☕ Good Morning Security Gang,
Today’s episode exposed a harsh reality many security teams are struggling to accept:
Attackers are no longer exploiting vulnerabilities one at a time; they’re exploiting delays in disclosure, gaps in detection, and the operational complexity that slows defenders down.
Today’s show featured two critical enterprise vulnerabilities with CVSS scores of 9.8 affecting platforms organizations rely on every day. Oracle’s PeopleSoft environments continue to be actively targeted by ShinyHunters, while Splunk Enterprise faces a pre-authentication remote code execution vulnerability that strikes at the heart of security operations infrastructure.
At the same time, Iranian hacktivists claimed responsibility for breaching a major California water utility, more than 400 Arch Linux packages were discovered distributing malware to developer environments, and a Chinese APT quietly maintained access to an air-gapped network for a decade.
If there was a single lesson from today’s show, it’s this: access remains the most valuable asset in cybersecurity. The question isn’t whether attackers can get in, it’s how quickly organizations can detect them before that access turns into impact.
Double espresso in hand. Coffee cup cheers, gang. Let’s get into it.
🧭 Executive Summary
Today’s threat landscape highlights three critical trends shaping cybersecurity in 2026.
First, enterprise software vendors continue struggling with timely vulnerability disclosure. Oracle’s PeopleSoft customers were exposed for two weeks before receiving official guidance, while Splunk customers are rushing to patch a vulnerability affecting the very platform used to monitor threats.
Second, attackers increasingly target identity and authentication systems because controlling access provides far more value than compromising individual endpoints.
Finally, supply chain attacks continue moving deeper into developer ecosystems, while geopolitical tensions increasingly influence cyber operations against critical infrastructure.
The result is a threat environment where defenders must assume attackers are already exploiting newly disclosed vulnerabilities long before patches become widely deployed.
📰 Top Stories & Deep Dive Analysis
🏛️ ShinyHunters Exploits PeopleSoft Zero-Day Across More Than 100 Organizations
Oracle released an emergency out-of-band patch for CVE-2026-44712, a critical 9.8-rated remote code execution vulnerability affecting PeopleSoft Update Environment Management Hub. The flaw allows unauthenticated attackers to execute code over HTTP without credentials or user interaction.
The concern is not simply the vulnerability itself; it’s the timeline.
Threat intelligence researchers confirmed active exploitation began on May 27, yet Oracle’s advisory did not arrive until June 10, providing attackers with a fourteen-day head start. During that period, ShinyHunters reportedly compromised more than 300 PeopleSoft instances spanning over 100 organizations.
Nearly seventy percent of confirmed victims are higher education institutions. The University of Nottingham publicly acknowledged a breach after student and alumni records appeared on ShinyHunters’ leak site.
PeopleSoft environments frequently contain payroll information, financial aid records, employee data, student records, and other highly sensitive information. Researchers also identified evidence of outbound SMB traffic from compromised servers, suggesting attackers may be capturing NetNTLM hashes for credential relay attacks and lateral movement.
This incident reinforces a difficult truth for organizations operating large ERP platforms: vendor disclosure timelines rarely align with attacker timelines.
Organizations should assume compromise if their PeopleSoft instances were exposed between May 27 and June 10 and immediately begin incident response activities.
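The outbound SMB behaviour described above is something a hunt team can check for directly in flow or firewall logs. The script below is an added example, not code from the show or from Oracle: it flags TCP/445 and TCP/139 connections from PeopleSoft servers to non-internal destinations and marks whether each one falls inside the May 27 to June 10 exposure window. The host addresses, internal ranges and flow records are all constructed for the example.

```python
"""Hunt for outbound SMB from PeopleSoft servers (added example, constructed data)."""
import ipaddress
from datetime import datetime

# Constructed inventory: replace with the real PeopleSoft server addresses and
# the address ranges that count as "inside" for your environment.
PEOPLESOFT_HOSTS = {"10.20.5.11", "10.20.5.12"}
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
SMB_PORTS = {445, 139}
# Exposure window taken from the timeline above: first confirmed exploitation
# on May 27, vendor advisory on June 10 (end of day, inclusive).
WINDOW_START = datetime(2026, 5, 27)
WINDOW_END = datetime(2026, 6, 10, 23, 59, 59)

# Constructed flow records: timestamp src dst proto dport bytes
SAMPLE_FLOWS = """\
2026-05-26T08:12:01 10.20.5.11 10.20.9.40 tcp 1433 4100
2026-05-29T02:44:10 10.20.5.11 203.0.113.77 tcp 445 912
2026-06-02T13:05:33 10.20.5.12 10.20.8.3 tcp 445 3300
2026-06-03T22:17:59 10.20.5.12 198.51.100.9 tcp 139 640
2026-06-12T09:30:00 10.20.5.11 203.0.113.77 tcp 445 700
2026-06-01T11:00:00 10.20.7.50 203.0.113.77 tcp 445 700
"""


def is_internal(addr):
    """True when addr sits in one of the configured internal ranges."""
    return any(ipaddress.ip_address(addr) in net for net in INTERNAL_NETS)


def find_outbound_smb(log_text, hosts=PEOPLESOFT_HOSTS):
    """Return one finding per SMB flow from a PeopleSoft host to an external address.

    SMB from an application server to an internal file server may be legitimate;
    SMB to an address outside the estate is the pattern worth investigating, as it
    is consistent with coercing the server into authenticating to an attacker host.
    """
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, proto, dport, _nbytes = line.split()
        if src not in hosts or proto != "tcp" or int(dport) not in SMB_PORTS:
            continue
        if is_internal(dst):
            continue
        when = datetime.fromisoformat(ts)
        findings.append({"time": ts, "src": src, "dst": dst, "port": int(dport),
                         "in_window": WINDOW_START <= when <= WINDOW_END})
    return findings
```

Findings outside the window are still reported, since the advisory date is when the vendor responded, not when attackers stopped.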
🚨 Splunk Enterprise Faces Critical Pre-Authentication Remote Code Execution
Splunk disclosed CVE-2026-44787, a critical vulnerability with a CVSS score of 9.8 that allows unauthenticated remote code execution through exposed backup and recovery endpoints.
Researchers demonstrated that attackers can abuse PostgreSQL sidecar services to perform arbitrary file operations and overwrite Python scripts executed by Splunk itself, transforming a file write capability into full server compromise.
Affected versions include Splunk Enterprise 10.0.0 through 10.0.6 and 10.2.0 through 10.2.3.
The irony is difficult to ignore.
Splunk serves as the security monitoring platform for countless organizations. A successful compromise could allow attackers to disable logging, tamper with detections, erase evidence, or use the platform as a pivot point into additional environments.
Organizations running AWS-hosted Splunk Enterprise deployments face elevated risk because the PostgreSQL sidecar service is enabled by default.
This vulnerability highlights an ongoing challenge across cybersecurity: the tools organizations rely on for defense increasingly represent high-value targets themselves.
Immediate patching should be considered mandatory.
💧 Iran-Linked Handala Claims Breach of California Water Utility
The Iran-linked hacktivist group Handala claimed responsibility for breaching California Water Service, one of the largest investor-owned water utilities in the United States, serving approximately two million customers.
The group published approximately five gigabytes of allegedly stolen data and framed the attack as retaliation for recent geopolitical developments involving Iran and the United States.
Analysis of the leaked material suggests attackers accessed customer billing databases and internal RTK base systems used for centimeter-level GPS positioning by field crews.
The leaked data reportedly includes customer names, addresses, account numbers, payment histories, administrative credentials, and GPS correction infrastructure information.
Importantly, researchers found no evidence that operational technology or industrial control systems were compromised.
Handala claims it could have disrupted water services but intentionally chose not to. While there is currently no evidence supporting those claims, the incident demonstrates how critical infrastructure operators continue facing elevated risk from ideologically motivated threat actors.
The greater concern may not be service disruption but rather the exposure of operational information that could facilitate future targeting efforts.
🐧 More Than 400 Arch Linux Packages Distribute Malware
Researchers discovered that more than 400 packages in the Arch User Repository were compromised to distribute Linux rootkits and credential-stealing malware.
The Arch User Repository remains one of the most popular community-driven package ecosystems for developers, researchers, and security practitioners.
The malware includes rootkits designed for persistence and infostealers targeting:
Cloud credentials
Session tokens
Source code repositories
CI/CD environments
Developer authentication secrets
Developer workstations have become increasingly attractive targets because they provide access to production environments, cloud infrastructure, and software supply chains.
Compromising a developer endpoint often delivers significantly more value than compromising a traditional user workstation.
Organizations should treat any credentials recently used on affected Arch Linux systems as compromised and immediately rotate associated secrets.
⚡ Need to Know
🇨🇳 Velvet Ant Maintained Access to Air-Gapped Networks for Ten Years
Researchers disclosed that Chinese threat actor Velvet Ant maintained access to an organization’s authentication infrastructure for more than a decade, providing visibility into administrative activity across isolated environments. The case demonstrates that air gaps alone do not provide meaningful security without monitoring and authentication integrity controls.
🎣 FBI Dismantles Massive AI-Powered Phishing Platform
The FBI, working alongside Google and Black Lotus Labs, disrupted “LabHost,” a phishing-as-a-service operation responsible for more than one million malicious URLs and thousands of credential theft sites. The platform leveraged AI to accelerate phishing infrastructure deployment at scale.
💉 Novo Nordisk Discloses Clinical Trial Data Breach
Pharmaceutical giant Novo Nordisk confirmed attackers accessed systems containing pseudonymized patient data related to clinical trials. Exposed information includes patient identifiers, participation details, biomarkers, and lifestyle information. Core business operations remain unaffected.
🇰🇷 South Korea Issues Record Privacy Fine
South Korea’s privacy regulator imposed a record $409 million fine against e-commerce platform Coupang after a former employee allegedly stole authentication signing keys, exposing the personal information of more than 33 million individuals.
📝 Maine Breach Reporting Portal Abused
Maine’s public breach notification database was temporarily taken offline after unknown actors submitted fabricated breach reports falsely attributing incidents to major platforms. The incident raises concerns regarding the integrity of public breach reporting systems.
🤖 U.S. Restricts Access to Advanced AI Models
The U.S. government directed Anthropic to suspend access to its advanced Fable 5 and Mythos 5 models for certain foreign nationals due to national security and jailbreak concerns. The move reflects a broader trend toward treating frontier AI models as controlled technologies.
⚽ FBI Warns of World Cup Ticket Scams
With the FIFA World Cup underway, the FBI warned of increased activity involving fake ticket websites, fraudulent domains, and employment scams targeting fans and job seekers. Officials recommend purchasing tickets exclusively through FIFA’s official application.
🎯 Key Takeaway
Today’s episode wasn’t fundamentally about vulnerabilities.
It was about access.
Who has access.
Who shouldn’t.
How long attackers maintain that access.
And how quickly defenders can identify the difference.
Whether it was ShinyHunters exploiting PeopleSoft, Velvet Ant compromising authentication infrastructure, or Handala stealing utility credentials, the common thread remains unchanged.
Access without visibility becomes persistence.
Persistence without detection becomes impact.
🧠 James Azar’s CISO’s Take
What stood out to me today is how consistently attackers focused on identity, authentication, and administrative control. ShinyHunters captured credentials through outbound SMB traffic. Velvet Ant compromised authentication systems directly. Handala targeted administrative access to utility infrastructure. Even the Arch Linux compromise focused on stealing developer credentials and session tokens. The lesson is clear: attackers increasingly care less about individual endpoints and more about the systems controlling trust.
The second takeaway is that organizations can no longer afford to operate on vendor timelines. Oracle’s delayed disclosure gave attackers a two-week advantage. Splunk customers are now rushing to patch the very platforms responsible for monitoring threats. AI models are becoming matters of national security, and supply chain attacks continue targeting developer ecosystems. Security teams must prioritize proactive threat hunting, independent validation, and rapid response capabilities because waiting for official guidance is increasingly becoming a losing strategy.
🛠️ Action Items
Immediately patch Oracle PeopleSoft CVE-2026-44712
Hunt for indicators of compromise dating back to May 27
Review outbound SMB traffic from PeopleSoft environments
Upgrade Splunk Enterprise to supported fixed versions
Restrict network access to Splunk management interfaces
Rotate credentials associated with affected Arch Linux systems
Audit authentication infrastructure for unauthorized persistence
Validate phishing-resistant MFA deployment across critical systems
Review segmentation between IT and OT environments
Monitor World Cup-related phishing and fraud campaigns
Assess AI governance policies for emerging export control requirements
🔥 Stay Cyber Safe.