1 minute read

A single Oracle PeopleSoft zero-day exploited by the ShinyHunters extortion group has now touched more than 100 organizations, and Nissan and the National Association of Insurance Commissioners were the latest to confirm it this week. Nissan says the breach exposed Social Security numbers, banking details, and tax records for current and former employees across four countries. NAIC pushed back hard on the attackers’ initial claims, saying the stolen data was mostly public filings and stale logs, not the regulatory platforms ShinyHunters bragged about. That gap between what a threat actor claims and what actually left the building matters. I’ve watched incident responders spend more time managing the narrative than the containment, because early leak-site claims set expectations executives can’t walk back later. Get your own forensic timeline before you respond to theirs.

Patch management failures are still doing the heavy lifting for ransomware crews. CISA confirmed this week that ransomware gangs are now exploiting BlueHammer (CVE-2026-33825), a Microsoft Defender privilege escalation flaw Microsoft patched back in April. The bug reached local SYSTEM access through the SAM database, and it sat in the Known Exploited Vulnerabilities catalog for two months before ransomware operators picked it up. Two months is not a grace period. It’s the exact window attackers use to build tooling around a disclosed flaw while defenders wait for the “critical” ransomware headline to justify the patch cycle.

Subsidiaries keep being the soft entry point. Aflac disclosed a second breach in as many years, this time through its Japan subsidiary, exposing policy and bank account data. Blackfield ransomware hit Nidec’s Taiwan subsidiary for the second time in two years, demanding $2 million. Attackers never touched either parent company’s core systems. If your risk register treats subsidiaries as a footnote instead of a full attack surface, these are your two data points.

On the AI side, LayerX researchers got six agentic browsers, including Claude’s Chrome extension, to leak credentials by wrapping the request in a fictional game. Only OpenAI shipped a real fix. If you’re piloting agentic browsers for anything touching credentials, don’t wait on vendor guardrails. Scope what the agent can reach before you scope what it’s allowed to say.

Action item: pull your subsidiary and M&A entities into the same patching and monitoring cadence as your core environment this quarter. That’s where the next breach notification is coming from.