Nightmare Eclipse drops a fresh zero day, Meta says NSO is targeting WhatsApp users again, hackers breach France's TCHAP secure messenger network, Putin disables some Kremlin security cameras, and Gmail begone: Russia bans logins from foreign email addresses. This is the Risky Bulletin, prepared by Catalyn Kim Panu and read by me, Claire Airdrop. Today is the 10th of June and this podcast episode is brought to you by Spectrops.
In today's top story, the security researcher known as Nightmare Eclipse has dropped another zero day vulnerability in Microsoft's Defender security product. The local privilege escalation bug allows an attacker to spawn a local prompt on a targeted system with system privileges. Nightmare Eclipse has been banned from GitHub and GitLab, so published a proof of concept for the vulnerability to a self hosted repository.
In other news, Israeli spyware maker NSO Group has allegedly violated a court order preventing it from targeting WhatsApp users. Social media company Meta says it tracked new spear phishing attacks targeting WhatsApp users to NSO managed infrastructure. A US court banned NSO from targeting WhatsApp in a permanent injunction issued last October. Meta filed a fresh legal complaint against NSO on Monday.
Check Point has patched a zero day vulnerability in its Access VPN and mobile access appliances. The company says the zero day was used in attacks against a few dozen organisations. The vulnerability is an authentication bypass on devices where the IKEv1 key exchange protocol was enabled. The earliest observed exploitation was on May 7, and attacks increased this month. In some attacks, the final payload was the Qilin ransomware.
Anthropic claims its Mythos cybersecurity model can now write exploits for newly disclosed bugs in under one hour. In private tests, Mythos was able to craft exploits for both Firefox and Windows bugs.
The company's lower tier Claude Opus and Sonnet models were also able to develop working exploits, but at slower paces.
Hackers have breached an account on TCHAP, the French government's encrypted messaging app. The hacker joined public channels and harvested conversations. Officials say they've now suspended the account and urged government employees to use the app's encrypted chat feature for sensitive topics. The hacker posted some of the scraped data on a forum over the weekend.
Hackers have abused an API bug to access ServiceNow data from customer instances. ServiceNow quietly patched the API last week and has now notified affected customers. The company says the incidents mainly impacted customers on its confusingly named Australia platform release. According to Reddit posts, the bug has been exploited in the wild.
Since April, Iranian hackers have attacked the Turkey-based Kurdish women's news agency Nujinha. The hackers breached the website, deleted articles and disrupted online broadcasts. The Handala Group has taken credit for the hack and is threatening to doxx and harm the agency's employees.
Indonesian news site Tempo says it was hit with massive DDoS attacks that brought down its website over the weekend. The attacks come weeks after hackers breached its platform and deleted articles related to corruption cases. Tempo has since altered its CMS, so past articles cannot be deleted.
Oxford University in the UK has disclosed a security breach that impacted its Career Connect platform. Hackers accessed the portal at the end of May and stole the data of alumni, research staff and employers. Oxford University uses the platform to connect students and staff with recruiters and employers about internships and jobs.
A hacker hijacked a third party bot used by channel administrators on Russia's Max messenger service. The hacker was able to use their access to spam over 30,000 channels with information about the bot's vulnerability.
The hacker claimed they'd notified the bot's developers about the bug, but they never replied. The bot is used by channel admins to post scheduled messages. It's now been suspended by Max's security team.
Kubernetes package manager Helm has warned users that an old, lapsed domain was acquired by a third party and used to deliver malicious content. Helm has urged users to remove the Balto CD cdn.com domain from configuration files to prevent future connections to it. The domain was retired from Helm's infrastructure last September.
The Russian presidential administration has shut down parts of a security camera system designed to watch over the Kremlin. Officials inspected the system for hacks and only reconnected cameras that had no Internet connection. The audit was meant to prevent adversaries from tracking President Vladimir Putin's movements through hacked cameras. Israel killed Iran's supreme leader in February by using hacked CCTV systems to track his movements ahead of a missile strike.
Russia will fine website operators up to $10,000 for letting users log in using foreign email addresses. The government passed a new law this week mandating that Russian websites only authenticate users via local identifiers. This includes Russian phone numbers, Russian email addresses or an official Gosuslugi government account. There are no fines for users. The new law also includes a clause that makes it illegal for telcos to reveal details on how the SARM surveillance system works.
The Taliban has banned government employees from using smartphones at work. Offenders will be prosecuted in a military court. The government has also banned students from bringing phones to school and religious seminaries. Officials didn't reveal the reason for the ban. They previously described smartphones as one of the three main enemies of Muslims.
The European Commission is preparing lawsuits against France and Spain for failing to pass mandated cyber security legislation.
Both France and Spain missed an October 2024 deadline to implement the NIS 2 directive in their local laws. The NIS 2 directive introduced new rules to help safeguard the bloc's code critical infrastructure operators. The commission is expected to sue both countries at the EU's Court of Justice after the summer break.
Tech companies operating in the UK must introduce device level software that blocks children from taking, sending and receiving nude images. The companies have until September to comply with a new rule announced by UK Prime Minister Keir Starmer on Monday. The new protection must be added to all phones and tablets and sold in the UK. Tech companies that don't comply could face huge fines and criminal prosecution of their executives.
Staying in the UK, the country's communications watchdog Ofcom has ordered social media networks to set up protocols to take down illegal content that goes viral. The new protocols are meant to be used during public riots and terrorist attacks. Ofcom expects the tech platforms to create dedicated crisis teams and work with law enforcement.
Apple has won a lawsuit against the US Justice Department to overturn a gag order. The gag order was issued last year and prevented Apple from notifying a congressional staffer that they'd been under surveillance. The surveillance stemmed from an FBI investigation into the staffer, who was suspected of acting as a foreign agent on behalf of Qatar, according to Forbes. The congressional staffer has not come forward to reveal their name.
The Massachusetts state government has passed a bill that would ban the sale of the precise location data of the state's residents. The bill passed with a unanimous vote of 146 to 0. It was sent to Governor Healey's office to be signed last week. If signed, the bill would also allow Massachusetts residents to request tech companies to delete their data.
Cyberscam syndicates are moving operations to Sri Lanka as crackdowns intensify across Cambodia and Thailand. Sri Lankan authorities have arrested more than 1,000 suspects linked to cyber scams this year, which is a huge spike compared to last year's numbers. Suspects are operating out of beach resorts and office buildings across the island. A new cybercrime unit has been set up to deal with the rise in cyber scam reports.
Bulletproof hosting provider the hosting group has shut down all operations after police raids targeted two related companies. In a message to customers, the company called the raids unforeseen and unavoidable force majeure circumstances. Dutch police seized more than 800 servers from the Mir hosting and work Titans companies last month. The hosting group is a rebrand of Stark Industries, a bulletproof hosting provider sanctioned across the world for hosting Russian hacking and disinformation infrastructure.
Google has released a security update to patch a Chrome zero day that's being exploited in the wild. The zero day is a memory corruption bug in Chrome's V8 JavaScript engine. It's the fifth in-the-wild Chrome zero day patched this year.
Threat actors are abusing a Microsoft Exchange bug to send spoofed email spam. Exchange Online and Exchange email servers in hybrid configurations are vulnerable, according to Microsoft. Exploitation has been taking place since late April. An anti spoofing patch was rolled out in April but reverted after five days. The issue remains unpatched.
Apple has added a new feature to the iOS passwords app that will detect compromised passwords and use an AI agent to change them. The new Apple Intelligence Assistant will log into the accounts and change credentials on users' behalf. The new feature is expected with iOS 27 later this year.
And finally, Anthropic has released its Claude Fable 5 and Claude Mythos 5 models.
Claude Fable is intended for general use and has been released to the public, while Mythos 5 is designed for cybersecurity use cases and will initially only be available to Project Glasswing participants. The guardrails in Claude Fable 5 currently prevent any use of the model for cybersecurity or biology topics, as well as reasoning extraction attempts.
And that is all for this podcast edition. Today's show was brought to you by our sponsor Spectrops. Find them at Spectrops.io. Thanks for your company.
Date: June 10, 2026
Host: Risky Business Media
Read by: Claire Airdrop
Prepared by: Catalyn Kim Panu
This episode delivers a rapid-fire roundup of recent cybersecurity news. Major topics include a newly disclosed privilege escalation vulnerability in Microsoft Defender by "Nightmare Eclipse," high-profile spear phishing tied to the NSO Group, zero-day patching by Check Point, notable breaches (including France’s TCHAP messenger and Oxford University), regulatory changes across Russia, the UK, and Europe, and AI’s increasing role in exploit development. The tone remains concise, journalistic, and urgent, closely following breaking updates in the security sector.
[00:04] Security researcher "Nightmare Eclipse" released a zero-day local privilege escalation vulnerability affecting Microsoft Defender.
“Nightmare Eclipse has been banned from GitHub and GitLab, so published a proof of concept for the vulnerability to a self hosted repository.” (Claire, 00:16)
[00:38] NSO Group, despite a U.S. court injunction, is accused of targeting WhatsApp users with spear phishing.
“Meta says it tracked new spear phishing attacks targeting WhatsApp users to NSO managed infrastructure… Meta filed a fresh legal complaint against NSO on Monday.” (Claire, 00:44)
TCHAP Messenger Breach:
ServiceNow API Abuse:
Kurdish News Site Nujinha Hacked:
Indonesia’s Tempo Website:
Oxford University’s Career Connect Breach:
Russian Max Messenger Bot Compromised:
Helm Package Manager:
Kremlin Security Camera Audit:
“The audit was meant to prevent adversaries from tracking President Vladimir Putin's movements through hacked cameras.” (Claire, 05:09)
Site Operators Fined for Foreign Emails:
Restrictions on Surveillance Disclosure:
Taliban Smartphone Ban:
EU Lawsuits Over Delayed NIS 2 Implementation:
UK Child Safety Tech Mandate:
“Tech companies not complying could face huge fines and criminal prosecution of their executives.” (Claire, 07:15)
Ofcom Orders Emergency Content Protocols:
Apple Wins Gag Order Case:
Massachusetts Location Data Bill:
Southeast Asian Scam Migration to Sri Lanka:
Hosting Group Shuts Down:
Google Chrome:
Microsoft Exchange:
Apple’s AI Password Updates:
Claude Fable 5 & Claude Mythos 5:
“Claude Fable is intended for general use… Mythos 5 is designed for cybersecurity use cases.” (Claire, 11:15)
This episode condenses two intense weeks of global cybersecurity developments, providing rapid updates on zero-days, state-backed hacking, AI’s growing offensive power, critical infrastructure risks, regulatory moves from Moscow to Brussels, and shifting cybercriminal tactics. The concise format, notable quotes, and expert insight make the Risky Bulletin an essential listen for cybersecurity professionals and stakeholders, keeping listeners ahead of the curve on both technical threats and policy shifts.