1. ShinyHunters Exploit Oracle PeopleSoft Zero-Day to Breach Universities (CVE-2026-35273)
A critical, unauthenticated remote code execution flaw (CVSS 9.8) in Oracle PeopleSoft PeopleTools was exploited in the wild as a zero-day between May 27 and June 9, roughly two weeks before Oracle’s out-of-band advisory. Mandiant attributed the campaign to the financially motivated group UNC6240 (ShinyHunters), and Google’s Threat Intelligence Group notified more than 100 organizations, with 68% of victims concentrated in higher education. CISA has since added the flaw to its Known Exploited Vulnerabilities catalog.
Source: The Hacker News — https://thehackernews.com/2026/06/shinyhunters-exploits-oracle-peoplesoft.html
2. France’s Sovereign Messenger Tchap Breached Through a Single Hijacked Account
Attackers used social engineering to hijack a valid user account on Tchap, the French government’s encrypted messaging platform for civil servants, on June 7. Officials confirmed more than 73,000 accounts were affected, while an alleged hacker claimed to have scraped roughly 13.5GB of data including hundreds of thousands of messages and references to documents marked “Diffusion Restreinte.” The incident is a sharp reminder that even sovereign, Matrix-based infrastructure is only as strong as its weakest credential.
Source: BleepingComputer — https://www.bleepingcomputer.com/news/security/french-govt-says-tchap-breach-affected-over-73-000-accounts/
3. Microsoft Patches Roughly 200 Vulnerabilities in June Patch Tuesday
Microsoft’s June 2026 update addressed approximately 200 flaws across its product line, making it one of the heaviest patch cycles of the year. The volume alone underscores the growing attack surface organizations must manage, and security teams should prioritize remotely exploitable and privilege-escalation bugs for immediate deployment.
Source: SecurityWeek — https://www.securityweek.com/microsoft-patches-200-vulnerabilities/
4. Critical Splunk Flaw Allows Unauthenticated File Manipulation (CVE-2026-20253)
Splunk released security updates for a critical vulnerability rated CVSS 9.8 affecting Splunk Enterprise versions below 10.2.4 and 10.0.7. The flaw allows unauthenticated attackers to create or truncate arbitrary files, a serious risk for the very platforms many organizations rely on for security monitoring. Patching should not wait.
Source: The Hacker News — https://thehackernews.com/
5. Unsealed Lawsuit Alleges Chinese Hackers Breached IBM “Routinely” From 2013–2016
A lawsuit unsealed this week alleges that Chinese state-linked hackers repeatedly breached IBM and at least two subsidiaries between 2013 and 2016, and that the company allegedly worked to keep the intrusions quiet. Beyond the historical details, the case raises pointed questions about breach disclosure obligations and corporate accountability that remain very much alive today.
Source: TechCrunch — https://techcrunch.com/2026/06/07/the-worst-hacks-and-breaches-of-2026-so-far/
