Check Point released an emergency fix on Monday for a critical authentication bypass vulnerability affecting its Remote Access VPN and Mobile Access deployments - but attackers, including ransomware criminals, got a month-long head start. Attacks against the bug, tracked as CVE-2026-50751, began on May 7, according to Check Point VP of research Lotem Finkelstein, and picked up in early June. The security software vendor spotted suspicious activity and began investigating the zero-day on June 4, Finkelstein said in a Monday blog. “We have observed indications that exploitation has been limited to a relatively small number of targeted organizations (several dozen globally), primarily over the past few days,” Finkelstein wrote, adding that, in at least one case, investigators observed post-compromise activity associated with a Qilin ransomware affiliate. This same ransomware scum is also likely exploiting other VPN-related vulnerabilities in Palo Alto Networks, Fortinet, and F5 products, Finkelstein said. CVE-2026-50751 is due to a logic-flow weakness in the Remote Access and Mobile Access certificate validation process, and it allows remote attackers to bypass authentication and establish a remote access VPN connection without a user password. It affects Mobile Access/SSL VPNs, Remote Access VPNs, and Spark Firewalls configured to use the deprecated IKEv1 key exchange protocol. While investigating CVE-2026-50751 and affected VPN components, Check Point found another vulnerability, CVE-2026-50752, in its Security Gateways and Spark Firewall products. It’s due to a bug in the certificate validation logic of the deprecated IKEv1 key exchange method, and can lead to man-in-the-middle attacks on the VPN site-to-site configuration. Check Point says that it hasn’t received any reports of in-the-wild exploitation of CVE-2026-50752. Check Point urges customers running vulnerable gateways and firewalls to apply the hotfixes, and the vendor also provided alternative mitigation options with instructions in the security advisories. The software provider also published a list of indicators of compromise, including attacker IPs, and recommends customers search Check Point SmartConsole logs for possible VPN certificate authentication attempts associated with observed attacker infrastructure and certificate subject names for at least May 7 through June 5. ®

An Illinois high school won't reopen until Wednesday at the earliest after suffering a ransomware attack on Sunday, June 7. Evanston Township High School (ETHS), located 14 miles north of Chicago, said it would be closed today and tomorrow, and that the closure also affected summer school, sports camps, and on-campus activities, which are all canceled. "Upon discovering the incident, we immediately activated our incident response procedures and engaged external cyber breach attorneys and cybersecurity forensic experts to assist with the investigation and recovery process," ETHS said in a statement issued via a dedicated information page. "We are working with these specialists to determine precisely what information may have been accessed or acquired and to restore normal systems operations as quickly as possible. The district is cooperating with the Federal Bureau of Investigation (FBI) as part of the ongoing investigation." It said that phone systems are down and staff have limited access to emails. Children and their families may also not be able to access certain online resources, all of which suggests the institution may still be in the containment phase of remediation. Among the online resources currently offline is Home Access Center, which is powered by PowerSchool. PowerSchool itself was was at the center of a cybersecurity disaster in late 2024. However, ETHS has not linked the platform to the ransomware attack. All staff other than safety and operations workers were told to work from home, although their work will be limited since, for the time being, they're locked out of the district's Google accounts and "other network systems, including eSchool." "We understand this situation is disruptive and appreciate your patience and flexibility," ETHS went on to say. "Additional updates and instructions will be provided as they become available." No major ransomware group has claimed responsibility for the intrusion at the high school yet. Education under attack The ETHS incident follows a separate attack on the education sector disclosed on June 4 that affected 13 schools in Powys, Wales. Powys Council set up its own information page about the attack, although it has not revealed much, saying it is awaiting the outcome of investigations by external specialists. However, it said the attack has affected "some school systems" and personal data belonging to both staff and pupils was accessed. The council identified 13 affected schools, although the compromised data only appears to have been taken from one of these, according to current information. Its information page repeatedly uses the phrase "because of the sensitive nature of the data." The council cites this as the reason for not revealing information such as which schools were affected, how many individuals are affected, what types of data have been accessed, and whether this included sensitive or safeguarding-related data. It also refused to say whether the attack involved ransomware or who was responsible for it. However, it said the risk of identity fraud would vary by individual, hinting that different types of personal data may have been accessed. Powys Council confirmed that all schools across the region remain open, and the cyberattack does not affect their day-to-day safety or operations. Education remains a strong target for cybercriminals. Given the sensitivity of the data these organizations store, it makes the sector one of the most attractive for financially motivated criminals looking for an extortion payment. In the UK, the Information Commissioner's Office said that between 2022 and 2024, pupils were responsible for 57 percent of 214 school data breaches, often using stolen login details. ®

Microsoft’s GitHub temporarily disabled over 70 repositories after they were reportedly compromised by a worm in the latest open source supply chain attack. The code shack took down 73 repos within the space of 105 seconds after its alarms were tripped on Friday, June 5, after detecting signs of the Miasma worm infecting its projects, according to StepSecurity’s co-founder and CTO, Ashish Kurmi. “Our priority is to protect customers and the broader ecosystem. We temporarily removed some repositories as we investigated potential malicious content," a Microsoft spokesperson told us on Wednesday, two days after this story was originally published. "All of these repos have been restored after review. As part of our investigation, we notified a small number of customers who may have pulled down content from the affected repositories. We will continue to investigate, and if anything further is identified that requires customer action, we will reach out directly through our established support channels.” Users reported issues quickly on Friday, after visits to those repos all resulted in the same message displayed, indicating that they had been disabled due to terms of service violations. According to StepSecurity’s analysis, the attack kicked off after a compromised contributor account pushed a malicious commit to Azure/durabletask. The commit dropped configuration files that triggered remote code execution on machines when a developer opened the repo in an IDE or AI coding tool, such as Claude Code, Gemini CLI, and Cursor. Several developers soon reported broken CI/CD pipelines, a support thread showed, although a moderator said at the time this was due to “an internal management issue.” "The repo that most immediately caused issues was Azure/functions-action,” Kurmi wrote, used to deploy code to Azure. With it being taken down, every workflow that referenced Azure/functions-action@v1 stopped resolving. GitHub stepped in a few hours after the repos were infected by the malicious commit. Its automated detections kicked in and disabled the repos in under two minutes, in two separate waves. However, it was the borking of the durabletask family that hinted at the bigger picture, that the attack was indeed a re-opening of the previous Miasma worm attack that hit Microsoft last month. Microsoft’s durabletask PyPi package was a previous target of the Miasma worm on May 19. Within a 35-minute window, three versions of the package were uploaded to PyPi, which planted infostealers on developers’ machines, specifically sniffing out cloud secrets and developer tool configurations on Linux systems. Crucially, the re-targeting of durabletask suggests the tokens associated with the compromised developer account used to execute the PyPi attack were not fully rotated, allowing an attacker to gain access and push commits to GitHub, Kurmi said. It was either that, or the contributor was re-compromised through the worm's own propagation loop, or a different contributor's token was used but the attacker altered the metadata to make it look like a repeated attack. Security shop Snyk described Miasma as a descendant of the Mini Shai Hulud worm. It’s the same one that ravaged open source packages over at the npm registry, including Red Hat’s, earlier this month. Cybercrime group TeamPCP claimed responsibility for developing Mini Shai Hulud, which itself is named after an earlier worm of the same name, sans “mini.” However, because TeamPCP open-sourced Mini Shai Hulud, it’s difficult to tell whether it was also behind Miasma or if someone else took the reins on the follow-up project. StepSecurity also reported that two days before the Microsoft attack, the same worm was making a nuisance of itself at npm, compromising more than 50 packages, including a Vapi.ai SDK with more than 408,000 monthly downloads.® Updated on June 10 with new comment from Microsoft and the fact that the repos have now been restored.

Meta has asked a federal judge to hold Israeli spyware maker NSO Group in contempt of court after claiming it caught the surveillance vendor targeting WhatsApp users again despite a permanent injunction ordering it to stop. In a blog post on Monday, Meta said it had disrupted "NSO-linked social engineering attempts" after investigating reports from users. According to the company, the activity involved attempts to lure targets into clicking malicious links that redirected them to websites outside WhatsApp, as well as the creation of test accounts and groups on the messaging platform. "We successfully disrupted NSO-linked social engineering attempts after investigating user reports," Meta said. "They tried to trick people into clicking on malicious links to drive them to external websites outside of WhatsApp, similar to previously reported 1-click phishing campaigns linked to NSO." WhatsApp also published a handful of domains it linked to the campaign, including ikhwancast[.]com, ghazacast[.]com, and fr24cast[.]com, and said it was releasing indicators to help organizations identify related activity. The move marks the latest chapter in the long-running legal battle between Meta and the Israeli spyware maker. A US court found NSO liable in December 2024 for hacking WhatsApp users via its Pegasus spyware. In May 2025, a jury awarded Meta roughly $168 million in damages, but the judge later cut that to $4 million while issuing a permanent injunction barring NSO from targeting WhatsApp or its users. Meta, however, says NSO didn't get the memo. "Last year, WhatsApp made history by securing a landmark verdict and permanent injunction barring NSO Group ... from targeting WhatsApp and its users ever again," the company wrote. "Today, we're asking the court to hold them in contempt of that order." The company provided few technical details about the activity, such as when it occurred, how many users were targeted, whether any compromises were successful, or how it attributed the operation to NSO. Meta did not respond to The Register’s questions. However, the blog post adopts a hard line on the spyware industry than previous updates, repeatedly describing commercial spyware as a national security issue. "When a malicious company on the US government's Entity List continues to defy US courts, existing restrictions must remain firmly in place," WhatsApp wrote. "Easing them would undermine US national security and put American companies and billions of people worldwide who depend on secure communications at risk." If Meta's allegations are accurate, the episode suggests that a court loss is not enough to persuade a spyware vendor to leave a high-value target alone. ®

Oxford University students seeking work will be dismayed to learn that crooks have breached a second external platform provider for the university in as many months. The institution’s CareerConnect platform, provided by Group GTI, was the target of the intrusion, which exposed users’ full names and email addresses. Those who don’t use single sign-on (SSO) had their encrypted passwords leaked, too. CareerConnect forms part of Oxford University’s career services department, supporting students and alumni to find work opportunities. It is available to students, alumni, research staff, and recruiters. The same underlying technology powering the platform, which GTI markets as TargetConnect, is used by other universities in the UK and overseas, according to its website. OxfordUni said the May 28 attack was enabled by a “security vulnerability,” which has since been fixed. GTI has not publicly disclosed the security snafu itself, and did not respond to our requests for more information. The London-based tech company has not confirmed how many individuals were affected by the break-in, nor whether any data was stolen. It has also not explicitly stated which types of individuals were affected, although Oxford’s announcement listed “alumni, research staff, and employer users” as those who had their passwords forcibly reset following the attack. “There is no evidence that course information, uploaded files, appointment information, or financial information were involved in this incident,” the announcement went on to say. “GTI has stated this breach appeared to be focused on gathering credentials which may lead to phishing attempts.” The university did not list current students as among those affected, but told student newspaper Cherwell that names and email addresses might be compromised, and said the attack was entirely separate from the one which hit Instructure’s Canvas last month. Twice bitten Oxford University was just one of the circa 8,800 educational institutions affected by the mega breach at Canvas, a separate platform that’s also relied upon by schools, colleges, and universities. Seemingly timed by ShinyHunters to coincide with exam season, students across multiple countries were left without access to learning materials, tests, and grades at a pivotal time of the year. The scale of the attack was vast, affecting the usernames, email addresses, course names, enrollment information, and messages of up to 275 million students, teachers, and staff. The severity of the situation, coupled with the inopportune timing, led to Instructure “reaching an agreement” with ShinyHunters to prevent the criminal gang from leaking all the data online. In cyberese, this implies Instructure paid the criminals an extortion fee in exchange for their word that they would delete the stolen data. "We received digital confirmation of data destruction (shred logs)," Instructure said, adding "We have been informed that no Instructure customers will be extorted as a result of this incident, publicly or otherwise." ®