< back to blog

Security briefing: June 2026

Crystal Morin
Security briefing: June 2026
Published by:
Crystal Morin
Security briefing: June 2026
Sr. Cybersecurity Strategist
@
Security briefing: June 2026
Published:
July 7, 2026
falco feeds by sysdig

Falco Feeds extends the power of Falco by giving open source-focused companies access to expert-written rules that are continuously updated as new threats are discovered.

learn more
Green background with a circular icon on the left and three bullet points listing: Automatically detect threats, Eliminate rule maintenance, Stay compliant, with three black and white cursor arrows pointing at the text.

Old doors, new tricks

It’s the cybersecurity circle of life: there’s always something new and exciting to talk about, but most incidents are still rooted in familiar foundations. June brought the usual mix of credential mishaps, cloud misconfigurations, and opportunistic attackers, all leading to data loss.

At the same time, we also saw more evidence of agentic threat actors (ATAs), several attackers jailbreaking LLMs, and one attacker building an autonomous offensive hacking tool using stolen AI compute.

So, with threats new and old, let’s dig into your June security briefing:

June 8: Breach of messaging app built for privacy

  • On June 8, the French Interministerial Directorate for Digital Affairs (DINUM) and National Cybersecurity Agency (ANSSI) confirmed the French government’s official messaging application Tchap was compromised
  • Only one year ago, the French government banned the use of foreign apps like Signal and WhatsApp for public sector communications and provided public servants with access to Tchap.  
  • An attacker operating under the alias “misere” claimed responsibility, stating they stole 13.5 GB of data, including email addresses and organizational details from more than 73,000 of the 600,000 user accounts. That stolen data will likely lead to additional social engineering campaigns. 
  • While still under investigation, it appears the cause was likely human error, with the attacker alleging access was via successful social engineering against a single user.

June 11: Incidental cloud exposure leads to massive data leak

  • Novo Nordisk, the Danish pharmaceutical company behind Ozempic and Wegovy, confirmed on June 11 that there had been unauthorized access to a limited number of internal systems and some sensitive information, such as clinical trial data.
  • The cloud extortion group FulcrumSec claimed responsibility, stating that it spent more than two months in the organization’s environment, exfiltrating 1.3 terabytes of data. 
  • FulcrumSec demanded a $25 million ransom, which Novo Nordisk declined to pay, and the group began to leak samples of the organization’s drug research and AI models to entice private buyers. 
  • Initial access was reportedly via two publicly exposed subdomains that contained accessible credentials. For a more detailed look at FulcrumSec and how to defend against cloud-native breaches, read the Sysdig Threat Research Team’s (TRT) full analysis

Additional Sysdig TRT findings

Agentic threat actor escapes a container

  • On June 4, Sysdig TRT published research on an agentic threat actor (ATA) — a fully automated attack with no human at the keyboard.
  • The ATA gained initial access through a marimo vulnerability (CVE-2026-39987), then went on to enumerate the host, create privileged containers, break out of the host, and replay a stolen Kubernetes service account token to dump the entire cluster secret store.
  • The ATA was able to move from the application layer to the orchestration layer, selecting escape primitives in real time and adapting based on live results returned from the victim environment. 

Attackers are jailbreaking LLMs with capture-the-flag framing

  • On June 15, the Sysdig TRT reported a trend of multiple attackers jailbreaking LLM safety guardrails to create CVE exploits by framing their prompts as requests for help with capture-the flag (CTF) events. 
  • LLMs will otherwise decline to produce a working exploit, but in several cases, attackers were able to coax models into generating CVE exploit code with requests targeting competitions and research.
  • Fortunately, this is easy to detect because the prompt leaks into the LLM’s output. The attacker’s target CVE is in the HTTP headers, hardcoded passwords, and IAM logs, a redundancy no human would ever craft into their scripts. 

LLMjacking evolved from free chats to free malicious tool building

  • On June 17, the Sysdig TRT identified a notable evolution in LLMjacking use cases. What started as stolen AI compute for college homework and code scripts has evolved into the development of an automated offensive hacking tool. 
  • The attacker stole access to a misconfigured, publicly exposed Ollama server. 
  • The Sysdig TRT then witnessed the attacker actively developing the tool and testing it in a private practice range owned by the penetration testing lab HackTheBox. 
  • The full intention of the tool’s development is still unclear. It could be used for legitimate research purposes; however, resource theft is still illegal.

Why some vulnerabilities aren’t exploited as often as others

  • On June 26, the Sysdig TRT published the first known exploitation of Langflow CVE-2026-55255, a CVSS 9.9 cross-tenant insecure direct object reference (IDOR).
  • The vulnerability was exploited in the same session and against the same Langflow instance as the widely exploited CVE-2026-33017, a CVSS 9.3 unauthenticated RCE.
  • The operator put sustained effort into the lower-scored RCE and treated the higher-scored IDOR as an afterthought, only adding it to their toolset to cover more Langflow exploitation possibilities. 
  • The reason 55255 isn’t being exploited is because of the attacker’s optimization of effort-to-yield. The IDOR vulnerability is harder to weaponize, even though it is more powerful. This finding is proof that prioritization based on CVSS score isn’t always accurate. The scariest vulnerability on paper isn’t always the one attackers are going for. 

Also in the news

  • pull_request_target abuse has been named: Researchers at Novee Security identified more than 300 exploitable GitHub repositories on June 23 and named the workflow abuse pattern Cordyceps. GitHub pushed a platform-level fix via actions/checkout on June 18. The Sysdig TRT identified and disclosed this same vulnerability class in multiple repositories in June 2025, but the flaw was never fixed. Now, a year later, unauthenticated users will no longer be able to exploit repositories via this weak point. 
  • Cybersecurity companies impacted by supply chain breach: On June 12, competitive market intelligence platform Klue identified unauthorized activity in a portion of its integration infrastructure. Since then, some of their customers, such as LastPass, Recorded Future, and Huntress, have released statements about the incident. Initial access was a compromised legacy integration credential, which the attacker then used to obtain multiple OAuth tokens and exfiltrate basic customer service-type data from the organizations.
  • DirtyClone kernel-layer flaw: Just when we thought we were in the clear following DirtyFrag last month, CVE-2026-43503 dropped in late June. It allows a local unprivileged user to gain root access by corrupting file-backed memory via a cloned network packet. There was a working exploit as of June 25, so get to patching! 

Closing thoughts

June’s throughline isn’t a single breach or vulnerability. It seldom is. But the tools, platforms, and scoring systems defenders have been relying on to make or inform decisions are being gamed, bypassed, or proven wrong. Those are the headlines, but the fundamentals are still where most organizations are getting hurt: forgotten credentials, unrotated tokens, or a single socially engineered user. 

The sophistication of the threat landscape is real, and so is the gap in the basics. Both deserve attention. 

About the author

Cloud Security
Kubernetes & Container Security
featured resources

Test drive the right way to defend the cloud
with a security expert