Home / Episodes / Jun 12, 2026
Episode show notesJun 12's Top Cyber News NOW! - Ep 1152
At a glance
Fortinet patches critical sandbox RCE, npm disables install scripts by default to combat supply chain attacks, Shiny Hunters breaches University of Nottingham for 40GB of student data, China's fake job recruitment targeting US clearance holders gets shut down, and ransomware hits Australia's second-largest sugar producer mid-harvest season.
Stories covered
What critical vulnerability did Fortinet patch in its sandbox products?
What happened: Fortinet released security updates for vulnerabilities in FortiOS, FortiProxy, and FortiPortal, with the most severe being CVE-2024-21762 (CVSS 9.8)—an OS command injection flaw in FortiSandbox allowing remote unauthenticated attackers to execute arbitrary commands via specially crafted HTTP requests.
Why it matters: Unauthenticated remote code execution is a critical severity issue. However, EPSS scoring shows only a 2% likelihood of active exploitation in the next month, and the vulnerability is not yet on CISA's known exploited vulnerabilities list—meaning no active in-the-wild exploitation has been detected.
What to do: Patch immediately if you run Fortinet devices. If you operate these appliances, you likely already have a robust patching workflow; escalate this to your network engineering team today.
Why is npm disabling install scripts by default in version 12?
What happened: GitHub announced breaking changes to npm v12 that disable lifecycle install scripts by default, requiring explicit user approval before code execution during npm install. This targets the abuse of npm lifecycle hooks to trigger malicious code execution in supply chain attacks.
Why it matters: GitHub identified install-time lifecycle scripts as "the single largest code execution surface in the npm ecosystem." Supply chain attacks have surged dramatically; this change adds friction similar to AWS making S3 buckets private by default—a proven risk reduction technique.
What to do: Update your npm workflows and developer guidance. While this doesn't block packages with malware already baked in, it prevents attackers from pulling down and detonating secondary payloads during installation. Developers will need to consciously opt-in to allow scripts.
How did Shiny Hunters compromise University of Nottingham's student records?
What happened: The University of Nottingham confirmed a cyberattack on its student record system by Shiny Hunters, a threat actor group that exfiltrated approximately 40GB of data including billing records, credit card details, student finance data, and campus portal exports. The gang also compromised the university's Malaysia and China campuses.
Why it matters: Universities face endemic operational security challenges due to collaborative research requirements and large attack surfaces. Shiny Hunters is an equal-opportunity criminal group targeting any organization with accessible data; this represents a significant breach of sensitive PII at scale.
What to do: Monitor for now. If you work in higher education, assume similar exposure exists. Focus on identity and access management, data classification, and exfiltration detection—particularly targeting bulk data movements to external systems.
Why did the FBI shut down 13 Chinese recruitment websites targeting US security clearance holders?
What happened: The Justice Department announced seizure of 13 websites operating as part of a Chinese intelligence recruitment operation targeting current and former US government employees with access to classified information. The sites posed as legitimate consulting firms advertising jobs, offering cryptocurrency payments for sensitive information, and pressuring candidates to divulge nonpublic work details.
Why it matters: This is state-sponsored espionage masquerading as hiring scams. Multiple applicants recognized the suspicious tactics (crypto payments, unusual interview processes, pressure for sensitive data) and reported to the FBI, enabling law enforcement takedown before large-scale compromise.
What to do: Security practitioners with clearances should vet job opportunities carefully—legitimate employers don't request sensitive information during interviews or offer cryptocurrency payments. Report suspicious recruiter behavior to your security officer and the FBI immediately.
Why is ransomware hitting Australian sugar production mid-harvest?
What happened: Australia's second-largest sugar producer, Mackay Sugar, suffered a ransomware attack forcing two major mills to shut down during the critical start of the annual sugar crushing season, disrupting harvesting operations across one of the country's largest cane-growing regions.
Why it matters: Manufacturing and healthcare are top-tier ransomware targets because operational downtime directly translates to quantifiable financial loss. For 24/7 production facilities, attackers can demand millions based on per-hour revenue calculations. The threat actor remains unidentified but the impact is immediate and severe.
What to do: If you operate manufacturing or production environments, assume you are targeted. Implement OT/IT segmentation, offline backups, and detailed financial impact modeling so you can make rapid informed decisions if attacked. Mackay Sugar likely has a clear calculus on ransom vs. recovery costs given their production value.
What record fine did South Korea issue for Coupang's massive data breach?
What happened: South Korea's Personal Information Protection Commission fined e-commerce giant Coupang 624.6 billion won (approximately $49 million USD) for a data breach affecting 37+ million customers. A 43-year-old Chinese national who worked in Coupang's IT department between 2022 and 2024 is the primary suspect; he allegedly stole hard drives and a MacBook Air (which was recovered from a river after disposal).
Why it matters: This is the largest privacy fine in South Korean history and sets precedent for enforcement under PIPC regulations—comparable to GDPR enforcement in Europe. The fine encompasses insufficient access controls, failed security management, and obstruction of investigation.
What to do: If you handle South Korean citizen data, understand the PIPC regulatory framework now. Implement zero-trust privileged access management—if IT staff don't need access to production data or hardware, they shouldn't have it. Monitor for bulk data exfiltration, especially mass movements to personal cloud storage before departure.
Can automatic license plate readers now track individuals via phone and wearable Bluetooth signals?
What happened: Leonardo, a defense contractor, is seeking to augment automatic license plate readers (ALPRs) with a technology called SignalTrace that detects unique Bluetooth identifiers from phones, AirPods, smartwatches, and other wearables inside scanned vehicles, enabling law enforcement to identify specific drivers and passengers.
Why it matters: This transforms ALPRs from vehicle-tracking tools into comprehensive personal surveillance infrastructure. While marketed for law enforcement safety, the technology creates mass tracking capability and potential for abuse—political profiling, spousal surveillance, and targeting of organizing activities become trivial at scale.
What to do: Monitor this technology's deployment and regulatory treatment. Understand your exposure: if you carry Bluetooth-enabled devices, they can be passively tracked by this infrastructure. Advocate for transparency, logging, and judicial oversight requirements if your jurisdiction deploys SignalTrace.
Why do security teams struggle to engage in professional development despite budget increases?
What happened: ISC2 surveyed nearly 1,000 security leaders and found 73% report increased training budgets, yet 98% allow work-hour professional development—but 53% report operational barriers preventing actual participation. The report emphasizes continuous, bite-sized learning over bundled one-time training.
Why it matters: Security teams face a paradox: funding and policy support training, but operational demands prevent practitioners from stepping away. The defense posture requires constant wall presence; leaving for multi-week bootcamps creates coverage gaps that leadership won't tolerate.
What to do: Pursue continuous learning integrated into your daily workflow rather than off-site intensive training. Align skill development directly to business problems you're solving (e.g., building a detection use case while learning NIST CSF). Attend virtual summits during work hours, listen to threat briefings while monitoring, and frame learning as productivity multiplier rather than time away from work.
Key takeaways
- Fortinet's critical RCE in FortiSandbox is severe in theory but not yet actively exploited; EPSS scoring matters as much as CVSS for prioritization decisions.
- Supply chain attacks are reshaping open-source ecosystem defaults—npm's install script change mirrors S3 bucket precedent and will reduce but not eliminate attacks.
- Manufacturing ransomware hits are calculation-driven; a 24/7 facility losing $1M+ per day makes ransom math simple for attackers and defenders alike.
- State-sponsored recruitment scams (China targeting clearance holders) and insider threats (Coupang IT employee) remain brutally effective because they exploit human decision-making, not code.
- Mass surveillance technology (Leonardo's SignalTrace) will be deployed; understand your Bluetooth exposure and advocate now for oversight mechanisms.
Topics covered
Want the live experience? The Daily Cyber Threat Brief airs live every weekday at 5am PT / 8am ET on YouTube. 400+ practitioners join the chat in real time.