News Jun 9, 2026

IT News Roundup: GitHub Worm Attack, Check Point Zero-Day, Apple AI Comeback - June 9, 2026

Today's IT news covers a major GitHub supply chain worm attack, a Check Point VPN zero-day exploited for weeks, Apple's privacy-focused AI strategy at WWDC, NHS rolling out half a million Copilot licenses, and the Python JIT compiler's uncertain future.

The past 24 hours in IT have been dominated by a resurgent supply chain worm targeting GitHub repositories, a Check Point VPN vulnerability that attackers exploited for weeks before patching, and Apple's more measured AI strategy at WWDC 2026. Meanwhile, the NHS is making a massive bet on Microsoft Copilot, Python's JIT compiler faces an uncertain future, and Meta is taking spyware vendor NSO Group back to court.

GitHub Disables 70+ Repos After Miasma Worm Supply Chain Attack

Microsoft's GitHub disabled 73 repositories within 105 seconds after detecting the Miasma worm infecting its projects on Friday, June 5. The attack originated from a compromised contributor account that pushed a malicious commit to the Azure/durabletask repository, dropping configuration files that triggered remote code execution when developers opened the repos in IDEs or AI coding tools like Claude Code, Gemini CLI, and Cursor.

The most immediately disruptive impact came from the takedown of Azure/functions-action, a widely used GitHub Action for deploying code to Azure. Every workflow referencing Azure/functions-action@v1 stopped resolving, breaking CI/CD pipelines across the ecosystem. Security firm StepSecurity traced the attack as a re-opening of the previous Miasma worm campaign that hit Microsoft's durabletask PyPI package on May 19, suggesting the compromised developer account's tokens were never fully rotated.
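As an added illustration, not code from the page or from any of the projects it names: a small inventory script that lists every `uses:` reference in a GitHub workflow, flags references to an action that has been disabled, and separately flags references pinned to a mutable tag such as `@v1` rather than a full commit SHA. The sample workflow text and the 40-hex SHA are constructed for the example.

```python
import re

# Constructed sample workflow (not from the page). It mixes a tag-pinned
# reference to the disabled action with a SHA-pinned reference to it.
SAMPLE_WORKFLOW = """\
name: deploy
jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: Azure/functions-action@v1
        with:
          app-name: my-func
      - uses: Azure/functions-action@0123456789abcdef0123456789abcdef01234567
"""

# A full 40-hex commit SHA is the only immutable reference form.
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
# Matches `- uses: owner/repo[/path]@ref` with optional quoting.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^@\s'\"]+)@([^\s'\"]+)")


def find_action_refs(workflow_text):
    """Return (action, ref, pinned_by_sha) for every `uses:` line."""
    refs = []
    for line in workflow_text.splitlines():
        m = USES_RE.match(line)
        if not m:
            continue
        action, ref = m.group(1), m.group(2)
        refs.append((action, ref, bool(SHA_RE.match(ref))))
    return refs


def affected_refs(workflow_text, disabled_actions):
    """References to actions on the disabled list (names are case-insensitive)."""
    wanted = {a.lower() for a in disabled_actions}
    return [r for r in find_action_refs(workflow_text) if r[0].lower() in wanted]


def unpinned_refs(workflow_text):
    """References that would follow a moved or re-tagged release."""
    return [r for r in find_action_refs(workflow_text) if not r[2]]


if __name__ == "__main__":
    for action, ref, sha in affected_refs(SAMPLE_WORKFLOW, ["Azure/functions-action"]):
        print(f"disabled action referenced: {action}@{ref} (sha-pinned={sha})")
    for action, ref, _ in unpinned_refs(SAMPLE_WORKFLOW):
        print(f"mutable reference: {action}@{ref}")
```

Running it over a repository's `.github/workflows/*.yml` files gives the list of pipelines that need attention when an action is pulled.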

The Miasma worm is a descendant of the Mini Shai Hulud worm, which ravaged open source packages on npm earlier this month, including Red Hat packages downloaded 80,000 times weekly. Cybercrime group TeamPCP claimed responsibility for developing Mini Shai Hulud, though it is unclear whether they or a separate actor is behind the Miasma variant. StepSecurity also reported that two days before the GitHub attack, the same worm compromised more than 50 npm packages, including a Vapi.ai SDK with over 408,000 monthly downloads.

Source: The Register

Check Point VPN Zero-Day Exploited for Weeks Before Patch

Check Point released an emergency fix on Monday for a critical authentication bypass vulnerability (CVE-2026-50751) affecting its Remote Access VPN and Mobile Access deployments, but attackers had a month-long head start. Exploitation began on May 7 and picked up in early June, with Check Point only spotting suspicious activity and beginning investigation on June 4.

The vulnerability is a logic-flow weakness in the certificate validation process that allows remote attackers to bypass authentication and establish a VPN connection without a user password. It affects Mobile Access/SSL VPNs, Remote Access VPNs, and Spark Firewalls configured to use the deprecated IKEv1 key exchange protocol. Check Point confirmed that post-compromise activity associated with a Qilin ransomware affiliate was observed in at least one case.

During the investigation, Check Point also discovered a second vulnerability, CVE-2026-50752, in its Security Gateways and Spark Firewall products. This bug in the IKEv1 certificate validation logic can lead to man-in-the-middle attacks on VPN site-to-site configurations, though no in-the-wild exploitation has been reported for this second CVE. The vendor published indicators of compromise and recommends customers search logs for suspicious VPN certificate authentication attempts between May 7 and June 5.

Source: The Register

Apple Courts Developers with Privacy-First AI at WWDC 2026

At its 2026 Worldwide Developers Conference, Apple offered a notably sober vision of AI integration that emphasized privacy, responsibility, and practical utility over hype. The keynote focused on platform improvements, child safety enhancements, and the next iteration of Apple Intelligence, with Siri rebranded as Siri AI, slated for general public release this fall.

Apple's key pitch for developers centers on its Foundation Models framework, based on Google's Gemini model family and newly multimodal, available on Private Cloud Compute with no cloud API cost for developers who have yet to scale. This addresses a real concern: many developers cannot risk wiring their apps to costly AI APIs that might produce bills exceeding app revenue. Craig Federighi, Apple's SVP of software engineering, emphasized that privacy in AI is non-negotiable at Apple, contrasting with most providers that retain personal interactions by default.

Other highlights included Safari's Notify Me feature for website change notifications, a low-code extension creation service called Describe an Extension, and performance improvements including 30 percent faster app launches and 70 percent faster Photos loading. IDC VP Francisco Jeronimo noted that the winning AI experience will not be the loudest or most technically complex, but rather the one that understands context, respects privacy, and reduces friction without forcing behavioral changes.

Source: The Register

NHS Rolls Out Microsoft Copilot to Half a Million Staff

NHS England announced plans to roll out Microsoft Copilot to 505,000 clinicians and support staff after a pilot involving 30,000 staff across 90 organizations showed users saved an average of 43 minutes per day on administrative work, roughly five working weeks over the course of a year. Each NHS trust will receive a central allocation of licenses based on headcount, with more than half a million staff expected to have access by October 2026.

The deployment envisions Copilot handling discharge paperwork, bed management, rota planning, meeting minutes, board papers, data analysis, and assorted HR, finance, and procurement tasks. NHS organizations will also receive access to Copilot Studio, Microsoft's toolkit for building custom AI agents for tasks such as handling Freedom of Information requests, processing complaints, and assisting with financial analysis. A governance framework called Agent 365 will oversee the deployment.

The cost of the deal was not disclosed, though at list price, a deployment of this scale would be worth well into nine figures annually. The NHS is not alone in buying into Microsoft's vision of AI-powered digital workers; Lloyds Banking Group signed up for a similar Microsoft 365 Frontier Suite deployment last week.

Source: The Register

Python JIT Compiler Future in Doubt After Steering Council Intervention

The Python steering council has suspended new development on the JIT (just-in-time) compiler project in the main Python repository, pending creation and acceptance of a new PEP. Bug and security fixes for existing JIT code will continue, but if no PEP is submitted and approved within six months, the JIT code will be removed from main, a move that has cast doubt on the future of one of Python 3.15's key features.

The announcement was unexpected because the improved JIT compiler was one of the headline features of Python 3.15, promising 8-9 percent geometric mean performance improvement over the standard CPython interpreter on x86-64 Linux. The JIT compiler is experimental and disabled by default, requiring PYTHON_JIT=1 to activate. The steering council cited concerns that PEP 744, which relates to the JIT, is only informational and contains unresolved questions about future maintenance, compatibility with existing CPython features, and success metrics.

Key JIT contributor Mark Shannon said the moratorium puts the project in an awkward position, putting pressure on the JIT team to produce a new PEP quickly while denying the community time to discuss it. He requested a grace period of a month or two to continue work, warning that a moratorium risks loss of momentum and the new contributors recently gained by the project.

Source: The Register

Meta Holds NSO Group in Contempt for Targeting WhatsApp Users

Meta has asked a federal judge to hold Israeli spyware vendor NSO Group in contempt of court after catching the surveillance company targeting WhatsApp users again despite a permanent injunction ordering it to stop. A US court found NSO liable in December 2024 for hacking WhatsApp users via its Pegasus spyware, and a jury awarded Meta roughly 68 million in damages in May 2025, though the judge later reduced that to million while issuing the permanent injunction.

Meta reported disrupting NSO-linked social engineering attempts after investigating user reports. The activity involved attempts to lure targets into clicking malicious links that redirected them to websites outside WhatsApp, along with the creation of test accounts and groups on the platform. WhatsApp published several domains linked to the campaign, including ikhwancast.com, ghazacast.com, and fr24cast.com.

Meta adopted a hard line on the spyware industry, repeatedly describing commercial spyware as a national security issue. The company wrote that easing restrictions on NSO would undermine US national security and put American companies and billions of people worldwide who depend on secure communications at risk. Meta provided few technical details about the activity, including when it occurred, how many users were targeted, or whether any compromises were successful.

Source: The Register

North Korean-Linked Phishing Campaign Targets Developers with Fake Job Offers

A previously unseen phishing campaign suspected to have North Korean ties sent more than 250 emails to people working in nearly 100 organizations, mostly based in the US, over six weeks in April and May. Proofpoint threat researchers tracked the campaign as UNK_DeadDrop, designed to steal developer credentials and cryptocurrency wallets.

The attacks begin with emails appearing to originate from real companies, offering developer roles including Full-Stack Engineer or Agent Lead Developer positions. Proofpoint caught the attackers spoofing companies including Ondo Finance and Empower Pharmacy, sending emails from attacker-owned domains. The lures attempt to send victims to attacker-controlled GitHub repositories hosting malicious scripts that execute cross-platform malware across macOS, Linux, and Windows machines.

Researchers noted several differences from previous North Korean campaigns like Contagious Interview, including a shift from arranging fake interviews to unsolicited job offers or code review approaches, and a move from LinkedIn to email as the primary delivery platform. The campaign's industrialization, scale of repository creation, and distinct infrastructure led Proofpoint to classify it as an independent threat cluster.

Source: The Register
