Cyware Daily Threat Intelligence - June 19, 2026

Attackers are turning everyday workflows into high-stakes security risks, as seen in the latest spear-phishing campaign that leverages healthcare-themed lures to breach Thailand’s medical sector. Cyware highlights how a single malicious attachment can trigger a chain of PowerShell scripts and Python stealers, with evidence of local staging and a campaign window stretching from April to June 2026.
A single overlooked bug can expose sensitive data at scale, as demonstrated by the Squid Proxy vulnerability that leaks passwords and API keys through a heap buffer overread. With over 100 organizations targeted in a stealthy Oracle PeopleSoft attack and Splunk servers already compromised in the wild, defenders face urgent patching decisions to protect business-critical infrastructure.
Supply chain attacks are reshaping the threat landscape, with groups like Icarus and TeamPCP exploiting OAuth tokens and poisoning open-source pipelines to steal data and undermine trust. Thousands of e-commerce sites and over 1,000 software packages have been compromised, forcing organizations to rethink how they monitor third-party integrations and respond to extortion.
Top Malware Reported in the Last 24 Hours
Spear-phishers hit Thailand healthcare with stealers
A spear-phishing campaign targeting Thailand’s healthcare sector uses healthcare-themed lures disguised as official medical equipment approval paperwork. The campaign relies on a RAR-to-batch-to-payload chain, where an obfuscated batch script triggers PowerShell commands to download and execute additional stages, including a persistence script named WindowSecuryt.bat and a Python information stealer called sim[.]py. The stealer harvests credentials and session cookies, exfiltrates data via Telegram, and disrupts users by terminating browsers to access stored data. Infection occurs through document-themed phishing emails, with the payload chain staged locally in Thailand. The campaign ran from April 7, 2026, to June 3, 2026, with Seqrite confirming in-country infrastructure and sample uploads.
OXLOADER malvertising pushes CASTLESTEALER in US
OXLOADER is a newly identified malware loader that delivers the CASTLESTEALER infostealer through malicious Google Ads impersonating Node.js. OXLOADER uses a redirect chain leading to a Storj-hosted batch script that downloads and runs the loader. OXLOADER employs heavy obfuscation, including control-flow flattening, mixed Boolean-arithmetic (MBA) expressions, and opaque predicates, and implements anti-VM checks such as emulation detection, CPU count, RAM size, display refresh rate, and geographic region validation. OXLOADER avoids execution on CIS-region and Russian-language systems to evade scrutiny. Elastic reported that Google removed the malicious ads on May 14, 2026.
ShapedPlugin update hack backdoors WordPress sites
ShapedPlugin suffered a supply-chain compromise of its update system, injecting a backdoor into three paid WordPress plugins: Product Slider Pro, Real Testimonials Pro, and Smart Post Show Pro. The malicious loader activates when an administrator opens the WordPress admin panel, contacts a C2 server, and installs a backdoor disguised as a fake plugin impersonating WooCommerce components. The backdoor steals credentials, 2FA secrets, database credentials, and WooCommerce order data, then self-deletes to reduce evidence. Infection occurs via routine plugin updates, with the breach confirmed by researchers on June 12, 2026, and acknowledged by the publisher on June 16, 2026. The potential impact extends to over 400,000 active installations of the vendor’s free products.
Top Vulnerabilities Reported in the Last 24 Hours
Squid Proxy bug leaks passwords and keys (CVE-2026-47729)
CVE-2026-47729 (dubbed Squidbleed) is a critical heap buffer overread vulnerability in Squid Proxy; the alert does not give a CVSS score. Successful exploitation can leak internal memory and expose sensitive HTTP requests, including passwords and API keys, in Squid’s default configuration. Attackers can exploit CVE-2026-47729 by controlling an FTP server reachable from the proxy, using a technique that sprays FTP directory listing requests to reclaim freed buffers and leak Authorization headers from other proxy users. Calif[.]io researcher Lam Jun Rong initially reported the bug, and Youssef Awad reported it independently. A fix is available in Squid v7.6, and organizations using Squid for interception or monitoring should update immediately to prevent credential leakage.
Splunk Enterprise RCE exploited in the wild (CVE-2026-20253)
CVE-2026-20253 is a critical remote code execution vulnerability in Splunk Enterprise that allows unauthenticated attackers to execute arbitrary code and take control of affected servers. Successful exploitation enables attackers to create a malicious database, load it onto the Splunk server, obtain a shell, and perform actions such as creating or deleting arbitrary files. CVE-2026-20253 is already being exploited in the wild, according to Splunk’s Product Security Incident Response Team (PSIRT) and CISA. Researchers at watchTowr published a proof-of-concept and technical analysis. A fix is available via Splunk security updates, and organizations should patch immediately, since a compromised Splunk server undermines the visibility and incident response capability that depends on it.
PeopleSoft servers hit by stealthy pre-auth RCE (CVE-2026-35273)
CVE-2026-35273 is a critical pre-auth remote code execution vulnerability in Oracle PeopleSoft PeopleTools that allows unauthenticated attackers to run code inside the application server’s Java virtual machine (JVM). Successful exploitation enables quiet, hard-to-detect compromise through a six-step attack chain involving SSRF, bypassing IP allow-lists, staging attacker-controlled content, planting an XML object for persistence, and triggering deserialization-based execution. CVE-2026-35273 is already being exploited, with Trend Micro attributing activity to SHADOW-AETHER-015 (ShinyHunters), targeting over 100 organizations from May 27 through June 9, 2026. Trend Micro’s TrendAI team discovered and reported the vulnerability, and Oracle released an out-of-band patch. Higher-education environments and other targets should apply the patch to prevent persistent access to sensitive systems.
Top Threat Actors Reported in the Last 24 Hours
Icarus steals Salesforce data via Klue
Icarus is a cybercriminal group suspected to operate behind the Klue OAuth breach, with a primary motive of data theft and extortion. Icarus compromised Klue’s backend using a dormant credential to ship a malicious code update that siphoned OAuth tokens, then used those tokens to access customer Salesforce environments. Icarus conducted reconnaissance using Salesforce’s API, including queries to the /services/data/v59.0/sobjects endpoint, before rapidly exfiltrating data with nearly a thousand queries in a short window. Icarus targeted multiple organizations, stealing business contacts, sales communications, and competitive intelligence. The campaign involved extortion demands following data theft via OAuth token abuse. ReliaQuest and Huntress confirmed the activity and published IPs to monitor, including 138[.]226[.]246[.]94, 212[.]86[.]125[.]24, 213[.]111[.]148[.]90, and 94[.]154[.]32[.]160.
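The two behaviours above, describe-style reconnaissance against the sobjects endpoint followed by a high-rate burst of API queries from one source, are the kind of thing a defender can hunt for in Salesforce API access logs. The script below is an added example, not code from Cyware, ReliaQuest or Huntress. It runs over constructed log lines in a simplified layout (timestamp, source IP, method, path, user; the layout is an assumption, real Salesforce event logs differ), flags any request to the /services/data/v59.0/sobjects endpoint, matches source IPs against the four addresses listed in the digest, and computes the peak number of requests per source inside a sliding window. The IPs in WATCHLIST are from the digest; every other value is made up for the sample.

```python
"""Hunt for Salesforce API reconnaissance and bulk-query bursts.

Added example for the Icarus write-up, not the digest's or any vendor's code.
Log layout is a constructed assumption: "<ISO ts> <src ip> <method> <path> <user>".
"""
from collections import defaultdict
from datetime import datetime, timedelta

# The four addresses published in the digest (defanged there, plain here).
WATCHLIST = {"138.226.246.94", "212.86.125.24", "213.111.148.90", "94.154.32.160"}
# Describe/metadata endpoint used for reconnaissance in the reported activity.
RECON_PREFIX = "/services/data/v59.0/sobjects"

BASE = datetime(2026, 6, 10, 8, 0, 0)  # constructed base time for sample lines


def _line(offset_s, ip, path, user):
    """Build one constructed log line offset_s seconds after BASE."""
    ts = (BASE + timedelta(seconds=offset_s)).strftime("%Y-%m-%dT%H:%M:%SZ")
    return f"{ts} {ip} GET {path} {user}"


# Constructed sample: one benign query, three describe calls from a listed IP,
# then 120 paginated Contact queries from the same IP inside two minutes.
SAMPLE_LOG = [
    _line(0, "10.0.0.5", "/services/data/v59.0/query?q=SELECT+Id+FROM+Account", "jdoe@example.test"),
    _line(72, "213.111.148.90", "/services/data/v59.0/sobjects", "integration@example.test"),
    _line(73, "213.111.148.90", "/services/data/v59.0/sobjects/Contact/describe", "integration@example.test"),
    _line(74, "213.111.148.90", "/services/data/v59.0/sobjects/Opportunity/describe", "integration@example.test"),
] + [
    _line(120 + i, "213.111.148.90",
          f"/services/data/v59.0/query?q=SELECT+Email+FROM+Contact+LIMIT+2000+OFFSET+{i * 2000}",
          "integration@example.test")
    for i in range(120)
]


def parse_line(line):
    """Split one constructed log line into its fields; timestamp becomes datetime."""
    ts, ip, method, path, user = line.split(" ", 4)
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "ip": ip, "method": method, "path": path, "user": user}


def analyze(lines, window=timedelta(minutes=5), burst_threshold=100):
    """Return recon hits, watchlist IPs seen, and per-IP peak request counts per window."""
    events = [parse_line(l) for l in lines if l.strip()]

    # 1. Any call to the sobjects describe endpoint is worth a look on its own.
    recon = [(e["ip"], e["user"], e["path"]) for e in events
             if e["path"].startswith(RECON_PREFIX)]

    # 2. Direct IoC match against the published addresses.
    watchlist_hits = {e["ip"] for e in events if e["ip"] in WATCHLIST}

    # 3. Sliding-window peak rate per source IP (two-pointer over sorted times).
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e["ts"])
    bursts = {}
    for ip, stamps in by_ip.items():
        stamps.sort()
        peak, start = 0, 0
        for end, t in enumerate(stamps):
            while t - stamps[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= burst_threshold:
            bursts[ip] = peak

    return {"recon": recon, "watchlist_hits": watchlist_hits, "bursts": bursts}


if __name__ == "__main__":
    findings = analyze(SAMPLE_LOG)
    for ip, user, path in findings["recon"]:
        print(f"RECON   {ip} {user} {path}")
    for ip in sorted(findings["watchlist_hits"]):
        print(f"IOC     {ip} matches published watchlist")
    for ip, peak in findings["bursts"].items():
        print(f"BURST   {ip} peaked at {peak} requests in one 5-minute window")
```

The burst threshold and window are tunable; the point is that the describe calls and the watchlist match are low-volume signals that precede the burst, so alerting on them catches the reconnaissance phase before the bulk pull completes.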
TeamPCP poisons open-source software pipeline
TeamPCP is a South Africa-traced cybercriminal group suspected of targeting open-source software supply chains for financial gain. TeamPCP injected malicious code into over 1,000 packages across ecosystems and platforms including Kubernetes, AWS, and GitHub, creating downstream exposure for teams that automatically pull dependencies. TeamPCP abused automated CI/CD workflows and leveraged AI reliance to spread malware through routine build-and-deploy processes. TeamPCP targeted developers and businesses shipping software at speed, resulting in credential theft and data loss across many environments. The campaign distributed payloads built in JavaScript and Python via compromised CI/CD pipelines.
SmartApeSG booby-traps Okendo Reviews widget
SmartApeSG is a threat actor suspected of orchestrating a supply chain campaign against the Okendo Reviews widget, with a primary motive of malware delivery and credential theft. SmartApeSG embedded obfuscated, staged JavaScript into the widget, filtered execution to desktop users, and limited repeat runs using browser storage controls to avoid detection. SmartApeSG targeted thousands of e-commerce sites, turning compromised storefronts into malware delivery points for remote access trojans and information stealers. The campaign leveraged third-party widget supply chains to reach high-traffic websites. ThreatLabz identified the activity on May 14, 2026, highlighting the exposure risk for online retailers using the widget.
Frequently Asked Questions
What is OXLOADER? OXLOADER is a newly identified malware loader that delivers the CASTLESTEALER infostealer through malicious Google Ads impersonating Node.js, with campaigns observed against US-based victims. After a user clicks the ad, the redirect chain leads to a malicious landing page and then a Storj-hosted batch script that downloads and runs the loader.
What is ShapedPlugin? ShapedPlugin is a WordPress plugin publisher that suffered a supply-chain compromise of its update system, which injected a backdoor into three paid WordPress plugins: Product Slider Pro, Real Testimonials Pro, and Smart Post Show Pro. The malicious loader activates when an administrator opens the WordPress admin panel, then contacts a C2 server and installs a backdoor disguised as a fake plugin that impersonates WooCommerce components.
What is CVE-2026-47729? A critical Squid Proxy vulnerability dubbed Squidbleed (CVE-2026-47729) can leak internal memory and expose sensitive HTTP requests, including passwords and API keys, in Squid’s default configuration. The issue traces back to a long-standing bug in Squid’s FTP directory listing parser where incorrect use of strchr and a null terminator can trigger a heap buffer overread, causing prior request data to be disclosed.
What is CVE-2026-20253? A critical flaw in Splunk Enterprise (CVE-2026-20253) allows unauthenticated attackers to execute arbitrary code and take control of affected servers. In reported demonstrations, an attacker can create a malicious database and load it onto the Splunk server, ultimately obtaining a shell and enabling actions like creating or deleting arbitrary files.
What is CVE-2026-35273? A critical pre-auth remote code execution vulnerability in Oracle PeopleSoft PeopleTools (CVE-2026-35273) lets unauthenticated attackers run code inside the application server’s Java virtual machine (JVM), raising the risk of quiet, hard-to-detect compromise. Trend Micro described a six-step attack chain that starts with SSRF through the PeopleSoft Integration Gateway (PSIGW), bypasses an IP-based allow-list, stages attacker-controlled content on disk, plants an XML object for persistence, and then triggers deserialization-based execution on a web-tier restart, with post-exploitation options including a JSP web shell and coerced outbound SMB/445.
What is Icarus? Icarus, a cybercriminal group behind the Klue OAuth breach, is using stolen access tokens to pull sensitive Salesforce CRM data from multiple organizations and then push extortion demands. They began by compromising Klue’s backend and using a dormant credential to ship a malicious code update that siphoned OAuth tokens, which were then used to enter customer Salesforce environments.
What is TeamPCP? TeamPCP, a South Africa-traced cybercriminal group, has moved fast to undermine trust in open-source software by compromising over 1,000 packages in a short period. They injected malicious code into repositories tied to widely used ecosystems and platforms including Kubernetes, AWS, and GitHub, creating downstream exposure for teams that automatically pull dependencies.
What is SmartApeSG? SmartApeSG, a threat actor behind a supply chain campaign against the Okendo Reviews widget, has used malicious JavaScript to turn thousands of e-commerce sites into potential delivery points for malware such as remote access trojans and information stealers. They embedded obfuscated, staged scripts into the widget, then filtered execution (including desktop-focused targeting) and limited repeat runs using browser storage controls to avoid easy detection.