Microsoft's Record Patch Tuesday Fixes 206 Flaws; CISA Overhauls Federal Patching; VRChat & Oracle Hit by Breaches
Summary
This edition covers a landmark day in cybersecurity for June 11, 2026. Microsoft released its largest-ever Patch Tuesday, addressing 206 vulnerabilities, including three publicly disclosed zero-days. In a major policy shift, CISA issued a new directive overhauling how federal agencies must prioritize vulnerability remediation based on risk. Major breaches were also disclosed, with social platform VRChat confirming 2.4 million users were affected, and Oracle rushing an emergency patch for a PeopleSoft zero-day actively exploited by the ShinyHunters group. Other significant events include a massive $409M fine for e-commerce giant Coupang over a data leak and continued exploitation of an old WinRAR flaw by Russian APTs against Ukraine.
Today's New Articles
VRChat Cloud Breach Exposes Data of 2.4 Million Users, Including Login History and Linked Accounts
The social virtual reality platform VRChat has disclosed a data breach that exposed the personal information of 2,436,782 users. The incident, which occurred in May 2026, resulted from an unauthorized third party gaining access to the company's cloud environme...
Vietnam's OceanLotus APT Pivots to Domestic Spying, Hits Construction and Finance Sectors
The Vietnam-aligned threat group OceanLotus (also known as APT32) has shifted its focus to domestic espionage, targeting a Vietnamese construction firm and stock market investors. According to research from ESET, the group conducted a year-long intrusion and a...
CISA Mandates Risk-Based Patching for Federal Agencies with New Directive BOD 26-04
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued Binding Operational Directive (BOD) 26-04, fundamentally changing how federal civilian agencies must manage cybersecurity vulnerabilities. The new directive, effective June 10, 2026, m...
Researcher Drops 'GreatXML' Zero-Day Exploit to Bypass Windows BitLocker
A security researcher known as Chaotic Eclipse has publicly released details of 'GreatXML,' a new unpatched zero-day exploit that allegedly bypasses Windows BitLocker encryption. The exploit allows an attacker with physical access to a machine to gain SYSTEM-l...
DragonForce Ransomware Gang Claims Attack on Taos Mountain Casino, Stealing SSNs
Taos Mountain Casino in New Mexico has confirmed it was the victim of a ransomware attack that resulted in a data breach. The incident, which occurred in late March 2026, was claimed by the DragonForce ransomware group on June 1. The gang alleges it stole 38.6...
South Korea Hits E-Commerce Giant Coupang with Record $409M Fine Over Data Breach
South Korea's data privacy regulator, the Personal Information Protection Commission (PIPC), has levied a historic fine of 624.68 billion won (approx. $409 million) against e-commerce giant Coupang. The penalty stems from a data breach affecting 37.55 million...
Jamaica's National Health Fund Probes Cyberattack as Hackers Claim Patient Data Theft
Jamaica's National Health Fund (NHF) is conducting an active investigation into a cybersecurity incident after being contacted by a hacker group. The unidentified group claims to have breached the NHF's systems and stolen highly confidential patient data, incl...
Oracle Rushes Emergency Patch for PeopleSoft Zero-Day Exploited by ShinyHunters
Oracle has released an emergency, out-of-band patch for a critical unauthenticated remote code execution (RCE) zero-day vulnerability in its PeopleSoft PeopleTools software, tracked as CVE-2026-35273. The urgent release follows confirmation that the flaw is be...
Russian APTs Persistently Exploit Year-Old WinRAR Flaw in Attacks on Ukraine
A high-severity vulnerability in WinRAR, CVE-2025-8088, patched nearly a year ago, is still being actively exploited by multiple Russian-linked APT groups against targets in Ukraine. According to Trend Micro, the Gamaredon (UAC-0010) and SHADOW-EARTH-066 (UAC-...
Europol Busts 'AudiA6' Crypto Laundering Service Used by Ransomware Gangs
An international law enforcement operation led by Europol has taken down 'AudiA6,' a major cryptocurrency laundering service that allegedly washed over €336 million for cybercriminals, primarily ransomware gangs, between 2022 and 2025. The operation resulted i...
A new study by Unit 42 reveals significant supply chain risks within the burgeoning AI agent ecosystem. Researchers developed a new audit primitive, Behavioral Integrity Verification (BIV), to analyze third-party "skills" used by Large Language Model (LLM) age...
Article Updates
Ransomware Groups Pivot to 'Pure Extortion' as Victim Payment Rates Collapse
Update: A new report from cybersecurity insurer Resilience provides updated statistics on the shift to 'extortion-only' attacks. By late 2025, 65% of all extortion-related insurance claims involved only data theft, without encryption, a significant rise from previous...
Microsoft's Record-Breaking June Patch Tuesday: Over 200 Flaws and Three Zero-Days Patched
Update: The latest report on Microsoft's June 2026 Patch Tuesday confirms a total of 206 vulnerabilities addressed, including 32 critical flaws. This update provides more in-depth analysis of the three publicly disclosed zero-day vulnerabilities (CVE-2026-50507, CVE-2...