We are Microsoft's global network of security experts. Follow for security research and threat intelligence.

Joined November 2010
The June 2026 security updates are available:
Security updates for June 2026 are now available. Details are here: msft.it/6018SZEg0 #PatchTuesday
Threat actors are increasingly exploiting the hype around AI as a social engineering lure in phishing, malvertising, and search-driven attacks. By impersonating trusted tools and services, they capitalize on user curiosity and urgency to improve success rates. msft.it/6019v5k6N Despite using hooks tied to new technologies, these campaigns combine familiar techniques like multi-stage redirects, abuse of legitimate infrastructure, and interaction-based evasion to enable credential theft, financial fraud, or malware infection. Read the latest Microsoft Defender Research blog to get an analysis of some of these campaigns and guidance for detecting, mitigating, and responding to these threats.
Microsoft discovered that Anthropic's Claude Code GitHub Action could expose CI/CD workflow secrets when AI agents process untrusted content, including issue bodies, pull request descriptions, and comments. msft.it/6017vdfUc Following our disclosure, Anthropic mitigated this issue in Claude Code version 2.1.128 by blocking access to sensitive /proc files. Read the blog for details from our research, along with practical guidance for reducing prompt injection, over-permissive tooling, and secret exposure risks in agentic CI/CD workflows.
Attackers are targeting open-source software ecosystems at scale, using coordinated and repeatable approaches that take advantage of dependency chains and maintainer trust models to distribute malicious packages across widely used registries. msft.it/6010vd35O The use of AI is reducing barriers to entry, enabling high‑volume package creation and faster iteration of malicious code. At the same time, shifts in coding patterns and tooling behaviors can provide defenders with signals to better identify and track adversary activity. These campaigns increasingly focus on the software supply chain itself, targeting the tools, libraries, and pipelines used to build and distribute applications. As a result, a single compromised component can propagate across complex dependency trees and significantly expand impact. Learn more from Microsoft Security’s Allie Luhrs and Mario Samolis from their talk at this year’s Blue Hat USA on the Microsoft Threat Intelligence Podcast, hosted by Sherrod DeGrippo.
Microsoft has published an analysis of the npm supply chain compromise affecting 32 maliciously modified packages across >90 versions under the redhat-cloud-services npm scope and leading to credential theft and compromise of additional maintainer packages: msft.it/6014vjutQ
Compromised npm packages (utils-terminal@3.2.1, logger-active@3.2.1) are abusing Hugging Face repos as exfiltration infrastructure. The packages deploy a remote access trojan (RAT) that captures keystrokes, screenshots, and crypto wallet credentials.
Indicators of compromise (IOCs):
- npm user: hexalpha10 / author: toskypi
- 195.201.194[.]107:8010 (WebSocket C2)
- c2-toskypi.onrender[.]com (HTTP C2)
- huggingface[.]co/api (exfiltration endpoint)
- HKCU\Software\Microsoft\Windows\CurrentVersion\Run\MicrosoftSystem64 (persistence)
- MicrosoftSystem64.service (Linux systemd persistence)
- \MicrosoftSystem64 (Windows scheduled task)
- MicrosoftSystem64/payload.js (payload directory)
Defenders: treat unexpected huggingface[.]co/api calls from non-ML workloads as suspicious.
Microsoft has identified an npm supply chain compromise impacting 90 redhat-cloud-services/* packages, including patch-client 4.0.4, insights-client 4.0.4, rbac-client 9.0.3, host-inventory-client 5.0.3, frontend-components 7.7.2, and others. The payload is a self-propagating worm that infects other npm packages and self-publishes. Each compromised package adds a malicious preinstall hook, embedding an index.js script in the package.json that silently executes “node index.js” during installation, downloads Bun, and runs a payload that steals secrets from npm, GitHub, Amazon Web Services (AWS), and Secure Shell (SSH). The added code bloats index.js from ~8KB to ~4.3MB, acting as a heavily obfuscated ROT-9 eval loader. If any of the compromised packages are installed, users and organizations should assume compromise, rotate credentials, revert to a previously trusted version, and block compromised packages. Identified compromised npm packages have been taken down, and we continue to work with the npm team. Microsoft continues to investigate this attack and will publish updates as more information is available.
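A defender-side check for the install-hook pattern described in the post above, as an added example that is not part of the original post and not Microsoft's code: it flags packages whose preinstall/install/postinstall scripts run a local Node script and marks the script as oversized when it exceeds a size limit. The function names and the 1 MiB threshold are assumptions chosen for illustration.

```javascript
const fs = require("fs");
const path = require("path");

const INSTALL_HOOKS = ["preinstall", "install", "postinstall"];
// Assumed threshold: the post reports index.js growing from ~8KB to ~4.3MB.
const SIZE_LIMIT_BYTES = 1024 * 1024;

// Audit one package. manifest is the parsed package.json; sizeOf(file)
// returns the byte size of a file inside the package, or null if absent.
function auditPackage(manifest, sizeOf) {
  const findings = [];
  const scripts = manifest.scripts || {};
  for (const hook of INSTALL_HOOKS) {
    const cmd = scripts[hook];
    if (typeof cmd !== "string") continue;
    // Pick out the script in "node [flags] <file>.js|.cjs|.mjs".
    const m = cmd.match(/\bnode\s+(?:--?\S+\s+)*["']?([^\s"';&|]+\.[cm]?js)\b/);
    const script = m ? m[1] : null;
    const size = script ? sizeOf(script) : null;
    const oversized = size !== null && size > SIZE_LIMIT_BYTES;
    findings.push({ hook, cmd, script, size, oversized });
  }
  return findings;
}

// Audit the top level of a node_modules directory, scoped packages included.
function auditNodeModules(dir) {
  const report = {};
  for (const entry of fs.readdirSync(dir)) {
    const names = entry.startsWith("@")
      ? fs.readdirSync(path.join(dir, entry)).map((n) => path.join(entry, n))
      : [entry];
    for (const name of names) {
      const pkgDir = path.join(dir, name);
      const manifestPath = path.join(pkgDir, "package.json");
      if (!fs.existsSync(manifestPath)) continue;
      const manifest = JSON.parse(fs.readFileSync(manifestPath, "utf8"));
      const sizeOf = (f) => {
        const p = path.join(pkgDir, f);
        return fs.existsSync(p) ? fs.statSync(p).size : null;
      };
      const findings = auditPackage(manifest, sizeOf);
      if (findings.length) report[name] = findings;
    }
  }
  return report;
}
```

Any install-time hook is worth a manual look even when it is not oversized; installing with `npm install --ignore-scripts` keeps lifecycle scripts from running while a dependency tree is being reviewed.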
Microsoft has uncovered a supply chain attack involving malicious npm packages registered under organizational scopes that mirror real internal corporate namespaces, employing a dependency confusion technique to deploy a reconnaissance payload. msft.it/6010vZhZ4 A threat actor operating under three maintainer aliases, mr.4nd3r50n, ce-rwb, and t-in-one, published malicious packages that impersonate internal corporate packages, with several spoofing internal enterprise infrastructure URLs in their package.json to appear legitimate. Once installed, the packages download and execute an obfuscated payload from an attacker-controlled command-and-control (C2) server to collect system information, hostnames, environment variables, and developer context. Read the blog for in-depth analysis and mitigation, detection, and hunting details.
Microsoft has identified an active supply chain attack using typosquatted npm packages to steal cloud and CI/CD secrets. On May 28, 2026, a single threat actor operating under the newly created maintainer alias vpmdhaj published 14 malicious packages within a 4-hour window. msft.it/6011vZebf The packages typosquat well-known OpenSearch, ElasticSearch, DevOps, and environment-configuration libraries, and several spoof the upstream OpenSearch project’s repository URL in their package.json to appear legitimate. Once installed, the packages harvest AWS credentials, HashiCorp Vault tokens, and CI/CD pipeline secrets from the host environment. Read the blog from the Microsoft Defender Research team to get an in-depth analysis, as well as mitigation, detection, and hunting guidance.
The Gentlemen RaaS employs double extortion, encrypting and exfiltrating data to pressure victims, and targets organizations across industries and global regions. Its Go-based design, defense evasion, and redundant execution paths highlight an emphasis on reliability and impact.
Learn more about The Gentlemen ransomware encryptor and its self-propagating capabilities and get detections, mitigation and hunting guidance, and indicators of compromise (IOCs) from this Microsoft Threat Intelligence blog post.
Microsoft Defender Experts uncovered a cryptojacking campaign that combines SEO poisoning, trojanized system utility installers, and remote monitoring tool abuse to hijack GPU resources for cryptocurrency mining. msft.it/6018vkTF2 The campaign impersonates trusted system utilities to target users who are likely to own high-performance GPUs. The custom .NET payload sideloads into legitimate binaries using process hollowing, employs encrypted C2 channels, and establishes multiple persistence mechanisms. Microsoft Defender Antivirus and Microsoft Defender for Endpoint detect and block this threat. Read the blog to get detailed analysis, indicators of compromise, and detection, mitigation, and hunting guidance.
Microsoft Defender research details a multi-stage intrusion that began with a compromised internet-facing firewall appliance and pivoted to an internal Linux host, where a vulnerable SaaS application was exploited to run authentication attacks. msft.it/6013vn80P This activity reflects a broader pattern where internet-facing edge devices are used as entry points to access internal systems and identities. Because they’re often exposed, lightly monitored, and implicitly trusted, compromising these devices provides threat actors a durable, low-visibility foothold. The incident highlights how threat actors move from infrastructure compromise to identity abuse across environments. Defenders should prioritize visibility across edge devices, internal applications, and identity systems to better assess and disrupt attack paths early.
Threat actors are increasingly using device code phishing attacks to capture authentication tokens and gain persistent access to accounts as long as the tokens remain valid. msft.it/6012vVnRq EvilTokens, a phishing-as-a-service (PhaaS) platform that automates device code phishing, is enabling threat actors to launch these attacks at scale. In the latest Microsoft Threat Intelligence episode, Sherrod DeGrippo and @HuntressLabs's Lindsay O’Donnell-Welch and Jamie Levy discuss how threat actors use EvilTokens to leverage legitimate authentication flows, trusted infrastructure, and AI-generated lures to launch stealthy phishing attacks. They discuss this evolution in phishing attacks and how defenders can strengthen identity security.
The Microsoft Defender Research team has published an analysis of the Mini Shai-Hulud npm supply chain compromise targeting antv packages, including attack flow, payloads, and impact, along with mitigation, detection, and hunting guidance: msft.it/6013vpQYv
Emerging attack surfaces, including prompt injection and AI system abuse, are creating new challenges for defenders trying to analyze and secure modern environments. msft.it/6010vpmBQ Today, Microsoft is announcing the open-source release of Rampart, a framework for testing and improving agentic AI system safety, and Clarity, a tool for clarifying design intent and capturing assumptions. Examine how Rampart and Clarity help analysts identify risks, support red teaming efforts, and strengthen secure software development workflows in this blog post from Ram Shankar Siva Kumar.
Fox Tempest is a financially motivated threat actor operating a malware‑signing‑as‑a‑service (MSaaS) offering, abusing Microsoft Artifact Signing to generate fraudulent certificates that allow malware to appear legitimate and evade security controls. msft.it/6015vTCYU
Fox Tempest enables other threat actors, including ransomware operators, by providing signing services and infrastructure that support the delivery of trusted, signed malware—driving large‑scale activity across industries and regions.
Its service relied on short‑lived certificates and cloud‑hosted environments that streamlined malicious code signing and improved execution success by blending into normal operations. Get detections, mitigation guidance, and IOCs from this Microsoft Threat Intelligence blog post.