Microsoft Confirms RoguePlanet Defender Zero-Day, Says Patch is in Development
Microsoft formally acknowledged RoguePlanet, a Defender zero-day now tracked as CVE-2026-50656 with a CVSS score of 7.8, and confirmed it is working on a fix for the privilege escalation flaw in the Microsoft Malware Protection Engine. The acknowledgement came nearly a week after a researcher going by Chaotic Eclipse released a working exploit. The exploit relies on a race condition that yields a SYSTEM-level shell; as is typical for race conditions, the researcher notes it works reliably on some machines and struggles on others, and testing reportedly confirmed it succeeds on fully patched Windows 11 and Windows 10 systems. RoguePlanet is the fourth Defender flaw disclosed by this researcher in recent months, following BlueHammer, UnDefend, and RedSun, all part of an ongoing pattern of uncoordinated disclosures the researcher has framed as retaliation for a breakdown in communication with Microsoft's vulnerability disclosure process. Until a fix ships, the exposure is that of any local privilege escalation: an attacker who already runs code as a standard user on an affected host can use it to become SYSTEM, so the flaw matters most as a second stage after initial access rather than as a remote entry point.
Kodak Confirms Data Breach Claimed by ShinyHunters Extortion Gang
Kodak confirmed it is working with external cybersecurity experts to investigate a security breach in which hackers gained access to company data. The confirmation follows ShinyHunters' claim on its dark web leak site that it stole more than 2.2 million records containing customer PII and internal corporate data. The extortion group set a final deadline of June 18 for Kodak to make contact, after which it says the stolen data will be leaked alongside what the group called "several annoying digital problems." Kodak said it is working with law enforcement and is confident there is currently no threat to its systems or operations, though the company has not yet independently attributed the breach to ShinyHunters.
FortiBleed Campaign Compiles 30,000 Working Fortinet Credentials From Old Leaks
Security researchers at Hudson Rock and SOCRadar uncovered a sweeping campaign dubbed FortiBleed in which suspected Russian-speaking threat actors compiled a database of more than 30,000 verified working credentials for Fortinet firewalls and VPN gateways across 194 countries; Hudson Rock estimates the true number of affected devices is closer to 73,000. The attackers exploited no new vulnerability. They relied on previously leaked Fortinet credentials that many organizations never rotated, scanned the internet for exposed devices, and then used the firewalls they got into as listening posts to harvest further passwords from passing traffic, feeding the next round of logins in a self-sustaining cycle. Affected organizations reportedly include Accenture, Comcast, Foxconn, Lenovo, Oracle, Samsung, Siemens, and PwC. Fortinet has acknowledged the campaign but characterizes it as a resharing of previously breached credentials combined with brute-forcing rather than a new incident. Either way, anyone running Fortinet firewalls should immediately rotate all administrative and VPN credentials and enable multi-factor authentication. One caveat follows from how the campaign sustains itself: a firewall that is already acting as a listening post will capture the new credentials as soon as they are used, so rotation should be paired with a check of the device itself (unexpected admin accounts, configuration changes, or logins from unfamiliar sources) rather than treated as sufficient on its own.
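The credential-reuse pattern described above shows up in VPN authentication logs as one source working through many accounts and then succeeding on the one whose leaked password was never rotated. The following is an added example, not from the original article and not Fortinet or Hudson Rock tooling, of detecting that pattern. The log lines are constructed in the key=value style FortiGate emits for VPN events; the field names relied on (`action`, `user`, `remip`) are an assumption to check against your own syslog feed.

```python
"""Credential-stuffing detection over FortiGate-style SSL-VPN event logs.

Added example, not from the original article and not Fortinet or Hudson Rock
tooling. The log lines are constructed in the key=value style FortiGate
emits for type="event" subtype="vpn"; the field names used here
(action, user, remip) are an assumption to verify against your own feed.
"""
import re
from collections import defaultdict

# Constructed sample: 203.0.113.7 sprays four accounts and then lands a
# tunnel on the one whose leaked password still works; 198.51.100.9 is a
# legitimate user who mistyped once and then logged in normally.
SAMPLE_LOGS = """\
date=2026-06-12 time=08:01:02 type="event" subtype="vpn" action="ssl-login-fail" user="jsmith" remip=203.0.113.7 reason="sslvpn_login_unknown_user"
date=2026-06-12 time=08:01:03 type="event" subtype="vpn" action="ssl-login-fail" user="admin" remip=203.0.113.7 reason="sslvpn_login_permission_denied"
date=2026-06-12 time=08:01:05 type="event" subtype="vpn" action="ssl-login-fail" user="vpnuser" remip=203.0.113.7 reason="sslvpn_login_permission_denied"
date=2026-06-12 time=08:01:06 type="event" subtype="vpn" action="ssl-login-fail" user="backup" remip=203.0.113.7 reason="sslvpn_login_unknown_user"
date=2026-06-12 time=08:01:09 type="event" subtype="vpn" action="tunnel-up" user="vpnuser" remip=203.0.113.7 tunnelid=1
date=2026-06-12 time=08:15:00 type="event" subtype="vpn" action="ssl-login-fail" user="alice" remip=198.51.100.9 reason="sslvpn_login_permission_denied"
date=2026-06-12 time=08:15:20 type="event" subtype="vpn" action="tunnel-up" user="alice" remip=198.51.100.9 tunnelid=2
"""

# key=value pairs; values are either double-quoted strings or bare tokens.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line):
    """Turn one key=value log line into a dict, stripping surrounding quotes."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}


def parse_logs(text):
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def find_credential_stuffing(events, min_failures=3, min_accounts=3):
    """Return {remip: [reasons]} for sources that look like credential stuffing.

    Two signals, evaluated in log order so a successful login only counts
    when it came *after* the failures from the same source:
      * one source trying at least `min_accounts` distinct usernames;
      * a tunnel coming up from a source that already had at least
        `min_failures` failed logins (a leaked password that still works).
    """
    failed_users = defaultdict(list)        # remip -> usernames that failed
    success_after_fail = defaultdict(set)   # remip -> usernames that then succeeded
    for ev in events:
        if ev.get("type") != "event" or ev.get("subtype") != "vpn":
            continue
        ip, user = ev.get("remip"), ev.get("user")
        if ev.get("action") == "ssl-login-fail":
            failed_users[ip].append(user)
        elif ev.get("action") == "tunnel-up" and len(failed_users.get(ip, [])) >= min_failures:
            success_after_fail[ip].add(user)

    findings = {}
    for ip, users in failed_users.items():
        reasons = []
        distinct = set(users)
        if len(distinct) >= min_accounts:
            reasons.append(f"{len(distinct)} distinct accounts tried in {len(users)} attempts")
        if success_after_fail.get(ip):
            reasons.append("successful login after failures for: "
                           + ", ".join(sorted(success_after_fail[ip])))
        if reasons:
            findings[ip] = reasons
    return findings


if __name__ == "__main__":
    for ip, reasons in find_credential_stuffing(parse_logs(SAMPLE_LOGS)).items():
        print(ip)
        for reason in reasons:
            print("  -", reason)
```

The second signal is the one worth paging on: a source that fails repeatedly and then gets a tunnel is, in the FortiBleed scenario, a leaked credential that was never rotated, and the account it landed on is the one to reset and review first. The thresholds are deliberately low for the sample; on a busy gateway, raise them and key the counters on a sliding time window rather than on the whole log.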
Sensitive Enterprise Data Uploads to AI Models Double in a Year
Zscaler's 2026 AI Threat Report found a 93% year-over-year increase in employees attempting to upload sensitive enterprise data to AI assistants and applications, with more than half of those transfers coming from just two popular AI tools. The surge reflects how quickly generative AI tools have embedded themselves into everyday workflows, often outpacing the data governance and monitoring controls organizations have in place to track where sensitive information goes once it leaves managed systems. The findings reinforce a theme security teams are grappling with this year: shadow AI use is no longer an edge case but a default behavior, and organizations without visibility into AI tool usage are effectively blind to a fast-growing category of data loss.
GitBait Phishing Campaign Abuses GitHub Pages to Attack Financial Institutions
Group-IB identified a phishing campaign called GitBait that has been quietly running for over three years, targeting at least 24 financial institutions in Mexico. The operators host fake banking portals on GitHub Pages and route stolen credentials through SheetBest, a legitimate API that writes submitted data directly into attacker-controlled Google Sheets. The fully serverless design leaves no traditional command-and-control infrastructure for defenders to track or seize, while GitHub Pages' trusted reputation and default HTTPS coverage let the phishing pages slip past most automated security tools and blocklists. Group-IB has reported the more than 100 GitHub-hosted domains it identified as tied to the campaign. Financial institutions are urged to monitor for repositories impersonating their brand and to watch for unexpected outbound traffic to the SheetBest API from customer-facing sessions. Because the credentials travel from the victim's browser straight to SheetBest, that exfiltration never touches the bank's own infrastructure; it is visible to whoever controls the victim's egress (an enterprise proxy, for instance), which is where the SheetBest traffic check belongs.
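The two detection points named above, a brand lookalike on a GitHub Pages hostname and a write to the SheetBest API from the same client shortly afterwards, can be correlated in ordinary web-proxy logs. The following is an added example, not from the original article and not Group-IB tooling. The proxy lines are constructed, the brand keyword is made up, and the SheetBest API hostname (`api.sheetbest.com`) is an assumption to verify before deploying.

```python
"""Flag GitBait-style activity in web-proxy logs.

Added example, not from the original article and not Group-IB tooling.
The proxy lines are constructed (timestamp client method url status), the
brand keyword is made up, and the SheetBest API hostname (api.sheetbest.com)
is an assumption to verify before deploying.
"""
import re
from datetime import datetime
from urllib.parse import urlsplit

BRAND_KEYWORDS = ["bancoejemplo"]           # constructed: the brands you protect
SHEETBEST_HOSTS = {"api.sheetbest.com"}     # assumed exfil endpoint

# Constructed sample: 10.0.0.5 opens a lookalike Pages site and, seconds later,
# its browser POSTs the captured form to SheetBest. 10.0.0.9 visits the real
# bank, an unrelated Pages site, and makes a SheetBest write on its own.
SAMPLE_PROXY_LOG = """\
2026-06-12T09:00:07Z 10.0.0.5 GET https://bancoejemplo-acceso.github.io/login/ 200
2026-06-12T09:00:19Z 10.0.0.5 POST https://api.sheetbest.com/sheets/1a2b3c4d-0000-4000-8000-000000000000 200
2026-06-12T09:01:02Z 10.0.0.9 GET https://www.bancoejemplo.com/ 200
2026-06-12T09:02:40Z 10.0.0.9 GET https://someuser.github.io/portfolio/ 200
2026-06-12T09:30:00Z 10.0.0.9 POST https://api.sheetbest.com/sheets/deadbeef-0000-4000-8000-000000000000 200
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")


def parse_proxy_log(text):
    """Parse the constructed 'timestamp client method url status' layout."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, client, method, url, status = m.groups()
        rows.append({
            "ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
            "client": client,
            "method": method.upper(),
            "url": url,
            "host": (urlsplit(url).hostname or "").lower(),
            "status": int(status),
        })
    return rows


def is_brand_lookalike_pages(host, brands=BRAND_KEYWORDS):
    """True for a *.github.io host whose name carries one of our brand keywords."""
    return host.endswith(".github.io") and any(b in host for b in brands)


def is_sheetbest_write(row):
    """A POST/PUT/PATCH to the SheetBest API: a row being appended to a sheet."""
    return row["host"] in SHEETBEST_HOSTS and row["method"] in {"POST", "PUT", "PATCH"}


def sheetbest_writes(rows):
    """Low-confidence signal on its own: SheetBest is a legitimate service."""
    return [r for r in rows if is_sheetbest_write(r)]


def correlate(rows, brands=BRAND_KEYWORDS, window_seconds=300):
    """High-confidence signal: the same client writes to SheetBest within
    `window_seconds` of loading a brand-lookalike GitHub Pages site."""
    last_lookalike = {}   # client -> (timestamp, host) of most recent lookalike hit
    alerts = []
    for row in sorted(rows, key=lambda r: r["ts"]):
        if is_brand_lookalike_pages(row["host"], brands):
            last_lookalike[row["client"]] = (row["ts"], row["host"])
        elif is_sheetbest_write(row) and row["client"] in last_lookalike:
            seen_at, host = last_lookalike[row["client"]]
            if (row["ts"] - seen_at).total_seconds() <= window_seconds:
                alerts.append({"client": row["client"], "phish_host": host,
                               "exfil_url": row["url"], "ts": row["ts"].isoformat()})
    return alerts


if __name__ == "__main__":
    rows = parse_proxy_log(SAMPLE_PROXY_LOG)
    for alert in correlate(rows):
        print("ALERT", alert)
    for r in sheetbest_writes(rows):
        print("sheetbest write", r["client"], r["url"])
```

The split between `sheetbest_writes` and `correlate` is deliberate: SheetBest has legitimate users, so a bare write is only worth a log entry, while a write that follows a visit to a brand-lookalike `*.github.io` host from the same client is the GitBait sequence itself. The lookalike hostnames that fire are also the ones to hand to GitHub for takedown.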