Canadian Cyber Security Journal

Cybersecurity Daily Brief — Tuesday, June 23, 2026

Here are today’s top cybersecurity stories for Tuesday, June 23, 2026.

LastPass Confirms Data Breach in Klue Supply Chain Attack
LastPass disclosed that attackers accessed customer data held in its Salesforce environment after stealing OAuth tokens in the Klue supply chain attack. The stolen data includes customer names, phone numbers, email addresses, physical addresses, and the contents of customer support interactions. LastPass says customer vaults were not affected. Other confirmed victims of the Klue breach now include Recorded Future, Tanium, Jamf, Sprout Social, Gong, and Insurity — all compromised via the same OAuth token theft by the Icarus extortion group.
BleepingComputer

Scattered Spider Members Plead Guilty Over Transport for London Cyberattack
Two members of the Scattered Spider cybercrime group — Thalha Jubair, 20, and Owen Flowers, 18 — pleaded guilty at a London court on the first day of their trial to charges under the UK Computer Misuse Act. The pair breached Transport for London’s network between August 31 and September 3, 2024, accessing Oyster refund system data and causing £39 million in losses and recovery costs. Sentencing is scheduled for July 16.
Krebs on Security

FortiBleed Campaign Used Custom Sniffer to Harvest 110 Million Credentials
New analysis reveals the FortiBleed operation deployed a Golang-based tool called FortigateSniffer that abuses FortiOS’s built-in packet capture functionality to harvest authentication traffic across 24 protocols — including Kerberos, RADIUS, NTLM, and LDAP — without deploying malware. Researchers estimate more than 430,000 FortiGate devices were targeted and over 110 million credentials harvested, with confirmed data exfiltration from a NATO-aligned defence contractor. Cracked hashes were managed via a Hashtopolis-orchestrated GPU cluster, with tooling comments written in Cyrillic.
BleepingComputer | Help Net Security

FFmpeg PixelSmash CVE-2026-8461: Critical RCE Flaw in Widely Used Video Library
A critical heap out-of-bounds write vulnerability in FFmpeg’s MagicYUV decoder, tracked as CVE-2026-8461 (CVSS 8.8), allows attackers to execute arbitrary code via a crafted AVI, MKV, or MOV file. Affected applications include Kodi, mpv, Jellyfin, Emby, Nextcloud, Immich, OBS Studio, and Linux desktop thumbnail generators. On unpatched Linux systems, browsing a folder containing a malicious video file can trigger the exploit. A patch is available in FFmpeg 8.1.2.
BleepingComputer

New Prinz Eugen Ransomware Prioritizes Recently Modified Files, Leaves No Ransom Note
A new ransomware operation named Prinz Eugen has emerged using a Go-based encryptor that targets the most recently modified files first to maximize business impact. Unlike most ransomware groups, Prinz Eugen does not operate under a ransomware-as-a-service model and leaves no ransom note, reducing its forensic footprint. Attackers gain initial access via stolen RDP credentials and use legitimate RMM tools in their post-exploitation workflow. At least five victims have been identified so far.
BleepingComputer

CISA KEV Deadline Today: Cisco SD-WAN, Chrome V8, and Arista EOS Flaws
Federal civilian agencies faced a June 23 remediation deadline for three vulnerabilities confirmed as actively exploited. CVE-2026-20245 affects Cisco Catalyst SD-WAN Manager, CVE-2026-11645 is an out-of-bounds read and write in Google Chrome V8, and CVE-2026-7473 affects Arista Extensible Operating System. Arista has stated it does not plan to patch CVE-2026-7473 due to the risk of breaking existing configurations and instead recommends ACL-based mitigations.
The Hacker News

libssh2 CVE-2026-55200: CVSS 9.2 Unauthenticated RCE via Crafted SSH Packets
A critical vulnerability in libssh2, tracked as CVE-2026-55200 (CVSS 9.2), allows unauthenticated remote attackers to achieve code execution by sending crafted SSH packets that trigger an integer overflow leading to a heap buffer overflow in the ssh2_transport_read() function. The flaw affects libssh2 versions 1.11.1 and earlier and is present in SSH clients, automation frameworks, and file transfer tools across enterprise and cloud environments. A patch is available on the project’s GitHub repository.
CyberSecurityNews

WhatsApp Phishing Campaign Delivers VBScript Loader That Installs RMM Backdoor
Kaspersky researchers documented an ongoing phishing campaign delivering obfuscated VBScript files via WhatsApp, disguised as business and financial documents sent from compromised contacts. Once executed, the script disables UAC protections via Registry modifications and installs a legitimate ManageEngine Endpoint Central RMM agent for persistent remote access. The campaign spans Brazil, India, Mexico, Singapore, the UK, Spain, Taiwan, and Australia, with infrastructure overlapping with ValleyRAT and Gh0st RAT activity.
BleepingComputer

Canada Wide Media Hit by TheGentlemen Ransomware
TheGentlemen ransomware group claimed an attack on Canada Wide Media, a Canadian independent media and publishing company, with the breach listed on June 23, 2026. TheGentlemen is the second most active ransomware group by victim count in 2026, with more than 240 claimed victims this year alone. The group targets internet-facing VPNs and firewalls for initial access and offers affiliates a 90/10 revenue split — above the industry-standard 80/20 — to attract experienced operators.
Ransomware.live

Stay tuned for today’s in-depth analysis posts.
