⏱️ Read Time: 7 minutes
The first computer worm to gain major attention, the Morris Worm in 1988, reportedly infected roughly 10% of the internet at the time. Tiny internet, huge mess.
📜 Table of Contents
💥 Major Breaches & Incidents - ShinyHunters goes after Salesforce Aura data, Ericsson discloses a third-party-linked breach
🛠️ Emerging Threats & Vulnerabilities - VMware Aria Operations lands in KEV, Cisco SD-WAN flaws are actively exploited, CISA flags more actively exploited bugs across SolarWinds, Ivanti, and Workspace One
🕵️ Privacy Watch - Odido customer data starts leaking after telecom hack
🌍 APTs and State Sponsored Attacks - Russia-linked targeting of Signal and WhatsApp accounts, MuddyWater hits U.S. sectors, Google disrupts a Chinese-linked campaign spanning 53 organizations
🤖 AI in Cyber - North Korean fake workers get an AI upgrade, OpenClaw exposes AI agents, cloned AI tool sites push malware
🔁 Story Follow-Ups - China suspected in FBI surveillance-network breach, Google tallies 90 exploited zero-days from last year
💥 Major Breaches & Incidents
🧪 ShinyHunters claims ongoing Salesforce Aura data theft attacks
Salesforce warned that attackers are targeting Experience Cloud sites where guest-user exposure issues may leave sensitive data too easy to reach. ShinyHunters then decided subtlety was overrated and publicly claimed it is actively exploiting the issue for data theft. Because Salesforce environments are deeply wired into customer support, partner portals, and business workflows, this lands well beyond niche-admin-problem territory.
👉 Key takeaway: If your Salesforce footprint includes public-facing Experience Cloud components, this is not a “circle back next sprint” issue.
📡 Ericsson US discloses data breach after service provider hack
Ericsson said attackers stole data tied to more than 15,000 employees and customers after compromising a service provider, giving this story a very familiar third-party-risk flavor. The exposed information reportedly includes high-risk personal data, which raises both notification and downstream fraud concerns. Yet again, organizations are being reminded that vendors are not just part of the ecosystem - they are part of the blast radius.
👉 Key takeaway: Third-party access is still one of the fastest ways for someone else’s bad day to become your incident response problem.
🛠️ Emerging Threats & Vulnerabilities
🧱 CISA flags VMware Aria Operations RCE flaw as exploited in attacks
CISA added CVE-2026-22719 to the Known Exploited Vulnerabilities catalog after evidence of active exploitation. The flaw is an unauthenticated command-injection issue with remote code execution potential in VMware Aria Operations, which is exactly the kind of sentence infrastructure teams hate reading before coffee. Since Aria Operations touches enterprise visibility and management, the risk here is operational as much as technical.
👉 Key takeaway: If you run VMware management infrastructure, treat this as an urgent patching and exposure-review item.
🌐 Cisco flags more SD-WAN flaws as actively exploited in attacks
Cisco said two Catalyst SD-WAN Manager flaws are being actively exploited in the wild, pushing network defenders into immediate triage mode. SD-WAN tooling sits close to the center of branch connectivity and network orchestration, so exploitation risk here is not abstract. When the thing that helps run the network becomes the thing under attack, the margin for delay gets very small.
👉 Key takeaway: Actively exploited SD-WAN bugs deserve top-tier attention because they can turn management infrastructure into an attacker launchpad.
🚨 CISA Flags SolarWinds, Ivanti, and Workspace One Vulnerabilities as Actively Exploited
CISA added three more flaws to KEV involving SolarWinds, Ivanti, and Workspace One, underscoring that the actively exploited bug conveyor belt is still very much operational. The vendor spread makes this especially useful in a quick-hit recap because there is a decent chance at least one of these platforms lives somewhere in a large enterprise environment. It is also a tidy reminder that defenders are now managing risk across stacks, not single products.
👉 Key takeaway: KEV additions across multiple enterprise vendors mean patch prioritization needs to happen at portfolio level, not one dashboard at a time.
🕵️ Privacy Watch
📉 Hacking group begins leaking customer data in Dutch telecom Odido hack
Reuters reported that data from about 6 million Odido customers began leaking online following the telecom hack. The exposed information includes names, contact details, birth dates, bank account numbers, and passport numbers - which is a deeply annoying amount of identity material to hand over to criminals. Telecom breaches already carry broad trust implications, and this one adds scale, sensitivity, and real-world fraud risk.
👉 Key takeaway: Large consumer-data leaks hit harder when the stolen dataset includes both identity and financial markers, not just contact info.
🌍 APTs and State Sponsored Attacks
💬 Russia-backed hackers breach Signal, WhatsApp accounts of officials, journalists, Netherlands warns
Dutch intelligence agencies warned that Russia-backed hackers targeted Signal and WhatsApp accounts used by officials, military personnel, and journalists. The significance here is that the campaign appears to focus on account compromise and access around trusted messaging ecosystems rather than theatrically “breaking encryption.” That makes this story more practical and more dangerous, because users tend to confuse secure apps with magically secure account hygiene.
👉 Key takeaway: Secure messaging only stays secure if the account, device, and surrounding authentication layers are also locked down.
✈️ Iranian APT hacked US airport, bank, software company
SecurityWeek reported that the Iranian group MuddyWater compromised a U.S. airport, bank, software company, and other organizations. The cross-sector nature of the targeting gives the story added weight because it touches transportation, finance, and enterprise technology in one sweep. This is the kind of campaign that reminds defenders state-linked actors do not respect neat industry boundaries, even if compliance frameworks do.
👉 Key takeaway: Cross-sector targeting from a known APT means defenders should share detection lessons across industries, not treat incidents as isolated vertical problems.
🌏 Google disrupts Chinese-linked hackers that attacked 53 groups globally
Google told Reuters it disrupted a Chinese-linked hacking group that breached at least 53 organizations across 42 countries. The campaign’s global scope and relevance to telecom and government targets make it highly valuable, even if it is slightly older than some of this week’s freshest stories. Also, any time the phrase “53 groups globally” shows up in one sentence, that is generally a hint this was not a side quest.
👉 Key takeaway: Broad, multinational targeting by a state-linked actor is a signal to review both sector-specific risk and geopolitical exposure.
🤖 AI in Cyber
🪪 Microsoft warns North Korean threat groups are scaling up fake worker schemes with generative AI
Microsoft said North Korean operators are using generative AI to improve fake worker personas and make hiring-fraud operations more scalable and believable. That matters because these campaigns were already effective without AI, and now the adversary gets better written profiles, smoother interactions, and more convincing applicant material at scale. HR and security teams are officially sharing a problem whether they wanted to or not.
👉 Key takeaway: Generative AI is acting as a force multiplier for fraud operations that already exploit weak hiring verification and remote onboarding processes.
🤖 OpenClaw vulnerability allowed malicious websites to hijack AI agents
SecurityWeek reported that malicious websites could connect to the local OpenClaw gateway, brute-force passwords, and take control of AI agents. It is a useful story because it turns “AI agents” from buzzword wallpaper into a real attack-surface discussion with concrete exploitation mechanics. As organizations rush to deploy agentic tools, basic gateway and local-access security apparently remain optional in some corners of the internet, which is going great.
👉 Key takeaway: AI-agent infrastructure needs the same threat-modeling rigor as any other exposed service, not a pass because the interface sounds futuristic.
🧰 Cloned AI tool sites distribute malware in ‘InstallFix’ campaign
Attackers are cloning AI-tool installation pages and swapping legitimate commands with malicious ones to infect victims. The campaign works because demand for AI tooling is high, user urgency is high, and verifying install instructions is apparently still too much to ask of the internet at large. This lands squarely in the AI bucket because the lure is not generic software - it is the current AI adoption rush itself.
👉 Key takeaway: AI hype is now part of the phishing and malware-delivery toolkit, which means “move fast” continues to be a fantastic way to install regret.
🔁 Story Follow-Ups
🏛️ US suspects China in breach of FBI surveillance network, WSJ reports
Reuters reported that U.S. investigators believe Chinese government-affiliated hackers were behind an intrusion into an internal FBI network tied to surveillance-order information. What makes this a useful follow-up is the added attribution, which shifts the conversation from suspicious network event to likely state-backed compromise. That change matters, because attribution affects both the strategic reading of the incident and the seriousness with which organizations interpret similar tradecraft.
👉 Key takeaway: Follow-up reporting that adds credible attribution can materially change the significance of an incident, even when the technical details look similar.
📊 Google says 90 zero-days were exploited in attacks last year
Google Threat Intelligence Group said it tracked 90 exploited zero-days in 2025, with many affecting enterprise software and appliances. That trendline helps explain why so many actively exploited infrastructure bugs are dominating security coverage right now: attackers keep going where the operational leverage is best. It is not exactly uplifting, but it is useful context for anyone still treating patch urgency as a theoretical management style.
👉 Key takeaway: The volume of exploited zero-days reinforces that enterprise-facing software and edge infrastructure remain premium targets for serious attackers.
Thanks for reading this week’s edition. Like what you see? Forward it!
Hate everything you see or have other feedback? Reply back to this email!