OpenSSL advisory CVE-2026-34180: heap buffer over-read in ASN.1 decoder affecting OpenSSL 4.0.0-4.0.0, 3.6.0-3.6.2, 3.5.0-3.5.6, 3.4.0-3.4.5, 3.0.0-3.0.20, 1.1.1-1.1.1zg, 1.0.2-1.0.2zp. Root cause: integer truncation when ASN.1 primitive element content length exceeds 2GB causes length mishandling; may scan for terminating zero byte, reading beyond buffer end. Impact: crash (DoS) or memory disclosure. Affects d2i_X509(), d2i_PKCS7(), all d2i_* decoders on 64-bit Unix/Linux only (32-bit and Windows unaffected). CVE-2026-34181: PKCS#12 PBMAC1 accepts short HMAC keys, enabling certificate/private-key forgery with 1/256 probability. Affects 4.0.0-3.4.0. FIPS modules unaffected.

Microsoft released 200 security patches (record Patch Tuesday) including nearly 40 critical-severity bugs. Exploit code public for 3+ vulnerabilities. AI tools credited as accelerator—OpenAI's Codex reported a DoS flaw (CVE-2026-49160) in IIS. Researcher 'Nightmare Eclipse' disclosed exploits for Windows flaws (GreenPlasma elevation-of-privilege, BitLocker vulnerabilities); Microsoft previously threatened legal action (then clarified: no civil suits, but referrals to authorities for lawbreaking). Nightmare Eclipse claims former Microsoft employee status, pledged 'bone-shattering' zero-day dump for July 14. Browser vulnerabilities: 360 fixes this month (order of magnitude above historical norms), causing Microsoft to stop enumerating Chromium CVEs in official guides. AI-assisted vulnerability discovery cited as driver for volume increase.

npm v12 (July 2026) introduces breaking security defaults: (1) allowScripts defaults off—preinstall/install/postinstall scripts blocked unless explicitly allowed via npm approve-scripts (includes implicit node-gyp builds); (2) --allow-git defaults none—Git dependencies (transitive or direct) blocked unless explicitly allowed (closes .npmrc override code-execution path); (3) --allow-remote defaults none—remote URL dependencies (https tarballs) blocked unless explicitly allowed. Migration path: upgrade to npm 11.16.0+, run normal install to see warnings, use npm approve-scripts --allow-scripts-pending to list scripts, approve trusted packages, commit updated package.json. Unapproved scripts stop running post-upgrade. Docs available for approve-scripts, deny-scripts, allow-scripts config.

CISA ordered all US civilian federal agencies to remediate a critical vulnerability in Check Point remote-access tools and VPNs by end of day June 11. A known ransomware group (Qilin) is actively exploiting the flaw to breach targeted organizations globally; exploitation began May 7, activity spiked last week. Check Point confirmed multiple products affected (firewalls, VPNs, remote-access tools). CISA invoked BOD 22-01 emergency authority to force remediation across Homeland Security, State, Treasury, and other agencies. The vulnerability acts as a network perimeter breach—VPNs/firewalls are gateway security.

CVE-2026-53111: A single errant character (an exclamation mark) in Linux kernel verdictmap code introduced a use-after-free vulnerability allowing privilege escalation. When a verdict map is deleted, catchall elements deactivate and a reference counter decrements. The bug corrupts error-path cleanup, allowing attackers to decrement the counter arbitrarily and free the chain while stale pointers remain. Unprivileged local exploit: >99% stability on idle systems. Affects Debian and Ubuntu. Fixed in February; FuzzingLabs PoC in April; Exodus Intelligence PoC published Monday. Part of a wave of recent elevation-of-privilege bugs that, when chained with separate exploits, bypass OS hardening. Researchers noted the one-character typo cascaded into NP-hard control-flow hijack enabling kernel base/heap leaks.

The U.S. military has covertly broadcast encryption keys via publicly-available GPS satellites for ~20 years, discovered by researcher Steven Murdoch. All 31 operational satellites transmitted a sentinel signal within hours on May 26, 2011—timeline matching declassified military Over-the-Air Distribution (OTAD) and Over-the-Air Rekeying (OTAR) rollout documents. This system replaced manual cryptographic distribution: military GPS receivers worldwide now receive key updates remotely via satellite rather than onsite procedures. Murdoch corroborated the discovery through formal analysis of declassified timelines and automated detection of change points in signal data. Security implications: passive receiver can intercept key material; active adversary might inject malicious updates if crypto/auth is weak.

BRIEFING: Second Microsoft supply-chain compromise in weeks: 73 packages flagged as malicious when opened in AI agents. Malware (Miasma, cloned from TeamPCP's open-sourced Mini Shai-Hulud toolkit) steals credentials from AWS/Azure/GCP/Kubernetes and 90+ developer tool configs, spreads laterally. First incident (May): durabletask Python SDK (400K monthly downloads) compromised via stolen Microsoft OIDC token, same malware signature. Attacker bypassed publish pipeline using legitimate credentials. GitHub initially labeled packages as "terms of service violation" rather than malicious; Microsoft delayed public notice until Monday. Credential theft enables further supply-chain poisoning (OIDC tokens stolen in prior Red Hat attack).

Let's Encrypt announced policy changes restricting certificate issuance in US-sanctioned territories. The announcement came as a PDF that failed to render properly in the provided content. Based on context, the policy likely aligns with OFAC sanctions compliance and affects certificate operations in designated countries. Let's Encrypt must balance providing encryption access broadly against legal obligations under US export control and sanctions regimes.

BRIEFING: Arbitrary code execution in binutils' objdump via missing bounds check in FR30 relocation handler. Vulnerability in rare build configuration (--enable-targets=all or explicit FR30 backend). Exploit uses FR30 R_FR30_48 relocation to write out-of-bounds to heap buffer, defeats ASLR/PIE/hardening in single payload. Root cause: FR30 relocation handler (fr30_elf_i32_reloc) performs unvalidated write using attacker-controlled offset and value. Requires crafted relocatable object file; no bounds check against .debug_info section size. Discovered by Anthropic. Binutils security policy explicitly excludes such issues from vulnerability treatment; fix deployed promptly.

BRIEFING: 70+ Microsoft open-source repositories on GitHub compromised with credential-stealing malware. Affected packages target Azure tools and AI development environments (Claude Code, Gemini CLI, VS Code). Malware stole passwords and developer credentials when tools opened in AI coding agents. Second such breach in weeks: May incident compromised Microsoft's durabletask Python SDK (400K monthly downloads). Malware (Miasma variant, related to TeamPCP's Mini Shai-Hulud) harvested OIDC tokens used in SLSA provenance attestation, bypassing supply-chain verification itself. Microsoft acknowledged "small number of customers" but disclosed no specific count or remediation timeline.

BRIEFING: Zero-knowledge proof vulnerability discovered in Zcash's Orchard shielded transaction pool. Security researcher Taylor Hornby (hired specifically for this work) found critical flaw in transaction input validation using Claude—a check that appeared to enforce rules actually did not. Allowed attacker to generate unbounded ZEC and forge valid zero-knowledge proofs. Issue is fixed; no evidence of exploitation found. Root problem: complex cryptographic systems have a high surface area for subtle bugs; this one wasn't caught despite formal verification efforts on components.

BRIEFING: Astral released two security features for uv (Python package manager): uv audit scans dependencies for known vulnerabilities and deprecated projects, 4-10x faster than pip-audit by leveraging uv's locked resolutions; uv malware check (via OSV database) performs optional lightweight malware detection on every sync operation when UV_MALWARE_CHECK=1 is set. Key distinction: vulnerabilities often need passive remediation (patching), while malware requires active response (credential theft). Malware check prevents sync before malicious code executes, addressing PyPI quarantine gap where lockfiles can still reference yanked packages in object storage. Both features currently in preview.

BRIEFING: WhatsApp reports new phishing/spyware campaign linked to NSO Group (May 2026), violating 2024 permanent injunction. Method: spear-phishing with malicious links leading to Pegasus infection (similar to Jordan 2024 campaign). Also: test account/group creation. WhatsApp filed contempt motion. Context: 2019 NSO mass-hack (1,400+ users), jury verdict $167M (later lowered to $4M). NSO remains on US Commerce blocklist despite 2025 investor buyout attempting reputation rehab and US market entry. Gov't pressure (sanctions on Intellexa, etc.) ongoing. WhatsApp's mitigation: public disclosure, victim notification, legal action.

BRIEFING: Meta's AI support chatbot had critical auth flaw (May 31–June 1, 2026): password reset failed to verify email ownership before sending reset link to unverified address. Allowed attackers to reset arbitrary accounts and hijack them (no 2FA required). Affected 20,225+ Instagram accounts; high-profile targets: Obama White House account, USAF CMSgt, Sephora. Root cause: separate code path skipped email validation. Meta's fix: disabled tool, removed buggy path, invalidated reset links, enforced security checkpoint on affected accounts. Meta claims unaware if PII accessed, but hijackers could've obtained: emails, phone numbers, birthdate, posts, DMs, profile info, activity, linked accounts. Maine notice lists 30 affected users (upper bound).

BRIEFING: Bruce Schneier's critique of Anthropic's Project Glasswing vulnerability disclosure push (April 2026). Announcement: Anthropic's new model finds vulns better than others. Glasswing status report shows high detection volume but almost zero patches deployed—data raises red flags, Anthropic refuses detailed release ("trust us"). Schneier: claims are unsubstantiated, pattern suspicious, lack of transparency is the real problem.