# Today's Top Stories
June 12, 2026
-
1. **ShinyHunters Exploits Oracle PeopleSoft Zero-Day (CVE-2026-35273) to Breach Universities** (The Hacker News, general, Jun 11)
ShinyHunters (tracked by Mandiant as UNC6240) exploited CVE-2026-35273, a critical unauthenticated RCE zero-day in Oracle PeopleSoft, between May 27 and June 9 — a full two weeks before Oracle published its advisory on June 10. Universities were the primary targets, with the University of Nottingham confirming a breach affecting over 450,000 student and alumni records. Security teams running PeopleSoft should apply Oracle's emergency patch immediately given active exploitation and the group's history of large-scale extortion campaigns.
-
2. **CISA tells govt agencies to patch critical exploited flaws in 3 days** (BleepingComputer, general, Jun 11)
CISA's new Binding Operational Directive 26-04 significantly tightens federal patching timelines, requiring Federal Civilian Executive Branch agencies to remediate the most critical exploited vulnerabilities within just 3 days — down from previous 14-day windows. The directive ties prioritization to the KEV catalog and gives agencies 180 days to update their vulnerability management policies. This sets a new benchmark that private-sector security programs will likely be pressured to emulate.
-
3. **Max severity Ivanti Sentry vulnerability now exploited in attacks** (BleepingComputer, general, Jun 11)
A max-severity vulnerability in Ivanti Sentry — the company's secure mobile gateway — was actively exploited in the wild within 24 hours of public disclosure, enabling remote unauthenticated code execution with root privileges. Ivanti also patched a second critical flaw in the same product. Organizations with internet-exposed Sentry appliances should treat this as an emergency patch given Ivanti's repeated history of rapid post-disclosure exploitation.
-
4. **Microsoft Patches Exploited Exchange Server Vulnerability** (SecurityWeek, general, Jun 11)
Microsoft patched CVE-2026-42897, a zero-day vulnerability in Exchange Server that had been under active attack since at least May 14 when Microsoft first warned customers. The June 2026 Patch Tuesday was reported as Microsoft's largest on record, with the company attributing increased vulnerability discovery volume in part to AI-assisted research. Exchange Server administrators should prioritize this patch given the server's role as a high-value target.
-
5. **Russian national charged in connection with Void Blizzard espionage campaign** (CyberScoop, general, Jun 11)
Denis Obrezko, 36, appeared in federal court in Boston after extradition from Thailand, where he was arrested in November 2025, charged with orchestrating cyberattacks attributed to the Kremlin-linked Void Blizzard espionage group that compromised at least 11 U.S. companies. This is a significant law enforcement action against a nation-state-affiliated threat actor, providing rare attribution and accountability in the Russian cyber-espionage space.
-
6. **GitHub to Disable npm Install Scripts by Default to Stop Supply Chain Attacks** (The Hacker News, general, Jun 11)
GitHub announced that npm v12 — expected next month — will disable install scripts by default, directly blocking a primary supply chain attack vector where malicious code executes via npm lifecycle hooks during `npm install`. This is a breaking change affecting many packages that rely on postinstall scripts, meaning developers will need to audit dependencies before upgrading. The move comes amid ongoing supply chain attacks including the brief GitHub leak of the Miasma credential-stealing framework source code.
-
7. **New GreatXML Exploit Bypasses Windows BitLocker via Recovery Partition XML Files** (The Hacker News, general, Jun 11)
Security researcher Chaotic Eclipse (aka Nightmare-Eclipse/MSNightmare) released GreatXML, a Windows BitLocker bypass that exploits malicious XML files in the recovery partition via Microsoft Defender's offline scan feature to spawn a SYSTEM shell during Recovery Mode reboot — reportedly discovered accidentally in 4 hours. This follows the researcher's separate release of RoguePlanet, a Windows Defender local privilege escalation exploit abusing a race condition, indicating an ongoing campaign of uncoordinated vulnerability disclosure against Microsoft products.
-
8. **ServiceNow Flaw Exploited to Gain Unauthorized Access to Customer Instances** (The Hacker News, general, Jun 10)
ServiceNow patched a vulnerability on June 5, 2026 that allowed unauthenticated users to gain deeper unauthorized access to hosted customer instances — a flaw the company reportedly had known about since April 7. Threat actors actively exploited the vulnerability against some customers before the patch was applied, making this a confirmed zero-day exploitation window of approximately two months. Organizations using ServiceNow should audit access logs from April 7 onward for signs of unauthorized activity.
-
9. **China-Linked JDY Botnet Expands to 1,500+ Devices for Cyber Reconnaissance** (The Hacker News, general, Jun 10)
Lumen researchers identified a resurgence of the JDY botnet, a China-nexus reconnaissance infrastructure now comprising over 1,500 compromised SOHO and IoT devices used to continuously scan, fingerprint, and map exposed internet services at scale. The botnet operates as a centrally controlled high-performance scanner, consistent with pre-intrusion targeting behavior seen in Chinese state-sponsored campaigns like Salt Typhoon. Network defenders should review firewall logs for JDY scanning signatures, particularly on edge devices.
-
10. **Coupang hit with record $409 million data breach fine in Korea** (BleepingComputer, general, Jun 11)
South Korea's Personal Information Protection Commission issued a record 624.6 billion won ($409 million) fine against e-commerce giant Coupang following a data breach affecting more than 37 million customers. This is the largest data protection fine ever issued in South Korea and signals aggressive regulatory enforcement in the Asia-Pacific region that parallels GDPR-scale accountability in Europe. Security and compliance teams at large consumer platforms should note the precedent for breach notification and data handling obligations.