- Critical vulnerability in Oracle PeopleSoft PeopleTools exploited as zero-day in data theft attacks by ShinyHunters
ThreatNoir Morning Brief — June 30
Morning Review in IT Security — June 30, 2026
The threat landscape continues to evolve rapidly as attackers exploit critical vulnerabilities in widely-used enterprise and development tools. Today's briefing covers major incidents affecting automotive manufacturers, government networks, and developer environments, alongside emerging attack techniques targeting cloud-based services and remote management platforms.
Nissan Discloses Employee Data Breach Linked to Oracle Zero-Day Attacks
Nissan has disclosed a significant data breach affecting current and former employees following the exploitation of an Oracle PeopleSoft vulnerability by threat actors. The attackers leveraged CVE-2026-35273 to conduct data theft operations, with the breach linked to the ShinyHunters extortion group, which has previously conducted similar campaigns against other organizations. The incident underscores the critical risk posed by unpatched zero-day vulnerabilities in widely deployed human resources and payroll systems. Source: Nissan discloses employee data breach linked to Oracle zero-day attacks
Mustang Panda Uses Zoho WorkDrive as Command Channel in Indian Government Attacks
The China-aligned espionage group Mustang Panda has launched coordinated campaigns targeting the Indian government and hydropower sector, deploying multiple malware families including MINIRECON, SHARDLOADER, and ZOHOMURK. Researchers at the Acronis Threat Research Unit identified active compromises within Indian government networks, including systems used by senior administrative staff, with attackers ingeniously repurposing the legitimate Zoho WorkDrive cloud service as a command-and-control channel. The campaigns demonstrate sophisticated operational security techniques designed to evade detection by blending malicious traffic with legitimate cloud service communications. Source: Mustang Panda Uses Zoho WorkDrive as Command Channel in Indian Government Attacks
Researchers Demo New Claude Code Attack Using Harmless-Looking Repositories to Hijack Developer Machines
Security researchers have demonstrated a novel attack vector against Claude Code in which indirect prompts embedded within seemingly benign code repositories can trigger the execution of malicious commands on developer machines, including reverse shell spawning. The attack exploits the trust developers place in repository contents and Claude Code's ability to interpret and execute instructions from repository files. This supply-chain oriented technique represents a significant risk to development environments and highlights the need for enhanced scrutiny of third-party code and AI-assisted development tools. Source: Researchers Demo New Claude Code Attack Using Harmless-Looking Repositories to Hijack Developer Machines
Critical SimpleHelp Flaw Exploited to Deploy New Stealer Malware
Attackers are actively exploiting CVE-2026-48558, a critical authentication bypass vulnerability in SimpleHelp remote management software, to deploy Djinn Stealer and TaskWeaver malware. Djinn Stealer is a previously undocumented cross-platform information stealer capable of targeting Windows, macOS, and Linux systems, making it a significant threat to organizations relying on SimpleHelp for remote support operations. The exploitation of this vulnerability demonstrates how critical flaws in remote management tools can serve as effective entry points for deploying sophisticated credential-stealing malware. Source: Critical SimpleHelp flaw exploited to deploy new stealer malware
Organizations must prioritize patching critical vulnerabilities in Oracle PeopleSoft, SimpleHelp, and other widely deployed systems while implementing enhanced monitoring of cloud services for suspicious command-and-control activity. Additionally, development teams should exercise heightened caution when integrating AI-assisted coding tools and reviewing third-party repository contents.
Sources & IOCs
Source articles and extracted indicators (defanged where appropriate).
- PowerShell (implied by loader/implant activity)
- Ingress Tool Transfer (via cloud service)
- Web Protocols (HTTPS/WebSocket for C2)
- Encrypted Channel (HTTPS)
- Obfuscated Files or Information (hidden DLL)
- Malicious Link/Object (spear-phishing attachment)
- Process Injection (DLL sideloading)
- MINIRECONReworked Toneshell backdoor variant
- SHARDLOADERLoader malware
- ZOHOMURKNovel implant using Zoho WorkDrive for C2
couldinstallup[.]comCommand and Control domain
- Command and Scripting Interpreter - Shell execution via setup.sh
- Application Layer Protocol - Web Protocols used for reverse shell communication
- Data from Local System - Exfiltration of credentials, API keys, and tokens
- Application Layer Protocol - DNS for payload delivery via TXT records
- Critical authentication bypass vulnerability in SimpleHelp RMM platform allowing unauthenticated technician account creation
- Djinn StealerPreviously undocumented cross-platform information stealer targeting Windows, macOS, Linux; focuses on developer credentials and AI tooling
- TaskWeaverGeneric malware loader deployed via obfuscated JavaScript file 'jquery.js'; fingerprints devices and communicates with C2 infrastructure