
Looking ahead — 2026-W26

notable outlook discovered 2026-06-29 00:21 UTC

Entities: Icarus extortion, ShinyHunters, FortiBleed

Part of run 2026-W26-b78503e7 (weekly · Anthropic Claude (specific model not determined))

A focused, justified list — items already in motion, not predictions.

  • ShinyHunters PeopleSoft notifications are still landing — expect more named European education and public-finance victims. GTIG has notified ~100 organisations (68% higher education) and NAIC is the fresh high-profile case; patch internet-reachable PeopleSoft and hunt /PSEMHUB/ and /PSIGW/HttpListeningConnector. (Google GTIG; daily 06-28)
  • FortiBleed is not a one-and-done credential reset — full AD domain takeover is now confirmed at a NATO-aligned contractor. Finish session termination and credential rotation, then hunt for post-compromise AD persistence (Kerberos abuse, DCSync, DFS-backup exfiltration) rather than assuming the reset closed it. (CISA; daily 06-24)
  • The Klue/Icarus extortion surface is multiplying after the "resolution" — a second group is now extorting ~195 listed organisations. Any firm with a Klue/Salesforce integration should expect renewed extortion contact regardless of Icarus's stated data deletion; complete OAuth-grant revocation and CRM-egress monitoring. (SecurityWeek; daily 06-27)
  • CRA Single Reporting Platform go-live is ~75 days out (11 September); ENISA's dry-run schedule is due now. In-scope manufacturers — including Swiss exporters to the EU — should register and wire the 24/72-hour reporting flow into their PSIRT process before the obligation binds. (ENISA SRP)
  • EDPB Article 33 harmonised breach-notification template consultation closes 5 August. Still open with no in-window change; multi-jurisdiction breach-response owners have a closing window to comment before the EDPB sets a mandatory-adoption timeline. (EDPB)
  • npm v12 will disable install scripts by default — the week's Miasma worm wave is the reminder to audit CI now. Miasma's postinstall-and-SessionStart-hook propagation is exactly the kill chain --ignore-scripts / npm v12 defaults neutralise; inventory pipelines and AI-coding-tool hook configs that rely on build scripts. (Socket; daily 06-27)
  • libssh2 CVE-2026-55200 has a public PoC and an upstream fix commit, but tagged releases lag across the binding ecosystem — track the embedded-dependency fix pipeline. Inventory appliances, tooling and language bindings that ship libssh2 and chase each vendor's release rather than assuming a single library bump closes it. (NCSC-NL; daily 06-28)
  • Scattered Spider TfL sentencing is set for 16 July. First UK court outcome on the campaign; the vishing/social-engineering TTP precedent is directly relevant to European transport and public-sector identity-desk hardening. (UK NCA; daily 06-23)
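The PeopleSoft item above tells defenders to hunt for requests to /PSEMHUB/ and /PSIGW/HttpListeningConnector. As an added example (not part of the ctipilot brief or of GTIG's guidance), the Python below runs that hunt over a few constructed combined-format access-log lines: it flags any request to either path that does not originate from an allow-listed integration-broker subnet, matches case-insensitively, and keeps 404 probes because a failed probe is still reconnaissance worth seeing. The 10.20.30.0/24 trusted range, the IP addresses and the log lines are all constructed for the example.

```python
"""Hunt web access logs for requests to the PeopleSoft paths named in the brief."""
import ipaddress
import re
from collections import Counter

# Combined log format: ip ident user [ts] "METHOD path HTTP/x" status bytes "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

# Paths named in the brief; compared case-insensitively because front-end tiers
# and some scanners fold case.
WATCH_PATHS = ("/PSEMHUB/", "/PSIGW/HttpListeningConnector")

# Constructed: the only network expected to call the Integration Gateway listener
# (e.g. peer PeopleSoft nodes). Everything else talking to it is a finding.
TRUSTED_NETS = [ipaddress.ip_network("10.20.30.0/24")]

# Constructed sample traffic: one normal portal hit, two external requests to the
# watched paths, one trusted-peer call and one lower-cased 404 probe.
SAMPLE_LOG = """\
10.20.30.5 - - [28/Jun/2026:09:14:02 +0000] "GET /psp/ps/EMPLOYEE/HRMS/h/?tab=DEFAULT HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.44 - - [28/Jun/2026:09:15:11 +0000] "GET /PSEMHUB/hub HTTP/1.1" 200 412 "-" "python-requests/2.31"
203.0.113.44 - - [28/Jun/2026:09:15:13 +0000] "POST /PSIGW/HttpListeningConnector HTTP/1.1" 200 0 "-" "python-requests/2.31"
10.20.30.7 - - [28/Jun/2026:09:16:40 +0000] "POST /PSIGW/HttpListeningConnector HTTP/1.1" 200 0 "-" "Java/1.8"
198.51.100.9 - - [28/Jun/2026:09:17:02 +0000] "GET /psigw/httplisteningconnector?x=1 HTTP/1.1" 404 0 "-" "curl/8.0"
"""


def is_trusted(ip: str) -> bool:
    """True when the source address sits inside an allow-listed integration network."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in TRUSTED_NETS)


def hunt(lines):
    """Return one finding per request to a watched path from an untrusted source."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not combined format; skip rather than guess
        path = m["path"].lower()
        hit = next((w for w in WATCH_PATHS if path.startswith(w.lower())), None)
        if hit is None or is_trusted(m["ip"]):
            continue
        findings.append({
            "ip": m["ip"], "method": m["method"], "path": m["path"],
            "status": int(m["status"]), "ua": m["ua"], "watch": hit,
        })
    return findings


def summarize(findings):
    """Count findings per source IP so repeat callers surface first."""
    return Counter(f["ip"] for f in findings)


if __name__ == "__main__":
    found = hunt(SAMPLE_LOG.splitlines())
    for f in found:
        print(f"{f['ip']:15} {f['method']:4} {f['status']} {f['path']}  ua={f['ua']}")
    print("per-IP:", dict(summarize(found)))
```

Run it against real front-end or reverse-proxy logs by replacing SAMPLE_LOG with the file contents; the trusted-network list should mirror whatever your Integration Broker topology actually is, and an empty list is the right default if you do not know.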
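The npm item above asks teams to inventory pipelines and AI-coding-tool hook configs that depend on install scripts before the npm v12 default lands. The Python below is an added example, not code from ctipilot or from Socket: it walks a source tree, lists every package.json lifecycle script that --ignore-scripts would suppress (plus prepare, which is the usual build-step dependency), reports whether the project's .npmrc already sets ignore-scripts=true, and checks for a SessionStart hook in a .claude/settings.json. The .claude path and hooks layout are an assumption about one tool's config format; other assistants keep their hooks elsewhere. The fixture tree it builds is constructed for the example.

```python
"""Inventory npm lifecycle scripts and editor session hooks before install scripts go dark."""
import json
import tempfile
from pathlib import Path

# npm runs these automatically during install; preinstall/install/postinstall are what
# --ignore-scripts (and the npm v12 default mentioned in the brief) suppress, and
# prepare is the hook most build pipelines actually depend on.
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Assumption: Claude Code reads hooks from these files under a "hooks" key keyed by
# event name; adjust for whichever AI coding tool your developers use.
HOOK_CONFIG_FILES = (".claude/settings.json", ".claude/settings.local.json")


def _load_json(path: Path):
    try:
        return json.loads(path.read_text(encoding="utf-8"))
    except (OSError, ValueError):
        return None


def find_install_scripts(root):
    """Return (package.json path, hook, command) for every lifecycle script in the tree."""
    root = Path(root)
    hits = []
    for pkg in sorted(root.rglob("package.json")):
        data = _load_json(pkg)
        scripts = (data or {}).get("scripts") or {}
        for hook in INSTALL_HOOKS:
            if hook in scripts:
                hits.append((pkg.relative_to(root).as_posix(), hook, scripts[hook]))
    return hits


def find_session_hooks(root):
    """Return (config path, hook entries) for any SessionStart hook the tool would run."""
    hits = []
    for rel in HOOK_CONFIG_FILES:
        data = _load_json(Path(root) / rel)
        entries = ((data or {}).get("hooks") or {}).get("SessionStart")
        if entries:
            hits.append((rel, entries))
    return hits


def npmrc_ignores_scripts(root):
    """True only when the project-level .npmrc explicitly sets ignore-scripts=true."""
    npmrc = Path(root) / ".npmrc"
    if not npmrc.is_file():
        return False
    for line in npmrc.read_text(encoding="utf-8").splitlines():
        key, _, value = line.strip().partition("=")
        if key.strip() == "ignore-scripts" and value.strip().lower() == "true":
            return True
    return False


def build_sample_tree():
    """Constructed fixture: an app with its own postinstall, one clean dependency,
    one dependency with a preinstall script, a SessionStart hook, and a weak .npmrc."""
    root = Path(tempfile.mkdtemp(prefix="npm-audit-"))

    def write(rel, obj):
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text(json.dumps(obj, indent=2), encoding="utf-8")

    write("package.json", {"name": "app", "scripts": {"build": "tsc", "postinstall": "node scripts/patch.js"}})
    write("node_modules/left-pad/package.json", {"name": "left-pad", "version": "1.0.0"})
    write("node_modules/some-dep/package.json", {"name": "some-dep", "scripts": {"preinstall": "node setup.js"}})
    write(".claude/settings.json", {"hooks": {"SessionStart": [
        {"hooks": [{"type": "command", "command": "node .hooks/start.js"}]}]}})
    (root / ".npmrc").write_text("ignore-scripts=false\n", encoding="utf-8")  # weak setting
    return root


if __name__ == "__main__":
    project = build_sample_tree()
    for path, hook, cmd in find_install_scripts(project):
        print(f"{path}: {hook} -> {cmd}")
    for path, entries in find_session_hooks(project):
        print(f"{path}: SessionStart -> {json.dumps(entries)}")
    print("ignore-scripts enforced:", npmrc_ignores_scripts(project))
```

Point find_install_scripts at a checked-out repository (including node_modules after a normal install) to see exactly which packages will stop working under ignore-scripts; anything on that list that is a legitimate build step needs an explicit script invocation in CI, and anything that is not needs a look. The hardened .npmrc is simply ignore-scripts=true in place of the false shown in the fixture.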