Your Antivirus Has a Zero-Day

A zero-day in Windows Defender lets attackers seize full control of any Windows PC — with no patch yet available. Plus: 144 poisoned npm packages, a CVSS 10.0 Joomla flaw, and a hacker who stayed inside a network for 33 days after his server went offline.


🌐 World Intel

144 AI Framework Packages Poisoned in 88-Minute Supply Chain Attack

On June 17, a single attacker hijacked a contributor account on npm — the massive library of open-source code that developers use to build software — and mass-published 144 malicious packages under the Mastra namespace, a popular framework for building AI applications. Each poisoned package quietly added a dependency called "easy-day-js," a fake clone of a legitimate date library that installs a crypto clipper on the developer's machine. The whole operation took 88 minutes. Two of the compromised packages had more than 25,000 downloads each, and it's not clear how many real downloads those numbers represent.

Source: The Hacker News

15 Fake JetBrains Plugins Silently Stole Developer API Keys for Eight Months

Researchers at Aikido Security found 15 malicious plugins on the JetBrains Marketplace — each posing as an AI coding assistant. They actually worked, which is what made them dangerous: the moment a developer typed their API key to connect to DeepSeek or another AI model, the key was silently sent to an attacker-controlled server. The campaign had been running since October 2025. At least two of the plugins had over 25,000 downloads each. If you've installed a JetBrains AI assistant plugin in the past eight months, check against the full list of flagged plugin names and rotate any AI API keys you've used inside JetBrains IDEs.

Source: The Hacker News

⚔️ Active Attacks

Attacker Stayed Inside a French Business for 33 Days — Even After His Server Went Offline

Researchers at Cato Networks documented a French-speaking attacker (going by the handle "Poisson") who broke into a small French automotive company, planted a keylogger, and stole banking and email credentials. Ordinary enough. Then, before his command-and-control server went offline, he installed two legitimate remote-access tools — OpenSSH and Tailscale — directly on a victim machine, building a second way in that didn't depend on his C2 at all. When the C2 went offline the next day, his access didn't. Eighteen days later the C2 came back, and his implants reconnected automatically. Cato captured all 339 of his commands over 33 days after Poisson accidentally left his SSH keys and a step-by-step attack playbook in an open storage bucket. He compromised four machines. His targets were narrow — banking logins, email passwords, government portal credentials — but the lesson is broad: shutting down a C2 server is not remediation.

What you can do: Alert on OpenSSH Server or Tailscale appearing on Windows workstations where those tools weren't deliberately deployed. If you discover a C2 infection, hunt for secondary persistence — look for new scheduled tasks, newly installed remote-access software, and outbound SSH tunnels — before declaring the machine clean.

Source: The Hacker News / Cato Networks
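One way to act on the hunt described above, as an added example that is not part of the original article or of Cato's research: a small Python checker that walks Windows event records (service installs, scheduled-task creation, permitted outbound connections) and flags remote-access tooling that appears after a known infection time on hosts where it was not deliberately deployed. The event IDs are real Windows IDs; the host names, timestamps, allow-list and the event records themselves are constructed for the example.

```python
"""Hunt for secondary persistence after a C2 infection.

For events at or after a known infection time, flag:
  * remote-access services (OpenSSH Server, Tailscale) installed on hosts
    where IT did not deliberately deploy them,
  * scheduled tasks created after the infection (more severe when the task
    launches a remote-access binary),
  * permitted outbound connections to TCP/22 (SSH).
"""
from datetime import datetime, timezone

# Real Windows event IDs consulted:
#   System 7045   - a service was installed in the system
#   Security 4698 - a scheduled task was created
#   Security 5156 - the Windows Filtering Platform permitted a connection
SERVICE_INSTALLED, TASK_CREATED, CONNECTION_PERMITTED = 7045, 4698, 5156

# Binaries behind the two tools named in the article, plus the OpenSSH client.
REMOTE_ACCESS_BINARIES = ("sshd.exe", "tailscaled.exe", "tailscale.exe", "ssh.exe")

# Constructed allow-list: hosts where IT deliberately deployed a given tool.
APPROVED_HOSTS = {"JUMP-01": {"tailscaled.exe"}}


def remote_access_binary(text):
    """Return the first remote-access binary named in text, else None."""
    lowered = (text or "").lower()
    return next((b for b in REMOTE_ACCESS_BINARIES if b in lowered), None)


def hunt(events, infection_time):
    """Return (host, rule, detail) findings for events at/after infection_time."""
    findings = []
    for ev in events:
        if datetime.fromisoformat(ev["time"]) < infection_time:
            continue  # pre-infection activity is out of scope for this hunt
        host, eid = ev["host"], ev["event_id"]
        approved = APPROVED_HOSTS.get(host, set())
        if eid == SERVICE_INSTALLED:
            binary = remote_access_binary(ev["image_path"])
            if binary and binary not in approved:
                findings.append((host, "remote-access service installed",
                                 f"{ev['service_name']} -> {ev['image_path']}"))
        elif eid == TASK_CREATED:
            rule = ("scheduled task launches remote-access tool"
                    if remote_access_binary(ev["command"])
                    else "new scheduled task after infection")
            findings.append((host, rule, f"{ev['task_name']} -> {ev['command']}"))
        elif eid == CONNECTION_PERMITTED:
            if ev["direction"] == "Outbound" and ev["dest_port"] == 22:
                findings.append((host, "outbound SSH connection",
                                 f"{ev['application']} -> {ev['dest_ip']}:22"))
    return findings


# Constructed sample records (not real telemetry). In this made-up scenario the
# C2 beacon on WS-07 was first seen at 2026-06-01T12:00Z.
INFECTION_TIME = datetime(2026, 6, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE_EVENTS = [
    {"time": "2026-06-01T08:15:00+00:00", "host": "WS-07", "event_id": 7045,
     "service_name": "Spooler", "image_path": r"C:\Windows\System32\spoolsv.exe"},
    {"time": "2026-06-01T12:40:00+00:00", "host": "WS-07", "event_id": 7045,
     "service_name": "sshd", "image_path": r"C:\Program Files\OpenSSH\sshd.exe"},
    {"time": "2026-06-01T12:41:00+00:00", "host": "WS-07", "event_id": 7045,
     "service_name": "Tailscale", "image_path": r"C:\Program Files\Tailscale\tailscaled.exe"},
    {"time": "2026-06-01T13:00:00+00:00", "host": "JUMP-01", "event_id": 7045,
     "service_name": "Tailscale", "image_path": r"C:\Program Files\Tailscale\tailscaled.exe"},
    {"time": "2026-06-01T12:45:00+00:00", "host": "WS-07", "event_id": 4698,
     "task_name": r"\Microsoft\Windows\Updater", "command": r"C:\Windows\System32\OpenSSH\ssh.exe"},
    {"time": "2026-06-01T12:50:00+00:00", "host": "WS-07", "event_id": 4698,
     "task_name": r"\OneDrive Reporting Task",
     "command": r"C:\Users\jdoe\AppData\Local\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe"},
    {"time": "2026-06-01T12:55:00+00:00", "host": "WS-07", "event_id": 5156,
     "application": r"C:\Windows\System32\OpenSSH\ssh.exe", "direction": "Outbound",
     "dest_ip": "203.0.113.10", "dest_port": 22},
    {"time": "2026-06-01T12:56:00+00:00", "host": "WS-07", "event_id": 5156,
     "application": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "direction": "Outbound", "dest_ip": "203.0.113.20", "dest_port": 443},
]


def run_sample():
    """Run the hunt over the constructed records."""
    return hunt(SAMPLE_EVENTS, INFECTION_TIME)


if __name__ == "__main__":
    for host, rule, detail in run_sample():
        print(f"{host}: {rule}: {detail}")
```

On the sample data, the pre-infection Spooler install and the approved Tailscale deployment on JUMP-01 are ignored, while WS-07 produces five findings: two remote-access service installs, two new scheduled tasks (one of them launching ssh.exe) and one outbound SSH connection. Event 4698 is only logged when "Audit Other Object Access Events" is enabled and 5156 only with "Audit Filtering Platform Connection", so check those audit policies before relying on this in production.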

🔓 New Vulnerabilities

CVE-2026-48907 Joomla Content Editor (JCE)  ·  CVSS 10.0 — Critical

A flaw in the JCE editor extension for Joomla — a widely used website platform — lets anyone on the internet, with no login or credentials, upload and run PHP code directly on the web server. That's full remote code execution with zero authentication required. CISA added it to its Known Exploited Vulnerabilities catalog on June 17, confirming attackers are already using it in the wild. The flaw affects JCE versions 1.0.0 through 2.9.99.4.

A patch is available. If you run a Joomla site with the JCE editor installed, update immediately — this is actively being exploited.

CVE-2026-50656 Microsoft Defender (Malware Protection Engine)  ·  CVSS 7.8 — High

A race condition in the Microsoft Malware Protection Engine — the scanning component at the core of Windows Defender — lets an attacker who already has access to your machine run code with full SYSTEM-level privileges. SYSTEM is the highest level of access Windows has, higher than a regular administrator. A researcher named Chaotic Eclipse released a working proof of concept before Microsoft had a patch ready, reporting 100% success rates on some machines. Notably, the exploit works whether real-time protection is on or off.

No patch available yet. Microsoft confirmed the flaw on June 17 and says a fix is in development. Enable automatic Windows Updates so the patch installs the moment it ships.

CVE-2026-11645 Google Chrome (V8 JavaScript Engine)  ·  CVSS 8.8 — High

A zero-day in Chrome's V8 JavaScript engine is being actively exploited in the wild. V8 is the part of Chrome that runs JavaScript on every website you visit — so this affects any Chrome user on any website. Google confirmed active exploitation this week.

A patch is available. Open Chrome → three-dot menu → Help → About Google Chrome, and let it update. Takes 30 seconds.

🛠 New Tech

Intruder, an attack surface management company, published its 2026 Attack Surface Management Index this week after analyzing 3,000 real organizations. The headline finding: most companies have internet-exposed services — admin panels, databases, management ports — that have no legitimate reason to be publicly reachable. The report makes the case for what it calls Adversarial Exposure Validation: instead of endlessly listing vulnerabilities, security teams should continuously test whether those vulnerabilities can actually be reached and used against them. Think of it as the difference between knowing your house has a broken window and actually checking whether anyone can climb through it from outside. The full methodology is useful for any security team that's drowning in scanner output and struggling to know where to start. The report is available free at intruder.io.

💡 Deep Dive

RoguePlanet: The Flaw Inside Your Antivirus

Here's the uncomfortable irony at the center of this week's biggest security story: the flaw that a researcher just exposed lives inside Microsoft Defender — the software whose entire job is to protect your computer from exactly this kind of attack.

The vulnerability, officially designated CVE-2026-50656, was found by a researcher who goes by Chaotic Eclipse. The flaw is a race condition in the Microsoft Malware Protection Engine — the core scanning component inside Defender. In a race condition, two processes try to use the same resource at the same moment. When the timing works out just wrong, the result here is a shell with SYSTEM-level privileges. On Windows, SYSTEM is the top of the hierarchy — higher than an administrator. Whoever has a SYSTEM shell controls the machine completely.

Chaotic Eclipse released a working exploit publicly before Microsoft had a patch. In a note accompanying the release, they wrote that the exploit achieved 100% success rates on some machines, though it was less reliable on others. A follow-up update added a detail that's almost funny: the exploit works whether or not Defender's real-time protection is turned on. The thing that's supposed to catch attacks isn't catching this one.

This is Chaotic Eclipse's fourth Defender vulnerability. The previous three — BlueHammer, UnDefend, and RedSun — were all patched by Microsoft after similar public disclosures. This pattern of public disclosure before patches is controversial. Security researchers argue that vendors move faster under public pressure; vendors argue it exposes users to undue risk. Both are right.

The practical situation right now: every Windows machine running Defender has this flaw, and there is no patch. An attacker who already has any foothold on your machine — through a phishing email, a malicious download, a compromised login — can use RoguePlanet to instantly become the most powerful user on your system. From there, they can install anything, steal anything, or lock everything down for ransomware.

Microsoft confirmed the flaw on June 17, described it as an "elevation of privilege" issue, and said it is "working to provide a high-quality security update." No timeline. The best thing you can do right now: make sure Windows Update is set to install updates automatically, so the moment the patch arrives, it applies without you having to think about it. Watch for a patch — this one's worth tracking.