ShinyHunters Burns a PeopleSoft Zero-Day Through Higher Ed as Copilot "SearchLeak" Shows AI Is the New Exfil Channel

A heavy day for offensive practitioners: an actively exploited Oracle PeopleSoft RCE chain, a watchTowr-detailed pre-auth Splunk RCE, and a Defender zero-day with public PoC dominate the vuln front, while a string of AI-layer attacks — Copilot one-click exfil, Vertex AI cross-tenant RCE, and the AI-model theft in the Novo Nordisk breach — show the agentic stack is now squarely in scope.

Vulnerabilities & Exploits

Oracle PeopleSoft CVE-2026-35273 unauthenticated RCE is under active exploitation by ShinyHunters (aka Bling Libra), with the education sector hit hardest since at least late May. Horizon3 confirmed exploitation predating disclosure, and Unit 42 corroborates the campaign against universities. watchTowr warns that “vibecoded” PoCs circulating are only the first-stage SSRF, not the full chain — treat public exploits skeptically (watchTowr).
Splunk Enterprise CVE-2026-20253 (CVSS 9.8) is a pre-auth RCE: an arbitrary file write in the bundled PostgreSQL sidecar that watchTowr turned into code execution by abusing database-level auth. Fixed in 10.0.7+ / 10.2.4+ (watchTowr Labs, Horizon3).
Microsoft Defender “RoguePlanet” (CVE-2026-50656) zero-day remains unpatched, with Microsoft confirming a patch is in development. Public PoC exploits a race condition in the Malware Protection Engine to spawn a SYSTEM shell (SecurityWeek, BleepingComputer).
Joomla JCE plugin CVE-2026-48907 (CVSS 10.0), a pre-auth profile-import-to-PHP-execution flaw, is actively exploited and now in CISA KEV with a Friday federal deadline (BleepingComputer, The Hacker News).
Fortinet FortiSandbox is under active attack via three critical bugs — CVE-2026-39813, CVE-2026-39808, CVE-2026-25089 (path traversal + privesc, CVSS 9.1) — with CERT.dk flagging the attacks for Nordic defenders. Upgrade immediately (The Register).
Cisco Catalyst SD-WAN Manager CVE-2026-20262 (authenticated arbitrary file write → privesc) is exploited in the wild; CISA mandate to remediate by June 29 (SecurityWeek).
Check Point Remote Access VPN CVE-2026-50751, an IKEv1 cert-validation auth bypass, is actively exploited for initial access; watchTowr has the technical writeup (watchTowr Labs, Horizon3).
SimpleHelp CVE-2026-48558 OIDC auth bypass lets attackers create rogue Technician accounts and reach managed endpoints; Horizon3 has published IOCs (Horizon3).
21 zero-days disclosed in FFmpeg — relevant given how widely the library is embedded in media-processing and cloud pipelines (depthfirst).
CERT-EU advisory batch flags several exploited-in-the-wild flaws worth hunting: Windows Netlogon (unauth DC RCE, actively exploited), PAN-OS (root RCE, limited exploitation), and SharePoint RCE now in CISA KEV (CERT-EU 2026-007).

AI & Model Security

Microsoft 365 Copilot “SearchLeak” (CVE-2026-42824) chained prompt injection, a race condition, and a CSP bypass into one-click exfil of emails, calendar, indexed files, and MFA codes — all from a legitimate microsoft.com link that defeated URL filtering. Now patched by Varonis disclosure (The Hacker News, Dark Reading).
Google Vertex AI SDK “Pickle in the Middle” — Unit 42 found that predictable staging buckets in google-cloud-aiplatform 1.139.0/1.140.0 let an unrelated attacker hijack a victim’s model upload and gain cross-tenant RCE inside Google’s serving infra. Fixed in v1.148.0 via randomized buckets and ownership checks (Unit 42).
LiteLLM AI gateway can be fully taken over by chaining three bugs from a default low-privilege account, exposing every provider key the proxy brokers (The Hacker News).
“Agentjacking” (Tenet Security) tricks AI coding agents into running arbitrary code on dev machines via a crafted Sentry error report — a clean illustration of tool-using agents trusting untrusted telemetry (The Hacker News).
Unit 42 and Mandiant both published red-team lessons on agentic systems: third-party agent “skills” with privileged access frequently deviate from declared behavior, and the real risk is multi-stage chains, not single mismatches (Unit 42, Mandiant).
Firefox AI chatbot features were vulnerable to prompt injection from attacker-controlled page content, enabling email theft via a broken trust boundary; Mozilla has limited prompt lengths (Insinuator).
15 malicious JetBrains Marketplace plugins, all posing as DeepSeek-based AI coding assistants, exfiltrated developers’ AI provider API keys — paired with Chrome extensions capturing chatbot conversations (BleepingComputer, Aikido).

Data Breaches (Nordic emphasis)

Novo Nordisk (Danish pharma giant) confirmed a breach in which FulcrumSec claims 1.3TB exfiltrated and a $25M ransom — notably including the company’s internal AI assets: a 16GB trained model checkpoint, proprietary training data, full pipeline source (modeling_novopert.py), 113 training-run logs, and HPC/Slurm/SSH infrastructure maps. A concrete example of AI model/IP theft as an extortion payload (SecurityWeek, vx-underground).
Kodak confirmed a data breach claimed by ShinyHunters, working with external responders; scope not yet verified (BleepingComputer, SecurityWeek).

Threat Activity & Ransomware

FortiBleed — SOCRadar uncovered an industrialized credential-harvesting operation against Fortinet firewalls/VPNs: ~30,791 compromised devices, 8,316 organizations, across 194 countries, with attacker tooling, automation, and a verified-credential database recovered. Notably not a new zero-day — it’s reused/leaked credential abuse at scale, so rotate creds and audit admin access (BleepingComputer, Dark Reading).
SprySOCKS — ESET attributes two undocumented Windows variants (WIN_PLUS, WIN_DRV) of the previously Linux-only backdoor to China-nexus FishMonger (Earth Lusca). WIN_DRV weaponizes a kernel driver to redirect traffic to a hidden passive TCP backdoor, with possible UEFI bootkit involvement. IOCs published (WeLiveSecurity, The Hacker News).
UNC6508 (PRC-nexus) lurked in North American medical, academic, and defense research networks for over a year, backdooring vulnerable REDCap servers with InfiniteRed malware and abusing the victims’ own Google Workspace mail rules to silently copy outbound research and defense email (Mandiant/GTIG, The Hacker News).
GhostTree — Varonis details how recursive NTFS junctions generate vast valid path trees that can stall Defender folder scans indefinitely, hiding malware. Requires only write access; hunt for abnormal junction creation (BleepingComputer).
KRYBIT ransomware emerged fast — 49 victims across 20+ countries since April, double-extortion, with YARA overlap heavily on the leaked Babuk codebase per Nextron (Nextron).
The Gentleman ransomware continues rapid growth (~500 claimed victims), now listing a European national healthcare org and “one of Scandinavia’s most recognized national museums” — a Nordic angle worth tracking (DarkFeed).
LockBit shows comeback signals with a 15+ victim wave across multiple continents; now the 6th most active group of 2026 (DarkFeed).
ScarCruft (APT37) delivered NarwhalRAT via spear-phishing impersonating Microsoft account security alerts, using Korean sites and pCloud for C2 (The Hacker News).
SideCopy (APT36 / Transparent Tribe) continues its double-extension LNK → PowerShell → CrimsonRAT chain against Indian defense, swapping lures between fake PowerPoint briefings and Word “Minutes of Meeting” docs; staged components barely register at delivery. IOCs via Nextron (Nextron).
ClickFix campaigns expanded with three new loaders — BabaDeda, Lorem Ipsum, and Potemkin — via fake update lures and compromised WordPress sites, one cluster possibly linked to Vice Society (The Hacker News).
Rokarolla Android trojan targets 217 banking/crypto apps with 137 commands for near-total device control, spread via fake TikTok and Chrome downloads (BleepingComputer).
Steam Workshop / Wallpaper Engine abused to distribute account-stealing malware, alongside 152 trojanized Chrome wallpaper extensions (105K installs) faking ad traffic (Securelist, The Hacker News).

Supply Chain

Atomic Arch — attackers hijacked 1,500+ orphaned Arch Linux AUR packages, lacing PKGBUILD install hooks to deploy a Rust infostealer and an eBPF rootkit; Arch suspended new AUR registrations. Nextron published YARA for the malicious PKGBUILD/.install/ALPM hooks (SecurityWeek, Nextron).
Mastra npm org (AI-app framework, 28M+ monthly downloads) — a single hijacked maintainer account (ehindero) trojanized up to 144 @mastra/* packages in 27 minutes, each pulling a remote payload via the easy-day-js typosquat dependency (Endor Labs, The Hacker News).
DPRK-linked PolinRider continues evolving — tailwind-color-shades typosquat uses a blockchain dead-drop loader chain (TRON→Aptos→BSC→XOR→eval) to deliver Beavertail → InvisibleFerret, with a new XOR key and obfuscator build (Nextron).
More npm typosquats (twcompose-utils, classbreeze-utils) impersonate @tailwindcss/typography, fetching OS-specific native second stages and persisting as fake GoogleUpdateService / WpnUserSvc.exe (Nextron).

Industry & Policy

Anthropic was ordered by the U.S. government to abruptly suspend access to its top Claude Fable 5 and Mythos 5 models for all foreign nationals, citing national security — a notable precedent for export-style controls on frontier models (The Hacker News).
UK will require ID upload or facial age-scan to create social media accounts (under-16 ban, spring 2027), with experts warning of easy circumvention, fresh breach surface, and device-level enforcement that defeats VPNs (BleepingComputer, Dark Reading).
Estonia introduced quarantine of .ru email to government agencies, per CERT.dk — a concrete Nordic/Baltic posture shift worth noting for regional threat models (CERT.dk).
OpenAI is reportedly testing a “ChatGPT for Science” subscription tier (BleepingComputer).