CVE-2025-60727, an out-of-bounds read vulnerability in Microsoft 365 Apps Excel parser, allows remote code execution via malicious Excel files. The flaw affects Microsoft 365 Apps, Excel 2016, Office 2019, Office LTSC 2021 and 2024, and Office Online Server. Exploitation requires user interaction but can lead to arbitrary code execution with victim privileges, enabling credential harvesting and lateral movement. Microsoft has released security updates and organizations should prioritize patching.
FBI warned of active Kali365 phishing campaign targeting Microsoft 365 users since April 2026. The platform leverages Microsoft's legitimate device code sign-in process to bypass passwords and multi-factor authentication, capturing OAuth tokens to gain unauthorized access to Outlook, Teams, and OneDrive accounts. Campaign distributed via Telegram with AI-generated phishing templates.
A critical command injection vulnerability (CVE-2026-12537, CVSS 10.0) in Google's Gemini CLI and run-gemini-cli GitHub Action allows unprivileged remote attackers to execute arbitrary OS commands before sandbox initialization. Two root causes enable the exploit: automatic workspace trust in headless mode loading malicious .env files, and tool allowlist bypass in --yolo mode. Attackers can exploit prompt injection to exfiltrate CI secrets and push malicious code to repositories. Patches released: @google/gemini-cli v0.39.1/v0.40.0-preview.3 and run-gemini-cli v0.1.22.
Microsoft disclosed CVE-2026-52930, a Linux kernel race condition in System V shared-memory cleanup affecting Azure Kubernetes Service (AKS), Windows Subsystem for Linux 2 (WSL2), and hybrid cloud workloads. A race window during shared-memory segment destruction allows local attackers to corrupt kernel memory and achieve privilege escalation within the guest. CVSS score is 7.8 (Important). Microsoft has published patches; administrators must apply kernel updates immediately.
Microsoft released patches for CVE-2026-53225, a Linux kernel SCTP vulnerability that leaks uninitialized kernel memory through malformed ASCONF chunks. The flaw affects Azure Linux VMs with SCTP enabled and WSL2 deployments. Successful exploitation may expose encryption keys, credentials, or other sensitive kernel heap data. CVSS rating is 5.6 Medium; no active exploits reported but low attack complexity makes exploitation feasible.
Mozilla's 0DIN team disclosed a proof-of-concept attack demonstrating how AI coding agents like Anthropic's Claude Code can be exploited via seemingly clean GitHub repositories. The technique uses a three-step indirection chain—a configured package that triggers an initialization command, which fetches and executes attacker-supplied code from a DNS record—to gain shell access without leaving malicious code in the repository itself. No active exploitation has been reported.
Microsoft released patches for CVE-2026-53297, a high-severity flaw in the Azure MANA (Network Adapter) driver for Linux that causes kernel panics via NULL pointer dereference during power-management resume failures. The vulnerability affects Azure Linux VMs with Accelerated Networking enabled. An attacker with local access can trigger repeated crashes, causing denial of service and potential data loss.
Mozilla 0DIN researchers disclosed a proof-of-concept attack against Claude Code that exploits automated error recovery to achieve remote code execution. The attack chains three benign-looking components—a GitHub repository, a Python package requiring initialization, and an attacker-controlled DNS TXT record—to trick Claude Code into executing a reverse shell. No malicious code appears in the repository; the payload is fetched only at DNS resolution time, allowing it to evade static scanners and safety checks. No active exploitation has been reported; the attack requires a developer to clone an attacker-controlled repository.
GhostWriter, a state-sponsored threat actor, is conducting phishing attacks targeting personal Gmail accounts of Polish users. The campaign aims to compromise individual Gmail users, demonstrating espionage interest in this service. Attacks show signs of operational security issues, with some phishing emails misdirected to unrelated individuals with similar names.
Microsoft Threat Intelligence disclosed an active campaign since April 2026 using 'authentication laundering' to bypass email security filters on hotels across Europe and Asia. Attackers register legitimate SaaS accounts (Calendly, GitHub, Jira) and route phishing emails through their trusted infrastructure to pass SPF, DKIM, and DMARC checks. Hotel employees receive messages with archives containing Windows shortcuts that execute PowerShell, deploy a signed Node.js runtime, and drop a memory-only JavaScript implant establishing persistence via registry run keys and Defender exclusions. Compromised front-desk workstations gain access to property management systems and guest databases.
On June 23, 2026, a Russian hacker exploited Claude AI and the Model Context Protocol to breach four hotel booking platforms (RoomScope, IGMS, NebulaPMS, Staysee), stealing 2.1 million guest records including names, emails, phone numbers, reservation dates, and payment details. The attacker bypassed Claude's content filters using prompt injection techniques, framing malicious queries as legitimate penetration-testing tasks. Stolen data is now available for phishing attacks against hotel guests.
Security researchers disclosed three vulnerabilities in Claude Code enabling token theft and code execution. CVE-2025-59536 (RCE via repository hooks) and CVE-2026-21852 (API-key exfiltration via environment variables) were patched by Anthropic. A critical silent token-theft chain via malicious npm packages intercepting OAuth tokens remains unpatched by design. The vulnerabilities exploit local configuration files and MCP integration points as active execution paths.
Two high-severity vulnerabilities (CVE-2026-12957, CVE-2026-12958) in Amazon Q Developer Extension for VS Code and other IDEs allowed remote code execution and AWS credential theft when developers opened malicious repositories containing an `.amazonq/mcp.json` file. The extension auto-loaded MCP server configurations without user consent, enabling attackers to exfiltrate AWS credentials, API keys, and SSH agent sockets. Patches available in Language Servers for AWS 1.69.0 and corresponding IDE extensions.
ShinyHunters conducted a breach of Instructure's Canvas learning management system in April 2026, affecting over 150 UK higher education institutions. The breach resulted in data exfiltration but downstream damage was reported to be limited. The incident came to wider attention in late June 2026 when UK institutions began disclosing impacts.
Threat actors launched the "Poisoned Tenant" campaign creating fraudulent OpenAI organizations that impersonate legitimate companies, particularly targeting cybersecurity and technology firms. Employees received legitimate-appearing invitation emails from OpenAI's official address (noreply@tm.openai.com) to join fake tenants, attempting to trick them into sharing sensitive company information through chats and projects. Push Security discovered the campaign after multiple employees received invitations to a fake "Push Security Inc." ChatGPT workspace created by attackers using Gmail addresses.
Microsoft issued an advisory for CVE-2026-45850, a critical Linux kernel IPVS vulnerability affecting IPv6 checksum calculations. The flaw allows remote attackers to manipulate TCP, UDP, and SCTP checksums, enabling security bypasses and denial-of-service attacks in load-balanced environments. The vulnerability impacts Azure Linux workloads, WSL2 deployments, and systems running affected Linux kernels (4.15–6.6). Patches are available from kernel.org and Microsoft; immediate remediation is advised.
Anthropic accused Alibaba of conducting a large-scale distillation attack on Claude AI models using approximately 25,000 fraudulent accounts created between April 22 and June 5, 2026. The attack involved over 28.8 million interactions with Claude designed to extract knowledge and behavioral patterns to train Alibaba's Qwen AI models without authorization. Anthropic disclosed the incident in a June 10, 2026 letter to U.S. Senate Banking Committee leadership.
Microsoft DART disclosed an active campaign by threat group Storm-2603 targeting unpatched on-premises SharePoint servers. The group exploits CVE-2025-49706, CVE-2025-49704, and CVE-2025-11371 to gain initial access, then deploys ransomware, establishes persistent backdoors via Cloudflare tunnels and Zoho Assist, and exfiltrates Active Directory credentials. A second unnamed actor was also present in parallel, using DLL sideloading to maintain access. Organizations are advised to prioritize patching SharePoint servers and implement strict identity controls.
Varonis disclosed SearchLeak (CVE-2026-42824), a three-stage vulnerability chain in Microsoft 365 Copilot Enterprise combining parameter-to-prompt injection, HTML rendering race conditions, and CSP bypass via Bing SSRF. The flaw enables one-click exfiltration of emails, MFA codes, calendar items, SharePoint and OneDrive files. Microsoft assigned critical severity and patched the issue.
Public proof-of-concept exploit released for CVE-2026-45504, a server-side request forgery vulnerability in Microsoft Exchange Server 2016 and 2019 that enables privilege escalation via arbitrary file reads. The flaw allows authenticated attackers with low privileges to exfiltrate sensitive files, credentials, and configuration data from on-premises Exchange deployments. Microsoft released patches on June 9, 2026; unpatched systems face significant risk as functional exploit code is now publicly available.