Breaking news and updates from the world of technology.
Microsoft's June 2026 Patch Tuesday is the largest in the company's monthly update history: 200 vulnerabilities patched, 38 rated critical, and six zero-days — three with exploit code already public. Researchers say AI-assisted bug hunting is why, and that this volume may not be a one-time event.
Google and Mandiant confirm the hacking group targeted over 100 organizations — mostly US universities — using an unauthenticated remote code execution flaw with no patch currently available.
CVE-2026-35273 is a CVSS 9.8 unauthenticated remote code execution flaw in Oracle PeopleSoft PeopleTools 8.61 and 8.62 that ShinyHunters is actively exploiting. The University of Nottingham has confirmed a breach; nearly 500,000 student records are exposed. Oracle has issued an emergency out-of-band security alert.
CVE-2026-11645 is an out-of-bounds memory access in Chrome's V8 engine that allows remote code execution via a crafted web page. Update to Chrome 149.0.7827.102 now — all platforms are affected.
Microsoft released its largest-ever Patch Tuesday update today, fixing 208 vulnerabilities including a wormable CVSS 9.8 kernel flaw — and a researcher immediately responded by publishing a fresh Windows Defender zero-day exploit.
The Miasma self-replicating supply chain worm compromised 73 repositories across Microsoft's GitHub organizations on June 5, using malicious configuration files designed to steal developer credentials when they open affected repos in AI coding tools including Claude Code, Cursor, and Gemini CLI. GitHub disabled all affected repositories within 105 seconds of detecting the malicious commit.
A critical authentication bypass flaw in Check Point's Remote Access VPN products is being actively exploited by affiliates of the Qilin ransomware group. CISA added CVE-2026-50751 to its Known Exploited Vulnerabilities catalog on June 8 and has ordered US federal agencies to apply hotfixes by June 11.
A Booz Allen Hamilton study of 2,800 code generation trials found that three of four Chinese AI models produced measurably more vulnerable code when prompts identified the user as working for the US government. Qwen3-Coder generated 130% more flaws. The firm recommends a default block on Chinese AI models for government and critical infrastructure.
Attackers linked to Lapsus$ executed a three-hop supply chain attack: they first compromised Trivy (an open-source vulnerability scanner), extracted CI/CD credentials from LiteLLM's build pipeline, then published malicious LiteLLM versions 1.82.7 and 1.82.8 to PyPI. Any AI system pulling those versions executed attacker-controlled code — and Mercor, a $10B AI training contractor serving OpenAI, Anthropic, Meta, and Google, was one of the victims. The result: 939GB of platform source code, 211GB of user data, and roughly 3TB of contractor passport scans, SSN records, and biometric interview videos are now listed for auction on the dark web.
CISA has added CVE-2026-28318 to its Known Exploited Vulnerabilities catalog: an uncontrolled resource consumption flaw in SolarWinds Serv-U that lets unauthenticated attackers crash the service with a single crafted HTTP POST request. Federal agencies must patch to Serv-U 15.5.4 Hotfix 1 by June 19, 2026. Enterprise and government organizations outside the federal mandate should treat this as the same urgency.
A flaw in Meta's High Touch Support system — an AI-assisted tool meant to help users regain account access — let attackers reset passwords on accounts they didn't own, exploiting the tool with prompt injection.
Notorious extortion group ShinyHunters has published the entire 234 GB haul stolen from dental benefits administrator DentaQuest after the company refused to pay their ransom demand. The leaked files contain names, addresses, government-issued IDs, Medicaid numbers, and health insurance details for an estimated 2.6 million individuals.