This episode covers emergency patches for a critical Check Point VPN zero-day that's been exploited by ransomware groups since early May, plus a Python supply-chain attack that compromised nineteen packages on PyPI. Adrian breaks down why patching isn't enough when attackers have already had weeks inside networks, and how developer trust becomes the vulnerability in these campaigns.

Stories covered:

- Check Point VPN Flaw Exploited Since Early May (Dark Reading) - https://www.darkreading.com/vulnerabilities-threats/check-point-vpn-flaw-exploited-early-may

- Check Point links VPN zero-day attacks to Qilin ransomware gang (BleepingComputer) - https://www.bleepingcomputer.com/news/security/check-point-links-vpn-zero-day-attacks-to-qilin-ransomware-gang/

- New Shai-Hulud attack trojanizes 19 science-focused PyPI packages (BleepingComputer) - https://www.bleepingcomputer.com/news/security/new-shai-hulud-attack-trojanizes-19-science-focused-pypi-packages/

- UNC3753 Used Vishing and Physical Intrusions in U.S. Data Theft Extortion Campaign (The Hacker News) - https://thehackernews.com/2026/06/unc3753-used-vishing-and-physical.html

- ‘I’m a 75-Year-Old Grandmother of Six and Just Ran a 3:57 Marathon. This Is How I Train’ (Runner's World) - https://www.runnersworld.com/training/a71523801/penny-jarvis-runner/

- Surveillance Is Not Safety: A statement on the UK's latest threat to privacy [pdf] (Hacker News) - https://signal.org/blog/pdfs/2026-06-08-uk-surveillance-is-not-safety.pdf