IT News Roundup: WordPress Supply Chain Attack, Quantum Encryption Mandate, Record Patch Tuesday - June 17, 2026

A busy period for security teams: a major WordPress supply-chain compromise exposed millions of sites to backdoors, France announced it will stop certifying products without quantum-resistant encryption, Microsoft released its largest-ever Patch Tuesday update, and several critical vulnerabilities across OpenSSL, Oracle, and Palo Alto Networks came under active exploitation.

WordPress Plugin Supply Chain Attack Hits 1.4 Million Sites

E-commerce security firm Sansec discovered an active supply chain attack targeting three popular WordPress plugins from Awesome Motive: OptinMonster, TrustPulse, and PushEngage. The attacker compromised the CDN files serving JavaScript for all three plugins, injecting malicious code that created rogue administrator accounts and planted hidden backdoors on affected sites.

The OptinMonster plugin alone has over 1.4 million active WordPress installations worldwide. PushEngage confirmed the breach a day after Sansec's disclosure, noting that attackers had served tampered copies of its script to visitors. Sites loading these compromised scripts risked full takeover by threat actors who could create admin accounts and modify site content.

The incident underscores growing concerns about third-party JavaScript dependencies in web applications. Source: Sansec Research

France Halts Certification of Non-Quantum-Safe Encryption Products

France's national cybersecurity agency, ANSSI, announced on June 16 that it will stop certifying security products lacking quantum-resistant encryption. The mandate, revealed at the France Quantum conference in Paris, means all products used by government entities and critical infrastructure operators must transition away from classical public-key cryptography vulnerable to future quantum computing attacks.

ANSSI chief of staff Samih Souissi outlined a timeline requiring organizations to begin migrating to post-quantum cryptographic algorithms. The move positions France as one of the first major governments to enforce quantum-safe encryption requirements, potentially setting a precedent for other nations and regulatory bodies considering similar mandates.

The announcement comes as NIST continues standardizing post-quantum cryptography algorithms, with several already approved for deployment. Source: Reuters

Microsoft June Patch Tuesday Sets Record with 200 Vulnerabilities Fixed

Microsoft's June 2026 Patch Tuesday release addressed a record-breaking 200 security vulnerabilities across its software ecosystem, surpassing the previous single-month record of 167 CVEs. The update included fixes for six zero-day vulnerabilities — five publicly disclosed and one actively exploited in attacks.

The massive patch cycle covered Windows, Office, Azure, Edge, and related products. Security teams faced significant triage challenges as the sheer volume of patches made prioritization difficult. The release highlights the growing complexity of Microsoft's software portfolio and the increasing pace at which vulnerabilities are being discovered.

Industry analysts noted that traditional quarterly patch cycles may no longer be sufficient given the scale of modern vulnerability disclosures. Source: BleepingComputer

Oracle PeopleSoft Zero-Day Exploited by ShinyHunters in Education Sector Attacks

Oracle disclosed a critical unauthenticated remote code execution vulnerability in its PeopleSoft PeopleTools application, tracked as CVE-2026-35273 (CVSS: 9.8). The flaw was already being actively exploited by the threat group ShinyHunters (UNC6240) before Oracle's June 10 advisory, with attacks targeting university and education sector infrastructure.

Mandiant and Google Threat Intelligence confirmed that ShinyHunters used the zero-day between May 27 and June 9 to compromise PeopleSoft deployments, exfiltrate data, and launch extortion campaigns. The vulnerability allows complete system takeover without any authentication, making it one of the most dangerous enterprise application flaws disclosed this year.

Oracle issued emergency guidance urging all PeopleSoft customers to apply patches immediately. Organizations running PeopleSoft should verify their patch status as a top priority. Source: Oracle Security Alert

OpenSSL Patches Critical Heap Use-After-Free Vulnerability (CVE-2026-45447)

OpenSSL released a batch of security fixes on June 9 addressing 18 vulnerabilities, headlined by CVE-2026-45447 — a high-severity heap use-after-free bug in the PKCS7_verify function. The flaw can be triggered by processing specially crafted PKCS#7 or S/MIME signed messages and may lead to crashes, heap corruption, or potentially remote code execution.

The vulnerability stems from an incorrectly freed caller-owned BIO object when the SignedData digestAlgorithms field is processed during signature verification. Applications that handle email signatures, certificate validation, or any PKCS#7-signed content are at risk if running unpatched OpenSSL versions across all supported branches (1.0.2 through 4.0).

The vulnerability was notably discovered using AI-assisted analysis tools, highlighting the growing role of automated techniques in security research. Source: SecurityWeek

Palo Alto Networks PAN-OS GlobalProtect Authentication Bypass Under Active Exploitation

Palo Alto Networks confirmed active exploitation of CVE-2026-0257, an authentication bypass vulnerability in the GlobalProtect portal and gateway components of its PAN-OS software. The flaw (CVSS: 7.8) allows remote, unauthenticated attackers to forge valid authentication override cookies and establish unauthorized VPN connections.

Palo Alto Networks Unit 42 observed threat actors leveraging this vulnerability to bypass security controls and gain access to internal networks through GlobalProtect deployments. While Panorama and Cloud NGFW products are not affected, organizations relying on traditional PAN-OS GlobalProtect gateways should prioritize patching immediately.

The vulnerability demonstrates the ongoing risk of authentication bypass flaws in VPN infrastructure — a critical attack surface for remote workforce security. Source: Palo Alto Networks