Live threat intelligence from multiple sources. Updated every 6 hours.
Apple’s WWDC 2026 unveiled iOS 27, an AI‑driven Siri, and prototype smart glasses. The announcements reshape data handling, privacy, and attack surface considerations for vendors and enterprises that rely on Apple platforms.
Security Affairs released its weekly Round 580 newsletter, summarizing over 30 security developments—including newly added CISA‑listed exploits, active ransomware DNS fast‑flux infrastructure, and a zero‑day VS Code disclosure. The briefing helps third‑party risk managers stay ahead of emerging vendor‑related threats.
The Silent Ransom Group is leveraging invoice‑themed phishing emails followed by impersonated IT‑support phone calls to gain remote access to U.S. law firms, install legitimate RMM tools, and exfiltrate sensitive client data. The campaign highlights a low‑tech but high‑impact social‑engineering vector that threatens third‑party risk for legal‑service providers.
Microsoft showcased the Surface Laptop Ultra at Computex 2026, the first laptop powered by Nvidia’s RTX Spark SoC. With up to 128 GB unified memory and AI‑grade GPU performance, the device expands the endpoint attack surface and raises supply‑chain security questions for enterprises.
ZDNet outlines six quick tweaks—launcher ordering, permanent night mode, custom shortcuts, notification fine‑tuning, and more—that let users tailor Android Auto. Enterprises should assess how these settings intersect with mobile device management and data‑leakage controls.
Cisco’s SD‑WAN platform was hit by a zero‑day remote code execution vulnerability that attackers are already exploiting. The flaw impacts any organization using Cisco SD‑WAN, raising urgent TPRM concerns around network‑level compromise and downstream supply‑chain risk.
In May 2026 ShinyHunters published over 102,900 corporate contacts harvested from Baker Distributing’s SharePoint and Salesforce environments. The leak includes emails, names, phone numbers, addresses and support‑ticket metadata, raising phishing and supply‑chain risks for the HVAC/R sector.
ZDNet’s latest guide walks readers through preparing solar generator systems for severe weather, covering safety checks, installation best practices, and maintenance routines. Organizations that rely on third‑party solar power vendors should assess these recommendations to mitigate operational and safety risks.
SolarWinds Serv‑U versions ≤ 15.5.4 contain an unauthenticated DoS flaw (CVE‑2026‑28318) that crashes the service via a crafted HTTP POST. The vulnerability is now in CISA’s Known Exploited Vulnerabilities catalog, prompting mandatory remediation for federal agencies and urging private organizations to patch. TPRM teams must assess supplier exposure and enforce rapid mitigation.
Researchers have uncovered a new extortion gang that employs voice‑phishing to capture MFA codes and gain unauthorized access to Microsoft 365 environments. The actors harvest documents and emails, then threaten to publish the data unless a ransom is paid, putting cloud‑dependent organizations at heightened risk.
Anthropic placed six engineers inside the NSA to help operationalize its restricted Mythos AI model for offensive cyber missions, exposing a significant supply‑chain risk for organizations that rely on the vendor’s technology.
A critical unauthenticated RCE (CVE‑2026‑3300) in the Everest Forms Pro plugin for WordPress is being actively exploited to create rogue administrator accounts. Organizations using the plugin face immediate risk of site takeover, data loss, and downstream supply‑chain compromise.
OpenAI has launched Lockdown Mode for personal ChatGPT accounts, restricting tool usage that could be abused in prompt‑injection attacks. The change affects all Free, Go, Plus, and Pro users and is critical for organizations handling sensitive data to mitigate third‑party data leakage risk.
Apple announced that Google’s Gemini AI will power the next generation of Siri, enabling health‑focused voice interactions on the Apple Watch. The move introduces a new data‑sharing relationship that could affect compliance and privacy for organizations that rely on Apple Watch health data.
A researcher uncovered that Bright Data’s iOS SDK, embedded in free consumer apps, silently converts always‑on devices such as smart TVs into exit nodes for web‑scraping traffic used by AI data pipelines. The covert proxy activity creates legal, privacy, and supply‑chain risks for organizations that deploy or rely on these devices.
CISA has listed CVE‑2026‑28318, a DoS bug in SolarWinds Serv‑U, in its KEV catalog after detecting active exploitation. The flaw can crash file‑transfer services, posing immediate disruption risk to organizations and their supply‑chain partners.
A four‑year‑old vulnerability in Zcash’s Orchard privacy pool, discovered by a researcher using Claude Opus 4.8, could have let attackers mint unlimited ZEC without detection. The issue was patched on June 1, 2026, but its existence highlights significant third‑party risk for crypto‑related vendors.
An autonomous AI security startup reported 21 new zero‑day vulnerabilities in FFmpeg, the media library used by countless third‑party products. Simultaneously, Google shipped Chrome 149 with a record‑breaking 429 security fixes. Both events raise urgent TPRM concerns for any organization relying on video processing or Chrome‑based vendor portals.
A self‑replicating Miasma worm infected 73 Microsoft GitHub repositories across Azure, Azure‑Samples, Microsoft, and MicrosoftDocs, forcing GitHub to disable access. The supply‑chain intrusion expands risk for any organization using Microsoft open‑source components.
Cisco has confirmed that CVE‑2026‑20245, a remote code execution flaw in Catalyst SD‑WAN Manager, is being actively exploited in the wild. The vulnerability spans on‑prem and cloud SD‑WAN deployments, and no fix exists yet, creating immediate supply‑chain risk for enterprises that depend on Cisco’s networking platform.
A hijacked JavaScript CDN (polyfill.io) began delivering fake authentication pop‑ups on Toshiba and Muji sites, potentially harvesting user credentials. The incident underscores the risk of unmanaged third‑party script dependencies for TPRM programs.