⚡ Weekly Recap: Chrome 0-Day, UniFi Exploits, macOS Stealers, VPN Flaw and More

The Hacker News
June 15, 2026


Ravie Lakshmanan | Jun 15, 2026 | Cybersecurity / Hacking

Stuff broke again. Not in a movie way. An old tool was left exposed. An abandoned package was abused. A deprecated feature was still running in prod.

This week is the same lesson in a new form: phishing kits are easier to rent, AI names are useful bait, old login paths still fail, and forgotten software keeps becoming someone else’s entry point.

Scroll through the full Monday Cybersecurity Recap below for the news, tools, webinars, and fixes worth your time this week.

⚡ Threat of the Week

Google Patches Actively Exploited Chrome 0-Day – Google released security updates to address 74 vulnerabilities, including one that has come under active exploitation in the wild. The high-severity vulnerability, tracked as CVE-2026-11645 (CVSS score: 8.8), has been described as an out-of-bounds memory access in V8, Chrome’s JavaScript and WebAssembly engine. Google acknowledged that an “exploit for CVE-2026-11645 exists in the wild,” but stopped short of sharing additional specifics to ensure that a majority of the users are updated with a fix and to prevent further exploitation. Google has addressed a total of five actively exploited Chrome zero-days since the start of the year. This includes CVE-2026-2441, CVE-2026-3909, CVE-2026-3910, and CVE-2026-5281.

🔔 Top News

  • ShinyHunters Gang Exploits Oracle PeopleSoft Zero-Day – The ShinyHunters (aka UNC6240) extortion crew exploited an unpatched flaw in Oracle PeopleSoft (CVE-2026-35273, CVSS score: 9.8) to break into enterprise networks. The vulnerability relates to a missing authentication for a critical function that could allow an unauthenticated attacker to take over PeopleSoft Enterprise PeopleTools. According to Google Mandiant, the exploitation activity was observed between May 27 and June 9, 2026. Following a successful compromise, the attackers have been observed conducting targeted internal reconnaissance using MeshCentral, lateral movement, and data exfiltration. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added the flaw to its Known Exploited Vulnerabilities (KEV) catalog, giving Federal Civilian Executive Branch (FCEB) agencies until June 15, 2026, to apply the fixes. The campaign has mainly targeted the higher education sector; 68% of the more than 100 notified organizations were universities and colleges. “The observed exploitation targeted PeopleSoft’s Environment Management Hub (PSEMHUB) endpoints, and data stolen during the campaign was published on the ShinyHunters Data Leak Site (DLS) on June 9, 2026,” Rapid7 said.
  • 100s of Arch Linux Packages Compromised to Push Rootkit and Stealer – Unknown threat actors have managed to compromise hundreds of legitimate-but-abandoned packages in the Arch User Repository (AUR) and modify them with preinstall scripts that download and execute a malicious npm package called atomic-lockfile. The campaign has been codenamed Atomic Arch by Sonatype. “Analysis of atomic-lockfile, the malicious dependency, found a bundled Linux payload with functionality tied to credential harvesting, stealth, anti-debugging, and potential data exfiltration,” the company said. Although the initial number of affected packages was 400, it has since risen to over 1,500. As of June 12, 2026, Arch Linux developers have deleted all the malicious commits they are aware of.
  • Outsider PhaaS Enterprise Taken Down – The U.S. Federal Bureau of Investigation said it took down a number of domains linked to Outsider, a Chinese phishing-as-a-service (PhaaS) software kit behind an estimated 3,870,000 stolen credit cards and a corresponding estimated $1.9 billion in losses since July 2023. In tandem, Google said it is pursuing legal action against the operators, who weaponized Gemini to “help generate fraudulent phishing pages and deploy massive SMS phishing (‘smishing’) attacks, often through text messages impersonating legitimate brands, alerting recipients of ‘brokerage account issues’ or insisting they are eligible for ‘rewards through their mobile phone carrier.” According to a complaint filed by Google, the group “built, maintains, and uses a turn-key, online software suite that enables criminals, regardless of technical skill, to publish fraudulent websites designed to rob victims and enrich themselves.” The toolkit costs $88 per week or $200 per month, offering access to more than 290 pre-built templates that mimic legitimate websites. The goal is to steal passwords and corresponding multi-factor authentication codes, as well as financial information, in real time. “Part of the Outsider software’s appeal is the ease with which someone with limited technical expertise – like many members of the Enterprise – can purchase the software, execute various phishing attacks, and, upon purchase, meet other members of the Enterprise who are proficient in other areas,” the tech giant added.
  • Critical Check Point VPN Flaw Exploited in Limited Attacks – Check Point warned of active exploitation of a critical vulnerability CVE-2026-50751 (CVSS score: 9.3) impacting Remote Access VPN and Mobile Access deployments that are configured to use the deprecated IKEv1 key exchange protocol. The security flaw is a case of a logic flow weakness in certificate validation that allows an unauthenticated remote attacker to bypass user authentication and establish a remote access VPN connection without a valid user password. The Israeli cybersecurity company said it first observed indications of suspicious activity on June 4, 2026, with the earliest observed exploitation dating back to May 7, 2026. Exploitation efforts are said to have ramped up starting this month. The exploitation activity, Check Point added, has been limited to a “few dozen targeted organizations globally.” In one case, the post-exploitation phase has been associated with a Qilin ransomware affiliate.
  • The Gentlemen Ransomware Claims 478 Victims – A new analysis of The Gentlemen operation revealed that the financially motivated threat group initially operated as an affiliate responsible for conducting double extortion attacks, while leveraging resources from various ransomware-as-a-service (RaaS) schemes like LockBit (aka Tenacious Mantis), Qilin (aka Pestilent Mantis), and Medusa (aka Venomous Mantis). The group, which the analysis tracks as Phantom Mantis, is led by a Russian-speaking cybercriminal designated LARVA-368, who goes by the online aliases hastalamuerte, ArmCorp, zeta88, nobody0, and santamuerte. The Gentlemen has been active since March 2025, claiming a total of 478 victims to date. Microsoft, which is tracking the cluster under the moniker Storm-2697, said the operation “initially started as a closed ransomware group then began offering its RaaS to affiliates in September 2025.”

🔥 Trending CVEs

Bugs drop weekly, and the gap between a patch and an exploit is shrinking fast. These are the heavy hitters for the week: high-severity, widely used, or already being poked at in the wild.

Check the list, patch what you have, and hit the ones marked urgent first – CVE-2026-11645 (Google Chrome), CVE-2026-50751 (Check Point Remote Access VPN and Mobile Access), CVE-2026-35273 (Oracle PeopleSoft), CVE-2026-5027 (Langflow), CVE-2026-44963 (Veeam Backup & Replication), CVE-2026-23111 (Linux kernel), CVE-2026-45447 (OpenSSL), CVE-2026-44748, CVE-2026-27671 (SAP NetWeaver AS ABAP and ABAP Platform), CVE-2026-22732 (SAP Commerce Cloud and SAP Data Hub), CVE-2026-40128 (SAP NetWeaver Application Server Java Web Container), CVE-2026-10520 (Ivanti Sentry), CVE-2026-28252, CVE-2026-28253, CVE-2026-28254, CVE-2026-28255, CVE-2026-28256 (Trane Tracer SC+ HVAC controller), CVE-2025-46412, CVE-2025-41426 (Vertiv Liebert IS-UNITY-DP network cards), CVE-2026-0274 (Palo Alto Networks Cortex XSOAR and Cortex XSIAM), CVE-2026-20253 (Splunk Enterprise), CVE-2026-9648 (Haskell TLS software stack), from CVE-2026-12007 through CVE-2026-12011 (Google Chrome), CVE-2026-45034 (PhpSpreadsheet), PTT-2026-004, PTT-2026-005, an authentication bypass vulnerability (phpBB), and a maximum-severity code injection vulnerability in Wazuh (no CVE).

🎥 Expert Webinars

  • Find Out What Your Automated Pentest Is Missing Before Attackers Do → Automated pentesting is useful. It is also easy to overread. A tool that proves an exploit path worked does not prove your SIEM saw it, your EDR reacted, or your team could respond before damage spread. This webinar cuts through that gap: what automated pentesting actually validates, why repeat runs start returning fewer useful findings, and how BAS helps show which controls failed, not just which vulnerabilities exist.
  • Stop AI-Speed Attacks Before Your Legacy Controls Catch Up → AI has changed the pace of cyberattacks. Lures get sharper, campaigns adapt faster, and attackers can test what works before defenders finish investigating. This webinar breaks down how AI-powered threats like Mythos get in, move, and scale, then shows how to fight back with tighter access, reduced attack surface, blocked lateral movement, and in-line controls that stop risky behavior before it becomes an incident.
  • Stop Employees From Leaking Source Code, Contracts, and PII Into AI Tools → Employees are already pasting company data into AI tools. Source code, contracts, customer records, and internal notes can leave the business through one prompt. This webinar shows how to move from after-the-fact detection to real-time prevention, with browser-level controls that stop risky AI use at the point where data is about to leak.

📰 Around the Cyber World

  • Campaigns Use AI Brands as Lures – Microsoft warned of campaigns capitalizing on the global interest around artificial intelligence (AI) as a social engineering lure. “These campaigns, which don’t represent compromise of services, span phishing, malvertising, and search engine optimization (SEO)-driven attacks that ultimately lead to credential theft, financial fraud, or malware infection,” the company said. Some of the campaigns include a ChatGPT-themed lure that leads to a phishing kit collecting credit card data, a Claude-themed phishing campaign collecting credentials and access tokens, an “Awesome AI Windows Plugin” malvertising campaign deploying Vidar Stealer, and fake DeepSeek V4 installers on GitHub delivering Vidar Stealer. The tech giant said it “observed the initial access broker Storm-3075 employing AI-themed malvertising to deliver payloads, including malware signed by the malware-signing-as-a-service (MSaaS) offering attributed to the financially motivated threat actor Fox Tempest, on behalf of multiple downstream actors.”
  • macOS Users Targeted by Fake Installers – Deceptive installers for popular software are being used to push information stealers to macOS users. “The infection chain almost always starts inside a web browser,” Huntress said. “Threat actors lean heavily on search engine optimization (SEO) poisoning to hijack search results, or they seed compromised links across torrent networks and cracked software forums. A user drops their guard, clicks the malicious link, and downloads what they assume is an authentic installer.” The DMG files, once executed, aim to bypass Apple Gatekeeper protections to realize their goals. In 2024, more than 65% of newly reported macOS malware was classified as infostealers.
  • History of Chinese-Language Guarantee Marketplaces – Flare has shed light on the “guarantee model” that powers various illicit online Telegram marketplaces like HuiOne Guarantee and Tudou Guarantee. “These marketplaces are third-party escrow services for illicit transactions,” security researcher Chris d’Eon explained. “The marketplace operator stands between buyer and seller, holds the buyer’s funds in escrow, releases them to the seller only when the buyer confirms delivery, and adjudicates disputes when something goes wrong. In return, the operator collects deposits from vendors who want to advertise under its brand, fees on transactions, and revenue from paid promotional slots.” The model, which has its roots in legitimate Chinese consumer-internet trust architecture launched by Alipay in 2003, facilitates the sale of money laundering services, stolen data, fraud kits, fake identity documents, recruitment for scam compounds, retail fraud, deepfake services, and the physical infrastructure that drives human trafficking and forced-labour compounds. Law enforcement crackdown has led to “fragmentation but not elimination” of the criminal enterprise. More than 30 successor marketplaces have emerged following the takedown of HuiOne and Xinbi, almost all of them managing their operations via Telegram owing to its reach, bot infrastructure, and improved resilience despite the platform’s efforts to crack down on such activities. These include Tiancheng, Dabai, Ouyi, Yinuo, Jin Bo, Haihua, Timi, and Lao Niu.
  • UniFi OS Flaws Exploited – The UniFi OS Server remote code execution chain, comprising CVE-2026-34908, CVE-2026-34909, and CVE-2026-34910, is now being actively exploited, according to Defused Cyber, following a report from Bishop Fox about how the three flaws could be combined to achieve unauthenticated code execution as root. The attacks culminated in the deployment of commodity malware.
  • Khmer Shadow Targets Cambodian Government Entities – A targeted cyber espionage campaign against Cambodian government entities has leveraged a meeting-themed SFX archive to sideload a custom C++ loader dubbed NIGHTFORGE, which then decrypts and executes a Havoc Demon payload in memory. “NIGHTFORGE has demonstrated a moderate level of sophistication, combining advanced defense-evasion techniques such as NTDLL unhooking and Hell’s Gate syscall resolution, a method that enables direct system calls and helps evade user-mode monitoring, with operational shortcomings that suggest the tool is still under active development,” Acronis said. The activity has not been attributed to any known threat group, but it’s “likely aligned with regional intelligence collection interests in Southeast Asia.”
  • How Attackers Could Exploit Cloud Logging Services – Palo Alto Networks Unit 42 has warned that threat actors could exploit cloud logging services, which are crucial for security monitoring, to “create weak spots, evade detection, and in certain scenarios, establish continuous visibility within a target’s environment.” Attackers could tamper with resources within the cloud logging service (e.g., disabling, altering, or deleting logs, or even impairing logging) to hide their presence or attempt to route logs to their own accounts, establishing continuous visibility over the victim’s environment, performing continuous discovery, and passively monitoring all activity.
  • Operation TaxShadow Delivers Multi-Stage Malware Framework – An Indian tax-themed phishing campaign has been observed delivering a sophisticated multi-stage malware framework through a mix of social engineering, phishing infrastructure, and memory-resident malware execution techniques. “The campaign begins with a fraudulent tax notification email impersonating an official Indian tax authority, leveraging government branding, urgency-based messaging, and compliance-related threats to manipulate victims into interacting with a malicious phishing website,” CYFIRMA said. “Victims are subsequently instructed to download a malicious ZIP archive containing three staged payload components: कर विवरण.exe, SbieDll.dll, and SbieDll.bin, which collectively establish the complete infection lifecycle.” The attack makes use of a highly modular malware architecture, coupled with advanced defense-evasion and anti-analysis techniques, to launch a payload in memory. The malware also establishes persistent WebSocket-based communications.
  • MagicAd Displays Background Ads on Android Devices – A new Android trojan called MagicAd has been found to bypass operating system restrictions to display background ads. “One of these methods is universal, while the others are designed for devices from specific manufacturers,” Russian cybersecurity company Doctor Web said. “These include exploiting third-party software and using the system media player.” The malware is distributed via apps on GetApps, the official app catalog for Xiaomi devices. It has been discovered in more than 50 games and apps. The campaign is assessed to have commenced in 2025, with the threat actors behind it also leveraging the Samsung Galaxy Store as a distribution mechanism. Currently, none of the apps are available for download.
  • Residential Proxies in the Wild – Residential proxies are designed to relay internet traffic through devices that belong to regular consumers, such as home routers, mobile devices, IoT devices, and devices with applications embedded with proxyware. One way this is achieved is that application developers themselves can embed software development kits (SDKs) provided by the residential proxy networks into their products as a way to monetize their software, allowing them to receive a small amount of money on each installation. In an analysis published last week, Infoblox said monthly queries to residential proxy domains steadily grew from nearly 400 billion to over 500 billion between January 2025 and April 2026 across its customer base, an increase of about 25%. “There are likely several explanations for this: certainly, the rise in AI-related training, which often requires scraping websites, is a major driver of residential proxy demand,” it said. “Residential proxies bypass many anti-scraping measures, as the traffic appears to be coming from the devices of real people.” Some of the most commonly observed proxy services queried include Bright Data, Hola VPN, Oxylabs Proxy, Honeygain, and Grass. The DNS threat intelligence firm said many residential proxy services operate in a grey space.
  • SHEET#CREEP Drops C# Remote Access Trojan – An ongoing cyber espionage campaign dubbed SHEET#CREEP has leveraged a diplomatic-themed ISO phishing lure to distribute a C# remote access trojan (RAT). The activity was previously flagged by Zscaler and Bitdefender, attributing it to a threat actor known as Transparent Tribe. “The RAT abuses the Google Sheets API as its command-and-control (C2) channel, authenticating via an embedded GCP service account private key and using individual spreadsheet tabs per victim for bidirectional communication,” Securonix researchers Shikha Sangwan, Akshay Gaikwad, and Aaron Beardslee said. “The LNK triggers a C# dropper that extracts a bait PDF, drops the RAT payload into the Windows Vault directory, and establishes persistence through a scheduled task, before melting (self-deleting) to remove forensic traces.” The cybersecurity company said it identified 91 active victim tabs in the C2 spreadsheet, including a high-confidence target located in Pakistan.
  • Malware Distributed via npm and PyPI Packages – A cryptocurrency-focused software supply chain campaign has used malicious npm packages to facilitate credential harvesting, wallet theft, remote payload delivery, and blockchain-based command-and-control. “Technical analysis uncovered capabilities including cryptocurrency wallet interception, private key and mnemonic phrase theft, SSH credential harvesting, environment variable collection, sensitive file discovery, remote activation mechanisms, blockchain-based infrastructure retrieval, and multi-stage malware deployment,” CYFIRMA said. A second campaign, codenamed Solana FakeFix, has targeted Solana developers with 20 bogus npm and PyPI packages to steal wallet keys, cloud credentials, source-control tokens, SSH keys, and environment secrets, while a third campaign, CMS Windows Loader, has used five npm packages to load remote executables and JavaScript code dynamically. In a related development, two versions of the dbmux npm package (2.2.5 and 1.0.5) were flagged for containing malware. “Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer,” according to a GitHub advisory. “The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.”
  • Ransomware Attack Uses Easyupload.io for Data Exfiltration – In one ransomware attack investigated by Huntress, a threat actor accessed the victim’s hypervisor and created a new virtual machine (VM) as a staging location from which they launched the Akira ransomware. The threat actor rapidly progressed through the attack, disabling Microsoft Defender and installing WinRAR, an archival tool typically used by threat actors for staging data. “The threat actor used the Microsoft Edge browser to access Bing, and search for the term ‘eayupload’ before settling on Easyupload.io, a website that provides access to file uploads via drag-and-drop,” the cybersecurity company said. “Shortly after accessing the LimeWire website, presumably to exfiltrate staged archives, the threat actor launched the akira.exe file encryptor against several mounted shares.”
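The cloud-logging item above describes attackers disabling, narrowing or redirecting audit logs. The following is an added example written for this recap, not Unit 42's code: it flags such control-plane calls in constructed CloudTrail-style events, assuming the AWS CloudTrail API names StopLogging, DeleteTrail, UpdateTrail and PutEventSelectors, and fake 12-digit account IDs.

```python
"""Flag tampering with a cloud audit-logging service in CloudTrail-style events.

Added example (not from the Unit 42 report). The events, account IDs and trail
names below are constructed; the API and request parameter names follow AWS
CloudTrail's control-plane API.
"""
import re

HOME_ACCOUNT = "111111111111"  # constructed: the account that owns the trail

# Constructed sample events in CloudTrail's record shape.
SAMPLE_EVENTS = [
    {"eventSource": "cloudtrail.amazonaws.com", "eventName": "DescribeTrails",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/auditor"},
     "requestParameters": {}},
    {"eventSource": "cloudtrail.amazonaws.com", "eventName": "StopLogging",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/ops-admin"},
     "requestParameters": {"name": "org-trail"}},
    {"eventSource": "cloudtrail.amazonaws.com", "eventName": "UpdateTrail",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/ops-admin"},
     "requestParameters": {"name": "org-trail",
        "cloudWatchLogsLogGroupArn":
            "arn:aws:logs:us-east-1:999999999999:log-group:collector:*"}},
    {"eventSource": "cloudtrail.amazonaws.com", "eventName": "PutEventSelectors",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/ops-admin"},
     "requestParameters": {"trailName": "org-trail",
        "eventSelectors": [{"readWriteType": "ReadOnly",
                            "includeManagementEvents": False}]}},
    {"eventSource": "cloudtrail.amazonaws.com", "eventName": "UpdateTrail",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/ops-admin"},
     "requestParameters": {"name": "org-trail",
        "cloudWatchLogsLogGroupArn":
            "arn:aws:logs:us-east-1:111111111111:log-group:trail:*"}},
]

ARN_ACCOUNT = re.compile(r"^arn:aws[^:]*:[^:]*:[^:]*:(\d{12}):")


def arn_account(arn):
    """Return the 12-digit account ID embedded in an ARN, or None."""
    m = ARN_ACCOUNT.match(arn or "")
    return m.group(1) if m else None


def find_log_tampering(events, home_account=HOME_ACCOUNT):
    """Return findings for calls that disable, narrow or redirect trail logging."""
    findings = []
    for ev in events:
        if ev.get("eventSource") != "cloudtrail.amazonaws.com":
            continue
        name = ev.get("eventName")
        params = ev.get("requestParameters") or {}
        reason = None
        if name in ("StopLogging", "DeleteTrail"):
            reason = "trail logging stopped or trail deleted"
        elif name == "UpdateTrail":
            # A log destination in a foreign account hands the attacker a
            # continuous copy of the audit stream; an in-account change is not flagged.
            for key in ("cloudWatchLogsLogGroupArn", "kmsKeyId"):
                dest = arn_account(params.get(key))
                if dest and dest != home_account:
                    reason = f"{key} points to foreign account {dest}"
                    break
        elif name == "PutEventSelectors":
            for sel in params.get("eventSelectors", []):
                if (sel.get("includeManagementEvents") is False
                        or sel.get("readWriteType") == "ReadOnly"):
                    reason = "event selectors drop write or management events"
                    break
        if reason:
            findings.append({"eventName": name,
                             "actor": ev.get("userIdentity", {}).get("arn"),
                             "trail": params.get("name") or params.get("trailName"),
                             "reason": reason})
    return findings


if __name__ == "__main__":
    for f in find_log_tampering(SAMPLE_EVENTS):
        print(f"{f['eventName']:18} {f['trail']:10} {f['reason']}  by {f['actor']}")
```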

🔧 Cybersecurity Tools

  • SpooNMAP → It is a Python tool that wraps Nmap and Masscan to make port scanning easier and faster. It guides users through scan options, supports small, medium, large, full, and custom scans, can grab service banners with Nmap, and lets users scan target IPs or CIDR ranges from a file.
  • CVE MCP Server → It connects Claude to 27 security intelligence tools across 21 data sources, helping analysts look up CVEs, check EPSS and CISA KEV status, find PoCs, scan dependencies, review IP reputation, and generate risk reports from one place.

Disclaimer: This is strictly for research and learning. It hasn’t been through a formal security audit, so don’t just blindly drop it into production. Read the code, break it in a sandbox first, and make sure whatever you’re doing stays on the right side of the law.

Conclusion

This week’s lesson is simple: attackers do not need magic. They need old code, busy teams, weak defaults, and one forgotten box nobody wants to claim.

That is the uncomfortable part. The next big incident may already be sitting in your stack, quietly working as designed.
