Daily Digest

AI, Supply Chain Attacks, and New Backdoors Dominate Cybersecurity News

AI, Supply Chain Attacks, and New Backdoors Dominate Cybersecurity News

June 26, 2026
13 articles (8 new, 5 updated)
39 min read

Summary

The cybersecurity landscape continues to evolve rapidly, with significant updates and new threats emerging. The npm ecosystem is under siege from successors to the Shai-Hulud attack, now targeting the Go language with the Hades malware and exploiting GitHub Actions for credential theft. Phishing attacks are also on the rise, with a 28% spike attributed to AI-powered, multi-channel campaigns that leverage legitimate services like Calendly and Google redirects to bypass security. The Five Eyes Intelligence Alliance warns that AI-powered cyberattacks, particularly in ransomware, are "months away" and will lower the barrier for entry while enhancing advanced threats.

Supply chains remain a prime target, with ransomware attacks in Europe surging by 55%. Cisco SD-WAN zero-day vulnerabilities (CVE-2026-20245) have been exploited for months to achieve root access, following a chain of authentication bypass flaws. New threats include the Russian APT Turla's deployment of the STOCKSTAY backdoor in Ukraine espionage, and the 'Prinz Eugen' ransomware, written in Go, which employs stealthy extortion tactics by not dropping ransom notes.

CISA has added actively exploited PTC and Cisco flaws to its KEV catalog, mandating federal patching. The FCC has adopted new cybersecurity rules for the Emergency Alert System (EAS). Several healthcare data breaches have been reported, including at MN Epilepsy Group, Campbell University, and the City of Middletown, exposing patient information. The LemonDuck cryptomining malware is spreading via PowerShell, and Black's Insurance and Financial Services disclosed a breach affecting Social Security numbers. Finally, a new 'TinyRCT' backdoor has been deployed by Chinese-speaking hackers in attacks on Southeast Asian governments.

Filter by Category

New Articles (8)

Russian APT Turla Unleashes New 'STOCKSTAY' Backdoor in Ukraine Espionage Attacks

HIGH

Google Details Turla's New 'STOCKSTAY' .NET Backdoor Used in Espionage Against Ukraine

The Russian state-sponsored threat group Turla has been observed deploying a new, continuously developed .NET backdoor named STOCKSTAY. According to Google's Threat Analysis Group (GTIG), the malware targets Windows systems and has been used in cyber espionage campaigns against government and military entities in Ukraine. STOCKSTAY shares significant code similarities with Kazuar, another known Turla implant, suggesting it may be its successor. The malware communicates with its C2 via secure WebSockets and leverages a multi-hop infrastructure, including a public GitHub repository, to obfuscate its operations. GTIG assesses that Turla may be deploying STOCKSTAY alongside Kazuar to test its new capabilities in live environments.

June 26, 2026
5 min read
TurlaSTOCKSTAYKazuarAPTEspionage +4 more
Russian APT Turla Unleashes New 'STOCKSTAY' Backdoor in Ukraine Espionage Attacks

New 'Prinz Eugen' Ransomware Written in Go Features Stealthy Extortion Tactics

HIGH

CYFIRMA Discovers 'Prinz Eugen,' a New Go-Based Ransomware with Advanced Encryption and Stealth Features

Researchers at CYFIRMA have discovered a new ransomware strain named 'Prinz Eugen,' written in the Go programming language. This modern malware uses the efficient ChaCha20-Poly1305 encryption algorithm and processes files in parallel for maximum speed. A key distinguishing feature is its stealthy approach; it does not drop a ransom note on the victim's system, instead relying on external communication for extortion demands. This tactic complicates incident response by reducing on-disk artifacts. The group employs a double-extortion strategy, with a data leak site already active, and is currently targeting organizations in the consumer, business, and financial services sectors in France and South Africa.

June 26, 2026
4 min read
RansomwarePrinz EugenGoCYFIRMAMalware +1 more
New 'Prinz Eugen' Ransomware Written in Go Features Stealthy Extortion Tactics

CISA Adds Actively Exploited PTC and Cisco Flaws to KEV Catalog, Mandates Federal Patching

CRITICAL

CISA Adds Two Known Exploited Vulnerabilities in PTC and Cisco Products to KEV Catalog

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added two new vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, confirming they are under active exploitation. The flaws are CVE-2026-12569, an improper input validation bug in PTC's Windchill and FlexPLM products, and CVE-2026-20230, a Server-Side Request Forgery (SSRF) vulnerability in Cisco Unified Communications Manager. Under Binding Operational Directive (BOD) 26-04, Federal Civilian Executive Branch agencies are now required to remediate these vulnerabilities by a specified deadline. CISA strongly urges all organizations to prioritize patching these flaws to defend against active threats.

June 26, 2026
4 min read
CISAKEVVulnerabilityCVE-2026-12569CVE-2026-20230 +3 more
CISA Adds Actively Exploited PTC and Cisco Flaws to KEV Catalog, Mandates Federal Patching

FCC Adopts New Cybersecurity Rules to Safeguard Emergency Alert System (EAS)

INFORMATIONAL

FCC Mandates Cybersecurity Rules for Emergency Alert System and Opens Inquiry into Alert Modernization

On June 25, 2026, the U.S. Federal Communications Commission (FCC) adopted new rules requiring operators of the Emergency Alert System (EAS) to implement specific cybersecurity measures to protect the critical public warning infrastructure. The rules mandate actions like installing firewalls, monitoring equipment, and performing regular software updates. The FCC also opened a further notice of proposed rulemaking to explore future enhancements for both the EAS and Wireless Emergency Alerts (WEA), including improving geotargeting accuracy and ensuring alerts reach non-English speakers and people entering an emergency area after an alert has been issued.

June 26, 2026
4 min read
FCCRegulationPolicyEASEmergency Alert System +1 more
FCC Adopts New Cybersecurity Rules to Safeguard Emergency Alert System (EAS)

Healthcare Data Breaches at MN Epilepsy Group, Campbell University, and City of Middletown Expose Patient Info

HIGH

Multiple Healthcare Data Breaches Reported, Exposing Patient Social Security Numbers and Medical Data

Several U.S. organizations have recently disclosed data breaches affecting sensitive patient information. Minnesota Epilepsy Group reported a breach impacting patients' names, Social Security numbers, and medical data after a network intrusion in March-April 2026. The City of Middletown, NY, notified over 20,000 individuals of a breach stemming from a 2025 ransomware attack by the SafePay group, which compromised extensive personal and health information. Additionally, Campbell University in North Carolina is investigating a breach of a cloud storage platform that affected at least 500 individuals. These incidents highlight the persistent targeting of the healthcare sector and its supply chain.

June 26, 2026
5 min read
Data BreachHealthcareHIPAARansomwareSafePay +2 more
Healthcare Data Breaches at MN Epilepsy Group, Campbell University, and City of Middletown Expose Patient Info

LemonDuck Cryptomining Malware Spreads via PowerShell in New Campaign

MEDIUM

Barracuda Researchers Detail LemonDuck Malware Campaign Hijacking Endpoints for Cryptomining

Researchers at Barracuda have identified a recent campaign involving the LemonDuck malware, a botnet known for hijacking system resources for cryptocurrency mining. The malware spreads across networks by exploiting vulnerabilities and weak credentials. Once on a system, it uses hidden PowerShell scripts to download additional malicious code and communicates with command-and-control servers. By turning infected machines into a botnet, LemonDuck provides its operators with a distributed platform for cryptomining. In a separate finding, Barracuda also noted a 55% increase in password-spraying attacks from Iran in May 2026, targeting Fortigate VPNs.

June 26, 2026
4 min read
LemonDuckCryptominingBotnetPowerShellBarracuda +2 more
LemonDuck Cryptomining Malware Spreads via PowerShell in New Campaign

Black's Insurance and Financial Services Discloses Data Breach Affecting SSNs

MEDIUM

Black's Insurance and Financial Services Reports Data Breach Compromising Social Security Numbers

CG Black Financial Services, operating as Black's Insurance and Financial Services, has reported a data breach that may have compromised sensitive personal information, including Social Security numbers. A notification was filed with the Vermont Attorney General's Office on June 24, 2026. At present, details regarding the cause of the breach, the number of affected individuals, and the full scope of compromised data are not yet public. The Florida-based company serves customers in several southeastern states. Attorneys have begun an investigation into the incident for a potential class-action lawsuit.

June 26, 2026
4 min read
Data BreachInsuranceFinancial ServicesPIISocial Security Number
Black's Insurance and Financial Services Discloses Data Breach Affecting SSNs

New 'TinyRCT' Backdoor Deployed by Chinese-Speaking Hackers in Attacks on Southeast Asian Governments

HIGH

CL-STA-1062: Chinese-Speaking Threat Actor Targets Southeast Asian Governments and Critical Infrastructure with New TinyRCT Backdoor

Security researchers have identified a sustained espionage campaign by a Chinese-speaking threat actor, tracked as CL-STA-1062 (also known as UAT-7237), targeting government and critical energy infrastructure entities in Southeast Asia throughout 2025. The group, active since at least March 2022, exploits web applications to gain initial access, deploying web shells for command execution and data exfiltration. The attackers utilize a hybrid toolkit of open-source tools like SoftEther VPN, Mimikatz, and JuicyPotato, alongside a newly discovered custom .NET backdoor named TinyRCT. This lightweight remote access trojan (RAT) provides capabilities for command execution, file exfiltration, and screenshot capture, signaling a sophisticated and persistent threat focused on long-term intelligence gathering in the Asia-Pacific region.

June 26, 2026
10 min read
espionagebackdoorAPTweb shellcritical infrastructure +5 more
New 'TinyRCT' Backdoor Deployed by Chinese-Speaking Hackers in Attacks on Southeast Asian Governments

Updated Articles (5)

Phishing Attacks Spike 28% as AI-Powered, Multi-Channel Campaigns Bypass Security

HIGH

AI and Multi-Channel Tactics Fuel 28% Surge in Phishing Attacks, Overwhelming Traditional Defenses

Update:

A sophisticated phishing campaign is targeting the hospitality industry by leveraging legitimate services like Calendly and Google's URL redirection to bypass email security. Emails sent via Calendly's notification system pass authentication checks, leading to links that use Google redirects to obscure the final malicious payload. This payload is a Node.js-based implant designed to establish persistent access. This 'authentication laundering' technique highlights the evolving methods attackers use to evade detection, with specific IOCs identified including C2 IP 178.16.54.27 and domain sec-safe-dc.info.

June 7, 2026
Updated: June 26, 2026
7 min read
phishingAIsmishingquishingMicrosoft +3 more
Phishing Attacks Spike 28% as AI-Powered, Multi-Channel Campaigns Bypass Security

Cisco SD-WAN Zero-Day Exploited for Months to Achieve Root Access

HIGH

Mandiant: Cisco SD-WAN Zero-Day (CVE-2026-20245) Exploited in the Wild for Months Before Patch

Update:

Further analysis of the Cisco SD-WAN zero-day exploitation (CVE-2026-20245) confirms that threat actors likely gained initial access by chaining two previously undisclosed authentication bypass flaws, CVE-2026-20127 and CVE-2026-20182. This multi-staged attack allowed them to establish a foothold before exploiting CVE-2026-20245 for root privilege escalation. The main vulnerability has a CVSS score of 7.8 (High). This clarifies the initial entry point of the sophisticated campaign targeting communications service providers.

June 25, 2026
Updated: June 26, 2026
6 min read
CiscoSD-WANZero-DayCVE-2026-20245Mandiant +2 more
Cisco SD-WAN Zero-Day Exploited for Months to Achieve Root Access

Ransomware Attacks in Europe Skyrocket by 55% as Supply Chains Become Prime Targets

HIGH

European Ransomware Incidents Surge by 55% in Early 2026, Black Kite Report Finds

Update:

This update provides further analysis of the Black Kite report, highlighting the strategic shift by ransomware groups to compromise third-party suppliers and IT service providers as a primary vector for supply chain attacks. New hunting hints include monitoring VPN logs, `psexec.exe` usage, and unusual RDP/SMB traffic. Additional mitigation advice emphasizes implementing the principle of least privilege. The report reinforces the 55.1% surge in European ransomware attacks and the continued prominence of the Qilin group, offering a slightly different perspective on the same core findings.

June 25, 2026
Updated: June 26, 2026
5 min read
RansomwareEuropeBlack KiteQilinAkira +2 more
Ransomware Attacks in Europe Skyrocket by 55% as Supply Chains Become Prime Targets

npm Ecosystem Under Siege as Shai-Hulud Successors Weaponize CI/CD Pipelines

CRITICAL

Unit 42 Report: Shai-Hulud Worm's Evolution Leads to Advanced npm Supply Chain Attacks Targeting Red Hat and TanStack

Update:

The persistent supply chain attack, involving Miasma and Mini Shai-Hulud, has expanded its targeting to include the Go programming language ecosystem. A new malware family, Hades, has been identified. Attackers recently hijacked the 'semantic-release-action' GitHub Action on June 24, 2026, by force-pushing a malicious commit, leading to widespread credential theft and propagation. New techniques include a dead drop resolver using specific strings like 'firedalazer' for dynamic payload updates and AES-128-GCM for exfiltration, indicating increased sophistication and broader reach.

June 3, 2026
Updated: June 26, 2026
23 min read
npmsupply chain attackCI/CDwormmalware +6 more
npm Ecosystem Under Siege as Shai-Hulud Successors Weaponize CI/CD Pipelines

AI-Powered Cyberattacks 'Months Away,' Five Eyes Intelligence Alliance Warns

HIGH

Five Eyes Agencies Issue Urgent Warning on Imminent Threat from Advanced AI in Cyber Warfare

Update:

New expert insights from Infosecurity Europe 2026 confirm AI's role in fundamentally reshaping the cybercrime economy, particularly ransomware. Former FBI officials highlight AI's ability to lower the barrier for novice attackers while enhancing advanced threats, leading to automated, scalable, and highly targeted campaigns. CISOs are urged to adopt continuous visibility, risk-based management for IT/OT, Zero Trust, and proactive threat hunting to counter AI-driven attacks that are now outpacing traditional, perimeter-focused defenses. The article details how AI enhances social engineering, vulnerability discovery, exploit generation, and malware sophistication.

June 23, 2026
Updated: June 26, 2026
5 min read
AIArtificial IntelligenceFive EyesCISANSA +4 more
AI-Powered Cyberattacks 'Months Away,' Five Eyes Intelligence Alliance Warns

📢 Share This Publication

Help others stay informed about cybersecurity threats

đź“… Daily Edition

Curated and deduplicated every day from dozens of trusted sources — giving you one clean, consolidated view of what matters in cybersecurity.

🔢 Deduplication Applied

Related stories are merged into a single evolving article rather than repeated as separate entries — cutting through noise so you only read what's new.

đź”— Full Articles Linked

Every entry links to its full enriched article — complete with MITRE ATT&CK mappings, extracted IOCs, and actionable detection and mitigation guidance.