Welcome to our weekly newsletter where we share some of the major developments on the future of cybersecurity that you need to know about. Make sure to follow my LinkedIn page as well as Echelon’s LinkedIn page to receive updates on the future of cybersecurity!
To receive these and other curated updates to your inbox on a regular basis, please sign up for our email list here: https://echeloncyber.com/ciw-subscribe
Echelon Events & Thought Leadership Highlight
Most organizations find out their detections are misconfigured when they read about it in a report. By then, the engagement is over and the team that needed to understand the attack wasn't in the room when it happened.
A purple team exercise changes that. Red and blue work in parallel, with the client present, so detection gaps get surfaced and addressed while the simulation is still running.
We walked through what that looks like in practice: covering endpoint infiltration, persistence, network reconnaissance, and privilege escalation. Each phase shows what attackers are looking for and exactly where defenders need to catch them.
Read the full breakdown: https://lnkd.in/ecgptnua

Away we go!
1. Accenture Confirms Cybersecurity Incident After Stolen Source Code Allegedly Put Up for Sale
Global consulting and technology firm Accenture has confirmed that it recently experienced a cybersecurity incident after a threat actor began advertising what they claim is 35 GB of stolen company data for sale on a well-known cybercrime forum. Although Accenture described the event as an isolated incident that has since been remediated, the company has not disclosed how the attackers gained access or whether any customer information was affected. According to the individual selling the data, the alleged haul includes source code, configuration files, cryptographic keys, Azure credentials, and other sensitive development assets that could be valuable to both cybercriminals and nation-state actors.
While the full scope of the breach has not yet been independently verified, the claims are concerning because development environments often contain the digital keys to an organization's infrastructure. Source code alone may not be damaging, but when paired with exposed SSH keys, RSA certificates, Azure Personal Access Tokens, or cloud storage credentials, attackers can potentially accelerate future attacks, move laterally through environments, or impersonate trusted systems. Screenshots published by the threat actor appear to show access to an Azure DevOps repository associated with Accenture, lending some credibility to the claims, though the company has not confirmed the authenticity of the stolen files.
This incident serves as another reminder that protecting software development environments has become just as important as defending production systems. Modern attacks increasingly target developer workstations, CI/CD pipelines, cloud repositories, and identity platforms because compromising the software supply chain can provide a path into hundreds or even thousands of downstream organizations. Organizations should ensure that development credentials are regularly rotated, privileged access is tightly controlled, secrets are stored in secure vaults rather than code repositories, and all access to development environments is protected with phishing-resistant multifactor authentication and continuous monitoring.
For cybersecurity leaders, the Accenture breach highlights an uncomfortable reality: even some of the world's largest cybersecurity and consulting firms remain attractive targets. Every incident reinforces the importance of adopting a zero trust approach to software development, implementing strong identity governance, continuously scanning repositories for exposed secrets, and maintaining an incident response plan that includes rapid credential revocation. As threat actors increasingly focus on cloud development platforms rather than traditional endpoints, securing the software development lifecycle has become a business imperative rather than simply a developer responsibility.

Accenture Breach Highlights the Growing Risk to Cloud Development Environments
One of this week's most significant cloud security stories came from Accenture, which confirmed a security incident after a threat actor began selling what they claimed were 35 GB of stolen source code, Azure credentials, SSH keys, RSA keys, and configuration files on a cybercrime marketplace. While Accenture stated there has been no impact to customer operations or service delivery, the incident underscores a rapidly growing trend: attackers are increasingly targeting cloud-native development environments rather than production systems directly.
Today's cloud infrastructure depends heavily on platforms like Azure DevOps, GitHub, GitLab, and CI/CD pipelines. If attackers can obtain developer credentials or Personal Access Tokens (PATs), they may be able to move laterally, access source code, inject malicious updates, or compromise downstream software supply chains. This is exactly why developer identities have become one of the highest-value targets for modern threat actors.
Recommended Actions
- Rotate all Azure DevOps, GitHub, GitLab, and cloud access tokens regularly.
- Replace long-lived credentials with short-lived or federated identities whenever possible.
- Enable phishing-resistant MFA for all privileged developer accounts.
- Continuously scan repositories for exposed secrets using tools such as GitHub Secret Scanning, Microsoft Defender for DevOps, or similar solutions.
- Monitor unusual repository cloning activity and privileged access events.
Takeaway: The perimeter has shifted. Your software development environment is now one of your most critical cloud assets. Protecting developer identities and securing CI/CD pipelines has become just as important as protecting production workloads.

2. Oracle E-Business Suite Under Active Attack as Critical Vulnerability Faces Widespread Exploitation
A critical vulnerability in Oracle E-Business Suite (EBS) has moved from theoretical risk to active exploitation, putting organizations that have not applied Oracle's May Critical Patch Update (CPU) at immediate risk. The flaw, tracked as CVE-2026-46817, affects the Oracle Payments module and allows an unauthenticated attacker to remotely compromise vulnerable systems over HTTP. Security researchers have confirmed that attackers began exploiting the vulnerability in the wild shortly after patches became available, highlighting how quickly threat actors are operationalizing newly disclosed enterprise software vulnerabilities.
The vulnerability is particularly concerning because it combines several dangerous weaknesses, including improper authentication, missing authentication for critical functions, and inadequate privilege management. Together, these flaws create a pathway for attackers to access sensitive payment-related functionality without valid credentials. Threat intelligence firm Defused observed multiple real-world exploitation attempts against its internet-facing honeypots within just a two-hour period, suggesting that automated scanning and opportunistic attacks are already well underway. Even more concerning, researchers believe exploitation may have begun before any public proof-of-concept exploit code was released, indicating that attackers either independently discovered the flaw or gained early knowledge of its capabilities.
For organizations running Oracle E-Business Suite, the priority should be verifying that the May 2026 Critical Patch Update has been fully deployed across every environment, including production, disaster recovery, and development systems that may still be internet accessible. Security teams should also evaluate whether Oracle EBS applications, particularly Oracle Payments, truly require direct internet exposure. If external access is unavoidable, organizations should implement layered protections such as web application firewalls (WAFs), network segmentation, continuous monitoring, and multifactor authentication for administrative access. Equally important is confirming that defensive technologies are actively enforcing security policies rather than operating in monitoring or learning mode.
This latest campaign reinforces a familiar lesson for security leaders: enterprise business applications remain among the most valuable targets for attackers because they often contain financial data, sensitive customer information, and privileged business workflows. In today's threat landscape, patch management alone is no longer sufficient. Organizations must combine rapid vulnerability remediation with strong network architecture, continuous threat monitoring, and proactive security validation to reduce the likelihood that a newly disclosed vulnerability becomes the next major breach.

Anthropic Restores Global Access to Fable 5 While Expanding AI Security Safeguards
Anthropic restored worldwide access to its Fable 5 cybersecurity-focused AI model this week after the U.S. government lifted temporary export restrictions that had blocked foreign access. During negotiations with federal regulators, Anthropic introduced several new security measures designed to reduce the risk of offensive AI misuse while preserving the model's defensive capabilities.
Among the most significant enhancements is a new AI safety classifier that reportedly blocks more than 99% of known jailbreak techniques used to bypass security controls. Anthropic also committed to expanding pre-release testing with government agencies, launching a HackerOne bug bounty focused on AI jailbreaks, and working with industry partners to establish common standards for evaluating AI model safety.
For defenders, the news is encouraging because these frontier models continue to demonstrate tremendous value in vulnerability discovery, secure coding, patch development, and security testing. The challenge going forward will be ensuring these powerful capabilities remain available to defenders without making offensive cyber operations easier for attackers.
Recommended Actions
- Establish governance around which AI models employees are permitted to use.
- Monitor AI-generated code using the same secure development lifecycle and code review standards as human-written code.
- Test enterprise AI applications against prompt injection, jailbreak, and data leakage scenarios.
- Update AI governance programs to align with emerging frameworks such as NIST AI RMF and ISO/IEC 42001.
- Train developers on securely integrating AI coding assistants into existing software development workflows.
Takeaway: AI is rapidly becoming a force multiplier for both attackers and defenders. Organizations that combine strong AI governance with traditional cybersecurity fundamentals will be far better positioned as these technologies continue to mature.

3. JadePuffer Signals the Arrival of AI Assisted Ransomware
Cybersecurity researchers have documented what may be the first real-world example of an AI-assisted, agentic ransomware operation capable of executing nearly every stage of an attack with minimal human intervention. The campaign, dubbed JadePuffer, was uncovered by Sysdig's Threat Research Team after investigators observed a large language model directing reconnaissance, privilege escalation, credential harvesting, lateral movement, data theft, and ransomware deployment against a production database server. While a human operator still selected the victim and provisioned the supporting infrastructure, the AI handled much of the technical execution, dramatically increasing the speed and efficiency of the attack.
The attackers exploited two previously disclosed vulnerabilities, CVE-2025-3248 in Langflow and CVE-2021-29441 in Nacos, to establish access before allowing the AI-driven workflow to take over. Unlike traditional ransomware campaigns, the malware exhibited characteristics rarely seen in human-written code, including detailed natural language reasoning, extensive annotations, and automated prioritization of high-value assets. Researchers found that the AI persistently searched for every available credential, access token, and privilege escalation opportunity rather than stopping after obtaining an initial foothold, demonstrating how large language models can significantly amplify an attacker's capabilities.
Despite the headlines, this was not a completely autonomous cyberattack. Human operators still determined the target, built the command-and-control infrastructure, and initiated the campaign. However, the findings represent an important shift in the threat landscape. Rather than replacing attackers, AI is acting as a force multiplier that enables cybercriminals to execute complex operations faster, more consistently, and at greater scale. As these capabilities mature, defenders should expect attack timelines to shrink from days or hours to minutes, leaving organizations with increasingly narrow windows to detect and contain malicious activity.
For defenders, the lessons are clear. Organizations should immediately remediate known vulnerabilities, eliminate unnecessary internet exposure for administrative services and database systems, enforce least privilege access, implement outbound network controls to limit data exfiltration, and invest in runtime threat detection capable of identifying suspicious behavior in real time. Perhaps most importantly, security teams should begin preparing for a future where AI is embedded throughout the cyber kill chain. The organizations best positioned to withstand this next generation of threats will be those that combine strong cybersecurity fundamentals with AI-powered detection, automation, and rapid incident response.
Thanks for reading!
About us: Echelon is a full-service cybersecurity consultancy that offers wholistic cybersecurity program building through vCISO or more specific solutions like penetration testing, red teaming, security engineering, cybersecurity compliance, and much more! Learn more about Echelon here: https://echeloncyber.com/about