June 3, 2026 by sig9

Hacker Wars - June 03, 2026

Your daily dose of infosec chaos


Happy Wednesday. If your dev team lives in VS Code, today’s zero-day should get your attention - researchers just dropped exploit code that can steal GitHub tokens with a single click. Meanwhile, WordPress admins are getting hijacked again and a phishing-as-a-service kit is expanding faster than your attack surface.


VS Code Zero-Day Steals GitHub Tokens With One Click

A researcher published exploit code for a Visual Studio Code vulnerability that lets attackers steal GitHub authentication tokens simply by getting a user to click a crafted link. The flaw abuses VS Code’s handling of URI schemes, and since GitHub tokens grant access to repos, CI/CD secrets, and private code, this is basically a skeleton key for your entire development workflow. The exploit is now public, so expect opportunistic attacks.

What to do: Update VS Code immediately. Rotate any GitHub tokens that may have been exposed. Consider using short-lived tokens and GitHub’s fine-grained personal access tokens to limit blast radius.


Kirki Plugin Flaw Hands WordPress Admins to Attackers

A critical privilege escalation vulnerability (CVE-2026-8206) in the Kirki WordPress plugin is being actively exploited in the wild, allowing unauthenticated attackers to take over any account - including administrators. If your WordPress site runs Kirki, assume compromise and act accordingly. Another day, another WordPress plugin turning your admin panel into a public resource.

What to do: Update the Kirki plugin to the patched version immediately. If you can’t update right now, disable the plugin. Check your WordPress user list for any accounts you don’t recognize and audit recent admin activity.


WeedHack Malware Infects 116,000 Minecraft Systems

A malware campaign dubbed WeedHack has been quietly infecting Minecraft players since January, with over 116,000 systems compromised. The campaign targets players through malicious mods and cheat tools - because nothing says “free diamonds” like a remote access trojan. If your kids (or employees) are downloading Minecraft mods from random Discord servers, you might want to have a conversation.

What to do: Run a full malware scan on any system where Minecraft mods have been installed. Educate younger users about the risks of downloading mods from unofficial sources. Consider application whitelisting on shared family or corporate machines.


Kali365 Phishing Kit Expands Beyond Microsoft 365

The FBI-flagged phishing-as-a-service platform Kali365 has broadened its targeting scope beyond Microsoft 365 to include AWS, Okta, and even Russian platforms. The kit now relies heavily on device code phishing - a technique that abuses legitimate authentication flows to bypass MFA. This is PhaaS evolving faster than most orgs can patch their awareness training.

What to do: Train users to recognize device code authentication prompts they didn’t initiate. Implement conditional access policies that flag unusual authentication patterns. Block known Kali365 infrastructure at your email gateway.
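
One way to flag unusual device code sign-ins from exported sign-in logs, as an added example that is not part of the original bulletin or any vendor's tooling. The event fields (`user`, `flow`, `country`, `app`), the `flag_device_code` helper and the sample records are constructed assumptions; map them from your identity provider's sign-in log export.

```python
from collections import defaultdict

# Constructed sign-in events. Field names are assumptions, not a real IdP schema.
EVENTS = [
    {"time": "2026-05-20T08:01:00Z", "user": "alice", "flow": "interactive", "country": "CH", "app": "Office"},
    {"time": "2026-05-21T08:03:00Z", "user": "alice", "flow": "interactive", "country": "CH", "app": "Office"},
    {"time": "2026-05-22T09:10:00Z", "user": "kiosk-tv", "flow": "device_code", "country": "CH", "app": "Teams Rooms"},
    {"time": "2026-06-02T14:30:00Z", "user": "alice", "flow": "device_code", "country": "NL", "app": "Azure CLI"},
    {"time": "2026-06-02T15:00:00Z", "user": "kiosk-tv", "flow": "device_code", "country": "CH", "app": "Teams Rooms"},
    {"time": "2026-06-02T16:45:00Z", "user": "bob", "flow": "device_code", "country": "CH", "app": "Azure CLI"},
]


def flag_device_code(events, baseline_end):
    """Return (user, time, reasons) for device-code sign-ins after
    baseline_end that do not match what the account did before."""
    flows, countries = defaultdict(set), defaultdict(set)
    alerts = []
    # ISO-8601 UTC timestamps in one format sort chronologically as strings.
    for ev in sorted(events, key=lambda e: e["time"]):
        user, reasons = ev["user"], []
        if ev["time"] > baseline_end and ev["flow"] == "device_code":
            if "device_code" not in flows[user]:
                reasons.append("first device-code sign-in for this account")
            if ev["country"] not in countries[user]:
                reasons.append(f"country {ev['country']} not in baseline")
        if reasons:
            alerts.append((user, ev["time"], reasons))
            continue  # a flagged sign-in must never extend the baseline
        flows[user].add(ev["flow"])
        countries[user].add(ev["country"])
    return alerts


if __name__ == "__main__":
    for user, when, reasons in flag_device_code(EVENTS, "2026-06-01T00:00:00Z"):
        print(f"{when} {user}: " + "; ".join(reasons))
```

Accounts that legitimately use the device code flow, such as the constructed `kiosk-tv` entry, stay quiet, which keeps the alert volume low enough to pair with a conditional access policy that restricts the flow to those accounts.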


Until next time, may your logs be clean and your alerts be false positives.


Brought to you by sig9 - sig9.ch | Protecting the unseen, securing the unknown

This bulletin is provided for informational purposes. Contact us for tailored security analysis.