Cyber Intelligence Weekly

Welcome to our weekly newsletter where we share some of the major developments on the future of cybersecurity that you need to know about. Make sure to follow my LinkedIn page as well as Echelon’s LinkedIn page to receive updates on the future of cybersecurity!

To receive these and other curated updates to your inbox on a regular basis, please sign up for our email list here: https://echeloncyber.com/ciw-subscribe

Partner Spotlight - CrowdStrike AIDR

AI is already inside your organization.

Whether you planned for it or not.

The question isn’t:

“Should we secure AI?”

It’s, “How quickly can we?”

CrowdStrike's Falcon AIDR gives you:

  • Visibility
  • Control
  • Real-time protection

Across your entire AI ecosystem.

Echelon helps you:

  • Stand it up
  • Operationalize it
  • Scale it

If AI is on your roadmap…

AI security should be too.

Let’s talk.

https://echeloncyber.com/services/defensive-security/crowdstrike-platform-services

Echelon Events & Thought Leadership Highlight

The attacker is already inside. Part 2 of Echelon's Purple Team simulation picks up mid-intrusion with lateral movement, cloud compromise, and data exfiltration, showing exactly what defenders see on the backend in real time.

Join experts Matt Donato, Devin Jones, and Bryce Hayes as they walk both sides of the attack chain and share recurring findings from real-world purple team engagements.

Register here: https://lnkd.in/e_R9J5p2

Missed Part 1?

Catch up on demand first. https://lnkd.in/eka9ieQb

Away we go!

1. ShinyHunters Exploits Oracle PeopleSoft Zero Day, Universities Become Primary Targets

A newly disclosed Oracle PeopleSoft vulnerability is at the center of an active cybercrime campaign that has already impacted universities and organizations across the globe. Researchers from Mandiant and Google Threat Intelligence Group report that the ShinyHunters cybercriminal group has been exploiting an unpatched flaw, tracked as CVE-2026-35273, since at least late May. The vulnerability allows unauthenticated attackers to execute remote code and potentially gain complete control of affected PeopleSoft servers. While Oracle has acknowledged the issue and released mitigation guidance, a security patch remains unavailable, leaving many organizations exposed.

The campaign appears to be heavily focused on higher education institutions, which account for a significant percentage of the vulnerable systems identified so far. According to threat intelligence researchers, more than 100 organizations may have been targeted, with universities representing nearly 70 percent of the potential victim pool. One confirmed victim, the University of Nottingham, publicly acknowledged a breach involving the theft of student data after ShinyHunters began leaking information online. Researchers indicate that extortion efforts are still ongoing, with threat actors continuing to contact victims and demand payment in exchange for withholding stolen data.

What makes this incident particularly concerning is the timeline. Attackers were actively exploiting the vulnerability for weeks before Oracle publicly disclosed the issue. This gave threat actors a substantial head start while defenders were unaware of the exposure. The flaw impacts Oracle PeopleSoft PeopleTools, a widely deployed platform used by organizations for human resources, finance, payroll, and customer relationship management functions. Because these systems often contain large volumes of sensitive employee, student, and financial information, they present highly attractive targets for financially motivated cybercriminals.

This latest campaign serves as another reminder of the growing risk posed by enterprise software vulnerabilities, particularly when no patch is immediately available. Organizations running Oracle PeopleSoft should urgently review Oracle's mitigation guidance, identify internet-facing PeopleSoft instances, monitor for indicators of compromise, and prepare for rapid patch deployment once updates become available. Security teams should also assume that attackers may already have established footholds in vulnerable environments and conduct proactive threat hunting accordingly. As seen in previous large-scale exploitation campaigns, the period between disclosure and patch availability is increasingly becoming the most dangerous window for defenders.

OpenAI Supply Chain Incident Highlights Growing Risk in Cloud Development Ecosystems

One of the most important cloud security stories this month involves OpenAI's disclosure that two employee devices were compromised during the widespread TanStack npm supply chain attack known as "Mini Shai-Hulud." Attackers inserted malicious code into trusted open-source software packages, allowing them to steal credentials and gain access to developer environments. OpenAI confirmed that a limited amount of internal credential material was exposed, forcing the company to rotate signing certificates for several desktop products. Fortunately, there was no evidence that customer data, production environments, or deployed software were compromised.

This incident serves as a reminder that cloud security is no longer just about securing cloud infrastructure. Modern organizations depend on thousands of open-source packages, APIs, CI/CD pipelines, and third-party integrations that create an increasingly complex software supply chain. Attackers are shifting their focus toward these trusted relationships because compromising a single package can provide downstream access to thousands of organizations.

What organizations should do now:

  • Review software bill of materials (SBOM) practices and dependency inventories.
  • Enable package signing verification and artifact integrity controls.
  • Harden CI/CD environments and restrict developer credential exposure.
  • Rotate credentials immediately if any potentially affected packages were installed.
  • Implement behavioral monitoring for developer workstations and build systems.

Real-World Takeaway: The next major cloud breach may not start with a firewall vulnerability or misconfigured storage bucket. It may begin with a simple "npm install" command. Security leaders should treat software supply chain security as a core cloud security discipline rather than a development problem.
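As an added example (not code from the newsletter, OpenAI, or any of the projects named above), the following Python script turns the dependency-inventory and artifact-integrity bullets into a concrete pre-install check: it audits a lockfile for entries without an integrity hash, entries resolved from outside an allowed registry, and entries that run lifecycle install scripts, and it verifies a downloaded tarball against its SRI hash. The registry allowlist, package names, versions, URLs and tarball bytes are all assumptions constructed for the example.

```python
"""Audit an npm package-lock.json for supply-chain red flags and verify a
downloaded tarball against its Subresource Integrity (SRI) hash."""
import base64
import hashlib
from urllib.parse import urlparse

# Registries this organisation trusts (an assumption for this example).
ALLOWED_REGISTRY_HOSTS = {"registry.npmjs.org"}

def audit_lockfile(lock: dict) -> list:
    """Flag lockfileVersion 2/3 entries that lack an integrity hash, resolve
    outside the allowed registries, or run a lifecycle install script."""
    findings = []
    for path, pkg in lock.get("packages", {}).items():
        if path == "":  # root project entry, not a dependency
            continue
        name, version = path.rsplit("node_modules/", 1)[-1], pkg.get("version", "?")
        resolved = pkg.get("resolved", "")
        host = urlparse(resolved).hostname if resolved else None
        if not pkg.get("integrity"):
            findings.append((name, version, "missing integrity hash"))
        if host not in ALLOWED_REGISTRY_HOSTS:
            findings.append((name, version, f"resolved outside allowed registries: {resolved or '(none)'}"))
        if pkg.get("hasInstallScript"):
            findings.append((name, version, "runs a lifecycle install script"))
    return findings

def verify_integrity(tarball: bytes, integrity: str) -> bool:
    """Check tarball bytes against an SRI string such as 'sha512-<base64>'."""
    algo, _, expected = integrity.partition("-")
    digest = hashlib.new(algo, tarball).digest()
    return base64.b64encode(digest).decode() == expected

# Constructed sample data (in practice: json.load(open("package-lock.json"))).
# Package names, versions, URLs and tarball bytes are made up for this example.
SAMPLE_TARBALL = b"constructed tarball bytes"
SAMPLE_INTEGRITY = "sha512-" + base64.b64encode(hashlib.sha512(SAMPLE_TARBALL).digest()).decode()
SAMPLE_LOCK = {"lockfileVersion": 3, "packages": {
    "": {"name": "demo-app", "version": "1.0.0"},
    "node_modules/clean-lib": {"version": "2.1.0", "integrity": SAMPLE_INTEGRITY,
        "resolved": "https://registry.npmjs.org/clean-lib/-/clean-lib-2.1.0.tgz"},
    "node_modules/mirror-lib": {"version": "0.4.2", "integrity": SAMPLE_INTEGRITY,
        "resolved": "https://cdn.example.net/mirror-lib-0.4.2.tgz"},
    "node_modules/hook-lib": {"version": "3.0.1", "hasInstallScript": True,
        "resolved": "https://registry.npmjs.org/hook-lib/-/hook-lib-3.0.1.tgz"},
}}

if __name__ == "__main__":
    for name, version, issue in audit_lockfile(SAMPLE_LOCK):
        print(f"{name}@{version}: {issue}")
```

Run against the sample, the audit reports the package fetched from a non-allowlisted CDN and the package that both lacks an integrity hash and runs an install script, which is where a CI gate would stop the build for review.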

2. Microsoft Open Source Repositories Compromised in Credential Theft Campaign Targeting AI Developers

A sophisticated software supply chain attack has once again highlighted the growing risks facing organizations that rely on open source software and AI development tools. Microsoft recently disabled dozens of GitHub repositories after discovering that attackers had compromised several open source projects and injected credential-stealing malware into code used by developers around the world. Many of the affected repositories were tied to Azure services and developer tooling commonly used alongside artificial intelligence platforms such as Claude Code, Gemini CLI, and Visual Studio Code.

According to security researchers who first identified the compromise, the malicious code was designed to harvest passwords, authentication tokens, cloud credentials, and other sensitive information from developers who downloaded and executed the affected software. Microsoft has confirmed that it temporarily removed impacted repositories while conducting an investigation and has already notified a limited number of customers who may have downloaded compromised content. While the full scope of the incident remains under investigation, the attack demonstrates how threat actors are increasingly targeting software development ecosystems rather than attacking organizations directly.

What makes this incident particularly noteworthy is that Microsoft itself became the victim. Supply chain attacks have traditionally focused on smaller open source maintainers with limited resources, but attackers are now demonstrating the ability to compromise even some of the largest and most security-conscious technology providers in the world. Researchers believe this latest campaign may be connected to an ongoing operation known as "Mini Shai-Hulud," a credential theft campaign targeting npm packages, CI/CD pipelines, GitHub workflows, and developer infrastructure. The compromise also appears related to an earlier breach involving Microsoft's Durable Task project, raising questions about whether attackers maintained persistence or successfully re-entered the environment after remediation efforts were completed.

For security leaders, the lesson is becoming increasingly clear: the software supply chain is now one of the most attractive attack surfaces in modern computing. Organizations should review their dependency management processes, strengthen code signing verification, monitor developer environments for unusual credential access, and implement stronger controls around build pipelines and open source package consumption. As AI-assisted development continues to accelerate software creation, attackers are following the same trend, looking for opportunities to compromise the tools developers trust most. The next major breach may not begin with a phishing email or firewall exploit. It may begin with a seemingly legitimate software update downloaded from a trusted source.

Anthropic Expands Mythos AI as Security Teams Prepare for the AI Vulnerability Era

Anthropic announced a major expansion of Project Glasswing, providing approximately 150 additional organizations across more than 15 countries access to its advanced cybersecurity-focused AI model, Claude Mythos Preview. The expansion now includes critical infrastructure operators in power, healthcare, telecommunications, water, and other sectors where cyberattacks could have national security implications. Anthropic reports that early participants have already identified more than 10,000 high and critical severity vulnerabilities using the technology.

The significance extends beyond vulnerability discovery. Anthropic and other AI developers are signaling that AI-assisted vulnerability research is accelerating dramatically. Models such as Mythos can reportedly identify, analyze, and help develop remediation guidance for software weaknesses at a pace that traditional security teams cannot easily match. This creates both opportunity and risk. Defenders gain powerful new tools, but attackers are expected to gain access to similar capabilities within the next year.

What organizations should do now:

  • Prepare for significantly shorter vulnerability remediation timelines.
  • Incorporate AI-assisted code review and vulnerability scanning into development pipelines.
  • Prioritize patch management for internet-facing applications and critical infrastructure.
  • Establish governance controls around employee use of generative AI tools.
  • Develop an AI security strategy before AI-enabled threats become mainstream.

Real-World Takeaway: The cybersecurity industry is approaching a pivotal moment. AI is no longer simply generating phishing emails and chatbot responses. It is increasingly capable of identifying vulnerabilities, accelerating exploit development, and helping defenders discover weaknesses before attackers do. Organizations that embrace AI-assisted security today will likely be better positioned to withstand the next generation of cyber threats.

3. Microsoft's Largest Patch Tuesday Ever Signals the Arrival of AI-Powered Vulnerability Discovery

Microsoft's June 2026 Patch Tuesday may mark a turning point in cybersecurity. The company released fixes for more than 200 vulnerabilities across its product portfolio, making it the largest Patch Tuesday in Microsoft's history. Of those vulnerabilities, 38 were rated critical, and several were already publicly known before patches became available. Among the most notable was an actively exploited Microsoft Exchange Server vulnerability that attackers had already begun targeting in real-world environments. For many security teams, the sheer volume of fixes was overwhelming. Yet the story behind the numbers may be even more important than the vulnerabilities themselves.

Microsoft acknowledged that artificial intelligence played a significant role in discovering many of the flaws addressed this month. According to the company, its AI-powered vulnerability research initiatives and multi-model scanning technologies are uncovering security weaknesses at a pace never before possible. External researchers leveraging AI-assisted techniques also contributed to the record-breaking volume of findings. In practical terms, AI is helping move vulnerabilities from the "unknown" category into the "known and fixable" category much faster than traditional manual testing methods.

The implications for defenders are profound. Organizations have long operated under the assumption that vulnerability discovery occurred at a manageable pace. That assumption is rapidly changing. Advanced AI systems can analyze millions of lines of code, identify subtle security flaws, and help generate proof-of-concept exploit paths in a fraction of the time previously required. While this benefits software vendors seeking to improve security, it also raises concerns that threat actors may eventually gain access to similar capabilities. Security teams should expect vulnerability disclosures, patch releases, and remediation cycles to continue accelerating throughout the coming years.

For security leaders, the message is clear: patch management can no longer be viewed as a monthly administrative task. It is becoming a continuous operational discipline. Organizations should prioritize risk-based vulnerability management, shorten remediation timelines for internet-facing systems, automate patch testing wherever possible, and ensure that critical assets are continuously monitored for emerging threats. June's record-setting Patch Tuesday may not be an anomaly. It may simply be the first glimpse into an AI-driven future where software vulnerabilities are discovered faster than ever before.

Thanks for reading!

About us: Echelon is a full-service cybersecurity consultancy that offers holistic cybersecurity program building through vCISO or more specific solutions like penetration testing, red teaming, security engineering, cybersecurity compliance, and much more! Learn more about Echelon here: https://echeloncyber.com/about

Are you ready to get started?