[GLOBAL] Researchers showed that a clean-looking GitHub repository could trick AI coding agents into running malware during automated clone-and-setup workflows. Investigators should preserve repository history, agent prompts, dependency manifests, shell execution logs, local environment variables, generated files and model-action traces to prove whether malicious execution came from human review failure or autonomous tooling behaviour (Source: BleepingComputer, 27-06-2026).

[APAC] Reuters reported that Tata Electronics tightened internal controls after the data breach involving claimed Apple, Tesla and supplier-related manufacturing material. The follow-on investigation should preserve forensic audit outputs, internal access restrictions, remote-work tool records, client security communications, file-provenance findings and dark-web evidence showing whether exposed material came from active systems, archives or partner workflows (Source: Reuters, 26-06-2026).

[APAC] Security researchers reported that investment-scam operators are abusing the Chinese Uni-App framework to build templates powering more than 200,000 suspicious websites. Investigators should correlate domain registrations, template reuse, hosting infrastructure, payment redirection, JavaScript artefacts, language localisation and victim-journey evidence to distinguish copycat fraud sites from a coordinated service-provider ecosystem (Source: SecurityWeek, 27-06-2026).

[GLOBAL] SecurityWeek reported that more victims had been identified in the Klue-Salesforce incident, with attackers claiming data was stolen from roughly two dozen organisations. Investigation teams should retain Salesforce audit logs, OAuth authorisations, connected-app permissions, tenant boundaries, actor leak material, customer notification records and evidence showing whether compromise arose from Klue integration abuse rather than direct customer-network intrusion (Source: SecurityWeek, 27-06-2026).

[AMER] The Financial Times reported that the National Association of Insurance Commissioners suspended investment risk designations after a ShinyHunters-linked cyberattack affected data sharing with credit-rating agencies. Investigators should preserve NAIC system logs, Oracle PeopleSoft evidence, rating-agency transfer records, suspension decisions, FBI engagement, stolen-data samples and downstream market-impact documentation showing how cyber compromise affected regulatory operations (Source: Financial Times, 28-06-2026).

[AMER] TechRadar reported that NAIC confirmed a breach after ShinyHunters claimed 3.1TB of data was stolen through an Oracle PeopleSoft zero-day attack. Evidence collection should focus on PeopleSoft patch timing, compromised credentials, lateral movement, internal document access, dark-web leak contents, cloud configuration exposure and reconciliation between NAIC statements and actor claims (Source: TechRadar, 27-06-2026).

[APAC] CERT-In updated its Cisco Catalyst SD-WAN vulnerability note, keeping critical-risk exposure visible for Indian organisations using Cisco controller and management products. Investigators should retain SD-WAN manager versions, controller logs, configuration changes, management-plane access records, administrator activity and patch evidence so suspected exploitation can be tested against the updated advisory baseline (Source: CERT-In, 27-06-2026).

[AMER] CISA’s latest Known Exploited Vulnerabilities catalogue activity continued to push rapid remediation for flaws with evidence of exploitation in the wild. Investigators should capture vulnerability-management tickets, exposed-asset lists, compensating controls, exploitation indicators, emergency-change approvals and validation artefacts before patching or reconfiguration removes records needed to prove whether compromise preceded mitigation (Source: CISA, 25-06-2026).

[EMEA] Europol said Operation Endgame disrupted SocGholish, Amadey and StealC malware networks through a coordinated global strike against criminal infrastructure. Investigators should preserve seized servers, malware configuration files, command-and-control panels, loader-to-victim mappings, credential-theft artefacts, hosting records and legal-process documentation linking infrastructure operators to downstream ransomware and fraud activity (Source: Europol, 25-06-2026).

[AMER] The U.S. Justice Department announced the seizure of a cloud-computing account allegedly used by Huione Group subsidiaries to support cryptocurrency scams and laundering. The case creates evidence trails across cloud metadata, hosted infrastructure, domain mappings, wallet identifiers, payment flows, customer records and links between Southeast Asian scam operations and money-laundering services (Source: U.S. Department of Justice, 23-06-2026).

[APAC] CERT-In continued listing new cyber security guidelines for smart city infrastructure and space systems, reflecting India’s expanding policy focus on connected public-sector environments. For investigative readiness, the guidance points to stronger asset ownership, telemetry retention, supplier accountability, platform dependency mapping and sector-specific incident records when critical infrastructure evidence must be preserved (Source: CERT-In, 27-06-2026).

[AMER] Dark Reading reported that third-party breaches are teaching the education sector costly lessons in vendor risk as software platforms concentrate exposure across many institutions. The governance implication is that schools need clearer supplier logging obligations, contractual notification duties, data-flow records, access-control evidence and breach-response playbooks before one platform compromise becomes a multi-institution evidential problem (Source: Dark Reading, 27-06-2026).