An active ShinyHunters data theft and extortion campaign is targeting Oracle PeopleSoft customers, with claims of stolen data from 300 instances across more than 100 organizations. The operation spans cloud and on-premises deployments and appears to use old and zero-day vulnerabilities plus credential-spray tooling to gain access. Defenders are being urged to check for the listed infrastructure and treat affected PeopleSoft environments as potentially compromised.

Nottingham University data has been published on the ShinyHunters leak site, turning the theft into a confirmed public exposure and raising downstream misuse risk. The publication links the university to a broader ShinyHunters data-theft operation against Oracle PeopleSoft customers. Public leak-site exposure can accelerate credential abuse, resale, and secondary extortion. The university has also acknowledged a cybersecurity incident.

The JDY botnet has expanded to more than 1,500 compromised SOHO/IoT devices, making it a larger-scale reconnaissance scanner for exposed infrastructure and follow-on targeting. It now performs targeted scanning and service fingerprinting through a centrally controlled command structure, which increases its value as a discovery layer for attackers. The network’s growth from 650 bots in early January 2024 and its spread across the U.S., Brazil, Europe, and Asia broaden its reach and resilience. Its scan results feed downstream exploitation pipelines, giving operators timely targeting data after vulnerability disclosures.

A TikTok and Instagram Reels campaign is using fake free-software tutorials to push Vidar, turning social feeds into a high-reach malware delivery channel. The operation used two campaigns to game recommendation systems, with one clip drawing more than 100,000 views and another logging nearly 1700 saves. One path delivered a PowerShell command that fetched Vidar from msget[.]run, while another used comment bait and direct messages to steer viewers toward d4ug[.]site. The activity combines social engineering, platform engagement tricks, and lure-based download chains to drive installation attempts at scale.

Threat actors are using TikTok and Instagram Reels to deliver Vidar infostealer through fake free-software tutorials, putting viewers at risk of credential, financial-data, and token theft. One delivery path used an AI-voiced PowerShell lure that fetched the malware from msget[.]run. A second path used comments and direct messages to steer users to d4ug[.]site, although its final payload was not confirmed.

Enterprise browser-session hardening is being emphasized to reduce browser-based phishing and session-layer abuse across enterprise environments. The guidance targets a control gap where traditional defenses miss activity that happens inside the browser rather than a standalone app. It is aimed at organizations handling email, SaaS, collaboration, AI assistant, financial, and credential-management workflows in-browser.

The SilabRAT MaaS operation is now offering a session-hijacking remote access trojan that can drain cryptocurrency and bypass password and MFA checks, expanding the risk from stolen logins to direct wallet theft. It uses HVNC and browser-profile cloning so attackers can revive a victim's live session on another machine. Operators are spreading it with email spam and ClickFix lures. The toolkit also includes keylogging, clipboard capture, and TightVNC, making the malware useful for both account abuse and wallet draining.

Browser-based phishing is leaving enterprise users exposed, with one in five attacks going completely undetected across millions of active browser sessions from January 1 to March 31, 2026. The pattern shows attackers operating in the browser session layer, where legacy filtering and many enterprise security products lack visibility. ClickFix-style social engineering can push users to act inside the browser and bypass controls that are not watching for legitimate-looking user actions. The gap raises the risk of credential theft and unauthorized access in environments that now run email, SaaS, collaboration, AI, and finance workflows in the browser.

o1oo1 is selling SilabRAT as a $5000/month MaaS and bundling it with AsmCrypt, turning the malware into a packaged criminal service that lowers adoption barriers. The setup shows a monetized ecosystem around session-hijacking and crypto theft, not just a standalone payload. Buyers are meant to launch their own campaigns, which broadens distribution and increases the risk of repeated infections across dark web forums and spam-driven lures.

Fortinet, Ivanti, and SAP released security updates that address multiple critical vulnerabilities across FortiSandbox, Ivanti Sentry, and SAP products. The patches cover flaws that could lead to arbitrary code execution and information disclosure, including CVE-2026-25089 and two critical Ivanti Sentry issues. The release matters because the affected products include internet-facing and enterprise application components with high-impact exposure.

Langflow's CVE-2026-5027 is an unpatched path traversal vulnerability that is being actively exploited in the wild. The flaw lets an attacker write files to arbitrary locations and can lead to unauthenticated remote code execution. Exposure is especially concerning because unauthenticated auto-login is enabled by default and roughly 7,000 instances are publicly exposed.

The JDY botnet has expanded its reconnaissance and flaw-focused scanning, increasing the risk that exposed infrastructure will be rapidly identified and targeted. Researchers say it remains heavily focused on the United States, especially U.S. military and associated networks, while operating through compromised SOHO and IoT devices. The botnet's scanning workflow helps operators locate systems vulnerable to newly disclosed flaws and quickly operationalize the results. Its growth from January 2024 to today also shows the network is becoming a more capable discovery platform.

The Gentlemen ransomware group has become a high-volume RaaS operation, using a 90/10 affiliate split to attract operators and expand its reach. The group now ranks as the second most active ransomware gang by victim count, with 332 published victims since mid-2025 and more than 240 in 2026. Its operators focus on Internet-facing VPNs and firewalls and can encrypt whole networks within hours. Identity work also links the administrator to the Zeta88/Hastalamuerte handles, reinforcing the picture of a centralized ransomware business built for scale.

Microsoft issued immediate mitigation guidance for CVE-2026-42897, reducing risk for Exchange Server 2016, 2019, and Subscription Edition (SE) on-premises servers that are being targeted in attacks. EEMS can automatically apply interim protections, and administrators in air-gapped environments can use EOMT instead. The advisory matters because permanent patches are not yet available, so defenders need a stopgap now while waiting for updates. Microsoft also warned that servers older than March 2023 may not receive new mitigations through EM Service.

Microsoft released June 2026 Security Updates for Exchange Server 2016, Exchange Server 2019, and Exchange Server Subscription Edition (SE) to fix CVE-2026-42897, an actively exploited spoofing/XSS flaw affecting Outlook Web Access users. Administrators were told to deploy the updates as soon as possible and keep the temporary Exchange Emergency Mitigation Service (EEMS) protections in place. The release closes a high-severity browser-code-execution path while preserving mitigation coverage during rollout.

CISA issued Binding Operational Directive 26-04 to require federal civilian agencies to prioritize vulnerability remediation using Asset Exposure, KEV Status, Exploit Automation, and Post-Exploitation Technical Impact. The directive updates BOD 19-02 and BOD 22-01 so agencies focus patching on the highest-risk vulnerabilities and verify whether systems were already compromised before patching. It is a federal cybersecurity mandate meant to reduce risk and improve remediation efficiency across the civilian government enterprise.

Microsoft Windows Update is failing on a small percentage of upgraded Windows 11 PCs, blocking June 2026 cumulative updates and producing 0x80073712 or 0x800f0993 errors. The affected cohort includes devices that started on Windows 10 21H2/22H2 or Windows 11 23H2 and were later upgraded to Windows 11 24H2 or 25H2. Microsoft says a fix will reach unmanaged enterprise devices and Home PCs after a restart, while already-affected systems may need package removal or an in-place upgrade. The disruption matters because impacted devices cannot install monthly Windows updates until the issue is cleared.

Identity crime victims faced more overlapping incidents in 2025-2026, increasing the risk that one compromise would spread across multiple accounts and institutions. A dataset of over 6,000 reports found nearly 26% of victims dealt with two or more concurrent incidents, up from 24% the prior year. Unauthorized device/PC access rose sharply and became a major driver of compromise, while account takeovers remained the largest misuse category at 50%. The pattern points to more chained identity abuse and slower recovery for victims caught in multi-step fraud.

Microsoft's June 2026 Patch Tuesday fixed three Windows zero-days that could yield SYSTEM access or bypass BitLocker on vulnerable systems.

YellowKey is a Windows BitLocker security feature bypass tracked as CVE-2026-45585 that affects the Windows Recovery Environment (WinRE) path and can expose BitLocker-protected drives on Windows 11 and Windows Server 2022/2025 systems. Microsoft has issued mitigation guidance after the proof of concept was made public, including removing autofstx.exe from the BootExecute registry value and moving already encrypted devices from TPM-only to TPM+PIN. The disclosed technique uses crafted FsTx files on a USB drive or EFI partition to reach a shell with unrestricted access to the protected storage volume.

Windows BitLocker YellowKey (CVE-2026-45585) moved from interim mitigation to patch status after Microsoft fixed it in June 2026 Patch Tuesday. The Windows Recovery Environment (WinRE) backdoor can let attackers with physical access bypass BitLocker on unpatched Windows 11 and Windows Server 2022/2025 systems, and Microsoft also shared mitigation measures while a public proof-of-concept exploit circulated.

Microsoft shipped a record 206-vulnerability update for its software portfolio, including three publicly disclosed flaws. The release spans Critical and Important issues across Windows and related components, making it a large enterprise patching event. It also includes fixes for Chromium-related code in Edge and adds MaxHeadersCount mitigation for HTTP/2 and HTTP/3 header abuse.

Fortinet and Ivanti released patches on Tuesday for multiple product flaws, including critical OS command injection and authentication-bypass bugs that could enable remote compromise. The update spans FortiSandbox, FortiOS, FortiProxy, FortiPortal, Sentry, and Endpoint Manager Mobile (EPMM).

Microsoft released a record Patch Tuesday bundle for June 2026 that patches nearly 200 security holes across Windows operating systems and supported software, with nearly three dozen critical flaws and public exploit code already available for at least three weaknesses.

ServiceNow disclosed an unauthorized access incident affecting hosted customer instances, with evidence that attackers made successful queries of instance tables against a subset of customers. The company said it applied a security update on June 5, 2026 after a flaw could let unauthenticated users gain greater access than intended. Impacted customers were notified, and the issue affected systems on the Australia platform release or certain earlier configurations. The activity shows real compromise of instance data access rather than a purely theoretical risk.

ServiceNow hosted customer instances were exposed to an unauthenticated access flaw that let a user gain greater access than intended, and ServiceNow pushed a June 5, 2026 security update to restrict the endpoint to authenticated users. The issue had no CVE identifier at the time of disclosure. ServiceNow also reported anomalous activity and evidence of successful queries of instance tables against a subset of customers. The affected scope included customers on the Australia platform release and certain older-release configurations.

Ivanti Sentry has a critical OS command injection vulnerability, CVE-2026-10520, that can let remote attackers execute code with root privileges on the gateway appliance. Ivanti said it had no evidence of exploitation in the wild at disclosure. The company released fixed builds R10.5.2, R10.6.2, and R10.7.1 to address the flaw. Administrators should upgrade affected gateways to reduce exposure.

Ivanti released a patch bundle for Sentry after identifying two critical vulnerabilities in the secure mobile gateway appliance, including CVE-2026-10520 and CVE-2026-10523. The update addresses an OS command injection flaw that can lead to code execution as root and an authentication bypass that can let unauthenticated attackers create rogue admin accounts. Ivanti said it had no evidence of exploitation in the wild and urged administrators to upgrade to R10.5.2, R10.6.2, or R10.7.1.

Microsoft Defender zero-day RoguePlanet is a race-condition flaw affecting fully patched Windows 10 and Windows 11 systems. A public proof-of-concept exploit was released shortly after June 2026 Patch Tuesday and can spawn a SYSTEM-level command prompt or shell when exploitation succeeds. Later reporting added that the exploit was reproduced on fully patched Windows 11 with KB5094126 and that the issue was originally aimed at remote code execution over SMB-hosted files, though the released proof of concept is mainly described as local privilege escalation. The later disclosure also says the exploit has been tested on Windows 10 and Windows 11 with June 2026 updates and does not yet work on Windows Server without redesign.

BlueHammer, RedSun, and UnDefend are being exploited in the wild against Windows devices, creating active risk of SYSTEM or elevated administrator compromise. The activity had already started by April 10 for BlueHammer, and researchers later saw the other exploits used on a breached system. The wave shows leaked proof-of-concept code moving quickly into live abuse before all of the flaws were fully addressed.