F5 Patches Two Critical NGINX Open Source Flaws Enabling Remote Code Execution
F5 released out-of-band security updates for two critical NGINX vulnerabilities — CVE-2026-42530 (CVSS 9.2), a use-after-free flaw in the HTTP/3 QUIC module, and CVE-2026-42055 (CVSS 9.2), a heap-based buffer overflow in the HTTP/2 proxy and gRPC modules — both exploitable by unauthenticated remote attackers under non-default but common configurations. Exploitation can crash NGINX worker processes and, on systems where ASLR is disabled or can be bypassed, may lead to arbitrary code execution. The patches cover NGINX Plus, NGINX Open Source, NGINX Gateway Fabric, and NGINX Instance Manager. The fixes come just weeks after CVE-2026-42945 (NGINX Rift) was actively exploited in the wild, continuing a pattern of high-severity NGINX flaws coming under rapid weaponization — teams should apply the patches immediately or implement the documented mitigations for HTTP/3 and HTTP/2 proxy configurations.
Law Enforcement Nukes SocGholish Malware From Nearly 15,000 Sites
An international coalition including the Dutch National Police, FBI, RCMP, and Germany’s BKA took down 106 servers and domains linked to SocGholish and cleaned malware and backdoors from 14,971 compromised WordPress websites as part of the latest phase of Operation Endgame. SocGholish, operated by TA569 and associated with Evil Corp, has been active since 2017, infecting legitimate websites with obfuscated JavaScript that delivers fake browser update prompts to unsuspecting visitors — a technique that has been used to drop ransomware, infostealers, and remote access tools against enterprise targets globally. Dutch authorities noted this action marks “the beginning of further action against SocGholish,” suggesting the takedown is the opening move in a broader sustained campaign rather than a one-off disruption.
Klue Breach Led to Salesforce Data Theft Hitting Huntress and Other Customers
Cybersecurity vendor Huntress disclosed it was among multiple companies hit by a breach originating at Klue, a market intelligence platform, after attackers accessed Klue’s backend on June 11 using a long-dormant API credential from an abandoned integration prototype and pushed a malicious code update to harvest OAuth tokens connecting Klue to services including Salesforce, HubSpot, SharePoint, Zoom, Gong, Chorus, Clari, Google Drive, and Slack. Salesforce separately confirmed it disabled the Klue Battlecards app integration after detecting unusual activity, noting the issue was limited to the app’s connection and not a Salesforce platform vulnerability. The extortion group Icarus, active since late April 2026, has claimed responsibility. The incident illustrates the growing risk of third-party SaaS integrations as a supply chain attack vector — each OAuth connection a sales or marketing tool holds to core business platforms is a potential pivot point into those environments.
ShinyHunters Expands Leak Operation, Promises Stolen Data Will Remain Online “Until the End of Time”
ShinyHunters announced a major infrastructure expansion of its leak operation this week, rolling out new mirrors and torrent downloads for all stolen datasets and vowing the data will remain publicly accessible indefinitely — a direct counter to law enforcement seizure attempts that have repeatedly taken down their hosting. New research from Cato Networks published alongside the announcement describes how ShinyHunters has evolved from a single hacking crew into a resilient cybercrime brand that survives arrests, forum seizures, and operator turnover by operating as a distributed franchise model rather than a centralized group. The expansion comes as the group continues an unprecedented 2026 campaign that has already claimed the European Commission, Council of Europe, Carnival, Kodak, 7-Eleven, Canvas, Grafana, and dozens of other organizations, with the infrastructure upgrade signaling a deliberate effort to make future takedown attempts structurally harder.
Accenture announced it is taking a majority stake in Dragos — valuing the OT security firm at $3.25 billion — and fully acquiring asset discovery platform runZero and firmware intelligence company NetRise, in a combined deal valued at roughly $4.1 billion that represents one of the largest ever investments in industrial cybersecurity. The three companies together are projected to deliver approximately $208 million in ARR as of June 2026, a 53% year-over-year increase, with Accenture framing the acquisitions as a unified answer to the growing convergence of IT, OT, IoT, and medical device security across critical infrastructure. The deal echoes ServiceNow’s $7.75 billion acquisition of Armis earlier this year and signals that professional services giants are positioning aggressively to own the OT security market as critical infrastructure operators face escalating nation-state threats — runZero founder HD Moore, creator of Metasploit, and Dragos CEO Robert Lee, a former Air Force cyber warfare officer, are both expected to remain with the combined entity post-acquisition.