PurpleOps @PurpleOps_io
1.9K posts

Ransomware tracker. Dark web + Telegram monitoring. Threat actor profiles. Breach intel. 24/7 automated threat triage. CTI for security teams.

Joined December 2023
40 Following, 597 Followers

Pinned tweet
PurpleOps @PurpleOps_io
If you defend a network, your day starts with noise: leak-site dumps, fresh exploits, threat-actor chatter. We cut it to the few moves that actually matter, with the operational context to act on them, ahead of the news cycle. Follow for the signal.

PurpleOps @PurpleOps_io
ClickFix keeps working because it hijacks a habit users already have - click to prove you are human. No detection rule fixes a person pasting a command they were told to paste. The durable controls are process, not signature: standard users do not need Win+R, and powershell.exe spawned by explorer.exe right after a clipboard copy is a clean EDR trigger. Kill the paste-to-run path and the lure has nowhere to land.
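The explorer.exe to powershell.exe trigger from the post above, as an added detection sketch (not PurpleOps' code): it runs over constructed Sysmon-style events and assumes clipboard-change telemetry (Sysmon Event ID 24, present only when the config enables it) alongside ProcessCreate events (ID 1); the field names are this example's own, not a vendor schema.

```python
from datetime import datetime

# Constructed Sysmon-style events (not real logs): ID 24 = ClipboardChange,
# ID 1 = ProcessCreate. Field names are this example's own.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
EXPLORER = r"C:\Windows\explorer.exe"
EVENTS = [
    {"ts": "2026-06-12T09:00:00", "id": 24, "image": EXPLORER},
    {"ts": "2026-06-12T09:00:04", "id": 1, "image": PS, "parent": EXPLORER,
     "user": "CORP\\alice"},                         # pasted into Win+R seconds after the copy
    {"ts": "2026-06-12T10:15:00", "id": 1, "image": PS,
     "parent": r"C:\Program Files\Microsoft VS Code\Code.exe",
     "user": "CORP\\bob"},                           # IDE-launched shell, benign noise
    {"ts": "2026-06-12T11:30:00", "id": 24, "image": EXPLORER},
    {"ts": "2026-06-12T11:45:00", "id": 1, "image": PS, "parent": EXPLORER,
     "user": "CORP\\carol"},                         # explorer parent, but 15 minutes after the copy
]
SHELLS = {"powershell.exe", "pwsh.exe"}


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def find_paste_to_run(events, window_s: int = 30):
    """Return ProcessCreate events where explorer.exe spawned a shell within
    `window_s` seconds of the most recent clipboard change: the paste-to-run signal."""
    hits, last_clip = [], None
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        if ev["id"] == 24:
            last_clip = ts
        elif (ev["id"] == 1
              and basename(ev["image"]) in SHELLS
              and basename(ev.get("parent", "")) == "explorer.exe"
              and last_clip is not None
              and (ts - last_clip).total_seconds() <= window_s):
            hits.append(ev)
    return hits
```

Widening the window trades precision for recall; the third event shows why the tight default matters.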

The Hacker News @TheHackersNews
> fake security check > copied PowerShell command > then the malware starts

Researchers say ClickFix attacks are now delivering BabaDeda, Lorem Ipsum, and Potemkin loaders to deploy stealers, RATs, and #ransomware-linked payloads. You think they’re fixing a problem... but you're running the attack. Read the full story ➝ thehackernews.com/2026/06/clickf…

PurpleOps @PurpleOps_io
We flagged Mackay on The Gentlemen's leak site yesterday, part of a 10-victim burst. The mill shutdown is the operational half a leak-site listing never shows: the data post is the threat, the stopped mills are the pressure that makes a victim pay. For a sugar producer, downtime during processing is the whole negotiation.

PurpleOps @PurpleOps_io
Scattered Lapsus$ Hunters is working through higher education now: it listed four US colleges overnight - Illinois Central, Moody Bible Institute, Glendale Community College and Houston Community College - days after adding Sysco and Kodak. Student and staff records are the draw, the same higher-ed targeting we saw in the ShinyHunters PeopleSoft campaign. Claim only, nothing published yet.

PurpleOps @PurpleOps_io
Scattered Lapsus$ Hunters just listed its largest target yet: Sysco, the world's biggest food distributor at $83B revenue, alongside Kodak and Houston Community College. SLSH's US-heavy extortion run, already through Charter, Nexstar and Ralph Lauren this month, is now reaching Fortune 500 scale. Sysco has drawn ransomware claims before, so treat attribution with care - this listing is unconfirmed and nothing is published yet.

PurpleOps @PurpleOps_io
The Gentlemen dumped 10 victims on its leak site inside half an hour, and the standout is a national government - Croatia's Ministry of Health. The rest span six countries: an Australian sugar producer with around $300M revenue, US medical and contracting firms, a German tax advisory, a Thai electronics maker. A wide, fast burst from a crew that was already last week's second-most-active group. Nothing published yet, claim only.

PurpleOps @PurpleOps_io
A remote-support tool that trusts any login token it is handed is a skeleton key to every machine it manages. SimpleHelp's OIDC bypass (CVE-2026-48558, CVSS 10.0) accepts identity tokens without checking their signature, so an attacker forges a technician session and walks straight past MFA. Actively exploited, roughly 14,000 instances exposed online. Patch is out, apply it now.
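An added illustration of the bug class named above (an identity token accepted without its signature being checked); it is not SimpleHelp's code and says nothing about SimpleHelp internals. HS256 with a shared secret is assumed so it runs on the standard library alone; a real OIDC relying party verifies RS256/ES256 against the provider's JWKS, but the order of checks (pin the algorithm, verify the signature, then validate the claims) is the same.

```python
import base64, hashlib, hmac, json


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_token(claims: dict, secret: bytes) -> str:
    """Issue an HS256 token (demo only; real OIDC ID tokens are RS256/ES256)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"


def decode_unverified(token: str) -> dict:
    """Vulnerable pattern: trust the payload and never look at the signature."""
    return json.loads(_unb64url(token.split(".")[1]))


def decode_verified(token: str, secret: bytes, issuer: str, audience: str, now: int) -> dict:
    """Hardened pattern: pin the algorithm, check the MAC, then check the claims."""
    header_b64, body_b64, sig_b64 = token.split(".")
    if json.loads(_unb64url(header_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")          # rejects alg=none and alg confusion
    expected = hmac.new(secret, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64url(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_unb64url(body_b64))
    if claims.get("iss") != issuer or claims.get("aud") != audience:
        raise ValueError("wrong issuer or audience")
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    return claims


def tampered_copy(token: str, **changes) -> str:
    """Constructed test fixture: edited claims under the old signature, the case an
    unverified decoder cannot distinguish from a genuine token."""
    header_b64, body_b64, sig_b64 = token.split(".")
    claims = json.loads(_unb64url(body_b64))
    claims.update(changes)
    return f"{header_b64}.{_b64url(json.dumps(claims).encode())}.{sig_b64}"


# Constructed demo values (placeholders, not a real IdP or application).
SECRET = b"constructed-demo-secret"
ISSUER, AUDIENCE, NOW = "https://idp.example", "remote-support-app", 1_800_000_000
GENUINE = sign_token({"sub": "alice", "role": "user", "iss": ISSUER,
                      "aud": AUDIENCE, "exp": NOW + 3600}, SECRET)
```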

PurpleOps @PurpleOps_io
LockBit just listed Eternal Beauty Holdings, the largest perfume retailer in China, Hong Kong and Macau and the distributor behind 70+ luxury brands including Hermes and Chopard (FY2025 revenue CNY 2.08B). Notable for one reason: this is the brand that survived Operation Cronos. Eighteen months after the takedown, LockBit 5.0 is still landing marquee names. Deadline set for 21 June, nothing published yet.

PurpleOps @PurpleOps_io
Scattered Lapsus$ Hunters - 11 victims claimed in 30 days, 10 in the US. The full board, tracked as it happened.

PurpleOps @PurpleOps_io
Splunk's new pre-auth RCE never touches the app login - it walks in through the database. CVE-2026-20253 (9.8): an unauthenticated PostgreSQL sidecar endpoint accepts a database name that can secretly be a full connection string. Inject hostaddr, point pg_restore at an attacker-controlled DB, and malicious SQL writes a Python file into the Splunk app directory - code execution as the splunk user. Default-exploitable on AWS, and watchTowr published a working PoC.
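An added input check for the pattern in the post above (a database-name parameter that libpq would happily parse as a full connection string); it is not Splunk's code, and the parameter name and the list of sensitive keys are assumptions.

```python
import re
from urllib.parse import urlsplit

# A bare PostgreSQL identifier: the only shape a database-name parameter should take.
IDENT = re.compile(r"^[A-Za-z_][A-Za-z0-9_]{0,62}$")
# libpq keys whose presence means the value would redirect or re-authenticate the connection.
SENSITIVE = {"host", "hostaddr", "port", "user", "password", "sslmode", "options", "service"}


def conninfo_keys(value: str) -> set:
    """Return the libpq connection-string keys `value` would be parsed as.
    Handles both forms libpq accepts: 'key=value key=value' and postgresql:// URIs."""
    if value.startswith(("postgresql://", "postgres://")):
        parts = urlsplit(value)
        keys = set()
        if parts.hostname:
            keys.add("host")
        if parts.username:
            keys.add("user")
        keys |= {p.split("=", 1)[0] for p in parts.query.split("&") if "=" in p}
        return keys
    return {tok.split("=", 1)[0].strip() for tok in value.split() if "=" in tok}


def validate_dbname(value: str) -> str:
    """Accept only a bare identifier; reject anything libpq could read as a connection
    string, naming the dangerous keys so the rejection can be logged and alerted on."""
    if IDENT.match(value):
        return value
    dangerous = sorted(conninfo_keys(value) & SENSITIVE)
    if dangerous:
        raise ValueError(f"dbname rejected: connection-string keys {dangerous}")
    raise ValueError("dbname rejected: not a plain identifier")
```

The allow-list check alone is the fix; the key parser exists so the rejection log says why, which is what a detection engineer wants to see.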

PurpleOps @PurpleOps_io
Update on the ShadowByt3$ Nintendo listing: analysis of the published sample points away from Nintendo infrastructure. The data appears to come from a Nintendo USA tenant on TINYpulse, the employee-feedback platform now under WebMD Health Services. Employee survey responses and engagement comments - sensitive for the people in them, but the scope is a third-party SaaS tenant, not Nintendo's network. Exactly why a listing is not a breach until the data says so.

PurpleOps @PurpleOps_io
ShadowByt3$ claims Nintendo - fresh leak-site listing plus a forum extortion thread today. Before this spreads, the group's record:
- serial unverified mega-claims since Oct 2025: Starbucks, Univ of Georgia, Syngenta, Stride
- dead download links on past leaks
- BTC wallet with no real payments
- basic Go encryptor, no anti-debug, no lateral movement
Nintendo's only confirmed incident is Crimson Collective, Oct 2025, minor per the company. Until samples land, this is a listing, not a breach.

PurpleOps @PurpleOps_io
DragonForce listed 6 victims in one burst today - every single one in the Gulf or Hong Kong. Claimed on the leak site:
- Corniche Hotel Abu Dhabi - 130GB
- Cheoy Lee Shipyards, HK - 63GB, a 150-year-old shipbuilder
- The DRM, Bahrain - 51GB
- Al Ishrak Contracting, UAE - 43GB
- Al Shafar GRC, UAE
- A. Liberty Engineering, HK
Same day, the site opened public registration to its RaaS affiliate program. Nothing victim-confirmed yet, but that regional clustering is not random.

PurpleOps @PurpleOps_io
Scattered Lapsus$ Hunters just listed the NY Knicks' parent, JCPenney, American Tower, and a fiber backbone operator - 4 claims in about an hour. Today's listings:
- Madison Square Garden Sports (Knicks, Rangers)
- JCPenney + Catalyst Brands subs - Aeropostale, Brooks Brothers, Eddie Bauer (1,800 stores, 60M customers claimed)
- American Tower
- Zayo + Allstream
Already on the board:
- Nexstar - claims 1M+ Salesforce records, 14 Jun deadline
- Ralph Lauren - claims 220GB+, 14 Jun deadline
- Charter, BCD Travel, Baker Distributing, Nottingham Uni
Our 30-day tally: 11 victims, 10 US.

PurpleOps @PurpleOps_io
ShinyHunters turned a single PeopleSoft endpoint into a university extortion run: CVE-2026-35273, a 9.8 unauth RCE in the Environment Management Hub, exploited before Oracle's June 10 advisory. Student finance data is already on their leak site. Full breakdown of the kill chain and the PSEMHUB mitigations on the blog.

PurpleOps @PurpleOps_io
The headline buries the actor: this is ShinyHunters exploiting CVE-2026-35273, a 9.8 unauth RCE in PeopleSoft's Environment Management Hub, as a zero-day before Oracle's June 10 advisory. Education sector hit, student finance data already on their leak site. If you run PeopleSoft: disable PSEMHUB and inspect web-tier JSP files now.

PurpleOps @PurpleOps_io
SLSH has added Ralph Lauren to its leak site, claiming more than 220GB including customer PII, purchase and transaction data, and unreleased product material dated 2027 and beyond. The roadmap-leak angle is unusual for a fashion brand. Final warning with a 14 June deadline, nothing published yet.

PurpleOps @PurpleOps_io
SLSH has listed Nexstar on its leak site, claiming over a million Salesforce records and internal corporate data from the largest local-TV operator in the US. It is the same Salesforce data-theft thread running through the group's recent targets, Charter, BCD Travel and Cushman among them. A final warning with a 14 June deadline, no data published yet.