Today’s roundup
U.S. CISA adds Cisco and PTC Windchill and FlexPLM flaws to its Known Exploited Vulnerabilities catalog
macOS.Gaslight: North Korea-Linked Malware That Tries to Gaslight the Analyst
Tata Electronics Confirms Data Breach After 630GB Leak Claim Targets Apple and Tesla
Miasma Malware Targets npm Packages and GitHub Actions in Supply Chain Attack
Google Details Turla's New STOCKSTAY Backdoor Used in Ukraine Espionage Attacks
Inside Mistic, the New Stealth Backdoor in Ransomware Intrusions
Chrome Ad Blocker with 10M+ Installs Found with Dormant Script Injection Capability
Third-Party Breach at Polymarket Leads to $2.94M Crypto Theft
Cisco Vulnerability Exploited Months Before Disclosure, Google Warns
Activist Phone Hacked With Cellebrite After Russia Contract Cancellation
Summary
The U.S. CISA has added two critical, actively exploited vulnerabilities to its KEV catalog: a remote code execution flaw in PTC Windchill/FlexPLM (CVE-2026-12569) and an SSRF flaw in Cisco Unified Communications Manager that leads to root access (CVE-2026-20230). Federal agencies are required to patch by June 28, 2026.
SentinelLabs identified "macOS.Gaslight," a North Korea-linked Rust implant designed to evade AI-assisted malware analysis via fabricated system-failure messages. It exfiltrates sensitive macOS data using a Telegram-based C2 with novel self-redaction capabilities.
Tata Electronics, a key supplier to Apple and Tesla, confirmed a data breach where the "World Leaks" group claims to have stolen over 630GB of data, including alleged Apple supplier specifications and Tesla manufacturing documents, with a ransom demand under investigation by Apple.
An evolving supply chain attack, linked to the Mini Shai-Hulud, Miasma, and Hades malware families, is now compromising new npm packages (LeoPlatform, RStreams) and abusing GitHub Actions workflows to propagate into the Go ecosystem.
Google detailed "STOCKSTAY," a new .NET backdoor used by the Russian state-sponsored Turla APT group. It has been deployed for espionage against government and military organizations in Ukraine, as well as against entities involved in Italian foreign policy.
Symantec reported "Mistic," a stealthy backdoor by the KongTuke (Woodgnat) access broker, active since April 2026. It enables long-term covert access for ransomware groups like Qilin, Interlock, and Black Basta, using DLL sideloading, in-memory execution, and a kill switch to remain hidden.
A popular Google Chrome extension, "Adblock for YouTube," with over 10 million installs, was found to harbor a dormant capability for arbitrary JavaScript code execution, posing a significant supply chain risk to its vast user base.
Polymarket, a prediction market platform, confirmed a security breach via a compromised third-party vendor, which led to a malicious script being injected into its frontend and the theft of approximately $2.94 million in PUSD from at least 11 user wallets. Polymarket will fully reimburse victims.
Google warned that a high-severity flaw in Cisco Catalyst SD-WAN Manager was actively exploited in the wild for several months before its public disclosure in June 2026, indicating that it was used as a zero-day or N-day vulnerability.
Russian authorities used Cellebrite's UFED tools to access activist Andrey Pivovarov's iPhone 12 in June 2021, despite Cellebrite halting sales to Russia three months earlier. Citizen Lab's report confirmed extensive data extraction and targeted searches, highlighting ethical concerns.
Cyber Groups
| Group | Aliases |
| --- | --- |
| Turla | IRON HUNTER, Group 88, Waterbug, WhiteBear, Snake, Krypton, Venomous Bear, Secret Blizzard, BELUGASTURGEON |