June 8, 2026 by sig9
Hacker Wars - June 08, 2026
Your daily dose of infosec chaos
Monday kicks off with a bang: threat actors are showing up at your office door, SolarWinds is back in the spotlight (yes, again), and your VS Code extensions just got a speed bump. Grab your coffee and let’s dive in.
Hacker Group Shows Up At Your Door And On The Phone
Google Mandiant just dropped details on UNC3753, a financially motivated crew that combines vishing with actual physical break-ins to steal data and extort U.S. organizations. They hit professional services, law firms, and financial companies between January and May 2026, proving that sometimes the threat model really does include a guy in a polo shirt talking his way past reception.
What to do: Train front desk staff on social engineering, verify all “vendor” and “IT support” visits, and include physical intrusion scenarios in your incident response playbook.
SolarWinds Serv-U Flaw Actively Exploited, No Patch Yet
SolarWinds disclosed a vulnerability in Serv-U that lets unauthenticated attackers crash the service with a crafted POST request. The flaw is already being exploited in the wild, and while SolarWinds is working on a fix, you are currently on your own. The good news: it is a DoS, not RCE. The bad news: if your file transfer service goes down at 3am, your SOC will not be having fun.
What to do: Monitor Serv-U logs for unusual POST requests, restrict network access to the service, and watch for the patch.
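As an added example (not from the SolarWinds advisory or this bulletin's author), here is a small Python detector for the "watch for unusual POST requests" advice above. It assumes a constructed, simplified access-log format (timestamp, client IP, method, path, status), not Serv-U's real log layout, and flags two generic signals worth triaging: a burst of POSTs from one client within a short window, and POSTs that the server answered with a 5xx error. Thresholds are assumptions; tune them to your baseline.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed, simplified log line format used for this example (assumption,
# NOT Serv-U's real log format): "<ISO timestamp> <client ip> <method> <path> <status>"
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")

# Constructed sample log: one normal login/browse session, then a burst of
# failing POSTs from a second client (203.0.113.0/24 is a documentation range).
SAMPLE_LOG = """\
2026-06-08T03:00:01 10.1.1.5 GET /login 200
2026-06-08T03:00:02 10.1.1.5 POST /login 302
2026-06-08T03:00:10 10.1.1.5 GET /files 200
2026-06-08T03:05:00 203.0.113.7 POST /api/upload 500
2026-06-08T03:05:01 203.0.113.7 POST /api/upload 500
2026-06-08T03:05:01 203.0.113.7 POST /api/upload 500
2026-06-08T03:05:02 203.0.113.7 POST /api/upload 500
2026-06-08T03:05:02 203.0.113.7 POST /api/upload 500
2026-06-08T03:05:03 203.0.113.7 POST /api/upload 500
"""


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, ip, method, path, status = m.groups()
    return {
        "ts": datetime.fromisoformat(ts),
        "ip": ip,
        "method": method,
        "path": path,
        "status": int(status),
    }


def find_post_anomalies(log_text, burst_count=5, window_seconds=10):
    """Return {client_ip: [reason, ...]} for clients whose POST traffic looks unusual.

    Reasons:
      post_burst        - at least `burst_count` POSTs within `window_seconds`
      post_server_error - a POST was answered with a 5xx status
    Only clients with at least one reason appear in the result.
    """
    reasons = defaultdict(set)
    recent_posts = defaultdict(deque)  # ip -> timestamps of POSTs inside the window

    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None or ev["method"] != "POST":
            continue

        if ev["status"] >= 500:
            reasons[ev["ip"]].add("post_server_error")

        window = recent_posts[ev["ip"]]
        window.append(ev["ts"])
        # Drop timestamps that have fallen out of the sliding window.
        while (ev["ts"] - window[0]).total_seconds() > window_seconds:
            window.popleft()
        if len(window) >= burst_count:
            reasons[ev["ip"]].add("post_burst")

    return {ip: sorted(r) for ip, r in reasons.items()}


if __name__ == "__main__":
    for ip, why in find_post_anomalies(SAMPLE_LOG).items():
        print(f"{ip}: {', '.join(why)}")
```

Feed it your real log lines by adapting `LINE_RE` to the actual format; the two signals are deliberately generic so the check does not depend on knowing what the crashing request looks like.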
VS Code Now Delays Extension Updates By Two Hours
Microsoft is adding a mandatory two-hour delay before VS Code auto-updates extensions, a direct response to the wave of supply chain attacks targeting the extension marketplace. Attackers had been pushing malicious updates that would propagate instantly to millions of developers. The delay gives security teams a window to catch poisoned packages before they hit production dev machines.
What to do: Keep auto-updates enabled but review your installed extensions regularly. Consider pinning critical toolchain extensions to known-good versions.
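For the "review your installed extensions regularly" and "pin critical toolchain extensions" advice, here is an added Python example (not Microsoft's or this bulletin's code) that diffs a saved extension inventory against a fresh one and checks a pin list. It assumes the input is the output of `code --list-extensions --show-versions`, which prints one `publisher.name@version` per line; the extension names and versions in the sample are constructed.

```python
# Constructed sample inventories in the `code --list-extensions --show-versions`
# line format. Publisher/extension names and versions are made up for this example.
BASELINE = """\
example-publisher.build-tool@1.2.0
example-publisher.formatter@3.4.1
another-publisher.linter@0.9.0
"""

CURRENT = """\
example-publisher.build-tool@1.3.0
example-publisher.formatter@3.4.1
new-publisher.helper@0.0.1
"""

# Extensions that must stay at a known-good version (assumed pin list).
PINNED = {"example-publisher.build-tool": "1.2.0"}


def parse_inventory(text):
    """Parse 'publisher.name@version' lines into {identifier: version}."""
    inventory = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        ident, sep, version = line.rpartition("@")
        if not sep or not ident or not version:
            raise ValueError(f"unexpected inventory line: {line!r}")
        inventory[ident.lower()] = version  # identifiers are case-insensitive
    return inventory


def extension_drift(baseline_text, current_text, pinned=None):
    """Compare two inventories and report added, removed and re-versioned
    extensions, plus any pinned extension not at its expected version."""
    base = parse_inventory(baseline_text)
    cur = parse_inventory(current_text)
    pins = {k.lower(): v for k, v in (pinned or {}).items()}

    return {
        "added": sorted(set(cur) - set(base)),
        "removed": sorted(set(base) - set(cur)),
        "changed": sorted(
            (ident, base[ident], cur[ident])
            for ident in set(base) & set(cur)
            if base[ident] != cur[ident]
        ),
        "pin_violations": sorted(
            (ident, wanted, cur.get(ident))
            for ident, wanted in pins.items()
            if cur.get(ident) != wanted
        ),
    }


if __name__ == "__main__":
    report = extension_drift(BASELINE, CURRENT, PINNED)
    for key, items in report.items():
        print(f"{key}: {items}")
```

Run the real inventory through `code --list-extensions --show-versions > current.txt` on each dev machine and keep the baseline in version control; a non-empty `added` or `pin_violations` list is the cue to look before the two-hour window closes.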
OpenAI Adds Active Sessions And Lockdown Mode To ChatGPT
OpenAI is rolling out new account security features for ChatGPT, including active session management and a “Lockdown Mode” that restricts account recovery options. This comes after a string of account takeover incidents targeting users with sensitive conversations stored in their chat history. If your SOC team has been dumping threat intel into ChatGPT, this one is for you.
What to do: Enable Lockdown Mode if available, review active sessions, and remember that LLM chat history is a data loss vector.
C0XMO Botnet Targets DD-WRT Routers, Eliminates Competition
A new Gafgyt variant called C0XMO is spreading through vulnerabilities in DD-WRT router firmware, supporting multiple CPU architectures. What makes it interesting: it actively kills rival malware on infected devices, claiming exclusive ownership of compromised routers. The botnet operators are running a hostile takeover of your IoT fleet.
What to do: Update DD-WRT firmware to the latest version, change default credentials on all routers, and segment IoT devices from your main network.
That’s the chaos for today. Stay sharp out there.
Brought to you by sig9 - sig9.ch | Protecting the unseen, securing the unknown
This bulletin is provided for informational purposes. Contact us for tailored security analysis.