Archived issue · 06-19-2026
fruition.net
The Perimeter · Issue 06-19-2026

Zero-days in PeopleSoft, Ivanti, and PAN-OS collide with a new npm worm wave

Three actively exploited zero-days dominated the week: Oracle PeopleSoft (CVE-2026-35273), weaponized by ShinyHunters against universities before the vendor advisory shipped; Ivanti Sentry (CVE-2026-10520), hit within 24 hours of disclosure; and PAN-OS (CVE-2026-0257), confirmed under active exploitation by Unit 42. All three are perimeter appliances or ERP systems your clients almost certainly run. On the supply chain, the Shai-Hulud worm returned in two forms: a Miasma wave that Sonatype has tied to 304 npm packages, and a node-gyp variant that abuses binding.gyp to sidestep lifecycle-script defenses, while a parallel AUR/npm "Atomic Arch" campaign runs alongside it. WordPress operators get a critical UpdraftPlus auth bypass affecting sites previously connected to UpdraftCentral, and TYPO3 shipped a coordinated batch of access-control fixes including PHP object injection and SQL injection in the Form Framework. If you run PeopleSoft, Ivanti Sentry, PAN-OS GlobalProtect, or UpdraftPlus-connected WordPress, treat this week as patch-or-isolate. Re-inventory which of your appliances are internet-reachable and whether your npm install pipelines execute native build scripts unsupervised.
Published
Friday, June 19, 2026
Entries
12
Cadence
Weekly · Sundays
Curator
Brad Anderson
Wire
cisa.gov New addition to the Known Exploited Vulnerabilities catalog ·
github.com GHSA: critical npm package compromise affecting CI pipelines ·
wordfence.com WordPress plugin vulnerability with active exploitation ·
drupal.org Highly critical core security advisory published ·
aws.amazon.com AWS security bulletin: IAM policy evaluation update ·
unit42.paloaltonetworks.com Threat actor expands toolkit targeting public-facing PHP apps ·
krebsonsecurity.com Breach disclosure with named victim and confirmed initial vector ·
snyk.io Composer dependency advisory affecting production framework versions ·
01

Web Application

frameworks · browsers · authentication flows

no entries this week

02

Supply Chain

packages · build systems · dependency attacks

Shai-Hulud Miasma wave hits 304 npm packages

Sonatype identified a new Shai-Hulud variant, tracked as Miasma, that had compromised 304 npm components as of June 5, up from the count in initial reports. The campaign continues to harvest secrets from CI runners and propagate through maintainer-account takeovers. Combined with the concurrent Atomic Arch AUR/npm campaign (atomic-lockfile, js-digest, lockfile-js), npm install paths remain the most active supply-chain attack surface.

npm
Fruition take

Check your lockfiles against Sonatype's published component list. If anything matches, rotate all CI secrets and review GitHub for unfamiliar repos pushed under your maintainer accounts.
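The lockfile check above, as an added example (not Sonatype's or npm's code): it walks a package-lock.json in any of the three lockfile formats and matches every installed name@version against a compromised list. The list and the lockfile here are constructed placeholders; point it at the vendor's published list and your own lockfile.

```python
"""Match a package-lock.json against a list of compromised npm components.

Added example for this issue, not Sonatype's or npm's code. COMPROMISED is a
CONSTRUCTED stand-in for the vendor's published "name@version" list, and
SAMPLE_LOCK is a constructed lockfile; swap in the real list and your own
package-lock.json.
"""
import json
import sys
from typing import Dict, Iterable, List, Set, Tuple

# Constructed placeholder entries; replace with the published component list.
COMPROMISED: Set[str] = {
    "example-left-pad@1.3.1",
    "@acme/build-helper@2.0.4",
}

# Constructed lockfileVersion 3 document with one nested (deduped) install.
SAMPLE_LOCK: Dict = {
    "name": "ci-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "ci-app", "version": "1.0.0"},
        "node_modules/example-left-pad": {"version": "1.3.1"},
        "node_modules/@acme/build-helper": {"version": "2.0.3"},
        "node_modules/foo": {"version": "4.1.0"},
        "node_modules/foo/node_modules/@acme/build-helper": {"version": "2.0.4"},
    },
}


def walk_lockfile(lock: Dict) -> Iterable[Tuple[str, str]]:
    """Yield (name, version) for every installed package in a v1, v2 or v3 lockfile."""
    # v2/v3: flat "packages" map keyed by install path. Nested installs look like
    # node_modules/a/node_modules/b, so take the segment after the last node_modules/.
    for path, meta in lock.get("packages", {}).items():
        if not path:  # "" is the root project itself
            continue
        name = meta.get("name") or path.rsplit("node_modules/", 1)[-1]
        if "version" in meta:  # workspace links carry no version
            yield name, meta["version"]
    # v1 (and the v2 compatibility block): nested "dependencies" tree
    stack = [lock.get("dependencies", {})]
    while stack:
        for name, meta in stack.pop().items():
            if "version" in meta:
                yield name, meta["version"]
            stack.append(meta.get("dependencies", {}))


def find_compromised(lock: Dict, bad: Set[str] = COMPROMISED) -> List[str]:
    """Return the sorted, de-duplicated name@version pairs that match the bad list."""
    return sorted({f"{n}@{v}" for n, v in walk_lockfile(lock) if f"{n}@{v}" in bad})


if __name__ == "__main__":
    lock = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_LOCK
    hits = find_compromised(lock)
    for hit in hits:
        print("COMPROMISED:", hit)
    sys.exit(1 if hits else 0)  # non-zero so a CI step fails on a match
```

Run it as a CI step with the real lockfile path; the non-zero exit on a match is what makes the pipeline stop rather than log and continue. Nested installs matter: the same package can be present at two versions, and only the `packages` map (or the v1 tree walk) sees both.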

Self-propagating npm worm hides in binding.gyp to bypass lifecycle script blocks

Snyk documented a new Shai-Hulud-lineage npm worm that triggers execution via node-gyp during install by abusing binding.gyp, sidestepping `--ignore-scripts` defenses that block postinstall hooks. The malware harvests credentials, persists via attacker-controlled GitHub repos, and self-propagates by republishing under any maintainer it captures. Sonatype tracked 304 affected components in a parallel wave.

npm node-gyp
Fruition take

`--ignore-scripts` is no longer sufficient on its own. Audit CI builds for native modules that invoke node-gyp, review their binding.gyp files for command expansions (`<!(...)`) and `actions` that run during configure or build, and pin/mirror them through a registry proxy. Rotate any npm or GitHub tokens used by build agents that ran fresh installs in the past two weeks.
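A scanner for the binding.gyp audit, as an added example for both Shai-Hulud items above (not code from Snyk, Sonatype or node-gyp). gyp files are Python dict literals, and two constructs in them execute commands: `<!(cmd)` / `<!@(cmd)` expansions, evaluated at configure time wherever they appear, and `actions` / `rules` entries, run during the build. The two gyp texts are constructed samples; the benign one shows the legitimate `<!(node -e ...)` header lookup, so findings are triage input rather than verdicts.

```python
"""Flag binding.gyp files that can run commands when node-gyp configures or builds.

Added example, not code from Snyk, Sonatype or node-gyp. Walks node_modules,
parses each binding.gyp with ast.literal_eval and reports command expansions
("<!(cmd)", "<!@(cmd)") and "actions"/"rules" entries. Legitimate addons use
"<!(node -e ...)" to locate nan/node-addon-api headers, so every finding needs
review. BENIGN_GYP and SUSPICIOUS_GYP are CONSTRUCTED samples.
"""
import ast
import os
import re
from typing import Any, Dict, List

CMD_EXPANSION = re.compile(r"<!@?\(")

BENIGN_GYP = r"""{
  # typical nan-based addon
  'targets': [{
    'target_name': 'addon',
    'sources': ['src/addon.cc'],
    'include_dirs': ["<!(node -e \"require('nan')\")"],
  }]
}"""

SUSPICIOUS_GYP = r"""{
  'targets': [{
    'target_name': 'fastcrc',
    'sources': ['src/crc.cc'],
    'include_dirs': ['<!(node lib/locate.js)'],
    'actions': [{
      'action_name': 'prepare',
      'inputs': [], 'outputs': ['build/prepared.txt'],
      'action': ['node', 'lib/prepare.js'],
    }],
  }]
}"""


def parse_gyp(text: str) -> Any:
    """binding.gyp is a Python literal (dict/list/str); # comments are allowed."""
    return ast.literal_eval(text.strip())


def find_findings(node: Any, path: str = "") -> List[str]:
    """Recursively collect command-executing constructs with their location."""
    out: List[str] = []
    if isinstance(node, dict):
        for key, val in node.items():
            here = f"{path}/{key}" if path else key
            if key in ("actions", "rules") and isinstance(val, list):
                for i, entry in enumerate(val):
                    cmd = entry.get("action") if isinstance(entry, dict) else None
                    out.append(f"{here}[{i}]: runs {cmd}")
            out.extend(find_findings(val, here))
    elif isinstance(node, list):
        for i, item in enumerate(node):
            out.extend(find_findings(item, f"{path}[{i}]"))
    elif isinstance(node, str) and CMD_EXPANSION.search(node):
        out.append(f"{path}: command expansion {node!r}")
    return out


def scan_gyp_text(text: str) -> List[str]:
    try:
        tree = parse_gyp(text)
    except (ValueError, SyntaxError):
        # Unparseable gyp (deliberately or not): fall back to a raw search so
        # an expansion hidden in malformed syntax is still reported.
        return [f"(unparsed) command expansion at offset {m.start()}"
                for m in CMD_EXPANSION.finditer(text)]
    return find_findings(tree)


def scan_node_modules(root: str) -> Dict[str, List[str]]:
    """Map each binding.gyp path under root to its findings (empty ones omitted)."""
    report: Dict[str, List[str]] = {}
    for dirpath, _, files in os.walk(root):
        if "binding.gyp" in files:
            p = os.path.join(dirpath, "binding.gyp")
            with open(p, encoding="utf-8", errors="replace") as fh:
                findings = scan_gyp_text(fh.read())
            if findings:
                report[p] = findings
    return report


if __name__ == "__main__":
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else "node_modules"
    for path, findings in scan_node_modules(root).items():
        print(path)
        for f in findings:
            print("   ", f)
```

Run it against a fresh `node_modules` in CI and diff the report against the previous build: a new `actions` entry or an expansion that invokes a script shipped inside the package, rather than a header lookup, is what to pull apart by hand.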

03

Infrastructure

kubernetes · cloud · network · ingress

Check Point Security Gateway IKEv1 auth bypass added to KEV

CVE-2026-50751 in Check Point Security Gateway allows an unauthenticated remote attacker to bypass user authentication and establish a remote-access VPN session without a valid password, via flawed IKEv1 key exchange. CISA added it to KEV on June 8, indicating observed exploitation.

CVE-2026-50751 Check Point Security Gateway
Fruition take

If any client perimeter is Check Point with IKEv1 remote-access enabled, patch and force a credential rotation for VPN users; disable IKEv1 where IKEv2 is viable.

04

PHP & CMS

wordpress · drupal · plugins · php frameworks

▲ headline

Critical unauthenticated auth bypass in UpdraftPlus (3M installs)

Wordfence disclosed an unauthenticated authentication bypass in UpdraftPlus, the WordPress backup plugin with 3M+ installs. Exploitation requires the site to have been previously connected to UpdraftCentral, the plugin's remote management dashboard — once that link exists, attackers can log in as any user including admins. A patch is available.

UpdraftPlus WordPress
Fruition take

For every managed WordPress site, check if UpdraftPlus is installed and whether UpdraftCentral was ever connected — if yes, update immediately and audit users/sessions created since the disclosure. Don't assume a disconnected key is safe.

TYPO3 ships coordinated 15-advisory batch including PHP object injection and Form Framework SQLi

TYPO3 released fixes across 10.4.57 ELTS through 14.3.3 LTS addressing 15 advisories. Highlights: insecure deserialization in VariableFrontend and Registry (CVE-2026-49740) enabling object-injection RCE when storage is writable; SQL injection and privilege escalation via the Form Framework (CVE-2026-49741, CVE-2026-11607, CVE-2026-47346) allowing admin account creation; broken access control in DataHandler, Media, and File Abstraction Layer.

Fruition take

Schedule TYPO3 upgrades to 13.4.31 / 14.3.3 this sprint. The Form Framework chain is the highest-risk path — any editor with form access can escalate to admin.

Mirasvit Magento cache plugin: unauthenticated PHP deserialization RCE added to KEV

CISA added CVE-2026-45247 to KEV — an unauthenticated PHP object deserialization in Mirasvit Full Page Cache Warmer for Magento, triggered via the CacheWarmer cookie, yielding remote code execution. Active exploitation confirmed.

CVE-2026-45247 Mirasvit Full Page Cache Warmer Magento
Fruition take

For any Magento sites carrying Mirasvit cache extensions, treat as compromised until reviewed: pull access logs for CacheWarmer cookie anomalies and patch or disable the extension immediately.
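The log pull described above, as an added example (not Mirasvit's, Magento's or CISA's code). It assumes an access-log format that records the Cookie request header (nginx `log_format` or Apache `%{Cookie}i`; the default combined format does not), and the sample lines are constructed with documentation IPs. The signature it looks for is a CacheWarmer value that decodes to a serialized PHP object, `O:<len>:"<class>":<n>:{`, whatever class is named; a legitimate value is assumed to be a short flag.

```python
"""Hunt web access logs for PHP-serialized objects in the CacheWarmer cookie.

Added example for the Mirasvit item, not vendor or CISA code. Assumed log
format: client_ip [timestamp] "request" status "cookie-header". The sample
lines are CONSTRUCTED; the object they carry is a plain stdClass, enough to
show the shape without being a working gadget chain.
"""
import re
from typing import Dict, List, Optional
from urllib.parse import unquote

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) "(?P<cookies>[^"]*)"$'
)
# Serialized PHP object, possibly nested inside an array: O:8:"stdClass":0:{
PHP_OBJECT = re.compile(r'O:\d+:"[A-Za-z0-9_\\]+":\d+:\{')

SAMPLE_LOG = """\
198.51.100.7 [14/Jun/2026:03:12:09 +0000] "GET /catalog/category/view/id/12 HTTP/1.1" 200 "PHPSESSID=k9s1; CacheWarmer=1"
203.0.113.45 [14/Jun/2026:03:12:11 +0000] "GET / HTTP/1.1" 200 "CacheWarmer=O%3A8%3A%22stdClass%22%3A1%3A%7Bs%3A1%3A%22x%22%3Bi%3A1%3B%7D"
198.51.100.9 [14/Jun/2026:03:13:40 +0000] "GET /checkout/cart/ HTTP/1.1" 200 "PHPSESSID=m2q7"
203.0.113.45 [14/Jun/2026:03:14:02 +0000] "GET /index.php HTTP/1.1" 500 "CacheWarmer=a%3A1%3A%7Bi%3A0%3BO%3A8%3A%22stdClass%22%3A0%3A%7B%7D%7D"
"""


def cookie_value(header: str, name: str) -> Optional[str]:
    """Return the raw (still URL-encoded) value of cookie `name`, or None."""
    for part in header.split(";"):
        key, _, value = part.strip().partition("=")
        if key == name:
            return value
    return None


def classify(raw_value: str) -> Optional[str]:
    """Reason to flag a CacheWarmer value, or None if it looks like a plain flag."""
    decoded = unquote(raw_value)
    if PHP_OBJECT.search(decoded):
        return "php_object"          # deserialization attempt, any class
    if len(decoded) > 256:
        return "oversized"           # not a flag; worth a look even if not an object
    return None


def scan_log(text: str) -> List[Dict[str, str]]:
    """Return one record per request whose CacheWarmer cookie is suspicious."""
    hits: List[Dict[str, str]] = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        raw = cookie_value(m["cookies"], "CacheWarmer")
        if raw is None:
            continue
        reason = classify(raw)
        if reason:
            hits.append({"ip": m["ip"], "ts": m["ts"], "request": m["req"],
                         "status": m["status"], "reason": reason, "cookie": unquote(raw)})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

The 500 on the second flagged request is the kind of detail to carry into triage: a deserialization probe that errors out looks different from one that returns 200 and then opens a follow-up session from the same source.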

Kirki WordPress plugin: unauthenticated privilege escalation via password reset

Wordfence disclosed an unauthenticated privilege escalation in the Kirki plugin introduced in the 6.0 release. The flaw lets attackers take over arbitrary accounts including admins by abusing the plugin's password reset flow. Roughly 150,000 of the 500K+ installs are on the vulnerable version range.

Kirki WordPress
Fruition take

If any client site is on Kirki >= 6.0, push the patched release this week and check wp_users.user_activation_key (where WordPress core stores password reset keys as timestamp:hash) for reset keys issued in the disclosure window, along with any plugin-specific user_meta the reset flow writes.
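One audit that serves both the UpdraftPlus take (users created since disclosure) and the Kirki take (reset keys issued in the window), as an added example that is not Wordfence's or either plugin's code. The wp_users and wp_usermeta rows are constructed and loaded into in-memory SQLite so it runs offline; the disclosure date is assumed. Against a live site run the same two queries through `wp db query` (MySQL wants `CAST(... AS UNSIGNED)` and a literal in place of `?`, and the capabilities meta key follows your table prefix). Session tokens live in the serialized `session_tokens` meta and are not parsed here.

```python
"""Audit WordPress users for post-disclosure admin creation and reset keys.

Added example; not Wordfence, UpdraftPlus or Kirki code. CONSTRUCTED rows are
loaded into SQLite. WordPress core stores reset keys in
wp_users.user_activation_key as "<unix_time>:<phpass hash>" and roles in the
serialized wp_capabilities meta; DISCLOSURE is an assumed date.
"""
import sqlite3
from datetime import datetime, timezone
from typing import Dict, List, Sequence, Tuple

DISCLOSURE = datetime(2026, 6, 12, tzinfo=timezone.utc)  # assumed disclosure date

# Constructed wp_users rows: (ID, user_login, user_registered, user_activation_key)
USERS: Sequence[Tuple] = [
    (1, "owner",        "2021-03-04 10:00:00", ""),
    (2, "editor-jane",  "2024-11-20 08:30:00", "1749800000:$P$BoldkeyHASHxxxxxxxxxxxxxxxxx"),
    (3, "wp-sys-admin", "2026-06-14 02:17:45", ""),
    (4, "editor-tom",   "2025-01-09 12:00:00", "1781395200:$P$BnewkeyHASHxxxxxxxxxxxxxxxxx"),
]
# Constructed wp_usermeta rows: (user_id, meta_key, meta_value)
USERMETA: Sequence[Tuple] = [
    (1, "wp_capabilities", 'a:1:{s:13:"administrator";b:1;}'),
    (2, "wp_capabilities", 'a:1:{s:6:"editor";b:1;}'),
    (3, "wp_capabilities", 'a:1:{s:13:"administrator";b:1;}'),
    (4, "wp_capabilities", 'a:1:{s:6:"editor";b:1;}'),
]

# Administrator accounts registered on or after the cutoff.
NEW_ADMINS_SQL = """
SELECT u.user_login, u.user_registered
FROM wp_users u
JOIN wp_usermeta m ON m.user_id = u.ID AND m.meta_key = 'wp_capabilities'
WHERE m.meta_value LIKE '%"administrator"%'
  AND u.user_registered >= ?
ORDER BY u.user_registered
"""
# Reset keys whose embedded issue time is on or after the cutoff.
# Pre-4.3 keys carry no timestamp and are skipped by the instr() guard.
RECENT_RESET_KEYS_SQL = """
SELECT user_login, user_activation_key
FROM wp_users
WHERE instr(user_activation_key, ':') > 0
  AND CAST(substr(user_activation_key, 1, instr(user_activation_key, ':') - 1) AS INTEGER) >= ?
ORDER BY ID
"""


def load_db(users: Sequence[Tuple], usermeta: Sequence[Tuple]) -> sqlite3.Connection:
    """Build an in-memory stand-in for the two WordPress tables."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE wp_users (ID INTEGER PRIMARY KEY, user_login TEXT,
                               user_registered TEXT, user_activation_key TEXT);
        CREATE TABLE wp_usermeta (user_id INTEGER, meta_key TEXT, meta_value TEXT);
    """)
    con.executemany("INSERT INTO wp_users VALUES (?,?,?,?)", users)
    con.executemany("INSERT INTO wp_usermeta VALUES (?,?,?)", usermeta)
    return con


def audit(con: sqlite3.Connection, since: datetime) -> Dict[str, List[str]]:
    """Logins of admins created since `since` and of users holding a reset key issued since then."""
    since_str = since.strftime("%Y-%m-%d %H:%M:%S")       # user_registered is DATETIME text
    since_epoch = int(since.timestamp())                    # reset key prefix is unix time
    new_admins = [row[0] for row in con.execute(NEW_ADMINS_SQL, (since_str,))]
    reset_keys = [row[0] for row in con.execute(RECENT_RESET_KEYS_SQL, (since_epoch,))]
    return {"new_admins": new_admins, "recent_reset_keys": reset_keys}


if __name__ == "__main__":
    print(audit(load_db(USERS, USERMETA), DISCLOSURE))
```

A hit in `recent_reset_keys` for an account whose owner did not request a reset is the Kirki indicator; a hit in `new_admins` that nobody on the client side recognises is the UpdraftPlus one. Neither query proves compromise on its own, but both are cheap enough to run across every managed site.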

05

Identity & Auth

oauth · saml · iam · session attacks

no entries this week

06

Threat Intel

active exploitation · breaches · ransomware

▲ headline

Ivanti Sentry RCE exploited within 24 hours of disclosure

CVE-2026-10520, an unauthenticated OS command injection in Ivanti Sentry (formerly MobileIron Sentry) giving root RCE, was exploited in the wild within a day of Ivanti's advisory and added to CISA KEV on June 11. Attackers appear to have pre-mapped exposed Sentry appliances. Sentry instances in unmanaged state with externally-reachable endpoints are at risk; mTLS with EPMM or restricted HTTPS via Neurons MDM blocks the path.

CVE-2026-10520 Ivanti Sentry MobileIron Sentry
Fruition take

If you operate or inherit Sentry appliances for any client, patch now and verify mTLS/EPMM enforcement is on. Review the appliance logs under /var/log for unexpected command execution originating from the management interface, back to June 10.

Source: cloud.google.com · KEV · CVSS 9.8
▲ headline

ShinyHunters exploited Oracle PeopleSoft zero-day against universities for weeks before patch

Mandiant/GTIG attributed an extortion campaign against higher-ed PeopleSoft tenants to UNC6240 (ShinyHunters), exploiting CVE-2026-35273 (CVSS 9.8) in the Environment Management Hub from May 27 through Oracle's June 10 advisory. The flaw is missing authentication on a critical function, allowing unauthenticated takeover. CISA added it to KEV on June 12. Activity targeted PSEMHUB endpoints; over 100 organizations were notified.

CVE-2026-35273 Oracle PeopleSoft Enterprise PeopleTools
Fruition take

If any client touches PeopleSoft — patch this week and assume PSEMHUB-exposed instances were already accessed. Pull authentication and outbound logs back to May 27 and look for data staging in /tmp.

Microsoft Patch Tuesday hits record 206 CVEs with three public zero-days

June 2026 Patch Tuesday addressed 206 CVEs, Microsoft's largest single cycle, including roughly three dozen critical-rated bugs and three that were publicly disclosed, with exploit code available, before the fix shipped. CrowdStrike's analysis flags multiple Windows kernel and Defender issues. The volume reflects AI-assisted discovery as much as a true spike in severity.

Microsoft Windows
Fruition take

Don't drown in the volume: triage on the three publicly disclosed items and any privilege-escalation bugs reachable from the helpdesk-tier user role. The rest can wait for normal monthly cycles.

PAN-OS CVE-2026-0257 under active exploitation

Unit 42 confirmed in-the-wild exploitation of CVE-2026-0257 in PAN-OS and published IoCs and mitigations. The advisory follows the pattern of perimeter-appliance zero-days that defined the week. Affected configurations should be patched and inspected for post-exploitation activity per Palo Alto's guidance.

CVE-2026-0257 Palo Alto Networks PAN-OS
Fruition take

Anyone running PAN-OS GlobalProtect or management interfaces reachable from the internet should patch and pull Unit 42's IoCs into detection this week.

UNC3753 (Luna Moth) vishing campaign targets US legal and financial firms

Mandiant documented a Jan–May 2026 extortion campaign by UNC3753 (Luna Moth / Silent Ransom Group) against dozens of US legal, financial, and professional services firms. Initial access is voice phishing — operators pose as IT support, get targets to share screens and install RMM tools, then exfiltrate data for extortion. No ransomware encryption; pure data theft.

Fruition take

Allowlist approved RMM tools (ScreenConnect, AnyDesk, Splashtop) at the EDR level for any enterprise client and alert on first-time execution. Brief help desks that legitimate IT will never request screen-share installs by phone.
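The allowlist-plus-first-seen rule above, as an added example (not Mandiant's or any EDR vendor's detection logic). The executable-to-product map is illustrative rather than a complete RMM inventory, the approved set is the client's assumed allowlist, and the events are constructed in a Sysmon-style shape (host, user, image path, parent image). It raises three kinds of alert: an RMM product that is not approved at all, an approved product launched from a user-writable path instead of an IT-deployed install location, and the first execution of any RMM product on a given host.

```python
"""First-seen and allowlist alerting for RMM tools from process-creation events.

Added example for the Luna Moth item; not Mandiant or EDR vendor code.
KNOWN_RMM is an illustrative executable -> product map, APPROVED the assumed
client allowlist, TRUSTED_PREFIXES the assumed IT install locations. EVENTS
are CONSTRUCTED.
"""
import ntpath
from typing import Dict, List, Set, Tuple

KNOWN_RMM: Dict[str, str] = {
    "screenconnect.clientservice.exe": "ScreenConnect",
    "screenconnect.windowsclient.exe": "ScreenConnect",
    "anydesk.exe": "AnyDesk",
    "srserver.exe": "Splashtop",
    "teamviewer.exe": "TeamViewer",
    "rustdesk.exe": "RustDesk",
}
APPROVED: Set[str] = {"ScreenConnect", "AnyDesk", "Splashtop"}
TRUSTED_PREFIXES = ("c:\\program files\\", "c:\\program files (x86)\\")

Event = Tuple[str, str, str, str]  # host, user, image, parent_image

EVENTS: List[Event] = [
    ("WS-01", "CORP\\jsmith", "C:\\Program Files (x86)\\ScreenConnect Client (1a2b3c)\\ScreenConnect.ClientService.exe", "C:\\Windows\\System32\\services.exe"),
    ("WS-01", "CORP\\jsmith", "C:\\Program Files (x86)\\ScreenConnect Client (1a2b3c)\\ScreenConnect.ClientService.exe", "C:\\Windows\\System32\\services.exe"),
    ("WS-02", "CORP\\tlee",   "C:\\Users\\tlee\\Downloads\\AnyDesk.exe", "C:\\Program Files\\Mozilla Firefox\\firefox.exe"),
    ("WS-03", "CORP\\mgray",  "C:\\Users\\mgray\\AppData\\Local\\Temp\\rustdesk.exe", "C:\\Windows\\explorer.exe"),
    ("WS-03", "CORP\\mgray",  "C:\\Windows\\System32\\notepad.exe", "C:\\Windows\\explorer.exe"),
]


class RmmDetector:
    """Stateful evaluator: remembers which (host, product) pairs have run before."""

    def __init__(self) -> None:
        self.seen: Set[Tuple[str, str]] = set()

    def evaluate(self, ev: Event) -> List[Dict[str, str]]:
        host, user, image, parent = ev
        product = KNOWN_RMM.get(ntpath.basename(image).lower())
        if product is None:
            return []  # not an RMM tool we track
        alerts: List[Dict[str, str]] = []

        def alert(kind: str, severity: str) -> None:
            alerts.append({"host": host, "user": user, "product": product, "image": image,
                           "parent": parent, "kind": kind, "severity": severity})

        if product not in APPROVED:
            alert("unapproved_rmm", "high")
        elif not image.lower().startswith(TRUSTED_PREFIXES):
            # Approved tool, but launched from Downloads/Temp/profile rather than an IT install
            alert("approved_rmm_unexpected_path", "medium")
        if (host, product) not in self.seen:
            self.seen.add((host, product))
            alert("first_seen_on_host", "low")
        return alerts


def run(events: List[Event]) -> List[Dict[str, str]]:
    """Evaluate events in order and return every alert raised."""
    detector = RmmDetector()
    out: List[Dict[str, str]] = []
    for ev in events:
        out.extend(detector.evaluate(ev))
    return out


if __name__ == "__main__":
    for a in run(EVENTS):
        print(a["severity"], a["host"], a["kind"], a["product"], a["image"])
```

In production the `seen` set is the EDR's or SIEM's baseline rather than in-process memory, and the browser parent on the AnyDesk event is the detail that ties it back to the vishing playbook: the victim downloaded and ran it during the call.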