This Week in Cybersecurity: Microsoft's Record Patch Tuesday, Arch Linux Supply Chain Compromised, and China's 10-Year Air-Gap Breach


From a record 200-CVE patch load to a China-nexus espionage group that spent a decade hiding inside an air-gapped network, this week proved that every layer of the trust stack is a target

This week's most urgent story is a double blow for Windows administrators. Microsoft's June 2026 Patch Tuesday, the largest in the program's history, addressed more than 200 vulnerabilities across Windows, Exchange, Defender, and Office, including fixes for six publicly disclosed zero-days. Then, hours after the update shipped, a security researcher published RoguePlanet, a proof-of-concept exploit for CVE-2026-47281 (CVSS 9.6), a new and still-unpatched Microsoft Defender privilege-escalation zero-day that grants SYSTEM on fully patched Windows 10 and 11. The June 10 update does not close it: the record patch load and a brand-new, unpatched Defender zero-day landed the same afternoon.

Beyond Patch Tuesday, Sygnia disclosed that a China-nexus group called Velvet Ant spent ten years undetected inside the isolated network of an unnamed organization by backdooring the authentication stack itself — nine variants of compromised PAM modules and trojanized OpenSSH binaries, ensuring that every login was visible to the attackers. On the developer side, more than 400 Arch Linux community packages were hijacked in the "Atomic Arch" supply chain campaign, injecting a Rust credential stealer and optional eBPF rootkit into any machine that built them. ShinyHunters claims to have stolen 297 GB of payroll and HR data from the Council of Europe — including salary records, bank account details, and social security data for tens of thousands of employees — via the same Oracle PeopleSoft zero-day the group used against 100-plus universities the week prior. And a public exploit for Linux kernel CVE-2026-23111 (a one-character nf_tables error enabling local root and container escape) lowers the practical bar for that flaw on unpatched Ubuntu and Debian hosts. Here's what you need to know.




Microsoft June 2026 Patch Tuesday sets an all-time CVE record — and a Defender zero-day PoC drops the same day

On June 10, 2026, Microsoft released the largest security update in Patch Tuesday's history, addressing more than 200 vulnerabilities across Windows, Microsoft Exchange, Office, Defender, and related components, breaking the previous record of 167 CVEs set in October 2025. The update included patches for six publicly disclosed zero-days. Among the notable patches: CVE-2026-45657, a wormable remote code execution flaw in the Windows kernel's TCP/IP stack that requires no authentication; CVE-2026-48579, a critical information disclosure vulnerability in Microsoft Exchange Online (CVSS 9.1); and the formal distribution of the Exchange Server CVE-2026-42897 mitigation through the official update channel (the zero-day we covered in our May 19 post, where no permanent patch yet existed — Microsoft advises keeping the mitigation in place even post-update). Hours after the patch drop, a researcher publishing as Chaotic Eclipse and Nightmare-Eclipse released RoguePlanet — a proof-of-concept for CVE-2026-47281 (CVSS 9.6), a separate, still-unpatched Defender privilege-escalation zero-day that exploits a TOCTOU race condition. ThreatLocker confirmed successful reproduction on fully patched systems the same day.

RoguePlanet is the sixth zero-day proof-of-concept published by the same researcher since early April 2026. In its published form, the exploit does not function on Windows Server instances because standard users cannot mount ISO images; Windows 10 and Windows 11 desktops are the documented exposure surface. Microsoft has not issued an out-of-band patch as of June 16.

Why it matters: A 200-CVE Patch Tuesday is not an argument for patch fatigue; it is an argument for faster prioritization. Windows administrators should lead their June deployment with CVE-2026-45657 and CVE-2026-48579. But the more urgent point is that applying the June update does not close CVE-2026-47281: RoguePlanet is a live, unpatched Defender zero-day with public weaponized code that grants SYSTEM on fully updated Windows 10 and 11 desktops. In its published form the exploit needs a standard user to mount an ISO image (which is why it does not work on Windows Server), so restricting ISO mounting for non-administrators is a stopgap worth weighing until Microsoft ships a fix. The gap between "Patch Tuesday shipped" and "new unpatched Defender zero-day published with working exploit code" was measured in hours.

Read more at Zero Day Initiative

Velvet Ant spent ten years inside an air-gapped network by backdooring the authentication stack

On June 8, 2026, Sygnia published a forensic investigation revealing that a China-nexus threat actor, tracked as Velvet Ant, had maintained undetected access to a large organization's isolated internal network for nearly a decade, from 2016 through its discovery in 2026. Sygnia named the campaign Operation Highland. The intrusion began with the compromise of internet-facing systems, then pivoted to an air-gapped environment with no direct internet connection. The victim organization was not named, and Sygnia did not formally attribute the activity to any specific Chinese government entity.

Velvet Ant's persistence technique was not an application-layer backdoor or a remote exploit; it was a systematic compromise of the authentication stack itself. Researchers identified nine distinct backdoored variants of pam_unix.so, the PAM module that performs password authentication on most Linux systems, each compiled in a separate build environment, alongside trojanized OpenSSH binaries deployed across multiple hosts. The modifications gave the attackers complete visibility into every authentication event on the network: every administrator who logged in, every credential entered, and every access path that remained available. A custom SOCKS5 proxy tunneled traffic through internal relay hosts, letting Velvet Ant reach systems not directly accessible from the initial compromise. That nine variants were built in separate environments points to a structured development pipeline and significant operational resourcing. Velvet Ant is the same China-nexus actor previously documented by Sygnia for three-year persistence inside F5 BIG-IP devices and by Recorded Future for exploiting a Cisco switch zero-day (CVE-2024-20399).

Why it matters: Operation Highland is a clear demonstration that network isolation does not provide meaningful security if the authentication layer governing access to that isolated network is compromised. Velvet Ant didn't need to cross the air gap repeatedly — it controlled the mechanism that legitimized every legitimate crossing. For security teams operating critical infrastructure with isolated segments: auditing the cryptographic integrity of authentication binaries (pam_unix.so, sshd, and related components) against known-good baselines, reviewing PAM module hashes for unexpected variants, and treating the authentication stack as part of the attack surface rather than part of the trusted perimeter should be standing procedures, not post-incident discoveries.
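As an added example (not Sygnia's tooling or a procedure from the report), the shell script below records a hash baseline for the authentication binaries named above and re-checks a host against it, with a package-manager cross-check as a second opinion. The file paths are the usual Debian/Ubuntu locations and the package names are assumptions to adjust for your distribution.

```shell
#!/bin/sh
# Added example: baseline-and-verify for the Linux authentication stack.
# Not from the Sygnia report. Paths are assumed Debian/Ubuntu locations.
# Baseline format: one "<sha256>  <path>" line per file (sha256sum -c style).
# Keep the baseline off-host; a baseline the attacker can edit proves nothing.

AUTH_PATHS="/lib/x86_64-linux-gnu/security/pam_unix.so
/usr/sbin/sshd
/usr/bin/ssh
/usr/lib/openssh/sftp-server"

# SHA-256 of one file, portable across GNU coreutils and BSD userlands.
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# make_baseline OUT PATH...: hash every existing PATH into OUT. Run this on a
# host you trust (freshly installed from a verified image), never on one you
# are already suspicious of.
make_baseline() {
    out="$1"; shift
    : > "$out"
    for p in "$@"; do
        [ -f "$p" ] || continue
        printf '%s  %s\n' "$(hash_file "$p")" "$p" >> "$out"
    done
}

# verify_baseline BASELINE: compare live files against BASELINE. Prints one
# line per finding; returns 1 if any file is missing or its hash differs,
# 0 if every entry matches. Paths containing whitespace are not supported.
verify_baseline() {
    bad=0
    while read -r want path; do
        [ -n "$path" ] || continue
        if [ ! -f "$path" ]; then
            echo "MISSING  $path"; bad=1; continue
        fi
        have=$(hash_file "$path")
        if [ "$have" != "$want" ]; then
            echo "MODIFIED $path (baseline $want, live $have)"; bad=1
        fi
    done < "$1"
    return $bad
}

# pkg_verify: cross-check against the package manager's own file manifests.
# Caveat: this only proves a file matches the package that installed it; a
# package trojanized before installation passes, which is why the
# independent baseline above exists. Package names are assumptions.
pkg_verify() {
    if command -v dpkg >/dev/null 2>&1; then
        dpkg --verify libpam-modules openssh-server openssh-client openssh-sftp-server
    elif command -v rpm >/dev/null 2>&1; then
        rpm -V pam openssh-server openssh-clients
    fi
}

# Live usage: point AUTH_BASELINE at the baseline file. If it exists, the
# host is checked against it; if not, a new baseline is written there.
#   AUTH_BASELINE=/mnt/usb/auth.sha256 sh audit-auth.sh
if [ -n "${AUTH_BASELINE:-}" ]; then
    if [ -f "$AUTH_BASELINE" ]; then
        verify_baseline "$AUTH_BASELINE"
    else
        set -- $AUTH_PATHS
        make_baseline "$AUTH_BASELINE" "$@"
        echo "wrote baseline to $AUTH_BASELINE"
    fi
fi
```

Run the verification from a read-only rescue medium where possible: a backdoored sshd is exactly the kind of component that can lie to a check run through a login it controls.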

Read more at Help Net Security

Over 400 Arch Linux AUR packages hijacked in "Atomic Arch" supply chain attack delivering credential stealer and eBPF rootkit

Beginning June 11, 2026, attackers compromised more than 400 packages in the Arch User Repository (AUR) by adopting abandoned community packages and modifying their PKGBUILD build scripts to pull a malicious npm dependency. Sonatype, which named the campaign "Atomic Arch" and tracks it as Sonatype-2026-003775 (CVSS 8.7), found that attackers specifically targeted orphaned packages — projects whose original maintainers had walked away, leaving them open for adoption through AUR's standard process. Once in control, attackers edited build scripts to run npm install atomic-lockfile during compilation, triggering a preinstall hook that executed a bundled Linux ELF payload (named deps) before any application code ran. The official Arch Linux repositories were not affected; only community AUR packages were compromised. A second wave extending the campaign used bun install js-digest, with community trackers reporting more than 1,600 total affected packages across both waves. No CVE has been assigned; both Socket and Snyk confirmed atomic-lockfile as malicious before it was pulled from the npm registry.

Independent researcher Whanos reverse-engineered the deps payload and identified a Rust credential stealer targeting developer workstations: browser session data and saved passwords from Chromium-based browsers, session tokens from Electron applications including Slack, Discord, and Microsoft Teams, GitHub and npm tokens, HashiCorp Vault credentials, OpenAI bearer tokens, SSH private keys, shell histories, Docker and Podman credentials, and cloud provider keys. Exfiltration runs over HTTP to temp.sh; command-and-control uses a Tor onion service via local loopback proxy. For persistence, the binary installs a systemd service with Restart=always. When already running as root, it loads an optional eBPF rootkit that hides the malware's own processes, process names, and socket inodes from standard monitoring tools using pinned BPF maps (hidden_pids, hidden_names, hidden_inodes). The eBPF rootkit does not escalate privileges — it activates only after the binary already has root — but its presence means that uninstalling the AUR package after the fact does not prove the host is clean. The attack exploited trust, not a software flaw: the compromised packages kept their names, version histories, and community standing, with only the build instructions changed.

Why it matters: For any developer using AUR: check every package installed or updated on or after June 11 against community detection scripts and the affected-package list; grep recent build histories and package caches for npm install atomic-lockfile and bun install js-digest. If a flagged package ran, treat the host as fully credential-compromised and rotate everything the stealer reaches: browser sessions, SSH keys, GitHub and npm tokens, Slack, Teams, and Discord sessions, Vault credentials, Docker credentials, and cloud keys. For teams running CI/CD pipelines on Arch-based images, treat the entire build host as compromised. The broader lesson: a recently adopted AUR package, or one that suddenly gains new install hooks after long dormancy, now warrants the same scrutiny as a package from an unknown publisher.
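The checks in the paragraph above, as an added example that is not Sonatype's, Arch's or the researcher's tooling: a shell script that hunts for the two published install commands in PKGBUILDs, flags any other JS package-manager call in a build script, and looks on the host for the rootkit's pinned map names and a restart-always unit running the "deps" payload. The directory layout, the unit heuristic and the wider JS-install regex are assumptions to tune locally.

```shell
#!/bin/sh
# Added example, not Sonatype's, Arch's or the researcher's tooling: hunt
# for the Atomic Arch indicators in AUR build files and on the host that
# built them. The two install commands are the published indicators; the
# paths, the "deps" service heuristic and the JS-package-manager heuristic
# are assumptions to tune locally.

# Exact indicators from the campaign writeup (first and second wave).
IOC_CMDS='npm install atomic-lockfile|bun install js-digest'
# Wider net: any JS package manager invoked from a PKGBUILD. Unusual for a
# package that is not itself a Node project, so worth a manual read.
JS_INSTALL='(npm|bun|yarn|pnpm)[[:space:]]+(install|add|i)([[:space:]]|$)'

# scan_pkgbuild FILE: prints a finding; returns 1 on a hit, 0 when clean.
scan_pkgbuild() {
    if grep -Eq "$IOC_CMDS" "$1"; then
        echo "IOC     $1: known Atomic Arch install command"; return 1
    fi
    if grep -Eq "$JS_INSTALL" "$1"; then
        echo "REVIEW  $1: build script runs a JS package manager"; return 1
    fi
    return 0
}

# scan_tree DIR: every PKGBUILD below DIR, e.g. an AUR helper's clone cache
# (~/.cache/yay, ~/.cache/paru/clone) or a CI build root. Returns 1 if any
# file hit. Newline-only IFS so paths with spaces survive word splitting.
scan_tree() {
    rc=0
    oldifs=$IFS; IFS='
'
    for f in $(find "$1" -type f -name PKGBUILD 2>/dev/null); do
        scan_pkgbuild "$f" || rc=1
    done
    IFS=$oldifs
    return $rc
}

# find_pinned_maps BPFFS: the rootkit's pinned map names under the BPF
# filesystem (/sys/fs/bpf on a live host). Returns 1 if any are present.
# Caveat: a rootkit that filters the kernel's view of processes and sockets
# may filter this too; a check from a rescue boot is more trustworthy.
find_pinned_maps() {
    found=$(find "$1" \( -name hidden_pids -o -name hidden_names -o -name hidden_inodes \) 2>/dev/null)
    if [ -z "$found" ]; then
        return 0
    fi
    printf 'BPF-PIN %s\n' $found
    return 1
}

# find_suspect_units DIR: systemd units that both restart unconditionally
# and run a binary named "deps", the payload's name. DIR is a unit directory
# such as /etc/systemd/system or ~/.config/systemd/user. Returns 1 on a hit.
find_suspect_units() {
    rc=0
    for u in "$1"/*.service; do
        [ -f "$u" ] || continue
        if grep -q '^Restart=always' "$u" \
           && grep -Eq '^ExecStart=.*/deps([[:space:]]|$)' "$u"; then
            echo "UNIT    $u"; rc=1
        fi
    done
    return $rc
}

# Live usage: set ATOMIC_ARCH_CHECK=1 to scan the usual locations.
if [ -n "${ATOMIC_ARCH_CHECK:-}" ]; then
    scan_tree "$HOME/.cache/yay"; scan_tree "$HOME/.cache/paru/clone"
    find_pinned_maps /sys/fs/bpf
    find_suspect_units /etc/systemd/system
    find_suspect_units "$HOME/.config/systemd/user"
fi
```

A hit from scan_pkgbuild tells you a package pulled the payload; it does not tell you the host is clean after removal. Treat any IOC hit as the trigger for the credential rotation described above, and treat a pinned-map or unit hit as a host to reimage rather than clean.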

Read more at BleepingComputer

ShinyHunters claims 297 GB of Council of Europe payroll data via Oracle PeopleSoft zero-day, ransom deadline expires today

On June 14, 2026, the ShinyHunters extortion group posted a claim asserting it had stolen 297 GB — more than 429,000 files — from the Council of Europe, the Strasbourg-based intergovernmental organization that oversees the European Convention on Human Rights across 46 member states. The group set a ransom deadline of June 16, 2026. The Council of Europe confirmed it is investigating the claims; as of June 15, the breach had not been independently verified. According to the ShinyHunters claim, the stolen data includes 409,000 payslips, 14,000 CVs, and 3,700 internal HR documents from multiple Council entities — the Secretariat, Human Resources Directorate, Parliamentary Assembly, and the European Directorate for the Quality of Medicines and Healthcare (EDQM) — as well as salary details, bank account information, tax records, social security numbers, and personal identifiers for more than 10,000 employees. ShinyHunters identified the attack vector as CVE-2026-35273, an Oracle PeopleSoft authentication bypass that is remotely exploitable without credentials and can result in remote code execution.

The Council of Europe intrusion is part of a broader ShinyHunters PeopleSoft campaign that exploited CVE-2026-35273 against more than 300 instances at over 100 organizations, primarily universities and higher education institutions, between May 27 and June 9, 2026. Across that campaign, the group used MeshCentral for command-and-control, named its agents after Microsoft Azure services to blend into normal network traffic, and deployed a custom SSH credential-spraying script to spread laterally through compromised environments. ShinyHunters previously breached Canvas/Instructure (275 million records, covered in our May 12 post) and has run a separate Salesforce Aura campaign against an estimated 300–400 organizations since September 2025, through a different attack vector. Today's ransom deadline has now passed; if the data is released or verified, expect additional reporting.

Why it matters: CVE-2026-35273 is the operational priority here for any organization running Oracle PeopleSoft. The fact that ShinyHunters breached 100-plus organizations with this single vulnerability across two weeks before pivoting to the Council of Europe suggests the flaw is reliable and the campaign is ongoing. Any organization with internet-facing PeopleSoft instances that hasn't verified the patch status for CVE-2026-35273 should treat this as an emergency. The Council of Europe breach also illustrates the stakes of centralizing HR, payroll, and identity data: a compromise here isn't a leaked email list — it's bank account numbers, tax identifiers, and social security records for thousands of employees across an international institution.

Read more at SecurityWeek

Public exploit released for Linux kernel nf_tables flaw CVE-2026-23111, enabling local root and container escape

On June 8, 2026, Exodus Intelligence released a working proof-of-concept exploit for CVE-2026-23111, a use-after-free vulnerability in the Linux kernel's nf_tables packet-filtering subsystem. The underlying bug is a one-character error — an inverted logical check ("!") in the nft_map_catchall_activate() function that causes incorrect handling during transaction abort operations. An upstream kernel patch was released on February 5, 2026, and FuzzingLabs published an independent reproduction in April; the Exodus Intelligence release on June 8 is a tested, working exploit rather than a crash proof-of-concept. Ubuntu rates the flaw CVSS 7.8. Exodus Intelligence confirmed the exploit against Ubuntu 22.04 LTS, Ubuntu 24.04 LTS, Debian Bookworm, and Debian Trixie. An unprivileged local user on any of those unpatched distributions can use it to escalate privileges to root and escape containerized environments. CISA had not added CVE-2026-23111 to its Known Exploited Vulnerabilities catalog as of June 16, 2026.

The four-month gap between the upstream patch (February 5) and the public exploit (June 8) is notable primarily because many production Linux environments — particularly large enterprises with slow kernel-update cycles — may have applied distribution updates but lag behind upstream kernel patches. Whether a given system is protected depends on whether the distribution has backported the fix, not on whether it has received recent updates in general.

Why it matters: A CVSS 7.8 kernel flaw with a public, tested exploit is an immediate priority for any organization running multi-tenant Linux environments or containerized workloads. The container-escape capability raises the risk above ordinary local privilege escalation: in Kubernetes clusters or shared CI runners, escaping the container boundary reaches the host node and potentially the broader cluster. Check whether your distribution kernel actually carries the February 5 fix (its changelog or security advisory for CVE-2026-23111), not just whether its version number is newer than some upstream release; if nf_tables is in your container networking stack, which includes most Kubernetes setups using iptables or nftables-based network policies, assume exposure until you verify the backport is in place.
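The "is this host actually fixed?" question from the two paragraphs above, as an added example that is not from Exodus Intelligence or any distribution: a shell script that reads the kernel package's own changelog for the CVE (the distribution's record of a backport, which the upstream version string does not give you), reports whether nf_tables is loaded, and reports the unprivileged user namespace policy as the compensating control while a fix is pending. The changelog location is the standard one for Debian and most Ubuntu linux-image packages and the sysctl names are the real Debian and Ubuntu knobs; both are parameterized here so the functions can be exercised against a constructed tree. The user-namespace point is general to this bug class (nf_tables exploits commonly need CAP_NET_ADMIN inside an unprivileged user namespace); the text does not state the Exodus exploit's requirements, so do not treat a restricted policy as a substitute for the patch.

```shell
#!/bin/sh
# Added example, not from Exodus Intelligence or any distribution: assess a
# Debian/Ubuntu host's exposure to CVE-2026-23111 from the evidence the
# text points at. Changelog path and sysctl names are standard; both are
# parameterized so the functions can run against a constructed tree.

CVE=CVE-2026-23111

# fix_listed CHANGELOG CVE: 0 if the kernel package's changelog names the
# CVE, i.e. the distribution backported the fix into this build. Handles
# plain or gzip-compressed changelogs; a missing file counts as "not listed".
fix_listed() {
    case "$1" in
        *.gz) zcat "$1" 2>/dev/null | grep -q "$2" ;;
        *)    grep -q "$2" "$1" 2>/dev/null ;;
    esac
}

# Changelog path for the running kernel on Debian/Ubuntu. If the file is
# absent on your build, the distribution's security tracker entry for the
# CVE is the fallback.
kernel_changelog() {
    echo "/usr/share/doc/linux-image-$(uname -r)/changelog.Debian.gz"
}

# nft_loaded MODULES_FILE: 0 if nf_tables is loaded (/proc/modules on a
# live host). Caveat: the module autoloads on first use, so "not loaded"
# is not protection unless it is also blacklisted.
nft_loaded() {
    grep -q '^nf_tables ' "${1:-/proc/modules}" 2>/dev/null
}

# userns_policy SYSROOT: whether an unprivileged user can create a user
# namespace, the usual route to CAP_NET_ADMIN for nf_tables exploits.
# SYSROOT is /proc/sys on a live host. Prints one word:
#   disabled   Debian kernel.unprivileged_userns_clone=0
#   restricted Ubuntu kernel.apparmor_restrict_unprivileged_userns=1
#   zero       user.max_user_namespaces=0
#   available  none of the above
userns_policy() {
    r="${1:-/proc/sys}"
    if [ "$(cat "$r/kernel/unprivileged_userns_clone" 2>/dev/null)" = "0" ]; then
        echo disabled
    elif [ "$(cat "$r/kernel/apparmor_restrict_unprivileged_userns" 2>/dev/null)" = "1" ]; then
        echo restricted
    elif [ "$(cat "$r/user/max_user_namespaces" 2>/dev/null)" = "0" ]; then
        echo zero
    else
        echo available
    fi
}

# verdict CHANGELOG SYSROOT: one-line assessment; returns 0 only when the
# distribution changelog shows the fix.
verdict() {
    if fix_listed "$1" "$CVE"; then
        echo "patched: $CVE listed in $1"
        return 0
    fi
    echo "UNPATCHED: $CVE not in $1; unprivileged userns $(userns_policy "$2")"
    return 1
}

# Live usage: NFT_CHECK_LIVE=1 sh nft-check.sh
if [ -n "${NFT_CHECK_LIVE:-}" ]; then
    nft_loaded && echo "nf_tables is loaded"
    verdict "$(kernel_changelog)" /proc/sys
fi
```

On RPM-based distributions the equivalent record is `rpm -q --changelog kernel | grep CVE-2026-23111`; the logic is the same, only the source of truth moves.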

Read more at Falcon Internet Blog

Final thoughts

The common thread this week is the systematic targeting of trust. Velvet Ant didn't bypass an air-gapped network through brute force; it compromised the authentication layer that everyone on that network trusted by default. The Atomic Arch attackers inherited the reputations of abandoned community packages rather than building malicious ones from scratch. Microsoft Defender, the software running specifically to protect Windows machines, was the vehicle for the week's most prominent unpatched zero-day. And ShinyHunters turned the Oracle PeopleSoft vulnerability it had used against universities into a direct attack on the institution most closely associated with European human rights standards.

For security teams, the practical response isn't to trust nothing — it's to verify everything you're currently trusting by assumption. Audit your Linux authentication binaries. Read your AUR build files before you run them. Confirm your PeopleSoft and Windows patch status. And treat Patch Tuesday as the floor, not the ceiling — because this week, a new Defender zero-day dropped the same afternoon the record patch load shipped.

Check back next Tuesday.
