
# June 2026 Cybersecurity Review: Top Cyber Attacks, Data Breaches & Critical Vulnerabilities
If June 2026 demonstrated one thing clearly, it is that the security industry's patch triage problem is no longer manageable using traditional quarterly cycles. In a single week — the second week of June alone — security teams faced a record-breaking 200-vulnerability Microsoft Patch Tuesday, a new unpatched Windows Defender zero-day dropped hours after those patches landed, a publicly exploited ServiceNow API breach with a four-day notification delay, a fifth actively exploited Chrome zero-day of the year, and a new wave of Shai-Hulud supply chain attacks hitting 100+ packages across npm and PyPI. In this guide, you'll get a verified, source-cited breakdown of every major cybersecurity incident from June 2026 — what happened, what was exposed, what patches exist, and what your team should be doing right now.
## Key Takeaways
- June 2026 was the most patch-dense month in Microsoft's history — 200 vulnerabilities addressed in a single Patch Tuesday, including 33 Critical flaws and six zero-days, five of which were publicly disclosed before a fix existed.
- RoguePlanet — a new Microsoft Defender TOCTOU zero-day — was published by researcher Nightmare Eclipse within hours of Patch Tuesday, confirmed working on fully patched Windows 10 and Windows 11, with no patch available as of June 11, 2026.
- ServiceNow's API breach exposed enterprise customer data through an unauthenticated REST endpoint for days before a patch was applied silently — a four-day gap between remediation and customer notification has raised serious enterprise transparency concerns.
- The Shai-Hulud supply chain worm entered a new escalation phase in June, with copycat campaigns compromising 100+ npm and PyPI packages after TeamPCP open-sourced the worm code in May, including a full compromise of @redhat-cloud-services npm packages.
- Google patched its fifth actively exploited Chrome zero-day of 2026 — bringing Chrome's cumulative 2026 zero-day count to a level that makes browser patch cadence a direct operational security requirement, not a routine maintenance activity.
- France's Tchap government messaging platform was breached through a single compromised account, exposing over 650,000 messages and 73,000 user accounts — a reminder that centralized government communication infrastructure is a high-value, single-point-of-failure target.
- The month's cumulative patch burden and zero-day density illustrate the structural gap in enterprise security programs between policy-driven patch cycles and the real-world pace at which public exploits are being weaponized.
## June 2026 in Numbers
June 2026 delivered a convergence of vulnerability volume and real-world exploitation that defines why continuous exposure monitoring has become a baseline security requirement for organizations of any size. The month's statistics contextualize the operational pressure security teams are operating under.
- Microsoft's June 2026 Patch Tuesday addressed 200 vulnerabilities — the largest single-month patch release in the company's history, a record that held for less than two hours before a new, unpatched zero-day was publicly disclosed. Source: BleepingComputer, June 10, 2026.
- Google addressed its fifth actively exploited Chrome zero-day of 2026 — a milestone that, in prior years, represented an entire year's worth of browser zero-day exploitation. Source: Security Affairs, June 2026.
- The Shai-Hulud supply chain worm, first observed in September 2025, escalated to compromise over 100 npm and PyPI packages in June alone, following the public release of the worm's source code by its original authors. Source: SecurityWeek, June 2026.
- Automated malicious reconnaissance continues to accelerate: 36,000 malicious scans per second are being conducted globally, a 16.7% year-over-year increase. Source: Fortinet FortiGuard Labs, 2026.
- Some threat actor groups now break into networks and begin lateral movement in under 30 seconds. Source: ACI Learning, 2026.
For security teams that want to understand their own externally visible exposure before attackers map it for them, the vulnerability research coverage on this platform provides ongoing analysis of newly disclosed CVEs and their real-world exploitation patterns. The ReconShield vulnerability database offers a continuously updated reference for CVEs affecting internet-facing infrastructure.
## Critical Vulnerabilities Disclosed in June 2026
### Microsoft Patch Tuesday: 200 Fixes, Six Zero-Days, Record Scale
Microsoft's June 10, 2026 Patch Tuesday was the largest single-month security update in the company's history, addressing 200 vulnerabilities — 33 classified Critical, 28 of which are remote code execution flaws — and patching six zero-day vulnerabilities. Of the six zero-days, five were publicly disclosed before Microsoft's fixes were available, meaning organizations running unpatched systems had exposure to publicly known attack paths for an undisclosed window before the June 10 update.
The most significant individual fixes addressed the GreenPlasma and YellowKey zero-days — both credited to the researcher known as Nightmare Eclipse. CVE-2026-45586 (GreenPlasma) is a Windows Collaborative Translation Framework (CTFMON) elevation of privilege vulnerability that allows a local attacker to escalate to SYSTEM privileges through improper link resolution before file access. YellowKey is a separate Windows elevation of privilege flaw that was also fixed in the same update. Both are part of a series of Windows vulnerabilities disclosed by Nightmare Eclipse — also including BlueHammer, RedSun, and UnDefend — published as part of an ongoing public dispute with Microsoft over how the company handles vulnerability disclosure, researcher attribution, and platform-level responses to security research.
In addition to Microsoft's own 200 fixes, Google resolved 360 Microsoft Edge/Chromium security flaws during the same period — a figure excluded from Microsoft's official Patch Tuesday count. The combined June 2026 patch burden across Windows, Edge, and Chromium represents one of the most operationally demanding update deployments enterprise patch management teams have ever faced.
### RoguePlanet: Unpatched Microsoft Defender Zero-Day Drops Post-Patch Tuesday
RoguePlanet is an unpatched Microsoft Defender zero-day vulnerability — disclosed on June 10, 2026 by Nightmare Eclipse, hours after Microsoft's record Patch Tuesday — that exploits a Time-of-Check to Time-of-Use (TOCTOU) race condition in Microsoft Defender's internal file processing logic, allowing a local attacker to spawn a command shell with SYSTEM-level privileges on fully patched Windows 10 and Windows 11 systems. As of June 11, 2026, no patch exists — and independent researchers at BleepingComputer and ThreatLocker have confirmed the proof-of-concept works on systems with the June 2026 cumulative update (KB5094126) installed.
The exploit mechanism targets a brief timing window between when Microsoft Defender verifies a file path and when it executes an action on it — a classic TOCTOU vulnerability class. Nightmare Eclipse acknowledged that success rates vary between machines given the race condition's timing dependency, reporting near-100% success rates on some configurations and lower reliability on others. The PoC was initially posted to GitHub and GitLab, both of which removed the repositories; it is currently hosted on the researcher's self-managed git server.
RoguePlanet arrives as the latest escalation in a months-long public confrontation between Nightmare Eclipse and Microsoft. The researcher's prior disclosures — BlueHammer, RedSun, UnDefend, GreenPlasma, YellowKey — created a pattern of full public disclosure timed to coincide with or immediately follow Microsoft's Patch Tuesday releases. The cybersecurity industry's broader debate over coordinated disclosure, researcher-platform relationships, and the ethics of full public exploit release is now playing out in real time against Microsoft's largest-ever monthly vulnerability load. Monitoring your external exposure posture and understanding which services are internet-facing is foundational to managing risk from local privilege escalation chains — the attack surface management guide provides a structured methodology for continuous external asset visibility.
### ServiceNow API Breach: Unauthenticated Access Exposes Enterprise Customer Data
ServiceNow disclosed on June 9, 2026, that attackers exploited an unauthenticated access flaw in a Scripted REST API endpoint — /api/now/related_edit_list/create — to query enterprise customer instance data without valid credentials, in what is the third significant authentication-related vulnerability at ServiceNow within eight months and the first where attackers reached customer data before a patch was applied. The breach follows a pattern of API authentication failures that has become the defining attack class in enterprise SaaS platforms in 2026.
The root cause was a requires_authentication=false configuration in the endpoint's Scripted REST resource — meaning the endpoint accepted completely unauthenticated HTTP requests and allowed callers to query instance table data directly. ServiceNow's own platform stores some of the most sensitive enterprise data in existence: IT support tickets containing internal infrastructure details and credentials, security incident records with investigation notes, employee data, asset inventories, API tokens, and workflow secrets. For a subset of customers, ServiceNow confirmed that attackers executed successful queries against these tables.
The timeline raises significant disclosure transparency concerns. According to reporting from BleepingComputer and Techtimes — sourced from community reporting and a Reddit post attributed to a security professional — ServiceNow may have been internally aware of the underlying issue as early as April 7, 2026. The security update was applied silently to hosted customer instances on June 5. Customers were not notified until June 9 — a four-day gap between remediation and notification that is generating significant concern in regulated industries where breach notification timelines are legally mandated. As of June 10, ServiceNow updated its position to suggest the activity may have been tied to security researchers or bug bounty submissions rather than malicious actors — though the company acknowledged a bug bounty submission describing a similar issue was received April 22 and no patch was applied until June 5. The IOC for this incident is confirmed API activity targeting /api/now/related_list_edit from IP address 51.159.98.241 and entries attributed to the Guest user account. Organizations should review ServiceNow transaction and node logs for activity around June 2–3, rotate any credentials or API tokens stored in affected support workflows, and audit Scripted REST API resources for authentication configuration. Understanding how unauthenticated API access creates enterprise exposure is directly related to domain and endpoint ownership verification — any public-facing API endpoint without verified authentication controls represents exploitable attack surface.
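The two checks this section (and the ServiceNow item in the priority list further down) asks for, flagging Scripted REST resources that carry requires_authentication=false and sweeping logs for the published indicators, as an added Python example that is not part of the original review and is not ServiceNow tooling. The resource export columns and the key=value log layout are constructed for the example and are not ServiceNow's real field or log formats; the IP address, the Guest account and the review window come from the text above, and because the page gives the endpoint path in two spellings both are kept in the watch list rather than guessing which is correct.

```python
import csv
import io
import re

# Indicators as published above. The review gives the endpoint path in two
# spellings, so both are watched rather than guessing which one is correct.
IOC_IP = "51.159.98.241"
IOC_PATHS = ("/api/now/related_list_edit", "/api/now/related_edit_list/create")
IOC_USER = "guest"
REVIEW_WINDOW = ("2026-06-02", "2026-06-03")  # inclusive date range from the text

# Constructed export of Scripted REST resource records. Column names are an
# assumption for this example, not ServiceNow's real field names.
RESOURCE_EXPORT = """\
api_name,resource_path,requires_authentication,requires_acl
incident_api,/api/x_acme/incident/list,true,true
related_edit,/api/now/related_edit_list/create,false,true
health,/api/x_acme/health,false,false
"""

# Constructed log lines in a simplified key=value layout, not the real
# ServiceNow transaction or node log format.
LOG_LINES = [
    "2026-06-02T03:14:07Z src=51.159.98.241 user=guest method=POST path=/api/now/related_list_edit status=200",
    "2026-06-02T03:14:09Z src=10.20.0.5 user=svc_itsm method=GET path=/api/now/table/incident status=200",
    "2026-06-03T11:02:44Z src=198.51.100.7 user=guest method=POST path=/api/now/related_edit_list/create status=200",
    "2026-06-03T11:05:00Z src=10.20.0.9 user=admin method=GET path=/api/now/related_edit_list/create status=200",
    "2026-06-20T09:00:00Z src=198.51.100.7 user=guest method=POST path=/api/now/related_list_edit status=200",
]

KV = re.compile(r"(\w+)=(\S+)")


def audit_scripted_rest(export_csv: str) -> dict:
    """Split resources that accept unauthenticated calls into two buckets:
    those still behind ACLs and those with no access control at all."""
    with_acl, no_acl = [], []
    for row in csv.DictReader(io.StringIO(export_csv)):
        if row["requires_authentication"].strip().lower() != "false":
            continue
        bucket = with_acl if row["requires_acl"].strip().lower() == "true" else no_acl
        bucket.append(row["resource_path"])
    return {"unauthenticated": with_acl, "unauthenticated_no_acl": no_acl}


def find_ioc_hits(lines, window=REVIEW_WINDOW) -> list:
    """Return (src, user, path, reasons) for lines inside the review window that
    touch a watched path from the published IP and/or the Guest account."""
    hits = []
    for line in lines:
        day = line.split(" ", 1)[0][:10]  # ISO timestamp prefix -> YYYY-MM-DD
        if not (window[0] <= day <= window[1]):
            continue
        fields = dict(KV.findall(line))
        if fields.get("path") not in IOC_PATHS:
            continue
        reasons = []
        if fields.get("src") == IOC_IP:
            reasons.append("ioc_ip")
        if fields.get("user", "").lower() == IOC_USER:
            reasons.append("guest_user")
        if reasons:
            hits.append((fields.get("src"), fields.get("user"), fields["path"], reasons))
    return hits


if __name__ == "__main__":
    print(audit_scripted_rest(RESOURCE_EXPORT))
    for hit in find_ioc_hits(LOG_LINES):
        print(hit)
```

The audit separates unauthenticated resources that still sit behind ACLs from those with no control at all, since the latter expose table data outright; the log sweep records why each line was selected so an analyst can triage Guest-attributed hits from other addresses separately from the published IP. Against a real instance, replace the constructed export and log format with your own table exports and adjust the column mapping.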
### SAP NetWeaver and Commerce Cloud: Four Critical Flaws in June Patch Day
SAP's June 2026 Security Patch Day addressed 15 vulnerabilities, including four critical-severity flaws affecting SAP NetWeaver and SAP Commerce Cloud — two of the most widely deployed enterprise software platforms in global business operations. SAP NetWeaver in particular has been a recurring high-value target: CVE-2025-31324, a critical zero-day that allowed web shell uploads across hundreds of SAP NetWeaver instances, was actively exploited in April 2025 and added critical urgency to SAP patch discipline for enterprise security teams. Organizations with SAP deployments should treat these critical patches as same-day remediation requirements given the demonstrated attacker interest in SAP infrastructure.
### Check Point VPN Authentication Bypass: CVE-2026-50751
Check Point's Remote Access VPN and Mobile Access deployments using the deprecated IKEv1 key exchange protocol are vulnerable to CVE-2026-50751 — a logic flaw in certificate validation that allows an attacker to establish a fully authenticated VPN session without possessing a valid password. Check Point issued patches and confirmed the vulnerability has been exploited against several dozen organizations globally, with at least one incident attributed to a Qilin ransomware affiliate. The attack removes the password requirement entirely by exploiting the certificate validation logic gap, creating a direct authentication bypass for any VPN deployment still using IKEv1. Organizations should apply Check Point's patches immediately and audit VPN configurations for any remaining IKEv1 usage — this protocol has known security weaknesses that extend well beyond this specific CVE.
### Chrome Zero-Day #5 of 2026: CVE-2026-11645
Google patched its fifth actively exploited Chrome zero-day of 2026 — CVE-2026-11645, a high-severity out-of-bounds memory vulnerability — in an emergency security update on June 10, 2026, bundled with 73 additional vulnerability fixes. The pace of Chrome zero-day exploitation in 2026 — five confirmed in-the-wild exploits in under six months — confirms that browser security must be treated as a continuous patching requirement rather than a scheduled maintenance activity. Organizations that permit users to run unpatched browser versions are accepting ongoing exposure to known, weaponized vulnerabilities. Auto-update policies for Chrome should be verified as enforced, not assumed.
### OpenSSL 18-Vulnerability Patch — and a Notable AI Discovery
OpenSSL's June 2026 security release patched 18 vulnerabilities, including CVE-2026-45447 — a high-severity use-after-free vulnerability in the PKCS#7 verification process — with a notable annotation in the disclosure: the vulnerability was discovered with assistance from Anthropic's Claude AI. This marks one of the first publicly documented instances of an AI model contributing to the discovery of a high-severity vulnerability in a foundational cryptographic library. The disclosure aligns with growing evidence that AI-assisted vulnerability research is accelerating the speed at which security flaws in widely used open-source software are being surfaced — by both defenders and, increasingly, by attackers running the same tooling on the same codebases. All systems using OpenSSL should apply the June update and verify that patched versions are running in production.
## Notable Data Breaches of June 2026
### France Tchap: Single Compromised Account, 650,000 Exposed Messages
France's Tchap government messaging platform — a centralized secure communication service for French public officials — was breached through a single compromised account, exposing over 650,000 messages and information relating to more than 73,000 user accounts. The incident demonstrates with precision how centralized enterprise communication infrastructure presents a disproportionate risk-to-access ratio: one set of compromised credentials translates directly into a mass data exposure affecting tens of thousands of users across an entire government ecosystem.
The Tchap breach underscores a consistent architectural risk pattern in secure messaging platforms and collaboration tools: the same centralization that makes them operationally efficient makes them catastrophically vulnerable to credential compromise. Identity and access management hygiene — including phishing-resistant MFA, hardware tokens for high-value accounts, and strict principle of least privilege — is the direct mitigation. Understanding IOC analysis and threat intelligence fundamentals is essential for security teams responding to credential-based intrusions of this type.
### TVING South Korean Streaming Service Data Leak
TVING, a South Korean video-on-demand streaming provider, confirmed on June 3, 2026 that personal user data was exposed through unauthorized external access, compromising user IDs, names, birthdates, phone numbers, email addresses, hashed passwords, and refund account numbers. The full scope of affected records remains under investigation. The incident adds to a running pattern of entertainment and media platform breaches throughout 2026 that reflect the sector's consistently high data collection volumes and frequently under-resourced security posture relative to the sensitivity of the data they hold.
## Shai-Hulud: The Supply Chain Worm That Became an Open-Source Weapon
The June 2026 escalation of the Shai-Hulud supply chain worm represents a structural shift in the software supply chain threat landscape — from targeted criminal campaigns to democratized, open-source attack tooling available to any threat actor willing to deploy it. When TeamPCP published the full Shai-Hulud source code to GitHub on May 12, 2026, alongside posts on BreachForums encouraging others to run their own campaigns, the supply chain attack surface effectively expanded from one organized threat actor to an unlimited number of copycat operators within days.
The June 1, 2026 compromise of the @redhat-cloud-services npm namespace is the most technically significant single incident in the June wave. The attacker compromised 32 packages across 96 versions — collectively downloaded 116,991 times per week — by breaching the CI/CD pipeline through GitHub Actions OIDC rather than an npm token. This vector matters: it means the attack bypassed code review entirely, injecting the Miasma payload into packages that passed all standard review gates. The stolen data payload targets CI/CD secrets, cloud credentials across AWS, Azure, Google Cloud, and Kubernetes, SSH keys, npm tokens, and GitHub Actions secrets. Exfiltrated data is encrypted and sent to public GitHub repositories created on the victim's own account — a technique that uses the victim's own trusted infrastructure as an exfiltration channel.
Organizations managing software development pipelines should verify that no compromised package versions from June 2026 are present in any dependency tree, rotate all CI/CD secrets and cloud credentials if affected packages were installed after June 1, and audit GitHub Actions OIDC configurations for over-permissive token scoping. Passive OSINT reconnaissance methodology applies equally to open-source package threat analysis: knowing how to map dependency exposure is increasingly central to supply chain risk management. The threat intelligence research category provides ongoing coverage of supply chain compromise techniques and attribution.
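Two of the checks just listed, walking a lockfile for compromised versions and auditing an OIDC trust policy for over-broad subject scoping, as an added Python example that is not part of the original review or of any project's code. The review names the @redhat-cloud-services scope and the June 1 compromise but not the affected package names or versions, so the blocklist entries below are constructed placeholders to be replaced with a real advisory feed; the package-lock.json and the AWS IAM trust policy are likewise constructed samples.

```python
import json

# Placeholder blocklist: the review names the @redhat-cloud-services scope but not
# the affected versions, so this package name and these versions are constructed
# stand-ins for a real advisory feed.
COMPROMISED = {
    "@redhat-cloud-services/example-client": {"3.4.1", "3.4.2"},
}

# Constructed package-lock.json (lockfileVersion 3 layout) with one direct and one
# nested copy of the package; only the direct copy is on a compromised version.
SAMPLE_LOCKFILE = json.loads("""{
  "name": "acme-portal",
  "lockfileVersion": 3,
  "packages": {
    "": {"name": "acme-portal", "version": "1.0.0"},
    "node_modules/@redhat-cloud-services/example-client": {"version": "3.4.1"},
    "node_modules/left-pad": {"version": "1.3.0"},
    "node_modules/left-pad/node_modules/@redhat-cloud-services/example-client": {"version": "3.3.9"}
  }
}""")

# Constructed AWS IAM trust policy for a GitHub Actions OIDC role. The StringLike
# subject lets any workflow in the organisation assume the role, which is the
# over-permissive scoping the review warns about.
SAMPLE_TRUST_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"Federated": "arn:aws:iam::123456789012:oidc-provider/token.actions.githubusercontent.com"},
    "Action": "sts:AssumeRoleWithWebIdentity",
    "Condition": {
      "StringEquals": {"token.actions.githubusercontent.com:aud": "sts.amazonaws.com"},
      "StringLike": {"token.actions.githubusercontent.com:sub": "repo:acme-org/*"}
    }
  }]
}""")

SUB_KEY = "token.actions.githubusercontent.com:sub"


def find_compromised(lockfile: dict, blocklist=COMPROMISED) -> list:
    """Walk every entry in the lockfile's 'packages' map, nested copies included,
    and return sorted (package, version) pairs that appear on the blocklist."""
    hits = []
    for path, meta in lockfile.get("packages", {}).items():
        if not path:
            continue  # "" is the root project itself, not a dependency
        name = path.rsplit("node_modules/", 1)[-1]  # keeps the @scope/name form
        if meta.get("version") in blocklist.get(name, ()):
            hits.append((name, meta["version"]))
    return sorted(hits)


def audit_oidc_trust_policy(policy: dict) -> list:
    """Report trust statements whose GitHub OIDC subject is absent or too broad.

    A subject should name one repository and be pinned to a ref or environment
    (for example repo:org/repo:ref:refs/heads/main); a wildcard or a bare
    repository claim lets unrelated workflows mint cloud credentials."""
    findings = []
    for stmt in policy.get("Statement", []):
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if "sts:AssumeRoleWithWebIdentity" not in actions:
            continue
        cond = stmt.get("Condition", {})
        subjects = []
        for op in ("StringEquals", "StringLike"):
            val = cond.get(op, {}).get(SUB_KEY)
            if val:
                subjects.extend(val if isinstance(val, list) else [val])
        if not subjects:
            findings.append("missing sub condition: any GitHub repository can assume the role")
        for sub in subjects:
            if "*" in sub:
                findings.append(f"wildcard subject {sub!r}: name a single repository and ref")
            elif not any(k in sub for k in (":ref:", ":environment:")):
                findings.append(f"unpinned subject {sub!r}: add a ref or environment claim")
    return findings


if __name__ == "__main__":
    print(find_compromised(SAMPLE_LOCKFILE))
    print(audit_oidc_trust_policy(SAMPLE_TRUST_POLICY))
```

The lockfile walk deliberately inspects every `packages` key rather than only top-level dependencies, because a compromised version pulled in transitively is just as live at install time; the trust policy audit treats a wildcard or an unpinned subject as a finding even when the audience check is present, since the audience only says which cloud the token is for, not which workflow may use it.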
## Key Threat Trends Defining June 2026
### Authentication Failures Are the Dominant Pre-Exploitation Vector
Across June 2026's major incidents, the most consistent root cause is authentication failure at the API and service layer — not sophisticated zero-day kernel exploitation, but simple misconfigurations that left endpoints open to unauthenticated access. The ServiceNow requires_authentication=false configuration, the Check Point IKEv1 certificate validation bypass, and the Tchap credential compromise all reflect an organization's inability to enforce what authentication policies nominally promise. Auditing every public-facing endpoint for authentication enforcement — not just documentation — is a non-negotiable response to this trend. Use ReconShield's HTTP security headers auditor to surface web-layer authentication control gaps and unenforced security configurations across your public-facing infrastructure.
### Supply Chain Is Now a Democratized Attack Capability
The open-sourcing of the Shai-Hulud worm in May 2026 transformed supply chain attacks from a specialized capability requiring technical sophistication into a deployable toolkit accessible to low-skill threat actors. The June 2026 wave — 100+ packages, multiple new variants, copycat operators active across both npm and PyPI — is the direct operational result. Organizations that have not inventoried their software supply chain dependencies and implemented CI/CD secret rotation policies are now at elevated risk from a category of attacker with dramatically lower technical capability thresholds than the original TeamPCP campaigns. The shadow IT and exposed-asset audit methodology applies equally to development environments and package dependencies: if you don't know what's in your dependency tree, you can't respond to compromises in it.
### Researcher-Vendor Conflict Is Changing the Zero-Day Disclosure Landscape
The Nightmare Eclipse series — BlueHammer, RedSun, UnDefend, GreenPlasma, YellowKey, and now RoguePlanet — represents a new operational model for zero-day disclosure that security teams must plan around: full public disclosure, including working proof-of-concept code, timed to Microsoft's patch cycles with the explicit intent of maximizing exposure pressure. The resulting environment means that Windows Patch Tuesday no longer marks the end of a vulnerability cycle — it marks the starting gun for the next one. OSINT monitoring of researcher publications, proof-of-concept repositories, and vulnerability disclosure forums has become a direct operational security requirement. The OSINT fundamentals guide covers the passive monitoring workflows that help security teams track public exploit disclosures before they become operational threats.
### AI-Assisted Vulnerability Discovery Is Accelerating the Disclosure Pipeline
The OpenSSL CVE-2026-45447 disclosure — noting AI assistance in the vulnerability's discovery — is a data point in what is becoming a clear trend. AI tools are actively being used by security researchers to identify vulnerabilities in foundational software at a pace that human manual code review cannot match. The implication for defenders is a shorter window between introduction and discovery of vulnerabilities in widely used libraries, a higher rate of disclosure events per quarter, and an increased urgency for continuous patch monitoring and live exposure assessment. Query your public-facing infrastructure's IP reputation and threat intelligence context using ReconShield's IP threat intelligence tool to understand whether any threat actors are already probing your exposed services for freshly disclosed vulnerabilities.
## What Security Teams Should Prioritize Right Now
The June 2026 incident cluster translates to a prioritized action list for security teams that is unusually lengthy for a single calendar month — and requires parallel workstreams rather than sequential remediation. Working from most to least urgent based on exploitation status and patch availability:
- Immediate — deploy all June 10 Microsoft patches, then monitor RoguePlanet. Apply KB5094126 and all associated June Patch Tuesday updates now. Separately, monitor MSRC advisories for a RoguePlanet patch. As an interim measure, review Defender configuration hardening options and monitor for unexpected SYSTEM-level process spawning events.
- Immediate — apply Chrome updates. Chrome auto-update should already handle CVE-2026-11645, but verify enforcement across all managed endpoints. Five actively exploited Chrome zero-days in six months means any unpatched Chrome instance is running against a known-exploitable attack surface.
- Priority — apply Check Point VPN patches and disable IKEv1. CVE-2026-50751 is actively exploited by ransomware affiliates. Any Check Point deployment should apply vendor patches and audit for IKEv1 usage. Disabling the deprecated protocol eliminates the attack surface even before the patch is applied.
- Priority — audit ServiceNow for indicator activity. Review transaction and node logs for /api/now/related_list_edit access from 51.159.98.241 or Guest-user-attributed activity around June 2–3. Rotate any credentials, API tokens, or secrets stored in affected instance records or support workflows.
- Standard — apply SAP June patches. Given SAP NetWeaver's historical exploitation pattern, treat the four critical-severity June patches as high-priority items regardless of whether your specific configuration appears in the worst-case scenario documentation.
- Ongoing — audit npm and PyPI dependencies for Shai-Hulud variants. Check all development environments for compromised @redhat-cloud-services package versions installed after June 1. Rotate all CI/CD secrets, cloud credentials, and npm tokens in any environment where affected packages may have been installed. Verify GitHub Actions OIDC token scoping.
- Baseline — assess your full external exposure footprint. Run ReconShield's passive exposure assessment tool against all owned domains and IP ranges. The month's incidents share a common prerequisite: attackers had already mapped the target's external posture before the exploitation events occurred. Understanding your DNS security configuration and public-facing service exposure is the precondition for every defensive priority listed above.
The structural message from June 2026 is the same one that enterprise cyber operational resilience frameworks have been built around: patch cycles designed around quarterly windows are incompatible with a threat landscape where public exploits follow Patch Tuesday by hours and supply chain attack tooling is open-sourced before most organizations have finished reading the advisory.
## Conclusion
June 2026 produced a perfect storm of vulnerability volume, real-world exploitation, and structural security architecture failure that will be studied as a case study in the limits of reactive security programs. A record Patch Tuesday followed immediately by a new unpatched zero-day. An enterprise SaaS breach where the vendor held the advisory behind a customer portal login for four days. A supply chain worm weaponized through its own open-source release. A government messaging platform breached through a single account. And a browser reaching five actively exploited zero-days before the halfway point of the year.
The security teams that navigated June 2026 most effectively were the ones that had already built the automation, monitoring coverage, and continuous external visibility to detect and respond at speed — rather than waiting for vendor advisories and monthly patch windows to drive their response timeline. Use ReconShield's free passive security analysis tools to establish a real-time baseline of your organization's internet-facing exposure: DNS records, SSL certificates, open ports, HTTP security headers, IP reputation, and WHOIS intelligence — the same data sources attackers use when they run their reconnaissance before every incident in this review.
Written by Surendra Reddy, Cybersecurity Researcher & Founder, ReconShield. Surendra is a cybersecurity engineer specializing in Open Source Intelligence (OSINT), exposure intelligence, and AI-driven threat analysis. He built ReconShield to democratize access to enterprise-grade infrastructure visibility tools and secure digital internet-facing assets.
Reviewed by ReconShield Editorial Team
## Analyst Commentary & Implementation Blueprint
### Security advisory
Continuous security exposure assessment is critical to identifying public vulnerabilities before they are exploited. Organizations should maintain a passive inventory of all web servers, TLS configs, and open ports, ensuring that default configurations are eliminated and security advisories are actively implemented.
### Hardened Security Configuration Blueprint

```apache
# General Security Hardening Directive
ServerTokens ProductOnly
ServerSignature Off
FileETag None
```

### Actionable Mitigation Checklist
- Perform passive asset inventories weekly.
- Restrict administrative ports using local firewall controls.
- Monitor active CVE alerts for exposed software.
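A way to verify the three blueprint directives rather than assume them, as an added Python example that is not part of the original page: it parses an httpd configuration fragment, fills in Apache 2.4's defaults for anything absent (ServerTokens Full, ServerSignature Off, FileETag MTime Size), and reports every deviation from the hardened values. The weak and hardened fragments are constructed samples; the directive names and accepted values are Apache's own.

```python
# Constructed sample: a banner-leaking configuration next to the blueprint.
WEAK_CONFIG = """\
ServerTokens Full
ServerSignature On
FileETag INode MTime Size
"""

HARDENED_CONFIG = """\
# General Security Hardening Directive
ServerTokens ProductOnly
ServerSignature Off
FileETag None
"""

# ServerTokens levels from least to most verbose. Apache accepts both spellings
# of the first (Prod/ProductOnly) and fourth (Min/Minimal) entries.
TOKENS_LEVEL = {"prod": 0, "productonly": 0, "major": 1, "minor": 2,
                "min": 3, "minimal": 3, "os": 4, "full": 5}

# What Apache 2.4 falls back to when the directive is not set at all.
DEFAULTS = {"servertokens": "full", "serversignature": "off", "fileetag": "mtime size"}


def parse_directives(text: str) -> dict:
    """Collect directives from a config fragment, lowercased; the last
    occurrence wins, as it does in httpd. Container tags are skipped."""
    found = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("<"):
            continue
        parts = line.split(None, 1)
        found[parts[0].lower()] = parts[1].strip().lower() if len(parts) > 1 else ""
    return found


def inode_exposed(fileetag: str) -> bool:
    """True when the FileETag value includes inode numbers (INode, +INode or All)."""
    for token in fileetag.split():
        if token.startswith("-"):
            continue  # explicit removal
        if token.lstrip("+") in ("inode", "all"):
            return True
    return False


def audit_apache(text: str) -> list:
    """Return findings against the blueprint; an empty list means compliant."""
    d = {**DEFAULTS, **parse_directives(text)}
    findings = []
    level = TOKENS_LEVEL.get(d["servertokens"])
    if level is None:
        findings.append(f"ServerTokens {d['servertokens']!r} is not a valid value")
    elif level > 0:
        findings.append(f"ServerTokens {d['servertokens']} reveals version detail; use ProductOnly")
    if d["serversignature"] != "off":
        findings.append("ServerSignature should be Off so error pages carry no version banner")
    if inode_exposed(d["fileetag"]):
        findings.append("FileETag exposes inode numbers; use None")
    elif d["fileetag"] != "none":
        findings.append(f"FileETag {d['fileetag']!r} differs from the blueprint value None")
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG), ("empty", "")):
        print(label, audit_apache(cfg) or "compliant")
```

Running it against an empty fragment is the useful edge case: nothing is misconfigured, yet the audit still reports two findings, because an absent directive means Apache's default (a full version banner and a non-None ETag) is in effect. Point it at a real httpd.conf, remembering that directives set inside `<VirtualHost>` or `<Directory>` containers override the global values for that scope and would need scope-aware parsing.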
### Common Inquiries & FAQs
Why is passive scanning preferred for continuous auditing?
Passive audits do not cause operational impact or trigger firewall blocks, making them ideal for constant surveillance of internet-facing assets.
What should I do if a vulnerability is flagged?
Apply the latest vendor patches, restrict access to the resource via firewalls, or verify configuration flags to mitigate risks.