👋 Welcome to The CyberSignal Weekly Briefing.
This was the week attackers stopped breaking in and started logging in — through doors we built for them. ShinyHunters surfaced again, this time leaking 234 GB from DentaQuest and exposing 2.6 million dental-benefits accounts, including Medicaid IDs and health data. A Rust-written npm worm, a poisoned browser, and a Magecart skimmer hosted inside Stripe all hid in traffic defenders are inclined to wave through. And in the week's strangest twist, hackers seized high-profile Instagram accounts simply by asking Meta's AI support bot to send the login code to the wrong place. The common thread isn't a new exploit — it's borrowed trust.
AI moved to the center of the story on both sides of the ledger. Trump signed a scaled-back executive order built around vetting "covered frontier" models and sharing AI-found vulnerabilities with critical infrastructure; Anthropic expanded Project Glasswing to about 150 critical-infrastructure organizations across 15-plus countries; and TechCrunch reported the NSA is readying Anthropic's Mythos for offensive cyber operations. The same model family is being pointed at finding flaws and, reportedly, at exploiting them.
Defenders landed a major blow, too. Dutch Politie and NCSC-NL dismantled Asocks, a residential-proxy botnet built from at least 17 million infected consumer devices — a takedown that chips away at the IP-reputation assumptions every defender quietly relies on. Meanwhile the edge kept burning: Cisco's seventh exploited SD-WAN zero-day of the year landed with no patch, alongside actively exploited Palo Alto GlobalProtect and Windows Netlogon flaws.
Let's get into it.
🔎 Overview: What Shifted in Cyber Since Last Week
ShinyHunters struck healthcare — DentaQuest confirmed 2.6M accounts breached after the group leaked ~234 GB, including names, dates of birth, Medicaid IDs, and insurance data
Cisco's seventh exploited SD-WAN zero-day of 2026, with no patch: CVE-2026-20245 grants root and chains off CVE-2026-20182, while Palo Alto GlobalProtect and Windows Netlogon also came under active attack
The npm supply-chain wave kept mutating — Microsoft named "Mini Shai-Hulud" (14 typosquats in four hours), a "Miasma" variant hit 32 Red Hat packages, and a Rust-written worm called IronWorm appeared
AI became national cyber policy — Trump's scaled-back AI executive order centers on vetting "covered frontier" models and sharing AI-found flaws with critical infrastructure
Anthropic expanded Project Glasswing to ~150 critical-infra orgs across 15+ countries — as TechCrunch reported the NSA is readying its Mythos model for offensive operations
Dutch police dismantled the 17-million-device Asocks residential-proxy botnet — weakening the IP-reputation defenses much of the industry leans on
AI assistants became the attack surface — a "confused deputy" flaw in Meta's AI bot enabled Instagram takeovers; a poisoned notification hijacked Gemini's Android voice assistant
Five Eyes warned China is recruiting insiders on LinkedIn, Indeed, and Upwork — intelligence officers posing as recruiters target cleared and privileged personnel
The UN World Food Programme breach exposed ~600,000 Gaza aid recipients — potentially the largest known breach of humanitarian beneficiary data to date
🔥 Top Stories
01 — ShinyHunters Moves Into Healthcare: DentaQuest, 2.6 Million Accounts, 234 GB
Breaches
DentaQuest — a Sun Life dental-benefits administrator serving roughly 35 million people — confirmed a breach of 2.6 million accounts after ShinyHunters leaked about 234 GB of data, including names, dates of birth, Medicaid IDs, and health-insurance information. It's the same extortion group that closed out last week with Charter (42M) and Carnival (~6M), now landing on a dataset that mixes government-program identifiers with health data — among the most sensitive and least-rotatable information a person holds.
Why it matters: A Medicaid ID and a date of birth don't expire the way a password does — this data fuels fraud and medical-identity theft for years. The ShinyHunters wave has now run through telecom, retail, hospitality, and healthcare in a matter of weeks, and the constant is the identity-and-CRM layer, not any single sector's defenses. If you administer benefits or hold regulated health data, assume you're in scope and pressure-test how an attacker would reach your CRM through a single employee account.
02 — The Edge Keeps Burning: Cisco SD-WAN Zero-Day (No Patch), Palo Alto, and Netlogon
Vulnerabilities
Cisco warned that CVE-2026-20245, a zero-day in Catalyst SD-WAN Manager, is being exploited to gain root — with no patch available. Exploitation needs netadmin access, obtainable by chaining CVE-2026-20182; it is Cisco's seventh exploited SD-WAN zero-day of 2026. It didn't land alone: Palo Alto confirmed active exploitation of CVE-2026-0257, a GlobalProtect auth-bypass that lets attackers open VPN sessions on internet-facing firewalls with no credentials, and Belgium's CCB warned that Windows Netlogon CVE-2026-41089, a pre-auth RCE, is now being used against unpatched domain controllers. Our May CVE roundup captured the irony: Microsoft shipped its first zero-day-free Patch Tuesday since June 2024, while the real action moved to the edge.
Why it matters: Perimeter and edge appliances are where 2026's exploitation is concentrated, and the Cisco flaw has only mitigations — restrict and monitor netadmin access, and treat the CVE-2026-20182 chain as the real entry point. Patch the Palo Alto and Netlogon flaws now; both have confirmed in-the-wild use against exactly the assets attackers want most: VPNs and domain controllers.
03 — The npm Supply-Chain Wave Won't Quit — and It's Mutating
Supply Chain
Three developments in one week show the npm worm pattern evolving in real time. Microsoft named the "Mini Shai-Hulud" campaign: a single maintainer alias, vpmdhaj, published 14 typosquatted packages in four hours that harvest AWS, HashiCorp Vault, npm, and GitHub Actions secrets from CI/CD runners. Days later, a compromised Red Hat employee GitHub account pushed a "Miasma" build of the same worm into 32 Cloud Services npm packages (Red Hat says the code stayed internal). And researchers disclosed IronWorm — a Rust-written npm worm — part of a cluster abusing trusted channels that also included a cryptominer slipped into Hola Browser and a Magecart skimmer hosted inside Stripe.
Why it matters: The target is consistent — CI/CD secrets — but the delivery keeps shifting: new languages (Rust), new footholds (a trusted vendor's own employee account), and new hiding places (legitimate platforms). The defensive posture is now permanent: scope CI secrets to least privilege, pin dependencies to commit hashes, and rotate immediately if a poisoned version touched your pipeline. Also live this week: codexui-android, an npm package with 29,000 weekly downloads quietly stealing OpenAI Codex tokens.
04 — AI Becomes National Cyber Policy — and, Reportedly, an Offensive Weapon
Policy & Government
Trump signed an executive order on June 2 establishing a voluntary framework for the government to vet "covered frontier" AI models for up to 30 days before release and to share AI-found vulnerabilities with critical-infrastructure operators — notably narrower than an earlier draft. The same week, Anthropic extended Project Glasswing — which uses its Claude Mythos model to find software flaws — to about 150 more organizations across 15-plus countries, most of them critical-infrastructure operators. And TechCrunch reported the NSA is readying Mythos for offensive cyber operations despite a federal restriction, as Anthropic published an analysis of 832 accounts it banned for malicious cyber activity, mapped to MITRE ATT&CK.
Why it matters: AI vulnerability discovery has crossed from product feature to policy infrastructure in a single week — and the same model family is being pointed at both finding flaws and, reportedly, exploiting them. For CISOs, the practical signal is that the disclosure-to-exploit clock is now being set by machine-speed discovery on both sides; the right posture is portfolio coverage of AI-defense tooling, not a bet on any single vendor.
05 — Dutch Police Dismantle Asocks: a 17-Million-Device Residential-Proxy Botnet
Takedowns
Dutch Politie and NCSC-NL took down 200 Netherlands-based servers running Asocks, a residential-proxy service built from at least 17 million infected consumer devices. Residential proxies launder attacker traffic through ordinary home IP addresses, letting fraud, credential stuffing, and intrusions arrive from addresses that look entirely legitimate — and the takedown weakens the IP-reputation assumptions baked into much of the security stack.
Why it matters: This is another infrastructure-layer takedown — like last week's Stark Industries and First VPN actions — that degrades many actors at once by removing shared anonymity, not by chasing individual operators. It's also a reminder that "the traffic came from a residential IP" was never a trust signal; if your fraud or access defenses lean on IP reputation, this is the week to add behavioral and device signals that don't assume a clean IP means a clean session.
06 — The AI Assistant Is Now the Attack Surface
Threats
Attackers seized high-profile Instagram accounts by exploiting a "confused deputy" flaw in Meta's AI support bot: they asked it to bind a new email address, the bot sent the one-time code to the attacker, and the real owner was locked out. Meta pushed an emergency hotfix. Separately, SafeBreach showed that a single poisoned notification — from WhatsApp, Slack, or SMS — could hijack Google Gemini's voice assistant on Android with no malicious app installed, reaching smart-home controls and poisoning the assistant's long-term memory (Google has patched it). And Sophos documented a threat actor running an AI-orchestrated lab — with a Claude Opus 4.5 coordinator — to test malware against major EDRs, though the lab's claimed evasion gains weren't borne out by Sophos's data.
Why it matters: The AI assistant has become a component with its own vulnerability class — prompt injection and confused-deputy abuse — and it sits inside the trust boundary, acting on the user's behalf with the user's permissions. Treat AI agents that can take actions (bind emails, control devices, write to memory) as privileged systems: constrain what they can do without human confirmation, and assume any untrusted text they ingest is potential instruction.
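The confused-deputy pattern above, and the "treat AI agents as privileged systems" playbook item later in this briefing, as an added policy-gate sketch that is not Meta's or Google's code. The account fields, action names, origin labels and message formats are assumptions; the point it shows is that a verification code goes to the channel already on file and that instructions found in ingested text never become actions.

```python
"""Policy gate for an AI assistant that can act on a user's account.
Added example, not Meta's or Google's code. It models the two failure
modes in the briefing: a confused deputy that sends a verification code
wherever the requester asks, and a poisoned notification whose text is
treated as an instruction. All names and values are constructed."""
from dataclasses import dataclass, field

# Actions that change account state or reach outside the chat. They are
# never executed autonomously: the owner confirms out of band first.
SENSITIVE = {"bind_email", "control_device", "write_memory"}


@dataclass
class Account:
    user_id: str
    verified_email: str                          # channel already on file
    confirmed: set = field(default_factory=set)  # action ids the owner approved


@dataclass
class ProposedAction:
    name: str
    args: dict
    origin: str  # "request": typed into the chat; "ingested": text the assistant read


def gate(account, action, action_id, outbox):
    """Decide what the assistant may do with a proposed tool call.
    Messages the gate sends are appended to `outbox` as (destination, body)
    so the caller can see where verification codes actually go."""
    if action.name not in SENSITIVE:
        return "executed"
    # Instructions found inside ingested content (a notification, an email
    # body, a web page) are data, however imperative their wording.
    if action.origin != "request":
        return "ignored: instruction originated in untrusted text"
    if action_id not in account.confirmed:
        # A chat request proves nothing about who is typing, so the code goes
        # to the channel already verified, never to an address supplied in the
        # request itself (args like "send_code_to" are deliberately ignored).
        outbox.append((account.verified_email, f"confirm:{action_id}"))
        return "pending: confirmation sent to verified channel"
    return "executed"


def confirm(account, outbox, presented_code):
    """Owner presents the code they received on the verified channel."""
    if presented_code.startswith("confirm:") and (account.verified_email, presented_code) in outbox:
        account.confirmed.add(presented_code.split(":", 1)[1])
        return True
    return False


def demo():
    """Run both scenarios; returns the gate decisions and the outbox."""
    acct, outbox = Account("u123", "owner@example.test"), []
    # 1. A chat request to bind a new address and send the code there.
    steal = ProposedAction("bind_email", {"new_email": "attacker@example.test",
                                          "send_code_to": "attacker@example.test"}, "request")
    first = gate(acct, steal, "a1", outbox)
    # 2. A poisoned notification asking the assistant to unlock a door.
    injected = ProposedAction("control_device", {"device": "front_door", "state": "unlock"}, "ingested")
    second = gate(acct, injected, "a2", outbox)
    return first, second, outbox
```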
📈 Data & Research Corner
| Metric | Figure |
|---|---|
| DentaQuest accounts confirmed breached | 2.6 million |
| Data ShinyHunters leaked from DentaQuest | ~234 GB |
| Infected devices in the Asocks residential-proxy botnet | 17 million+ |
| Gaza aid recipients exposed in the UN WFP breach | ~600,000 |
| Systems infected by the WeedHack Minecraft malware service | 116,000+ |
| WordPress sites exploited via WP Maps Pro to mint admin accounts | 15,000 |
| Weekly downloads of codexui-android, stealing OpenAI Codex tokens | 29,000 |
| Typosquatted npm packages in Microsoft's "Mini Shai-Hulud" wave (in 4 hours) | 14 |
| Orgs / countries in Anthropic's Project Glasswing expansion | ~150 / 15+ |
| Cisco's exploited SD-WAN zero-days so far in 2026 | 7 |
🔍 Also On Our Radar
Five Eyes warns China is recruiting insiders through LinkedIn, Indeed, and Upwork. A joint advisory says Chinese intelligence officers posing as recruiters and consultants for front companies are targeting government, military, and cleared personnel — anyone with access to classified or privileged information.
The UN World Food Programme breach exposed data on ~600,000 Gaza aid recipients. Its self-registration app for Palestine leaked names, ID and mobile numbers, and location data — potentially the largest known breach of humanitarian beneficiary data, and for a population with no margin for it.
CISA and partners warn hackers are targeting fuel-tank monitoring systems. CISA, the FBI, NSA, and DOE flag attacks on internet-exposed automatic tank gauge (ATG) systems, with attackers modifying device settings via command execution. The fix is blunt: get them off the public internet.
A single GitHub issue could hijack repos using Anthropic's Claude Code Action — now fixed. Researcher RyotaK found that one opened issue could take over public repos running the action; Anthropic patched it within days (v1.0.94) and paid a bounty. The lesson is product-agnostic: AI agents wired into CI inherit CI's blast radius.
Dashlane says hackers beat its 2FA and downloaded about 20 customers' encrypted vaults. The brute-force attack it disclosed May 31 succeeded against ~20 accounts. The vaults stay locked behind each user's master password — but affected users should rotate, and the new-device-token flow is the lesson.
FIFA World Cup scams are already live — days before the June 11 kickoff. The FBI and researchers warn of thousands of lookalike FIFA domains, banking malware in pirate streaming apps, and cloned login pages good enough to take over real accounts. Worth a heads-up to less-technical friends and family.
Gamaredon hides a fileless GammaWorm inside NTFS Alternate Data Streams to spy on Ukraine. Sekoia documented the FSB-linked group stashing VBScript modules in NTFS ADS — leaving almost nothing on disk — against Ukrainian government, military, and critical-infrastructure targets.
🛡️ Actionable Playbook for CISOs & IT Leaders
Mitigate the Cisco SD-WAN zero-day now — there's no patch. Restrict and closely monitor netadmin access, and treat the CVE-2026-20182 chain as the real entry point. Patch the actively exploited Palo Alto GlobalProtect and Windows Netlogon flaws this week.
Assume the ShinyHunters playbook is aimed at you. The wave reached healthcare via DentaQuest using the same identity-and-CRM path. Deploy phishing-resistant MFA, tighten conditional access, and alert on bulk CRM exports from new sessions or locations.
Lock down the CI/CD secret layer. Mini Shai-Hulud, Miasma, and IronWorm all hunt build-pipeline secrets. Scope CI secrets to least privilege, pin dependencies to commit hashes, audit recent installs, and rotate anything a poisoned package may have touched.
Treat AI agents as privileged systems. Meta's bot and Gemini's voice assistant were turned into confused deputies. Constrain what agents can do without human confirmation — binding emails, controlling devices, writing to memory — and assume untrusted text they read can carry instructions.
Stop trusting the IP address. With Asocks down, residential-proxy abuse is in the spotlight: a "clean" home IP was never a trust signal. Layer device and behavioral signals into fraud and access defenses so a legitimate-looking IP can't carry an illegitimate session.
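The "alert on bulk CRM exports from new sessions or locations" item above, as an added detection sketch that is not any vendor's rule. The audit-event format, the per-user location baseline and the thresholds are constructed for illustration; a real deployment would read these from the CRM's audit log and tune the numbers to its own export volumes.

```python
"""Detection sketch for bulk CRM exports from a new session or location.
Added example, not any vendor's rule. Events and thresholds are constructed."""
from collections import defaultdict

# Constructed CRM audit events: (minute, user, session, country, action, rows)
EVENTS = [
    (0, "alice", "s1", "US", "login", 0),
    (1, "alice", "s1", "US", "export", 120),
    (2, "alice", "s1", "US", "export", 90),
    (30, "alice", "s2", "NL", "login", 0),      # country alice has never used
    (31, "alice", "s2", "NL", "export", 5000),
    (32, "alice", "s2", "NL", "export", 7000),
    (40, "bob", "s3", "US", "export", 300),
]
# Per-user baseline of countries seen in normal use (constructed).
KNOWN_LOCATIONS = {"alice": {"US"}, "bob": {"US"}}
ROW_THRESHOLD = 10_000   # rows per session inside the window before we alert
WINDOW_MIN = 10          # sliding window, in minutes


def bulk_export_alerts(events, known_locations, row_threshold=ROW_THRESHOLD, window=WINDOW_MIN):
    """Return one alert per session whose exported rows inside the sliding
    window exceed the threshold. A session from a country outside the user's
    baseline gets a tenfold lower bar, since that is the case the playbook
    singles out: a legitimate-looking session in an unfamiliar place."""
    exports = defaultdict(list)        # session -> [(minute, rows)]
    alerted, alerts = set(), []
    for minute, user, session, country, action, rows in sorted(events):
        if action != "export":
            continue
        exports[session].append((minute, rows))
        recent = sum(r for m, r in exports[session] if m > minute - window)
        new_location = country not in known_locations.get(user, set())
        limit = row_threshold // 10 if new_location else row_threshold
        if recent > limit and session not in alerted:
            alerted.add(session)
            alerts.append({
                "user": user, "session": session, "country": country,
                "rows_in_window": recent, "new_location": new_location,
                "severity": "high" if new_location else "medium",
            })
    return alerts
```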
⚡ The Signal
A pattern runs through almost every story this week, and it isn't an exploit. It's borrowed trust.
ShinyHunters didn't break DentaQuest's encryption; it walked in through the identity layer and used access that looked authorized. The week's npm worms — Mini Shai-Hulud, Miasma, IronWorm — didn't smash a gate; they rode in on the trust developers place in package registries, in a vendor's own employee account, in legitimate platforms like Stripe and Hola. Attackers turned Meta's AI bot and Google's Gemini into confused deputies, getting trusted software to act against the very users it serves. And the Asocks botnet existed to manufacture exactly this: traffic that arrives wearing the trust of an ordinary home IP address. Even the FIFA scammers are borrowing trust — in a brand, in a kickoff date, in a login page that looks right.
This is a quieter kind of attack than a zero-day, and a harder one to reason about, because every control we've built assumes a boundary between inside and outside. Borrowed-trust attacks dissolve that boundary. The attacker isn't outside trying to get in; they're operating inside a channel we already decided to trust — a CRM session, a package install, an AI agent acting on our behalf, a residential IP. The exploit, where there even is one, is almost incidental. The real weapon is our own prior decision to trust the channel.
What makes this the defining shape of 2026 is that AI is now both the newest trusted channel and the fastest way to abuse the others. An AI assistant sits inside the trust boundary by design — it acts with your permissions, on your data, in your voice — which is precisely why prompt injection and confused-deputy abuse are so potent. And the same week the US government moved to vet frontier models and share AI-found flaws with critical infrastructure, the NSA was reportedly readying one of those models for offense. The tool that can audit the trusted channel at machine speed can also exploit it at machine speed.
The infrastructure takedowns are the encouraging counterweight, because they work on the same logic in reverse: Asocks, like Stark Industries and First VPN before it, degraded many attackers at once by removing a shared layer of borrowed trust. Defense, too, scales when it targets the channel rather than the actor.
The question worth asking before next week's briefing: which of the channels your organization treats as trusted — a CRM login, a package registry, an AI agent, an IP reputation — would survive the assumption that an attacker is already operating inside it?
🔭 What to Watch Next Week
Cisco SD-WAN Manager CVE-2026-20245 — still no patch. Watch for a fix and for broader exploitation now that the netadmin-access chain is public. Mitigations are the only defense until Cisco ships.
June 11 — FIFA World Cup kickoff. Expect the scam surge to peak around the opener: lookalike domains, fake ticketing, and streaming-app malware aimed at a global, distracted audience.
The AI executive order's fine print. How "covered frontier" gets defined, and whether vendors opt into the 30-day vetting framework, will shape how much the order actually changes. Watch for early signups and pushback.
More ShinyHunters confirmations. The wave's leak-site-to-confirmation cadence means more April–May claims are due to surface as confirmed breaches — and healthcare may not be the last new sector.
Until next time,
Stay sharp. Stay ahead.
The CyberSignal Team
📩 Share this briefing with a colleague who needs to stay ahead.
📰 Full coverage at thecybersignal.com
☀️ Daily briefing at daily.thecybersignal.com