IT News Roundup: Splunk RCE, Node.js Fixes, and WordPress Supply Chain Attack - June 19, 2026
This week's IT news covers a critical Splunk Enterprise RCE vulnerability, Node.js security patches, Microsoft's record Patch Tuesday, malicious JetBrains plugins stealing AI keys, and a WordPress supply chain attack.
A busy week for IT professionals: from a critical unauthenticated remote code execution flaw in Splunk Enterprise to a massive Microsoft Patch Tuesday releasing fixes for over 200 vulnerabilities. Supply chain attacks continue to dominate headlines with malicious JetBrains IDE plugins targeting AI API keys and a compromised WordPress plugin CDN affecting over a million sites.
Critical Splunk Enterprise Vulnerability Enables Unauthenticated Remote Code Execution
Splunk has released security updates addressing CVE-2026-20253, a critical vulnerability rated 9.8 on the CVSS scale that allows unauthenticated remote code execution in Splunk Enterprise. The flaw enables attackers to execute arbitrary commands on affected systems without requiring any form of authentication, making it one of the most severe enterprise security issues disclosed this month.
The vulnerability stems from improper input validation in file operation handling within the Splunk web interface. Security researchers demonstrated that an attacker with network access to a vulnerable Splunk instance could achieve full remote code execution, potentially compromising all indexed data and the underlying host system.
Splunk administrators are urged to apply the latest security patches immediately. Organizations running exposed or internet-facing Splunk instances should prioritize remediation given the zero-authentication requirement for exploitation. Read more on The Hacker News
Node.js Releases Security Patches Addressing WebCrypto AES DoS and Other Flaws
The Node.js project released security updates across all active LTS lines (v26.3.1, v24.17.0, v22.23.0) on June 18, addressing four CVEs including a high-severity denial-of-service vulnerability in the WebCrypto API.
CVE-2026-48933 involves an integer overflow in the AES encryption implementation within Node.js's subtle.encrypt() function. When input data is a multiple of 2 GiB, the overflow causes a remote process abort, enabling attackers to crash Node.js applications that expose WebCrypto endpoints without authentication.
The release also addresses Unicode dot separator handling issues and other security hardening improvements. Node.js users across all supported versions should upgrade promptly, particularly those running services that accept untrusted input through cryptographic APIs. Read the full advisory on nodejs.org
Microsoft Patch Tuesday Fixes Record 204 Vulnerabilities Including HTTP/2 DoS Bomb
Microsoft's June 2026 Patch Tuesday was one of the largest in recent history, with 204 vulnerabilities patched across Windows, Office, Azure, and other products. Of these, 38 were classified as critical severity.
The most notable flaw is CVE-2026-49160, an HTTP/2 denial-of-service vulnerability in the HTTP.sys component rated 7.5 on CVSS. Proof-of-concept testing showed that an unauthenticated attacker could exhaust 64 GB of RAM on an IIS server in approximately 45 seconds by exploiting uncontrolled resource consumption in the HTTP/2 stack.
Three vulnerabilities were publicly disclosed before patching, indicating active exploitation potential. System administrators should deploy these updates as soon as possible, with particular attention to internet-facing web servers and mail gateways running IIS or Exchange. Read the Rapid7 analysis
Fifteen Malicious JetBrains Plugins Caught Stealing AI Provider API Keys
A coordinated malware campaign targeting developers was uncovered on the JetBrains Marketplace, with 15 malicious plugins published under seven vendor accounts designed to exfiltrate AI provider API keys from users' IDEs.
The plugins appeared legitimate and were distributed across popular JetBrains products including IntelliJ IDEA, PyCharm, and WebStorm. Once installed, they silently harvested API keys configured for AI coding assistants (such as OpenAI, Anthropic, and other providers) and transmitted them to attacker-controlled servers. The campaign was reported on June 16 and JetBrains has since removed all identified malicious plugins.
This incident highlights the growing supply chain risk in developer tooling ecosystems. Developers are advised to audit installed IDE extensions, verify plugin publishers against known accounts, and rotate any AI API keys that may have been exposed during the campaign window. Read JetBrains' official statement
Google Cloud Vertex AI SDK Flaw Allowed Cross-Tenant Model Upload Hijacking
Palo Alto Networks Unit 42 disclosed a critical vulnerability in the Google Cloud Vertex AI Python SDK that allowed attackers to hijack machine learning model uploads and achieve cross-tenant remote code execution through a technique called bucket squatting.
The flaw exploited how the SDK selected temporary Cloud Storage buckets for model file uploads. An attacker could pre-create a bucket with a predictable name before the victim's upload process, causing the SDK to write model files (including serialized Python objects via pickle) into the attacker-controlled bucket. When the victim later loaded the compromised model, arbitrary code execution occurred.
Google patched the issue in Vertex AI SDK version 1.148.0. Users of the Vertex AI Python SDK should upgrade immediately and review any models that may have been uploaded during the vulnerable period for signs of tampering. Read Unit 42's full analysis
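The bucket-squatting pattern described above, as an added example that is not code from the Vertex AI SDK, Unit 42 or Google: a toy in-memory storage service with a global bucket namespace shows why reusing a bucket by name alone is unsafe, and how an ownership check stops the upload. The naming scheme, class and function names, and project IDs are constructed assumptions.

```python
from dataclasses import dataclass, field


@dataclass
class Bucket:
    owner_project: str
    objects: dict = field(default_factory=dict)


class GlobalStorage:
    """Toy stand-in for object storage with one global bucket namespace."""

    def __init__(self):
        self.buckets = {}

    def create(self, name, project):
        if name in self.buckets:
            raise FileExistsError(name)
        self.buckets[name] = Bucket(project)
        return self.buckets[name]


def staging_name(project, region):
    # Assumed predictable naming scheme (hypothetical, for illustration).
    return f"{project}-staging-{region}"


def upload_unsafe(storage, project, region, blob, data):
    """Vulnerable pattern: reuse whatever bucket already has the expected name."""
    name = staging_name(project, region)
    bucket = storage.buckets.get(name)
    if bucket is None:
        bucket = storage.create(name, project)
    bucket.objects[blob] = data
    return bucket.owner_project  # who actually received the model file


def upload_checked(storage, project, region, blob, data):
    """Hardened pattern: refuse a bucket the caller's project does not own."""
    name = staging_name(project, region)
    bucket = storage.buckets.get(name)
    if bucket is None:
        bucket = storage.create(name, project)
    elif bucket.owner_project != project:
        raise PermissionError(f"{name} belongs to another project")
    bucket.objects[blob] = data
    return bucket.owner_project
```

The ownership check covers only the upload side; a model file that was already written to a foreign bucket still has to be treated as untrusted before it is deserialized.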
WordPress Supply Chain Attack Compromises OptinMonster, TrustPulse, and PushEngage Plugins
A supply chain attack targeting Awesome Motive plugins — including OptinMonster (used by over 1.2 million sites), TrustPulse, and PushEngage — was discovered when attackers tampered with JavaScript served from the company's CDN infrastructure.
The compromised scripts injected rogue administrator accounts and hidden backdoors into WordPress installations that loaded the affected plugins. The attack vector involved runtime injection through third-party JavaScript rather than a traditional plugin file compromise, making it harder to detect through standard integrity checks on local plugin files.
Dutch security firm Sansec detailed the attack on June 13. Site administrators using any of the three affected plugins should verify their admin user lists for unauthorized accounts, review server access logs for suspicious activity, and ensure all plugin scripts are loading from verified CDN sources. Read more on Infosecurity Magazine
GitBait Phishing Campaign Abuses GitHub Pages to Target Mexican Financial Sector
A sophisticated phishing operation dubbed "GitBait" has been uncovered, abusing GitHub Pages hosting infrastructure to target 24 major Mexican banks. The campaign uses modular phishing pages designed to steal banking credentials and credit card data.
The attackers leveraged the credibility of GitHub's domain reputation to bypass email filters and security awareness training. Stolen credentials were exfiltrated into attacker-controlled Google Sheets via the SheetBest API, creating a streamlined pipeline from victim interaction to data collection. The modular design allowed operators to quickly generate new phishing pages tailored to specific financial institutions.
This campaign underscores the ongoing challenge of trusted-domain abuse in social engineering attacks. Organizations should implement additional verification steps for login pages loaded from unexpected domains and consider blocking or monitoring access to known file-sharing APIs used as data exfiltration channels. Read more on CyberSecurityNews