5 PM Tech News Recap for June 20, 2026: Prinz Eugen, Mastra npm, OAuth Tokens, WordPress, And AI PCs

Published by Jennifer Hudsen for The IT Guys at the June 20, 2026 5 PM recap window. Today’s roundup is security-heavy, with a few practical hardware and developer-platform notes for home users, small businesses, and anyone responsible for keeping systems patched, backed up, and sane.

Here is the short version: ransomware crews are still tuning attacks around business disruption, developer supply-chain attacks are still going after credentials and wallets, Salesforce-connected OAuth tokens are the new “check this now” item for many businesses, and WordPress sites need another plugin audit. The good news is that npm is moving toward safer defaults, x86 chip vendors are still improving local AI performance, and smart buyers can find useful PC hardware deals if they verify parts and sellers carefully.

1. New Prinz Eugen ransomware focuses on recently changed files

The bad news: BleepingComputer reported today that a newer ransomware operation called Prinz Eugen prioritizes recently modified files for encryption and does not leave the usual ransom note on the system. Threatdown’s research says the operators use hands-on-keyboard methods, legitimate remote monitoring and management tools, and living-off-the-land utilities. That matters because recently changed files are often the working documents, spreadsheets, databases, exports, and customer files a business needs most urgently.

For small businesses, this is a reminder that “we have backups” is not enough by itself. The useful question is whether the backups are isolated, recent, tested, and fast enough to restore the files people actually need to work tomorrow morning. If ransomware is targeting newly modified files first, then daily file-level backups, version history, immutable backup snapshots, and offline copies matter more than a single old image backup sitting on the same network.

  • Home users: turn on cloud version history where available, keep an external backup that is not always plugged in, and do not ignore suspicious remote-support popups.
  • Small businesses: review RMM access, remove stale remote tools, require MFA for admin and support accounts, and test restoring a few recently changed files before you need to do it under pressure.
  • IT takeaway: monitor for unusual RMM use, new services, unexpected PowerShell activity, and bulk file changes. A backup plan that has never been tested is still a theory.

2. Microsoft tied the Mastra AI npm supply-chain attack to North Korean hackers

The developer risk: Microsoft attributed the recent Mastra AI package compromise to Sapphire Sleet, also known as BlueNoroff, a North Korean state actor. BleepingComputer summarized Microsoft’s finding that more than 140 npm packages in the @mastra scope were compromised after an npm maintainer account was hijacked. The malicious updates pulled in a typosquatted dependency named easy-day-js, which ran a post-install hook and attempted to steal sensitive data including credentials, API keys, authentication tokens, and cryptocurrency wallets.

This is not just a developer problem. Many businesses now depend on web apps, automations, dashboards, AI tools, and internal scripts that quietly pull open-source packages. If a compromised package lands on a developer workstation or build server, the attacker may get access to cloud tokens, source code, private repositories, deployment keys, payment systems, or customer data.

The good news: GitHub has already announced security-focused changes coming with npm v12. The important shift is that install-time scripts and certain non-registry dependency behavior will require explicit approval instead of silently running by default. That will not erase supply-chain attacks, but it moves the ecosystem in the right direction because automatic code execution during dependency installation has been a favorite attacker path.

  • Developers should rotate any exposed tokens, review recent installs, and check package-lock changes around the affected timeframe.
  • Businesses should separate developer machines from production credentials wherever possible.
  • For internal software, require dependency review before production builds and consider using a package mirror or allowlist for sensitive environments.

3. Salesforce-connected OAuth token incidents are growing

The SaaS warning: BleepingComputer reported late Friday that Klue confirmed an incident involving a compromised legacy credential tied to integration infrastructure. Attackers obtained OAuth tokens used to connect Klue with third-party platforms including Salesforce, and the Icarus extortion group has publicly claimed the attack. Multiple affected companies have disclosed Salesforce data exposure tied to the integration path.

The practical lesson is simple: connected apps deserve the same respect as user accounts. A Salesforce, Microsoft 365, Google Workspace, accounting, CRM, help desk, or marketing integration can carry broad access even when no one types a password. Old integrations, abandoned trial apps, and “temporary” vendor connections can sit around long after anyone remembers why they were approved.

  • Review connected apps and OAuth grants in Salesforce and other major SaaS platforms.
  • Remove integrations that are no longer needed, especially legacy marketing and sales tools.
  • For critical platforms, document who approved each integration, what data it can read, and when it should be reviewed again.
  • If a vendor reports an integration breach, revoke tokens first, then reconnect only after confirming the vendor’s remediation steps.

4. WordPress site owners should patch Gravity SMTP and audit Avada Builder

The website risk: Attackers are exploiting CVE-2026-4020 in Gravity SMTP, a WordPress plugin installed on roughly 100,000 sites. The bug affects version 2.1.4 and older and was fixed in version 2.1.5. The exposed REST API endpoint can leak a system report that may include email API keys, OAuth tokens, plugin/theme versions, WordPress configuration details, and database information.

That is bad because email-service credentials are useful for spam, phishing, password resets, and follow-on account abuse. Even though the vulnerability is rated medium severity, unauthenticated exposure of live credentials can become a much bigger incident if the site uses connected mail services for contact forms, order notifications, or customer communication.

Wordfence also warned about a separate Avada Builder file-deletion flaw, CVE-2026-8713, fixed in version 3.15.4. BleepingComputer noted that no active exploitation had been observed at publication time, but the exposure is still worth handling quickly because Avada is widely used.

  • Update Gravity SMTP to at least 2.1.5 and Avada Builder to at least 3.15.4 if installed.
  • Rotate email API keys if Gravity SMTP was exposed and connected to a mail provider.
  • Check admin users, new plugins, and recent file changes after patching.
  • Use a staging copy for major theme/plugin changes, but do not let staging delay emergency security fixes for internet-facing sites.

If you are not sure which plugins are installed on your business site, The IT Guys can help with a practical WordPress security review through our contact page.

5. CISA’s current exploited-vulnerability list still has urgent patch deadlines

CISA’s Known Exploited Vulnerabilities catalog still shows several June items with tight federal remediation deadlines, including Splunk Enterprise CVE-2026-20253 added June 18 with a June 21 due date, Joomla Content Editor CVE-2026-48907 added June 16, Cisco Catalyst SD-WAN Manager CVE-2026-20262 added June 15, and Google Chromium V8 CVE-2026-11645 added June 9. Even if you are not a federal agency, the list is a useful “patch this before routine maintenance” signal because it tracks vulnerabilities seen exploited in the wild.

For most small businesses, this means keeping a short emergency patch list separate from normal monthly patching. Browsers, firewalls, VPNs, remote-access tools, WordPress plugins, CRM integrations, and heavily exposed admin portals should move faster than ordinary workstation updates.

6. Hardware note: AI work on ordinary PCs keeps getting more practical

The useful good news: Tom’s Hardware covered new Intel and AMD ACE CPU extensions aimed at making matrix-heavy AI workloads more power- and density-efficient on x86 CPUs. This is early hardware-platform news, not something home users need to buy today, but it fits the larger trend: more AI work is moving toward local devices instead of only cloud services.

That matters for privacy, cost, and reliability. Local AI features can reduce cloud dependency for tasks like search, transcription, document help, image sorting, and office automation. The catch is that businesses still need policies. A faster local AI feature is useful only if employees know what data they can put into it, how results are checked, and whether the tool stores or syncs prompts somewhere else.

7. Deal note: gaming-PC bundles are tempting, but verify the whole platform

Tom’s Hardware also highlighted a Micro Center bundle now available through Amazon with a Ryzen 7 9800X3D, 32 GB of DDR5 memory, and an MSI B850 Wi-Fi 7 motherboard. The customer-friendly part is that bundles can reduce compatibility mistakes for DIY builders. The caution is that prices move quickly, and a bundle is only a good buy if the motherboard features, RAM speed, return policy, seller, warranty, and total build plan make sense.

For business machines, do not chase gaming deals unless the workload actually benefits from the parts. For a front desk, office workstation, or QuickBooks-style machine, reliability, warranty support, storage health, backup setup, and quiet operation usually matter more than a top gaming CPU. For a creator, CAD, lab, or AI-testing workstation, the bundle could be more interesting, but the GPU, power supply, case airflow, and backup plan still decide whether the build is practical.

Today’s practical checklist

  • Confirm your most important files have versioned, tested backups.
  • Remove old remote-access tools and unused admin accounts.
  • Review OAuth/connected-app access in Salesforce, Microsoft 365, Google Workspace, and major business platforms.
  • Patch WordPress plugins, especially Gravity SMTP and Avada Builder if installed.
  • Developers should check recent npm installs, rotate exposed tokens, and prepare for npm v12’s safer defaults.
  • Keep emergency patching separate from routine monthly maintenance for exploited vulnerabilities.
