NE Times

A brutal week for defenders: record Patch Tuesday, fresh zero-days and a renewed supply-chain assault

Security teams faced one of the most concentrated bursts of risk in years in June, as Microsoft patched some 200 flaws, Chrome shipped another emergency fix and the Shai-Hulud campaign poisoned more than 100 software packages.

Aisha Rahman, Cybersecurity Correspondent

A security operations centre with analysts monitoring multiple threat dashboards

If June felt like an exhausting month to work in cybersecurity, that is because it was. In the space of a single week, defenders absorbed the largest Microsoft Patch Tuesday on record, a freshly exploited Chrome flaw, a belatedly disclosed API incident at ServiceNow and a renewed wave of supply-chain attacks hitting more than 100 software packages across the npm and PyPI ecosystems.

Individually, each event would have been a notable headache. Arriving together, they amounted to one of the most concentrated bursts of operational risk security teams have faced in years, and a reminder of how fragile the software supply chain remains even after a decade of warnings.

The pile-up also reflects a broader trend that has defined 2026: attackers increasingly target the shared infrastructure that everyone depends on, from operating systems to open-source package registries, rather than picking off individual organisations one at a time.

The most patch-dense month in Microsoft's history

June's Patch Tuesday was, by Microsoft's own measure, the most patch-dense in the company's history, addressing roughly 200 vulnerabilities in a single release. Among them were 33 rated critical and six zero-days, five of which had been publicly disclosed before any fix existed, leaving systems exposed in the window between disclosure and patching.

For administrators, the sheer volume is its own kind of risk. Testing and deploying 200 fixes without breaking production systems is a major undertaking, and every day of delay widens the window in which attackers can strike. A separate, unpatched Windows Defender zero-day surfaced during the same week, compounding the pressure.

When you ship 200 fixes at once, the bottleneck is no longer finding the patch, it is testing and deploying it before someone weaponises the ones that were already public.

a security researcher

Browsers and APIs under fire

Google confirmed that a flaw tracked as CVE-2026-11645, an out-of-bounds memory access bug in Chrome's V8 JavaScript engine, was being exploited in the wild, the fifth actively exploited Chrome zero-day of the year. Because V8 runs the JavaScript of every page a user visits, a single crafted site is enough to reach the bug, and given Chrome's vast install base such flaws are prized by attackers because one of them can reach an enormous population of users.

ServiceNow, meanwhile, dealt with an API incident that drew criticism for a four-day notification delay. The company ultimately attributed the observed activity to security researchers or customers conducting their own testing after a report arrived through its bug bounty programme on 7 June, but the slow disclosure underscored how hard it can be to distinguish benign research from genuine compromise in real time.

Shai-Hulud returns to the supply chain

Perhaps the most worrying development was a new wave of the Shai-Hulud supply-chain campaign, which infected more than 100 packages across the npm and PyPI registries. By poisoning widely used open-source components, such attacks can reach thousands of downstream projects that never knew they were exposed.

  • Around 200 vulnerabilities patched in a single Microsoft release, including 33 critical and six zero-days
  • A new unpatched Windows Defender zero-day disclosed in the same week
  • Chrome's fifth actively exploited zero-day of 2026, CVE-2026-11645 in the V8 engine
  • A ServiceNow API incident disclosed four days after it was reported
  • More than 100 npm and PyPI packages hit by a renewed Shai-Hulud campaign

The Shai-Hulud resurgence fits a grim 2026 pattern. Earlier in the year, compromises of trusted security tools cascaded into breaches at downstream organisations, and education platform Canvas suffered a breach affecting more than 30 million students and staff. When the components everyone trusts are turned against them, the blast radius is enormous.

Supply-chain attacks work because trust is transitive. You vet your own code, but you cannot realistically vet every dependency of every dependency, and attackers know it.

an analyst

Background

Supply-chain attacks have moved from a niche concern to a defining threat of the decade, accelerated by the open-source ecosystem's deep webs of shared dependencies. Patch Tuesday, Microsoft's monthly security release, has likewise grown heavier year on year as both researchers and attackers probe ever more software, leaving defenders in a permanent race to keep up.

What happens next: organisations are being urged to prioritise the publicly disclosed zero-days, audit their software dependencies and tighten how they vet third-party packages. But the structural problem, an internet built on layers of shared, under-resourced open-source code, will not be patched in a single Tuesday. June was a stress test, and the systems that held will be the ones that had already invested in resilience before the bad week arrived.
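One concrete form of the dependency audit urged above, added here as an example and not taken from the TechCrunch report or from any vendor tool: a Python script that checks an npm package-lock.json for entries with no integrity hash, tarballs resolved from outside the expected registry, and packages that declare install scripts, and that verifies a downloaded tarball against the hash the lockfile recorded. The package names, URLs and lockfile contents are constructed for illustration.

```python
"""Lockfile audit for third-party npm packages.

Added example (not from the article, the TechCrunch report or any vendor):
it checks what a package-lock.json can prove offline and verifies a tarball
against its recorded Subresource Integrity hash. Package names, URLs and the
lockfile contents below are constructed for illustration.
"""
import base64
import hashlib
import json

# Hosts whose tarballs we treat as first-party registry downloads (assumption).
TRUSTED_REGISTRY_PREFIXES = ("https://registry.npmjs.org/",)

SRI_ALGORITHMS = ("sha256", "sha384", "sha512")


def sri_hash(data: bytes, algorithm: str = "sha512") -> str:
    """Return the SRI string ("sha512-<base64 digest>") npm stores for a tarball."""
    digest = hashlib.new(algorithm, data).digest()
    return f"{algorithm}-{base64.b64encode(digest).decode()}"


def verify_tarball(data: bytes, integrity: str) -> bool:
    """True if the tarball bytes match any supported hash in the lockfile value.

    npm may store several space-separated hashes; unknown algorithms are ignored.
    """
    for token in integrity.split():
        algorithm = token.partition("-")[0]
        if algorithm in SRI_ALGORITHMS and sri_hash(data, algorithm) == token:
            return True
    return False


# Constructed tarball contents and the integrity value a clean lockfile would hold.
GOOD_TARBALL = b"constructed tarball bytes for good-lib"
GOOD_INTEGRITY = sri_hash(GOOD_TARBALL)

# Constructed lockfile in the lockfileVersion 3 layout (a "packages" map).
SAMPLE_LOCKFILE = json.dumps({
    "name": "example-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "example-app"},
        "node_modules/good-lib": {
            "version": "2.1.0",
            "resolved": "https://registry.npmjs.org/good-lib/-/good-lib-2.1.0.tgz",
            "integrity": GOOD_INTEGRITY,
        },
        "node_modules/no-hash-lib": {
            "version": "0.4.2",
            "resolved": "https://registry.npmjs.org/no-hash-lib/-/no-hash-lib-0.4.2.tgz",
        },
        "node_modules/mirror-lib": {
            "version": "1.0.0",
            "resolved": "https://mirror.example.net/mirror-lib-1.0.0.tgz",
            "integrity": "sha512-Y29uc3RydWN0ZWQ=",
        },
        "node_modules/scripted-lib": {
            "version": "3.0.1",
            "resolved": "https://registry.npmjs.org/scripted-lib/-/scripted-lib-3.0.1.tgz",
            "integrity": "sha512-Y29uc3RydWN0ZWQ=",
            "hasInstallScript": True,
        },
    },
})


def audit_lockfile(lock_text: str) -> dict:
    """Map each suspicious package path to the provenance problems found."""
    lock = json.loads(lock_text)
    findings = {}
    for path, entry in lock.get("packages", {}).items():
        if path == "" or entry.get("link"):
            continue  # the root project and workspace symlinks fetch nothing
        problems = []
        resolved = entry.get("resolved", "")
        if not resolved:
            problems.append("no resolved URL, so the tarball origin cannot be audited")
        elif not resolved.startswith(TRUSTED_REGISTRY_PREFIXES):
            problems.append(f"resolved outside the trusted registry: {resolved}")
        if "integrity" not in entry:
            problems.append("no integrity hash, so a swapped tarball would go unnoticed")
        if entry.get("hasInstallScript"):
            problems.append("declares lifecycle install scripts, which run code at install time")
        if problems:
            findings[path] = problems
    return findings


if __name__ == "__main__":
    for path, problems in sorted(audit_lockfile(SAMPLE_LOCKFILE).items()):
        print(path)
        for problem in problems:
            print("  -", problem)
    print("good-lib tarball verifies:", verify_tarball(GOOD_TARBALL, GOOD_INTEGRITY))
```

The lockfile only records what npm saw at install time, so the hash comparison is what actually catches a tarball replaced after the fact; the install-script flag is a prompt to read the package before installing it, not proof that anything is wrong.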

Source: This summary is based on reporting by TechCrunch. The NE Times aggregates and rewrites news for readability; please refer to the original for the full report.
