Breaches, ransomware and regulation — analysed the day they break, with the practical lessons your team can act on. Free to read, no account required.

Microsoft addresses a record number of vulnerabilities amid AI-assisted bug discoveries and a high-profile researcher threatening further zero-day releases.

The June 2026 cumulative update for Windows 10 22H2 Extended Security Updates enrollees bundles this month's vulnerability fixes and adds diagnostic hooks for a looming Secure Boot certificate transition that could leave unpatched systems open to bootkit attacks.

A federal jury awarded Meta roughly $168 million in May after NSO's Pegasus spyware abused a WhatsApp voice-call flaw in 2019. Now Meta says NSO's operators are back — this time with social-engineering lures — and is asking a judge to hold the vendor in contempt.

CVE-2026-20245 lets an authenticated attacker escalate to root through the CLI. Mandiant reported the bug after spotting real intrusions, and Cisco has confirmed unauthorized configuration changes in the wild.

A weaponized proof-of-concept for a use-after-free in nf_tables dropped on June 8, 2026 — four months after the upstream fix — and it works reliably against hardened kernels with KASLR and SMAP enabled.

A self-replicating campaign is chaining stolen developer tokens into an ever-widening blast radius — and Microsoft's own GitHub organizations were not immune.

An autonomous AI fuzzer exposed 21 previously unknown vulnerabilities in the media library embedded in nearly every video-capable product on earth. Days later, Google released Chrome 149 with 429 patches — the largest single browser security update on record. Neither story is routine.

A financially motivated extortion crew is impersonating IT staff over the phone, tricking employees into handing over remote access, and exfiltrating privileged client files before most firms even open a help ticket.

CVE-2026-28318 crashes the Serv-U file transfer service in the wild. Federal agencies have roughly three weeks to patch. Everyone else should treat that deadline as their own.

A reverse-engineering of Bright Data's iOS SDK reveals how consumer apps — including always-on televisions — quietly enlist household devices as exit nodes in a massive residential proxy network increasingly serving AI data demands.

A single crafted link was enough to drain a developer's GitHub OAuth token from the browser-based VS Code editor — granting read/write access to private repositories with no second click required.

A new --cooldown flag for Bundler delays installation of freshly published gems, buying defenders the time attackers have long exploited.
Sign up and start training your team in minutes. No sales calls, no demos — just pick a plan and go. Phishing simulations, video courses, and certificates from day one.
