Cyber Roundup: Week of June 8

Here are the main stories you missed last week.

1. Check Point: CVE-2026-50751 VPN authentication bypass actively exploited by Qilin affiliate

The headline: On June 8, 2026, Check Point confirmed active exploitation of CVE-2026-50751, a CVSS 9.3 authentication bypass in Remote Access VPN and Mobile Access deployments using the deprecated IKEv1 key exchange. CISA added the vulnerability to its Known Exploited Vulnerabilities catalog the same day with a federal patching deadline of June 11. Check Point linked at least one confirmed incident to a Qilin ransomware affiliate. Exploitation dates back to May 7, with attack volumes surging in early June.

What we’re actually watching: Ransomware affiliates now operate inside a 30-day weaponization window against perimeter VPN appliances. The Qilin attribution turns a vulnerability disclosure into a confirmed ransomware delivery path.

The flaw stems from a logic error in certificate validation that allows attackers to manipulate authentication flags through a custom VPNExtFeatures Vendor ID payload during IKEv1 negotiation. As watchTowr Labs documented on June 12, the vulnerable iked process skips signature verification and trust-chain validation entirely. Three of Check Point’s four user authentication modes hand attackers a session with no resistance.

The Qilin affiliate used dedicated VPS infrastructure across Kaupo Cloud HK, Shock Hosting, and Vultr Holdings. The actor deployed Rclone for data exfiltration and used the Tox protocol for command and control. The campaign has hit several dozen organizations globally so far, with Rapid7 separately confirming two additional cases with high confidence. Organizations running IKEv1 with non-mandatory machine certificates remain exposed regardless of password strength.

The CISO question: If your VPN appliance still supports a “deprecated” protocol for backwards compatibility, do you know which users and partners actually depend on that legacy path, or are you accepting an authentication bypass risk to avoid a migration conversation?

2. Google Mandiant: UNC3753 escalates from vishing to physical office intrusions at US law firms

The headline: On June 8, 2026, Google Mandiant and the Google Threat Intelligence Group disclosed an active extortion campaign by UNC3753, also tracked as Luna Moth, Chatty Spider, and Silent Ransom Group. The campaign targeted dozens of US legal, financial, and professional services firms between January and May 2026. It combines voice phishing, RMM tool abuse, and physical office intrusions where actors pose as IT technicians and exfiltrate data via USB. An FBI Cyber FLASH Alert dated May 26 corroborates the physical-access component.

What we’re actually watching: The threat model now extends past the firewall to the reception desk. UNC3753 completes initial contact, data theft, and extortion inside a single business day in multiple Mandiant-investigated cases.

The attack chain begins with a benign invoice-themed email sent from a consumer account, followed by a phone call where attackers harvest contact information directly from corporate directories. Victims are convinced to install RMM utilities and grant screen-sharing access. Once inside the VDI, UNC3753 enumerates OneDrive and mapped drives, then targets iManage document repositories using keyword searches for W-2 forms, Social Security numbers, audit records, and legal agreements.

In one Mandiant case, the group exfiltrated 1.7 GB through Google Drive before pivoting to WinSCP for an additional 14.4 GB. Phishing domains follow predictable patterns like organization-itdesk[.]com and organization-helpdesk[.]com, which CybelAngel’s domain monitoring surfaces during the registration phase. Following exfiltration, victims receive a three-day extortion deadline before files appear on the LEAKEDDATA site. CrowdStrike assesses UNC3753 as likely Russia-based, with tradecraft inherited from the Conti ecosystem.

The CISO question: Your help desk has a verification process for password resets. Does your reception desk have an equivalent verification process for unannounced IT technicians carrying USB drives?

3. Microsoft: June Patch Tuesday ships record 208 CVEs with one exploited zero-day and a wormable kernel flaw

The headline: On June 9, 2026, Microsoft released the largest single Patch Tuesday since the program’s founding in 2003, shipping fixes for 208 CVEs across Windows, Office, Azure, Exchange, Hyper-V, Secure Boot, and BitLocker. The cycle includes six zero-days, one of them actively exploited in the wild. The headline flaw is CVE-2026-45657, a CVSS 9.8 use-after-free vulnerability in the Windows Kernel TCP/IP stack that Microsoft classified as wormable under certain network configurations and, again, rated “exploitation less likely.”

What we’re actually watching: Microsoft’s “exploitation less likely” rating is now a reliable contrary indicator. The June 1 Netlogon flaw was rated less likely and exploited within three weeks. CVE-2026-45657 received the same label, and every researcher capable of reversing a patch is already doing so.

CVE-2026-45657 requires no authentication and no user interaction. The wormable classification means a successful exploit could self-propagate to other unpatched machines without operator involvement, a property that has produced every memorable network worm since Conficker. The actively exploited zero-day, CVE-2026-41091, is an elevation-of-privilege flaw in Microsoft Defender’s Real-Time Protection component. A local attacker who already has a foothold can escalate to SYSTEM. The five publicly disclosed zero-days, including the CTFMON elevation flaw and two BitLocker security feature bypasses tied to the ongoing Nightmare Eclipse disclosure dispute, will be reverse-engineered into working exploits inside two weeks.

The 51% volume jump from May’s 138 CVEs to June’s 208 is itself the story. Microsoft has attributed the acceleration to AI-assisted vulnerability discovery tools finding flaws faster than the historical research pipeline could process. Defenders absorbing a record patch cycle face the same scaling problem from the opposite direction.

The CISO question: Your patching capacity was sized for a 130-CVE month. June shipped 208, and the trend line points up. Do you have a triage process that escalates wormable kernel flaws above the queue regardless of vendor rating, or are you still patching in CVSS order and hoping the “less likely” label holds?

4. GitHub: npm v12 disables install scripts by default to break a decade-old supply chain attack vector

The headline: On June 11, 2026, GitHub announced that the upcoming npm v12 release will disable install scripts (preinstall, install, postinstall) by default. The change inverts npm’s default trust model from opt-out to opt-in. Two additional defaults shift in v12: --allow-git and --allow-remote both default to none, blocking Git-based and remote URL dependencies unless explicitly enabled. The release is expected in July 2026. Advisory warnings for the same changes are already available in npm 11.16.0.

What we’re actually watching: The default-trust model that powered the npm ecosystem for a decade is being formally retired. Every CI/CD pipeline running npm install without auditing dependency scripts has roughly thirty days to inventory what would break under v12.

The change is a direct response to a sustained run of supply chain compromises. The Miasma worm hit Red Hat’s @redhat-cloud-services namespace on June 1 with 32 packages and returned three days later with the Phantom Gyp technique to compromise 57 more. Shai-Hulud has continued through the npm registry since September 2025. The Axios library was compromised in March 2026 through stolen credentials. The 18-package debug and chalk hijack in September 2025 affected packages with 2.6 billion combined weekly downloads.

For SOC teams, the operational window is short. The recommended workflow is to upgrade to npm 11.16.0, run npm install normally, and treat every warning as a future failure in CI/CD. Teams that wait for v12 to ship will discover their dependency allowlist the hard way through broken builds. Worth noting: pnpm, Yarn, and Bun have all blocked install scripts by default for years. npm is catching up, not leading.

The CISO question: When npm v12 ships next month, will your CI/CD pipelines break because someone didn’t audit which dependency scripts your build relies on, or have you already converted that audit from a future task into a completed allowlist your engineering team can commit to the repo?

5. BlackFog: OnyxC2 malware-as-a-service offers credential theft against 210 applications for $250 a month

The headline: On June 11, 2026, BlackFog researchers published their analysis of OnyxC2, a stealer toolkit sold on cybercrime forums starting at $250 per month. The malware targets approximately 210 applications and extensions: 37 Chromium-based browsers, 8 Gecko-based browsers, 95 Chromium extensions, 14 Gecko extensions including 6 dedicated 2FA tools, 5 password managers, 17 cryptocurrency wallets, 11 FTP clients, and 5 email clients. Sample builds remained undetected on VirusTotal as of May 30.

What we’re actually watching: Credential theft has moved from cottage industry to commercial product. OnyxC2’s developer offers refunds if a build gets detected, which is a service-level commitment that traditional malware authors never made.

One infected machine documented in BlackFog’s operator panel had already surrendered 55 saved passwords, 4,717 cookies, 719 autofill entries, credit card data, and a crypto wallet. That single haul potentially unlocks banking, business, and cloud accounts. The 6 dedicated 2FA extensions in the target list deserve particular attention. They include the seed material for time-based codes, and successful theft bypasses 2FA on every account derived from those seeds. The 17 cryptocurrency wallets in scope are monetized immediately.

The MaaS pricing structure puts capable credential theft in the hands of buyers who could never write the malware themselves. Standard tier is $250 per month. Premium with HVNC is $500. Full source code with installation guide is $6,000. Detection guarantees and tiered support are the kind of product packaging that commodity software vendors offer. The credential supply chain that fed last week’s UNC3753 victims and the next month’s ransomware affiliates is being assembled in public, at retail prices.

The CISO question: When the credential stealer market has matured to the point of refund guarantees and service tiers, do your detection programs assume the credentials in your environment have already leaked, or are you still building defenses around the assumption that attackers need sophisticated tradecraft to harvest them?

The pattern across all five stories

Every story this week is about a default that’s about to change, or a default that should have changed already.

The Check Point IKEv1 path was deprecated but still on by default for backwards compatibility, and a Qilin affiliate proved deprecation is not deactivation. UNC3753’s victims defaulted to trusting phone calls from people claiming to be IT support. Microsoft’s “exploitation less likely” label is a default rating that researchers now treat as a target marker. GitHub is reversing the decade-old npm install-script default because too many teams trusted dependencies they never inspected. OnyxC2 thrives because browsers default to storing credentials and 2FA seeds on local disk. The common thread is, of course, defaults.

CybelAngel surfaces the exposed credentials, leaked tokens, malicious lookalike domains, and forgotten internet-facing assets that result when permissive defaults outlive the threat environment they were designed for.

About the author