In a bombshell whistleblower lawsuit unsealed this week, a former IBM VP of Threat Intelligence alleges the tech giant deliberately concealed as many as 56,000 data breaches by Chinese state-sponsored hackers (APT 10) between 2013 and 2016. According to the complaint, IBM suffered the intrusions across its global network, acquired companies, and joint data maintained with AT&T, yet failed to notify US authorities, even though the US government is one of its largest customers. Highlighted by claims of archaic network infrastructure and a lack of basic security logging, this developing legal battle spotlights the critical, high-stakes issue of corporate breach concealment in the tech sector.

Subscribe to this newsletter

View our services

A newly released red team EDRChoker tool introduces a novel technique for severing the connection between Endpoint Detection and Response (EDR) agents and their cloud servers, not by blocking packets outright, but by throttling bandwidth so aggressively that agents continuously time out and lose contact with their command infrastructure. The tool was developed and published by security researcher @TwoSevenOneT, and it targets a fundamental weakness shared by all client-server EDR architectures: without a live server connection, an EDR agent loses most of its telemetry, detection, and response capabilities.
https://cyberpress.org/edrchoker-uses-qos-policies/
https://github.com/TwoSevenOneT/EDRChoker

A former IBM cybersecurity executive has accused the company of concealing multiple data breaches by Chinese state-linked hackers. William Barlow served as IBM’s vice president of threat intelligence until August 2019. In a whistleblower lawsuit unsealed this week, he alleged IBM knew about the breaches and deliberately failed to notify US authorities. The lawsuit was originally filed under seal in 2020. It centres on a hacking campaign by APT 10, a Chinese government-linked group whose members were indicted in 2018. Then-FBI Director Christopher Wray described the group’s targets as a “Who’s Who” of the global economy.
https://thenextweb.com/news/ibm-whistleblower-data-breach-cover-up

Meta has revealed that over 20,000 Instagram users had their accounts hijacked in a recent incident where attackers used Meta's AI-powered support system to reset passwords. As BleepingComputer reported one week ago, the threat actors exploited a flaw in the company's High Touch Support (HTS) tool, an AI-assisted support system that helps users regain access after being locked out of their Instagram accounts.
https://www.bleepingcomputer.com/news/security/meta-ai-support-data-breach-affects-20-000-instagram-accounts/

The self-replicating Miasma worm has reached Microsoft‘s own GitHub repositories. GitHub disabled 73 repositories across four Microsoft organisations, including Azure, Azure-Samples, Microsoft, and MicrosoftDocs, after the worm planted malicious code that harvests developer credentials. It is the most significant escalation yet in an ongoing supply chain attack campaign that has been spreading across the open-source ecosystem for weeks. The attack exploited previously compromised credentials. Last month, the threat group TeamPCP infected the “durabletask” PyPI package hosted in Microsoft’s Azure organisation to deliver an information stealer. Security researcher Paul McCarty pointed out that the same repository is at the centre of this month’s takedown.
https://thenextweb.com/news/miasma-worm-microsoft-github-supply-chain

Microsoft has said it will tighten human-rights controls when working with national security agencies after an inquiry into how the Israeli military used its cloud technology for the mass surveillance of Palestinians. On Thursday, Microsoft announced the completion of the inquiry and a series of new measures that include changes to how the company oversees employees with security clearances issued by foreign governments.
https://www.theguardian.com/technology/2026/jun/04/microsoft-to-tighten-human-rights-measures-after-inquiry-into-israels-use-of-its-tech

OpenAI has begun rolling out Lockdown Mode to ChatGPT, a new security setting designed to block attackers from stealing data through prompt injection attacks. The feature disables live web browsing, agent mode, deep research, image retrieval, Canvas networking, and file downloads. It is available to logged-in users across Free, Go, Plus, Pro, and self-serve ChatGPT Business plans.
https://thenextweb.com/news/chatgpt-lockdown-mode-prompt-injection

Cybersecurity researchers have disclosed details of a financially motivated data theft extortion campaign that has targeted dozens of organizations across professional, legal, and financial services in the U.S. between January and May 2026. The activity has been attributed by Google Mandiant and Google Threat Intelligence Group (GTIG) to a threat actor dubbed UNC3753, which is also known as Chatty Spider, Luna Moth, and Silent Ransom Group (SRG).
https://thehackernews.com/2026/06/unc3753-used-vishing-and-physical.html

Tech giant Toshiba and mega-retailer Muji warned visitors that suspicious sign-in screens popping up on their websites could collect credentials. Both Japanese companies advised users who entered their account login data in the authentication screens to change their passwords to access the service. The login pop-ups were generated by the external service hosted at polyfill[.]io, which in 2024 introduced malicious code in scripts delivered by its CDN. “We have confirmed that some parts of our website may display a sign-in screen like the one shown below. We are currently working to eliminate this screen, but if you do see it, please select "Cancel" without entering any information," Toshiba said in a short communication.
https://www.bleepingcomputer.com/news/security/suspicious-polyfill-login-prompts-pop-up-on-toshiba-muji-websites/

A newly disclosed vulnerability in Trend Micro Deep Security Agent allows a local unprivileged process to force the agent’s own kernel modules to unload and reload, creating a repeatable monitoring gap during which normally blocked content can land on disk undetected. The finding, rated High severity by the researcher, does not require root privileges, kernel module loading rights, or direct calls to rmmod. Instead, it exploits a behavioral recovery path built into the agent itself.
https://cyberpress.org/deep-security-agent-reload-flaw/

An attack chain that silently redirects Claude Code’s Model Context Protocol (MCP) traffic through attacker-controlled infrastructure, intercepting OAuth bearer tokens that grant persistent, broadly scoped access to connected SaaS platforms like Jira, Confluence, and GitHub. Mitiga Labs has demonstrated that the entry point is a malicious npm package engineered to survive casual inspection. Concealed inside is a postinstall lifecycle hook that executes silently during installation, a well-documented supply chain attack class that carries critical new consequences in AI-agentic environments. The hook’s primary target is ~/.claude.json, the global configuration file that governs how Claude Code routes all MCP traffic and stores OAuth tokens in plaintext.
https://cyberpress.org/exploit-claude-code-mcp/

Ubiquiti has patched three critical vulnerabilities in UniFi OS Server that chain together to deliver unauthenticated remote code execution with root privileges. Security researchers at Bishop Fox confirmed the full exploit chain end-to-end on version 5.0.6, turning a single crafted HTTP request into a root shell, no credentials, no user interaction required.
https://cyberpress.org/critical-unifi-os-flaws/

Over 900 automatic tank gauge (ATG) systems across the United States, used to monitor fuel and chemical storage tanks across various critical infrastructure sectors, have been found exposed online and are vulnerable to ongoing attacks. ATG systems are electronic monitoring devices used to remotely track fuel, chemicals, or other liquids in storage tanks, automating inventory control, environmental leak detection, and regulatory compliance. While they're commonly used at gas stations to monitor fuel tank levels, they can also be found in industrial settings to track chemical storage tanks.
https://www.bleepingcomputer.com/news/security/over-900-us-gas-station-tank-gauge-systems-exposed-to-attacks/

Cybersecurity researchers have discovered a previously unreported threat cluster dubbed OP-512 (where "OP" stands for "opponent") that has been observed targeting Microsoft Internet Information Services (IIS) servers to deploy a bespoke web shell framework. ReliaQuest has assessed with moderate to high confidence that the espionage-focused activity is linked to China.
https://thehackernews.com/2026/06/new-threat-cluster-op-512-targets.html

A critical vulnerability in the Everest Forms Pro plugin for WordPress has been actively exploited to hijack vulnerable websites. According to new analysis from WordPress security firm Wordfence, the remote code execution flaw lets unauthenticated attackers run PHP on a target server and take over the site. Tracked as CVE-2026-3300, the bug scores 9.8 on the CVSS scale and affects every release up to and including 1.9.12. Everest Forms Pro is a commercial form builder from developer WPEverest, with roughly 4000 active installations.
https://www.infosecurity-magazine.com/news/everest-forms-pro-rce-actively/

New research from FortiGuard Labs reveals that cybercriminal infrastructure linked to the FIFA World Cup 2026 is already operational. From January to May 2026, more than 13,000 new FIFA World Cup 2026–themed domains were registered. And about 8.8% of these domains have been identified as malicious or suspicious through pattern analysis and scam activity.
https://www.fortinet.com/blog/threat-research/cybercriminals-are-targeting-the-fifa-world-cup-2026

The cyber threat actor Silent Ransom Group (SRG), also known as Luna Moth, Chatty Spider, and UNC3753, is targeting law firms using information technology (IT) themed social engineering calls, then sending an individual posing as an IT support employee to the firm inperson, after which they insert a storage device into a computer to steal sensitive data to extort the victims.
https://www.fbi.gov/file-repository/cyber-alerts/silent-ransom-group-targeting-law-firms-052325.pdf/view

The US cybersecurity agency CISA on Friday warned of attacks targeting a SolarWinds Serv-U vulnerability that had been patched a couple of days earlier. Tracked as CVE-2026-28318 (CVSS score of 7.5), the bug is described as a denial-of-service (DoS) issue that can be exploited via specially crafted POST requests to crash the Serv-U service. Successful exploitation of the security defect does not require authentication, SolarWinds warned on Thursday.
https://www.securityweek.com/solarwinds-patches-exploited-serv-u-vulnerability/

A Chinese espionage group tracked as UNC5221 has been accessing Microsoft 365 environments using the Brickstorm backdoor and previously undocumented malware named Plenet and AgentPSD. An investigation into the incident revealed that the threat actor had gained access to the victim network at least 18 months before detection, and had also compromised the victim organization's managed services provider (MSP). UNC5221 is also tracked as VerdantBamboo and has been involved in attacks that exploited zero-day vulnerabilities in edge devices since at least 2023.
https://www.bleepingcomputer.com/news/security/chinese-apt-deploys-new-malware-to-keep-access-to-hacked-networks/

A man has been sentenced to more than 26 years in federal prison for distributing drugs through a dark web marketplace known as the “Nemesis Market.” DARREN HUGHES operated a vendor store offering free samples of methamphetamine on the Nemesis Market, one of the world’s largest dark web markets. When an undercover law enforcement agent contacted the vendor store, Hughes agreed to mail the law enforcement agent a free sample of meth from California to Chicago.
https://www.justice.gov/usao-ndil/pr/man-sentenced-more-26-years-prison-using-dark-web-distribute-narcotics

A new Magecart campaign is using Stripe's API infrastructure to host the credit card-stealing payload and the data exfiltrated from checkout pages. The entire malicious activity relies on Google Tag Manager and Stripe domains - googletagmanager.com and api.stripe.com - that are trusted implicitly by online stores. The new malware family was discovered by researchers at ecommerce security company Sansec, who found that the malicious code is loaded from a Google Tag Manager (GTM) container and executes on every page that loads it.
https://www.bleepingcomputer.com/news/security/credit-card-theft-campaign-abuses-stripe-to-host-stolen-payment-info/