This Week in Cybersecurity: The First Fully AI-Run Ransomware Attack, 3.8-Million-Record Breach, and a Device Proxy Botnet Goes Dark
By Mollie Horne
The skill floor for running a ransomware attack just dropped to whatever it costs to rent an AI agent.
This week, researchers at Sysdig disclosed the first documented ransomware operation run start to finish by a large language model with no human at the keyboard — an agent that broke into an exposed server, stole credentials, moved laterally, and encrypted a production database using a key it never bothered to save, making the data unrecoverable even if the victim pays. That wasn't the only story about attackers turning trust into leverage: Medtronic began notifying 3.8 million people that ShinyHunters walked out with their personal and medical information back in April, a Fortinet credential-harvesting campaign we first flagged in June turned out to be feeding two active ransomware gangs, a critical SharePoint flaw Microsoft called "less likely" to be exploited is now on CISA's must-patch list after attackers proved otherwise, and DHS confirmed hackers sat undetected for weeks inside a federal information-sharing network that's currently supporting World Cup security planning.
The common thread this week is automation cutting both ways. Attackers are using AI agents and purpose-built tools to compress attack timelines from weeks to minutes, while defenders and law enforcement scored a real win by dismantling a 2-million-device proxy network that criminal groups had been renting by the hour to hide their tracks. Here's what you need to know.
Explore this content with AI:
ChatGPT | Perplexity | Claude | Google AI Mode
JADEPUFFER: Sysdig documents the first fully agentic ransomware attack... and the victim can't pay their way out
On July 1, 2026, the Sysdig Threat Research Team published details of what they assess to be the first documented case of agentic ransomware — an extortion operation driven end-to-end by an AI agent with no human operator directing individual steps. The campaign, dubbed JADEPUFFER, gained initial access through an exposed Langflow AI-workflow server via CVE-2025-3248, then an autonomous agent handled reconnaissance, credential theft, lateral movement, persistence, and privilege escalation on its own, adapting in real time when steps failed. In one recorded sequence, the agent went from a failed login attempt to a working exploit in 31 seconds. Once it reached the target's production database server, the agent encrypted 1,342 Nacos service configuration items using MySQL's AES_ENCRYPT function, deleted the original tables, and dropped an extortion note into a new table containing a ransom demand, a Bitcoin address, and a Proton Mail contact.
There's a twist that makes this more than a proof of concept: the AES encryption key was generated essentially at random, printed once to the agent's console output, and never saved or transmitted anywhere. That means the victim cannot recover the encrypted data even if they pay the ransom — the agent destroyed the only copy of the key required to reverse its own attack.
Why it matters: This isn't a theoretical AI-security exercise — it's a working demonstration that the technical skill required to run a full ransomware operation has collapsed to "whatever it costs to run an agent." The target here was neglected: internet-facing infrastructure, which is exactly the kind of asset most organizations underinvest in monitoring. Inventory and patch any internet-facing AI workflow or orchestration tooling (Langflow and similar platforms) now, and treat "nobody would bother attacking this obscure service" as an assumption you can no longer afford to make.
Read more at BleepingComputer
Medtronic notifies 3.8 million people after ShinyHunters breach, part of a campaign that has now hit more than 40 organizations
Medtronic has begun notifying more than 3.8 million individuals that their personal and medical information was exposed in a breach the medical device maker first detected on April 15, 2026, after an unauthorized party accessed corporate IT systems between April 13 and April 19. The extortion group ShinyHunters claimed responsibility and alleged that more than 9 million records were taken, a figure Medtronic has not confirmed. Exposed data includes names, contact details, and dates of birth; Medtronic says its medical devices themselves were not affected and remain safe to use. Affected individuals are being offered 24 months of credit monitoring and identity theft protection.
The Medtronic breach is one entry in a much larger campaign: ShinyHunters has used three recurring playbooks — voice-phishing for SSO credentials, Salesforce Experience Cloud misconfigurations, and OAuth supply chain attacks — to breach more than 40 organizations in 2026, a tally that includes Canvas/Instructure (275 million student records), Carnival (6 million passengers), ADT (5.5 million customers), and a separate zero-day campaign against Oracle PeopleSoft systems that has reportedly hit more than 100 organizations, including the National Association of Insurance Commissioners.
Why it matters: ShinyHunters isn't slowing down, and the group's success has come almost entirely from abusing legitimate access paths — SSO, OAuth tokens, misconfigured cloud platforms — rather than novel exploits. If your organization uses Salesforce, Oracle PeopleSoft, or SSO-based vendor support desks, this is a good week to audit OAuth token scopes, review recent access logs for anomalous exports, and confirm your help desk has a verification process that can't be talked around with a phone call.
Read more at HIPAA Journal
FortiBleed credential-theft campaign we covered in June is now confirmed to be feeding the INC and Lynx ransomware gangs
We first covered the FortiBleed campaign in our June 23 post, when it appeared to be a large-scale credential-harvesting operation targeting Fortinet devices. New research published this week shows it's bigger and more dangerous than first understood: the initial access broker behind FortiBleed built a custom Golang tool called FortigateSniffer that abuses FortiOS's native diagnose sniffer packet command to passively intercept authentication traffic across two dozen protocols. Researchers now assess the campaign targeted roughly 430,000 FortiGate firewalls globally and gathered more than 110 million credentials, with the sniffer tool installed on an estimated 12,000 devices. Scanning activity hit approximately 11,250 FortiGate portals in more than 150 countries, resulting in confirmed admin-level access on 409 targets and a completed attack chain on 354 of them.
The new and more urgent detail: an operator with access to FortiBleed's infrastructure was found logged into the negotiation panels of both the INC Ransom and Lynx ransomware operations, and victims listed by INC Ransom overlap with data collected in the credential campaign. At least 12 ransomware deployments have already resulted from this access, encrypting hundreds of endpoints.
Why it matters: FortiBleed is a clear example of the initial-access-broker economy at work — credential theft and ransomware deployment are now separate businesses that transact with each other, sometimes within days. If your organization runs internet-facing FortiGate devices, treat this as confirmation that stolen credentials are being actively resold for ransomware access: rotate all Fortinet admin credentials, confirm MFA is enforced, and audit for the "diagnose sniffer packet" command being run against your own gear.
Read more at SecurityWeek
SharePoint RCE Microsoft called "less likely" to be exploited lands on CISA's must-patch list after attackers proved otherwise
On July 1, 2026, CISA added CVE-2026-45659, a deserialization remote code execution flaw in Microsoft SharePoint Server (CVSS 8.8), to its Known Exploited Vulnerabilities catalog after confirming active exploitation, giving federal agencies until July 4 to patch. The bug affects SharePoint Server Subscription Edition, SharePoint Server 2019, and SharePoint Enterprise Server 2016, all of which Microsoft patched in an out-of-band update in May. An authenticated attacker with only Site Member–level permissions can send a crafted request containing a malicious serialized payload to achieve code execution in the context of the SharePoint service — Microsoft's own advisory had rated exploitation as "less likely," a characterization the KEV listing has now undercut. Observed post-exploitation activity includes attackers deploying Velociraptor, Cloudflare Tunnels, Zoho Assist, and SSH access via Visual Studio Code to maintain persistence and move laterally.
Why it matters: A patch shipping in May and a KEV listing in July mean organizations had roughly six weeks between "fix available" and "attackers are using it," which is a familiar and shrinking window. Low privilege requirements make this an easy target for anyone who already has a foothold, including a compromised low-level account. Confirm that the May out-of-band update has been applied to every on-premises SharePoint instance, and verify the specific post-exploitation tooling named above rather than relying on patch status alone as proof of a clean environment.
Read more at The Hacker News
FBI and Google dismantle NetNut, a 2-million-device residential proxy network rented out by criminal and espionage groups
On July 2, 2026, the FBI seized domains tied to NetNut — also tracked as Popa — a residential proxy service run through the publicly traded Israeli company Alarum Technologies, in a coordinated takedown with Google's Threat Intelligence Group (GTIG). GTIG estimates the network spanned at least 2 million devices worldwide, including smart TVs and streaming boxes, routing paying customers' traffic through unsuspecting homeowners' internet connections. In a single week in June, GTIG counted 316 distinct threat clusters — a mix of cybercriminal and espionage groups — using suspected NetNut exit nodes to mask their location while running password-guessing attacks against other targets. The FBI, working with Lumen Technologies, the Shadowserver Foundation, and the IRS Criminal Investigation division, seized netnut.com and sister domains proxyjet.io and divinetworks.com. Google disabled accounts tied to NetNut's control infrastructure and flagged its SDK in Play Protect. Alarum says it is cooperating with the investigation.
Why it matters: Residential proxy networks are the infrastructure layer that makes many other attacks — credential stuffing, geofencing bypass, botnet command-and-control — harder to detect because the traffic appears to come from an ordinary home connection rather than a data center. Taking one of the largest such networks offline is a genuine disruption, but the underlying business model (renting access to compromised or SDK-bundled consumer devices) isn't going away. If your fraud or detection tooling relies on IP reputation, expect a temporary dip in evasive traffic followed by migration to competing proxy services.
Read more at The Register
DHS confirms hackers breached the Homeland Security Information Network, undetected for weeks
The Department of Homeland Security has confirmed that hackers breached the Homeland Security Information Network (HSIN), the platform federal, state, local, and private-sector partners use to share sensitive — though unclassified — intelligence, including systems currently supporting World Cup security planning. The intrusion is believed to have occurred between late May and early June and went undetected for weeks; attackers also reached a SharePoint system HSIN partners use for collaboration. DHS says classified networks were not affected and that it has isolated the impacted systems, but has not attributed the breach to any actor, and it remains unclear whether documents were taken. Sen. Mark Warner, ranking member of the Senate Intelligence Committee, has publicly warned that the exposure "risks national security" despite the data's unclassified status.
Why it matters: An unattributed, multi-week dwell time within a platform that many agencies rely on for coordination is a reminder that "unclassified" doesn't mean low-value — HSIN's whole purpose is to aggregate sensitive operational detail across organizations that wouldn't otherwise share it. If your organization exchanges intelligence or coordination data with DHS or state/local partners through HSIN, watch for official guidance on whether any of your shared data was exposed.
Read more at BleepingComputer
Final thoughts
This week cuts both ways on automation. JADEPUFFER shows that an AI agent can now run a complete ransomware operation against neglected infrastructure without human direction — and do so in a way that makes recovery impossible, even for a paying victim. FortiBleed shows the human side of that same economy still thriving: credential theft and ransomware deployment functioning as separate, transacting businesses. Meanwhile, ShinyHunters keeps proving that the fastest way into an organization is rarely a novel exploit — it's SSO, OAuth, and a help desk that can be talked into resetting the wrong thing. And DHS's own information-sharing platform sat compromised for weeks before anyone noticed, a reminder that even the agencies coordinating everyone else's defense aren't exempt from dwell time.
The one piece of good news is that disruption is still possible at scale: the NetNut takedown pulled a two-million-device proxy network offline in a single coordinated action. That's a reminder that the infrastructure attackers depend on — proxy networks, initial-access marketplaces, negotiation panels — is itself a target, and it can be dismantled when defenders and law enforcement move together.
Check back next Tuesday for the next installment of This Week in Cybersecurity.
Ready to see how OpenVPN can help protect your organization from attacks?
Try the self-hosted Access Server solution or managed CloudConnexa service for free — no credit card required.
See Which One is Right for You