
BagheeraAltered's CyberSecurity Newsletter

June 22, 2026

Here are 24 billion reasons never to reuse a password

A monumental new data leak has aggregated over 24 billion stolen credentials into a single 8.3 terabyte repository, granting threat actors an unprecedented toolkit for global account takeovers. Because criminals validate these logins at scale using automated credential stuffing tools that relentlessly probe corporate VPNs and email clients, a single employee's reused password can now directly compromise an entire enterprise network. Mitigating this massive systemic risk requires a shift away from standard password policies toward continuous compromised credential screening and the strict enforcement of phishing-resistant multi-factor authentication to neutralize automated attacks before they reach the perimeter.


Researchers from Cybernews discovered an exposed Elasticsearch cluster on June 12, revealing more than 8.3 terabytes of data containing approximately 24 billion records. 

The discovery immediately attracted attention because the numbers seemed almost unbelievable. After conducting multiple verification checks, researchers confirmed that the dataset genuinely contained billions of entries. The sheer volume places this leak among the largest credential-related exposures ever documented. Most records consisted of individual credentials stored separately alongside the URLs associated with the services they were intended to access. This structure suggests the database was designed for efficient searching and exploitation rather than simple archival purposes.
https://undercodenews.com/24-billion-stolen-credentials-exposed-in-massive-data-leak-a-cybercrime-goldmine-that-could-trigger-global-account-takeovers-video/
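The compromised-credential screening recommended above is usually done with a k-anonymity range lookup: the client hashes the candidate password, sends only the first five hex characters of the hash, and receives every suffix the corpus holds under that prefix, so the screening service never sees the full hash. The following is an added example, not code from the article or from Cybernews; the breach corpus, the counts and the `range_query` server stub are constructed inline so it runs offline, and the 12-character minimum is an assumed policy value.

```python
import hashlib

# Constructed stand-in for a breach corpus: SHA-1 hash -> number of times seen.
# A real deployment would query a k-anonymity API or a local corpus dump.
_LEAKED = ["password", "123456", "qwerty", "letmein", "Summer2026!"]
BREACH_CORPUS = {
    hashlib.sha1(p.encode("utf-8")).hexdigest().upper(): count
    for count, p in enumerate(_LEAKED, start=1000)
}


def hash_prefix_suffix(password):
    """Split the uppercase SHA-1 hex digest into the 5-char prefix the client
    sends and the 35-char suffix it keeps locally."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def range_query(prefix):
    """Server side of the range lookup (constructed stub): every suffix in the
    corpus that shares the 5-char prefix, with its count. The server learns
    only the prefix, never which suffix the client is interested in."""
    return {h[5:]: c for h, c in BREACH_CORPUS.items() if h.startswith(prefix)}


def is_compromised(password):
    """Return how many times the password appears in the corpus (0 = not seen).
    Matching is done client-side against the returned suffixes."""
    prefix, suffix = hash_prefix_suffix(password)
    return range_query(prefix).get(suffix, 0)


def screen_password(password, min_length=12):
    """Policy check run at password set/change time and on a recurring basis
    for existing credentials. Returns (accepted, reason)."""
    if len(password) < min_length:
        return False, f"shorter than {min_length} characters"
    count = is_compromised(password)
    if count:
        return False, f"found in breach corpus ({count} occurrences)"
    return True, "ok"


if __name__ == "__main__":
    for candidate in ["password", "Summer2026!", "correct-horse-battery-staple-2026"]:
        print(candidate, screen_password(candidate))
```

Run on a schedule against stored password hashes (where the scheme permits) or at authentication time, a positive hit is the trigger for a forced reset; the prefix-only exchange is what makes it safe to screen every login against an external corpus.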

Most ransomware-as-a-service operators leave affiliates to find their own tools for disabling endpoint security. The Gentlemen took a different approach. “Gentlemen demonstrates an interesting approach: operator-managed EDR killers, ready to use by affiliates,” reads the report published by ESET. “While most ransomware gangs continue to delegate EDR killing to affiliates, Gentlemen has chosen to centralize this function by offering affiliates a ready-to-use, standardized EDR-killer suite. This decision makes Gentlemen an attractive operator for affiliates as it materially lowers the entry barrier for them, making their job consequently easier.”
https://securityaffairs.com/193941/uncategorized/inside-gentlekiller-the-edr-killer-powering-the-gentlemen.html

Killing me gently: Inside Gentlemen’s EDR killer framework

ESET Research shares the results of a months-long investigation into the suite of EDR killers maintained by the RaaS gang Gentlemen

Wiz Research uncovered a critical vulnerability (CVE-2026-3854) in GitHub's internal git infrastructure that could have affected both GitHub.com and GitHub Enterprise Server. By exploiting an injection flaw in GitHub's internal protocol, any authenticated user could execute arbitrary commands on GitHub's backend servers with a single git push command - using nothing but a standard git client.
https://www.wiz.io/blog/github-rce-vulnerability-cve-2026-3854

A previously undocumented malware botnet named AryStinger has compromised more than 4,000 outdated routers to turn them into proxies for malicious traffic. Researchers at Qianxin's XLab threat intelligence team say that the malware converts infected devices into remotely controlled “executors” that can perform scanning, proxying, tunneling, command execution, and other activities on behalf of the attacker. “The attacker can split a massive scanning task into multiple small chunks and distribute them to different Executors for parallel execution,” XLab researchers note.
https://www.bleepingcomputer.com/news/security/arystinger-botnet-infected-thousands-of-d-link-routers-worldwide/

Microsoft confirms Recycle Bin glitch affecting all supported Windows versions. Update KB5094126 is causing issues across all supported versions of Windows. What's the issue? When you try to delete a file from the Recycle Bin, the confirmation dialog may display the "internal" filename instead of the standard, readable filename. Microsoft has clarified that this glitch is limited to the dialog box itself and does not affect the file or its deletion.
https://www.windowscentral.com/microsoft/windows-11/microsoft-confirms-recycle-bin-glitch-all-supported-windows

Microsoft researchers have detailed an exploit chain, named AutoJack, that turns an AI browsing agent into a delivery vehicle for remote code execution. Steer the agent to load an attacker's web page, and that page's JavaScript can reach a privileged local service on the same machine and spawn a process on the host. No credentials, no sign-in screen, and no further user interaction once the agent loads the page. The attacker only has to get the agent to open it, and a planted link, a URL field, or a prompt injection will do.
https://thehackernews.com/2026/06/autojack-attack-lets-one-web-page.html

Google is progressing with its Android developer verification initiative, aiming to enhance user security by ensuring that only apps from verified developers can be installed on certified Android devices. This measure is designed to combat the proliferation of malicious applications and financial scams.
https://thedailytechfeed.com/google-advances-android-developer-verification-rollout/

FortiBleed, the ongoing campaign, stands out not only for its complexity but for how avoidable it may have been. Currently, hackers do not appear to be exploiting any new or undiscovered flaw in Fortinet’s software. Instead, they are taking advantage of a far more basic lapse by going after companies that have failed to update firewall passwords or to ensure that credentials on their external-facing systems are not already in the hands of cybercriminals. It’s a straightforward and effective approach: the hackers scan the internet for exposed Fortinet firewalls and VPNs, then break into the devices using lists of previously leaked passwords.
https://www.inc.com/amaya-nichole/suprisingly-simple-way-hackers-just-breached-oracle-samsung-accenture/91362810
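The FortiBleed pattern, leaked password lists replayed against internet-facing VPN and firewall logins, shows up in authentication logs as one source failing against many different usernames in a short window, sometimes with a success in the middle that marks the account actually taken over. Below is an added detection example, not code from the article or any vendor; the log format, the source addresses, the usernames and the thresholds (five distinct users in five minutes) are constructed assumptions, and the parser would need adapting to a real appliance's syslog format.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of VPN authentication events (not a real appliance format).
SAMPLE_LOG = """\
2026-06-20T08:00:01Z vpn-auth src=203.0.113.10 user=alice result=FAIL
2026-06-20T08:00:03Z vpn-auth src=203.0.113.10 user=bob result=FAIL
2026-06-20T08:00:05Z vpn-auth src=203.0.113.10 user=carol result=FAIL
2026-06-20T08:00:08Z vpn-auth src=203.0.113.10 user=dave result=FAIL
2026-06-20T08:00:10Z vpn-auth src=203.0.113.10 user=erin result=FAIL
2026-06-20T08:00:12Z vpn-auth src=203.0.113.10 user=frank result=SUCCESS
2026-06-20T08:00:14Z vpn-auth src=203.0.113.10 user=grace result=FAIL
2026-06-20T08:05:30Z vpn-auth src=198.51.100.7 user=bob result=FAIL
2026-06-20T08:05:41Z vpn-auth src=198.51.100.7 user=bob result=FAIL
2026-06-20T08:05:55Z vpn-auth src=198.51.100.7 user=bob result=SUCCESS
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) vpn-auth src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>\S+)$"
)


def parse_events(text):
    """Turn log lines into dicts with a timezone-aware datetime; skip lines
    that do not match the expected shape."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.fromisoformat(e["ts"].replace("Z", "+00:00"))
        events.append(e)
    return events


def detect_credential_stuffing(events, window=timedelta(minutes=5), min_users=5):
    """Flag any source that fails authentication for at least `min_users`
    distinct usernames inside a sliding `window`. A legitimate user mistyping
    one password several times never trips this, since the username count
    stays at 1. Returns {src: alert} with the widest offending window and any
    successful logins that fell inside it (the accounts to reset first)."""
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)

    alerts = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        fails = [e for e in evs if e["result"] == "FAIL"]
        start = 0
        best = None
        for end in range(len(fails)):
            # advance the window start until it spans at most `window`
            while fails[end]["ts"] - fails[start]["ts"] > window:
                start += 1
            users = {e["user"] for e in fails[start:end + 1]}
            if len(users) >= min_users and (best is None or len(users) > best["distinct_users"]):
                t0, t1 = fails[start]["ts"], fails[end]["ts"]
                hits = sorted(
                    e["user"] for e in evs
                    if e["result"] == "SUCCESS" and t0 <= e["ts"] <= t1
                )
                best = {
                    "distinct_users": len(users),
                    "window_start": t0.isoformat(),
                    "window_end": t1.isoformat(),
                    "successful_logins": hits,
                }
        if best:
            alerts[src] = best
    return alerts


if __name__ == "__main__":
    for src, alert in detect_credential_stuffing(parse_events(SAMPLE_LOG)).items():
        print(src, alert)
```

On the constructed sample only 203.0.113.10 is flagged (six usernames in fourteen seconds, with the `frank` login succeeding mid-burst), while the repeated failures from 198.51.100.7 are a single user and stay below the threshold. In production the same logic pairs with the credential screening above: a success inside a flagged window is a strong signal that the password was on a leaked list.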

A newly disclosed Jenkins vulnerability, tracked as CVE-2026-53435, is now being actively exploited in the wild. The flaw allows an authenticated attacker with relatively low privileges to POST a malicious config.xml file, abuse Jenkins’ deserialization handling, and route requests through Stapler to access sensitive files on the Jenkins controller.
https://programming.dev/post/52028392

More than 3 million Texas hunting and fishing license holders may have had personal information exposed in a data breach. The exact figure, according to a state filing, is 3,087,721 people. Texas Cyber Command detected the incident at a third-party vendor that handles license sales for the Texas Parks and Wildlife Department. An unauthorized actor may have obtained driver's license information, passport numbers where provided, email addresses, phone numbers, and residential addresses.
https://www.thetrendswire.com/blog/texas-hunters-anglers-data-breach-tpwd-2026

Qualiflex Solutions Reportedly Targeted by Payload Ransomware Group. Qualiflex Solutions, an automation and managed services provider, has allegedly become the latest victim of a ransomware attack attributed to the Payload ransomware group. While details remain limited and independent verification is still pending, the claim has sparked concern among cybersecurity professionals due to the potential impact such an incident could have on customers, partners, and dependent business operations.
https://undercodenews.com/qualiflex-solutions-reportedly-targeted-by-payload-ransomware-group-growing-concerns-across-business-service-providers-dark-web-recent-claims-video

Cybersecurity monitoring accounts reported that Preferred Properties, Inc. was impacted by a ransomware attack that disrupted operations and affected access to company systems. The attack was allegedly carried out by a ransomware payload actor, though technical details regarding the malware family, attack vector, or encryption methods have not yet been publicly disclosed. Organizations in the property management sector increasingly rely on interconnected platforms to handle tenant communications, lease agreements, maintenance requests, accounting operations, and development planning. When ransomware infiltrates such environments, the consequences often extend beyond IT departments and directly affect employees, tenants, contractors, and business partners.
https://undercodenews.com/preferred-properties-hit-by-ransomware-attack-disrupting-housing-operations-in-ohio-dark-web-recent-claims-video

Security researchers at Paradigm Shift have released usbliter8, a working exploit that achieves arbitrary code execution inside the SecureROM of Apple's A12 and A13 chips. That code is fused into the silicon at manufacture. No software update can reach it. The full technical write-up and a working proof of concept went public on June 18, 2026, after coordinated disclosure with Apple Product Security.
https://threat-intelligence.redeyesecurity.com/blog/usbliter8-apple-a12-a13-securerom-exploit-2026

Officials in Acworth are investigating a cyberattack that compromised a selection of government computer networks on June 8. The city recently identified a cybersecurity incident that impacted specific computer networks on June 8. Officials immediately brought in cybersecurity professionals and alerted law enforcement to help secure the infrastructure. All municipal services remain fully operational because IT teams have completely restored the affected networks.
https://www.fox5atlanta.com/news/acworth-computer-networks-targeted-early-june-cyberattack

A new ransomware operation named ‘Prinz Eugen’ prioritizes recently modified files for encryption and leaves no ransom note on the system. An investigation from Threatdown, Malwarebytes’ enterprise cybersecurity arm, found that the Prinz Eugen hackers have a hands-on-keyboard style and prefer to use legitimate remote monitoring and management (RMM) software and living-off-the-land tools.
https://www.bleepingcomputer.com/news/security/new-prinz-eugen-ransomware-prioritizes-recent-files-for-encryption/

A campaign to spread clipboard hijacker malware uses a sophisticated combination of social media “ghost networks,” VirusTotal vote manipulation, and publications on real news sites to lend legitimacy to its trojanized software, Check Point Research revealed Wednesday. The threat actor advertises fake software offering a competitive edge to crypto traders and players of online gambling games, but Check Point noted its social engineering tactics, particularly those targeting VirusTotal, could extend to threats affecting enterprises.
https://www.scworld.com/news/malware-campaign-uses-virustotal-manipulation-legitimate-news-sites-to-gain-reputation

Windows 11’s Search is getting a long-overdue option to completely remove web results, and it is now hidden inside Insider Experimental build 26300.8697, the first build to carry Windows 11 version 26H2. With the toggle turned on, Search is noticeably faster, the panel is cleaner, and local results take over without Bing pushing its way in.
https://www.windowslatest.com/2026/06/21/tested-microsoft-just-debloated-windows-11-search-without-bing-and-its-crazy-fast/

The Canadian government quietly approved tens of millions of dollars in extra spending for a contract it held with the controversial American tech company Palantir. Records from the IJF’s Open By Default database reveal the federal government made over a dozen amendments to a secret contract it held with Palantir’s Canadian subsidiary to provide services to an elite unit of the Canadian military.
https://theijf.org/brief/canadian-palantir-contract-amendments-obd

Microsoft says it has detected new self-propagating malware that spreads through USB drives in search of cryptocurrency credentials, which it then sends to attacker-controlled servers. The company named the worm Crypto Clipper because it monitors the contents of device clipboards for patterns consistent with wallet addresses or seed phrases. When found, the malware also takes five screenshots over a 10-second period. Both the credentials and the screenshots are then sent to the attacker through Tor, an anonymity network that routes traffic through a chain of relays so that no single relay's logs capture both the sending and receiving IP addresses.
https://arstechnica.com/security/2026/06/microsoft-spots-new-self-propagating-malware-for-stealing-cryptocurrency/
