ShinyHunters Targets Kodak, Operation Endgame Success, One Medical Breach – Cybersecurity News [June 15, 2026]
Quick Answer
What were the biggest cybersecurity stories of June 15, 2026? Key events included ShinyHunters' threats against Kodak and One Medical, Operation Endgame's SocGholish takedown, Fortinet compromises, and critical vulnerabilities affecting Microsoft, Apple, Joomla, and WordPress.
Here’s your weekly roundup of the most important cybersecurity stories from the past week, highlighting data breaches, threat actor activity, newly discovered vulnerabilities, and major law enforcement actions shaping the cybersecurity landscape.
ShinyHunters Threatens Kodak with Data Leak of 2.2 Million Records
Kodak confirmed a data breach after ShinyHunters claimed it stole over 2.2 million records and threatened a major data leak by June 18, 2026. Kodak said an outside party gained temporary access to a limited amount of information. The company has engaged cybersecurity experts and law enforcement while maintaining that its operations remain unaffected. The group has been linked to breaches at numerous organizations this year and claims to have attacked hundreds of Salesforce customers, stealing more than 1.5 billion records through Salesforce Aura and Salesloft Drift campaigns. Kodak customers and business partners face elevated risks of phishing and business email compromise from any stolen data. Organizations should strengthen email authentication to reduce the risk of spoofed messages. DMARC combines SPF and DKIM to prevent domain spoofing and improve email security.
Operation Endgame Takes Down SocGholish Botnet“ 15,000 Infected Websites Cleaned
On June 18, 2026, international law enforcement agencies including the Netherlands National High-Tech Crime Unit, the Royal Canadian Mounted Police, the US FBI, and Germany’s Federal Criminal Police Office, with support from Europol, announced the successful disruption of TA569, the group responsible for the SocGholish malware framework. Law enforcement took down over 106 C2 servers and cleaned nearly 15,000 infected websites. SocGholish, also known as FakeUpdates, has been active since at least 2017 and is best known for abusing hacked WordPress sites to push fake browser updates to unsuspecting visitors, which open backdoors used by ransomware groups. This is considered one of the most impactful crackdowns in the ongoing Operation Endgame campaign.

ShinyHunters Sets Deadline for Amazon’s One Medical“ 8.8TB of Data at Stake
Extortion group ShinyHunters claims it stole 8.8TB of data from One Medical, a healthcare network serving more than 830,000 patients across over 250 clinics in the US. The group posted the claim on its dark web leak site and issued a “final warning,” giving One Medical until June 22nd to begin negotiations before allegedly publishing the stolen information. ShinyHunters has expanded its leak infrastructure and vowed stolen data will stay online forever. Researchers from Cato Networks note the group has evolved beyond a single hacking crew into a cybercrime brand capable of “surviving arrests, infrastructure seizures, and operator turnover.” If the claim is confirmed, the exposed information could include highly sensitive medical records and PII, a gold mine for identity thieves. CybernewsCybernews
FortiBleed: Russian-Speaking Threat Actors Compromise 86,644 Fortinet Devices
CISA urged Fortinet customers with FortiGate appliances to secure their devices against an ongoing malicious campaign believed to be the work of Russian-speaking threat actors, codenamed “FortiBleed.” The number of compromised devices stood at 86,644 as of June 19, 2026. According to SOCRadar, generic admin accounts (35%) and built-in Fortinet system accounts (28.3%) together make up the majority of compromised credentials. SOCRadar noted this “points directly to a widespread failure to rename default accounts or rotate factory credentials, giving the attacker a highly reliable target list before any brute force was even needed.” Organizations running FortiGate firewalls should immediately audit their credential hygiene.
Microsoft Defender RoguePlanet Zero-Day Grants Attackers Full PC Control
Microsoft formally disclosed that it is working on a patch to address a Defender zero-day codenamed “RoguePlanet.” The vulnerability has been assigned CVE-2026-50656 with a CVSS score of 7.8 and is described as a privilege escalation flaw in the Microsoft Malware Protection Engine. No patch was available at the time of disclosure, leaving Windows users relying on Defender at potential risk until a fix is released. This is particularly alarming given how ubiquitous Microsoft Defender is as the default antivirus solution across enterprise and consumer environments. Western Illinois University

Apple Patches Beats Studio Buds Flaw That Could Turn Earbuds into a Wiretap
Apple shipped firmware update 1B211 for Beats Studio Buds on June 16, 2026, patching CVE-2025-20701, a high-severity Bluetooth vulnerability rooted in Airoha’s unauthenticated RACE debug protocol. The flaw affects approximately 29 products from 10 brands including Sony, Bose, JBL, and Marshall. The vulnerability allows an attacker within Bluetooth range to potentially listen through a device’s microphone before it is paired. Apple’s advisory notes the flaw was rooted in open source code and that Apple software was among the affected projects. Users can confirm their firmware version by checking Settings’ Bluetooth’ tapping the info icon next to their Beats Studio Buds.
Novo Nordisk (Ozempic Maker) Discloses Breach of Clinical Trial Data
Pharmaceutical giant Novo Nordisk disclosed a cybersecurity incident involving unauthorized access to a limited number of internal IT systems, including ones that stored personal data related to patients participating in some of its clinical trials. The company stated the information is not directly linked to patients by name, but accessing underlying records could allow identification. Dark Reading noted the Novo Nordisk breach exposes significant software development pipeline risk, raising wider concerns about how pharmaceutical companies protect sensitive research and patient data in their development environments.
Joomla JCE Critical Flaw (CVSS 10.0) Added to CISA’s Known Exploited Vulnerabilities
CISA added a maximum-severity flaw impacting Widget Factory Joomla Content Editor (JCE) to its Known Exploited Vulnerabilities catalog on June 17, 2026. Tracked as CVE-2026-48907 with a CVSS score of 10.0, the flaw is an improper access control vulnerability that allows unauthenticated users to upload and execute arbitrary PHP code by creating new editor profiles. Federal civilian agencies were directed to apply mitigations in accordance with vendor instructions. Any organization running Joomla with the JCE editor plugin should apply the available patch immediately given active exploitation is confirmed.
145 Mastra npm Packages Compromised in Supply Chain Attack
As many as 145 npm packages associated with the Mastra namespace, a popular open-source JavaScript and TypeScript framework for building AI applications, were compromised as part of a software supply chain attack codenamed “easy-day-js.” A single npm account was hijacked, allowing malicious code to be injected across all associated packages. On June 17th, an attacker compromised 141 Mastra npm packages, infecting them with malware. This incident underscores the growing risk of single-point-of-failure vulnerabilities in widely used open-source AI development frameworks. Western Illinois UniversityCybernews
INC Ransomware Thrives in 2026, Claims 830+ Victims
Cybersecurity researchers charted the evolution of INC from a nascent ransomware-as-a-service operation to one of the most prolific cybercrime groups of 2026, claiming no fewer than 830 victims since August 2023. The disruption of LockBit and the shutdown of BlackCat created opportunities for INC to expand as affiliates migrated. US organizations account for more than 65% of listed victims, with legal services, manufacturing, construction, technology, and healthcare among the most targeted sectors. INC’s Windows and Linux/ESXi encryptors have also been rewritten in Rust to better resist reverse engineering efforts, making detection and defense significantly harder.

Microsoft AutoJack Exploit Turns AI Browsing Agent into Remote Code Execution Vehicle
Microsoft researchers detailed an exploit chain named AutoJack that turns an AI browsing agent into a delivery vehicle for remote code execution. Steering the agent to load an attacker’s web page allows that page’s JavaScript to reach a privileged local service on the same machine and spawn a process on the host” with no credentials, no sign-in screen, and no further user interaction once the agent loads the page. The flaw resides in AutoGen Studio, Microsoft Research’s open-source prototyping interface for multi-agent AI frameworks. This discovery highlights a new and growing attack surface created by agentic AI deployments.
Apple iPhone XS, XR, and iPhone 11 Hit by Critical Unfixable BootROM Exploit
Security researchers at Paradigm Shift published a working exploit dubbed “usbliter8” that achieves arbitrary code execution inside the SecureROM of Apple’s A12 and A13 chips ” code burned into the silicon at manufacture that no software update can reach. Affected devices will carry this flaw for as long as they stay in use. The exploit is not remote” it requires physical possession of the device in DFU mode connected via USB to a dedicated microcontroller board, and finishes in under two seconds before Apple’s signed boot chain loads. The full technical write-up and working proof of concept went public on June 18, 2026. While the physical requirement limits mass exploitation, it poses real risks for high-value targets such as journalists and activists.
ClickFix Campaigns Surge with Three New Malware Loaders
Cybersecurity researchers flagged multiple ClickFix campaigns delivering three malware loaders called BabaDeda Loader, Lorem Ipsum Loader, and Potemkin. Attacks involving BabaDeda Loader, observed in April 2026, have targeted education and financial organizations. ClickFix attacks typically trick users into manually executing malicious commands by presenting fake error messages or CAPTCHA challenges. The emergence of three distinct loaders deployed simultaneously suggests a well-resourced threat actor diversifying delivery mechanisms to evade detection across different security environments.
FIFA World Cup Streaming Bug Exposed to Remote Takeover
A FIFA bug was discovered that exposes World Cup streams to remote takeover, according to a report published by Dark Reading on June 18, 2026. With the global audience tuning in to one of the world’s most-watched sporting events, this vulnerability represented a high-profile and high-impact target for threat actors seeking disruption, misinformation distribution, or financial gain through fraudulent streaming platforms. The incident is a timely reminder that major live events create concentrated cybersecurity risks across broadcast and digital infrastructure.
Gravity SMTP WordPress Plugin Vulnerability Exposes API Keys on 100,000 Sites
Threat actors began exploiting a recently patched flaw in Gravity SMTP, a WordPress plugin installed on about 100,000 sites. The vulnerability, tracked as CVE-2026-4020 with a CVSS score of 5.3, is a medium-severity information disclosure flaw that allows unauthenticated attackers to extract sensitive configuration data, API keys, secrets, and OAuth tokens configured for the plugin’s email integrations through an exposed and unprotected REST API endpoint. Website owners running this plugin should update to the latest version immediately and audit their email integration secrets for any potential compromise.

China-Linked UNC6508 Targets Servers for Backdoor Deployment
Servers are being regularly targeted by China-linked threat group UNC6508 for initial access and backdoor deployment, according to SecurityWeek reporting on June 18, 2026. UNC6508’s activity is part of a broader pattern of Chinese state-linked cyber-espionage campaigns targeting enterprise infrastructure to establish persistent long-term footholds. Organizations running exposed server infrastructure should prioritize patching and implement strict network segmentation and monitoring to detect lateral movement early.
New Android Trojan Rokarolla Targets 217 Banking and Crypto Apps
Security researchers at Zimperium’s zLabs documented a new Android banking trojan called Rokarolla that targets 217 banking and cryptocurrency apps and packs 137 remote commands. Together, they give an operator near-total control of an infected phone: it lifts lock-screen PINs, reads and sends SMS, rewrites the clipboard to redirect crypto payments, and switches off Google Play Protect. The malware represents a significant threat to mobile banking users, especially given its ability to silently intercept two-factor authentication messages and reroute cryptocurrency transactions without the user’s knowledge.
General Manager
General Manager at DuoCircle. Product strategy and commercial lead across the email security portfolio.
Secure your email infrastructure
Protect, authenticate, and deliver. Contact our team to find the right solution.