Cybersecurity Daily: News & Threats

ShinyHunters' Kodak Deadline, 24B Credential Dump & Vertex AI Patch

(00:00:00) ShinyHunters' Kodak Deadline, 24B Credential Dump & Vertex AI Patch (00:01:01) Kodak ShinyHunters June Deadline (00:01:58) 24 Billion Record Mega-Dump (00:02:44) ICAI Exam Portal Allegations (00:03:30) Key Watchpoints Going Forward Three high-stakes cybersecurity stories dominate today's briefing — and one of them is on a countdown clock. ShinyHunters has set a June 18 deadline for Kodak to make contact or face publication of 2.2 million customer records. Kodak has confirmed unauthorised access but characterises it as limited, while ShinyHunters has yet to release a proof sample. That ambiguity is deliberate. The group has followed through on publication threats before — most recently after 7-Eleven negotiations stalled — and with 64% of organisations now refusing ransom payment, Kodak's response will serve as a live benchmark for corporate extortion posture. Separately, researchers uncovered an exposed Elasticsearch cluster containing roughly 24 billion credentials aggregated from 36 sources. The alarming detail is composition: a substantial portion originates from fresh infostealer logs harvesting plaintext passwords and session tokens from active infections today — not just historical breach archives. The cluster has been taken offline, but the data's onward movement is likely already in progress. On the vulnerability side, Google patched a race-condition flaw in the Vertex AI SDK (version 1.148.0, released April 15) that allowed attackers to intercept ML models mid-upload via predictable staging bucket names. The exploit window was approximately 2.5 seconds — enough to swap in pickle- or joblib-serialised payloads and harvest cross-tenant OAuth tokens. This is the second predictable-bucket-name flaw patched in Vertex AI this year, suggesting a systemic design pattern rather than an isolated bug. Finally, unverified social media claims allege a threat actor obtained superadmin access to India's ICAI chartered accountancy exam portal hours before results were due. No technical evidence has been published. Track it — don't act on it yet. A YesWee production. This episode includes AI-generated content.

PeopleSoft CVE-2026-35273 Exploited, Healthcare Costs Hit $11M & Ransomware at 44%

(00:00:00) PeopleSoft CVE-2026-35273 Exploited, Healthcare Costs Hit $11M & Ransomware at 44% (00:00:57) University of Nottingham Breach Confirmed (00:01:53) Healthcare Breach Costs Hit Record (00:02:37) Ransomware Now 44% of All Breaches (00:03:05) North Korean Developer Supply Chain Campaign (00:03:36) Samsung Patch and CISA Restructure (00:04:15) What to Watch Next A CVSS 9.8 zero-day in Oracle PeopleSoft — CVE-2026-35273 — is being actively exploited with no permanent patch in sight, making it one of the most urgent enterprise vulnerabilities in circulation right now. The ShinyHunters threat group claims 300 compromised instances; independent verification puts confirmed victims above 100, with federal agencies already past their remediation deadline. Oracle's emergency mitigation guidance is all organizations have to work with for now. Among the confirmed victims, the University of Nottingham has disclosed a breach affecting 454,600 student records — personal data, academic records, billing, and financial aid. The university declined the ransom demand, triggering public disclosure. It's the right call structurally, even if costly: 80% of organizations that pay are attacked again within 12 months. The broader breach landscape is shifting. Ransomware now accounts for 44% of all data breaches, up from 32% the prior year. Double extortion is standard practice. Meanwhile, healthcare breach costs have reached a record $11.2 million per incident — 2.5 times the global average — driven by high-value medical records, HIPAA penalties, and legacy system exposure windows averaging 241 days. Elsewhere, a North Korean-linked supply chain campaign is targeting developers via fake LinkedIn recruiters and malicious npm packages with post-install backdoors. Samsung's June update patches 45 vulnerabilities across Galaxy devices. And CISA has appointed Scott Breor to lead its Infrastructure Security Division as the agency enters a workforce expansion phase. Key watchpoints: Oracle's patch timeline for CVE-2026-35273, and whether the ShinyHunters victim count climbs as forensic reviews complete. This episode includes AI-generated content.

4 Zero-Days Live: Chrome V8, RoguePlanet, UniFi Root Chain & Splunk RCE

(00:00:00) 4 Zero-Days Live: Chrome V8, RoguePlanet, UniFi Root Chain & Splunk RCE (00:00:48) Microsoft Defender RoguePlanet Zero-Day (00:01:34) UniFi OS Three-CVE Root Access Chain (00:02:17) Splunk Enterprise Unauthenticated Code Execution (00:02:43) Arch Linux AUR Supply Chain Compromise (00:03:15) Breach Costs and AI Attack Adoption (00:04:05) Closing Watchpoints Four critical zero-days are being exploited in the wild at the same time — and today's briefing breaks down every one of them. Chrome's CVE-2026-11645 lives in the V8 JavaScript engine and enables code execution in the browser process. Active exploitation is confirmed. Microsoft's Defender carries a privilege-escalation zero-day dubbed RoguePlanet, granting SYSTEM-level access on fully patched Windows machines — a sobering failure of the last defensive layer. Three chained vulnerabilities in UniFi OS (CVE-2026-34908, 34909, 34910) deliver unauthenticated root access across enterprise networking hardware, with confirmed malware deployments already in the wild. And Splunk Enterprise, the backbone of many security operations centres, has an unauthenticated remote code execution flaw — CVE-2026-20253 — turning threat-detection infrastructure into an attack surface. Elsewhere, over 400 packages in the Arch Linux AUR were hijacked to push infostealer malware and an eBPF rootkit into developer environments, extending a supply-chain attack trend that has doubled year-over-year. The economic picture sharpens the urgency. US data breach costs have hit an all-time high of $10.22 million on average — more than double the global figure. AI-generated phishing is now involved in 37% of breaches. Organisations using AI for detection close the gap in 51 days versus the global average of 241, a difference worth $1.9 million per incident. Patching is not optional today. Prioritise Chrome, Defender, UniFi, and Splunk — in any order, as fast as your change windows allow. This episode includes AI-generated content.

5 Zero-Days Live, Wormable RDP & AUR Supply-Chain Compromise

(00:00:00) 5 Zero-Days Live, Wormable RDP & AUR Supply-Chain Compromise (00:00:49) AI Features Introduce New Zero-Days (00:01:32) Patch Overload and Regression Risk (00:02:07) BitLocker Under Pressure (00:02:48) Atomic Arch AUR Supply-Chain Attack (00:03:38) Supply-Chain Trust as the Real Target Microsoft has shipped the largest Patch Tuesday in its history: roughly 200 security fixes in a single cycle, five of them already under active exploitation at the moment of disclosure. Today's episode breaks down what actually matters in this release and what enterprises need to act on first. The two critical vulnerabilities demanding immediate attention are CVE-2026-4341, a no-auth, no-interaction remote code execution flaw in the Common Log File System spreadable via malicious SMB shares, and CVE-2026-4245, a wormable unauthenticated RDP vulnerability capable of cross-domain propagation. Both are precisely the primitives ransomware operators weaponise at scale. Two of June's zero-days trace not to legacy code but to Microsoft Copilot and Recall — AI features that introduced new kernel interfaces shipped under competitive pressure and without full hardening cycles. This pattern signals an expanding attack surface with every AI feature release. The sheer volume of 200 fixes also creates regression risk. Documented side effects this cycle include Intel 12th and 13th-gen performance drops, EDR false positives, and BitLocker recovery loops on Surface devices. Separately, CVE-2026-4402 confirms a physical-access BitLocker key extraction via TPM, requiring TPM firmware updates and full drive re-encryption across fleets. Finally, a Sonatype-tracked supply-chain campaign dubbed Atomic Arch has compromised over 400 Arch Linux AUR packages by hijacking the legitimate orphaned-package adoption process, injecting malicious build scripts, and deploying an eBPF rootkit that evades standard process inspection tools. Targeted credentials include GitHub tokens, npm tokens, and Slack session data exfiltrated via Tor. A YesWee production. Built using AI technology. This episode includes AI-generated content.

Record 206-Patch Tuesday, The Gentlemen RaaS & OnyxC2 MaaS

(00:00:00) Record 206-Patch Tuesday, The Gentlemen RaaS & OnyxC2 MaaS (00:00:43) RaaS Structure and Capabilities (00:01:34) Microsoft 206-Patch Record Release (00:02:25) AI Exploit Scale and OnyxC2 Threat (00:03:27) BitLocker and AI Agent Risks (00:04:04) Watchpoints and Closing Microsoft has released a single-day record of 206 security patches, including 39 critical vulnerabilities across Windows Kernel, HTTP.sys, and the DHCP Client — three of which were publicly disclosed before fixes were available. For enterprise defenders, the DHCP flaw represents the most urgent lateral-movement risk, while three separate BitLocker bypass vulnerabilities round out a dense patching workload. Meanwhile, The Gentlemen, a new Russian-linked ransomware-as-a-service group, has confirmed 478 victims and is aggressively recruiting affiliates with a 90% profit-share — one of the highest splits in the RaaS market. The group traces back to a $48,000 payment dispute with the Qilin platform and deploys self-spreading malware targeting Windows, Linux, and ESXi environments. On the AI threat front, Anthropic research shows modern AI models can identify over 10,000 critical flaws per month, a structural shift in how fast vulnerabilities move from discovery to active exploitation. DeFi platforms lost $580 million in April alone, partly linked to AI-accelerated scanning. A new malware-as-a-service tool, OnyxC2, priced at €230 per month, targets over 210 applications including 2FA extensions and password managers — and is currently evading detection on major platforms. Researchers also demonstrated that the AI agent OpenClaw can be manipulated via prompt injection to leak AWS credentials, highlighting a growing class of risk in agentic AI deployments. This podcast was built using AI technology. A YesWee production. This episode includes AI-generated content.