Weekly Threat Intelligence Roundup: ShinyHunters, Novo Nordisk, and Critical Patches Dominate June 15 Report
Check Point Research's weekly bulletin covers multiple incidents, including a ShinyHunters breach at the University of Nottingham, a Novo Nordisk data leak, and critical patches for LangGraph and Check Point VPN.
Check Point Research released its weekly threat intelligence bulletin on June 15, 2026, detailing a series of significant cybersecurity incidents and vulnerabilities. The report highlights a data breach at the University of Nottingham, where the ShinyHunters group exploited a critical zero-day vulnerability in Oracle PeopleSoft (CVE-2026-35273) to access the records of approximately 454,600 current and former students. Exposed data includes contact details, passport numbers, enrollment information, and fee payment records. This attack is part of a broader wave of ShinyHunters operations targeting over 100 organizations using the same PeopleSoft flaw, which Check Point IPS now protects against.
In a separate incident, Danish pharmaceutical giant Novo Nordisk disclosed a breach where attackers accessed internal IT systems and copied pseudonymized clinical trial data. The stolen information includes patient IDs, trial participation details, limited health data, and contact information for some healthcare professionals. The breach underscores the ongoing threat to sensitive research data in the pharmaceutical sector.
On the vulnerability front, Check Point Research demonstrated exploitable flaws in LangGraph, an open-source framework for stateful AI agents. Researchers chained SQL injection (CVE-2026-27022) and unsafe deserialization issues to achieve remote code execution. Patches have been issued for the affected SQLite, core, and Redis checkpointer components. Additionally, researchers warned about prompt-injection attacks against Anthropic's Claude Code GitHub Action, which could leak CI/CD workflow secrets by instructing the agent to read environment variables and expose API keys.
Active exploitation of CVE-2026-50751, a critical authentication bypass vulnerability in Check Point Remote Access VPN and Mobile Access deployments using the deprecated IKEv1 protocol, was linked to Qilin ransomware activity. Attacks began in May and increased in early June, affecting a limited number of organizations. Check Point IPS provides protection against this threat.
Microsoft's June Patch Tuesday was the largest to date, addressing over 200 vulnerabilities. Key fixes include CVE-2026-45657, a critical Windows flaw with a CVSS score of 9.8 that could enable network-based propagation, and CVE-2026-41091, which has been actively exploited to gain full system control. Veeam also released security updates for a critical flaw in Backup & Replication that allows authenticated domain users to execute code remotely on backup servers.
The bulletin also covers a supply-chain compromise in the Arch User Repository, where attackers seized hundreds of packages and modified build scripts to install credential-stealing malware, including an eBPF rootkit. Additionally, researchers analyzed a Brazilian phishing campaign abusing the legitimate NinjaOne remote management agent to gain access to company computers, and ongoing exploitation of WinRAR flaw CVE-2025-8088 by Russia-linked groups targeting Ukrainian military and government organizations.
Check Point Research's May 2026 attack trends report found that organizations experienced an average of 2,055 weekly attacks, down 7% month over month, while ransomware incidents increased 48% year over year. The report also highlights continued GenAI exposure across enterprise environments, including risks linked to business-related prompts.