Here are today’s top cybersecurity stories for Thursday, June 11, 2026.
CISA Issues BOD 26-04: Risk-Based Patching Directive Sets 3-Day Deadlines for Critical Exploited Flaws
The US Cybersecurity and Infrastructure Security Agency published Binding Operational Directive 26-04 on June 10, requiring all federal civilian executive branch agencies to remediate actively exploited, publicly exposed, automatically exploitable vulnerabilities that grant full system control within three days. Lower-risk flaws face a two-week window. Agencies have 60 days to update remediation processes and 180 days — by December 7, 2026 — to fully comply with the new timelines. CISA
AudiA6 Crypto Laundering Network Dismantled: $389 Million in Ransomware Proceeds Seized
An international operation led by the US Department of Justice and Europol, with participation from Canada, Australia, France, Germany, Japan, Switzerland, and the United Kingdom, has dismantled AudiA6 — a cryptocurrency laundering service used by ransomware gangs since 2021. Two operators, Ruslan Tkachuk and Alexander Ledenev, were arrested in Batumi, Georgia, and charged with laundering more than $389 million in Bitcoin across 10,333 BTC. Thirteen domains were seized and blockchain analysis confirmed ties to over 15 international cybercrime investigations. US DOJ
Langflow CVE-2026-5027 Actively Exploited: Unpatched Path Traversal Enables Unauthenticated RCE
A high-severity path traversal vulnerability in Langflow, the open-source AI application builder, is under active exploitation. CVE-2026-5027 (CVSS 8.8) allows unauthenticated attackers to write arbitrary files on exposed servers because Langflow enables auto-login by default and the POST /api/v2/files endpoint does not sanitize the filename parameter. Approximately 7,000 instances were publicly exposed at time of disclosure. Langflow version 1.10.0, released June 11, resolves the flaw. The Hacker News
Six Proto6 Vulnerabilities in protobuf.js Expose Node.js Apps to RCE and DoS
Researchers at Cyera disclosed six vulnerabilities in protobuf.js, a JavaScript and TypeScript implementation of Protocol Buffers. The most severe, CVE-2026-44291, enables remote code execution via prototype pollution — attacker-controlled input reaches a protobuf type resolution path and triggers arbitrary JavaScript execution through a generated Function() call. CVE-2026-44295 (CVSS 8.7) enables code injection via crafted schema names. Affected versions are protobuf.js 7.5.5 and earlier, and 8.0.0–8.0.1. Patches are available in versions 7.5.6 and 8.0.2. Google Cloud client libraries and the Baileys messaging framework are among affected downstream projects. The Hacker News
FBI Seizes 13 Websites Linked to Alleged Chinese Intelligence Recruitment of US Government Workers
US federal authorities seized 13 domains operated by suspected Chinese agents posing as consulting firms — including Centrik Global Consulting, Catalyst Global Solutions, and Gulf Peace Foundation — that targeted current and former US government and military personnel with security clearances. The recruiters used AI-generated photographs, fake personas, and job postings on platforms including Upwork and LinkedIn to solicit sensitive government information, with cryptocurrency used to conceal payments. Help Net Security
Secure Boot June 26 Enforcement: 15 Days to Update Windows UEFI Certificates
The Microsoft Corporation KEK CA 2011 certificate expires June 24, 2026, and the Microsoft UEFI CA 2011 follows around June 27. After enforcement begins, systems without the 2023-dated replacement certificates will be blocked from receiving boot-critical security updates and malware blacklist (DBX) updates. Organizations that have not yet applied KB5094126 from June 2026 Patch Tuesday should treat this as an urgent deadline — Microsoft’s Intune Autopatch console now provides a Secure Boot readiness report for fleet-wide remediation. Krebs on Security
GoFlateLoader Delivers Lumma, Vidar, and StealC to 33,000+ Victims Since April 2026
Gen Digital researchers documented GoFlateLoader, a Golang-based malware loader that uses deliberately oversized executables — typically 700 to 950 MB — to evade antivirus scanning size limits. The loader decodes and executes infostealer payloads in memory, delivering Lumma, Vidar, StealC, Amatera, and Remus. Distribution channels include fake cracked software sites and a malicious traffic distribution system. More than 33,000 unique users have been protected since April 2026, with Brazil, India, Argentina, Mexico, Turkey, and Spain among the most affected countries. Gen Digital
85% of Adults Can No Longer Distinguish Real from AI-Generated Content
A Malwarebytes survey published June 11 found that 85 percent of adults say they can no longer reliably distinguish real content from AI-generated material, up from 66 percent in 2025. Half of respondents reported encountering an AI-driven scam in the past year. Personalized scam messages, manipulated product reviews, AI-generated images, and voice impersonation were the most common experiences, highlighting the growing difficulty of social engineering detection for enterprise security awareness programs. Help Net Security
Stay tuned for today’s in-depth analysis posts.
