# ThreatNoir Weekly 2026-W24: The week persistence met supply chain chaos

Coverage period: 2026-06-08 to 2026-06-14. Published 2026-06-14, drawn from 80 articles. Permalink: https://threatnoir.com/weekly/2026-w24

## TL;DR

- 🎯 Chinese hackers ran a decade-long espionage campaign using backdoored Linux authentication components
- 🏫 Oracle PeopleSoft zero-day CVE-2026-35273 exploited by ShinyHunters to ransack universities worldwide
- 🐧 400+ abandoned Arch Linux AUR packages hijacked to pull a malicious npm dependency that delivers a rootkit and a credential stealer
- 🤖 US government forces Anthropic to disable advanced AI models over national security concerns
- 📱 FBI dismantles a massive Chinese phishing network blamed for $1.9B in losses
- ⚖️ Ukrainian Conti ransomware member pleads guilty, faces 20 years for a $150M extortion campaign

## Executive summary

### The week in one line
Chinese espionage persisted for a decade while software supply chains cracked under coordinated attacks.

### What happened
Sustained nation-state campaigns and supply chain compromises dominated threat activity. Law enforcement operations disrupted major criminal infrastructure while new AI governance concerns emerged.

- The Chinese Velvet Ant group ran undetected espionage for nearly ten years using backdoored Linux authentication components
- ShinyHunters exploited Oracle PeopleSoft zero-day CVE-2026-35273 to breach 100+ universities globally
- Attackers compromised 400+ Arch Linux AUR packages through a malicious npm dependency, deploying a rootkit and a credential stealer
- The US government ordered Anthropic to disable advanced AI models over national security concerns about jailbreak capabilities
- The FBI dismantled a Chinese phishing network blamed for $1.9 billion in losses across 55 countries

### Why it matters for defenders and leaders
The week paired a decade-long espionage campaign with supply chain compromises that unfold in days: attackers operate across multiple timescales at once, and trusted software ecosystems are the soft target.

- Authentication components on long-lived Linux hosts (PAM modules, OpenSSH) can carry a nation-state backdoor for years without detection
- Package repositories and software supply chains (AUR, npm, PyPI, browser extension stores) are under active, sophisticated attack
- AI model governance is becoming a national security issue requiring immediate policy responses
- Educational institutions face concentrated targeting because they hold valuable research data and often have weaker security postures

### What to do this week
- Patch Oracle PeopleSoft (CVE-2026-35273) and Ivanti Sentry (CVE-2026-10520) immediately; both are being exploited
- Audit Linux PAM modules and OpenSSH configurations for unauthorized modifications, verifying them against package-manager records or a known-good baseline rather than trusting the host's own view
- Review package dependencies in AUR, npm, and PyPI for suspicious recent updates and look-alike names
- Disable automatic execution of install scripts from package managers where you can, ahead of npm 12 making that the default
- Assess AI model access policies and export control compliance requirements

## Vulnerabilities & Exploits

**[ShinyHunters exploits Oracle PeopleSoft zero-day to target 100+ universities](https://cyberscoop.com/oracle-peoplesoft-zero-day-vulnerability-shinyhunters-extortion/)**. CVE-2026-35273 allows remote code execution and has been actively exploited since late May to exfiltrate sensitive academic data.

**[Critical Ivanti Sentry flaw added to CISA KEV catalog](https://www.cisa.gov/news-events/alerts/2026/06/12/cisa-adds-one-known-exploited-vulnerability-catalog)**. CVE-2026-10520 enables OS command injection and is being exploited to backdoor exposed gateways.

**[Chrome 149 patches 28 vulnerabilities including 5 critical flaws](https://www.securityweek.com/chrome-149-update-patches-28-vulnerabilities/)**. The majority are use-after-free memory bugs that could enable remote code execution.

**[Browser sandbox escape vulnerability disclosed](https://voidsec.com/cve-2026-40369-browser-sandbox-escape/)**. CVE-2026-40369 allows attackers to escape the browser sandbox with just 12 bytes and gain SYSTEM privileges on Windows.

### Key Takeaway
Patch Oracle PeopleSoft and Ivanti Sentry immediately; both are under active exploitation. Roll out Chrome 149 in the same cycle, since use-after-free bugs of this kind are routinely weaponized once patches are public.

## Supply Chain & Package Repositories

**[Over 400 Arch Linux AUR packages compromised](https://www.bleepingcomputer.com/news/security/over-400-arch-linux-packages-compromised-to-push-rootkit-infostealer/)**. Attackers took over abandoned packages and injected a malicious npm dependency, 'atomic-lockfile', that deploys a Rust-based credential stealer and an eBPF rootkit.

**[152 Chrome wallpaper extensions tracked users despite privacy claims](https://socket.dev/blog/152-chrome-live-wallpaper-extensions-hid-ad-tracking?utm_medium=feed)**. Extensions built from a single codebase logged user data, shared it with ad partners, and faked Google search traffic across 38 publisher accounts.

**[NPM 12 will block dependency scripts by default](https://www.securityweek.com/npm-12-will-change-script-execution-behavior-to-prevent-supply-chain-attacks/)**. The July release stops lifecycle scripts from running automatically when dependencies are installed, closing the path used by supply chain attacks such as the recent Shai-Hulud worm.

**[PyPI typosquat 'pylogxo' delivered Sirkeira Stealer](https://x.com/nextronresearch/status/2065351311403475258)**. The malicious package impersonated 'pylogx' to harvest browser credentials, Discord tokens, and Roblox accounts.

### Key Takeaway
Audit your package dependencies, including names that differ from well-known packages by a character or two, and disable automatic execution of install scripts until your package manager does so by default.

## APT & Nation-State Activity

**[Chinese Velvet Ant group ran decade-long espionage campaign](https://www.bleepingcomputer.com/news/security/chinese-hackers-hijack-auth-flow-spy-on-isolated-network-for-a-decade/)**. Attackers compromised isolated infrastructure by backdooring PAM modules and OpenSSH components, with activity dating back to 2016.

**[Iranian Handala group claims California Water Service hack](https://www.securityweek.com/iranian-cyber-group-handala-claims-cal-water-hack/)**. The group exfiltrated 5GB of customer data and gained access to the RTKBase platform and billing systems.

**[Iran and Russia create fake maritime registries to evade sanctions](https://x.com/RecordedFuture/status/2065500429002190906)**. Shadow fleets use 36+ inauthentic websites impersonating maritime organizations to generate fraudulent compliance documents.

### Key Takeaway
Treat authentication components (PAM, SSH) as high-value integrity targets: verify them against known-good package contents, and monitor for unusual access patterns in critical infrastructure.

## Ransomware & Breaches

**[Ukrainian Conti ransomware member pleads guilty](https://www.bleepingcomputer.com/news/security/ukrainian-national-pleads-guilty-to-role-in-conti-ransomware-operation/)**. Oleksii Lytvynenko admitted to wire fraud conspiracy in an operation that extorted $150M from 1,000+ victims.

**[Novo Nordisk discloses clinical trial data breach](https://www.bleepingcomputer.com/news/security/pharmaceutical-giant-novo-nordisk-discloses-security-breach/)**. Attackers copied pseudonymized patient data and healthcare professional PII from internal systems.

**[ShinyHunters adds major infrastructure companies to leak site](https://x.com/DarkWebInformer/status/2065449946799600088)**. The group lists Zayo Group, Allstream, and American Tower on its dark web portal following the Oracle exploitation campaign.

### Key Takeaway
Segment systems holding sensitive data and prepare incident response plans for the healthcare and infrastructure sectors.

## Regulatory & AI Governance

**[US government forces Anthropic to disable advanced AI models](https://cyberscoop.com/us-government-anthropic-fable-5-mythos-5-export-controls/)**. The Commerce Department ordered suspension of the Fable 5 and Mythos 5 models for foreign nationals, citing national security concerns over jailbreak capabilities.

**[Spanish DPA fines delivery company €205,000 for GDPR violations](https://gdprhub.eu/index.php?title=AEPD_(Spain)_-_PS-00248-2024&diff=51868&oldid=51867)**. SEUR GEOPOST failed to establish a proper data processing agreement with its parcel locker provider.

**[Lithuanian doctor fined €1,153 for unlawful patient data access](https://gdprhub.eu/index.php?title=VDAI_(Lithuania)_-_3R-1040&diff=51865&oldid=0)**. The doctor used patient information to invite 1,200+ patients to a new medical institution without a legal basis.

### Key Takeaway
Review AI model access controls and ensure third-party data processing agreements comply with GDPR requirements.

## Law Enforcement Operations

**[FBI dismantles massive Chinese phishing network causing $1.9B losses](https://cyberscoop.com/outsider-cybercrime-network-takedown-china-fbi-google-lumen/)**. Operation Ghost Hook disrupted the Outsider phishing-as-a-service (PhaaS) platform, which operated across 55 countries with AI-generated lures.

**[International operation shuts down AudiA6 crypto laundering service](https://hackread.com/feds-seize-audia6-dark2web-crypto-laundering-case/)**. The US Secret Service and IRS-CI arrested two suspects for laundering $389M in ransomware and dark web proceeds.

**[INTERPOL takedown of Sniper Dz phishing platform results in 201 arrests](https://thehackernews.com/2026/06/interpol-takes-down-sniper-dz-phishing.html)**. The decade-old PhaaS platform collected 45,000+ victim records across the MENA region.

### Key Takeaway
Coordinated international enforcement is disrupting major cybercrime infrastructure; update threat intelligence feeds and blocklists for the seized infrastructure accordingly.

## Indicators and identifiers from this week

Network indicators are defanged. CVE-2026-1600, the LAPSUS$ domain, the PowerShell script and the DocuSign sample come from articles in this week's pool that are not summarized above.

| Type | Indicator | Context |
|---|---|---|
| CVE | CVE-2026-35273 | Oracle PeopleSoft zero-day vulnerability |
| CVE | CVE-2026-10520 | Critical OS command injection vulnerability in Ivanti Sentry |
| CVE | CVE-2026-40369 | Browser sandbox escape vulnerability |
| CVE | CVE-2026-1600 | Vulnerability allowing price manipulation |
| Malware | Conti | Ransomware operation linked to the guilty plea |
| Malware | atomic-lockfile | Malicious npm package used to distribute the rootkit and infostealer |
| Malware | Sirkeira Stealer | Stealer dropped by the 'pylogxo' typosquat package |
| Malware | PowerShell script | Leaked hardcoded LDAP credentials via a PowerShell script |
| Domain | lapsus[.]bz | New clearnet domain associated with the LAPSUS$ group |
| Domain | smplfy.inlett[.]email | AudiA6/Dark2Web domain seized by law enforcement |
| Domain | trayo[.]app | AudiA6/Dark2Web domain seized by law enforcement |
| IP address | 69.164.245[.]166 | Used by the malicious package to download the stealer payload |
| URL | hxxps://t[.]co/2ZaHonqedY | Link to GitHub repository |
| URL | hxxps://t[.]co/rcEsND2ayd | Link to malicious DocusignSetup.exe sample |
| MITRE ATT&CK | T1071.001 | Application Layer Protocol: Web Protocols |

## Related coverage this week

- Critical Gap Between Vulnerability Disclosure and Exploitation
- Conti Ransomware Member's Guilty Plea Highlights Need for Robust Defense
- French Government Messaging Platform Compromised Through Account Breach
- Malicious Software Distribution Through Trusted Repositories
- Typosquatting Attack Highlights Supply Chain Security Risks
- International Crypto Laundering Operation Dismantled Through Cross-Border Enforcement
- Critical Vulnerability Chain in LangGraph Framework Enables Remote Code Execution
- Critical Ivanti Sentry Vulnerability Actively Exploited
- Doctor Fined €1,153 for Unauthorized Patient Data Access
- Chrome Browser Vulnerabilities Highlight Critical Need for Timely Patching
- Major Phishing-as-a-Service Platform Dismantled After Decade of Operations
- Malware Disguised as Legitimate DocuSign Installer
- Federal Cybersecurity Workforce Faces AI Skills Gap and Budget Constraints
- Windows Update Installation Failures Due to WUSA Bug
- Iranian Group Breaches Water Utility Through Poor System Isolation
- Spanish Delivery Company Fined €205,000 for GDPR Violations in Third-Party Data Processing
- MDR Alert Overload Creates Security Blind Spots
- Clinical Trial Data Breach Exposes Patient and Healthcare Professional Information
- GDPR Violation: Improper Third-Party Data Processing Agreement

## References
- [CVE-2026-35273 Oracle PeopleSoft Exploitation](https://cyberscoop.com/oracle-peoplesoft-zero-day-vulnerability-shinyhunters-extortion/)
- [400+ Arch Linux Packages Compromised](https://www.bleepingcomputer.com/news/security/over-400-arch-linux-packages-compromised-to-push-rootkit-infostealer/)
- [Chinese Decade-Long Espionage Campaign](https://www.bleepingcomputer.com/news/security/chinese-hackers-hijack-auth-flow-spy-on-isolated-network-for-a-decade/)
- [US Forces Anthropic AI Model Suspension](https://cyberscoop.com/us-government-anthropic-fable-5-mythos-5-export-controls/)
- [FBI Disrupts $1.9B Chinese Phishing Network](https://cyberscoop.com/outsider-cybercrime-network-takedown-china-fbi-google-lumen/)
- [Ukrainian Conti Member Guilty Plea](https://www.bleepingcomputer.com/news/security/ukrainian-national-pleads-guilty-to-role-in-conti-ransomware-operation/)
- [CISA Adds Ivanti Sentry to KEV Catalog](https://www.cisa.gov/news-events/alerts/2026/06/12/cisa-adds-one-known-exploited-vulnerability-catalog)
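The supply chain items (the npm 12 change to script execution, the 'atomic-lockfile' dependency pushed through the AUR, and the 'pylogxo' PyPI typosquat) point at two checks a practitioner can run on a dependency tree today. The block below is an added example written for this roundup; it is not code from ThreatNoir, npm, or any of the cited reports. It walks the package.json files under node_modules and lists every install-time lifecycle hook (the code npm 12 will stop running by default and that `ignore-scripts=true` disables now), and it compares installed names against a list of well-known packages using an edit distance that counts adjacent transpositions. The node_modules contents, the `POPULAR` list and the requirements list are constructed; 'atomic-lockfile' and 'pylogxo' are only the names from the reports, and the manifest given to atomic-lockfile here is made up.

```python
"""Dependency-tree audit: install-time lifecycle hooks and look-alike names.

Added example for the supply chain section; not from ThreatNoir, npm or the cited
reports. All manifests, the POPULAR list and the requirements list are constructed.
"""
import json
import re

# npm runs these automatically during `npm install` unless ignore-scripts is set.
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")


def install_hooks(manifest_json):
    """Return {hook: command} for the install-time hooks declared in one package.json."""
    scripts = json.loads(manifest_json).get("scripts") or {}
    return {h: scripts[h] for h in INSTALL_HOOKS if h in scripts}


def audit_install_scripts(tree):
    """tree: {path: package.json text}, as a walk of node_modules would yield.
    Returns sorted (package name, hook, command) triples: the code that would
    run on a developer or build machine at install time."""
    findings = []
    for path, text in tree.items():
        if not path.endswith("package.json"):
            continue
        name = json.loads(text).get("name", path)
        for hook, cmd in install_hooks(text).items():
            findings.append((name, hook, cmd))
    return sorted(findings)


def osa_distance(a, b):
    """Optimal string alignment (restricted Damerau-Levenshtein) distance:
    insertions, deletions, substitutions and adjacent transpositions each cost 1."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)   # transposition
    return d[len(a)][len(b)]


def typosquat_candidates(installed, popular, max_distance=1):
    """Names within max_distance edits of a well-known package, but not equal to it."""
    hits = []
    for name in sorted(installed):
        for known in popular:
            if name != known and osa_distance(name.lower(), known.lower()) <= max_distance:
                hits.append((name, known))
    return hits


def npmrc_ignores_scripts(npmrc_text):
    """True if an .npmrc sets ignore-scripts=true (the behaviour npm 12 makes default)."""
    for line in npmrc_text.splitlines():
        m = re.match(r"^\s*ignore-scripts\s*=\s*(\S+)", line.split("#", 1)[0])
        if m:
            return m.group(1).lower() == "true"
    return False


# --- constructed inputs ---------------------------------------------------
NODE_MODULES = {  # made-up node_modules walk; 'atomic-lockfile' is only the name from the report
    "node_modules/lodash/package.json": '{"name": "lodash", "version": "4.17.21"}',
    "node_modules/lodahs/package.json": '{"name": "lodahs", "version": "1.0.0"}',
    "node_modules/atomic-lockfile/package.json":
        '{"name": "atomic-lockfile", "version": "0.1.2", '
        '"scripts": {"postinstall": "node lib/setup.js", "test": "jest"}}',
    "node_modules/esbuild/package.json":
        '{"name": "esbuild", "version": "0.21.0", "scripts": {"postinstall": "node install.js"}}',
}
POPULAR = ["lodash", "express", "react", "axios", "pylogx"]   # constructed allowlist
PYPI_REQUIREMENTS = ["requests", "pylogxo"]                    # 'pylogxo' is the name from the report


def run_audit():
    installed = [json.loads(t)["name"] for t in NODE_MODULES.values()] + PYPI_REQUIREMENTS
    return {"install_hooks": audit_install_scripts(NODE_MODULES),
            "lookalikes": typosquat_candidates(installed, POPULAR),
            "npmrc_protects": npmrc_ignores_scripts("ignore-scripts=true\n")}


if __name__ == "__main__":
    for key, value in run_audit().items():
        print(key, value)
```

The hook report is a review list, not a block list: packages with native or platform-specific builds commonly declare a postinstall hook, so the point is to know which code runs at install time and to run installs with scripts disabled unless a hook has been reviewed. The edit-distance check catches one-character and transposition squats like pylogxo, but not homoglyph or scope-confusion names, which need separate rules.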
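The Velvet Ant item (backdoored PAM modules and OpenSSH components) and the "audit Linux PAM modules and OpenSSH configurations" action say what to look for but not how. The block below is an added example written for this roundup, not code from ThreatNoir or from the reporting it cites. It parses pam.d rules and sshd_config for the traces a backdoored authentication stack leaves (a module loaded from an unpackaged path, a module the package manager does not account for, an unconditional `pam_permit.so` in the auth stack, `pam_exec.so` with `expose_authtok`, an `Include` outside /etc/ssh, `AuthorizedKeysCommand`) and compares module hashes against a baseline. The pam.d file, sshd_config, package-owner set and hash baseline are all constructed.

```python
"""Audit PAM and sshd configuration for backdoor-style modifications.

Added example; not code from ThreatNoir or the cited reporting. Every input
(pam.d file, sshd_config, package-owner set, hash baseline) is constructed.
"""
import hashlib
import re

STANDARD_PAM_DIRS = ("/lib/security", "/lib64/security",
                     "/usr/lib/security", "/usr/lib64/security")


def parse_pam_config(text):
    """Return (type, control, module, args) for each rule in a pam.d file."""
    text = text.replace("\\\n", " ")               # join backslash continuations
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drops comments and '#%PAM-1.0'
        if not line or line.startswith("@include"):  # Debian-style file include
            continue
        m = re.match(r"^(\S+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$", line)
        if m:
            rules.append(m.groups())
    return rules


def audit_pam(text, package_owned):
    """Findings for one pam.d file as (kind, detail) pairs. package_owned holds the
    module paths the package manager accounts for (constructed below)."""
    findings = []
    for ptype, control, module, args in parse_pam_config(text):
        if control in ("include", "substack"):       # chains to another pam.d file
            continue
        base = module.rsplit("/", 1)[-1]
        if module.startswith("/"):
            if not module.startswith(STANDARD_PAM_DIRS):
                findings.append(("nonstandard_path", module))
            elif module not in package_owned:
                findings.append(("unowned_module", module))
        elif not any(f"{d}/{module}" in package_owned for d in STANDARD_PAM_DIRS):
            findings.append(("unowned_module", module))
        if ptype == "auth" and base == "pam_permit.so" and control == "sufficient":
            findings.append(("auth_bypass", f"{ptype} {control} {module}"))  # always succeeds
        if base == "pam_exec.so" and "expose_authtok" in args.split():
            findings.append(("credential_hook", f"{module} {args}"))  # password piped to a program
    return findings


def verify_hashes(files, baseline):
    """files: {path: bytes}; baseline: {path: hex SHA-256} from a trusted source.
    Returns the paths whose content differs from, or is absent in, the baseline."""
    return sorted(p for p, data in files.items()
                  if baseline.get(p) != hashlib.sha256(data).hexdigest())


def audit_sshd_config(text):
    """Findings for sshd_config: Include outside /etc/ssh, root or password login
    enabled, and AuthorizedKeysCommand (a program that can supply any key)."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)   # sshd accepts "Key val" or "Key=val"
        key, val = parts[0].lower(), (parts[1] if len(parts) > 1 else "")
        if key == "include" and val.startswith("/") and not val.startswith("/etc/ssh/"):
            findings.append(("nonstandard_include", val))
        elif key in ("permitrootlogin", "passwordauthentication") and val.lower() == "yes":
            findings.append(("risky_setting", f"{parts[0]} {val}"))
        elif key == "authorizedkeyscommand":
            findings.append(("key_command", val))
    return findings


# --- constructed inputs ---------------------------------------------------
SAMPLE_PAM_SSHD = """\
auth      required    pam_env.so
auth      sufficient  pam_permit.so
auth      optional    pam_exec.so expose_authtok /usr/lib/security/.cache/upd
auth      include     system-auth
account   required    pam_nologin.so
session   required    /usr/local/lib/pam_ssh_log.so
"""
PACKAGE_OWNED = {f"/usr/lib/security/{m}" for m in
                 ("pam_env.so", "pam_permit.so", "pam_exec.so", "pam_nologin.so", "pam_unix.so")}
GENUINE = {  # stand-ins for the shared objects' bytes
    "/usr/lib/security/pam_unix.so": b"\x7fELF pam_unix.so genuine build",
    "/usr/lib/security/pam_env.so": b"\x7fELF pam_env.so genuine build",
}
BASELINE = {p: hashlib.sha256(b).hexdigest() for p, b in GENUINE.items()}
TAMPERED = {**GENUINE, "/usr/lib/security/pam_unix.so": b"\x7fELF pam_unix.so + credential logger"}
SAMPLE_SSHD_CONFIG = """\
Include /etc/ssh/sshd_config.d/*.conf
Include /var/tmp/.cache/sshd_extra.conf
PermitRootLogin yes
PasswordAuthentication no
AuthorizedKeysCommand /usr/local/bin/fetch_keys %u
"""


def run_audit():
    return {"pam": audit_pam(SAMPLE_PAM_SSHD, PACKAGE_OWNED),
            "hashes": verify_hashes(TAMPERED, BASELINE),
            "sshd": audit_sshd_config(SAMPLE_SSHD_CONFIG)}


if __name__ == "__main__":
    for area, items in run_audit().items():
        for item in items:
            print(f"{area}: {item}")
```

On a live host the package-owner set comes from `pacman -Ql`, `rpm -ql` or `dpkg -S`, and `pacman -Qkk`, `rpm -V` or `debsums` provide the integrity check the hash comparison stands in for. An attacker with root can also edit the package database, so take the baseline from a trusted source (the distribution's package files or a hash list recorded earlier and stored off-host), not from the machine under review, and treat `AuthorizedKeysCommand` findings as review items, since directory-integration agents use it legitimately.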