CISO Daily Digest: Check Point VPN Zero-Day Crisis Intensifies (20260609)
Check Point VPN zero-day exploited by Qilin ransomware with CISA 4-day mandate; Miasma worm hits 70+ Microsoft repos; Chrome V8 zero-day; Meta blocks NSO WhatsApp phishing; self-replicating AI worm demonstrated.
Check Point VPN Zero-Day Exploited by Qilin Ransomware
The Check Point VPN zero-day saga escalated dramatically this weekend, with the Qilin ransomware group weaponizing the IKEv1 authentication bypass vulnerabilities (CVE-2026-50751 / CVE-2026-50752) in active ransomware campaigns.
- Check Point's Quantum Security Gateway and CloudGuard Network Security products are affected by the IKEv1 authentication bypass flaw, which allows attackers to bypass password-based authentication and gain network access
- Qilin ransomware has been observed leveraging the vulnerability to deploy payloads inside protected networks, marking the first known ransomware campaign exploiting this flaw
- CISA has ordered all US federal agencies to patch within 4 days, an unusually aggressive timeline
- Check Point released patches on June 4; security teams should verify immediate deployment
The rapid weaponization of a VPN vulnerability by a major ransomware group within days of patch release highlights the shrinking window between disclosure and exploitation. Organizations still running unpatched Check Point appliances face imminent risk of ransomware deployment.
References: Comprehensive coverage (The Hacker News | DarkReading | iThome: Qilin Activity | iThome: CISA 4-Day)
Active threats this week
Miasma Worm Compromises 70+ Microsoft GitHub Repositories
The Miasma worm has expanded its supply chain attack, compromising over 70 Microsoft-owned GitHub repositories and disabling them within two minutes of infection. The worm uses automated takedown capabilities to delete repository contents. This marks one of the largest supply chain attacks targeting a single vendor's code infrastructure.
Reference: The Hacker News | iThome
Hades PyPI Attack Poisoned 19 Packages with Bun Credential Stealer
The Hades campaign against PyPI poisoned 19 packages using a novel technique: a malicious Bun runtime-based credential stealer that auto-executes on installation. This marks a shift from Python-native attack tooling to cross-runtime malware.
Reference: The Hacker News | DarkReading
Chrome V8 Zero-Day (CVE-2026-11645) Exploited in the Wild
Google confirmed a Chrome V8 engine zero-day (CVE-2026-11645) is being actively exploited in the wild. Users should apply the emergency Chrome update immediately, alongside the broader Chrome 149 patch batch, which addressed 429 security vulnerabilities including 74 critical/high severity issues.
Reference: The Hacker News: V8 Zero-Day | The Hacker News: Chrome 149
Meta Blocks NSO Group's New WhatsApp Phishing Attack, Files Contempt Order
Meta has successfully blocked NSO Group's latest WhatsApp phishing campaign, which targeted journalists and human rights defenders. Meta filed for a contempt of court order alleging NSO violated a prior settlement by deploying new spyware infrastructure.
Reference: The Hacker News
C0XMO Botnet Infects DVRs and Android Devices via Old DD-WRT Flaws
A botnet named C0XMO is exploiting old DD-WRT vulnerabilities to compromise DVRs and Android devices, building a massive IoT botnet. The malware leverages unpatched firmware on consumer and enterprise devices.
Reference: iThome
Silent Ransom Group Hits US Law Firms in Escalating Extortion Attacks
The Silent Ransom Group has intensified operations targeting US law firms, exfiltrating sensitive client data and extorting victims under threat of public exposure.
Reference: DarkReading
Self-Replicating AI Worm Built Entirely on Local, Open-Weight Models
Researchers demonstrated a self-replicating AI worm that operates entirely on local, open-weight models, with no cloud APIs required. The worm spreads between AI agents, stealing credentials and propagating to new systems autonomously, representing a new class of AI-native malware.
Reference: The Hacker News
LiteLLM Flaw (CVE-2026-42271) Exploited in the Wild for Unauthenticated RCE
A critical vulnerability in LiteLLM, an open-source LLM proxy, is being actively exploited for unauthenticated remote code execution. The flaw chains multiple issues to allow complete server compromise without authentication.
Reference: The Hacker News
OpenAI Introduces Lockdown Mode to Defend Against Prompt Injections
OpenAI released a new Lockdown Mode feature designed to protect against the consequences of prompt injection attacks, marking the first major platform-level defense against this growing attack vector.
Reference: xakep.ru
How Can OPSWAT Help
The Miasma worm and Hades PyPI supply chain attacks underscore the growing risk of software supply chain compromise. OPSWAT MetaDefender's multi-engine scanning (aggregating 30+ anti-malware engines) and Content Disarm and Reconstruction (CDR) technology can detect and block both known and unknown malware variants embedded in package dependencies and CI/CD pipelines, reducing exposure to supply chain-driven infections.