
This week’s threat intelligence shows attacker operations scaling faster than defenders can absorb patches. Check Point Research’s 15 June weekly bulletin covers a zero-day that let ShinyHunters hit more than 100 organizations, exploitable flaws in LangGraph’s AI agent framework, and a Patch Tuesday addressing more than 200 Windows vulnerabilities.
- ShinyHunters exploited CVE-2026-35273, a critical Oracle PeopleSoft remote code execution zero-day, across 100+ organizations including the University of Nottingham (454,600 students affected)
- Check Point Research found remote code execution in LangGraph via chained SQL injection and unsafe deserialization; patches issued for SQLite, core, and Redis components
- Microsoft’s largest-ever Patch Tuesday: 200+ CVEs including CVE-2026-45657 (CVSS 9.8, network-based propagation) and CVE-2026-41091 (actively exploited for full system control)
- Ransomware incidents up 48% year over year through May 2026 per Check Point’s monthly attack trends report
ShinyHunters Breaches 100 Organizations via CVE-2026-35273: This Week’s Threat Intelligence Top Story
ShinyHunters, the extortion group behind a string of SSO and helpdesk social-engineering campaigns, pivoted this week to a zero-day exploit. CVE-2026-35273, a critical Oracle PeopleSoft flaw allowing remote code execution, gave the group access to the student records system at the University of Nottingham, a UK research university. The breach exposed contact details, passport numbers, enrollment information, and fee payment records for 454,600 current and former students. Analysts linked the Nottingham breach to a broader ShinyHunters campaign targeting more than 100 organizations on the same vulnerability.
The bulletin reported two other significant breaches. Mackay Sugar, Australia’s second-largest sugar producer, suffered a cyberattack that halted its Farleigh and Racecourse mills in Queensland. Novo Nordisk disclosed that attackers accessed internal IT systems and copied pseudonymized clinical trial data including patient IDs, trial participation details, and limited health information. Both incidents add to the 48% year-over-year rise in ransomware incidents Check Point tracked through May 2026.
The bulletin also documented a supply-chain compromise in the Arch User Repository. Attackers seized hundreds of packages, modified build scripts, and deployed a Rust credential-stealing payload. On systems where the attacker had administrative privileges, they installed an eBPF rootkit — a persistence mechanism that operates below the OS detection layer available to most endpoint detection and response (EDR) tools.
LangGraph Deserialization Flaw and Outsider Phishing Network: This Week’s AI Threat Intelligence Findings
Check Point Research demonstrated that LangGraph, an open-source framework for building stateful large language model (LLM) agents, contains exploitable flaws. Researchers chained a SQL injection issue with unsafe deserialization to achieve remote code execution on affected deployments. Patches have been issued for SQLite, core, and Redis checkpointer components. A compromise of the checkpointing layer exposes all intermediate state an agent persists across sessions — credentials, in-flight workflow data, and accumulated context from multi-turn tasks.
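The two bug classes chained in the LangGraph finding, seen from the defensive side in an added example (not LangGraph's code or its patch): a hypothetical SQLite-backed checkpoint store that binds `thread_id` as a query parameter and keeps agent state as HMAC-tagged JSON, verified before it is parsed. The class name, schema, and demo key are assumptions made for illustration.

```python
import hashlib
import hmac
import json
import sqlite3

# Constructed demo key; a real deployment would load this from a secret manager.
DEMO_KEY = b"constructed-demo-key-not-a-real-secret"


class CheckpointStore:
    """Hypothetical agent-state store: bound SQL parameters, authenticated JSON blobs."""

    def __init__(self, conn: sqlite3.Connection, key: bytes):
        self.conn = conn
        self.key = key
        conn.execute(
            "CREATE TABLE IF NOT EXISTS checkpoints "
            "(thread_id TEXT PRIMARY KEY, blob BLOB NOT NULL, tag TEXT NOT NULL)"
        )

    def _tag(self, thread_id: str, blob: bytes) -> str:
        # Length-prefix the row key so a valid blob cannot be replayed under another thread.
        tid = thread_id.encode()
        msg = len(tid).to_bytes(4, "big") + tid + blob
        return hmac.new(self.key, msg, hashlib.sha256).hexdigest()

    def put(self, thread_id: str, state: dict) -> None:
        # JSON is data-only: parsing it cannot construct objects or run code.
        blob = json.dumps(state, sort_keys=True).encode()
        self.conn.execute(
            "INSERT OR REPLACE INTO checkpoints VALUES (?, ?, ?)",
            (thread_id, blob, self._tag(thread_id, blob)),
        )

    def get(self, thread_id: str):
        # thread_id is a bound parameter, never spliced into the SQL text.
        row = self.conn.execute(
            "SELECT blob, tag FROM checkpoints WHERE thread_id = ?", (thread_id,)
        ).fetchone()
        if row is None:
            return None
        blob, tag = row
        # Verify before parsing so a row altered in the database is rejected.
        if not hmac.compare_digest(tag, self._tag(thread_id, blob)):
            raise ValueError("checkpoint failed integrity check")
        return json.loads(blob)
```

The HMAC key must live outside the database it protects; otherwise write access to the checkpoint table is enough to forge a valid tag.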
Researchers identified Outsider, a China-based phishing-as-a-service network, using Google’s Gemini model to generate fake websites supporting SMS phishing campaigns. Google filed a lawsuit after linking the operation to more than 1,500 phishing sites and 1.5 million URLs. The bulletin also warned that prompt-injection attacks against Claude Code’s GitHub Action can leak CI/CD workflow secrets. Malicious text in issues or pull requests can instruct the agent to read environment variables and expose API keys. Read prior coverage of prompt injection detection gaps in AI security stacks for the broader context on this attack class.
Patch Tuesday, Veeam, and Check Point VPN: The Week’s Critical Vulnerability Threat Intelligence
Microsoft’s largest Patch Tuesday to date addressed more than 200 Windows and Defender vulnerabilities. Three require immediate prioritization: CVE-2026-45657 (CVSS 9.8, network-based propagation), CVE-2026-41091 (actively exploited for full system control), and CVE-2026-50507 (BitLocker bypass, compromises encryption at rest). Veeam released updates for a critical flaw in Backup and Replication — an authenticated domain user can execute code remotely on a domain-joined backup server. Check Point flagged active exploitation of CVE-2026-50751, an authentication bypass in Remote Access VPN and Mobile Access deployments using the deprecated IKEv1 key exchange protocol, with one confirmed case tied to Qilin ransomware.
The operational picture from this week’s threat intelligence is consistent. ShinyHunters’ CVE-2026-35273 campaign hit 100+ organizations before patches could contain it. Patch Tuesday’s 200+ CVE count suggests AI-assisted vulnerability discovery is producing more research than patch cycles can absorb. Two responses give security teams the most leverage this week: pre-deployment behavioral integrity checks for AI agent tools (per the LangGraph finding), and compressed patch SLAs for network-propagation CVEs in the CVSS 9.8 tier.














