
world · World News · by WPSteam

Deutsche Bahn GSM-R Outage: Germany's Entire Rail Network Went Dark

Late Tuesday, Germany's national rail network stopped. Every Deutsche Bahn train across the country stopped abruptly wherever it was, going nowhere. The culprit - a failure in GSM-R, the Global System for Mobile Communications for Railways. It's the backbone of how train drivers talk to traffic control centers. When it goes down, trains don't move. Not because there's a safety threat in the conventional sense, but because no communication means no authorization to move, and rail safety protocols are unambiguous about that. You sit and wait.

https://thecybersecguru.com/news/deutsche-bahn-gsm-r-outage-germany-rail-network/

privacy · Privacy · by WPSteam

Who Owns Incogni? The Surfshark, Nord & Tesonet Chain

Incogni was built by Surfshark in 2021 and is now owned by Cyberspace B.V., the Netherlands-registered holding company created when Surfshark merged with Nord Security in February 2022. That same corporate family, traced back to Lithuanian venture builder Tesonet, also backs Oxylabs, one of the largest residential proxy and web-scraping infrastructure providers on earth.

https://thecybersecguru.com/online-privacy/who-owns-incogni-tesonet-data-broker-removal-services/

FortiBleed: How 75,000 Fortinet Firewalls Were Silently Compromised in 2026

FortiBleed exposed how a Russian-speaking threat group quietly compromised around 75,000 Fortinet firewalls worldwide by abusing old credential leaks, infostealer logs, automated login testing, offline cracking, and compromised FortiGate devices. The campaign turned exposed firewalls into credential-harvesting nodes, creating a self-feeding access pipeline for future attacks and possible ransomware operations.

https://thecybersecguru.com/news/fortibleed-fortinet-firewall-credential-leak/

technology · Technology · by WPSteam

How a Single Rogue BGP Announcement Took Telegram Offline Across Three Continents

Telegram faced major connectivity disruptions after researchers reported that Reliance Communications’ AS18101 allegedly announced Telegram’s 91.108.56.0/22 IP prefix, a route normally originated by Telegram’s AS62041. The announcement reportedly spread through FLAG Telecom and reached international peers, causing Telegram traffic in India and parts of the UAE, Europe, and Asia to be misrouted or dropped.

The incident came around the same time as India’s temporary Telegram restriction linked to NEET exam security, but the network-layer impact went far beyond a domestic block. Researchers say the route should have been flagged as RPKI-invalid and filtered, raising fresh concerns about weak BGP security enforcement, poor route filtering, and how a single unauthorized routing announcement can disrupt a major platform across borders.

https://thecybersecguru.com/news/rogue-bgp-announcement-telegram-offline/

Technical breakdown: stored XSS, session abuse, CSP failures behind the Massive Instructure Canvas Data Breach

A single support ticket allegedly became the entry point for one of the biggest EdTech security incidents of 2026. The Canvas breach shows how stored XSS, weak session scoping, and missing browser-layer defenses can turn a routine help-desk workflow into a large-scale data exposure.

This breakdown walks through the attack chain: malicious ticket content, hijacked support session, API abuse, ShinyHunters’ role, CSP failures, and the practical lessons SaaS and EdTech teams should take seriously.

https://thecybersecguru.com/analysis/instructure-canvas-breach-2026-stored-xss/

devops · DevOps · by WPSteam

CVE-2026-53435: Jenkins Deserialization Chain, PoC & Patch

A newly disclosed Jenkins vulnerability, tracked as CVE-2026-53435, is now being actively exploited in the wild. The flaw allows an authenticated attacker with relatively low privileges to POST a malicious config.xml file, abuse Jenkins’ deserialization handling, and route requests through Stapler to access sensitive files on the Jenkins controller.

The issue affects Jenkins weekly versions up to 2.567 and LTS versions up to 2.555.2. Successful exploitation can lead to arbitrary file read, user impersonation, Script Console access, and possible exposure of SSH keys, credentials, and internal Jenkins secrets. Administrators are urged to upgrade immediately to Jenkins weekly 2.568 or LTS 2.555.3, review logs for suspicious createView requests, and audit users with View/Configure, Item/Configure, or Agent/Configure permissions.

https://thecybersecguru.com/news/cve-2026-53435-jenkins-deserialization/

CVE-2026-20253: Splunk Pre-Auth RCE via PostgreSQL Sidecar

CVE-2026-20253 is a critical Splunk Enterprise flaw where the PostgreSQL sidecar’s unauthenticated backup/restore API can be reached through Splunk Web, letting an attacker abuse pg_dump/pg_restore to pull a malicious database from attacker infrastructure, restore attacker-controlled SQL locally, write files as the Splunk user, and eventually overwrite a scheduled Python script for remote code execution. This all highlights that Splunk Enterprise on AWS is especially exposed by default, affected versions below 10.2.4 / 10.0.7 should be patched immediately, and the impact is severe because compromising Splunk means compromising a system that often stores logs, auth events, firewall data, EDR telemetry, and other sensitive enterprise visibility data.

https://thecybersecguru.com/news/cve-2026-20253-splunk-pre-auth-rce-postgresql-sidecar/

Atomic Arch: 900+ AUR Packages Backdoored with eBPF Rootkit

Atomic Arch is a major AUR supply-chain attack (over 1.5K packages affected as of now) where attackers hijacked orphaned Arch packages and used malicious install hooks to pull npm payloads that executed a Linux ELF infostealer. It targeted developer secrets like SSH keys, GitHub/npm tokens, browser sessions, Docker/Vault credentials, and chat app data, while also using an eBPF rootkit to hide itself when run as root.

https://thecybersecguru.com/news/atomic-arch-aur-supply-chain-attack-ebpf-rootkit/

University of Nottingham Data Breach: 454,600 Students affected by the ShinyHunters Breach

University of Nottingham has confirmed a major breach of its Campus Solutions system, with ShinyHunters claiming responsibility. Around 454,600 students and alumni were reportedly affected, with exposed data including names, emails, addresses, phone numbers, passport numbers, ethnicity/disability information, academic enrolment records, and fee/payment details. The suspected attack vector is Oracle PeopleSoft, a platform widely used by universities for student records and administration. Nottingham says it detected the incident on June 9, 2026, took systems offline, notified affected users, reported it to the ICO and Action Fraud, and launched a forensic investigation.

https://thecybersecguru.com/news/university-of-nottingham-data-breach/

ServiceNow API Breach: What Customers Need to Know - KB3067321

A misconfigured ServiceNow REST endpoint (/api/now/related_list_edit/create) shipped with authentication disabled, allowing unauthenticated access to customer instances. Attackers exploited this on June 2–3, 2026, successfully querying data from a subset of customer tenants. ServiceNow had internally documented the vulnerability since April 7 but didn't treat it as urgent until a customer forced escalation. The company patched hosted instances on June 5. Affected customers were notified directly. The issue primarily impacts the Australia platform release, although according to multiple reports, customers outside Australia were also affected according to the email they received. ServiceNow has released KB3067321 acknowledging the incident. A CVE is pending. If you didn't receive an email from ServiceNow, your instance may not be compromised.

https://thecybersecguru.com/news/servicenow-api-vulnerability-breach/