
Published by Jennifer Hudsen for The IT Guys in the June 21, 2026, 5 PM recap window. Today is a Sunday, so the news cycle is lighter than on a normal business day, but there are still several items worth acting on before Monday morning.
Quick Take
Today’s practical technology picture is mixed. The good news: law enforcement and security partners cleaned nearly 15,000 infected WordPress sites in the SocGholish disruption, and Apple’s upcoming iOS 27 features point toward AI that fixes ordinary annoyances such as breached passwords and messy bill splitting. The bad news: credential theft and connected-app abuse remain the immediate small-business risk. Exposed Fortinet/FortiGate credentials, abused Klue-to-Salesforce OAuth tokens, the Mastra npm package compromise, and an exploited Splunk flaw newly added to CISA’s KEV catalog all reinforce the same lesson.
If you manage a small office, the Monday checklist is simple: rotate exposed remote-access credentials, review connected apps in Salesforce and Microsoft 365, confirm browser and Windows updates are current, check developer dependencies if you build software, and make sure backups are actually restorable.
1. Anthropic Access Restrictions Keep The AI Policy Fight In The Headlines
What happened: TechCrunch reported today that the U.S. government’s restrictions on Anthropic’s newest AI models, Fable 5 and Mythos 5, are still driving debate over AI export controls, cybersecurity usefulness, and which competitors benefit when a major model provider has to limit access. Earlier TechCrunch reporting said Anthropic took the two models offline after an export-control directive, while cybersecurity experts argued the move could remove powerful defensive tools from researchers.
Why customers should care: Most small businesses are not buying frontier AI models directly, but this story matters because it shows how quickly cloud AI availability can change. If your workflow depends on one AI vendor, model, or plugin, a policy shift, security concern, or vendor dispute can interrupt that workflow with little warning.
The IT Guys takeaway: Use AI, but do not build a business process where only one model can perform a critical job. Keep exports of important prompts, document workflows, and verify that sensitive data is not being pasted into consumer AI tools without a policy.
2. Apple’s iOS 27 AI Features Look More Practical Than Flashy
What happened: TechCrunch highlighted several iOS 27 AI features today that are less about a chatbot and more about useful actions inside everyday apps. Apple’s own newsroom pages describe Apple Intelligence improvements including automatic help with weak or compromised passwords, Visual Intelligence features such as Apple Cash bill splitting, and broader Siri AI improvements coming with the 2027 software releases this fall.
The good news: Automatic password repair is the kind of AI feature ordinary users may actually benefit from. Apple’s description says Passwords can identify weak or compromised passwords and use Safari to help upgrade them to stronger passwords. That reduces the friction that usually keeps people from fixing leaked credentials.
The caution: Beta features are not a replacement for a password manager policy, MFA, device backups, and employee training. Businesses should also avoid assuming every iPhone in the office will receive every new feature on day one. Hardware, region, language, and beta status can all matter.
3. FortiBleed Credential Exposure Keeps Remote Access In The Danger Zone
What happened: BleepingComputer, Help Net Security, and Huntress coverage from the last few days continued to track the FortiBleed disclosure: a large exposed archive reportedly included credentials associated with 73,932 Fortinet and FortiGate firewall URLs. Fortinet has said the data appears likely connected to older incidents and emphasized patching, credential rotation, and MFA, but defenders still have to treat exposed remote-access credentials as urgent.
Customer impact: Firewalls and VPN portals are high-value targets because they sit at the front door of the network. If a password has leaked, it does not matter that the firewall is expensive or “business grade.” Attackers can use valid credentials to enter quietly, create persistence, harvest configuration data, or pivot into servers and cloud accounts.
What to do: Fortinet customers should rotate VPN and administrator passwords, disable unused accounts, require MFA, review admin login history, update FortiOS, look for unknown administrators or VPN users, and check whether any firewall management interface is exposed unnecessarily to the internet.
4. Klue/Salesforce OAuth Abuse Shows Why Connected Apps Need Review
What happened: BleepingComputer reported that the Klue OAuth breach victim list grew as Icarus-linked attackers claimed involvement. Huntress and ReliaQuest observed attackers using stolen OAuth credentials connected to Klue integrations to access Salesforce environments and query data through APIs. The Hacker News also reported that Salesforce disabled the Klue Battlecards integration after token abuse.
Why it matters: OAuth tokens often bypass the mental model people have for passwords. A user may change their password and still leave a connected app authorized. If a third-party platform is compromised, the attacker may use the app’s token rather than logging in as the user through the normal front door.
Small-business action: Review connected apps in Salesforce, Microsoft 365, Google Workspace, and accounting platforms. Remove integrations no one owns, rotate tokens for critical apps, check API activity, and make sure someone is responsible for vendor security notices.
5. Microsoft Links Mastra npm Supply-Chain Attack To North Korean Hackers
What happened: BleepingComputer reported June 20 that Microsoft attributed the Mastra AI npm supply-chain attack to North Korean group Sapphire Sleet, also known as BlueNoroff. Microsoft’s own security blog said it observed a large-scale npm attack affecting more than 140 packages across the mastra and @mastra scopes, and that malicious access was removed after coordination with npm.
Why it matters: This is not just a developer problem. Many business tools are assembled from open-source packages. A compromised dependency can steal credentials from developer machines, poison builds, or create persistence in environments that later ship to customers.
What developers and IT teams should do: Audit whether any Mastra packages were installed during the affected window, rotate tokens that were present on developer machines or CI systems, rebuild from clean environments, and consider package-lock review plus software bill of materials tracking for customer-facing applications.
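One way to start the package-lock review described above, as an added example that is not code from Microsoft, npm, or the Mastra project: a Node.js function that inventories matching entries in a parsed package-lock.json. It assumes the "mastra and @mastra scopes" mean the unscoped mastra package plus anything under @mastra/; the function names and the sample lockfile are constructed for illustration.

```javascript
// Added example: list packages from the "mastra" and "@mastra" scopes in a parsed
// package-lock.json. Which versions are malicious must come from the advisory.
const isMastraName = (name) => name === "mastra" || name.startsWith("@mastra/");

// lockfileVersion 2/3: flat "packages" map keyed by install path; the package
// name is whatever follows the last "node_modules/" segment.
function fromPackagesMap(packages) {
  const hits = [];
  for (const [path, meta] of Object.entries(packages)) {
    const idx = path.lastIndexOf("node_modules/");
    if (idx === -1) continue; // "" (root project) and workspace folders
    const name = meta.name || path.slice(idx + "node_modules/".length);
    if (isMastraName(name)) {
      hits.push({ name, version: meta.version, path, resolved: meta.resolved || null });
    }
  }
  return hits;
}

// lockfileVersion 1: nested "dependencies" tree keyed by package name.
function fromDependencyTree(deps, trail = []) {
  const hits = [];
  for (const [name, meta] of Object.entries(deps || {})) {
    const path = [...trail, name].join(" > ");
    if (isMastraName(name)) {
      hits.push({ name, version: meta.version, path, resolved: meta.resolved || null });
    }
    hits.push(...fromDependencyTree(meta.dependencies, [...trail, name]));
  }
  return hits;
}

// v2 lockfiles carry both sections; prefer "packages" to avoid duplicates.
function findMastraPackages(lock) {
  return lock.packages ? fromPackagesMap(lock.packages) : fromDependencyTree(lock.dependencies);
}

// Constructed sample lockfile: names, versions and URL are illustrative only.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/express": { version: "4.19.2" },
    "node_modules/mastra": { version: "0.0.1", resolved: "https://registry.example/mastra-0.0.1.tgz" },
    "node_modules/agent-kit/node_modules/@mastra/core": { version: "0.0.2" },
    "node_modules/mastra-lookalike": { version: "9.9.9" },
  },
};
console.log(findMastraPackages(sampleLock));
```

To run it on a real project, pass in JSON.parse(fs.readFileSync("package-lock.json", "utf8")) and compare each reported version against the vendor advisory. Transitive hits (nested install paths) matter as much as direct dependencies.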
6. CISA’s KEV List Added Splunk Enterprise Exploitation Pressure
What happened: CISA’s Known Exploited Vulnerabilities catalog currently lists CVE-2026-20253, a Splunk Enterprise missing-authentication vulnerability, added on June 18 with a due date of June 21 for federal remediation. Help Net Security also flagged unauthenticated Splunk Enterprise RCE under active attack.
Who should care: Any organization running Splunk, especially internet-facing Splunk Enterprise or poorly segmented logging systems. Logging platforms often collect sensitive data, API keys, hostnames, usernames, and incident evidence. If the logging system is compromised, attackers gain both data and situational awareness.
Practical response: Confirm Splunk version and exposure, apply the vendor fix or mitigation, restrict access to management interfaces, review recent admin activity, and treat the logging system as sensitive infrastructure rather than just a reporting tool.
7. Good News: SocGholish Takedown Cleaned Thousands Of WordPress Sites
What happened: The Dutch police, with international partners, announced a SocGholish disruption tied to Operation Endgame. SecurityWeek, The Hacker News, Malwarebytes, Help Net Security, and Shadowserver all reported the key numbers: 106 command-and-control servers or domains disrupted and 14,971 compromised WordPress sites remediated.
Why it matters locally: SocGholish, also known as FakeUpdates, tricks visitors with fake browser or software update prompts and has been used as an entry point for broader malware activity. This takedown is good news, but it also reminds every WordPress site owner that an infected website can hurt customers even if the business itself is not the final target.
Website owner checklist: Keep WordPress core, plugins, and themes updated; remove abandoned plugins; use MFA for admin accounts; check for unknown users; monitor file changes; back up offsite; and use a security plugin or managed maintenance plan if nobody is actively watching the site.
8. Windows And Browser Updates Still Belong On This Week’s List
What happened: Microsoft’s June 9 Windows 11 cumulative update remains the current security baseline for Windows 11 24H2 and 25H2, while Microsoft also posted June 19 Windows Insider notes for 26H2 preview builds. On the browser side, The Hacker News covered a Chrome V8 flaw, CVE-2026-11645, that CISA added to KEV earlier this month.
What to do: Home users should restart and complete pending updates. Businesses should pilot Windows updates on a small group first, then roll them broadly once line-of-business apps look healthy. For browsers, check Chrome, Edge, Brave, and other Chromium-based browsers because they may share underlying engine risk even when the product name is different.
Monday Morning IT Checklist
- Remote access: Rotate Fortinet/FortiGate VPN and admin credentials if exposure is possible, then enforce MFA.
- Connected apps: Review OAuth integrations in Salesforce, Microsoft 365, Google Workspace, and accounting tools.
- Developer systems: Check for affected Mastra npm packages and rotate CI/developer secrets if needed.
- Security platforms: Patch Splunk Enterprise and restrict management access.
- Websites: Update WordPress and remove unused plugins; the SocGholish cleanup is a reminder that an infected site can hurt its visitors.
- Endpoints: Finish Windows and browser updates, then verify backups still restore.
If you want help reviewing VPN exposure, Microsoft 365 connected apps, WordPress maintenance, or backup restore testing, contact The IT Guys. These are exactly the small, boring checks that prevent expensive Monday problems.
Sources
- TechCrunch: When the Trump administration cracks down on Anthropic, who benefits?
- TechCrunch: Practical AI features coming to iOS 27
- Apple: Apple Intelligence brings powerful AI capabilities into everyday experiences
- Apple: New features and intelligence experiences across services
- BleepingComputer: FortiBleed leak exposes Fortinet VPN credentials
- Help Net Security: 74,000 Fortinet firewall credentials exposed
- Huntress: 2026 June Fortibleed credential exposure
- BleepingComputer: Klue OAuth breach victim list grows
- Huntress: Cybercrime breaches Klue, Salesforce data impacted
- The Hacker News: Salesforce disables Klue app integration
- BleepingComputer: Microsoft links Mastra AI supply-chain attack to North Korean hackers
- Microsoft Security: Inside the Mastra npm supply-chain compromise
- CISA: Known Exploited Vulnerabilities catalog
- SecurityWeek: 15,000 WordPress websites cleaned in SocGholish takedown
- Dutch Police: International law enforcement hunt on SocGholish
- Shadowserver: SocGholish compromised WordPress sites special report
- Microsoft Support: June 9, 2026 Windows 11 update KB5094126
- Windows Insider Blog: June 19 Windows 11 26H2 builds
- The Hacker News: Chrome V8 CVE-2026-11645 exploited in the wild