Here are today’s top cybersecurity stories for Thursday, June 25, 2026.
DOJ Seizes Huione Group Infrastructure Linked to $70 Billion in Crypto Crime Laundering
The U.S. Department of Justice seized backend cloud infrastructure used by subsidiaries of the Huione Group, a Cambodia-based conglomerate alleged to have processed more than $70 billion in cryptocurrency transactions tied to pig-butchering scams, North Korean cyber heists, and other fraud over five years. Chainalysis estimates the network accounted for over 20% of global crypto laundering activity. The DOJ seizure follows a Treasury FinCEN action from October 2025 that severed Huione from the U.S. financial system. U.S. Department of Justice
Google Releases Chrome 149 Security Update Fixing 18 Vulnerabilities Including Four Critical RCE Flaws
Google rolled out Chrome 149 version 149.0.7827.196/197 for Windows and macOS, patching 18 vulnerabilities including four critical and 14 high-severity bugs. More than half of the fixed issues are use-after-free flaws, which in Chrome can be chained with OS or privileged-process bugs to achieve sandbox escape. None of the patched vulnerabilities are reported as actively exploited. Users should update immediately. SecurityWeek
GitLab Patches 13 Vulnerabilities Including High-Severity XSS Flaws in CE and EE
GitLab released Community Edition and Enterprise Edition security updates addressing 13 vulnerabilities, including three high-severity bugs. CVE-2026-10086 is an XSS flaw in the GitLab EE Analytics dashboard that allowed an authenticated developer to execute arbitrary client-side code in other users’ sessions. CVE-2026-10712 is an unauthenticated XSS in the Web IDE workbench asset handler. Organizations running self-hosted GitLab instances should apply the update immediately. SecurityWeek
Adblock for YouTube Chrome Extension With 10M+ Installs Has Dormant Arbitrary JavaScript Injection Capability
Island security researchers disclosed that “Adblock for YouTube,” a Chrome extension with more than 10 million installs and a Featured badge on the Chrome Web Store, contains architectural capability to execute arbitrary JavaScript on any website via a server-side configuration change — no extension update required. The capability has been present since February 2025 and is currently dormant with no evidence of active exploitation, but prior extensions by the same developer were removed from the store for malware. The Hacker News
CISA Adds Lantronix EDS5000 CVE-2025-67038 to KEV Catalog — June 26 Federal Patch Deadline
CISA added CVE-2025-67038, a CVSS 9.8 code injection flaw in the Lantronix EDS5000 serial-to-IP device server, to the Known Exploited Vulnerabilities catalog with a June 26 federal patch deadline. Exploitation allows unauthenticated root command execution. The EDS5000 bridges legacy serial OT equipment to IP networks, making exploitation a direct path into industrial control environments. Firmware version 2.2.0.0R1 contains the fix. The Hacker News
NIST Opens Updated IoT Security Guidance SP 800-213 Rev.1 to Public Comment Through August 24
NIST published the initial public draft of SP 800-213 Revision 1, “IoT Product Cybersecurity Guidelines for the Federal Government,” opening it to public feedback through August 24, 2026. The update shifts language from “devices” to “products” and provides updated cybersecurity requirements for federal IoT deployments. SecurityWeek
Microsoft Quietly Extends Free Windows 10 ESU to October 2027
Microsoft updated its Windows 10 Extended Security Updates documentation on June 25 to extend the free consumer ESU program by one year, from October 2026 to October 12, 2027. The change was made without a formal announcement. Devices already enrolled continue receiving security updates automatically. BleepingComputer
Secure Boot Certificate Enforcement Deadline Arrives Tomorrow — June 26, 2026
The Microsoft Corporation KEK CA 2011 certificate expires June 24, and Windows systems that have not received the 2023 replacement certificates will permanently lose access to DBX revocation list updates after June 26, degrading Secure Boot protection without triggering boot failures. Enterprise teams should verify compliance through Intune Autopatch or the Windows Security app Device security view before end of day today. Microsoft Support
Stay tuned for today’s in-depth analysis posts.
