Ticker feed
The ShinyHunters extortion gang exploited a critical zero-day vulnerability in Oracle's PeopleSoft software between May 27 and June 9, 2026, compromising more than 300 instances across 100+ organizations. The flaw, CVE-2026-35273 (CVSS 9.8), allowed unauthenticated remote code execution through PeopleSoft's Environment Management Hub service.
About 68% of targeted organizations were higher education institutions. The University of Nottingham confirmed a breach, with ShinyHunters claiming 40 GB of student records stolen. Oracle patched the vulnerability on June 10 after researchers flagged it. Organizations are urged to disable or block external access to the EMHub service immediately.
Source: Dark Reading
GitHub is overhauling npm with version 12, flipping three long-standing permissive defaults to fight software supply chain attacks. Starting July 2026, npm will block install scripts, Git dependencies, and remote URL packages by default — all requiring explicit developer opt-in. Developers can preview the changes now by upgrading to npm v11.16.0.
Security experts are cautiously supportive. Semgrep's Isaac Evans praised the structural approach but warned attackers will pivot to private repositories like Artifactory. Researcher Paul McCarty fears developers will blindly approve blocked scripts just to get builds working — potentially turning the update into security theatre.
Source: Infosecurity Magazine
South Korea has slapped e-commerce giant Coupang with a record $400 million fine after a data breach exposed personal information belonging to roughly 37.5 million users — more than half the country's population. Seoul's Personal Information Protection Commission found the company failed to properly manage authentication keys and access controls. Regulators added a separate penalty for collecting data without user consent.
Coupang says the breach likely started as early as June through a foreign server and initially affected 4,500 accounts before ballooning to nearly 34 million. The company's CEO resigned following the incident. Coupang plans to fight the ruling in court.
Source: BBC News
A researcher known as Nightmare-Eclipse has released yet another Microsoft zero-day exploit — this one called RoguePlanet — timed to drop right after Microsoft's June Patch Tuesday, which addressed a record 206 CVEs.
The new exploit targets Windows Defender via a race condition, potentially granting attackers full SYSTEM-level access on Windows 10 and 11. It's the latest salvo in a months-long feud that began in April with the BlueHammer exploit. Microsoft has since patched several of Nightmare-Eclipse's disclosures, but real-world exploitation has already occurred.
The researcher claims to have more vulnerabilities in Defender and other Windows components ready to go.
Source: Dark Reading
A malware attack has knocked out IT systems at Great Marlow School in Buckinghamshire, forcing a partial closure on Wednesday. The school can't contact parents via email, teachers can't set work, and internal exams for Years 10 and 12 have been postponed. Only Year 11 and 13 students are required in for external exams.
Headteacher Guy Pendlebury confirmed the school is working with cybersecurity professionals to restore systems, following guidance from the Department for Education and the National Cyber Security Centre. The school, famously attended by Olympic rower Steve Redgrave, says student safety remains its top priority.
Source: BBC News
Two Russia-linked hacker groups — Gamaredon and Shadow-Earth-066 — are actively exploiting a WinRAR vulnerability (CVE-2025-8088) that's been patched since July 2024, targeting Ukrainian military and government organizations through weaponized phishing emails.
The attacks differ in execution but share the same goal. Shadow-Earth-066 deploys the GiftedCrook stealer to harvest credentials and documents, while Gamaredon plants espionage malware via malicious HTA files. Both abuse WinRAR's path traversal flaw to drop payloads into Windows Startup folders.
The flaw stays dangerous because WinRAR doesn't auto-update and falls outside standard enterprise patching tools — leaving millions of endpoints exposed.
Source: Dark Reading
A 2020 cyberattack on South Staffordshire Water exposed the personal data of 633,887 people, with over 4.1 terabytes of information — including bank details and National Insurance numbers — ending up on the dark web. The breach went undetected for 20 months.
One victim, Chris Durham, 53, had phones fraudulently taken out in his name and spent months fighting to recover £60 monthly charges he never authorized. Another customer, Nigel Calladine, 75, had to change his email and bank accounts entirely after six months of phishing attacks.
The ICO fined South Staffordshire £963,900. Customers say the fine doesn't go far enough.
Source: BBC News
A self-replicating worm called Shai-Hulud has infected over 100 packages across NPM and PyPI since September 2025, with attacks sharply escalating in recent weeks. After hacking group TeamPCP released the worm's source code in mid-May, clones emerged fast.
The latest variants — Miasma and Hades — harvest credentials, API keys, and tokens, then spread by infecting packages the victim can access. Red Hat's Hybrid Cloud Console was among the targets, alongside SDKs like Vapi and Wrangler. In total, 471 malicious artifacts have been identified, including PyPI wheel files tied to the Hades branch.
Source: SecurityWeek
A threat group called Silent Ransom (also tracked as UNC3753, Luna Moth, and Chatty Spider) has been hitting US law, financial, and professional services firms with a slick social engineering campaign between January and May 2026, according to Google's Mandiant division.
The attacks start with a fake invoice email, followed by a phone call from someone pretending to be IT support. Victims are talked into screen-sharing sessions and downloading remote access tools. In some cases, attackers physically showed up at offices with USB drives to steal data directly.
Once inside, the group moves fast — sometimes from initial contact to extortion demand in under an hour. Ransom demands come with a three-day deadline and threats to notify clients, partners, and journalists if victims don't comply.
Source: Dark Reading
A ransomware attack has forced Evanston Township High School to close its campus, canceling summer school, sports camps, and all on-campus activities. The attack, discovered Sunday, knocked out phone lines, internet, computers, and even the school's emergency notification and PA systems.
The FBI is now investigating alongside cybersecurity attorneys and forensic experts. No ransom demand has been received yet. Staff were told to stay home Monday, and students and teachers won't have building access for at least two days. District spokesperson Reine Hanna noted the summer timing reduced the overall impact. Google passwords for employees have already been reset as a precaution.
Source: CBS News Chicago