The Latest

Here’s an overview of some of last week’s most interesting news, articles, interviews and videos:

Week in review

TeamPCP breached GitHub’s internal codebase via poisoned VS Code extension
Following TeamPCP’s claim that they’ve breached GitHub’s own private code repositories, the Microsoft-owned company launched an investigation and confirmed the compromise.

Earbud sensors can authenticate users by their heartbeat, study finds
Researchers built a continuous authentication system called AccLock that identifies a wearer by the tiny vibrations a heartbeat makes inside the ear canal.

Attackers are exploiting critical NGINX vulnerability (CVE-2026-42945)
A critical NGINX vulnerability (CVE-2026-42945) disclosed last week is being exploited by attackers, VulnCheck security researcher Patrick Garrity revealed on Saturday.

Communicating cyber risk in dollars boards understand
In this Help Net Security interview, Nick Nieuwenhuis, Cybersecurity Architect at Nedscaper, explains why cybersecurity has not delivered the resilience that decades of investment have promised.

Microsoft provides mitigation for “YellowKey” BitLocker bypass flaw (CVE-2026-45585)
Microsoft is working on a fix for CVE-2026-45585 (aka “Yellowkey”), a vulnerability that can be used by attackers to bypass protections offered by BitLocker, the full-disk encryption feature built into Windows, and access users’ data.

Why AI changed the threat model for travel technology
In this Help Net Security interview, Devon Bryan, SVP, Global CSO at Booking Holdings, reflects on his path from Air Force network security engineer to global CSO across financial services, hospitality, and travel technology.

Deleted Google API keys keep working for up to 23 minutes, researchers warn
Google API keys are credentials that let applications access Google services, from Maps to the Gemini AI. If a key is leaked, an attacker can use it to make API calls, rack up charges, and, if Gemini is enabled, access uploaded files and cached conversations. The assumed fix is simple: delete the key. But Aikido Security has found that deletion doesn’t actually work right away.

Microsoft open-sources tools for designing and testing AI agents
Microsoft has open-sourced two tools aimed at bringing security discipline to AI agent development: Clarity, a structured design review tool, and RAMPART, a continuous testing framework.

AI red teaming agents change how LLMs get tested
Adversarial probing of LLMs has piled up a sprawling toolkit over the past three years. Attack techniques with names like Tree of Attacks with Pruning, Crescendo, and Skeleton Key sit alongside hundreds of prompt transforms and scoring methods across open-source frameworks including Microsoft’s PyRIT, NVIDIA’s Garak, and Promptfoo.

GitHub, Grafana Labs breaches traced back to TanStack supply chain compromise
GitHub CISO Alexis Wales has named the malicious VS Code extension behind the breach they suffered at the hands of the threat group TeamPCP: Nx Console, a popular developer tool with 2.2 million installs.

Microsoft Defender vulnerabilities exploited in the wild (CVE-2026-41091, CVE-2026-45498)
Attackers are exploiting two Microsoft Defender vulnerabilities (CVE-2026-41091 and CVE-2026-45498), Microsoft acknowledged and CISA confirmed by adding them to its Known Exploited Vulnerabilities catalog.

Verizon DBIR: Vulnerability exploitation is the dominant initial access vector
Vulnerability exploitation has overtaken stolen credentials as the most common way attackers gain initial access to target networks, according to the 2026 Verizon Data Breach Investigations Report.

PureLogs infostealer is stealing credentials worldwide
A phishing campaign is smuggling the powerful PureLogs information stealer onto targets’ Windows machines by hiding encrypted malicious payloads inside cat photos, Fortinet researchers discovered.

New macOS infostealer impersonates Apple, Microsoft, and Google in a single attack chain
A SHub macOS infostealer variant called Reaper impersonates Apple, Microsoft, and Google to trick users into executing malicious code, then targets browser data, password managers, and cryptocurrency wallets while establishing persistence for continued access, SentinelOne found.

AI is drowning software maintainers in junk security reports
AI-assisted vulnerability research has exploded, unleashing a firehose of low-quality reports on overworked software maintainers who are wasting hours sifting through noise instead of fixing real problems.

Attackers accessed, downloaded code from Grafana Labs’ GitHub
A threat actor has managed to access Grafana Labs’ GitHub environment and download the company’s codebase, the open-source observability and data visualization firm announced on Sunday.

The end of unencrypted Discord calls is here
Discord has protected voice and video calls in DMs, group DMs, voice channels, and Go Live streams with end-to-end encryption (E2EE) by default.

The AI backdoor your security stack is not built to see
Enterprises deploying LLMs have spent the past two years building defenses around a reasonable assumption: malicious behavior leaves a trace in the input. Scan for suspicious tokens, filter unusual characters, watch for prompt injection patterns. New research from Microsoft and the Institute of Science Tokyo demonstrates that this defensive posture has a blind spot, and the cost of that blind spot could be measured in leaked proprietary data and regulatory exposure.

When ransomware hits, confidence doesn’t restore endpoints
Ransomware, supply chain vulnerabilities, insider threats, compliance failures, and software disruptions remain major concerns for security leaders, according to The Ransomware Reality: Zero Days to Recover report by Absolute Security.

AI shrinks vulnerability exploitation window to hours
Time has become organizations’ biggest vulnerability because the gap between vulnerability discovery and exploitation has narrowed to hours, according to Synack’s 2026 State of Vulnerabilities Report.

Most dark web activity revolves around a handful of topics
A six-year dataset covering more than 25,000 dark web sites tracked what people discussed in underground forums and marketplaces and how those discussions changed over time.

Public Instagram posts provide raw material for AI phishing campaigns
A handful of public Instagram posts can give attackers enough material to generate convincing phishing emails with GenAI. Research from the University of Texas at Arlington and Louisiana State University showed how public social media activity can be turned into phishing messages that appear personal and credible to human recipients.

CVE Lite CLI: Open-source dependency vulnerability scanner
Dependency vulnerability scanning in JavaScript and TypeScript projects has long sat at the end of the development pipeline. Pull requests get opened, continuous integration runs, and a security scanner returns a list of CVE identifiers that developers then have to triage hours or days after writing the code. CVE Lite CLI, now an officially recognized OWASP Incubator Project, moves that check to the developer’s terminal.

What happens when your identity provider becomes the kill chain
In this Help Net Security video, Colin Constable, CTO at Atsign, explains why your identity provider (IdP) has become the kill chain in cyberattacks. Attackers steal session cookies, tokens, or consent grants you’ve already issued and walk in behind you.

7 hard truths security pros should know: 2026 DevOps Threats Report
In 2025, trusted Git hosting platforms became a playground for cyber criminals. This is the main conclusion from the latest “DevOps Threat Unwrapped Report 2026” by GitProtect.

Product showcase: Bitdefender Mobile Security for iOS protects privacy where scams begin
Bitdefender Mobile Security for iOS is a security and privacy application for iPhone and iPad that helps protect against phishing attempts, online scams, unsafe websites, and account exposure.

Cybersecurity jobs available right now: May 19, 2026
We’ve scoured the market to bring you a selection of roles that span various skill levels within the cybersecurity field. Check out this weekly selection of cybersecurity jobs available right now.

New infosec products of the week: May 22, 2026
Here’s a look at the most interesting products from the past week, featuring releases from ASAPP, Babel Street, CTERA, Forward, Riverbed, and Trust3 AI.


from Help Net Security https://ift.tt/jG1lB7C

The South Pacific Regional Fisheries Management Organization (SPRFMO) needs to regulate squid fishing in the South Pacific.

As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered.

Blog moderation policy.


from Schneier on Security https://ift.tt/KbWTijI

Vulnerability researchers have spent the past year arguing about whether AI agents can find real bugs at scale or whether they mostly generate noise. A pipeline built in three days by researchers from TrendAI and CHT Security supplies an answer, along with a price tag that the security industry will have to reckon with.

WordPress plugin vulnerabilities

The system, presented at Ekoparty Miami, pairs AI-driven static analysis with automated Docker provisioning and dynamic verification through Chrome DevTools MCP. It surfaced more than 300 critical zero-day vulnerabilities across the WordPress plugin ecosystem in 72 hours of scanning. Every finding was manually verified by the researchers and responsibly disclosed before publication.

The economics

The AgentForge orchestration dashboard logged roughly 222 million tokens consumed across 95 tasks during the campaign. Steven Yu, a threat research engineer at TrendAI, translated that to an average of about $20 per vulnerability discovered.

He qualified the number carefully. “This doesn’t mean you can easily find a vulnerability in any WordPress site for just $20,” Yu told Help Net Security. “It depends heavily on the security of the codebase. The WordPress ecosystem is extremely vast and complex, leading to highly variable code quality. In other frameworks or ecosystems, we might not see the same results at this cost threshold.”

The qualifier matters because WordPress plugins are an outlier. The ecosystem runs to more than a million plugins, many maintained by solo volunteers without security budgets, and the code quality reflects that. A hardened enterprise codebase would not surrender bugs at the same rate or at the same cost.
What is settled, by Yu’s account, is that the price floor is already crossed for someone willing to look. “We are already in a state where any motivated attacker with a credit card can execute this,” he said. “Both white-hat and black-hat actors are already implementing these types of actions at scale.”

Vulnerability classes the pipeline surfaced

The 300-plus findings span pre-authentication remote code execution, SQL injection hidden behind PHPCS annotations that mark vulnerable queries as safe, privilege escalation through the WordPress hook system, server-side request forgery, and a downgrade attack chain. One pre-auth RCE was identified in a plugin with more than 1,000 GitHub stars.

The downgrade chain was assembled by the AI without human guidance. The agent located a vulnerability that allowed it to roll a target plugin back to an earlier version, recognized that the earlier version carried its own exploitable flaws, and chained the two into a working attack. Yu confirmed no manual prompts or pre-taught patterns were involved. The same vulnerability class was identified through pattern hunting across OpenCart and Joomla codebases.

Disclosure infrastructure under strain

The pipeline addresses what the security industry has taken to calling “AI slop,” the wave of low-quality, AI-generated vulnerability reports that has pushed several major open-source projects to reject AI submissions outright. By requiring every AI-generated finding to pass dynamic verification before reaching the disclosure queue, the system eliminated more than 80% of false positives.

The downstream pressure remains. Yu said manual verification of each WordPress plugin vulnerability took his team between 30 and 60 minutes. He described the human review layer as the primary bottleneck.

“Organizations such as ZDI and NIST are currently struggling with massive backlogs due to the explosion of AI-assisted vulnerability reports,” Yu said. “When AI can scale discovery from a few findings per day to hundreds per second, the traditional human-centric triage model becomes unsustainable.”

His expectation for the next six months is a higher volume of disclosed vulnerabilities and a parallel rise in zero-day abuse by attackers running similar pipelines. He anticipates a structural shift in how disclosure programs accept submissions, with several vendors moving toward invite-only or membership-based models that prioritize researchers with established track records and ban accounts that submit AI-generated noise.

The longer-term answer Yu pointed to is more automation, applied at the receiving end. “The ultimate solution is to fight AI magic with AI magic,” he said. AI-assisted triage that automates environment setup and verification would let human experts concentrate on the most complex cases.

Where the AI still stops

Yu was direct about the ceiling. Drag-and-drop builders such as Elementor sit in the “computer use” category and will likely yield to the next wave of agent tooling within months. Other failure modes are harder. Exploits that need a working payment API key, a valid user account, or an SMS verification code stop the agent because the gap is in the environment, not in the model. Some calls require a human to define whether a feature is intended or malicious in the first place, a judgment that more training data will not resolve.

Download: Automating Pentest Delivery Guide


from Help Net Security https://ift.tt/qLvjZ8N

A group used Anthropic’s Mythos AI model to help find a kernel memory corruption vulnerability and exploit on Apple’s M5.

News article.


from Schneier on Security https://ift.tt/aY56edl

GitHub CISO Alexis Wales has named the malicious VS Code extension behind the breach they suffered at the hands of the threat group TeamPCP: Nx Console, a popular developer tool with 2.2 million installs.

A malicious version of the otherwise benign extension was used to steal secrets and developer credentials, which were then used to move through CI/CD pipelines and exfiltrate around 3,800 of GitHub’s private code repositories.

One missed token, many victims

The company confirmed the compromise on Wednesday, and promised to publish a fuller report once their investigation is complete.

Soon after, Wales publicly identified the poisoned VS Code extension that a GitHub employee installed and thus enabled the attackers to gain access to the repositories.

Nx Console maintainers have been sharing information surfaced by their own investigation into how a malicious version of the extension was published on both the Microsoft-owned Visual Studio Marketplace and the vendor-neutral registry Open VSX.

“One of our developers was compromised by a recent supply-chain compromise on TanStack, which leaked their GitHub credentials through the GitHub CLI (gh). This allowed the attacker to run workflows on our GitHub repository as a contributor,” they explained.

“According to Microsoft and OpenVSX, download numbers for the impacted 18.95.0 version were a low 28 and 41 respectively. However, according to our own internal analytics, we believe the impact to be two orders of magnitude higher, with thousands of affected users.”

One of the affected users turned out to be the GitHub employee. The compromised extension fetched an obfuscated payload, which was able to harvest victims’ credentials.

Among those were login tokens for the HashiCorp Vault secrets manager; credentials used authenticate via Kubernetes or AWS identity systems; authentication tokens used to publish packages to npm registries; GitHub personal access tokens, OAuth tokens, and app tokens; credentials stored in the victim’s 1Password vault; and Google Cloud Platform and Docker credentials.

“Harvested data was exfiltrated via HTTPS, the GitHub API, and DNS. On Linux it also attempted sudoers injection for persistence,” the Nx Console maintainers noted, and provided remediation advice, which includes rotating “every credential reachable from the machine.”

Grafana Labs, which similarly got its GitHub environment compromised and codebase stolen, also traced the compromise back to the TanStack npm supply chain attack.

“The incident originated from a TanStack npm supply chain attack via the Mini Shai-Hulud campaign. We detected the malicious activity on May 11 and immediately initiated our incident response plan,” shared Joe McManus, the Grafana Labs chief information security officer.

“We performed analysis and quickly rotated a significant number of GitHub workflow tokens, but a missed token led to the attackers gaining access to our GitHub repositories. A subsequent review confirmed that a specific GitHub workflow we originally deemed not impacted had, in fact, been compromised.”

The company has been contacted by the attackers, who demanded payment not to release or sell the stolen codebase, but Grafana Labs decided not to pay the ransom.

TeamPCP automated its way through the open source ecosystem

The TanStack supply chain compromise affected 42 of its npm packages. Malicious versions were made to include a credential-stealing JavaScript payload.

That compromise, like many others in the last weeks, was carried out via Mini Shai-Hulud, a self-replicating supply chain “worm” created and operated by TeamPCP.

The “worm” allows them to automate supply chain attacks by stealing CI/CD credentials and leveraging them to publish infected versions of more and more packages.

TeamPCP, a cybercrime group that specializes in supply chain attacks targeting open-source utilities and AI middleware, has claimed the GitHub hack and is likely behind Grafana’s, as well.

Subscribe to our breaking news e-mail alert to never miss out on the latest breaches, vulnerabilities and cybersecurity threats. Subscribe here!


from Help Net Security https://ift.tt/S76k4Go

My fellow Lifehacker writer Beth Skwarecki is a weightlifter. I'm a marathon runner. Together, we make one reasonably competent Hyrox athlete—and in a little over one week, we're going to find out if that's enough. Beth and I are competing together in a Hyrox doubles race on May 29. It's something of a joint experiment to see just how little training you can get away with before showing up to one of these things. Hopefully, we will each bring our respective strengths to the competition, cover for the other's weaknesses, and survive. 

But before we're put to the test, let's take a look at what proper Hyrox prep looks like, and the bare minimum you can (probably) get away with if you want to show up to a competition without a ton of training.

What is Hyrox, exactly?

Beth goes into more depth elsewhere, but here’s a quick primer on Hyrox. In brief, it's a running race combined with functional workout stations, repeated eight times. You run 1 km, hit a workout station, run another 1 km, hit another station, and so on. The stations include activities like sled pushes, rowing, burpee broad jumps, walking lunges, and wall balls. While each station may sound manageable on its own, they become far more difficult when your legs have already been tired out through multiple rounds.

You can compete in Hyroc solo, in doubles, or as a relay team. Naturally, your strategy will depend on which format you’re attempting. For doubles specifically, both athletes run together, but you can split the functional movements however you want. That's where smart planning can make a real difference, and where Beth and I are currently scheming to the best of our ability. 

What does Hyrox training actually look like?

You can sign up for a Hyrox-style class at your local gym and get a great hybrid workout without ever joining an official race. "A regular Hyrox class gives you a taste of the format and builds general fitness for the event," says Elaine Cotter, head trainer and manager at an F45 gym in Brooklyn. "A dedicated training plan is more structured and performance-focused—including specific running workouts, both endurance and interval focused, strength progression, race simulations, pacing, and recovery. Taking some classes here and there means 'I want to be ready.' A dedicated training plan means 'I want to race this well.'"

If you're aiming to genuinely compete—that is, to push your time and finish strong—Cotter recommends starting at least 12 weeks out, and ideally, give yourself 16 weeks. That's enough runway to build a running base, develop muscular endurance across all the stations, and reduce injury risk. But what if you don't have 12 weeks? What if you have, say, one week?

Can you do Hyrox without training at all?

What’s the bare minimum of training a Hyrox athlete can hypothetically get away with? Well, in theory, "anyone with any running or strength training experience can complete a Hyrox," Cotter says. "Does that mean you may have to walk some of it or really take your time to recover in certain parts? Probably—but that's okay."

Unlike Crossfit (to which it is constantly compared), Hyrox is fundamentally a running race. "The run is the limiting factor for most people, and it takes up the most time in the race," Cotter says. "So at bare minimum, you should be able to confidently run an 8K [about five miles] without getting super winded. Even a 10K [6.2 miles]...will help simulate the general endurance needed." Strength matters too, and you should be familiar enough with the movements to perform them safely. But at the end of the day, the run is where most people lose time and hit their wall.

That said, Hyrox is far from a road race. You're doing things like heavy wall balls or sled pulls and then immediately going into a run. Running on such heavy legs is “the wildest feeling," Cotter says, "and it happens the entire time during the race." Practicing that sort of transition should be a priority leading up to race day.

Can you prepare for Hyrox with studio classes alone?

This one is relevant to Beth and me, since we've each taken about four or five Hyrox-specific classes in the lead-up to our race. Can our class attendance substitute for a dedicated 12-week training plan? Well, sort of—but only if you're also running.

"F45 classes and Hyrox-focused training are awesome for building the strength, endurance, and engine needed for the race," Cotter says, "but in a class setting, you aren't necessarily getting the running required. If you are just taking classes with no running outside of that, I fear you will find the race quite challenging."

Luckily, I was independently training for a half-marathon before we started this Hyrox journey, so I feel solid about my cardio. I know Beth has been prioritizing her runs the past few weeks, too. Anyone relying purely on studio classes without additional running should temper their expectations for race day.

How long should you taper before a Hyrox race?

I’m no stranger to taper madness. Especially if you know you've undertrained, the temptation is to keep cramming right up until race day. Unfortunately, that’s almost always a mistake. "The trap people fall into is thinking 'I'm underprepared, so I need to cram fitness until the last second,'" Cotter says. "But realistically, in the final week or two you're not building much new fitness—you're mostly deciding whether you show up tired or fresh."

Her recommendation for someone who started training late is to lean toward a shorter taper. The focus should be on maintaining confidence and rhythm, rather than gaining fitness. In the final days, aim for shorter sessions of 20–30 minutes with some intensity and running, but avoid anything that will leave your legs sore. "Showing up slightly undertrained but recovered is usually better than showing up technically fitter but cooked."

Her taper guidelines by length:

  • 7 days: Ideal for most recreational athletes. 

  • 4–5 days: Probably fine, if training volume wasn't super high. 

  • 2–3 days: Survivable, but she wouldn't recommend going shorter than this.

The bottom line

If you're starting from scratch and want to do Hyrox well, give yourself 12 to 16 weeks to train, and build up your running base first.  If you're doing a doubles race and already have some general fitness under your belt, you can probably survive on much less—provided you can handle an 8K and you know what you're getting into with the workout stations. (For Beth and me, there’s reason to hope that our complementary weaknesses and strengths will be well-suited to the doubles format. Beth will likely handle more of the heavy strength pieces—sled push, sled pull, lunges—while I keep us moving on the runs.)

The final piece of advice is to have a plan for how you'll split each station before you arrive. Reps of 10? Reps of 5? Splits of 150 meters? Figure it out ahead of time so you're not negotiating mid-station with burning legs—and have the stronger runner finish each station so the person who struggles more on the run can get a little extra rest before the next one. (Plus, sitting down and strategizing is a great hack to distract yourself from the temptation to sabotage your taper.) 

How will all this theory work out in practice? We'll report back soon.


from Lifehacker https://ift.tt/2OkpHLy

Netflix's June lineup has a little something for everyone: true crime docs, sports series, comedy films, reality TV, and more. First, the live-action fantasty series Avatar: The Last Airbender (June 25) returns for its second season at the end of the month. Netflix is also launching a Survivor-style competition show—Outlast: The Jungle (June 10) lands 16 players on a remote island to play for a $1 million prize.

Following its May slate of soccer content in the lead-up to the 2026 World Cup, the streamer is hosting The Hot Seat (June 3), a comedy roast featuring World Cup winners from France 1998 and France 2018 alongside stand-up comedians. The Rest is Football (June 10) is a daily series hosted by Gary Lineker, Alan Shearer, and Micah Richards with analysis from the 2026 tournament. And USA 94: Brazil's Return to Glory (June 7), a documentary originally scheduled for release in May, covers Brazil's 1994 World Cup run.

Other sports content includes the third season of AMERICA'S SWEETHEARTS: Dallas Cowboys Cheerleaders (June 16) and Chris & Martina: The Final Set (June 26), a documentary exploring Chris Evert and Martina Navratilova's friendship and dominance in tennis.

The film lineup for June includes Office Romance (June 5), a rom-com starring J.Lo and Brett Goldstein as an airline CEO and the corporate lawyer she falls for (relatable!), and Little Brother (June 26), also a comedy, with John Cena as a well-known real estate agent opposite Eric André as his "little brother."

Here's everything else coming to Netflix in June, and everything that's leaving.

What's coming to Netflix in June 2026

Available soon

Available June 1

  • Bee Movie

  • The Big Lebowski

  • The Chronicles of Riddick

  • Cinderella Man

  • Creed

  • Creed II

  • Creed III

  • Father of the Bride

  • Father of the Bride: Part II

  • The Fault in Our Stars

  • Four Weddings and a Funeral

  • Fried Green Tomatoes

  • The Girl on the Train

  • The Hand that Rocks the Cradle

  • Hawaii Five-0: Seasons 1-5

  • Hot Summer Nights

  • House on Haunted Hill

  • Identity Thief

  • Inside Man

  • Inside Man: Most Wanted

  • The Karate Kid

  • The Karate Kid

  • The Karate Kid Part II

  • The Karate Kid Part III

  • Little Miss Sunshine

  • Made of Honor

  • Miracle

  • Muriel's Wedding

  • My Best Friend's Wedding

  • Out of Africa

  • Pitch Black

  • Rachel Getting Married

  • Riddick

  • Rocky

  • Rocky Balboa

  • Rocky III

  • Rocky IV

  • Rocky V

  • Rookie of the Year

  • Rudy

  • Runaway Bride

  • Scooby-Doo

  • Scooby-Doo 2: Monsters Unleashed

  • Tyler Perry's The Family That Preys

  • The Wedding Date

  • The Wedding Planner

Available June 3

Available June 4

Available June 5

Available June 6

  • Grey's Anatomy: Season 22

  • Resident Alien: Season 4

Available June 7

Available June 8

Available June 9

Available June 10

Available June 11

Available June 12

Available June 13

  • Song Sung Blue

Available June 14

  • Piece by Piece

Available June 15

  • Drinking Buddies

  • Percy Jackson & the Olympians: The Lightning Thief

  • Percy Jackson: Sea of Monsters

Available June 16

Available June 17

  • André Is an Idiot

Available June 18

Available June 19

Available June 20

  • The Root Of The Game—Netflix Sports Series

Available June 22

Available June 23

  • Ryan Hamilton: This Just Hit Me—Netflix Comedy Special

Available June 24

Available June 25

Available June 26

Available June 27

  • Agent Kim Reactivated—Netflix Series

Available June 30

  • Sullivan's Crossing Season 4

What's leaving Netflix in June 2026

Leaving June 1

  • Fifty Shades of Grey

  • Fifty Shades Darker

  • Fifty Shades Freed

  • Glory

  • Jurassic World: Fallen Kingdom

  • The Lego Movie

  • Ray

Leaving June 2

  • Kim's Convenience: Seasons 1-5

Leaving June 3

  • Brockmire: Seasons 1-4

Leaving June 7

  • Blindspot: Seasons 1-5

  • Shiva Baby

Leaving June 9

  • A Lot Like Love

Leaving June 10

  • TURN: Washington's Spies: Seasons 1-4

Leaving June 16

  • Aquarius: Seasons 1-2

  • Unbroken

Leaving June 19

  • The Iron Claw

Leaving June 20

  • The Expendables

  • The Expendables 2

  • The Expendables 3

  • The Expendables 4

Leaving June 21

  • Zoey 101: Seasons 1-2

Leaving June 30

  • Sex and the City: Seasons 1-6


from Lifehacker https://ift.tt/1BrUbW4