iRhythm Technologies, Jamf, ShapedPlugin, Tanium, Fortinet, Microsoft and Texas Parks and Wildlife Department: 22nd June – Threat Intelligence Report

iRhythm Technologies, Jamf, ShapedPlugin, Tanium, Fortinet, Microsoft and Texas Parks and Wildlife Department: 22nd June – Threat Intelligence Report

Cybersecurity Roundup: Major Breaches, AI Exploits, and Critical Vulnerabilities (Week of June 22)

This week’s cybersecurity landscape saw significant breaches, supply chain attacks, and emerging AI-driven threats, alongside critical vulnerabilities under active exploitation.

Major Breaches & Attacks

  • Texas Parks and Wildlife Department suffered a third-party breach via its license system vendor, exposing driver’s license details, passport numbers, emails, phone numbers, and addresses of 3.1 million hunting and fishing license customers. Social Security numbers and payment data remained unaffected.
  • ShapedPlugin, a WordPress plugin vendor, fell victim to a supply chain attack, delivering malicious updates for three paid plugins. The malware installed a hidden fake WooCommerce plugin to steal admin credentials, database access, and 2FA details, while modifying affected sites. The compromise stemmed from the vendor’s release infrastructure.
  • iRhythm Technologies, a U.S. digital health firm specializing in remote cardiac monitoring, confirmed a cyberattack where threat actors via a social engineering breach of third-party business applications stole protected health information, proprietary data, and personal records. Clinical systems were not impacted.
  • Klue, a market intelligence platform, disclosed a breach after attackers used compromised legacy integration credentials to steal OAuth tokens linked to customer Salesforce environments. The tokens enabled the theft of sales and customer data from clients, including Huntress, Recorded Future, Tanium, and Jamf. The Icarus extortion group claimed responsibility.

AI-Driven Threats

  • Microsoft researchers uncovered AutoJack, an exploit chain where malicious web pages turn AI browsing agents into remote code execution vectors by abusing localhost trust, missing authentication, and unsafe parameter handling in AutoGen Studio’s MCP WebSocket interface.
  • SearchLeak, a prompt injection technique in Microsoft 365 Copilot Search, was revealed to exfiltrate data including emails, authentication codes, and OneDrive/SharePoint files via crafted links abusing Bing image fetches. Microsoft patched the flaw as CVE-2026-42824.
  • Researchers analyzed OpenClaw AI agent flaws, demonstrating how hidden contacts and phishing emails could trigger prompt injections, code execution, and data leaks, exposing local tools, secrets, and enterprise data through trusted external interactions.

Critical Vulnerabilities & Exploits

  • Fortinet FortiSandbox vulnerabilities (CVE-2026-39813, CVE-2026-39808, CVE-2026-25089) are being exploited via unauthenticated API requests, enabling path traversal and root-level command execution, risking sandbox takeover and disruption of malware analysis and security workflows.
  • Microsoft confirmed CVE-2026-50656, a Defender zero-day allowing privilege escalation to SYSTEM via a race condition. A public proof-of-concept works on fully updated Windows 10 and 11, with a patch in development.
  • Cisco acknowledged active exploitation of CVE-2026-20262, an arbitrary file write flaw in Catalyst SD-WAN Manager. Authenticated attackers can overwrite system files and escalate to root, prompting patches for affected devices.
  • Splunk Enterprise’s CVE-2026-20253 is under active exploitation, allowing unauthenticated attackers to trigger file operations, potentially leading to remote code execution. Splunk confirmed limited attacks and released security updates.

Threat Intelligence Highlights

"id": "forshatanmicjamirhtex1782147825",
"linkid": "fortinet, shapedplugin, tanium, microsoft-security, jamf-software, irhythm-technologies-inc-, texas-medical-center",
"type": "Cyber Attack",
"date": "6/2026",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{'affected_entities': [{'customers_affected': '3.1 million',
                        'industry': 'Public Sector',
                        'location': 'Texas, USA',
                        'name': 'Texas Parks and Wildlife Department',
                        'type': 'Government Agency'},
                       {'industry': 'Software (WordPress Plugins)',
                        'name': 'ShapedPlugin',
                        'type': 'Vendor'},
                       {'industry': 'Healthcare',
                        'location': 'USA',
                        'name': 'iRhythm Technologies',
                        'type': 'Digital Health Firm'},
                       {'industry': 'Technology',
                        'name': 'Klue',
                        'type': 'Market Intelligence Platform'},
                       {'industry': 'Cybersecurity',
                        'name': 'Huntress',
                        'type': 'Cybersecurity Firm'},
                       {'industry': 'Cybersecurity',
                        'name': 'Recorded Future',
                        'type': 'Cybersecurity Firm'},
                       {'industry': 'Cybersecurity',
                        'name': 'Tanium',
                        'type': 'Cybersecurity Firm'},
                       {'industry': 'Technology',
                        'name': 'Jamf',
                        'type': 'Device Management'},
                       {'industry': 'Cybersecurity',
                        'name': 'Fortinet',
                        'type': 'Cybersecurity Firm'},
                       {'industry': 'Technology',
                        'name': 'Microsoft',
                        'type': 'Technology Company'},
                       {'industry': 'Technology',
                        'name': 'Cisco',
                        'type': 'Technology Company'},
                       {'industry': 'Technology',
                        'name': 'Splunk',
                        'type': 'Technology Company'}],
 'attack_vector': ['Third-Party Breach',
                   'Social Engineering',
                   'Compromised Credentials',
                   'Malicious Updates',
                   'Prompt Injection',
                   'Exploit Chain'],
 'data_breach': {'data_exfiltration': ['Yes'],
                 'number_of_records_exposed': '3.1 million',
                 'personally_identifiable_information': ['Yes'],
                 'sensitivity_of_data': ['High'],
                 'type_of_data_compromised': ['Driver’s license details',
                                              'Passport numbers',
                                              'Emails',
                                              'Phone numbers',
                                              'Addresses',
                                              'Protected health information',
                                              'Proprietary data',
                                              'Personal records',
                                              'Sales data',
                                              'Customer data',
                                              'OAuth tokens',
                                              'Admin credentials',
                                              'Database access',
                                              '2FA details']},
 'date_publicly_disclosed': '2024-06-22',
 'description': 'This week’s cybersecurity landscape saw significant breaches, '
                'supply chain attacks, and emerging AI-driven threats, '
                'alongside critical vulnerabilities under active exploitation.',
 'impact': {'brand_reputation_impact': ['Yes'],
            'data_compromised': ['Driver’s license details',
                                 'Passport numbers',
                                 'Emails',
                                 'Phone numbers',
                                 'Addresses',
                                 'Protected health information',
                                 'Proprietary data',
                                 'Personal records',
                                 'Sales data',
                                 'Customer data',
                                 'OAuth tokens',
                                 'Admin credentials',
                                 'Database access',
                                 '2FA details',
                                 'Wallet addresses'],
            'identity_theft_risk': ['Yes'],
            'operational_impact': ['Disruption of malware analysis and '
                                   'security workflows',
                                   'Sandbox takeover',
                                   'Privilege escalation',
                                   'File operations leading to RCE'],
            'payment_information_risk': ['No'],
            'systems_affected': ['License system vendor',
                                 'WordPress plugins',
                                 'Third-party business applications',
                                 'Salesforce environments',
                                 'Fortinet FortiSandbox',
                                 'Microsoft Defender',
                                 'Cisco Catalyst SD-WAN Manager',
                                 'Splunk Enterprise']},
 'motivation': ['Data Theft',
                'Extortion',
                'Financial Gain',
                'Credential Harvesting',
                'Remote Code Execution'],
 'post_incident_analysis': {'corrective_actions': ['Patch management',
                                                   'Credential rotation',
                                                   'Enhanced monitoring',
                                                   'Security updates'],
                            'root_causes': ['Third-party breach',
                                            'Social engineering',
                                            'Compromised legacy credentials',
                                            'Malicious updates',
                                            'Unpatched vulnerabilities']},
 'references': [{'date_accessed': '2024-06-22',
                 'source': 'Cybersecurity Roundup (Week of June 22)'}],
 'response': {'remediation_measures': ['Security updates released']},
 'threat_actor': ['Icarus extortion group'],
 'title': 'Cybersecurity Roundup: Major Breaches, AI Exploits, and Critical '
          'Vulnerabilities (Week of June 22)',
 'type': ['Data Breach',
          'Supply Chain Attack',
          'Cyberattack',
          'AI-Driven Threat',
          'Vulnerability Exploitation'],
 'vulnerability_exploited': ['CVE-2026-39813',
                             'CVE-2026-39808',
                             'CVE-2026-25089',
                             'CVE-2026-50656',
                             'CVE-2026-20262',
                             'CVE-2026-20253',
                             'CVE-2026-42824']}
Great! Next, complete checkout for full access to Rankiteo Blog.
Welcome back! You've successfully signed in.
You've successfully subscribed to Rankiteo Blog.
Success! Your account is fully activated, you now have access to all content.
Success! Your billing info has been updated.
Your billing was not updated.