Cybersecurity Roundup: Major Breaches, AI Exploits, and Critical Vulnerabilities (Week of June 22) This week’s cybersecurity landscape saw significant breaches, supply chain attacks, and emerging AI-driven threats, alongside critical vulnerabilities under active exploitation. ### Major Breaches & Attacks - Texas Parks and Wildlife Department suffered a third-party breach via its license system vendor, exposing driver’s license details, passport numbers, emails, phone numbers, and addresses of 3.1 million hunting and fishing license customers. Social Security numbers and payment data remained unaffected. - ShapedPlugin, a WordPress plugin vendor, fell victim to a supply chain attack, delivering malicious updates for three paid plugins. The malware installed a hidden fake WooCommerce plugin to steal admin credentials, database access, and 2FA details, while modifying affected sites. The compromise stemmed from the vendor’s release infrastructure. - iRhythm Technologies, a U.S. digital health firm specializing in remote cardiac monitoring, confirmed a cyberattack where threat actors via a social engineering breach of third-party business applications stole protected health information, proprietary data, and personal records. Clinical systems were not impacted. - Klue, a market intelligence platform, disclosed a breach after attackers used compromised legacy integration credentials to steal OAuth tokens linked to customer Salesforce environments. The tokens enabled the theft of sales and customer data from clients, including Huntress, Recorded Future, Tanium, and Jamf. The Icarus extortion group claimed responsibility. ### AI-Driven Threats - Microsoft researchers uncovered AutoJack, an exploit chain where malicious web pages turn AI browsing agents into remote code execution vectors by abusing localhost trust, missing authentication, and unsafe parameter handling in AutoGen Studio’s MCP WebSocket interface. - SearchLeak, a prompt injection technique in Microsoft 365 Copilot Search, was revealed to exfiltrate data including emails, authentication codes, and OneDrive/SharePoint files via crafted links abusing Bing image fetches. Microsoft patched the flaw as CVE-2026-42824. - Researchers analyzed OpenClaw AI agent flaws, demonstrating how hidden contacts and phishing emails could trigger prompt injections, code execution, and data leaks, exposing local tools, secrets, and enterprise data through trusted external interactions. ### Critical Vulnerabilities & Exploits - Fortinet FortiSandbox vulnerabilities (CVE-2026-39813, CVE-2026-39808, CVE-2026-25089) are being exploited via unauthenticated API requests, enabling path traversal and root-level command execution, risking sandbox takeover and disruption of malware analysis and security workflows. - Microsoft confirmed CVE-2026-50656, a Defender zero-day allowing privilege escalation to SYSTEM via a race condition. A public proof-of-concept works on fully updated Windows 10 and 11, with a patch in development. - Cisco acknowledged active exploitation of CVE-2026-20262, an arbitrary file write flaw in Catalyst SD-WAN Manager. Authenticated attackers can overwrite system files and escalate to root, prompting patches for affected devices. - Splunk Enterprise’s CVE-2026-20253 is under active exploitation, allowing unauthenticated attackers to trigger file operations, potentially leading to remote code execution. Splunk confirmed limited attacks and released security updates. ### Threat Intelligence Highlights - A crypto clipboard hijacker, written in Rust and targeting Windows and macOS, was distributed via phishing sites and amplified on GitHub, SourceForge, YouTube, and legitimate news platforms. The malware swaps copied wallet addresses to redirect funds to attacker-controlled wallets.

iRhythm Discloses Data Breach Involving Patient and Proprietary Information iRhythm Technologies (Nasdaq: IRTC), a manufacturer of long-term cardiac monitoring devices, revealed on June 8 that it detected unauthorized access to data stored on certain third-party-hosted business applications. The company immediately activated its cybersecurity response plan and engaged external experts to investigate and contain the threat. By June 9, a threat actor contacted iRhythm, claiming to have exfiltrated sensitive data including proprietary information and protected health information (PHI) and demanded payment to prevent public disclosure. The following day, iRhythm confirmed that data had been stolen and classified the incident as material due to the volume of potentially affected records. The breach, which resulted from social engineering tactics, did not impact iRhythm’s clinical or medical device systems, patient safety, manufacturing operations, or financial reporting. The company also confirmed that no financial account or payment card information was compromised. As of the latest filing, there is no evidence of ongoing unauthorized access, and iRhythm maintains that the incident is unlikely to have a material financial impact. The company holds cybersecurity insurance, though coverage for all potential losses is not guaranteed. This incident adds to a growing trend of cyberattacks targeting medical technology firms. Earlier this year, Stryker suffered a wiper attack by an Iranian-backed hacktivist group in retaliation for U.S. and Israeli actions against Iran. Intuitive Surgical and Medtronic also reported breaches in March and April, respectively, though there is no indication that these incidents are connected.