Skip to main content
Back to articles
Security Solutions Team

CISO Daily Digest: Miasma Supply Chain Worm Hits 73 Microsoft Repos, Record Patch Tuesday (20260610)

Miasma supply chain worm compromises 73 Microsoft repos, record 206-CVE Patch Tuesday, Russian WinRAR zero-day attacks against Ukraine, and Check Point VPN 0-day exploited by ransomware

CISO cybersecurity threat intelligence supply chain patch tuesday ransomware zero-day

The largest supply chain worm attack in recent memory β€” Miasma β€” burrowed into 73 Microsoft GitHub repositories, forcing partial repo shutdowns as Microsoft’s investigation continues. Meanwhile, the June 2026 Patch Tuesday shattered records with 206 CVEs fixed across Microsoft, Adobe, and other vendors, driven in part by AI-assisted vulnerability discovery. Russian APT groups escalated attacks against Ukrainian organizations using a WinRAR zero-day, while ransomware operators exploited a Check Point VPN 0-day for over a month before detection.

πŸ”— References: Miasma (Dark Reading | The Hacker News), Patch Tuesday (Krebs on Security | Dark Reading), WinRAR (Dark Reading), Check Point (Xakep.ru)

πŸ“Œ Miasma Supply Chain Worm β€” 73 Microsoft Repositories Compromised

The Miasma worm represents a new class of supply chain threats, autonomously propagating across GitHub repositories by compromising CI/CD pipelines and personal access tokens. Microsoft has restored some repos but keeps others offline. The attack’s scope may grow as forensic analysis continues β€” organizations with dependencies on any of the 73 affected repos should audit their software supply chain immediately.

πŸ”— Reference: Dark Reading | The Hacker News

πŸ“Œ Record Patch Tuesday β€” 206 CVEs Fixed in a Single Day

June 2026’s Patch Tuesday set a new record with 206 CVEs addressed, breaking the previous high by a wide margin. Security researchers attribute the surge to AI-assisted vulnerability discovery, which accelerates both finding and patching. Critical patches include Microsoft Exchange, Windows kernel, and Adobe Reader. Enterprise teams should prioritize deployment given the volume of actively exploited bugs.

πŸ”— Reference: Krebs on Security | Dark Reading

πŸ“Œ Russian APTs Weaponize WinRAR Flaw Against Ukrainian Organizations

Russian-aligned threat actors are actively exploiting a WinRAR vulnerability (CVE-2025-21200) against Ukrainian military and government targets. The attacks use specially crafted archive files that execute code upon extraction. Users still relying on WinRAR should upgrade immediately or migrate to alternatives.

πŸ”— Reference: Dark Reading

πŸ“Œ Check Point VPN 0-Day Exploited for Over a Month by Ransomware Operators

Ransomware groups exploited a zero-day vulnerability in Check Point VPN appliances for more than 30 days before the flaw was publicly disclosed. The attack targeted perimeter VPN gateways β€” a critical blind spot for many organizations. Check Point has issued emergency patches; all affected appliances should be updated immediately.

πŸ”— Reference: Xakep.ru

πŸ“Œ Microsoft Exchange Spoofing Flaw Allows Email Address Impersonation

A critical vulnerability in Microsoft Exchange allows attackers to spoof any email address, bypassing typical authentication checks. This flaw enables highly convincing phishing campaigns targeting C-level executives and suppliers. No authentication bypass is needed; the flaw exists in Exchange’s message-handling pipeline.

πŸ”— Reference: Dark Reading

πŸ“Œ ShinyHunters Exploits Oracle PeopleSoft Zero-Day to Breach Universities

The ShinyHunters threat group is actively exploiting CVE-2026-35273, an Oracle PeopleSoft zero-day, to breach higher education institutions worldwide. The flaw allows unauthenticated remote code execution. Universities running PeopleSoft should check for indicators of compromise and apply mitigations.

πŸ”— Reference: The Hacker News

πŸ“Œ The Gentlemen Ransomware Claims 478 Victims with Worm-Like Spread

The newly emerged Gentlemen ransomware group claims to have compromised 478 victims, using worm-like self-propagation techniques that distinguish it from previous ransomware-as-a-service operations. Krebs on Security is actively investigating the group’s leadership and infrastructure.

πŸ”— Reference: The Hacker News | Krebs on Security

πŸ“Œ GreatXML Exploit Bypasses Windows BitLocker via Recovery Partition

A newly documented technique dubbed GreatXML bypasses Windows BitLocker encryption by exploiting XML parser behavior in recovery partition tools. The attack requires physical access but demonstrates that full-disk encryption alone is insufficient against determined adversaries.

πŸ”— Reference: The Hacker News

πŸ“Œ Max-Severity Ivanti Sentry Flaw Exploited Within 24 Hours of Disclosure

A critical vulnerability in Ivanti Sentry was weaponized within 24 hours of its patch being released, underscoring the vanishingly short window defenders have to apply fixes for edge-device vulnerabilities. Ivanti Sentry is widely deployed for enterprise VPN and secure access.

πŸ”— Reference: Dark Reading

πŸ“Œ Langflow CVE-2026-5027 β€” Unpatched Unauthenticated RCE Exploited

A critical vulnerability in Langflow, the popular AI workflow development platform, is being actively exploited for unauthenticated remote code execution. No patch was available at time of disclosure, leaving Langflow deployments exposed. Organizations running Langflow should isolate it from production networks until a fix is released.

πŸ”— Reference: The Hacker News

πŸ“Œ OpenClaw AI Agent Attacks β€” Code Execution and Secret Leakage via Prompt Injection

Novel attacks against the OpenClaw AI agent framework demonstrate how prompt injection can lead to arbitrary code execution and secrets exfiltration. As enterprises deploy AI agents with tool access, this class of attack represents a growing threat surface.

πŸ”— Reference: The Hacker News

πŸ“Œ Meta Accuses NSO Group of Violating Court Order β€” Continued WhatsApp Pegasus Attacks

Meta has filed new allegations that NSO Group violated a US court injunction by continuing to develop and deploy Pegasus spyware against WhatsApp users. The escalation suggests NSO is operating outside the bounds of prior legal settlements.

πŸ”— Reference: Xakep.ru

πŸ“Œ CISA Adds Cisco, Chrome, and Arista Flaws to KEV Catalog

CISA has added multiple actively exploited vulnerabilities from Cisco, Google Chrome, and Arista Networks to its Known Exploited Vulnerabilities (KEV) catalog. Federal agencies must patch within mandated timelines; private sector organizations should follow suit.

πŸ”— Reference: The Hacker News

OPSWAT Relevance

Many of today’s threats highlight the critical need for layered defenses that OPSWAT solutions address:

  • Miasma supply chain worm β€” MetaDefender’s deep CDR and multiscanning can detect malicious payloads in CI/CD artifacts before they propagate
  • Record Patch Tuesday (206 CVEs) β€” MetaDefender Vulnerability Management provides unified patch prioritization across the attack surface
  • GreatXML BitLocker bypass β€” MetaDefender CDR neutralizes XML-based attacks by stripping active content from documents
  • WinRAR/Exchange/PeopleSoft exploits β€” MetaDefender Multiscanning (30+ AV engines) catches zero-day malware that single-engine solutions miss
  • Langflow/OpenClaw AI attacks β€” MetaDefender’s proactive DLP for AI pipelines prevents prompt injection and secret leakage
  • Check Point VPN 0-day β€” MetaDefender Network Security solutions provide perimeter defense for edge devices