Weekly review

ThreatNoir Weekend Brief — June 7

2026-06-07 | Morning | 8 articles

Morning Review in IT Security — June 7, 2026

The security landscape continues to face mounting pressure as multiple critical vulnerabilities and large-scale breaches dominate threat intelligence reporting. Today's briefing covers active exploitation of a WordPress plugin, compromised government networks in several countries, and coordinated attacks targeting cloud infrastructure and sensitive personal data.

Critical Everest Forms Pro Flaw Exploited to Take Over WordPress Sites

Hackers are actively exploiting a critical vulnerability tracked as CVE-2026-3300 in the Everest Forms Pro plugin, enabling complete takeover of affected WordPress websites. The exploitation campaign leverages this flaw to establish rogue administrator accounts and deploy malware including diksimarina. Indicators of compromise associated with this campaign include the IP addresses 202.56.2.126 and 209.146.60.26. Source: Critical Everest Forms Pro flaw exploited to take over WordPress sites

Argentine Army Network Compromised via Fortinet SSL VPN Access

A threat actor operating under the alias GordonFreeman, claiming affiliation with the group L4TAMFUCK3RS, has announced obtaining full Fortinet SSL VPN access to the internal network of the Argentine Army. The actor claims the access allows connections into the Army's internal infrastructure, which would represent a significant compromise of a national military network. Source: DarkWebInformer

Vishing Attacks Bypass MFA to Compromise Cloud Environments

The Pink Extortion Group has emerged as a significant threat to Microsoft 365 environments, using voice phishing (vishing) to circumvent multi-factor authentication and steal files from cloud storage. The group's tactics demonstrate the continued effectiveness of social engineering against even security-conscious organizations. The domain passkeydeploy.com has been identified as associated with this campaign. Source: New Pink Extortion Group Targets Microsoft 365 Cloud Data Via Vishing Scams

Hospital Patient Records Exposed by Threat Actor Black0ut_Exi

Threat actor Black0ut_Exi has begun distributing a dataset allegedly originating from Hospital San Rafael, claiming exposure of approximately 48,341 patient records. The compromised data reportedly includes patient identification numbers, full names, and dates of birth, representing a significant breach of protected health information. Source: DarkWebInformer

Spanish Government Agency Breach Exposes 11.4 Million Citizens' Identity Documents

A threat actor operating under the alias catwoman and claiming affiliation with The Negratas group has announced a breach of a major Spanish state digital administration agency. The actor claims to have obtained approximately 11.4 million Spanish national identity documents and associated citizen data from this critical government infrastructure. Source: DarkWebInformer

Ecuadorian Organizations Hit by Credential Theft Campaign

Threat actor V0lt4r0x has distributed login credentials allegedly stolen from multiple Ecuadorian organizations spanning government institutions, telecommunications companies, the national police, the Red Cross, and various private sector entities. This coordinated credential distribution campaign demonstrates broad targeting across critical infrastructure and essential services. Source: DarkWebInformer

OfferUp User Data Allegedly Compromised in 25 Million Record Breach

Threat actor pablomotos is selling a dataset purportedly containing approximately 25 million user records from OfferUp, the American online marketplace for peer-to-peer commerce. The alleged breach spans the platform's operational history and represents one of the larger consumer-facing data exposures reported this period. Source: DarkWebInformer

Bot Detection Bypass Code Shared by Threat Actor

Threat actor welcometonightbrother has publicly shared source code purporting to bypass Cloudflare's Turnstile bot detection system. The release of working bypass code for a widely deployed security mechanism poses significant risk to organizations that rely on it to defend against automated attacks. Source: DarkWebInformer

The convergence of nation-state targeting, large-scale data breaches, and the public disclosure of security bypass techniques underscores an increasingly challenging threat environment. Organizations must prioritize patch management for critical plugins, implement robust MFA solutions resistant to social engineering, and conduct immediate reviews of access to sensitive systems and data.

Sources & IOCs

Source articles and extracted indicators (defanged where appropriate).
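The indicators quoted in this brief (the two IPv4 addresses from the Everest Forms item and the domain from the Pink Extortion item) are what a defender would feed into a log review, and the defanged form is what they would paste into a ticket or share with peers. The following is an added example, not code from the brief or from any of the sources it cites: it defangs and refangs indicators, and scans a handful of constructed web-server access-log lines (combined log format, not real traffic) for matches against the brief's IPs and the campaign domain in the Referer field. The helper names, the log lines and the regex are assumptions made for the example.

```python
import re
from ipaddress import ip_address
from urllib.parse import urlparse

# Indicators as quoted in the brief. The list itself is constructed for this example.
IOCS = {
    "ipv4": ["202.56.2.126", "209.146.60.26"],   # Everest Forms Pro campaign
    "domain": ["passkeydeploy.com"],               # Pink Extortion vishing campaign
}


def defang(ioc: str) -> str:
    """Render an indicator so it cannot be clicked or auto-resolved when shared."""
    try:
        ip_address(ioc)                     # plain IP: only the dots need breaking
        return ioc.replace(".", "[.]")
    except ValueError:
        # domain or URL: break dots and neutralise the scheme
        return (ioc.replace("https://", "hxxps://")
                   .replace("http://", "hxxp://")
                   .replace(".", "[.]"))


def refang(ioc: str) -> str:
    """Reverse defang() so an indicator can be used for matching again."""
    return ioc.replace("[.]", ".").replace("hxxps://", "https://").replace("hxxp://", "http://")


# Constructed sample lines in Apache/Nginx combined log format; not real traffic.
SAMPLE_LOG = """\
202.56.2.126 - - [07/Jun/2026:03:12:44 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.8 - - [07/Jun/2026:03:13:01 +0000] "GET /index.php HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
209.146.60.26 - - [07/Jun/2026:03:15:09 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "curl/8.0"
192.168.1.5 - - [07/Jun/2026:03:16:30 +0000] "GET /login HTTP/1.1" 200 2048 "https://passkeydeploy.com/" "Mozilla/5.0"
"""

# Combined log format: ip ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"'
)


def host_matches(url: str, domain: str) -> bool:
    """True if the URL's host is the domain or a subdomain of it (avoids substring false positives)."""
    host = (urlparse(url).hostname or "").lower()
    return host == domain or host.endswith("." + domain)


def scan_log(text: str, iocs: dict = IOCS) -> list:
    """Return one record per log line that touches a known indicator."""
    bad_ips = set(iocs["ipv4"])
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                        # unparseable line: skip rather than guess
        matched = []
        if m["ip"] in bad_ips:
            matched.append(("ipv4", m["ip"]))
        for d in iocs["domain"]:
            if m["ref"] != "-" and host_matches(m["ref"], d):
                matched.append(("domain", d))
        if matched:
            hits.append({"ip": m["ip"], "ts": m["ts"], "request": m["req"], "indicators": matched})
    return hits


if __name__ == "__main__":
    for h in scan_log(SAMPLE_LOG):
        inds = ", ".join(f"{k}={defang(v)}" for k, v in h["indicators"])
        print(f'{h["ts"]} {defang(h["ip"])} "{h["request"]}" -> {inds}')
```

Matching the domain on the parsed hostname rather than on a substring keeps a Referer such as `notpasskeydeploy.com` from producing a false hit, while still catching subdomains of the listed domain; the defanged output is what belongs in the report rather than the raw indicator.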