Over the last several days, the threat pattern is clustering around access infrastructure: VPNs, file-transfer servers, domain controllers, web platforms, developer packages, and password vault workflows.

Attackers are not wasting time on exotic paths when trusted systems are handing them leverage with a bow on top.

This is a week for shrinking exposure, validating patches, rotating credentials, and remembering that “we think it’s updated” is not a control.

📈 Risk Forecast – The Week Ahead 📉

| Trend (Macro) | Likelihood | Direction | Signal for the Week |
|---|---|---|---|
| VPN and remote-access exploitation | 84% | 🔺 Rising | Check Point VPN zero-day activity tied to Qilin keeps remote access at the top of the risk stack. |
| File-transfer service exploitation | 78% | 🔺 Rising | SolarWinds Serv-U exploitation shows attackers still love operational choke points. |
| Public web/CMS takeover | 76% | 🔺 Rising | Everest Forms Pro exploitation gives attackers a clean path to WordPress admin control and webshells. |
| Domain controller privilege escalation | 74% | 🔺 Rising | Netlogon exploitation against Windows Server DCs turns one weakness into domain-wide risk. |
| CI/CD and developer supply-chain compromise | 80% | 🔺 Rising | Red Hat npm package compromise shows trusted publishing workflows can become malware distribution. |
| Password vault / identity workflow abuse | 68% | ➡ Stable | Dashlane brute-force activity proves MFA workflows still need monitoring and rate limits. |

🔎 Key Watchlist Items 🔍
  1. Check Point VPN zero-day activity linked to Qilin ransomware — Check Point tied recent exploitation activity to Qilin operators, which makes VPN access the first place to look if your remote-access surface is still exposed, under-patched, or treated like “just firewall stuff.”

  2. SolarWinds Serv-U flaw added to KEV after active exploitation — CISA added CVE-2026-28318 to the exploited list after evidence of real-world abuse, so treat Serv-U exposure as file-transfer service disruption risk, not a low-drama availability ticket.

  3. Everest Forms Pro WordPress flaw exploited for site takeover — Attackers are exploiting CVE-2026-3300 to inject PHP, create admin accounts, and take over vulnerable sites, making WordPress takeover a brand, trust, and malware-staging issue in one ugly package.

  4. Windows Server domain controller vulnerability exploited in the wild — CVE-2026-41089 can allow system-level compromise or denial of service through malformed Netlogon traffic, making domain-controller risk a Tier-0 priority instead of a normal server patch.

  5. Red Hat npm packages hit by Miasma credential-stealing worm — Microsoft reported malicious versions across the @redhat-cloud-services namespace that targeted GitHub, npm, AWS, Azure, GCP, Vault, Kubernetes, SSH keys, and CI runner secrets, making Miasma a supply-chain incident with real cloud blast radius.

  6. Dashlane brute-force attack led to limited encrypted vault downloads — Dashlane said attackers brute-forced some account workflows and downloaded encrypted vaults for fewer than 20 personal users, which makes vault access a reminder that password managers still need device-registration controls, alerting, and strong master-password hygiene.

📊 Emerging Patterns 📊

Remote access remains the ransomware front porch. VPN zero-days do not need broad exploitation to matter. One exposed gateway can become the whole incident.

Operational services are high-leverage targets. File-transfer platforms, domain controllers, and CMS systems create disruption, data exposure, or persistence with very little attacker creativity required.

Supply-chain compromise is getting better at looking legitimate. Miasma abused trusted publishing workflows and provenance signals, which means “signed” and “safe” are not the same word.

Public websites are still attacker infrastructure waiting to happen. WordPress takeover creates phishing pages, malware redirects, fake login prompts, and brand damage before leadership even knows the plugin exists.

Identity workflows need security engineering, not optimism. Brute-force pressure against device-registration or MFA flows should be treated like authentication infrastructure abuse.

⏰ Call to Action ⏰
  • VPN containment: Patch affected Check Point environments, restrict remote-access exposure, review VPN logs for abnormal session creation, and look for Qilin-linked post-access behavior.

  • File-transfer hardening: Patch SolarWinds Serv-U to the fixed release, restrict access to trusted networks, and monitor for crash loops, crafted POST activity, and suspicious file-transfer service restarts.

  • WordPress integrity review: Update Everest Forms Pro, hunt for unauthorized admin accounts, inspect plugin/theme files for PHP injection, and verify no new webshell-like artifacts exist.

  • Domain controller patch proof: Confirm Windows Server DC patch status through telemetry, prioritize Netlogon-related exposure, and monitor for LSASS crashes, abnormal Kerberos activity, or unexpected privileged account creation.

  • Supply-chain containment: Identify affected @redhat-cloud-services packages, rotate CI/CD and cloud credentials, review GitHub Actions logs, pin known-good versions, and disable install scripts where feasible.

  • Vault and MFA workflow review: Audit new device registrations, enforce phishing-resistant MFA where possible, strengthen rate limits, and alert on repeated failed verification attempts.
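
For the supply-chain containment item above, here is one way to inventory every install of a scoped package from a lockfile and flag what needs review. This is an added example, not code from the newsletter, Microsoft, or Red Hat; the package names, versions, and the `pinnedGood` allowlist are constructed placeholders, and the lockfile fields used (`version`, `integrity`, `hasInstallScript`) are those of npm lockfile versions 2 and 3.

```javascript
// Constructed sample: the `packages` map of a package-lock.json (lockfileVersion 2 or 3).
// Package names and versions are made up for illustration.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/@redhat-cloud-services/example-client": {
      version: "2.4.1", integrity: "sha512-CONSTRUCTED", hasInstallScript: true },
    "node_modules/@redhat-cloud-services/example-utils": {
      version: "1.0.3", integrity: "sha512-CONSTRUCTED" },
    "node_modules/left-pad": { version: "1.3.0", integrity: "sha512-CONSTRUCTED" },
    "node_modules/foo/node_modules/@redhat-cloud-services/example-utils": {
      version: "1.0.9" },
  },
};

// Hypothetical allowlist of versions you have reviewed; fill it from your own verification.
const pinnedGood = {
  "@redhat-cloud-services/example-client": ["2.4.0"],
  "@redhat-cloud-services/example-utils": ["1.0.3"],
};

// Return every install of a package in `scope`, including nested copies,
// together with the reasons it needs attention.
function auditScope(lock, scope, pinned) {
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    // The package name is whatever follows the last "node_modules/" segment.
    const idx = path.lastIndexOf("node_modules/");
    if (idx === -1) continue; // root project entry
    const name = path.slice(idx + "node_modules/".length);
    if (!name.startsWith(scope + "/")) continue;
    const reasons = [];
    if (!(pinned[name] || []).includes(meta.version)) reasons.push("version-not-pinned");
    if (meta.hasInstallScript) reasons.push("has-install-script");
    if (!meta.integrity) reasons.push("missing-integrity");
    findings.push({ name, version: meta.version, path, reasons });
  }
  return findings;
}

const report = auditScope(sampleLock, "@redhat-cloud-services", pinnedGood);
for (const f of report) {
  console.log(`${f.name}@${f.version} [${f.reasons.join(", ") || "ok"}] at ${f.path}`);
}
```

Installing with `npm ci --ignore-scripts` keeps lifecycle scripts from running while the flagged entries are reviewed.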

⚡ Monday Motivation ⚡

The good news: defenders are getting better at forcing sunlight into ugly places. Microsoft’s Miasma write-up gave teams package names, behavior details, and mitigation steps fast enough to turn “supply-chain mystery” into an actionable response plan.

That matters. Every clear advisory, every fast package removal, every forced token rotation makes criminal automation less profitable.

The bad guys scale on trust. Defenders win when trust gets verified.

This week’s theme is simple: attackers are not breaking into “systems.” They are breaking into trust relationships. Verify the trust, or eventually explain the breach.

J.W.
