Overview
Description
Statistics
- 16 Posts
- 8 Interactions
Fediverse
ShinyHunters hits American universities with an Oracle PeopleSoft zero-day: the UNC6240 operation analyzed by Mandiant
Mandiant and GTIG have documented an active compromise and extortion campaign by ShinyHunters (UNC6240) against Oracle PeopleSoft, exploiting CVE-2026-35273 as a zero-day before Oracle released its patch. 68% of the victims are US universities.
⚠️ ShinyHunters claims it hacked 100 orgs by exploiting an Oracle PeopleSoft 0-day
"A spokesperson for the cybercrime crew on Thursday told The Register that they exploited CVE-2026-35273 to break into the university's PeopleSoft system and steal 40 GB of personal data and billing records belonging to hundreds of thousands of current and former students"
CVE-2026-35273 (CVSS 9.8) enables unauthenticated RCE in Oracle PeopleSoft Environment Management, affecting versions 8.61/8.62. ShinyHunters exploited this to extract 40GB from universities—student records, payroll, financial aid...
⚠️ CRITICAL: Oracle Addresses PeopleSoft Vulnerability Amid Reports of Zero-Day Attacks
Oracle released an emergency advisory for CVE-2026-35273, a critical unauthenticated RCE in PeopleSoft PeopleTools 8.61 and 8.62. ShinyHunters has reportedly exploited this vulnerability across 300+ instances at 100+ organizations. Oracle released mitigations only, not a full patch, and active expl…
The ShinyHunters threat group has exploited a critical zero-day vulnerability (CVE-2026-35273) in Oracle PeopleSoft to target over 100 organizations, primarily in the higher education sector. Mandiant reports that attackers used this remote-code execution flaw to compromise systems and steal sensitive data for potential phishing and extortion.
https://www.cybersecuritydive.com/news/shinyhunters-exploitation-critical-flaw-oracle-peoplesoft/822796/
Recent reports indicate the UAE is unfreezing Iranian funds amid US ceasefire efforts, while Iran's foreign minister signals a deal is closer. In technology, Apple showcased deeper AI integration and iOS 27 features at WWDC 2026. Critical cybersecurity news includes Google suing a Chinese smishing network for using Gemini AI in phishing, and ShinyHunters exploiting an Oracle PeopleSoft zero-day (CVE-2026-35273) to breach universities.
ShinyHunters breaches universities using a zero-day exploit in Oracle PeopleSoft (CVE-2026-35273)
https://blog.elhacker.net/2026/06/shinyhunters-vulnera-universidades.html
Statistics
- 5 Posts
Fediverse
⚠️ CRITICAL: Ivanti Sentry OS command injection (CVE-2026-10520) enables remote root execution via exposed mgmt port 8443. Only honeypot hits so far — patch versions 10.5.2, 10.6.2, 10.7.1+ ASAP & restrict access! https://radar.offseq.com/threat/ivanti-sentry-exploitation-attempts-hitting-honeyp-ce849175 #OffSeq #Ivanti #Vuln #Infosec
⚠️ CRITICAL: Max severity Ivanti Sentry vulnerability now exploited in attacks
Attackers are actively exploiting CVE-2026-10520, a maximum-severity OS command injection flaw in Ivanti Sentry security gateways. This vulnerability allows unauthenticated remote code execution with root privileges on internet-exposed instances. Many appliances were backdoored immediately after Iv…
🚨 CRITICAL EDGE INFRASTRUCTURE ALERT: CVE-2026-10520 🚨The enterprise perimeter is facing an active, unauthenticated exploitation vector. A maximum severity CVSS 10.0 Pre-Auth Remote Code Execution (RCE) vulnerability in Ivanti Sentry has been added to the CISA Known Exploited Vulnerabilities (KEV) catalog. https://thecybermind.co/jbli
Overview
- Splunk
- Splunk Enterprise
Statistics
- 5 Posts
- 1 Interaction
Statistics
- 3 Posts
Fediverse
Checkpoint VPN Auth Bypass Exploited as Zero-Day
Wordfence Security News Clip | June 8, 2026
A Checkpoint VPN zero-day let attackers skip credentials entirely - exploited for a month before disclosure.
CISA added CVE-2026-50751 to its Known Exploited Vulnerabilities catalog a day before Checkpoint's advisory.
Apply the Checkpoint hotfix now, or disable IKEv1 and enforce machine certificate authentication.
Watch The Clip: https://youtube.com/shorts/nFV96YYkbS0
Statistics
- 3 Posts
- 1 Interaction
Fediverse
CISA has added CVE-2026-11645 (Chromium V8 Out-of-Bounds flaw) to its KEV catalog. The Cyber Mind Co™ has deployed a strategic corporate risk brief and 12-point endpoint hardening runbook to secure your perimeter. Review the threat vector architecture now: https://thecybermind.co/ycvy
🚨 CRITICAL ARCHITECTURAL COMPROMISE ADVISORY: CVE-2026-11645
The enterprise attack surface has officially expanded into our core automation and browsing infrastructure with CISA’s active cataloging of CVE-2026-11645. This critical, maximum-severity Chromium V8 zero-day allows unauthenticated adversaries to bypass standard execution boundaries and run arbitrary code directly at the memory layer via simple web interaction. https://thecybermind.co/k39m
Statistics
- 2 Posts
Fediverse
Linux Sees Patches For "Critical" Vulnerability Affecting Many Arm CPUs #devopsish https://www.phoronix.com/news/Arm-CPU-Critical-CVE-2025-10263
This Week in Security: Microsoft on Microsoft, Register Your Domains, Linux on ARM, and FreeBSD Joins the File Cache Club
Supply chain attacks continue, with Microsoft’s own open source Azure repositories being automatically disabled by GitHub following a compromise of the packages by the Miasma worm.
OpenSourceMalware reports that the infection resulted in 73 Microsoft-related package repositories being flagged and taken offline in a little over a minute by the GitHub automated security system, with over 40 repositories being related to Azure and the rest distributed across the Microsoft organization.
The center of the infection appears to be the Microsoft Durabletask package, which was previously compromised in May and used to push infected packages to PyPI. Considering that all of the supply chain worms also steal credentials for every service they can find in the build or developer environment they infect, it seems likely that credentials stolen in the original attack were never properly revoked.
Disabling the repositories helps stop the infected packages and GitHub Actions from spreading to more organizations, but of course any build process depending on those packages will stop working. In May, the Durabletask package showed over 400,000 downloads per month.
The OpenSourceMalware report includes a full list of the impacted repositories.
Microsoft Fixes GitHub Token Exploit
Microsoft has finally fixed a bug in the web-based VS Code editor embedded in GitHub itself which could leak a GitHub authentication token with access to all of an account's repositories.
Ammar Askar discovered the bug and discusses it on their blog: by manipulating the sandboxed VS Code into treating input from an embedded web view as user keystrokes, it is possible to make it install a VS Code extension, which is then used to exfiltrate the GitHub authentication tokens of the user running the embedded VS Code instance.
TP-Link Takeover via Unregistered Domain
Julian B demonstrates capturing traffic from TP-Link routers and access points thanks to an unregistered domain name in the firmware.
After finding an archive of the firmware releases for every TP-Link product, Julian simplified the list to the latest versions, and ran a custom scraper tool to extract domain names referenced in the firmware and search for matching domain names.
After registering an available domain, Julian began receiving requests from TP-Link devices checking in to a server which had lapsed, likely years ago. Fortunately, Julian reported the issue to TP-Link and was able to transfer the domain.
It’s unclear what a malicious registrant could have done with the check-ins from the TP-Link devices, but lapsed domain names that deployed devices still contact can lead to all sorts of issues in the wrong situations.
A Pile of OpenSSL Vulns
The OpenSSL library has a new collection of vulnerabilities which range from low-severity flaws in message verification in functions which aren’t used in any of the OpenSSL implemented protocols to a high-severity use-after-free bug in PKCS7 handling which could be used to run arbitrary code.
Use-after-free bugs occur when a chunk of memory is dynamically allocated and then freed, returning it to the allocator, but a later piece of code still uses a stale pointer to that memory. In the meantime the memory may have been handed out to another object or otherwise restructured, so the stale access reads or corrupts whatever now lives there. In the case of OpenSSL, the memory associated with a PKCS7 structure (the cryptographic message syntax, also used to bundle certificates) or an S/MIME message (usually used in secure email) can be manipulated into being used after it has been freed.
The advisory warns that applications processing PKCS7 or S/MIME are affected; fortunately most uses of OpenSSL are unlikely to be directly impacted (neither of those functions are common in web servers or similar), but as always, update as soon as possible!
NightmareEclipse is Back
The researcher previously identified as NightmareEclipse, known for releasing advanced Windows vulnerabilities with working proof of concept code, has returned as MSNightmare releasing several new exploits after previously being removed from GitHub. Despite a strongly worded (and poorly received) public statement by Microsoft threatening criminal investigations, the researcher returns with the RoguePlanet vulnerability.
RoguePlanet exploits race conditions in Windows Defender under Windows 10 and Windows 11 to gain a system-level shell, a fairly common trend in the vulnerabilities found by this researcher.
Additionally, another BitLocker bypass has been released, called GreatXML, which unlocks BitLocker protected drives if a Windows Defender offline scan has ever been run.
Of course, these releases coincide with Patch Tuesday, so they’re unlikely to be addressed before the July patch day.
It appears Microsoft has backed down from their initial press release which appeared to claim that vulnerability research and development outside of the guidelines Microsoft decided would be treated as criminal behavior; this was not well received by much of the security industry. At the start of the modern security industry in the late 1990s, public release of vulnerabilities was common. Companies had no way to reach a security contact to get it fixed, simply did not care to fix it, or were actively hostile to researchers. Through years and decades of community programs, it is now normal to reach out to a company with security flaws and have an expectation they will be fixed, and often rewarded either monetarily through structured bounty programs like HackerOne or through public credit to the researchers who found the flaws (nobody wants to be paid in exposure, but security is now an industry, and having a well-known name and track record can be valuable.)
Unfortunately, recently, it seems Microsoft may have forgotten that while disclosure to the vendor has become the norm, it is simply a social contract. Having already publicly alienated one skilled researcher (NightmareEclipse), the company seems to be doing the best it can to alienate others by burning community good will. Expect more publicly released vulnerabilities in its wake.
Linux Arm Fixes
Phoronix reports that the Linux kernel has patched a critical-severity flaw on Arm CPUs in the memory allocation logic. The list of processors affected continues to grow, including some NVIDIA embedded platforms.
The flaw concerns ordering requirements around updates to the TLB, or “Translation Lookaside Buffer”, a critical part of the virtual memory and memory protection system. The TLB caches recently resolved virtual-to-physical address translations, so a stale or inconsistent entry can let code access physical memory through a mapping that should no longer exist, with results close to those of the recent Linux page cache vulnerabilities that allowed binaries to be replaced in RAM.
The bug was found thanks to advisories from Arm themselves clarifying that additional protections were needed around modifications to the TLB cache on these chips. The real-world impact remains to be seen, but now that the bug and patches are public, I’d expect proof of concept code to follow soon after. It’s also safe to assume that this flaw affects other operating systems on Arm platforms, as well, but there is no public information yet.
FreeBSD Gets a Page-Cache Bug
FreeBSD racks up another kernel bug this week, the amusingly named Bumsrakete (“Bum Rocket” or “Bang Rocket”), complete with a well-crafted troll of an announcement, right down to the use of Comic Sans for the announcement site.
Beneath the crap-posting exterior lies a legitimate CVE (CVE-2026-45257) through which any local user on a kernel built with PMAP_HAS_DMAP (the standard configuration) can overwrite the disk page cache in memory. This is the FreeBSD flavor of the Linux kernel cache flaws used by CopyFail, DirtyPipe, and friends, and it even involves kernel decryption primitives in much the same way as the original CopyFail technique.
It’s not surprising that following the multiple disk cache corruption bugs in Linux disclosed this spring, other operating systems with similar functionality are being examined and new flaws showing up.
NPM to Block Auto Install Scripts
NPM is introducing major changes in NPM 12 to attempt to stem the flood of supply-chain vulnerabilities by removing the automatic execution of commands from the install phase of packages and disabling the use of remote URLs as dependencies.
Most of the NPM-based worms infecting packages at record rates use the install script process, hooking the preinstall, install, or postinstall lifecycle scripts to run commands automatically as soon as a package is pulled in as a dependency. Since the install script runs as the user (or build service) installing the dependencies, it has direct access to any credentials or files that user or service has. Under the new model an infected package could still perform malicious actions once its code runs inside a compiled application or site, but a major mechanism for the automatic spreading of malicious packages will be closed off.
It’s good to see progress made towards addressing the underlying weaknesses in the package ecosystem which aid in spreading malicious packages.
Libinput Security Fix
The libinput library sees a pair of security fixes this week, centered around the handling of device names for uinput and uhid devices. Maliciously named devices could execute commands as root.
To be able to exploit this, a user needs to already be on the system and have the ability to create new uinput devices. This is normally restricted to root, however if steam-devices, antimicrox, or kdeconnectd packages are installed, the permissions to create a device are modified and any user logged into the system can create a uinput device.
Go forth, and update!
Mini Shai-Hulud Hides in Censorship
The Shai-Hulud, Mini Shai-Hulud, and Miasma worms have been prolifically infecting packages on NPM and PyPI as well as VS Code extensions and GitHub Actions. Using a combination of captured worm code and publicly released versions of the worms, researchers have been reverse engineering the behavior of the worms from the decrypted payloads.
Amusingly, they have discovered that the Mini Shai-Hulud worm attempts to hide from automatic analysis and detection via AI prompt injection. The payload file executed during an NPM package install contains a block of comment text referencing biological and nuclear weapons, topics many AI models refuse to engage with.
Interpreting the comment as a banned request, the AI models may immediately stop processing the rest of the file, either blocking further analysis by researchers or disabling AI-based malware detection tools scanning for malicious payloads.
Another Record Patch Tuesday
For the second time this year, Microsoft has a record-breaking number of fixes in Patch Tuesday, with more than 200 security fixes, including fixes for two vulnerabilities released by NightmareEclipse in recent weeks; none of the fixes, however, specifically reference the conflict between Microsoft and the researcher.
Outside of the Patch Tuesday fixes, Microsoft also fixed 360 browser vulnerabilities.
With the increasing automatic bug finding via AI tools, this may become the new normal for Patch Tuesday fix counts.
Python Linter Blocks Shai-Hulud
Sometimes pedantry pays off. StepSecurity brings the tale of a supply chain infection of the popular Pythagora-io GPT Pilot package, an AI coding assistant tool. After one of the developers was infected by the Miasma supply chain worm, the worm performed its usual trick of attempting to re-version and push compromised versions of every package it could reach.
This time, the commits containing the trojaned code were rejected by the Python linter, Ruff, for not matching the style guidelines of the project. Linters analyze code for style, comments, and syntax (think of the pretty printing in a code editor that highlights incorrect tabs and spaces or deprecated functions).
The developer will still need to clean up their system and make sure to revoke all tokens the worm has access to, but the project itself was spared infection by a humble syntax styler.
Deep Dive into Miasma
Finally, we have a dive into the Miasma worm thanks to SafeDep.
The payload source for Miasma has been open sourced, apparently by some of the developers of the malware. Previously the payload was heavily encrypted, however progress was made in decoding it during the initial wave of attacks. By open sourcing the worm, the developers likely hope to muddy the waters by creating copy-cat worms using modified techniques and signatures.
SafeDep takes a deep look into the capabilities of the payload, noting several unusual abilities including disabling GitHub environment protections, a full list of the credential harvesting capabilities, and more. Be sure to check out the full write up for an extremely detailed breakdown of each major component of the worm and the actions it takes, if that sort of thing is interesting to you!
Statistics
- 1 Post
- 2 Interactions
Fediverse
CVE-2009-0014 was low severity, according to the GitHub Advisory Database.
"Folder Manager in Apple Mac OS X 10.5.6 uses insecure default permissions when recreating a Downloads folder after it has been deleted, which allows local users to bypass intended access restrictions and read the Downloads folder."
<https://github.com/advisories/GHSA-pv9g-rrhq-mpqc>
If I recall correctly: the bug was not limited to recreated folders – all users of Mac OS X Server could read each other's downloads folders.
#retro #retroapple #Apple #macosX #macOS #security #vulnerability
Overview
- WBW Plugins
- Product Filter by WBW
- woo-product-filter
Statistics
- 1 Post
Fediverse
🛑 CRITICAL: CVE-2026-39494 in WBW Plugins Product Filter (<=3.1.2) enables Blind SQL Injection — high risk to data & availability. No patch yet; monitor vendor advisories. https://radar.offseq.com/threat/cve-2026-39494-cwe-89-improper-neutralization-of-s-f3bdb0f7 #OffSeq #infosec #Vuln #SQLInjection
Overview
- checkpoint
- Identity Agent
Statistics
- 1 Post
Fediverse
CVE-2026-10847 - Privilege Escalation in Check Point Identity Agent. Local authenticated user can execute code with SYSTEM privileges. CVSS 7.8. No patch available. Restrict access immediately. #CVE #CheckPoint #infosec