Cyber Security News
ShinyHunters Weaponizes an Oracle PeopleSoft Zero-Day Against 100+ Organizations
ShinyHunters (tracked by Mandiant/GTIG as UNC6240) exploited CVE-2026-35273, a critical unauthenticated RCE in Oracle PeopleSoft Enterprise PeopleTools, as a zero-day between May 27 and June 9, breaching more than 100 organizations (roughly two-thirds in higher education) before Oracle shipped an out-of-band fix on June 11. CISA added the flaw to its KEV catalog with a compressed three-day remediation deadline, and attackers deployed stealth remote-access tooling (MeshCentral staging) and exfiltrated payroll, HR, and student data for double extortion. The multi-week gap between active exploitation and patch availability left every internet-facing PeopleSoft tenant exposed with no remediation path.
Why it matters: A missing-authentication flaw in the system that holds payroll, financial aid, and student PII has no credential barrier to bypass (only reachability), and the KEV listing arrived after compromise, not ahead of it.
Sources: SecurityAffairs | CyberScoop | BleepingComputer
The Canvas Breach Becomes the Largest EdTech Compromise on Record
ShinyHunters breached Instructure's Canvas LMS via stolen credentials beginning in late April, claiming 3.65 terabytes tied to roughly 275 million users across nearly 9,000 institutions, and redirected course pages to ransom notes; Instructure reportedly paid for deletion. The same campaign cluster swept up Infinite Campus (137,000 accounts leaked) and the University of Nottingham (450,000+ student records, tied to the PeopleSoft wave).
Why it matters: A single multi-tenant SaaS LMS compromise radiates to thousands of K-12 districts and universities at once, and a paid "deletion" ransom has never reliably prevented a later leak.
Sources: Shattered.io | TechNadu | BleepingComputer
ShinyHunters Expands From Education to Government, Sports, and Critical Infrastructure
Running parallel Salesforce- and PeopleSoft-based campaigns, ShinyHunters claimed 297GB and 429,000 files from the Council of Europe (HR and financial records on 10,000+ people), 26 million records from Madison Square Garden Sports Corp., and 5.2 million records from American Tower, the latter including plaintext physical gate codes and GPS coordinates for cell-tower sites tied to T-Mobile, Verizon, and US DHS.
Why it matters: Exposing plaintext physical access codes for national telecom infrastructure pushes data extortion from a privacy problem into a physical-security threat, and the breadth confirms ShinyHunters as the period's most prolific extortion actor.
Sources: IBTimes SG | DeXpose | Hendry Adrian
Qilin Turns a Check Point VPN Auth Bypass Into a Ransomware Gateway
A Qilin affiliate weaponized CVE-2026-50751 (CVSS 9.3), an authentication-bypass flaw in Check Point Remote Access and Mobile Access VPN that abuses deprecated IKEv1 certificate validation to open tunnels without a password. CISA confirmed active ransomware exploitation, added the flaw to KEV, and gave federal agencies a three-day patch window; WatchTowr Labs published full technical analysis on June 12. Why it matters: An unauthenticated VPN bypass hands attackers a credentialed-looking foothold inside the network, and the three-day KEV deadline is among the tightest CISA issues, signaling active, scaled exploitation rather than precaution. Sources: Cybersecurity News | SecPod
CISA Orders a Three-Day Patch Sprint for a Max-Severity Ivanti Sentry Flaw
Under new Binding Operational Directive 26-04, CISA gave agencies until June 14 to remediate CVE-2026-10520, a CVSS 10.0 OS command-injection bug in Ivanti Sentry granting unauthenticated root RCE. Shadowserver confirmed attackers were backdooring internet-exposed appliances less than 48 hours after patch and PoC release, with reporting suggesting the actors had pre-mapped Ivanti's asset landscape. Why it matters: The sub-48-hour gap between PoC and mass exploitation means patch windows for max-severity edge flaws are now measured in hours, and Ivanti Sentry sits directly between corporate back-ends and mobile traffic. Sources: BleepingComputer | SecurityWeek
China-Linked Velvet Ant Owned an Authentication Stack for a Decade
Sygnia disclosed "Operation Highland," a China-nexus intrusion in which Velvet Ant compromised an organization's authentication infrastructure and maintained covert persistence for roughly ten years, reaching an isolated network segment by quietly rewriting the software handling core operations. Every legitimate authentication event became attacker-visible. Why it matters: When an adversary owns the identity layer, standard detections that trust the auth system itself go blind, and a ten-year dwell time proves isolation is not containment: IdPs and auth middleware are crown-jewel assets needing independent, out-of-band integrity validation. Sources: BleepingComputer | IntelFusions
The Miasma Worm Weaponizes AI Coding Tools, Poisoning npm, PyPI, and Microsoft Repos
The self-replicating "Miasma" worm (an evolution of Shai-Hulud, requiring no C2 server and shipping a destructive dead-man switch) crossed into Microsoft's Azure/durabletask GitHub repo and disabled 73 repositories, then dropped 37 malicious wheels across 19 PyPI packages in a "Hades" wave abusing .pth startup hooks. Payloads execute the moment a developer opens an infected repo in Claude Code, Gemini CLI, or Cursor, harvesting credentials and surviving credential rotation; the toolkit was briefly open-sourced on June 9.
Why it matters: This is the first worm class explicitly engineered to weaponize agentic AI coding tools, it bypasses SCA/SBOM scanners because it exploits no product CVE, and open-sourcing sharply raises copycat risk through H2 2026.
Sources: Phoenix Security | The Next Web | HKLUG/The Hacker News
Atomic Arch Hijacks 400+ AUR Packages With a Rootkit and Stealer
More than 400 Arch Linux User Repository packages were hijacked to deploy a kernel-level rootkit alongside a credential stealer, with reporting stressing that removing the malicious packages does not remediate the underlying compromise. Attackers walked through the front door of one of Linux's most-trusted community repositories. Why it matters: A rootkit at install time means cleanup at the package level leaves persistence behind (affected hosts require rebuild, not disinfection), and the scale confirms community registries are being weaponized faster than their trust models can adapt. Sources: Eastern Herald | HEAL Security
Microsoft Ships a Record 206 Patches as Defender and Netlogon Zero-Days Are Actively Exploited
June Patch Tuesday addressed a record 206 vulnerabilities including three publicly disclosed zero-days, with researchers attributing the climbing volume to AI-accelerated bug discovery. Separately, attackers are exploiting CVE-2026-41089, a zero-click unauthenticated Netlogon RCE (CVSS 9.8) against domain controllers, plus two Microsoft Defender zero-days (CVE-2026-41091, CVE-2026-45498), while a public "RoguePlanet" PoC grants SYSTEM on fully patched Windows via a Defender race condition. Why it matters: Zero-days in the endpoint security agent itself blind defender telemetry before any pivot, and a zero-click Netlogon RCE means any unpatched DC should be treated as already breached, not merely vulnerable. Sources: PCWorld | Cyber Security News | Picus Security
The Gentlemen RaaS Hits 478 Victims With Worm-Like FortiGate Exploitation and a 90% Affiliate Cut
A roughly nine-person RaaS operation tracked by PRODAFT as Phantom Mantis (LARVA-368, doxxed by Krebs as a 36-year-old from Izhevsk) reached 478 victims in 66 countries in under a year, exploiting Fortinet FortiGate flaws for self-propagating, worm-like spread and luring affiliates with an unusually high 90% revenue share. A multi-platform Go encryptor hits Windows, Linux, ESXi, and NAS simultaneously. Why it matters: A 90% split plus AI-accelerated, worm-driven operations lets a tiny core team out-compete legacy RaaS brands and collapse the window between foothold and enterprise-wide encryption. Sources: The Hacker News | Krebs on Security | Security Affairs
APT28 Pairs Zero-Click Outlook Hash Theft With LLM-Driven Malware
Russia's GRU-linked APT28 weaponized an Outlook zero-click flaw to silently harvest Net-NTLMv2 hashes from NATO and defense targets while proxying operations through the MooBot botnet on compromised Ubiquiti EdgeRouters. Sekoia tied recent activity to LameHug, the first known malware to call a live LLM (Qwen2.5-Coder via the Hugging Face API) to generate attack commands at runtime. Why it matters: Zero-click hash theft removes the phishing-click dependency entirely, routing through hijacked consumer routers severs attribution, and runtime LLM-generated commands mean there are no hard-coded TTPs left to fingerprint. Sources: Cyberpress | Sekoia | SecuriTricks
Lazarus Drains $500M From DeFi as North Korea Adopts Agentic AI
North Korean actors siphoned more than $500 million from DeFi protocols Drift and Kelp in roughly two weeks and breached the Bitrefill crypto/gift-card platform (18,500 records) via a compromised employee laptop. South Korea's NCSC separately warned that DPRK groups are deploying autonomous "agentic AI" to scale phishing, malware authoring, and intrusion with minimal human intervention. Why it matters: Half a billion dollars in two weeks confirms DPRK crypto theft as a strategic state revenue engine, and agentic tooling would let Pyongyang's limited operator pool punch far above its headcount. Sources: SunVBM | Narinci | Let's Data Science
Iran-Linked Handala Claims California Water Utility Billing Systems
On June 12, the Iranian-linked group Handala claimed cyberattacks against water utility billing systems serving Bakersfield, Visalia, and Chico, California, following earlier claims against California Water Service that Dataminr assessed exposed admin credentials for an internal RTKBase NTRIP GPS-correction network across seven districts. Independent confirmation of operational impact remains limited. Why it matters: Billing platforms are softer, internet-facing entry points that yield customer PII and a foothold toward OT, and the targeting fits sustained Iranian interest in US water-sector infrastructure amid maximum-pressure geopolitics. Sources: Rescana | Dataminr
Ransomware Sets a Record at $1.1 Billion as a Conti Operative Pleads Guilty
New figures put 2025 ransomware at a record high, with 4,600+ organizations paying a combined $1.1 billion and hospitals, school districts, and municipalities forced onto paper for weeks. In a rare accountability milestone, Ukrainian national Oleksii Lytvynenko pleaded guilty in US federal court to wire-fraud conspiracy tied to Conti after extradition from Ireland. Why it matters: Every paid ransom underwrites the next campaign, and the guilty plea shows affiliates remain exposed to extradition and prosecution years after a group disbands: incremental deterrence against a self-funding, scaling economy. Sources: IsThisAScam | BleepingComputer
AI News
A US Export Order Forces Anthropic to Disable Fable 5 and Mythos 5
Anthropic confirmed on June 12 that both Claude Fable 5 and the more capable, restricted Mythos 5 were disabled for all customers following a US Commerce Department export-control directive. Fable 5, the guardrailed public counterpart sharing Mythos's base architecture, had shipped June 8; Mythos (described as a model good enough at vulnerability discovery to be treated as a controlled munition) was gated behind Project Glasswing vetting. Why it matters: A government-ordered shutdown of an already-shipped frontier model is a new category of event, proving export-control levers can reach deployed inference and that capability you provisioned can be revoked by a third party overnight. Sources: TechGenyz | TechCrunch
The Anthropic Recall Exposes Europe's AI Dependency and a Governance Vacuum
POLITICO framed the export order, which severed access for everyone and not just non-US citizens, as a wake-up call that the EU is heavily reliant on American foundation models. Domestically, Gary Marcus and Danielle Fong publicly disputed AI czar David Sacks's claim that LLM jailbreaks are "easily patched," arguing export controls premised on removable dangerous behavior rest on a flawed model of how these systems fail. Why it matters: Capability access is now a lever of statecraft, and if jailbreaks are not reliably patchable, the policy community is fracturing over whether capability restriction or behavioral patching is even the right safety instrument. Sources: POLITICO | Digg
Prompt Injection Graduates to a Host-Impact CVE Class
A mid-2026 research review reports prompt injection has shifted from a conceptual category into a formally tracked CVE class with host-level impact, meaning agent vulnerabilities are now logged and triaged like conventional software flaws as the three major vendors finalized their agent SDKs and MCP wired agents into databases at scale. Why it matters: Once injection carries CVE designations, agent security crosses from a model-behavior concern into a conventional vulnerability-management workload that security teams must patch, prioritize, and monitor across AI frameworks. Sources: SkilLab AI
ZhipuAI Ships GLM 5.2, a Fully Open MIT-Licensed Frontier Model, the Day Anthropic Went Dark
ZhipuAI released GLM 5.2 on June 13 (a 744B-parameter MoE with 40B active, a 1M-token context, and MIT-licensed weights), the same day US action took Anthropic's frontier models offline in affected markets. The economical MoE design makes it viable for self-hosted enterprise deployment. Why it matters: A genuinely open frontier-class model with permissive licensing narrows the closed/open gap at the exact moment Western access tightened: the clearest signal yet that the open-weights frontier is now a Chinese-led story that can't be revoked by a vendor or government. Sources: DEV Community
Google Makes Gemini 3.5 Flash the Default and Competes on the Agentic Axis
Google DeepMind made Gemini 3.5 Flash the default model in the Gemini app and the engine behind Search AI Mode, posting 83.6% on the agentic MCP Atlas benchmark (surpassing GPT-5.5) with 4x faster output, within a 1M-token window at $2.70/$16.20 per million tokens. Why it matters: Google is competing on tool-use throughput and speed-per-dollar rather than the frontier-coding summit, and pushing agentic inference into the default Search slot is a distribution play measured in billions of queries. Sources: NBot | AI Models Navi
OpenAI Declares a "Third Phase" and Files Confidentially for an IPO
Sam Altman and OpenAI's chief scientist announced the company is entering its "third phase" around AI abundance, accessibility, and safety, the same day OpenAI confidentially filed for an IPO. The company also reportedly plans roughly $50 billion in compute spending for 2026 alone. Why it matters: Pairing a strategy reframing with an IPO filing signals OpenAI is shifting from a research story to a capital-markets one, where compute scale becomes the moat and quarterly pressure rarely aligns with the "slow down" posture labs publicly advocate. Sources: AOL | BERNAMA
The Agent Control Plane Becomes the Contested Layer
Databricks open-sourced Omnigent, a "meta-harness" that makes the harness itself swappable and orchestrable across Claude Code, Codex, and Pi, while IBM recast watsonx Orchestrate as an "agentic control plane" to govern fleets of agents. Google's Logan Kilpatrick countered that the model will "eat the harness" within 12 months, betting durable advantage returns to the model and distribution surface. Why it matters: The enterprise center of gravity has moved from model selection to agent governance at scale, and two coherent, opposing theories of where lock-in accrues are now being funded simultaneously. Sources: Databricks Blog | Sentinel.ht | Sequoia Capital
MCP Crosses 10,000 Public Servers as the Enterprise Integration Layer
More than 10,000 public Model Context Protocol servers are now deployed, establishing MCP as the de facto standard for agents to call tools, query databases, and coordinate across vendor boundaries: the connective tissue that makes the control-plane and meta-harness products coherent. Why it matters: Standardization at this scale turns agents from demos into infrastructure, but a 10,000-server open ecosystem is precisely the sprawling attack surface that makes prompt injection a host-level threat. Sources: NDN Analytics
GPT-5.5 Beats Fable 5 on Long-Horizon Tasks as Benchmarks Hit a Reliability Crisis
On UC Berkeley's Agents' Last Exam (1,000+ economically valuable professional workflows), OpenAI's two-month-old GPT-5.5 beat the freshly released Claude Fable 5, despite Fable topping static coding leaderboards. A new eval also found frontier models stumble at grading grade-school math reasoning, undercutting the LLM-as-judge pipelines much of the agent stack depends on. Why it matters: A model can dominate static scorecards yet lose at the long-horizon execution that determines real agentic reliability, and a model that generates hard proofs cannot reliably verify a simple one: capability and self-evaluation are different axes. Sources: VentureBeat | Digg
Meta Superintelligence Labs Closes Its Weights, Ending the Open Llama Era
Meta Superintelligence Labs finished its next flagship and will keep the weights internal, replacing routine open-weight Llama releases with partner-only access, while shipping the tiered consumer model Muse Spark across Instagram, Facebook, WhatsApp, and Messenger. The move lands the same week Google pushes more capability into open weights via Gemma 4 and DiffusionGemma. Why it matters: The lab that anchored the open ecosystem is adopting the closed posture it once defined itself against, leaving developers built on downloadable Llama weights without a clear successor and diverging the two largest open-model patrons. Sources: Remio | Crypto Briefing
Google Open-Sources DiffusionGemma, an Architectural Fork From Autoregression
Google released DiffusionGemma (Apache 2.0), a 26B MoE with 3.8B active that generates text via block-level discrete diffusion (refining 256 tokens in parallel from noise), reaching ~1,000 tokens/second on an H100, roughly 4x faster than autoregressive decoding, fitting in 18GB of quantized VRAM. Why it matters: Shipping diffusion-based text generation as a runnable open artifact attacks the latency bottleneck every autoregressive LLM shares, and if quality holds at scale it is a genuine architectural fork, not a speed tweak. Sources: VentureBeat | Google Developers Blog
Washington Pivots to Frontier AI as a National-Security File
President Trump's June 2 executive order established a voluntary framework giving the government up to 30 days of pre-release access to "covered frontier models" plus an AI cybersecurity clearinghouse, while NSPM-11 directed defense and intelligence agencies to accelerate AI adoption and the bipartisan Great American AI Act proposed federal transparency in exchange for three-year preemption of state AI laws. The Mythos shutdown (executed via Commerce export authority, not the new review process) was the framework's first live test. Why it matters: US governance is consolidating around early visibility and state preemption, but "voluntary" leaves enforcement dependent on existing trade authority and lab goodwill, exposing a widening gap between capability and coherent governance. Sources: Axios | Punchbowl News | Small Wars Journal
Frontier Labs Jointly Warn on Bioweapon Uplift as Benchmarks Make the Risk Concrete
Leadership at OpenAI, Anthropic, Google DeepMind, and Microsoft AI jointly asked Congress to mandate synthetic DNA/RNA screening, citing AI-assisted bioweapon design risk, as SecureBio's ABC-Bench demonstrated frontier models can design DNA fragments that assemble into functional sequences, evade synthesis screening, and write code to run a liquid-handling robot. Why it matters: Four competitors aligning on a specific legislative ask signals biosecurity uplift is no longer hypothetical inside these labs, and reframes governance toward supply-chain controls on physical inputs rather than model-layer restrictions. Sources: NewsBytes | SecureBio
Active Exploitation Watchlist + Notable CVEs
| CVE | Product | Severity | Status | Action |
|---|---|---|---|---|
| CVE-2026-10520 | Ivanti Sentry (OS command injection) | 10.0 Critical | Actively Exploited | Patch Now |
| CVE-2026-35273 | Oracle PeopleSoft PeopleTools (RCE) | 9.8 Critical | Actively Exploited | Patch Now |
| CVE-2026-41089 | Windows Netlogon (zero-click RCE) | 9.8 Critical | Actively Exploited | Patch Now |
| CVE-2026-45247 | Mirasvit Full Page Cache Warmer / Magento (RCE) | 9.8 Critical | Actively Exploited | Patch Now |
| CVE-2026-50751 | Check Point Security Gateway VPN (auth bypass) | 9.3 Critical | Actively Exploited | Patch Now |
| CVE-2026-35616 | FortiClient EMS (auth bypass) | N/A Critical | Actively Exploited | Patch Now |
| CVE-2026-38204 | VMware ESXi OpenSLP (heap overflow RCE) | N/A Critical | Actively Exploited | Patch Now |
| CVE-2026-3300 | Everest Forms Pro / WordPress (unauth RCE) | N/A Critical | Actively Exploited | Patch Now |
| CVE-2026-0257 | Palo Alto PAN-OS GlobalProtect (auth bypass) | N/A Critical | Actively Exploited | Patch Now |
| CVE-2026-42897 | Microsoft Exchange Server (OWA spoofing) | N/A Critical | Actively Exploited | Patch Now |
| CVE-2026-41091 | Microsoft Defender (zero-day) | N/A Critical | Actively Exploited | Patch Now |
| CVE-2026-45498 | Microsoft Defender (zero-day) | N/A Critical | Actively Exploited | Patch Now |
| CVE-2026-6973 | Ivanti EPMM (zero-day) | N/A Critical | Actively Exploited | Patch Now |
| CVE-2025-8088 | WinRAR (path traversal / NTFS ADS) | 8.4 High | Actively Exploited | Patch Now |
| CVE-2026-20245 | Cisco Catalyst SD-WAN Manager (root RCE) | 7.8 High | Actively Exploited | Mitigate |
| CVE-2022-0492 | Linux Kernel cgroups (container escape) | 7.8 High | Actively Exploited | Patch Now |
| CVE-2024-21182 | Oracle WebLogic (T3/IIOP) | 7.5 High | Actively Exploited | Patch Now |
| CVE-2026-28318 | SolarWinds Serv-U (DoS) | 7.5 High | Actively Exploited | Patch Now |
| CVE-2026-7473 | Arista EOS (tunnel decapsulation) | N/A High | Actively Exploited | Mitigate |
| CVE-2026-11645 | Google Chrome V8 (OOB read/write) | N/A High | Actively Exploited | Patch Now |
| CVE-2026-31431 | Linux Kernel "CopyFail" (local priv-esc) | N/A High | Actively Exploited | Patch Now |
| CVE-2025-48595 | Android Framework (integer overflow) | N/A High | Actively Exploited | Patch Now |
| CVE-2026-41940 | cPanel / WHM (backdoor + cryptominer) | N/A High | Actively Exploited | Patch Now |
| CVE-2024-1708 | Sante PMS | N/A Medium | Actively Exploited | Patch Now |
| CVE-2026-32202 | Microsoft (KEV addition) | N/A Medium | Actively Exploited | Patch Now |
| CVE-2010-0249 | Microsoft (legacy, EPSS 90.1%) | N/A High | Actively Exploited | Patch Now |
The Edge
The perimeter didn't fall this fortnight. It was never the target. Look at what actually got owned: an ERP application that signs everyone's paychecks, a VPN appliance whose entire job is to authenticate, the endpoint security agent meant to watch the host, the package registries that feed every build, the GitHub repos a developer's AI assistant ingests on open, and an authentication stack that one China-nexus crew quietly rewrote and lived inside for ten years. None of these are the soft edge of the network. They are the trust anchors: the systems defenders point at the threat. The week's lesson is that attackers have stopped trying to get past your controls and started turning the controls themselves into the breach.
That convergence is what makes ShinyHunters' PeopleSoft spree and the Miasma worm the same story told in two registries. One weaponizes a zero-day in the software that holds the data; the other weaponizes the trust a developer places in a repo and an AI coding agent. Both skip the endpoint entirely. And the supply-chain worms are the more dangerous tell, because they exploit no product CVE: your SBOM is clean, your scanner is green, and the credential stealer fires the moment Claude Code or Cursor reads a poisoned file. The defensive playbook built around "patch the vuln, scan the dependency" is structurally blind to an attack that lives in trust rather than in code.
Here is the uncomfortable part for 2026. The same week the trust-anchor thesis crystallized on the offense side, it got validated by the US government on the policy side: Commerce reached in and switched off a deployed, already-shipped frontier model overnight. Whether you cheer or fear that action, the mechanism is identical: capability you provisioned, controlled by someone who is not you, revocable without your consent. Enterprises spent a year treating frontier models as utilities. They are licensed, gated, and now demonstrably killable. The AI dev toolchain Miasma is poisoning and the AI model Anthropic had to disable are two ends of one exposure: you do not own your trust relationships, you rent them.
So watch three things. Watch whether CISA's three-day KEV deadlines keep getting tighter: they are the clearest signal that the gap between disclosure and mass exploitation is now hours, not weeks, on anything internet-facing and identity-adjacent. Watch the AI coding agent become a first-class privileged execution path that needs egress controls and isolation, not just a productivity boost. And watch prompt injection's quiet promotion to a CVE class, because the moment your agent vulnerabilities get numbers, they get triaged, and the organizations still treating agent safety as a research curiosity will be the ones explaining, after the fact, why the system they trusted most was the one that let the attacker in.