Canadian Cyber Security Journal

Cybersecurity Daily Brief — Monday, June 22, 2026

Here are today’s top cybersecurity stories for Monday, June 22, 2026.

Canada’s Spy Agency Used First-of-Its-Kind Warrant to Clean Botnet-Infected Devices
The Canadian Security Intelligence Service obtained a Federal Court warrant to reach into compromised servers, home routers, and IoT devices in Canadian homes and businesses and neutralize two foreign-run botnets, the first time CSIS has used its threat reduction warrant powers this way. Justice Catherine Kane granted the original warrant in May 2024 and renewed it in August; the redacted Federal Court ruling was released publicly on June 15. The botnets were assessed as likely linked to China and had infected Ring doorbells, security cameras, televisions, and SOHO routers. (Source: The Hacker News)

Klue Supply Chain Breach Hits Nine Cybersecurity Firms — Icarus Posts Stolen Data
At least nine organisations have confirmed data was stolen from their Salesforce environments following a supply chain attack on market intelligence platform Klue. The Icarus extortion group compromised Klue on June 11–12 by harvesting OAuth tokens through a malicious code update, then exfiltrated data from connected Salesforce instances. Confirmed victims include Gong, HackerOne, Huntress, Jamf, OneTrust, Recorded Future, Snyk, Sprout Social, and Tanium. The threat actor set June 22 as its data release deadline. (Source: SecurityWeek)

AryStinger Botnet Hijacks 4,300 D-Link Routers as Proxy Network
A previously undocumented malware botnet named AryStinger has compromised over 4,300 D-Link DIR-850L and DIR-818LW routers by exploiting older vulnerabilities including CVE-2013-3307 and CVE-2025-11837. Infected devices are turned into remotely controlled proxies for scanning, tunneling, and traffic interception, and the malware tampers with DNS settings and silently monitors inbound and outbound traffic. A Go-based variant targeting NAS systems was also found. Nearly half of all infections are in South Korea, followed by China and Sweden. (Source: BleepingComputer)

Gravity SMTP WordPress Plugin Flaw CVE-2026-4020 Under Mass Exploitation — 17 Million Attacks Blocked
Threat actors are mass-exploiting an unauthenticated information disclosure vulnerability in the Gravity SMTP WordPress plugin, which is active on 100,000 sites. The flaw, CVE-2026-4020, exposes a REST API endpoint that returns a full system report, including API keys, secrets, and OAuth tokens for configured email integrations, without requiring authentication. Exploitation spiked in early June, with Wordfence blocking over 17 million attempts against protected customers. The vulnerability affects versions 2.1.4 and older; version 2.1.5, released March 17, contains the fix. (Source: BleepingComputer)

Squidbleed CVE-2026-47729: 29-Year-Old Squid Proxy Memory Leak Discovered With AI Assistance
Researchers at Calif.io, using Anthropic’s Claude Mythos AI model, discovered a Heartbleed-style memory leak vulnerability in Squid Proxy that has existed since 1997 and affects every version in its default configuration. The bug, CVE-2026-47729, stems from a flaw in the FTP parser that causes Squid to read beyond a memory buffer boundary, potentially exposing previous users’ HTTP request data including credentials, session tokens, and API keys. A patch shipped in Squid version 7.6; disabling FTP eliminates the attack surface. (Source: The Hacker News)

SearchLeak: Patched Microsoft 365 Copilot Flaw Let One Click Steal Emails, Files, and MFA Codes
Varonis Threat Labs disclosed a now-patched vulnerability chain dubbed SearchLeak (CVE-2026-42824) in Microsoft 365 Copilot Enterprise Search that let an attacker exfiltrate emails, calendar data, SharePoint files, and live MFA one-time codes with a single click. The attack chained Parameter-to-Prompt Injection with HTML injection and server-side request forgery to direct Copilot to extract and transmit mailbox data to an attacker-controlled URL. Microsoft patched the flaw on its backend. No exploitation in the wild was observed. (Source: The Hacker News)

Texas Parks and Wildlife Data Breach Exposes 3 Million Hunting and Fishing Licence Holders
The Texas Parks and Wildlife Department disclosed a data breach affecting 3,087,721 individuals who acquired hunting and fishing licences, after a third-party vendor suffered a cyberattack. Stolen data includes email addresses, physical addresses, phone numbers, driver’s licence information, and passport numbers. Social Security numbers, dates of birth, and financial data were not compromised. The breach was discovered in May and publicly disclosed on June 18; affected individuals have until September 14 to enrol in a year of free credit monitoring through Kroll. (Source: SecurityWeek)

Five Eyes Agencies Warn: Frontier AI Hacking Models Are Months Away From Broad Availability
Intelligence agencies from the United States, Canada, United Kingdom, Australia, and New Zealand warned that advanced AI models capable of reshaping offensive cyber capabilities are approaching broad public availability faster than the industry expected. The joint statement assesses that frontier AI models will give adversaries access to agentic hacking capabilities (automated vulnerability discovery and exploitation) within the year. The NSA’s director reportedly told US legislators that one frontier AI model broke into classified systems in hours. (Source: CyberScoop)

Fortinet Responds to FortiBleed Campaign as CISA Issues Customer Warning
Fortinet issued a formal response to the FortiBleed credential harvesting campaign, which has produced a verified database of over 86,644 working credentials from internet-facing FortiGate appliances across 194 countries. CISA separately urged all Fortinet customers to act, noting generic admin accounts made up 35 percent of compromised credentials and built-in Fortinet system accounts another 28 percent, pointing to widespread failure to rename default accounts or rotate factory credentials. Organizations are urged to audit all FortiGate credentials, reset passwords, and enforce MFA immediately. (Source: SecurityWeek)

Stay tuned for today’s in-depth analysis posts.
