If you defend a network, your day starts with noise: leak-site dumps, fresh exploits, threat-actor chatter. We cut it to the few moves that actually matter, with the operational context to act on them, ahead of the news cycle. Follow for the signal.
DragonForce listed 6 victims in one burst today - every single one in the Gulf or Hong Kong
Claimed on the leak site:
- Corniche Hotel Abu Dhabi - 130GB
- Cheoy Lee Shipyards, HK - 63GB, a 150-year-old shipbuilder
- The DRM, Bahrain - 51GB
- Al Ishrak Contracting, UAE - 43GB
- Al Shafar GRC, UAE
- A. Liberty Engineering, HK
Same day, the site opened public registration to its RaaS affiliate program. Nothing victim-confirmed yet, but that regional clustering is not random.
Scattered Lapsus$ Hunters just listed the NY Knicks' parent, JCPenney, American Tower, and a fiber backbone operator - 4 claims in about an hour
Today's listings:
- Madison Square Garden Sports (Knicks, Rangers)
- JCPenney + Catalyst Brands subs - Aeropostale, Brooks Brothers, Eddie Bauer (1,800 stores, 60M customers claimed)
- American Tower
- Zayo + Allstream
Already on the board:
- Nexstar - claims 1M+ Salesforce records, 14 Jun deadline
- Ralph Lauren - claims 220GB+, 14 Jun deadline
- Charter, BCD Travel, Baker Distributing, Nottingham Uni
Our 30-day tally: 11 victims, 10 US
ShinyHunters turned a single PeopleSoft endpoint into a university extortion run: CVE-2026-35273, a 9.8 unauth RCE in the Environment Management Hub, exploited before Oracle's June 10 advisory. Student finance data is already on their leak site. Full breakdown of the kill chain and the PSEMHUB mitigations on the blog.
The headline buries the actor: this is ShinyHunters exploiting CVE-2026-35273, a 9.8 unauth RCE in PeopleSoft's Environment Management Hub, as a zero-day before Oracle's June 10 advisory. Education sector hit, student finance data already on their leak site. If you run PeopleSoft: disable PSEMHUB and inspect web-tier JSP files now.
SLSH has added Ralph Lauren to its leak site, claiming more than 220GB including customer PII, purchase and transaction data, and unreleased product material dated 2027 and beyond. The roadmap-leak angle is unusual for a fashion brand. Final warning with a 14 June deadline, nothing published yet.
SLSH has listed Nexstar on its leak site, claiming over a million Salesforce records and internal corporate data from the largest local-TV operator in the US. It is the same Salesforce data-theft thread running through the group's recent targets, Charter, BCD Travel and Cushman among them. A final warning with a 14 June deadline, no data published yet.
If you run Langflow, assume it is exploitable right now. Its default auto-login hands a valid session to anyone with no credentials, and a path-traversal flaw in the file-upload endpoint lets that unauthenticated request write files anywhere, including a cron job that runs as root. It is being exploited in the wild. Patch or pull it off the internet today.
World Leaks has listed Reliance Group on its leak site, the Anil Ambani conglomerate spanning power, infrastructure and financial services. It is the group's fourth Indian victim in the past few days, after Tata Electronics, Apollo Pipes and the RBI-licensed TReDS platform M1xchange. A clear India burst from a crew that mostly hits the US and Europe.
The reconnaissance half is the part defenders should sit up for. JDY, the rebuilt Volt Typhoon botnet now spanning 1,500+ SOHO and IoT boxes, is a scanning engine that fingerprints exposed edge devices and starts hitting newly disclosed CVEs within hours of publication. Your patch window for an internet-facing Fortinet or DrayTek is measured in hours now, not the weekend.
This closes the door the self-propagating npm worms walked through: preinstall and postinstall scripts that auto-run the second you install. Two caveats. It is a v12 default landing in July, not live today, and the worms are already routing around lifecycle scripts with Python .pth and Bun startup hooks. Floor raised, door still open.
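An added example, not from the original post or any project it mentions: a Node.js audit that lists installed packages declaring install-time lifecycle scripts (preinstall, install, postinstall), plus npm's implicit node-gyp rebuild when a binding.gyp is present. The package names and the temporary tree are constructed, and the check does not cover the .pth or Bun startup-hook routes mentioned above.

```javascript
const fs = require('node:fs');
const os = require('node:os');
const path = require('node:path');
// Scripts a package manager runs automatically at install time.
const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall'];
function inspectPackage(dir, found) {
  let manifest;
  try { manifest = JSON.parse(fs.readFileSync(path.join(dir, 'package.json'), 'utf8')); } catch { return; }
  if (!manifest || typeof manifest !== 'object') return;
  const scripts = manifest.scripts || {};
  const hooks = {};
  for (const h of INSTALL_HOOKS) if (typeof scripts[h] === 'string') hooks[h] = scripts[h];
  // npm runs "node-gyp rebuild" implicitly when binding.gyp exists and the
  // package defines neither an install nor a preinstall script.
  if (!hooks.install && !hooks.preinstall && fs.existsSync(path.join(dir, 'binding.gyp'))) {
    hooks.install = 'node-gyp rebuild (implicit)';
  }
  if (Object.keys(hooks).length) found.push({ name: manifest.name, dir, hooks });
}

// Walk node_modules, descending into @scope directories and nested node_modules.
function findInstallHooks(nodeModules, found = []) {
  let entries = [];
  try { entries = fs.readdirSync(nodeModules, { withFileTypes: true }); } catch { /* absent */ }
  for (const entry of entries) {
    if (!entry.isDirectory() || entry.name.startsWith('.')) continue; // skips .bin and symlinks
    const dir = path.join(nodeModules, entry.name);
    if (entry.name.startsWith('@')) { findInstallHooks(dir, found); continue; }
    inspectPackage(dir, found);
    findInstallHooks(path.join(dir, 'node_modules'), found);
  }
  return found;
}

// Constructed sample tree (made-up package names) so the example runs offline.
function buildSampleTree() {
  const nm = path.join(fs.mkdtempSync(path.join(os.tmpdir(), 'hooks-demo-')), 'node_modules');
  const put = (rel, manifest, extraFile) => {
    fs.mkdirSync(path.join(nm, rel), { recursive: true });
    fs.writeFileSync(path.join(nm, rel, 'package.json'), JSON.stringify(manifest));
    if (extraFile) fs.writeFileSync(path.join(nm, rel, extraFile), '{}');
  };
  put('plain-lib', { name: 'plain-lib', scripts: { test: 'node t.js' } });
  put('@demo/hooked', { name: '@demo/hooked', scripts: { postinstall: 'node setup.js' } });
  put('plain-lib/node_modules/native-dep', { name: 'native-dep' }, 'binding.gyp');
  return nm;
}
console.log(findInstallHooks(buildSampleTree()));
```

Pointed at a real project's node_modules, the output is the review list for deciding which install scripts, if any, to allow.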
@SecurityWeek A UPS network card with a chainable auth-bypass-to-RCE is the quiet version of a data center outage: no malware on a single server, just code on the thing that keeps them all powered. Claroty found the same pattern on the Trane HVAC side.
The Gentlemen's latest run spans five countries and spares no sector: Scenic Hudson, a US environmental nonprofit; a German volunteer emergency service in Allensbach; UITM Holdings in Malaysia; plus a Brazilian machinery maker and a Japanese firm, all newly listed on its leak site.
Three critical RCEs worth dropping everything for this week:
Ivanti Sentry, CVE-2026-10520 (CVSS 10): unauthenticated, root-level command injection. Public PoC is already out. Patch 10.5.2 / 10.6.2 / 10.7.1.
Veeam Backup & Replication, CVE-2026-44963 (CVSS 9.4): any authenticated domain user gets RCE on a domain-joined backup server. Backups are the ransomware target, so this jumps the queue. Fixed in 12.3.2.4854 (v12 affected, v13 not).
Chrome, CVE-2026-11645: actively exploited in the wild, added to CISA's KEV catalog today.
If you run any of the three, today is a patching day.
World Leaks just added Tata Electronics, the Tata Group subsidiary building India's electronics and semiconductor manufacturing base, to its leak site. A target tied to India's chip ambitions is a notable step up from the SMBs the group had been listing.
PEAR has listed Jamaica's National Health Fund on its leak site, claiming 2.9 TB that includes thousands of patients' PII and PHI, financials, and HR data. Three more went up in the same run: a US electrical contractor, a US hardware distributor, and a Norwegian IT firm.
Hours after June Patch Tuesday closed two Defender zero-days, a third surfaced. RoguePlanet is a public PoC abusing a race condition in Microsoft Defender to escalate an ordinary user to SYSTEM on fully patched Windows 10 and 11. Unpatched, no advisory yet, and it is a race, so hit or miss.