
Today is Wednesday, June 10, 2026, and this is the daily technology news recap from The IT Guys. The big theme today is that security fixes are available, but several of them need actual follow-through. Microsoft’s June Patch Tuesday kept unfolding with Exchange and Windows zero-day details, Ivanti fixed critical Sentry gateway flaws, GitHub announced safer npm defaults for software supply-chain attacks, Oracle PeopleSoft customers are dealing with ShinyHunters data-theft claims, and Windows 11 users are getting useful performance and hardware-security changes mixed into the same update cycle.
The short version: patch Exchange and Windows carefully, verify Chrome and browser updates from yesterday if you missed them, review Ivanti Sentry exposure immediately if your business uses it, treat developer package installs as a security boundary, and do not ignore enterprise software that quietly sits behind HR, payroll, finance, student systems, or procurement.
Quick Takeaways
- Good news: Microsoft has now patched the Exchange Server CVE-2026-42897 issue that was being exploited, and GitHub is moving npm toward safer defaults.
- Bad news: Microsoft’s June security release is large, with BleepingComputer reporting 200 flaws, six zero-days, and one actively exploited vulnerability.
- Bad news for mobile gateway admins: Ivanti Sentry received critical fixes, including a maximum-severity command-injection issue.
- Good news for Windows 11 users: June updates include practical improvements like faster app launches, Secure Boot certificate work, Shared Audio, Multi-App Camera, and fixes for some update failures.
- Bad news for large organizations and schools: Oracle PeopleSoft systems are reportedly being targeted in ShinyHunters data-theft attacks.
- Mixed Apple news: WWDC’s AI and iOS 27 details are useful, but businesses should wait for final compatibility, privacy, and management documentation before changing policy.
1. Microsoft’s June Patch Tuesday Is Now A Full Business Priority
Microsoft’s June 2026 Patch Tuesday remains the main operational story for home users and businesses. Microsoft’s official June 2026 Security Update Guide release notes are live, and BleepingComputer reported that the release covers 200 flaws, six zero-days, and one actively exploited vulnerability. The critical count is also high: BleepingComputer lists 33 critical vulnerabilities, including many remote-code-execution issues.
That does not mean every home user needs to panic-click every button immediately, but it does mean this is not a month to forget updates until later. For a home PC, the practical path is still simple: save your work, plug in laptops, check Windows Update, install available security updates, and restart. For a business, the job is slightly different: verify backups, confirm BitLocker recovery keys are accessible, patch a pilot group, watch for line-of-business app problems, then roll updates out more broadly.
The important nuance is timing. Businesses should move quickly, but not carelessly. A forced update in the middle of work can interrupt billing, dispatch, production, scheduling, or point-of-sale activity. A delayed update on exposed servers, remote-access systems, or management machines can leave the business with a larger security problem. The better answer is a controlled patch window with a rollback plan, not indefinite delay.
The IT Guys takeaway: if you run Windows machines for a business, treat the June update cycle as a planned maintenance item this week. Do not wait until a computer forces a restart at the worst possible time.
2. Microsoft Patched An Actively Exploited Exchange Server Issue
Microsoft Exchange Server admins have a specific item to handle: CVE-2026-42897. BleepingComputer reported on June 10 that Microsoft patched an actively exploited Exchange Server vulnerability affecting Exchange Server 2016, Exchange Server 2019, and Exchange Server Subscription Edition. The issue is a high-severity spoofing vulnerability tied to Outlook Web Access and cross-site scripting conditions.
The plain-English risk is that a crafted email opened in Outlook Web Access could allow arbitrary JavaScript to run in the user’s browser context under certain interaction conditions. That is not the same as a classic “remote code execution on the server” bug, but it is still serious because Exchange mailboxes contain business communications, attachments, invoices, contracts, password-reset emails, HR details, and customer conversations.
Microsoft had already described temporary mitigation through the Exchange Emergency Mitigation Service, and BleepingComputer notes that Microsoft recommends installing the June 2026 Exchange security updates as soon as possible while leaving the mitigation in place for added defense. This is the part some organizations miss: temporary mitigation is not a reason to skip the real update. It buys time. It does not replace patching.
If your business uses Microsoft 365 Exchange Online only, this specific on-premises server maintenance burden is different. If you still host Exchange locally, run hybrid Exchange, or have an old Exchange server left behind for management, you need to know exactly what is installed and whether it is exposed. Old Exchange servers often stay around longer than people remember.
The IT Guys takeaway: if you have on-premises Exchange, verify version, patch status, EEMS status, and external exposure. If you are not sure whether an old Exchange server still exists, check before assuming it was removed.
3. Ivanti Sentry Has Critical Gateway Fixes
Ivanti published security guidance for Ivanti Sentry CVE-2026-10520 and CVE-2026-10523. The advisory describes an OS command-injection vulnerability in Ivanti Sentry before fixed versions R10.5.2, R10.6.2, and R10.7.1. Canada’s Cyber Centre also issued AV26-567 on June 9, encouraging administrators to review Ivanti’s links and apply the necessary updates for Ivanti Sentry and Endpoint Manager Mobile.
This matters because secure mobile gateways are not ordinary desktop apps. They commonly sit between mobile devices and internal services such as mail, identity, app delivery, and device management. If a gateway is exposed to the internet and attackers can run commands or gain administrative control, that can become a direct path into sensitive business systems.
For smaller organizations, the practical question is usually: “Do we even have Ivanti?” Many do not. But businesses that inherited mobile-device-management infrastructure, healthcare organizations, government contractors, schools, and larger distributed offices may have appliances or virtual gateways that are easy to forget. The riskiest systems are the ones that are internet-facing, business-critical, and maintained only when something visibly breaks.
The IT Guys takeaway: if you use Ivanti Sentry, check the exact version today, apply the vendor-supported update path, review logs for suspicious access, and reduce internet exposure where possible. If you do not use Ivanti, this is still a good reminder to inventory every remote-access and mobile-management gateway.
4. GitHub’s npm v12 Changes Are Good News For Supply-Chain Security
There was also constructive security news today for developers and businesses that depend on custom software. GitHub announced upcoming breaking changes for npm v12, expected in July 2026. The important shift is that several behaviors tied to npm install will move from automatic to explicit opt-in. GitHub says the security-related default changes are already available behind warnings in npm 11.16.0 or newer, giving teams time to prepare.
This is a meaningful change because install-time scripts are one of the easiest ways for a malicious or compromised package to run code on a developer laptop or CI server. A single dependency buried several layers deep can trigger code execution during installation. That is convenient when a package legitimately needs setup work, but dangerous when attackers compromise a package, hijack a maintainer account, or trick a developer into installing a malicious dependency.
For a small business, this may sound like developer-only housekeeping. It is more than that. Websites, appointment systems, payment integrations, customer portals, inventory tools, and automation scripts often depend on npm packages somewhere in the chain. A safer default in the package manager can reduce the chance that a routine install becomes a credential theft event. It does not remove the need for code review, secret scanning, dependency pinning, and token rotation, but it helps.
The IT Guys takeaway: if you maintain JavaScript or Node.js projects, test with npm 11.16.0 warnings now, document which packages truly need install scripts, and make sure CI tokens are limited. If you hire developers, ask how they manage dependency risk and deployment secrets.
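One way to start that list of packages that need install scripts, as an added example that is not code from GitHub, npm, or The IT Guys: it reads the `hasInstallScript` flag npm records in `package-lock.json` (lockfileVersion 2 or 3) and reports every package not yet on a documented allowlist. The package names, the sample lockfile, and the allowlist are constructed for illustration.

```javascript
// Added example: flag lockfile packages that declare install-time scripts.
// Uses the hasInstallScript flag in package-lock.json (lockfileVersion 2/3).
const MARKER = 'node_modules/';

function packageNameFromPath(lockPath) {
  // "node_modules/a/node_modules/@s/b" -> "@s/b"
  const i = lockPath.lastIndexOf(MARKER);
  return i === -1 ? lockPath : lockPath.slice(i + MARKER.length);
}

function findInstallScriptPackages(lock) {
  if (!lock || typeof lock.packages !== 'object' || lock.packages === null) {
    throw new Error('no "packages" map: lockfileVersion 2 or 3 is required');
  }
  const root = lock.packages[''] || {};
  const declared = new Set(
    ['dependencies', 'devDependencies', 'optionalDependencies']
      .flatMap((key) => Object.keys(root[key] || {})));
  const found = [];
  for (const [path, meta] of Object.entries(lock.packages)) {
    if (path === '' || !meta.hasInstallScript) continue;
    const name = packageNameFromPath(path);
    // direct = installed at the top level and named in the root manifest
    const direct = path === MARKER + name && declared.has(name);
    found.push({ name, version: meta.version, path, direct, dev: meta.dev === true });
  }
  return found;
}

// Packages with install scripts that are not on the documented allowlist.
function unreviewed(found, allowlist) {
  const allowed = new Set(allowlist);
  return found.filter((pkg) => !allowed.has(pkg.name));
}

// Constructed sample lockfile; every package name here is made up.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    '': { dependencies: { 'example-web': '^2.0.0', 'example-native': '^1.4.0' } },
    'node_modules/example-web': { version: '2.0.1' },
    'node_modules/example-native': { version: '1.4.2', hasInstallScript: true },
    'node_modules/example-web/node_modules/@example/telemetry':
      { version: '0.3.0', hasInstallScript: true },
    'node_modules/example-lint': { version: '5.1.0', dev: true, hasInstallScript: true },
  },
};

console.log(unreviewed(findInstallScriptPackages(sampleLock), ['example-native']));
```

To run it against a real project, replace `sampleLock` with the parsed contents of that project's `package-lock.json`; the transitive entries (`direct: false`) are the ones most likely to be a surprise.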
5. Oracle PeopleSoft Customers Should Watch The ShinyHunters Reports
BleepingComputer reported on June 10 that Oracle PeopleSoft servers are being targeted in ongoing data-theft attacks claimed by the ShinyHunters extortion gang. The report says ShinyHunters claimed data theft from 300 instances across more than 100 organizations, with many affected organizations reportedly in education. BleepingComputer also notes that Oracle had not publicly disclosed details at the time of that report.
PeopleSoft is not something most home users will recognize, but it is exactly the kind of enterprise system that stores sensitive data: human resources, payroll, finance, procurement, student administration, and other operational records. That makes it attractive for extortion. Attackers do not need to encrypt every laptop if they can steal a large database that contains payroll, employee, student, or vendor information.
The practical response is not to assume every PeopleSoft instance is compromised. It is to treat the report as a prompt for exposure review: confirm internet-facing services, review authentication, check logs for known indicators, confirm patch status, verify backups, and prepare an incident-response path. Schools, universities, local governments, and large organizations with older ERP deployments should pay attention.
The IT Guys takeaway: business software that “just runs in the background” can become the most important security asset in the building. If it contains payroll, HR, school, finance, or customer records, it deserves active monitoring and patch ownership.
6. Windows 11’s June Update Also Brings Practical Improvements
It is not all bad news. Alongside the security urgency, Windows 11 users are also getting practical improvements. Windows Latest’s June 9 testing highlights KB5094126 for Windows 11 versions 25H2 and 24H2, including faster app launches and shell experiences, Secure Boot certificate updates, Shared Audio for supported Bluetooth LE Audio devices, Task Manager NPU columns, Multi-App Camera support, USB reliability fixes, Microsoft Store download improvements, and a fix for some 0x800f0922 update failures tied to limited EFI System Partition space.
For everyday users, the most visible benefit may be that Windows feels a little faster when opening apps, Start, Search, and Action Center. For businesses, the Secure Boot certificate work matters more. Secure Boot helps make sure trusted software runs during startup, and certificate transitions are the kind of background security plumbing that can become painful if ignored until it breaks.
The catch is that many Windows features now roll out gradually. Installing the update does not guarantee that every new feature appears immediately. That is normal. The security fixes matter right away; some feature changes may arrive over time. Users should avoid forcing hidden feature flags on business machines unless there is a real support reason.
The IT Guys takeaway: install the June Windows updates with a plan, then verify that important devices boot cleanly, BitLocker is healthy, Windows Security reports hardware security correctly, and business apps still behave normally.
7. Apple WWDC Follow-Up: Useful AI, But Wait For Business Details
Apple’s WWDC 2026 announcements continued to shape the technology conversation today. TechCrunch’s WWDC roundup describes Apple Intelligence updates across apps, including Safari tab management, one-tap password updating, cross-app context awareness, Messages reply suggestions, and Phone app context pulled from Mail and Messages during calls. It also notes Apple’s collaboration with Google and Gemini-family models for the next generation of Apple Foundation Models powering integrated Apple Intelligence experiences.
For home users, this sounds useful if the features ship cleanly and respect privacy expectations. For businesses, the key question is governance. If an assistant can read context across apps, summarize messages, help on calls, and process personal data, then businesses need written rules for what information may be used. Customer records, medical information, legal documents, financial data, passwords, and HR material should not become casual AI test data.
The right approach is patient: wait for final compatibility lists, mobile-device-management options, regional availability, privacy documentation, and app-vendor support. Apple’s AI direction may become helpful, but a demo is not a deployment plan.
The IT Guys takeaway: Apple AI may help with everyday productivity, but businesses should decide policy before employees start using new assistant features with sensitive company or customer data.
What To Do Before Friday
- Install Microsoft’s June security updates on home PCs after saving work and restarting fully.
- For businesses, patch a pilot group first, confirm backups, then schedule the wider rollout.
- If you run on-premises Exchange, apply the June 2026 Exchange security updates and verify EEMS/mitigation status.
- Check whether any Ivanti Sentry or Endpoint Manager Mobile systems exist in your environment and update affected versions.
- Make sure Chrome, Edge, Brave, and other Chromium browsers were updated and relaunched after this week’s zero-day fix.
- For software teams, test npm 11.16.0 warnings before npm v12 changes arrive in July.
- Inventory business systems that store payroll, HR, finance, student, or customer records, especially if they are internet-accessible.
- Hold off on Apple AI policy changes until final iOS 27, macOS 27, MDM, privacy, and device-compatibility details are clear.
FAQ
Should I pause Windows updates because this month is so large?
For most home users, no. Install the updates, restart, and keep an eye on normal operation afterward. For businesses, do not blindly pause for weeks. Use a short pilot period, verify backups and BitLocker keys, then roll the updates out on a schedule.
Do I need to care about the Exchange issue if I use Microsoft 365?
If you only use Exchange Online, the on-premises patching workflow is different. But many businesses still have hybrid or leftover Exchange servers. If there is any chance one exists, verify it. Old mail servers are common forgotten risk points.
What is npm, and why does it matter to non-developers?
npm is a major package manager used in JavaScript and Node.js development. Even if you never touch it directly, your website, portal, app, or automation may rely on software built with npm packages. Safer defaults reduce the chance that a compromised package runs unwanted code during installation.
What should I do if a business system may contain sensitive records?
Identify who owns it, whether it is exposed to the internet, how it is patched, how logs are reviewed, and how backups are restored. Sensitive records need active security ownership, not just a vendor login someone uses once a year.
Sources
- Microsoft Security Response Center: June 2026 Security Updates
- BleepingComputer: Microsoft June 2026 Patch Tuesday fixes 6 zero-days, 200 flaws
- BleepingComputer: Microsoft patches Exchange Server zero-day exploited in attacks
- Ivanti: Security Advisory for Ivanti Sentry CVE-2026-10520 and CVE-2026-10523
- Canadian Centre for Cyber Security: Ivanti security advisory AV26-567
- GitHub Changelog: Upcoming breaking changes for npm v12
- BleepingComputer: Oracle PeopleSoft servers hacked in ShinyHunters data theft attacks
- Windows Latest: Windows 11 June 2026 update changes and fixes
- TechCrunch: WWDC 2026 announcements on Siri AI, iOS 27, and Apple Intelligence