTP WordPress flaw to steal email API keys

Attackers are mass-exploiting a flaw in Gravity SMTP, a WordPress email plugin installed on about 100,000 sites, to harvest credentials without any login. The bug (CVE-2026-4020) leaves a REST API endpoint with a permission check that always passes, so a single unauthenticated request returns a 365 KB system report containing API keys, secrets, and OAuth tokens for connected email services like Amazon SES, Mailjet, and Zoho, plus detailed software-stack information. Wordfence has blocked more than 17 million attempts, with activity spiking around June 6 and 7. A patch shipped in version 2.1.5, but updating does not revoke keys attackers may have already grabbed.

Check
Identify WordPress sites running Gravity SMTP at version 2.1.4 or earlier, and review web server access logs for requests to the /wp-json/gravitysmtp/v1/tests/mock-data endpoint, which indicate attempted or successful data exposure.
Affected
WordPress sites running Gravity SMTP through 2.1.4 with email integrations configured (CVE-2026-4020); exposed API keys and OAuth tokens let attackers abuse connected email services and map the site for follow-on attacks.
Fix
Update Gravity SMTP to 2.1.5 or later, then assume compromise: rotate all API keys, secrets, and OAuth tokens set in the plugin's email connectors, and block the published attacker IPs.

New Prinz Eugen ransomware breaches organizations via stolen RDP credentials

Researchers at ThreatDown have detailed a new ransomware operation called Prinz Eugen that breaks from convention in two ways: it prioritizes recently modified files for encryption, hitting the data victims most likely still need, and it leaves no ransom note on the system. The operators break in manually using stolen RDP credentials, deploy remote management tools, steal data for double extortion, and encrypt with a modern cipher combination. At least five victims have been identified, including South Africa's Standard Bank, where the attacker demanded one bitcoin and was refused. The lack of a ransom note can delay detection and complicate incident response.

Check
Review internet-exposed RDP and remote-access services for weak or reused credentials and missing MFA, and check for unauthorized remote management tools and unexpected encryption of recently modified files.
Affected
Organizations exposing RDP or remote access with weak authentication; Prinz Eugen has hit at least five victims so far, including financial institutions, entering through stolen RDP credentials and hands-on intrusion.
Fix
Require phishing-resistant MFA on all remote access, restrict and monitor RDP, control remote management tools through allowlisting, segment networks, and keep tested offline backups to recover without paying.

Ralph Lauren breach exposes customer data as ShinyHunters extends retail spree

Have I Been Pwned has added 139,903 accounts from a breach of fashion brand Ralph Lauren, which the extortion group ShinyHunters claimed as part of its sweeping 2026 campaign against retail and luxury names. ShinyHunters says it took around 220 GB of data, including customer personal information, purchase histories, and financial transaction details, along with unreleased product and strategy plans. The group typically breaks in not through a brand's core systems but via connected platforms like Salesforce or customer-service tools. Exposed purchase and contact data is prime material for convincing phishing and fraud aimed at the retailer's customers.

Check
Ralph Lauren customers should check Have I Been Pwned for their email, watch for phishing or fraudulent charges referencing orders or accounts, and review payment statements for unauthorized activity.
Affected
Ralph Lauren customers whose personal, purchase, and transaction data was exposed (139,903 accounts confirmed); the breach is part of a broader ShinyHunters wave hitting retail and luxury brands through connected platforms.
Fix
Reset and stop reusing any Ralph Lauren account passwords, enable MFA, stay alert to order- and refund-themed phishing, and consider monitoring payment cards used with the retailer for fraud.

Splunk Enterprise flaw now exploited, added to CISA must-patch list

A critical Splunk Enterprise flaw disclosed earlier this month is now being exploited in the wild, and CISA has added it to its known-exploited list with a June 21 federal patch deadline. The bug (CVE-2026-20253, rated 9.8) is a missing-authentication issue in a PostgreSQL sidecar service: an unauthenticated, network-reachable attacker can create or truncate arbitrary files on the Splunk host, which can cascade into log corruption, broken monitoring, and remote code execution. Both Splunk and Resecurity have confirmed active exploitation, and a public proof-of-concept and Nuclei template exist. Because Splunk underpins many SOC and SIEM operations, a compromise can blind defenders.

Check
Identify Splunk Enterprise instances on 10.2 before 10.2.4 or 10 before 10.0.7, check whether the PostgreSQL sidecar endpoint is network-reachable, and review logs for path-traversal and unexpected PostgreSQL connections.
Affected
Splunk Enterprise 10.2 versions before 10.2.4 and 10 versions before 10.0.7 (CVE-2026-20253); instances whose PostgreSQL sidecar endpoint is reachable from untrusted networks are at highest risk.
Fix
Patch to Splunk Enterprise 10.2.4 or 10.0.7 immediately, or disable the PostgreSQL sidecar service as a temporary mitigation. Then run forensic triage for file tampering before assuming systems are clean.

Unpatchable BootROM exploit hits Apple A12 and A13 chips via USB

Researchers at Paradigm Shift published usbliter8, a working exploit that runs unauthorized code inside the SecureROM of Apple's A12 and A13 chips, the boot code burned into the silicon of devices from the iPhone XS through the iPhone 11, plus the S4 and S5 Apple Watch chips. Because the flaw lives in immutable hardware, no software update can fix it, so affected devices stay vulnerable for life. The catch is that it is not remote: an attacker needs physical possession of the device, must put it in DFU mode, and connect it to a special USB board, after which the exploit runs in under two seconds. It succeeds 2019's checkm8.

Check
Assess whether high-risk staff or sensitive workflows rely on older Apple devices with A12 or A13 chips (iPhone XS through iPhone 11), which could be compromised if physically seized or lost.
Affected
Apple devices on A12 and A13 chips, roughly iPhone XS through iPhone 11 plus Apple Watch S4 and S5; exploitation needs physical access and DFU mode, so remote risk is nil.
Fix
There is no software fix. Retire or replace affected older devices for high-risk users, enforce strong passcodes and device encryption, keep physical control of devices, and avoid leaving them unattended.