TL;DR
Oracle PeopleSoft zero-day breached Nissan and NAIC via ShinyHunters group. A malicious Chrome extension masquerading as Perplexity AI intercepted and logged all user searches and address bar input. Mustang Panda leveraged Zoho WorkDrive as a command channel in attacks on Indian government and hydropower entities.
Executive Summary
- Oracle PeopleSoft zero-day actively exploited by ShinyHunters extortion group to breach Nissan and the National Association of Insurance Commissioners (NAIC), stealing employee data and configuration files.
- Microsoft researchers discovered a malicious Chrome extension posing as Perplexity AI that logged searches and every keystroke in the address bar, routing them through an attacker-controlled server before displaying real results.
- Mustang Panda, a China-aligned espionage group, deployed new malware and weaponized legitimate Zoho WorkDrive cloud service as a command channel in active compromises of Indian government and hydropower targets.
- Microsoft released approximately 200 security fixes in June 2026 Patch Tuesday, including nearly 36 critical-rated vulnerabilities.
- CVE-2026-48558, a critical authentication bypass in SimpleHelp, is being exploited to deliver the Djinn infostealer targeting cloud and AI development credentials.
Top Threats Today
1. Oracle PeopleSoft Zero-Day Exploited in Nissan and NAIC Breaches
Severity: HIGH | Affected: Finance
Nissan disclosed a data breach affecting current and former employees after threat actors exploited an Oracle PeopleSoft vulnerability in attacks previously linked to the ShinyHunters extortion group [1]. The National Association of Insurance Commissioners (NAIC) also confirmed compromise of its Oracle PeopleSoft server by the same group, with ShinyHunters stealing publicly available data, outdated logs, and configuration files totaling 3.1 TB of data [2]. Both breaches involved exploitation of the same zero-day vulnerability, demonstrating active, widespread use in the wild against high-value targets.
Sources: [1] BleepingComputer; [2] BleepingComputer
Recommended Action
- Conduct immediate vulnerability scan of all Oracle PeopleSoft instances; prioritize patching or isolation of internet-exposed servers.
- Review audit logs and access records for suspicious activity on affected PeopleSoft systems; assess scope of data exposure.
- Implement network segmentation to restrict PeopleSoft server access to authorized administrative networks only.
- Monitor for indicators of compromise (IOCs) associated with ShinyHunters extortion group communications.
2. Malicious Chrome Extension Steals Searches and Address Bar Input
Severity: HIGH | Affected: Technology
Microsoft discovered a malicious Chrome extension posing as the Perplexity AI search engine that quietly logged every search query and every character typed into the address bar, routing the collected data through an attacker-controlled server before redirecting users to legitimate results [1]. The extension's ability to transparently intercept and exfiltrate sensitive user input—including credentials, URLs, and search intent—before showing real results poses a significant credential-theft and reconnaissance risk.
Sources: [1] The Hacker News
Recommended Action
- Search Chrome Web Store and installed extensions for any variant named “Perplexity” or similar; remove immediately if found.
- Audit browser extension permissions across your organization; disable extensions with broad data-capture capabilities unless explicitly justified.
- Enforce Chrome extension allowlist policies via managed device policies; restrict installation to vetted, organization-approved extensions.
- Monitor for suspicious outbound traffic to unknown domains from Chrome processes; correlate with timeline of extension installation.
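The extension audit above can be automated. The following is an added example written for this briefing, not a tool from the original page or from Microsoft: it walks a Chrome profile's Extensions directory, resolves localized names, and flags both lookalike names (the "Perplexity" pattern here is a constructed example, adjust per brand) and permissions that allow reading or altering address-bar and web traffic.

```python
"""Audit installed Chrome extensions for lookalike names and broad data-capture permissions."""
import json
import re
from pathlib import Path
from typing import Optional

# Constructed lookalike pattern for the briefing's "Perplexity" case (assumption: tune per brand).
LOOKALIKE = re.compile(r"perp[l1i]ex[il1]ty", re.IGNORECASE)
# Permissions that let an extension read or alter browsing input and traffic.
BROAD_PERMS = {"tabs", "webRequest", "webRequestBlocking", "webNavigation",
               "history", "declarativeNetRequest", "scripting", "<all_urls>"}

def resolve_name(manifest: dict, ext_dir: Optional[Path]) -> str:
    """Resolve '__MSG_key__' names via _locales/<default_locale>/messages.json."""
    name = manifest.get("name", "")
    m = re.fullmatch(r"__MSG_(\w+)__", name)
    if not m or ext_dir is None:
        return name
    msgs = ext_dir / "_locales" / manifest.get("default_locale", "en") / "messages.json"
    try:
        return json.loads(msgs.read_text(encoding="utf-8"))[m.group(1)]["message"]
    except (OSError, KeyError, ValueError):
        return name

def assess(manifest: dict, ext_dir: Optional[Path] = None) -> dict:
    """Finding for one manifest: lookalike name and any broad permissions."""
    name = resolve_name(manifest, ext_dir)
    perms = set(manifest.get("permissions", [])) | set(manifest.get("host_permissions", []))
    broad = sorted(perms & BROAD_PERMS)
    lookalike = bool(LOOKALIKE.search(name))
    return {"name": name, "lookalike": lookalike, "broad_permissions": broad,
            "flag": lookalike or bool(broad)}

def scan_profile(profile: Path):
    """Walk <profile>/Extensions/<id>/<version>/manifest.json and yield flagged findings."""
    for manifest_path in (profile / "Extensions").glob("*/*/manifest.json"):
        try:
            manifest = json.loads(manifest_path.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue
        finding = assess(manifest, manifest_path.parent)
        if finding["flag"]:
            finding["id"] = manifest_path.parts[-3]
            yield finding

if __name__ == "__main__":
    import sys  # usage: python audit_extensions.py "<Chrome User Data>/Default"
    for f in scan_profile(Path(sys.argv[1])):
        print(f)
```

Broad permissions are flagged on legitimate extensions too, so treat the permission output as the review list for the "unless explicitly justified" step rather than as a verdict.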
3. Mustang Panda Weaponizes Zoho WorkDrive as Command Channel in Indian Targets
Severity: HIGH | Affected: Government
The China-aligned espionage group Mustang Panda is running two active campaigns against Indian government and hydropower targets, deploying new malware and turning the legitimate Zoho WorkDrive cloud service into a command-and-control channel [1]. The abuse of a legitimate cloud service as C2 infrastructure allows the attacker to blend malicious traffic with legitimate cloud activity, complicating detection and increasing dwell time.
Sources: [1] The Hacker News
Recommended Action
- Audit user access and activity logs in Zoho WorkDrive for suspicious file uploads, sharing, or access patterns; focus on government and critical infrastructure accounts.
- Implement strict access controls and MFA on all cloud storage accounts; disable legacy authentication and legacy sync protocols.
- Monitor egress traffic from government and OT networks to cloud storage services; flag unusual data volumes or timing patterns.
- Coordinate with cloud providers to identify and block known malware command-and-control infrastructure abusing their platform.
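One way to implement the egress-timing check above. This is an added example, not code from the briefing or from any vendor: it parses constructed proxy log lines, groups requests to a watched cloud-storage host (the Zoho WorkDrive hostname is an assumption; extend the set for your environment) per source host, and flags sources whose inter-request gaps are too regular to be human, the timing signature of scheduled beaconing that blends into legitimate SaaS traffic.

```python
"""Flag hosts whose traffic to a cloud storage service looks like scheduled C2 beaconing."""
import statistics
from collections import defaultdict
from datetime import datetime

# Assumption: SaaS storage hosts to watch; the briefing's case is Zoho WorkDrive.
WATCHED_DOMAINS = {"workdrive.zoho.com"}

# Constructed proxy log lines: "<ISO timestamp> <src_ip> <dst_host> <bytes_out>".
SAMPLE_LOG = """\
2026-06-10T08:00:00 10.1.1.5 workdrive.zoho.com 1400
2026-06-10T08:05:00 10.1.1.5 workdrive.zoho.com 1402
2026-06-10T08:10:00 10.1.1.5 workdrive.zoho.com 1398
2026-06-10T08:15:00 10.1.1.5 workdrive.zoho.com 1401
2026-06-10T08:20:00 10.1.1.5 workdrive.zoho.com 1399
2026-06-10T08:02:11 10.1.1.9 workdrive.zoho.com 250000
2026-06-10T11:47:30 10.1.1.9 workdrive.zoho.com 8000
2026-06-10T14:03:05 10.1.1.9 workdrive.zoho.com 91000
"""

def parse(log: str):
    """Yield (timestamp, src_ip, dst_host, bytes) per line."""
    for line in log.splitlines():
        ts, src, dst, nbytes = line.split()
        yield datetime.fromisoformat(ts), src, dst, int(nbytes)

def beacon_score(timestamps):
    """Coefficient of variation of inter-request gaps; near 0 means machine-regular timing."""
    gaps = [(b - a).total_seconds() for a, b in zip(timestamps, timestamps[1:])]
    if len(gaps) < 3 or statistics.mean(gaps) == 0:
        return None
    return statistics.pstdev(gaps) / statistics.mean(gaps)

def find_beacons(log: str, min_requests: int = 4, max_cv: float = 0.2):
    """Return {src_ip: (requests, gap_cv, total_bytes)} for hosts with regular timing."""
    per_host = defaultdict(list)
    for ts, src, dst, nbytes in parse(log):
        if dst in WATCHED_DOMAINS:
            per_host[src].append((ts, nbytes))
    findings = {}
    for src, events in per_host.items():
        events.sort()
        cv = beacon_score([ts for ts, _ in events])
        if len(events) >= min_requests and cv is not None and cv <= max_cv:
            findings[src] = (len(events), round(cv, 3), sum(n for _, n in events))
    return findings

if __name__ == "__main__":
    for src, (n, cv, total) in find_beacons(SAMPLE_LOG).items():
        print(f"{src}: {n} requests, gap CV={cv}, {total} bytes to watched storage")
```

The bursty, large transfers from the second host are not flagged by this timing check; the "unusual data volumes" half of the recommendation needs a separate per-host byte baseline.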
4. SimpleHelp Authentication Bypass Delivers Djinn Cloud-Credential Stealer
Severity: HIGH | Affected: Technology
CVE-2026-48558, a critical authentication bypass vulnerability in SimpleHelp, is being exploited to deliver the Djinn infostealer, which targets cloud and AI development credentials that link development and admin environments to wider enterprise systems [1]. The ability to steal credentials linking dev environments to production infrastructure represents a significant supply-chain and lateral-movement risk.
Sources: [1] Dark Reading
Recommended Action
- Identify and inventory all SimpleHelp instances in your environment; check for patches or vendor guidance on CVE-2026-48558 mitigation.
- Scan endpoints running SimpleHelp for Djinn infostealer signatures; review process execution logs for suspicious activity around SimpleHelp service start time.
- Enforce credential isolation: ensure dev environment credentials cannot access production systems; rotate all API keys and cloud service credentials across dev, staging, and production.
- Monitor for exfiltration of .env files, cloud configuration files, and SSH keys from development systems.
5. Scattered Spider Members Plead Guilty for 2024 Transport for London Attack
Severity: MEDIUM | Affected: Transportation
Two members of the prolific Scattered Spider cybercrime group pleaded guilty in the United Kingdom to criminal charges stemming from an August 2024 cyberattack that crippled Transport for London, the entity responsible for the Greater London public transport network [1]. The guilty pleas represent a legal enforcement milestone but do not address ongoing operational activity by the broader group.
Sources: [1] Krebs on Security
Recommended Action
- Review your organization's prior incident logs for any Scattered Spider indicators of compromise (IOCs); assess exposure timeline and scope.
- Ensure MFA and passwordless authentication are enforced across all remote access points; monitor for anomalous authentication patterns.
- Conduct tabletop exercise simulating ransomware deployment following network compromise; validate incident response procedures and recovery capabilities.
Today’s Action Checklist
- ☐ URGENT: Scan all Oracle PeopleSoft systems for vulnerability; isolate internet-facing instances pending patch availability or vendor guidance.
- ☐ URGENT: Remove any installed Chrome extension matching “Perplexity” or suspicious lookalikes; audit remaining extension permissions.
- ☐ URGENT: Review Zoho WorkDrive access logs and file activity for government, critical infrastructure, and high-value targets; check for data exfiltration.
- ☐ HIGH: Assess SimpleHelp deployment; apply CVE-2026-48558 patch or vendor mitigation upon availability; scan for Djinn infostealer indicators.
- ☐ HIGH: Apply Microsoft Patch Tuesday updates released June 2026, prioritizing critical-rated CVEs in your deployed software portfolio.
- ☐ MEDIUM: Review and rotate cloud and development environment credentials; enforce credential isolation between dev and production.