☕ Good Morning Security Gang,
Today’s episode reinforced a trend we’ve been discussing for months:
Attackers are industrializing the gap between disclosure, patching, and remediation faster than defenders can close it.
Today’s show featured four major stories demanding immediate attention before lunch. ShinyHunters is actively exploiting Oracle PeopleSoft environments through a sophisticated zero-day chain affecting more than 100 organizations. The researcher known as Nightmare Eclipse has released yet another Windows privilege escalation zero-day called Rogue Planet that works on fully patched Windows systems. CISA expanded its Known Exploited Vulnerabilities catalog with active Cisco, Chrome, and Arista vulnerabilities, while attackers continue exploiting vulnerable Langflow AI deployments exposed to the internet.
Layered on top of those developments were emerging threats targeting AI platforms, critical infrastructure systems, developer ecosystems, and remote hiring processes. If yesterday’s theme was concentration of risk, today’s theme is operational tempo. Attackers are moving faster, exploiting faster, and scaling their operations faster than many organizations are prepared to respond.
Double espresso in hand. Coffee cup cheers, gang. Let’s get into it.
🧭 Executive Summary
Today’s threat landscape revealed a cybersecurity ecosystem under sustained pressure from both criminal and nation-state actors.
ShinyHunters continues expanding its campaign against Oracle PeopleSoft environments using chained zero-days and legitimate administration tools. Meanwhile, Microsoft’s ongoing public dispute with security researcher Nightmare Eclipse has produced yet another publicly released Windows zero-day with no available patch. Organizations are also facing active exploitation of AI development platforms, growing reconnaissance activity from Chinese botnets, and an increasing number of situations where vendors are telling customers that no patch is currently available.
The challenge facing security teams is no longer simply identifying vulnerabilities. It is managing an environment where attackers are often weaponizing flaws before defenders have practical remediation options.
📰 Top Stories & Deep Dive Analysis
🏛️ ShinyHunters Launches Large-Scale PeopleSoft Data Theft Campaign
The biggest story of the day involves the ShinyHunters extortion group actively targeting Oracle PeopleSoft environments through a sophisticated chain of old and new vulnerabilities. Researchers report attacks affecting more than 300 PeopleSoft instances across over 100 organizations globally.
PeopleSoft remains one of the most widely deployed enterprise resource planning platforms in the world, supporting human resources, payroll, finance, procurement, and student administration systems. In many organizations, PeopleSoft contains some of the most sensitive data available, including employee records, payroll information, tax data, and financial operations.
Researchers discovered evidence suggesting attackers are leveraging multiple vulnerabilities combined with exposed administrative credentials and configuration weaknesses rather than relying on a single flaw. Evidence recovered from exposed attacker infrastructure revealed MeshCentral remote management tools, credential spraying scripts, and automated shell scripts targeting common administrative accounts such as PSOFT, Oracle, and Linux administration accounts.
Several educational institutions appear to be among the victims, with Nottingham University publicly acknowledging an incident after its data appeared on ShinyHunters’ leak site.
The broader concern here is persistence. These attackers are not simply stealing data and leaving. They are establishing remote access, maintaining footholds, and creating long-term operational access into business-critical ERP environments.
Organizations should immediately review published indicators of compromise, audit administrative accounts, search for unauthorized MeshCentral installations, and remove unnecessary internet exposure from PeopleSoft environments.
🚨 Rogue Planet Gives Attackers SYSTEM Access on Fully Patched Windows Machines
Security researcher Nightmare Eclipse released a new proof-of-concept exploit known as Rogue Planet that enables local privilege escalation to SYSTEM privileges on fully patched Windows 10 and Windows 11 systems.
The vulnerability exploits a race condition involving Microsoft Defender and remains effective even after organizations deployed Microsoft’s June 2026 Patch Tuesday updates. Multiple independent researchers have reportedly validated successful exploitation.
What makes this disclosure particularly significant is the context surrounding it. Rogue Planet follows a series of highly publicized disclosures from Nightmare Eclipse, including Green Plasma, Yellow Key, Red Sun, Blue Hammer, and Undefend. Several of those vulnerabilities were later observed in active exploitation campaigns.
At the center of the controversy is an increasingly public disagreement between Microsoft and the researcher regarding vulnerability disclosure processes. Microsoft previously suspended the researcher’s GitHub account, only to see the exploit quickly reappear elsewhere.
For defenders, the practical challenge remains straightforward. There is currently no patch available.
Organizations should assume any successful local code execution could potentially become full SYSTEM-level compromise and adjust endpoint detection and response monitoring accordingly.
📋 CISA Adds Cisco, Chrome, and Arista Vulnerabilities to KEV Catalog
CISA added three actively exploited vulnerabilities to the Known Exploited Vulnerabilities catalog, highlighting continued attacker focus on browsers and network infrastructure.
The first vulnerability affects Cisco Catalyst SD-WAN Manager and allows authenticated attackers to execute arbitrary commands as root through crafted file uploads. The second is Chrome’s recently disclosed V8 out-of-bounds memory vulnerability, which allows arbitrary code execution through malicious web content.
The third vulnerability may be the most operationally challenging. Affecting Arista EOS deployments configured as tunnel endpoints, the flaw allows unexpected tunneled traffic to bypass intended protocol validation controls. Arista’s mitigation guidance relies entirely on access control lists because no patch is currently planned.
This story reinforces an uncomfortable trend emerging throughout 2026. Increasingly, organizations are being told to rely on mitigations because patches either do not exist or may never arrive.
Security leaders should ensure KEV remediation timelines receive executive-level visibility because attackers continue prioritizing vulnerabilities after they are added to the catalog.
🤖 Attackers Actively Exploiting Langflow AI Platform
Langflow, the popular open-source platform used to build AI agents and Retrieval Augmented Generation workflows, is now under active attack. Researchers observed exploitation of CVE-2026-5027, a path traversal vulnerability allowing arbitrary file writes to vulnerable servers.
The vulnerability stems from improper filename sanitization within Langflow’s file upload functionality. Combined with the platform’s default unauthenticated auto-login behavior, attackers can obtain valid session tokens and begin exploitation without authentication.
Security researchers identified approximately 7,000 internet-accessible Langflow instances during the past year, creating a substantial attack surface for adversaries.
The risk extends beyond simple file manipulation. Langflow deployments frequently contain:
AI model credentials
API tokens
Cloud service access
Development secrets
Workflow data
Proprietary business logic
As organizations rush to deploy AI tooling, many continue doing so outside traditional security governance processes. That creates exactly the type of environment attackers prefer.
Organizations should upgrade immediately, disable auto-login, implement authentication controls, and determine whether development teams are running unauthorized AI infrastructure.
⚡ Need to Know
🔄 ServiceNow Revises Its Earlier Security Incident Narrative
ServiceNow updated its position regarding recently disclosed customer data access concerns. The company now attributes observed activity to security researchers participating in bug bounty activities rather than malicious attackers, though questions remain regarding disclosure timelines and communication practices. Organizations should still review logs and understand their exposure.
🏭 Critical Data Center Infrastructure Vulnerabilities Disclosed
Researchers identified critical vulnerabilities affecting Vertiv UPS network management cards and Trane HVAC management systems commonly deployed in data centers. The vulnerabilities include authentication bypass and remote code execution capabilities. Organizations should remember that operational technology and facilities systems remain part of the cyber attack surface.
🇨🇳 Chinese JDY Botnet Doubles in Size
A China-linked botnet known as JDY has expanded from roughly 650 compromised devices to more than 1,500. The botnet targets Ubiquiti, Hikvision, DrayTek, Linksys, and other internet-connected infrastructure, rapidly scanning newly disclosed vulnerabilities and feeding reconnaissance information to threat actors including groups linked to Chinese intelligence operations.
📦 npm Tightens Supply Chain Security
Upcoming npm version 12 will disable automatic execution of install scripts and restrict remote dependency resolution by default. These changes would have significantly reduced the effectiveness of recent Shai-Hulud supply chain campaigns. Organizations should begin testing compatibility now.
🤖 Anthropic’s Claude Faces Another Jailbreak
Researchers successfully bypassed safety controls in Anthropic’s Claude Fable 5 model using multi-agent decomposition techniques, Unicode manipulation, and narrative framing approaches. The attack exposed significant portions of the model’s system instructions and generated exploit-related content.
🍬 Australian Sugar Producer Hit by Cyberattack
Mackay Sugar, Australia’s second-largest sugar producer, suffered a cyber incident that disrupted harvesting operations and impacted production facilities. While ransomware has not been confirmed, the event demonstrates the immediate operational consequences cyber incidents can have within industrial environments.
🇰🇵 North Korea Responsible for Nearly Half of Technology Intrusions
CrowdStrike’s latest threat report attributes 47% of state-sponsored hands-on-keyboard intrusions against the technology sector to North Korean operators. Many campaigns involve fake remote workers using deepfakes, stolen identities, and forged documentation to secure employment while collecting data and generating revenue for the regime.
🎯 Key Takeaway
Today’s episode highlighted a reality that many security teams are already experiencing.
The traditional sequence of disclosure, patch development, testing, deployment, and remediation is increasingly being compressed or bypassed entirely. Attackers are exploiting vulnerabilities before patches exist, targeting platforms where mitigations are the only available option, and scaling operations through automation and supply chain compromise.
Defenders are increasingly operating on attacker timelines rather than vendor timelines.
🧠 James Azar’s CISOs Take
What stood out to me today is how often we heard the phrase “no patch available.” Whether it was Rogue Planet, the Arista EOS issue, or the broader challenges around AI infrastructure, organizations are increasingly being asked to rely on monitoring, segmentation, hardening, and compensating controls rather than traditional patching. That’s a significant shift in defensive strategy. For years we’ve taught security teams that patching is the answer. Increasingly, patching isn’t immediately available, forcing organizations to mature operational security disciplines that many have historically neglected.
The second takeaway is the growing industrialization of cyber operations. ShinyHunters isn’t manually targeting organizations one at a time. Chinese reconnaissance infrastructure isn’t casually scanning the internet. North Korean operators aren’t running isolated campaigns. These are highly organized, repeatable, scalable operations designed to identify opportunities and exploit them at speed. Defenders must begin thinking at the same scale because the attackers already are.
🛠️ Action Items
Review PeopleSoft environments for published indicators of compromise
Audit administrative credentials and remove unnecessary PeopleSoft internet exposure
Increase monitoring for SYSTEM-level process creation on Windows endpoints
Patch Chrome immediately and review Cisco SD-WAN exposure
Apply Arista mitigation guidance where applicable
Upgrade Langflow deployments and disable auto-login functionality
Review ServiceNow advisory information and instance logs
Patch Vertiv and Trane management infrastructure
Inventory internet-facing IoT and edge devices
Prepare development teams for upcoming npm security changes
Review hiring controls for remote technical positions and contractor onboarding
🔥 Stay Cyber Safe.
