
BobDaHacker didn't find a zero-day. She didn't exploit a memory corruption bug or chain together three CVEs. She uploaded a photo of her ID to FIFA's public agent registration portal, got added to FIFA's Microsoft Entra tenant, and walked straight into the live production Streaming Management panel for the FIFA World Cup 2026. Every match. Every camera angle. Every RTMP stream key. One click away from replacing the PGM feed — the main broadcast output going to every TV network worldwide — with whatever she felt like pushing. She did not push anything. She spent the rest of the night calling FIFA, MediaKind, HBS, CISA, and the FBI trying to get someone to pick up the phone.

The root cause is almost insultingly mundane: client-side authorization with no server-side enforcement. The Angular frontend checked the JWT, found no roles, showed an "access denied" page. The backend APIs didn't check anything. FIFA fixed it by the next morning without ever responding to the researcher. She's still on their official match document distribution list, receiving Start Lists and Tactical Lineups in four languages. The vulnerability is gone. The bug bounty program, the security.txt file, and the acknowledgment to the person who saved them from a global broadcast catastrophe remain absent. Client-side authorization is not authorization. It's 2026.


🔓 BREACHES & SECURITY INCIDENTS

🇺🇸 🪪 Hackers breached a Texas state vendor and stole more than 3 million driver’s license and passport numbers. The leak also exposed emails, phone numbers, and home addresses. The Texas Parks & Wildlife Department confirmed the incident but gave few details.

🇦🇺 Mackay Sugar, Australia’s second-largest raw sugar producer, was hit by a ransomware attack that forced some mills to shut down. The company has partially resumed limited, manual operations while restoring systems and advising growers not to harvest yet. The cybercriminal group The Gentlemen claimed the attack but has not yet leaked data.

🔓 Attackers used a compromised Klue app connection to steal Salesforce CRM data via OAuth tokens. Salesforce suspended Klue integrations while Klue revoked credentials and warned customers. The breach exposed sales contacts and quotes for some customers, and investigators say this matches a known OAuth-abuse playbook.

🇺🇸 MCNA Dental agreed to a multimillion-dollar settlement after a 2023 LockBit ransomware attack that exposed data for nearly 9 million people. The settlement offers limited cash payments, two years of medical data monitoring, and covers administrative and legal fees. MCNA denies wrongdoing and says it has improved security measures.

🇪🇺 Extortion group ShinyHunters claims it hacked the Council of Europe and stole about 297–300 GB of data. The group says the haul includes payrolls, CVs, medical records, bank details, and other staff files for thousands of employees. ShinyHunters threatens to publish the files unless the Council contacts them by June 16; the Council has not yet commented.

🇺🇸 iRhythm disclosed a data breach after hackers stole patient and personal information from third-party business apps. The company said attackers demanded a ransom and confirmed data was exfiltrated, but its devices and clinical systems were not impacted. iRhythm is investigating with cybersecurity experts and has activated its response plan.

🇫🇷 A hacker using the handle “misère” and French authorities both say about 73,000 government Tchap accounts were stolen in a June 7 breach. The attacker claims to have also taken 13.5 GB of files and hundreds of thousands of messages, but that claim is unverified. Experts warn the exposed names, emails and messages could fuel widespread phishing or worse, yet motive and actor remain unclear.

🇩🇰 Pharmaceutical company Novo Nordisk said hackers accessed some internal IT systems and personal data. The breach exposed limited clinical trial info and some healthcare provider contact details, but not names linked to trial participants. No group has claimed responsibility.

→ More breaches:

🥷🏻 CYBERCRIME, CYBER ESPIONAGE, APTs

Authorities disrupted the SocGholish (aka FakeUpdates) botnet used by Evil Corp to infect websites and steal access since 2017. Law enforcement and partners took down 106 servers, cleaned nearly 15,000 infected sites, and disabled the botnet. Officials warned criminals used traffic distribution systems to redirect victims to malware, ransomware, and credential-stealing schemes.

🇨🇳 The FBI, with Google and Black Lotus Labs, shut down Outsider Enterprise, a huge China-linked phishing-as-a-service operation that used AI and over a million fake URLs. Authorities say the scams stole millions of credit card records and caused about $1.9 billion in losses. Google filed a lawsuit, helped block messages with carriers, and urges stronger anti-scam laws and AI defenses for users.

🇨🇳 Google's Threat Intelligence Group says a China-linked cyberespionage group, UNC6508, has targeted North American medical, academic, and military research since at least 2023. The attackers used malware called InfiniteRed and abused REDCap servers and email compliance rules to steal data on medicine, AI, drones, and defense. Google disrupted the group’s infrastructure, warned victims, and published technical details and IoCs.

🗓️ {Cyber,Info}Sec Events — A community-maintained list of infosec conferences worldwide. Subscribe to the ICS calendar feed to get events straight into your calendar, or follow @[email protected] on Mastodon for weekly digests. Contributions and ⭐ welcome!

👨🏻‍⚖️ 👀 GOVERNMENT, POLITICS, AND PRIVACY

🇮🇳 🚫 India told the Delhi High Court that it warned Telegram before blocking the app over channels selling leaked NEET-UG exam papers. Telegram admitted it could not proactively find such channels and only acted on reports, while it says it cooperated and calls the ban unlawful. The nationwide block disrupted access beyond India and remains in place until the court rules.

📍 Google will start using UK, EEA and Swiss users' IP addresses to identify devices for ad measurement and personalization from about August 3, 2026. This treats IPs as personal data under EU/UK rules and requires user consent, shifting compliance responsibility to advertisers. Regulators warn existing consent rules still apply and Google will add a user choice later in its rollout.

🇬🇧 🤳 The UK will ban under-16s from major social media platforms and require age checks for new accounts starting spring 2027. New users will likely need to upload ID or pass a facial age scan, ending easy anonymous sign-ups. Experts warn this risks privacy and can be bypassed, while platforms say it may push teens to less-regulated spaces.

🇺🇸 President Trump signed NSPM-12 to strengthen cybersecurity for the most sensitive U.S. government systems (NSS). The memo reestablishes and modernizes the Committee on National Security Systems (CNSS) and names the NSA director as National Manager to oversee standards, emergency directives, and coordination. Agencies must inventory their NSS and update the inventory yearly, and CNSS will revise policies and issue a roadmap within three months.

🦠 MALWARE & THREATS

🪱 A Windows crypto clipper active since Feb 2026 steals clipboard wallet data, replaces addresses, and uploads screenshots. It uses script-based payloads, a portable Tor client (localhost:9050), and hidden-service C2s for stealthy control and runtime tasking. A worm-like component spreads via malicious .lnk shortcuts and creates persistence while avoiding Defender scans.

🕸 📺 Researchers say the Popa botnet has turned millions of Android TV boxes into residential proxies used for ad fraud, account takeovers, and massive web scraping. Multiple firms link Popa traffic to NetNut, a proxy service owned by publicly traded Alarum Technologies, though the company denies it runs a botnet. Security experts warn these proxy SDKs put home and corporate networks at risk and fuel large-scale AI data scraping.

🔙 🚪 Researchers found a new Go backdoor, Backdoor.Turn, used by DragonForce that hides command-and-control traffic inside legitimate Microsoft Teams relay connections. The attackers used this stealthy tool along with DLL sideloading and kernel-level exploits to persist, move laterally, and steal data. This technique makes malicious traffic look like normal Teams activity, evading detection.

🏦 🎠 A new Android banking Trojan called Rokarolla gives attackers near-total control of infected phones to steal credentials and take over accounts. It is spread via fake app downloads and targets over 200 banking, crypto, and social apps while disabling protections like Google Play Protect. Rokarolla intercepts SMS codes, records keystrokes, and uses overlays and call blocking to hide fraud and prevent users from stopping it.

🇰🇵 North Korean group APT37 (ScarCruft) sent fake Microsoft security emails to trick victims into opening a ZIP that ran a malicious LNK file. The LNK launched a multi-stage Python-based loader that installed NarwhalRAT, giving attackers keystroke logging, screenshots, audio capture, file theft, and remote control. The malware uses Korean sites and pCloud as C2 channels and persists via scheduled tasks while hiding data in a folder named to resemble the Naver Whale browser.

🤖 🧰 AI, CRYPTO, TECH & TOOLS

🐛 A bug in the Google Vertex AI Python SDK let attackers pre-create predictable storage buckets and hijack model uploads. Attackers could replace models with malicious pickle payloads that ran code in Google's serving containers and stole tokens. Google patched the issue; update to google-cloud-aiplatform v1.148.0+ and set an explicit staging_bucket.

🦠 📦 Hackers poisoned many packages in the Mastra AI npm ecosystem by adding a malicious typosquat dependency that ran a hidden payload. Users who installed @mastra packages should treat their environments as compromised and downgrade or lock to [email protected] immediately. GitHub/npm are rolling out security changes to block automatic scripts from dependencies to reduce such supply-chain attacks.

🤝 🔍 A group of fintech and tech companies formed Athena to find and fix open-source software vulnerabilities before they can be exploited. Members share findings, protections, and patches on a common platform so fixes reach users faster than public disclosure. The goal is to stop fast AI-driven attacks by coordinating defenses across many organizations.

🐛 🧠 VULNERABILITIES, RESEARCH, AND THREAT INTELLIGENCE

➝ From the Patching Department:

🔥 🧱 Cybercriminals have hacked tens of thousands of Fortinet firewalls and VPNs worldwide by using lists of leaked or weak passwords. Once inside, they monitor traffic to steal more credentials and then use those to breach more devices. Major companies and government agencies in many countries were affected.

💥 Attackers are exploiting two serious bugs in Joomla’s JCE editor (CVE-2026-48907) and LiteSpeed’s cPanel plugin (CVE-2026-54420) to run code and gain root privileges. Both flaws have been actively used in the wild and patches were released in early June. Authorities (CISA) urge immediate updates and checks because automated exploits can fully compromise servers.

A researcher found a simple bug in FIFA’s systems that let anyone register as an agent and access internal platforms. Using that access, she could control the TV feed and what commentators saw for every World Cup match. She reported it and FIFA fixed the flaw within hours.

🛰️ ICS, OT & IoT

🩹 Rockwell Automation released patches for multiple vulnerabilities in its controllers, Flex I/O adapters, RSLinx software, and FactoryTalk suite. Some flaws allow denial-of-service, bypassing authentication, or unauthorized administrative actions. The company says the new issues have not yet been observed being exploited in the wild.

💬 CONNECT

Follow me on Mastodon for quick daily updates and bite-sized content.

Prefer using an RSS feed? Add Infosec MASHUP to your feed here.

Enjoying our newsletter? Forward it to a colleague — it’s one of the best ways to support us.

Thanks for reading today’s newsletter, and if you're enjoying it and want to support my work, you can buy me a coffee ☕ over at https://www.buymeacoffee.com/0x58

See you next time!

-X.
