2026-06-22
Looking ahead — 2026-W25
notable outlook discovered 2026-06-22 00:15 UTC
A focused, justified list — items already in motion, not predictions.
- RoguePlanet (CVE-2026-50656) has no patch and a PoC that works on June builds — watch MSRC for an out-of-band fix. Microsoft says a fix is "in development" with no timeline; the researcher warns mitigations are not reliable. Decide now whether to hold for July Patch Tuesday or push application allowlisting as an interim control. (MSRC; daily 06-19)
- FortiBleed credential resets are not a one-and-done — expect more named victims and AD-persistence findings. CISA confirmed full AD domain takeover at multiple organisations; finish session termination, credential rotation and PBKDF2 migration, then hunt for post-compromise persistence rather than assuming the reset closed it. (SecurityWeek; daily 06-20)
- ShinyHunters PeopleSoft notifications are still landing — more European victims are likely. Google GTIG has notified 100+ organisations (68% higher education); EU universities are a probable next-named class. Patch internet-reachable PeopleSoft and hunt the /PSEMHUB/ and /PSIGW/HttpListeningConnector paths. (daily 06-16)
- CRA Single Reporting Platform go-live is ~82 days out (11 September). ENISA's access manual and a dry-run window are due now; in-scope manufacturers (including Swiss exporters to the EU) should register and wire the 24/72-hour reporting flow into their PSIRT process before the obligation binds. (ENISA SRP)
- EDPB Article 33 harmonised-template consultation closes 5 August. Multi-jurisdiction breach-response owners have a window to review and comment before the EDPB sets a mandatory-adoption timeline. (EDPB)
- npm v12 will disable install scripts by default — the Mastra compromise is this week's reminder to audit CI before the change. Sapphire Sleet's postinstall dropper is exactly the kill chain that --ignore-scripts / the npm v12 defaults neutralise; inventory pipelines that rely on build scripts now. (Microsoft; daily 06-21)
- France's NIS2 transposition remains unresolved into late 2026. Organisations with French counterparts should track the next parliamentary session; NIS2-derived notification flows from French partners are not yet enforceable. (Viktoria Compliance)
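A starting point for the PeopleSoft hunt in the ShinyHunters item, as an added example that is not part of the original entry and not code from Google GTIG: it parses web-server access logs in Apache/Nginx combined format, flags requests to the two paths named above, and rolls external sources up per client IP. The log lines are constructed for the example; the RFC 1918 "internal" test and the path match are assumptions to tune to your own address plan and PIA layout.

```python
"""Hunt access logs for requests to the PeopleSoft paths named in the post.

Added example, not code from the original entry or from GTIG. Assumes
combined log format; sample lines are constructed.
"""
import ipaddress
import re
from collections import defaultdict

# Paths from the post. Matching is case-insensitive on purpose so that scanner
# probes (e.g. lowercased paths that return 404) are surfaced too (assumption).
WATCH_PATHS = ("/PSEMHUB/", "/PSIGW/HttpListeningConnector")

# Simplified "internal" test: RFC 1918 only (assumption; tune to your network).
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)(?: "(?P<referer>[^"]*)" "(?P<ua>[^"]*)")?'
)

# Constructed sample log (documentation-range addresses; not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [16/Jun/2026:09:12:01 +0000] "POST /PSIGW/HttpListeningConnector HTTP/1.1" 200 512 "-" "python-requests/2.31"
10.20.0.5 - - [16/Jun/2026:09:12:05 +0000] "POST /PSIGW/HttpListeningConnector HTTP/1.1" 200 9811 "-" "Java/17"
198.51.100.23 - - [16/Jun/2026:09:13:44 +0000] "GET /PSEMHUB/hub HTTP/1.1" 200 2033 "-" "curl/8.5.0"
203.0.113.7 - - [16/Jun/2026:09:14:10 +0000] "GET /psp/ps/EMPLOYEE/HRMS/c/HOME HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.9 - - [16/Jun/2026:09:15:00 +0000] "GET /psemhub/ HTTP/1.1" 404 0 "-" "curl/8.5.0"
"""


def parse_line(line):
    """Return the parsed fields of one combined-format line, or None if unparseable."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_watched(path):
    """True if the request path (query string stripped) starts with a watched prefix."""
    bare = path.split("?", 1)[0].lower()
    return any(bare.startswith(w.lower()) for w in WATCH_PATHS)


def is_internal(ip):
    """RFC 1918 check; unparseable addresses are treated as external (conservative)."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in RFC1918)


def hunt(lines):
    """Return every parsed request that touched a watched path, tagged internal/external."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if not rec or not is_watched(rec["path"]):
            continue
        rec["external"] = not is_internal(rec["ip"])
        hits.append(rec)
    return hits


def summarize(hits):
    """Roll external hits up per source IP: request count, distinct paths, user agents, statuses."""
    by_src = defaultdict(lambda: {"requests": 0, "paths": set(), "agents": set(), "statuses": set()})
    for h in hits:
        if not h["external"]:
            continue  # internal integration traffic to PSIGW is expected; keep it out of the lead list
        s = by_src[h["ip"]]
        s["requests"] += 1
        s["paths"].add(h["path"])
        s["agents"].add(h["ua"] or "")
        s["statuses"].add(h["status"])
    return dict(by_src)


if __name__ == "__main__":
    for ip, s in sorted(summarize(hunt(SAMPLE_LOG.splitlines())).items()):
        print(f"{ip}: {s['requests']} request(s) paths={sorted(s['paths'])} "
              f"ua={sorted(s['agents'])} status={sorted(s['statuses'])}")
```

Internal hits are kept in `hunt()` but dropped from the per-source summary, because PSIGW is where legitimate integration traffic lands; the leads are external sources, non-browser user agents and 404 probes against the hub path, which you then pivot on by time window and session.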
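For the npm item, the audit worth doing before the v12 default flips is finding which installed packages actually declare install-time lifecycle scripts, and whether the project already pins ignore-scripts. The following is an added example, not code from the original entry, from Microsoft or from the npm project: it walks a node_modules tree, reports every package with a preinstall/install/postinstall/prepare hook, and checks the project .npmrc. The package tree it scans is constructed in a temporary directory for the example.

```python
"""Audit an installed Node project for packages that declare install lifecycle scripts.

Added example, not code from the original entry, Microsoft or npm. Assumes an
installed node_modules tree (one package.json per package) and an optional .npmrc.
"""
import json
import os
import tempfile

# Hooks that npm runs during `npm install` and that --ignore-scripts suppresses
# (assumption: this is the set a defender cares about; `prepare` also runs for
# git dependencies and the root package).
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Constructed sample tree; package names are made up and not real packages.
SAMPLE_PACKAGES = {
    "package.json": {"name": "demo-app", "version": "1.0.0",
                     "dependencies": {"left-thing": "1.0.0", "sneaky-dep": "0.1.0"}},
    "node_modules/left-thing/package.json": {"name": "left-thing", "version": "1.0.0"},
    "node_modules/sneaky-dep/package.json": {
        "name": "sneaky-dep", "version": "0.1.0",
        "scripts": {"postinstall": "node setup.js", "test": "echo ok"}},
    "node_modules/sneaky-dep/node_modules/nested-build/package.json": {
        "name": "nested-build", "version": "2.0.0",
        "scripts": {"install": "node-gyp rebuild"}},
}


def write_sample_tree():
    """Materialise SAMPLE_PACKAGES under a fresh temp dir and return its path."""
    root = tempfile.mkdtemp(prefix="npm-audit-")
    for rel, body in SAMPLE_PACKAGES.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            json.dump(body, fh)
    return root


def install_hooks(pkg):
    """Return (hook, command) pairs for every install-time script a package.json declares."""
    scripts = pkg.get("scripts") or {}
    return [(hook, scripts[hook]) for hook in INSTALL_HOOKS if hook in scripts]


def audit_tree(root):
    """Walk root (including nested node_modules) and list packages with install hooks.

    Each finding is (name, version, hook, command), sorted for stable output.
    """
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        if "package.json" not in filenames:
            continue
        with open(os.path.join(dirpath, "package.json"), encoding="utf-8") as fh:
            try:
                pkg = json.load(fh)
            except ValueError:
                continue  # malformed manifest; not a package npm would run scripts for
        name = pkg.get("name") or os.path.relpath(dirpath, root)
        for hook, cmd in install_hooks(pkg):
            findings.append((name, pkg.get("version", "?"), hook, cmd))
    return sorted(findings)


def ignore_scripts_set(root):
    """True if the project's .npmrc sets ignore-scripts=true (what the npm v12 default will do)."""
    path = os.path.join(root, ".npmrc")
    if not os.path.exists(path):
        return False
    with open(path, encoding="utf-8") as fh:
        for line in fh:
            key, _, value = line.strip().partition("=")
            if key.strip() == "ignore-scripts" and value.strip().lower() == "true":
                return True
    return False


if __name__ == "__main__":
    root = write_sample_tree()
    print(f"ignore-scripts pinned in .npmrc: {ignore_scripts_set(root)}")
    for name, version, hook, cmd in audit_tree(root):
        print(f"{name}@{version}: {hook} -> {cmd}")
```

Run `audit_tree` against a real checkout after `npm ci`: every line is a package whose install hook your CI currently executes, so it is either a legitimate native build you need to keep working under `--ignore-scripts` (run the build step explicitly) or a candidate for the kind of dropper the item describes.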