Home  /  Episodes  /  Jun 1, 2026

Episode show notes

Jun 1's Top Cyber News NOW! - Ep 1143

Aired Jun 1, 2026 Daily Cyber Threat Brief Hosted by Dr. Gerald Auger

At a glance

Eight cyber stories ranging from critical VPN vulnerabilities and malware distribution campaigns to supply chain attacks and data breaches. The week's standout: NIST's National Vulnerability Database is buckling under an avalanche of unprocessed flaws—budget cuts and AI-generated vulnerabilities have created a backlog of over 27,000 unpatched CVEs.

Stories covered

Is Palo Alto's GlobalProtect VPN exploitation really a surprise at this point?

What happened: Palo Alto Networks patched an authentication bypass vulnerability (CVE-2026-257) in GlobalProtect VPN in May with a medium severity rating, but upgraded the advisory to "high" on Friday after discovering active exploitation in the wild. The flaw requires specific configuration (offset cookies enabled) but is now being weaponized against unpatched devices.

Why it matters: VPN and perimeter security flaws are not normal vulnerabilities—they're direct attack vectors into your network. An EPSS score of 41% (97th percentile) signals immediate risk. Organizations still running unpatched instances should treat this as critical, even if it means invoking political capital for emergency maintenance windows outside standard schedules.

What to do: Patch immediately. If you run GlobalProtect VPN and haven't addressed this over the weekend, do it now. If you weren't aware of this by Friday, review your vulnerability notification process; gaps this large are operational failures waiting to cascade.

How are malicious ChatGPT share links distributing fake desktop applications?

What happened: Threat actors are abusing OpenAI's content sharing feature to host fake ChatGPT outage pages on OpenAI's legitimate domain. Victims see a fake "high traffic" warning and are prompted to download a "desktop app"—which is malware. A separate campaign uses Google Ads to drive users to typo-squatted domains mimicking ChatGPT's interface.

Why it matters: This is textbook social engineering at scale. The attack exploits brand trust and user familiarity; nearly everyone has heard of ChatGPT even if they haven't used it. It's an ideal vehicle for end-user awareness training because the example is salient and immediately recognizable to non-technical staff.

What to do: Run targeted awareness training using this attack as a case study. Meet end-users 95% of the way—don't show them hex dumps; show them this exact landing page and ask if they'd click download. Emphasize that service outage messages should never require software installation. For technical controls, flag any unauthorized downloads of executables from OpenAI infrastructure.

Why did a federal audit publicly humiliate NIST over the National Vulnerability Database?

What happened: The Department of Commerce released an audit Friday finding NIST has "mismanaged" the National Vulnerability Database through poor planning, inefficient operations, and failure to communicate with users. The enrichment contract lapsed in February 2024, creating a backlog that has ballooned from 13,000 unprocessed flaws in June 2024 to over 27,000 by end of 2025. NIST admitted it has no long-term plan to clear the backlog.

Why it matters: NIST is the backbone of vulnerability intelligence—they calculate CVSS scores, enrich vulnerability details, and populate data used by security teams globally. A crippled NVD directly impacts your vulnerability prioritization and risk calculations. This isn't a NIST failure; it's a systemic failure caused by budget cuts colliding with an explosion of AI-generated vulnerability submissions.

What to do: Don't trust the audit's framing. Continue using NIST data but supplement with tools like EPSS scoring to prioritize by exploitability, not CVSS alone. Advocate internally for better automation in your own vulnerability enrichment workflows; expect NIST delays to persist for months.

What drove a Google security engineer to insider trade on Poly Market over search trends?

What happened: Michele Spagnolo, a 36-year-old Google security engineer, was arrested in New York for abusing access to non-public Google search data to place bets on Poly Market's decentralized prediction platform. He profited $1.2 million by betting on the top-searched people in 2025 and now faces up to 50 years in prison.

Why it matters: Insider trading is alive and rampant, particularly on permissionless prediction markets. The story signals a broader pattern: corrupt actors with access to sensitive information are exploiting emerging financial instruments before detection mechanisms catch up.

What to do: Monitor for now. If you're a CISO or GRC professional, this reinforces the need for access reviews and behavioral analytics on sensitive data systems—search, financial, healthcare data, any non-public information. Greed typically causes discovery; unusual trading patterns or bulk data exfiltration should trigger investigation.

Why is North Korea's Kimsuky group using social engineering instead of zero-days?

What happened: The state-sponsored threat actor Kimsuky (also tracked as Velvet Kimma) is deploying HTTP Spy malware in attacks against South Korean military and corporate targets. The campaign uses spoofed security software installers and fake WebEx meeting pages hosting legitimate-looking calendar invites to trick users into running malware. Variants have also been observed targeting entities in Brazil and Germany.

Why it matters: This is classic supply-chain-adjacent social engineering: the malware dropper is trivial to deploy once execution is achieved, and the initial compromise relies entirely on user action, not sophisticated exploits. The technique is portable—they can reskin it for any geographic audience.

What to do: Monitor for now unless you operate in South Korea or have Korean military/corporate supply chain exposure. If you do: implement endpoint detection and response (EDR) tooling to catch post-execution behavior, use application allowlisting (Threat Locker-style deny-by-default), and run awareness training on unsolicited WebEx/Teams/Meet invites. Check for IOCs related to meeting.html droppers in your logs.

How are threat actors poisoning npm packages to mimic Elasticsearch and OpenSearch libraries?

What happened: A threat actor published 14 malicious npm packages within a 4-hour window in late May, impersonating popular Elasticsearch, OpenSearch, DevOps, and environment configuration libraries. The attacker targeted AWS, HashiCorp Vault, GitHub Actions, and the npm registry itself, likely aiming to harvest API tokens and secrets for lateral movement.

Why it matters: Supply chain attacks on open-source package registries are accelerating. If your CI/CD pipeline or applications pull these packages, you inherit the attacker's code. The secondary impact—token and credential theft—enables lateral movement across cloud infrastructure and can compromise dozens of downstream services.

What to do: Audit your npm and PyPI dependencies immediately for packages added or updated in the last 30 days. Regenerate and rotate any exposed API keys, credentials, and secrets across GitHub, AWS, and Vault. Implement Software Composition Analysis (SCA) tooling to flag suspicious package publication patterns (new maintainers, sudden name changes, unusual dependency graphs). In your next tabletop exercise, game out the full remediation workflow for a supply chain compromise: detection, scope assessment, key revocation, and redeployment.

Is Meta's 87-billion-dollar data center bet a cyber story or just infrastructure news?

What happened: Meta announced plans to invest up to 75 billion euros (~$87 billion USD) to build French data centers with 5 GW additional capacity, with the first phase launching in Dunkirk, Bokel, and Berk in northern France. It's Meta's largest AI infrastructure investment in Europe to date.

Why it matters: Not directly cyber-relevant, but worth noting: massive data center buildouts are triggering community resistance and raising questions about power distribution, environmental impact, and local infrastructure bottlenecks. These facilities will eventually host sensitive customer data and AI models, which will create new attack surfaces downstream.

What to do: Monitor for now. This becomes a cyber story when: (1) you're a CISO at a company relying on Meta's infrastructure, or (2) regulatory scrutiny forces data residency or compliance changes in European data centers.

Why is California suing 23andMe three years after their credential-stuffing breach?

What happened: California Attorney General Rob Bonta filed suit against 23andMe and its parent company over a 2023 breach that exposed genetic, health, ancestry, and DNA data on nearly 7 million customers (850,000+ Californians). The company had blamed users for reusing weak passwords rather than implementing multi-factor authentication.

Why it matters: The lawsuit hinges on 23andMe's claim to high security standards, but the breach was enabled by missing MFA—a control many companies still don't mandate for users. The real lesson: 23andMe's PR response was catastrophic. They blamed customers for being "fools" with poor password hygiene, which is one of the worst crisis communications moves in breach history.

What to do: Monitor for now unless you're defending a similar platform. If you're in a breach response scenario, never blame users publicly; take responsibility, explain remediation, and communicate next steps. For GRC: mandate MFA for any customer-facing account accessing sensitive data (health, genetic, financial, PII). Expect regulatory scrutiny to increase on data retention and user notification timelines.

Key takeaways

  • VPN and perimeter vulnerabilities are not normal CVEs: Palo Alto's GlobalProtect flaw needs immediate patching despite medium CVSS, because it's a direct entry vector. Use EPSS scoring to override CVSS when exploitation is active.
  • NIST's NVD backlog is a structural problem, not operator error: Budget cuts plus AI-generated submissions have created a 27,000-flaw backlog. Supplement NIST data with EPSS scoring and expect delays to persist; plan accordingly.
  • Social engineering + malware dropper is the highest-ROI attack pattern: Kimsuky, credential-stuffing on 23andMe, and ChatGPT phishing all prove user action beats zero-days. Implement EDR, allowlisting, and salient awareness training.
  • Supply chain attacks are now routine: Malicious npm packages targeting Elasticsearch/OpenSearch are designed to harvest API tokens for lateral movement. SCA tooling and token rotation playbooks are mandatory.
  • Crisis communications matter as much as remediation: 23andMe's decision to blame customers publicly destroyed trust and triggered a three-year-delayed lawsuit. Own breaches; don't weaponize them against users.

Topics covered

palo altoglobalprotect vpncve-2026-257authentication bypasschatgptmalware distributionphishingnistnational vulnerability databasenvdbacklogepss scoringinsider tradingpoly marketsupply chain attacksnpm packagesmalwarethreat huntingcredential stuffingmfamulti-factor authenticationendpoint detection and responsenorth koreakimsukysouth koreadata breach23andmebreach response

Show notes generated from the live transcript using AI on Mon, 01 Jun 2026 19:29:23 GMT. Errors? Open the YouTube replay for the source of truth.

Want the live experience? The Daily Cyber Threat Brief airs live every weekday at 5am PT / 8am ET on YouTube. 400+ practitioners join the chat in real time.