# Today's Top Stories
June 13, 2026
1. BleepingComputer (general, Jun 11): Oracle mitigates PeopleSoft zero-day exploited in data theft attacks
Oracle's PeopleSoft Suite contains CVE-2026-35273, a critical unauthenticated remote code execution zero-day being actively exploited by ShinyHunters in ongoing data theft campaigns targeting hundreds of organizations, including universities. Oracle has released a mitigation but has not publicly confirmed the vulnerability's in-the-wild exploitation status, leaving defenders in an uncertain patch posture. Security practitioners should treat this as a critical priority given Google's confirmation of active exploitation and the scope of affected institutions.
2. The Hacker News (general, Jun 12): Over 400 Arch Linux AUR Packages Hijacked to Deploy Infostealer and eBPF Rootkit
Attackers compromised over 400 Arch User Repository (AUR) packages this week, rewriting build scripts to drop a Rust-based credential stealer targeting developer secrets such as API keys and access tokens. When executed with root privileges, the malware also loads an eBPF rootkit to evade detection. Any Arch Linux developer who built AUR packages this week should audit their systems immediately for compromise.
3. The Hacker News (general, Jun 12): China-Linked Hackers Backdoored Linux Login Software to Hide for Nearly a Decade
Sygnia researchers revealed that China-nexus threat group Velvet Ant spent nearly a decade hidden inside a targeted network by backdooring Linux PAM and OpenSSH authentication components — the very mechanisms used to control login access. This persistence technique survived standard incident response cleanup efforts, underscoring the danger of compromising authentication infrastructure rather than user-space applications. Security teams should audit PAM and SSH configurations for unauthorized modifications as part of threat hunting activities.
4. The Hacker News (general, Jun 12): Google Sues Chinese Smishing Network Accused of Using Gemini AI in Phishing
Google filed suit against a Chinese cybercrime network operating a phishing-as-a-service kit called 'Outsider,' which weaponized Google's own Gemini AI agent to automate the generation of fraudulent smishing sites targeting hundreds of thousands of Americans. The FBI simultaneously announced a takedown of the same network, which caused $1.9 billion in losses through package, toll, and parking violation lure campaigns. This marks a significant escalation in AI-assisted fraud infrastructure and the use of civil litigation as a cybercrime deterrent.
5. The Hacker News (general, Jun 12): Europol Disrupts AudiA6 Crypto Laundering Service Used by Ransomware Gangs
Europol disrupted AudiA6, a cryptocurrency laundering service used by ransomware gangs and cybercriminal networks to wash more than €336 million (~$389 million) in illicit proceeds since its inception. The takedown cuts off a key financial pipeline used by multiple ransomware affiliate groups to cash out, potentially disrupting ongoing ransomware operations that relied on the service.
6. BleepingComputer (general, Jun 12): CISA orders feds to patch actively exploited Ivanti flaw by Sunday
CISA issued Binding Operational Directive BOD 26-04, ordering federal agencies to patch an actively exploited Ivanti Sentry OS command injection vulnerability within three days of the directive — by Sunday. Exploitation attempts were already hitting honeypots within 24 hours of public disclosure, indicating rapid weaponization. The vulnerability allows unauthenticated root-level code execution, making it a critical remediation priority for all Ivanti Sentry deployments.
7. The Hacker News (general, Jun 12): INTERPOL Operation Takes Down Sniper Dz Phishing Platform, Arrests Administrator
INTERPOL's Operation Ramz, conducted between October 2025 and February 2026 across 13 MENA-region countries, dismantled the decade-long Sniper Dz phishing-as-a-service platform and resulted in 201 arrests, including platform administrator 'Guedz.' Group-IB attributed the operation's success to coordinated intelligence sharing, demonstrating that long-running PhaaS infrastructure can be taken down through sustained multinational effort.
8. BleepingComputer (general, Jun 12): Tchap data breach affects over 73,000 French govt employees
France's Tchap encrypted government messaging platform suffered a breach affecting over 73,000 public sector employees, exposing account data across the French civil service. The incident is particularly sensitive given Tchap's role as a secure communications tool for government staff, raising questions about whether message content or metadata beyond account credentials was accessed.
9. The Hacker News (general, Jun 11): The Gentlemen Ransomware Claims 478 Victims, Can Spread Like a Worm
The Gentlemen ransomware operation has claimed 478 victims and features self-spreading worm capabilities, having operated as an affiliate leveraging RaaS platforms including LockBit (Tenacious Mantis), Qilin (Pestilent Mantis), and Medusa (Venomous Mantis) before establishing its own double-extortion infrastructure. The worm propagation capability significantly increases the potential blast radius of infections compared to standard ransomware deployments.
10. SecurityWeek (general, Jun 11): ‘GreatXML’ Zero-Day Exploit Bypasses BitLocker
A proof-of-concept zero-day exploit dubbed 'GreatXML' bypasses Microsoft BitLocker by abusing Microsoft Defender's offline scan feature to spawn a SYSTEM-level shell when a target machine is rebooted into Recovery Mode. The technique requires physical or logical access to trigger a recovery reboot, but once triggered it fully circumvents BitLocker's disk encryption protections — a significant concern for endpoint security posture on Windows systems.