[SIGNALS WEEKLY] Converging on Exposed Management Planes
The management plane blinked. Everyone treated it like plumbing until the attacker used it like a front door. PeopleSoft PSEMHUB, REDCap, VPN gear, SD-WAN managers, logging sidecars — different products, same pattern. The exposed control layer keeps turning into the incident path.
TL;DR
- [Exploitation] ShinyHunters (UNC6240) weaponized Oracle PeopleSoft CVE-2026-35273 as a zero-day in an extortion campaign, heavily impacting higher education via exposed PSEMHUB endpoints and demonstrating how a single ERP web tier can drive org-wide data theft.
- [Espionage] PRC-nexus UNC6508 targeted North American AI/cyber/medical/defense research using compromised REDCap infrastructure, custom INFINITERED malware, and cloud email content-compliance rule abuse for low-friction, tenant-level persistence and exfiltration.
- [Vulnerabilities] CISA’s BOD 26-04 and new KEV entries (Cisco SD-WAN Manager CVE-2026-20262, LiteSpeed cPanel Plugin CVE-2026-54420, Splunk sidecar CVE-2026-20253, Check Point IKEv1 CVE-2026-50751, Rockwell FLEX I/O CVE-2026-0646 and CVE-2026-0647) concentrate near-term risk on exposed management, VPN, logging, and OT control planes.
AlphaHunt
Current Stories
TL;DR
- [Exploitation] Oracle PeopleSoft (CVE-2026-35273) was exploited as a zero-day in an extortion campaign attributed to UNC6240 (ShinyHunters), heavily impacting higher education and prompting rapid perimeter hardening around PSEMHUB endpoints.
  Why it matters: One exposed ERP web tier can cascade into org-wide data loss.
- [Geopolitics / Espionage] PRC-nexus UNC6508 targeted North American medical and defense research via REDCap compromises and bespoke INFINITERED malware, then abused cloud email content-compliance rules for stealthy, persistent exfiltration.
  Why it matters: Cloud-native persistence can survive endpoint “cleanup.”
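As an added illustration (our own, not code from the original reporting or from any vendor), here is a small audit that flags mail-routing rules of the kind UNC6508 is described as abusing: rules that silently BCC, forward, or redirect mail to an address outside the tenant, especially when they match every message and were changed recently. It assumes a hypothetical normalized rule schema (the MailRule fields and action names such as add_bcc are ours) and a constructed sample export using the domain example.edu; a real Google Workspace content-compliance or Exchange Online transport-rule export has different field names and must be mapped into that shape first. The point is where the check runs: against tenant configuration rather than endpoints, which is why it still catches persistence after hosts have been reimaged.

```python
from dataclasses import dataclass

# Hypothetical normalized rule record (assumption: real exports from Google
# Workspace content compliance or Exchange Online transport rules use other
# field names; map them into this shape before running the audit).
@dataclass
class MailRule:
    name: str
    enabled: bool
    match_all_messages: bool   # True when the rule has no sender/content condition
    actions: tuple             # e.g. ("add_bcc",), ("quarantine",), ("forward",)
    added_recipients: tuple    # addresses inserted by add_bcc / forward / redirect
    modified_days_ago: int     # age of the last change to the rule

# Actions that deliver a copy of the message somewhere new (hypothetical names).
COPY_ACTIONS = {"add_bcc", "forward", "redirect"}


def external_recipients(rule, tenant_domains):
    """Recipients a copy action sends to that are outside the tenant's domains."""
    return [addr for addr in rule.added_recipients
            if addr.rsplit("@", 1)[-1].lower() not in tenant_domains]


def audit_rules(rules, tenant_domains, recent_days=30):
    """Return (rule name, severity, reasons) for enabled rules worth a human look.

    high   : copies mail to an external address and matches every message
    medium : copies mail to an external address under some condition
    low    : matches every message and was changed recently (no external copy)
    """
    tenant_domains = {d.lower() for d in tenant_domains}
    findings = []
    for rule in rules:
        if not rule.enabled:
            continue
        reasons = []
        ext = external_recipients(rule, tenant_domains)
        copies_out = bool(ext) and bool(COPY_ACTIONS & set(rule.actions))
        if copies_out:
            reasons.append("copies mail to external address(es): " + ", ".join(ext))
        if rule.match_all_messages:
            reasons.append("no match condition; applies to every message")
        recent = rule.modified_days_ago <= recent_days
        if recent:
            reasons.append(f"changed {rule.modified_days_ago} days ago")

        if copies_out:
            severity = "high" if rule.match_all_messages else "medium"
        elif rule.match_all_messages and recent:
            severity = "low"
        else:
            continue
        findings.append((rule.name, severity, reasons))
    return findings


# Constructed sample standing in for a tenant export (not real data).
SAMPLE_RULES = [
    MailRule("DLP: quarantine SSNs", True, False, ("quarantine",), (), 400),
    MailRule("Compliance archive", True, True, ("add_bcc",),
             ("archive.mailbox@outlook.com",), 3),
    MailRule("Legacy journaling", False, True, ("add_bcc",),
             ("journal@example.edu",), 900),
    MailRule("Exec forwarding", True, False, ("forward",),
             ("assistant@example.edu",), 10),
]

if __name__ == "__main__":
    for name, severity, why in audit_rules(SAMPLE_RULES, {"example.edu"}):
        print(f"[{severity.upper()}] {name}: " + "; ".join(why))
```

Run against the sample set, only the "Compliance archive" rule is reported: a benign-looking name, no match condition, a BCC to a consumer mailbox, and a change three days old. A real deployment would feed this from the tenant's admin audit log on a schedule and alert on any new high or medium finding rather than on a one-off export.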