June 11, 2026 by sig9
Hacker Wars - June 11, 2026
Your daily dose of infosec chaos
Thursday is serving up the usual mix: a 450k-record university breach, two more actively exploited CVEs to patch before the weekend, and GitHub finally turning off the thing attackers love most about npm. Patch early, patch often.
GitHub Pulls The Plug On npm Install Scripts
With npm 12, GitHub is disabling install scripts by default because attackers keep abusing postinstall hooks to drop miners, stealers, and backdoors the moment you run npm install. This is a meaningful shift for the ecosystem, even if it is going to break a lot of perfectly innocent packages along the way. Supply chain defenders finally get a default that does not assume every maintainer is trustworthy.
What to do: Prepare for breakage in your builds, audit which of your dependencies rely on install scripts, and document any you explicitly need to re-enable.
Ivanti Sentry Max Severity Flaw Now Under Active Exploitation
Attackers are hitting a max-severity vulnerability in Ivanti Sentry, the secure mobile gateway product, giving them root-level code execution on internet-exposed instances. Ivanti has shipped a patch but the exploitation window tells you everything you need to know about exposure. If you run Sentry on a public IP and have not patched yet, you are behind.
What to do: Patch Ivanti Sentry immediately, hunt for indicators of compromise on the appliance, and review any internet-facing management interfaces for signs of abuse.
Nottingham University Breach Leaks 450,000 Student Records
ShinyHunters has taken credit for a breach of the University of Nottingham, dumping more than 450,000 email addresses plus additional personal data from current students and alumni. Universities continue to be soft targets: large user bases, sprawling third-party integrations, and security budgets that would not cover a Zurich coffee tab. Expect a wave of credential-stuffing and phishing follow-on activity.
What to do: Rotate credentials for anyone with a university-affiliated account, enable MFA everywhere, and warn users to expect targeted phishing tied to their .ac.uk address.
Microsoft Finally Patches Exploited Exchange Server Zero Day
Microsoft has fixed CVE-2026-42897, an Exchange Server flaw that was disclosed as under active zero-day exploitation back on May 14. The “Patch Tuesday will catch up eventually” strategy is not a strategy; it is a coin flip, and this one landed in the attackers' favour. Anyone running on-prem Exchange should be treating this as urgent and not waiting for the next cumulative update.
What to do: Apply the June update to all on-prem Exchange servers today, hunt for web shells and suspicious mailbox activity from the past 30 days, and consider moving the rest of your mail flow to a managed cloud provider.
Langflow Path Traversal Flaw Lets Attackers Write Files On Your Box
CVE-2026-5027, a high-severity path traversal bug in the AI development platform Langflow, is being actively exploited to drop arbitrary files on exposed servers. Langflow instances tend to live on developer laptops and internal hosts that are rarely hardened, which turns a file-write primitive into a much bigger problem very quickly. If your team is using Langflow to wire up LLM pipelines, assume your dev box is interesting to attackers.
What to do: Update Langflow to the patched version, restrict network access to the Langflow UI, and review exposed instances for unexpected files in the application directories.
Stay paranoid, stay patched, and have a good one.