
The botnet browser blues.
International law enforcement disrupts the SocGholish botnet. The UK’s cyber chief says cybersecurity is a contest, not a risk register. Ukraine joins the EU’s cyber reserve. The Gentlemen gang sharpens its ransomware toolkit. A WordPress supply chain attack spreads malware. Critical patches land from F5, Atlassian, and Splunk. Agentjacking targets AI coding assistants. And Kodak confirms a breach claimed by ShinyHunters. Our guest is Ben Yelin from University of Maryland Center for Cyber Health and Hazard Strategies on the failure of FISA section 702 to reauthorize. Criminal coders face automation anxiety.
Today is Thursday June 18th 2026. I’m Dave Bittner. And this is your CyberWire Intel Briefing.
International law enforcement disrupts the SocGholish botnet.
International law enforcement agencies have disrupted a major malware distribution network linked to the SocGholish botnet and the Russian cybercrime group Evil Corp. As part of Operation Endgame, authorities from the Netherlands, Canada, the United States, and Germany cleaned malware infections from nearly 15,000 compromised WordPress websites and took down 106 servers and domains.
SocGholish, also known as FakeUpdates, infects legitimate websites and tricks visitors into downloading malware disguised as browser updates. Once installed, it gives attackers access to victims’ systems and can deliver additional malware, including ransomware and banking trojans.
Officials say the operation not only removed active infections but also reduced the risk of compromised systems being used in future cyberattacks. Authorities described the takedown as the first step in a broader campaign targeting the infrastructure and operators behind SocGholish and related criminal activity.
The NCSC chief argues cyber defense is an ongoing competition, not mere management of risk registries.
Three-quarters of cyber incidents affecting UK critical infrastructure over the past year were linked to hostile nation-state actors, according to NCSC CEO Richard Horne. Speaking at the Royal United Services Institute’s Annual Security Lecture, Horne said the agency handled around 200 significant incidents between June 2025 and May 2026, with threats largely attributed to countries such as Russia, China, and Iran.
Horne argued that cybersecurity should be viewed as a continuous contest rather than a risk that can be fully managed. He outlined threats across three domains: the “far” space, where governments disrupt adversaries through intelligence and law enforcement; the “mid” space, where attackers exploit cloud platforms, open-source software, and emerging AI capabilities; and the “near” space, where organizations must focus on understanding exposure, defending systems, and responding effectively.
He warned that artificial intelligence is accelerating attackers’ ability to identify and exploit long-standing vulnerabilities, particularly in legacy systems. The NCSC assesses that AI-enabled attacks against critical infrastructure vulnerabilities are highly likely by 2028. Horne also cautioned that adversaries are already pre-positioning inside critical infrastructure networks, citing the Chinese-linked Volt Typhoon campaign as an example.
Industry experts echoed his message, stressing that organizations must move beyond compliance checklists, address unsupported legacy technology, and close knowledge gaps between IT and operational technology environments. Horne’s central message was clear: cyber defense requires continuous investment and improvement, because vulnerabilities tolerated today could become strategic liabilities in future conflicts.
The EU grants Ukraine access to top cyber talent.
Ukraine has been granted access to the European Union’s Cybersecurity Reserve, enabling Kyiv to request emergency assistance from EU-approved cybersecurity experts during major cyberattacks that overwhelm its own response capabilities. Managed by ENISA, the reserve provides incident response, digital forensics, technical expertise, recovery support, and threat intelligence sharing.
The move carries both practical and political significance. Ukrainian officials say it integrates the country into the EU’s collective cyber defense framework ahead of formal EU membership and reflects deepening security cooperation between Brussels and Kyiv. Ukraine, which has faced sustained cyberattacks since Russia’s invasion in 2022, will be able to draw on specialized expertise from across Europe during large-scale incidents.
Officials also emphasized that the relationship will be reciprocal. Ukraine already shares intelligence on Russian cyber tactics with European partners and hopes its cybersecurity firms may eventually contribute to the reserve as trusted service providers.
The Gentlemen ransomware gang maintains a mature suite of tools.
ESET researchers say the Gentlemen ransomware-as-a-service gang maintains a mature suite of tools designed to disable endpoint detection and response, or EDR, products before attacks. The group’s in-house framework, named GentleKiller by ESET, includes at least eight variants that abuse vulnerable or malicious drivers and impersonate legitimate security tools through fake version data, copied certificates, and matching icons.
ESET says Gentlemen also integrates third-party EDR killers, including HexKiller, ThrottleBlood, and HavocKiller, into a standardized toolset for affiliates. The gang can reportedly adapt newly disclosed bring-your-own-vulnerable-driver proof-of-concept code within days.
Gentlemen lowers the barrier for ransomware affiliates and complicates attribution. ESET says defenders should focus on incident-level analysis to identify the group’s tooling and anticipate future EDR-killing variants.
A supply chain attack compromises WordPress plugins.
A supply chain attack compromised three paid WordPress plugins from ShapedPlugin, distributing malware through the company’s official update system to customers. According to Wordfence, attackers injected malicious code into Product Slider Pro, Real Testimonials Pro, and Smart Post Show Pro releases beginning May 21.
The malware installed hidden fake WooCommerce plugins that could steal WordPress credentials, two-factor authentication secrets, database credentials, administrator details, and recent WooCommerce order data. It also provided attackers with remote file-writing capabilities. Researchers believe the breach originated in ShapedPlugin’s build pipeline rather than WordPress.org, whose hosted versions remained clean.
ShapedPlugin acknowledged the incident and released patched versions of the affected plugins. Administrators who installed the compromised updates are advised to remove any fake WooCommerce plugins, reset passwords, regenerate 2FA secrets, and review user accounts for unauthorized additions.
F5, Atlassian and Splunk issue critical patches.
F5 has issued emergency security updates for multiple NGINX products to fix two critical vulnerabilities, CVE-2026-42530 and CVE-2026-42055. The flaws affect specific non-default configurations and could allow unauthenticated attackers to trigger denial-of-service conditions or potentially execute code through memory corruption vulnerabilities. F5 also patched two high-severity flaws in NGINX Gateway Fabric. While there is no evidence of active exploitation, administrators are urged to apply updates promptly or implement available mitigations, given F5 products’ history as targets for both cybercriminal and nation-state attackers.
Atlassian and Splunk have released security updates addressing multiple vulnerabilities, including a critical flaw in Splunk AI Toolkit tracked as CVE-2026-20266. The vulnerability could allow authenticated administrators to execute arbitrary operating system commands due to unsafe shell command handling. Splunk also fixed an information disclosure issue that could enable data exfiltration through outbound requests.
Atlassian published 100 security bulletins covering vulnerabilities across products including Jira, Confluence, Bitbucket, Bamboo, and Crowd. Most flaws stem from third-party dependencies, including critical issues in Axios, Apache Tomcat, and Netty. Both vendors urge customers to apply updates promptly to reduce exposure.
Agentjacking exploits AI coding assistants by injecting malicious instructions.
Tenet Threat Labs has demonstrated “Agentjacking,” an attack technique that exploits AI coding assistants by injecting malicious instructions into fake Sentry error reports. Researchers showed that attackers could use publicly exposed Sentry project identifiers to submit crafted error reports containing hidden instructions. When AI coding agents such as Claude Code, Cursor, or OpenAI Codex analyze those reports through Sentry integrations, they may treat attacker-controlled text as trusted guidance and execute commands on a developer’s machine.
Tenet’s proof of concept used a harmless validation package, but warned the technique could be used to steal credentials or execute malicious code. During testing, AI assistants at more than 100 organizations executed the validation code. Researchers say traditional security tools may struggle to detect the attack because all actions appear authorized. Tenet has released a mitigation tool called Agent-JackStop.
Kodak confirms a ShinyHunters breach.
Kodak has confirmed a data breach after the ShinyHunters cybercrime group claimed it stole data from the company’s systems. The hackers allege they obtained more than 2.2 million customer and corporate records and threatened to publish the information unless a ransom is paid. Kodak said an unauthorized third party accessed a limited amount of company data but stated the incident has been contained and poses no threat to its systems or operations. The company is investigating with external cybersecurity experts and has notified law enforcement.
Criminal coders face automation anxiety.
It turns out cybercriminals may have more in common with office workers than they’d care to admit: they’re worried AI could take their jobs. Researchers at Sophos found growing debate across underground forums and dark web marketplaces as AI-powered hacking tools become more common. Criminals are already using generative AI to create phishing campaigns, overcome language barriers, generate deepfake personas for fraud, and even assist with malware development.
Not everyone is celebrating. Some forum users worry AI tools could undercut manual malware developers, drive down earnings, and flood the market with lower-quality code. Others remain skeptical, arguing the hype around advanced models like Claude Mythos is overblown. Still, discussions about AI’s impact on the cybercrime economy continue to grow. Meanwhile, Sophos advises defenders to focus on fundamentals such as patching, multifactor authentication, and visibility, because regardless of who writes the malware, attacks still need a way in.
And that’s the CyberWire.
For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.
We’d love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com.
We’re proud that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world’s preeminent intelligence and law enforcement agencies.
N2K helps cybersecurity professionals and organizations grow, learn, and stay ahead. We’re the nexus for discovering the people, tech, and ideas shaping the industry. Learn how at n2k.com.
N2K’s lead producer is Liz Stokes. We’re mixed by Tré Hester, with original music and sound design by Elliott Peltzman. Our contributing host is Maria Varmazis. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher. And I’m Dave Bittner. Thanks for listening.
