Breach Roundup: ShinyHunters Leaks 26M MSG Records
Pooja Tikekar · 2026-06-19 · via GovInfoSecurity.com RSS Syndication


Also: Arch Linux Attack, Estonia Quarantines Russian Emails, Joomla Flaw
(@PoojaTikekar) • June 18, 2026

Every week, ISMG rounds up cybersecurity incidents and breaches around the world. This week, extortion gang ShinyHunters published alleged Madison Square Garden data. U.S. Sen. Mark Warner questioned whether staffing cuts are weakening CISA's support for state and local governments. A sprawling supply-chain attack compromised more than 1,500 Arch Linux packages, Australian sugar producer Mackay Sugar advanced recovery efforts after a ransomware attack and Microsoft faced scrutiny after a certificate lapse disrupted a key Microsoft 365 diagnostic site. Estonia will quarantine Russian emails while Novo Nordisk grappled with competing data theft claims from two cybercrime groups. Belarus-linked hackers targeted personal Gmail accounts in Poland, CISA ordered agencies to patch an actively exploited Joomla flaw and Kodak investigated a data breach claim. Researchers exposed the infrastructure behind a large-scale phishing operation.


ShinyHunters Publishes Madison Square Garden Data After Ransom Deadline Passes

Digital extortion gang ShinyHunters published what it claims is stolen Madison Square Garden Entertainment data after the organization allegedly declined to pay ransom.

The group claimed MSG - home of the New York Knicks, which just won its first NBA championship in 53 years - "failed to reach an agreement" despite "all the chances and offers we made," according to a posting on its leak site. The leak went public one day after the June 15 negotiation deadline expired.

The leaked dataset purportedly contains more than 26 million records, including ticketing operations, customer account details, and internal corporate documents tied to both the Knicks and the New York Rangers hockey franchise. ShinyHunters said the intrusion occurred on June 5.

The group posted more than 42 gigabytes of data on its leak site Tuesday. Files reference Knicks-related personalities alongside internal categorization fields that include address, claim to fame, cost of talent and direct contact information for those individuals or their representatives. Files indicate that actor Ben Stiller is categorized as "low risk" by MSG, while rapper A Boogie wit da Hoodie is categorized as "high risk."

A lawsuit filed Tuesday alleges that hackers accessed sensitive visitor data through MSG's surveillance and facial recognition systems. Plaintiff Carlos Avalos claims his personal information was collected when he attended a concert at MSG in September 2025 and alleges the company has not yet notified those affected.

ShinyHunters, active since at least 2019, is linked to multiple high-profile data breaches, including incidents affecting Okta, AT&T and Tokopedia. Its typical approach involves stealing sensitive data and using so-called "pay-or-leak" extortion tactics to pressure victims into paying.

The latest disclosure is the second major security incident to affect MSG in under a year. In 2025, the Cl0p ransomware group exploited an Oracle E-Business Suite vulnerability, exposing names and Social Security numbers for at least 38,393 individuals and ultimately leaking more than 210GB of archived MSG files after the organization declined to pay.

Warner Questions CISA's Ability to Support US States After Staff Cuts

Sen. Mark Warner, D-Va., is pressing the U.S. Cybersecurity and Infrastructure Security Agency for details on staffing cuts and vacancies, warning that workforce reductions may be weakening cyber support for state and local governments.

In a Tuesday letter to Acting CISA Director Nick Andersen, Warner requested data on vacancies, employee departures, regional office staffing and service delivery metrics for CISA headquarters and regional offices.

Cuts enacted to the agency since the start of the Trump administration, as well as the White House's decision to yank funding from the Multi-State Information Sharing and Analysis Center, demonstrate "a dangerous underestimation of the threats facing our nation from adversaries and criminals who seek to destabilize our national security, economy, public health and safety," Warner wrote.

Half of the agency's 10 regional directors are serving in acting roles, Warner noted. He asked CISA to disclose whether staff reductions have affected vulnerability scans, incident response, risk assessment, response times and service requests.

In separate letters to Homeland Security Secretary Markwayne Mullin and U.S. governors, Warner said many local governments cannot afford to pay MS-ISAC subscription fees. He said the change weakens cyber defenses at a time when state and local organizations remain frequent ransomware targets.

Supply-Chain Attack Hits More Than 1,500 Arch Linux Packages

A large-scale software supply-chain attack compromised more than 1,500 packages in the Arch User Repository, with attackers hijacking abandoned projects and modifying them to install malicious npm dependencies that deploy credential-stealing malware, security researchers at Sonatype found.

In the campaign dubbed "Atomic Arch," attackers targeted orphaned AUR packages, taking over legitimate but unmaintained projects and altering their PKGBUILD files to fetch a malicious npm package called atomic-lockfile during installation. Analysis showed the payload included capabilities for credential theft, stealth, anti-debugging and potential data exfiltration. A second wave of attacks later shifted to Bun-based installation paths using additional malicious packages.

Arch Linux said it experienced a surge of malicious package adoptions and updates in the repository and urged users to carefully review PKGBUILD and install script changes before updating packages. The project temporarily restricted several repository functions, including new account registrations, while maintainers investigated and removed malicious commits.

Researchers said the malware was designed to harvest credentials and developer secrets, with some analyses indicating support for eBPF-based functionality that could help attackers evade detection or establish persistence on infected Linux systems.
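One way to carry out the review Arch Linux asks for, as an added example that is not from the article, Sonatype or the Arch project: a POSIX shell scan of locally cloned AUR packages for PKGBUILD and .install lines that pull JavaScript packages at build or install time. The directory layout, the sample packages and the name placeholder-second-wave-pkg are constructed; only atomic-lockfile comes from the report, and the subcommand list is a heuristic.

```shell
#!/bin/sh
# Added example: flag AUR build files that download JavaScript packages.

# Package name reported in the article.
KNOWN_BAD='atomic-lockfile'
# Heuristic: npm/pnpm/yarn/bun subcommands that fetch or run remote code, plus npx/bunx.
JS_FETCH='(^|[^A-Za-z0-9_-])((npm|pnpm|yarn|bun)[ \t]+(install|i|add|ci|exec|x|dlx)([^A-Za-z0-9_-]|$)|(npx|bunx)[ \t])'

# scan_aur_tree DIR: prints "SEVERITY<TAB>file:line:text" for each suspicious line.
scan_aur_tree() {
    find "$1" -type f \( -name PKGBUILD -o -name '*.install' \) -exec \
        awk -v bad="$KNOWN_BAD" -v fetch="$JS_FETCH" '
            /^[ \t]*#/ { next }   # comment-only lines never execute
            {
                if ($0 ~ bad) sev = "KNOWN-BAD"
                else if ($0 ~ fetch) sev = "REVIEW"
                else next
                printf "%s\t%s:%d:%s\n", sev, FILENAME, FNR, $0
            }' {} +
}

# count_findings DIR SEVERITY: number of findings with that severity.
count_findings() {
    scan_aur_tree "$1" | awk -F'\t' -v s="$2" '$1 == s { n++ } END { print n + 0 }'
}

# Constructed sample packages (not real AUR content) for an offline run.
write_constructed_samples() {
    mkdir -p "$1/hijacked-tool" "$1/wave2-tool" "$1/clean-tool"
    cat > "$1/hijacked-tool/PKGBUILD" <<'EOF'
pkgname=hijacked-tool
pkgver=1.0
build() {
    cd "$srcdir" && npm install --silent atomic-lockfile
}
EOF
    cat > "$1/wave2-tool/wave2-tool.install" <<'EOF'
post_install() {
    bun add placeholder-second-wave-pkg
}
EOF
    cat > "$1/clean-tool/PKGBUILD" <<'EOF'
pkgname=clean-tool
makedepends=(npm bun)
# npm install was dropped upstream; nothing is fetched here
build() { make; }
EOF
}

# With an argument: scan that directory (e.g. an AUR helper's clone cache).
# Without one: run against the constructed samples.
if [ "$#" -gt 0 ]; then
    scan_aur_tree "$1"
else
    demo=$(mktemp -d) && write_constructed_samples "$demo" && scan_aur_tree "$demo"
    rm -rf "$demo"
fi
```

A REVIEW hit is not proof of compromise, since some legitimate packages build with npm or Bun; it marks the lines to read before running makepkg.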

Mackay Sugar Advances Recovery Efforts Following Cyberattack

Australian sugar producer Mackay Sugar said Wednesday it was making significant progress restoring systems and preparing for a staged restart of crushing operations following a cyberattack that disrupted milling activities and halted cane harvesting across its Queensland operations.

Ransomware group "The Gentlemen" claimed responsibility for the attack on the company, Australia's second-largest sugar producer. The group posted the company on its leak site, but no stolen data had been published yet. The attack caused many of the 1,300 farms that supply Mackay Sugar to pause harvesting, reported Australian public broadcaster ABC.

Microsoft Site Hit by Certificate Lapse

Microsoft's connectivity testing portal for Microsoft 365 began throwing browser security warnings after a TLS certificate expired and went unrenewed for more than a day.

The affected site, connectivity.office.com, is used by IT professionals and network administrators to test and troubleshoot network connectivity to Microsoft 365 services and verify that firewalls are not blocking access to Microsoft's cloud infrastructure. Visitors to the site were met with browser alerts flagging an invalid security certificate after the certificate expired on June 14. The issue reportedly persisted for roughly 35 hours before being addressed.

The lapse disrupted access to a diagnostic tool that administrators rely on to investigate connectivity issues, confirm firewall configurations and run network health checks.

Estonia to Quarantine Emails From Russian Servers Over Cybersecurity Risks

Estonia will begin routing emails sent from Russian .ru domains into quarantine before they reach public-sector inboxes, local media ERR reported. The measure takes effect Aug. 31.

Justice and Digital Affairs Minister Liisa Pakosta said the decision follows a continuous increase in malicious emails arriving through Russian servers since 2022. Legitimate messages will still be delivered but may require additional verification, introducing delays while reducing exposure to phishing and malware threats.

The Estonian Information System Authority warned in 2022 that Russian email services are frequently used in phishing campaigns and malware distribution. Pakosta said communications sent through Russian-hosted services could be accessible to Russian authorities.

Novo Nordisk Hit by Dual Breach Claims

Danish pharmaceutical maker Novo Nordisk is dealing with a double dose of serious breach headaches.

Less than 24 hours after cybercrime gang FulcrumSec began on Tuesday leaking data from what it claims is a 1.3 terabyte trove of stolen Novo Nordisk proprietary data, a second group, dubbed TheUSERS007, told Databreaches.net that it too recently stole a set of "crown jewel" data from the Danish drug maker (see: Ozempic Drug Maker Loses Clinical Trial Data in Hack).

TheUSERS007 claimed it gained access to Novo Nordisk's IT systems between June 5 and June 7 and used "venomware," which the gang described as "a self-learning, adaptive artificial intelligence engine," to surgically extract the drug company's intellectual property.

The threat actor told Databreaches.net that it demanded Novo Nordisk pay a $50 million ransom for the data the group allegedly stole, including 16.7GB of trained AI weights, full source code, SSH host keys, a 500-MB proprietary dataset and more.

Novo Nordisk on Tuesday told ISMG that it was aware of claims that data copied externally from its systems without authorization has been published online.

GhostWriter Shifts Focus to Gmail Accounts in Poland

Poland's national computer emergency response team warned that the Belarus-linked hacking group GhostWriter is targeting personal Gmail accounts belonging to public figures and their families.

Attackers have launched phishing campaigns since March aimed at government officials, journalists, researchers, public administration and law enforcement personnel and their social circles.

CERT Polska said GhostWriter is one of the most active state-sponsored threat groups targeting Poland. Researchers said they have observed new phishing domains appearing almost daily in recent weeks.

The phishing operations are designed to steal login credentials and two-factor authentication codes, enabling attackers to access victims' email accounts. Once inside, the hackers search for sensitive documents, contact networks and linked online accounts that can be used to identify additional targets or hijack social media profiles.

Also tracked as UNC1151 and Storm-0257, GhostWriter is linked to Belarusian intelligence services and has conducted cyberespionage and influence operations targeting Poland, Ukraine and Belarusian opposition groups.

CISA Flags Actively Exploited Joomla Flaw

The U.S. Cybersecurity and Infrastructure Security Agency ordered federal agencies to patch a critical vulnerability in the Joomla Content Editor plugin after confirming active exploitation in the wild.

The flaw, tracked as CVE-2026-48907, enables unauthenticated attackers to upload and execute malicious PHP code through improperly secured editor profiles. The vulnerability affects Joomla sites running the JCE WYSIWYG editor plugin and can be exploited using low-complexity attacks.

The issue was patched earlier this month in JCE Pro 2.9.99.6. The JCE security team urged users to update immediately, warning that public exploit code is available and attacks are being automated.

Researchers also cautioned that installing the update only blocks further exploitation and does not remove malware or backdoors already deployed on compromised systems.

Kodak Investigates Data Breach Claim

Kodak is investigating a cybersecurity incident after an unauthorized third party gained temporary access to a limited amount of company data, Kodak said.

The Rochester, New York-based imaging and printing firm said it has engaged external cybersecurity experts to determine what information was accessed or copied and is working with law enforcement. "We are confident the incident was limited in scope and has been contained and that there is no threat to our systems or operations as a result of the incident," it said in a prepared statement.

The company has not attributed the breach or disclosed how attackers gained access. The ShinyHunters extortion group claimed responsibility. On its dark web leak site, the group alleged it stole more than 2.2 million records containing customers' personally identifiable information and internal corporate data, threatening to publish the data if its demands are not met.

Researchers Detail Infrastructure Behind Poisson Campaign

Researchers at Cato CTRL uncovered the workings of a cybercriminal operation dubbed "Operation Poisson" after discovering an exposed server that provided access to the threat actor's infrastructure and operational data.

According to the firm, the server contained phishing kits, credential logs, configuration files, victim information and communications related to the operation. Analysis of the data showed that the actor primarily targeted users through phishing campaigns designed to steal account credentials and session data.

Researchers identified infrastructure used to host phishing pages, manage compromised accounts and collect stolen information. The operation relied on automation to process harvested credentials and track victims. Logs recovered from the server revealed thousands of credential theft attempts and provided visibility into how victims were funneled through phishing workflows.

The exposed data also included details about domains, hosting infrastructure and backend management systems used to support the campaigns. Researchers said the operator maintained organized records of stolen credentials and victim activity, suggesting a structured approach to managing the operation.


With reporting from ISMG's Anviksha More in Mumbai and Marianne Kolbasuk McGee in the Boston exurbs.