sig9.ch

sig9 is an IT and cybersecurity consulting firm specialized in secure software engineering, penetration testing, code audits, blockchain systems, and the design of security-critical processes.

12/06/2026

Hacker Wars - June 12, 2026

Your daily dose of infosec chaos

---

Friday's serving up a buffet of breaches, zero-days, and creative new ways to abuse government infrastructure. From ShinyHunters going after university data to someone gaming Maine's breach portal with fake disclosures, it's been a busy 24 hours. Oh, and a Japanese energy company literally lost a hard drive with 10.9 million customer records. Physical security, folks. It still matters.

---

ShinyHunters Exploits Oracle PeopleSoft Zero-Day to Breach Universities

The ShinyHunters extortion gang has been exploiting an unpatched Oracle PeopleSoft flaw (CVE-2026-35273) to break into enterprise systems and steal data, with universities bearing the brunt of the campaign. Google's Mandiant tracked the activity to a group they call UNC6240, dating attacks back several months. Oracle has quietly mitigated the issue but hasn't publicly confirmed in-the-wild exploitation.

**What to do:** If you run PeopleSoft, check Oracle's advisory immediately and apply mitigations. Monitor for unusual data exfiltration patterns and review access logs going back to early 2026.

---

Over 73,000 French Govt Employees Affected in Tchap Messenger Breach

The French government confirmed that its Tchap encrypted messaging platform was breached, exposing accounts of over 73,000 public sector employees. Tchap was designed as a secure alternative to consumer messaging apps for government communications, which makes this breach particularly ironic. The full scope of what was accessed is still being assessed.

**What to do:** If your organization uses custom or government-grade messaging platforms, audit their security posture and ensure end-to-end encryption is actually end-to-end. Assume metadata is always at risk.

---

Maine Breach Portal Abused to Publish Fake Data Breach Disclosures

In a creative twist on the misinformation playbook, someone submitted fraudulent data breach notifications to Maine's official breach disclosure portal. The fake entries were published before verification, forcing multiple companies to publicly deny breaches they never suffered. It's a new vector: weaponizing legitimate disclosure infrastructure to cause reputational damage.

**What to do:** Monitor breach disclosure portals relevant to your industry for unauthorized mentions of your organization. Have a communications plan ready for breach denial scenarios, even fake ones.

---

Europol Disrupts AudiA6 Crypto Laundering Service Used by Ransomware Gangs

Europol announced the takedown of AudiA6, a cryptocurrency laundering service that served as a key financial pipeline for ransomware groups and cybercriminal networks. The service allegedly helped wash hundreds of millions in illicit profits. This is another hit to the cybercrime-as-a-service ecosystem, though we all know another mixer will pop up by lunchtime.

**What to do:** If you're tracking threat actor infrastructure, update your IOCs. Organizations paying ransoms should note that crypto tracing capabilities are improving, which is yet another reason not to pay.

---

Japanese Energy Firm Loses Drive With Data of 10.9 Million Clients

Kyushu Electric Power Co. disclosed that a physical hard drive containing personal data of 10.9 million customers went missing. Not a sophisticated cyberattack, not a zero-day, just a lost drive. In 2026, one of Japan's largest energy providers managed to misplace a storage device with more records than some countries have people.

**What to do:** Encrypt everything at rest. If a drive walks out the door, the data should be useless without the key. Also, maybe track your hardware assets better.

---

Catch you tomorrow. In the meantime, go check your attack surface.

---

Brought to you by sig9 - http://sig9.ch | Protecting the unseen, securing the unknown

*This bulletin is provided for informational purposes. Contact us for tailored security analysis.*

11/06/2026

Hacker Wars - June 11, 2026

Your daily dose of infosec chaos

---

Thursday is serving up the usual mix: a 450k-record university breach, two more actively exploited CVEs to patch before the weekend, and GitHub finally turning off the thing attackers love most about npm. Patch early, patch often.

---

GitHub Pulls The Plug On Npm Install Scripts

With npm 12, GitHub is disabling install scripts by default because attackers keep abusing postinstall hooks to drop miners, stealers, and backdoors the moment you run npm install. This is a meaningful shift for the ecosystem, even if it is going to break a lot of perfectly innocent packages along the way. Supply chain defenders finally get a default that does not assume every maintainer is trustworthy.

**What to do:** Prepare for breakage in your builds, audit which of your dependencies rely on install scripts, and document any you explicitly need to re-enable.

---

Ivanti Sentry Max Severity Flaw Now Under Active Exploitation

Attackers are hitting a max-severity vulnerability in Ivanti Sentry, the secure mobile gateway product, giving them root-level code execution on internet-exposed instances. Ivanti has shipped a patch but the exploitation window tells you everything you need to know about exposure. If you run Sentry on a public IP and have not patched yet, you are behind.

**What to do:** Patch Ivanti Sentry immediately, hunt for indicators of compromise on the appliance, and review any internet-facing management interfaces for signs of abuse.

---

Nottingham University Breach Leaks 450,000 Student Records

ShinyHunters has taken credit for a breach of the University of Nottingham, dumping more than 450,000 email addresses plus additional personal data from current students and alumni. Universities continue to be soft targets: large user bases, sprawling third-party integrations, and security budgets that would not cover a Zurich coffee budget. Expect a wave of credential-stuffing and phishing follow-on activity.

**What to do:** Rotate credentials for anyone with a university-affiliated account, enable MFA everywhere, and warn users to expect targeted phishing tied to their .ac.uk address.

---

Microsoft Finally Patches Exploited Exchange Server Zero Day

Microsoft has fixed CVE-2026-42897, an Exchange Server flaw that was disclosed as under active zero-day exploitation back on May 14. The "Patch Tuesday will catch up eventually" strategy is not a strategy; it is a coin flip, and this one landed attacker-favoured. Anyone running on-prem Exchange should be treating this as urgent and not waiting for the next cumulative update.

**What to do:** Apply the June update to all on-prem Exchange servers today, hunt for web shells and suspicious mailbox activity from the past 30 days, and consider moving the rest of your mail flow to a managed cloud provider.

---

Langflow Path Traversal Flaw Lets Attackers Write Files On Your Box

CVE-2026-5027, a high-severity path traversal bug in the AI development platform Langflow, is being actively exploited to drop arbitrary files on exposed servers. Langflow instances tend to live on developer laptops and internal hosts that are rarely hardened, which turns a file-write primitive into a much bigger problem very quickly. If your team is using Langflow to wire up LLM pipelines, assume your dev box is interesting to attackers.

**What to do:** Update Langflow to the patched version, restrict network access to the Langflow UI, and review exposed instances for unexpected files in the application directories.

---

Stay paranoid, stay patched, and have a good one.

---

08/06/2026

Hacker Wars - June 08, 2026

Your daily dose of infosec chaos

---

Monday kicks off with a bang: threat actors are showing up at your office door, SolarWinds is back in the spotlight (yes, again), and your VS Code extensions just got a speed bump. Grab your coffee and let's dive in.

---

Hacker Group Shows Up At Your Door And On The Phone

Google Mandiant just dropped details on UNC3753, a financially motivated crew that combines vishing with actual physical break-ins to steal data and extort U.S. organizations. They hit professional services, law firms, and financial companies between January and May 2026, proving that sometimes the threat model really does include a guy in a polo shirt talking his way past reception.

**What to do:** Train front desk staff on social engineering, verify all "vendor" and "IT support" visits, and include physical intrusion scenarios in your incident response playbook.

---

SolarWinds Serv-U Flaw Actively Exploited, No Patch Yet

SolarWinds disclosed a vulnerability in Serv-U that lets unauthenticated attackers crash the service with a crafted POST request. The flaw is already being exploited in the wild, and while SolarWinds is working on a fix, you are currently on your own. The good news: it is a DoS, not RCE. The bad news: if your file transfer service goes down at 3am, your SOC will not be having fun.

**What to do:** Monitor Serv-U logs for unusual POST requests, restrict network access to the service, and watch for the patch.

---

VS Code Now Delays Extension Updates By Two Hours

Microsoft is adding a mandatory two-hour delay before VS Code auto-updates extensions, a direct response to the wave of supply chain attacks targeting the extension marketplace. Attackers had been pushing malicious updates that would propagate instantly to millions of developers. The delay gives security teams a window to catch poisoned packages before they hit production dev machines.

**What to do:** Keep auto-updates enabled but review your installed extensions regularly. Consider pinning critical toolchain extensions to known-good versions.

---

OpenAI Adds Active Sessions And Lockdown Mode To ChatGPT

OpenAI is rolling out new account security features for ChatGPT, including active session management and a "Lockdown Mode" that restricts account recovery options. This comes after a string of account takeover incidents targeting users with sensitive conversations stored in their chat history. If your SOC team has been dumping threat intel into ChatGPT, this one is for you.

**What to do:** Enable Lockdown Mode if available, review active sessions, and remember that LLM chat history is a data loss vector.

---

C0XMO Botnet Targets DD-WRT Routers, Eliminates Competition

A new Gafgyt variant called C0XMO is spreading through vulnerabilities in DD-WRT router firmware, supporting multiple CPU architectures. What makes it interesting: it actively kills rival malware on infected devices, claiming exclusive ownership of compromised routers. The botnet operators are running a hostile takeover of your IoT fleet.

**What to do:** Update DD-WRT firmware to the latest version, change default credentials on all routers, and segment IoT devices from your main network.

---

That's the chaos for today. Stay sharp out there.

---

26/05/2026

Hacker Wars - May 26, 2026

Your daily dose of infosec chaos

---

Retail breaches, Iranian APTs still hunting after military strikes, and LMS zero-days getting exploited in the wild. Another Monday in infosec where "patch everything" is starting to sound less like advice and more like a survival strategy.

---

7-Eleven Breach Hits 185,000 Customers

ShinyHunters leaked data from 7-Eleven, exposing names, email addresses, physical addresses, and dates of birth of roughly 185,000 people. The breach came through a third-party partner repository, which is corporate-speak for "our vendor got popped and we inherited the mess." If you have a 7-Eleven account, assume your PII is out there.

**What to do:** Change passwords on any 7-Eleven linked accounts and watch for targeted phishing using your leaked personal details.

---

Iranian APT Nimbus Manticore Hits Aviation and Software

The Iranian threat group Nimbus Manticore has been quietly targeting aviation and software companies with refreshed tooling, and notably kept operating through and after the US military campaign against Iran. These folks don't take days off, apparently. The updated toolkit suggests they're investing in staying ahead of detection.

**What to do:** If you're in aviation or defense-adjacent software, review your network segmentation and check IOCs from recent Nimbus Manticore reports.

---

Microsoft Defender Gets Auto-Isolation for Compromised Endpoints

Microsoft is rolling out a feature in Defender for Endpoint that automatically isolates compromised machines from the network. The idea is to cut off lateral movement before attackers can pivot, essentially giving your SOC a robot that slams the network door shut without waiting for a human to approve the JIRA ticket.

**What to do:** Evaluate this capability in your Defender for Endpoint deployment and plan your isolation policies before enabling it in production.

---

KnowledgeDeliver Zero-Day Leads to Godzilla Web Shells

Attackers exploited a zero-day in KnowledgeDeliver LMS to deploy Godzilla web shells and Cobalt Strike beacons on vulnerable servers. LMS platforms are often overlooked in patch cycles because nobody thinks the training portal is interesting to attackers. Spoiler: they're wrong.

**What to do:** Audit your KnowledgeDeliver deployments immediately, check for unexpected web shells, and restrict internet-facing LMS instances.

---

Dutch Police Seize 800 Servers From Bulletproof Hosting Providers

Netherlands law enforcement arrested two administrators and seized 800 servers from a bulletproof hosting operation that had been providing infrastructure to Russian cybercriminal groups. The service was essentially an Airbnb for malware operators. This won't stop the threat actors, but it does mean they need to find new real estate.

**What to do:** Check if any of your threat intel feeds have updated blocklists with the seized infrastructure and update your defenses accordingly.

---

That's the chaos for today. Stay sharp out there.

---

22/05/2026

Hacker Wars - May 22, 2026

Your daily dose of infosec chaos

---

Zero-days, SQLi, and APTs, oh my. Today's roundup is a buffet of "patch it yesterday" moments, plus a nice law enforcement win to remind you that botmasters do eventually get caught. Grab your coffee and let's dive in.

---

Trend Micro Apex One Zero-Day Under Active Exploitation

Trend Micro confirmed that attackers are actively exploiting a zero-day vulnerability in their Apex One endpoint protection product on Windows. The flaw allows code execution on affected systems, which is exactly what you don't want from your security software. Patches are out now, so stop reading and go apply them.

**What to do:** Update Apex One immediately. If you can't patch yet, check Trend Micro's advisory for interim mitigations and monitor for IOCs.

---

Drupal Sites Under Fire From Critical SQL Injection

Drupal dropped a "highly critical" SQL injection advisory earlier this week, and attackers are already scanning for vulnerable installations. SQLi in a CMS is classic but devastating: it can lead to full database dumps, admin account takeover, and lateral movement. If you're running Drupal and haven't patched, your site is probably already being probed.

**What to do:** Apply the Drupal security update now. Review your database logs for suspicious queries and audit any exposed admin accounts.

---

Ubiquiti Ships Emergency Patches For Three Max-Severity UniFi Flaws

Ubiquiti patched three vulnerabilities in UniFi OS that all carry the maximum CVSS score of 10.0. The best part? They're remotely exploitable with zero authentication. If you're running UniFi gear in your network, these are the kind of bugs that keep penetration testers up at night, and attackers up even later.

**What to do:** Update UniFi OS to the latest version immediately. If you can't patch, restrict management access to trusted networks only.

---

KimWolf Botmaster Busted In Joint U.S.-Canada Operation

Authorities in the U.S. and Canada arrested a 23-year-old Ottawa man accused of running the KimWolf IoT botnet, which enslaved nearly two million devices for DDoS attacks. The botnet allegedly powered some massive attacks over the past six months. Another reminder that operating a botnet is a career with excellent job security, if your definition of "job security" includes federal charges.

**What to do:** Review your network for IoT devices with default credentials. Segment IoT gear away from critical infrastructure.

---

China-Linked APT Targets EU Governments Via Discord and Microsoft Graph

A Chinese threat group dubbed Webworm has been hacking European government entities by abusing legitimate services like Discord and Microsoft Graph for command and control. They're also using SoftEther VPN and other tunneling tools to blend malicious traffic with normal network activity. Living off the land meets living off the cloud, and it's working.

**What to do:** Monitor for unusual traffic to cloud services like Discord API and Microsoft Graph from non-user endpoints. Review your egress filtering policies.

---

That's the chaos for today. Stay sharp out there.

---
