this week in security — june 14 2026 edition
THIS WEEK, TL;DR
ShinyHunters breach 100+ companies by exploiting zero-day in Oracle PeopleSoft
Cyberscoop: The ShinyHunters hackers are back with a fresh zero-day in hand, this time exploiting Oracle's PeopleSoft software, a suite of apps that help businesses run their daily operations. The hackers claim to have breached over 100 organizations that rely on the software, with some two-thirds affecting schools and higher education institutions, per Mandiant. That includes the University of Nottingham, which became the first known victim after the hackers took credit on their leak site. Mandiant added that it's monitoring the mess, in part because the hackers appeared to leave some of their staging servers exposed, spilling some of their operations to the web. Researchers confirmed the use of a remotely exploitable zero-day bug (CVE-2026-35273), meaning the exploit works over the internet. No patches just yet, but Oracle said to apply mitigations to prevent exploitation. Oracle hasn't said much about the hacking campaign beyond its advisory, which isn't a surprise given it flubbed its handling of its last mass-hack.
More: Oracle | Bleeping Computer | SecurityWeek | CSO Online | BBC News | Mandiant | The Register | TechCrunch ($)

Lawmakers allow U.S. surveillance law to lapse after balking at Trump's controversial pick to lead spy agencies
The New York Times ($): For the first time since FISA was overhauled in 2008, the U.S. warrantless surveillance law has lapsed because more than a dozen Republican lawmakers voted against its reauthorization, guaranteeing the law would expire by Friday. The lawmakers joined Democrats in protesting Trump's appointment of federal housing director Bill Pulte to oversee the intelligence community as U.S. chief spy. Pulte has no intelligence… experience, but promised to gut the spy agencies and go after Trump's critics if confirmed by the Senate. By the time Trump realized he had lost the vote and instead moved to replace Pulte's nomination with former SEC chair Jay Clayton, most lawmakers had already left Washington for the week. FISA expiring isn't great but is largely symbolic of the political deadlock today, given that this Pulte thing was a huge distraction that hasn't helped resolve any of the underlying bipartisan concerns with the warrantless spy law to begin with. The U.S. government's classified spy programs have already been certified for the year, so they won't fall off a cliff until at least March 2027, giving lawmakers many more months to spin their wheels.
More: TechCrunch ($) | Politico ($) | Reuters ($) | NPR | @lizagoitein
Microsoft open source tools hacked to steal passwords of AI developers
TechCrunch ($): Microsoft cut off access to around 70 of its popular open source tools hosted on GitHub after hackers broke in and planted password-stealing malware in the repos. The affected open source tools allow developers to write code with AI coding apps like Claude Code and Gemini CLI. Once the developer opens the malicious code in these apps, the code would steal the developer's credentials and spread to other victims. Microsoft is the latest to get hit by a supply chain attack on its open source code in recent months; twice, in fact, as researchers suspect that Microsoft's latest repo hack may be a re-compromise from an earlier breach that wasn't fully remediated. Microsoft didn't say (when I asked) how many of its customers had been compromised as a result of downloading its tools, but admitted it was a "small number." Given Microsoft's massive global reach, that could still be a lot of companies. (Disclosure alert: I wrote this story!)
More: Cloudsmith | OpenSourceMalware | Ars Technica | The Register | 404 Media ($)

Flock faces fresh fiascos after new search security lapse and cop users getting busted
404 Media ($): Flock, everyone's favorite surveillance company to hate, gave us two new reasons to add to the pile. 404 Media ($) reported that cops around the country keep getting arrested for misusing their access to Flock (which arguably wouldn't be an issue if there wasn't a system to abuse to begin with) to snoop on and stalk people. These cases not only reveal more police abuses but also show that these systems can be used to track people down. The license plate reader maker and tracker also exposed fresh data, following previous security lapses, after 404 Media and privacy researchers found search engines were somehow exposing Flock searches, such as justifications for police searches and the occasional license plate under investigation. Flock didn't immediately seem to know how this happened. Also check out Wired ($), which has a new feature mapping out all of the Flock plate readers near World Cup stadiums around the U.S. For paid subscribers ($): I have a new blog diving into the sneaky ways governments tap into your private data. License plate readers are a big one!
More: 404 Media ($) | Wired ($) | WISN
~ ~
~this week in security~ is my weekly cybersecurity newsletter supported by readers like you. Please consider signing up for a paying subscription starting at $10/month for access to exclusive articles, analysis, and more.
Or, you can submit a one-time tip to show your support!
Check out my recent articles, such as:
The sneaky ways that governments get your private data
Oura says it gets government demands for user data. Will it share how many?
The most dangerous threats to the internet in 2026
Why your doctor's AI recorder can be bad for your health (and privacy)
~ ~
THE STUFF YOU MIGHT'VE MISSED
French government's Tchap encrypted app breached, data stolen
The Register: The French government's homegrown encrypted messaging app Tchap was compromised after attackers hijacked an account and accessed public chat rooms. Officials said encrypted chats weren't affected, but The Register said that the hacker may have accessed over 643,000 messages. Bleeping Computer has more good reporting.
FCC wants to kill burner phones by requiring registration data
404 Media ($): U.S. telecoms regulator FCC is proposing to legally force phone companies to collect new and renewing customers' government IDs and physical addresses, which would make it near-impossible to buy a burner (think: anonymous) phone. The idea is to combat scammers, but that's still a terrible idea — and phone companies are notoriously bad with security. Last year, the FCC voted to scrap cyber requirements at phone companies, and now it's doing this… so, yikes.
CISA shortens deadline for agencies to patch critical bugs
Reuters ($): Government officials now have just three days to patch the most severe bugs under active attack, or remove the products from service. That's the new directive from CISA, which says this aims to help get agencies ahead of the growing influx of bugs discovered by AI.
Journalist gets rare first-hand look inside a North Korean hiring scheme
Indicator ($): Indicator founder Craig Silverman stumbled upon North Korean operatives — or rather, they stumbled upon him — who tried to get him hooked into a fake job interview with the aim of getting him to plant malware on his computer. Silverman went along for the ride and documented the effort, including new techniques. The investigation is paywalled but provides the IOCs publicly for defenders. Meanwhile: CrowdStrike's annual threat report [PDF] put North Koreans behind 47% of all hands-on hacks targeting the tech industry during April '25-March '26, showing how big of a threat the North Koreans pose. (via Forbes ($))
67 million Thais had data compromised thanks to security lapse
Bangkok Post: A civil society group urged a Thai parliamentary committee to investigate a suspected data exposure at a government agency for state benefits, claiming a spill of data affecting 67 million people. The leaked data allegedly appeared on a hacker forum, the group claimed. More via DataBreaches.net.
Meta catches NSO targeting WhatsApp users in violation of court ban
TechCrunch ($): Meta said it caught spyware maker NSO Group hacking victims using WhatsApp again, even though a court years earlier banned NSO from using WhatsApp's platform to deliver its Pegasus spyware. Now, Meta is asking a court to hold NSO in contempt of court. Meta allegedly caught NSO testing its spyware by — I kid you not — taking a photo of a cup of soup on a mousemat with NSO's logo. Opsec fail hard.
~ ~
OTHER NEWSY NUGGETS
Three Microsoft zero-days under attack: Microsoft fixed over 200 bugs across its product line this week, including three under attack as zero-days. Microsoft said that the significant rise was due to — guess what, say it with me now — AI. Thanks, I hate it. (via Krebs on Security, Microsoft)
U.S. seizes spy hire sites: The FBI said it seized 13 websites backed by alleged Chinese spies who attempted to lure U.S. clearance holders into divulging potential secret information for cash for various clients. These websites posed as consultancy and advisory gigs, but probably started to seem a little sketchy when HR started asking about nuclear schematics in between onboarding tasks. (via Nextgov, Justice Department, @ddimolfetta)

When a hack wasn't a hack, ServiceNow edition: A slew of notifications to ServiceNow customers about suspected data access was related to security researchers who found a security flaw, rather than a malicious compromise, the company claims. The flaw was an unauthenticated bug, which meant ServiceNow was exposing reams of customers' data to the web. Whoops. (via TechCrunch ($), /r/servicenow, @zackwhittaker)
Coupang's billion won breach bomb: U.S.-headquartered online retail giant Coupang, which happens to be extremely popular in South Korea, was fined a massive $409 million (624 billion won) for a data breach last year that exposed the personal data and order details of some 33 million people in Korea. (via Bloomberg ($), BBC News ($), WSJ ($))
Google security layoffs: Several employees across Google's security divisions, including Mandiant and its threat intelligence group, were reportedly laid off. Google hasn't confirmed the exact number. (via SecurityWeek, Business Insider)
U.S. cuts off Mythos: Late Friday, the U.S. Dept. of Commerce issued an export control rule against Anthropic, effectively barring any foreign national, even those in the U.S. and Anthropic's own employees, from accessing its latest Mythos or Fable models, which the company claims are too dangerous to cybersecurity to release properly. WSJ ($) reports that Amazon security researchers figured out a way to jailbreak the models, prompting the ban. Anthropic pulled the models entirely as a way to comply with the ban. It's a very messy situation, but seems to suggest that the U.S. government can theoretically do this to any company. (via Axios ($), Washington Post ($))
~ ~
THE HAPPY CORNER
Ahhhh(!)-nnnd breathe out. That's the week in news, but this, my friends, is the happy corner.
First of all, please take with you a very secure Wi-Fi password. You never know when you'll need a spare one. Or better yet, give one to a friend.

Here's a sentence I didn't think I'd ever mutter: Conan O'Brien does deepfake awareness training.
ICYMI: The FBI has built its own replica town on its Huntsville, Alabama campus dubbed the Kinetic Cyber Range, featuring a courthouse, a datacenter, a hospital, an arcade, and a gas station — along with furnished homes, roads, and traffic lights. The idea is to help investigators test real-world devices as part of cyberattack simulations, like ransomware attacks.

Meanwhile, the Pope is said to be a computer nerd and his brother still calls him at the Vatican for computer advice, leading to this incredible exchange:

Before you go, and for a good cause: My partner Jordan and I are involved with a nonprofit called Project Sunshine, which raises funds to bring much-needed playtime to kids experiencing medical challenges, something that's really important to the health and wellbeing of kids and their parents. We've seen first-hand how much happiness that playtime brings to kids who need normal fun kid-things to do, and we're raising some funds for Project Sunshine's annual drive. Please consider dropping a few bucks to Project Sunshine's Play-A-Thon. For anyone donating $100 or above, I'll throw in an annual subscription for this newsletter to say thanks.
Got good news to share? Get in touch! this@weekinsecurity.com.
~ ~
CYBER CATS & FRIENDS
This is Stevie, who can be seen here tailgating into a facility in the hood of a human's jacket. Thanks so much to Kyle B. for sending in!

🐈 Send in your cyber cats! 🐈⬛ Got a cat or a non-feline friend? Send me an email with their photo and name and they will be featured in a later newsletter!
~ ~
SUGGESTION BOX
That's all there is for this week's edition — thank you as always so much for reading, I hope you enjoyed this one as much as I loved writing it. Have a great rest of your Sunday. We'll do this all over again next week!
Like this newsletter? Feel free to share it! And if you have anything you want to share with me for the newsletter, I love to hear from you — reach out at any time (especially if there's a cybercat attached!).
Later gators,
@zackwhittaker