Transport Hack Guilty, Tata Data Leaked, Bajaj Ransomware Attack
Quick Answer
The transport hack case ended with guilty pleas, while separate cyberattacks exposed confidential Tata Electronics data and hit Bajaj Auto with ransomware, highlighting the growing threat of sophisticated cybercrime targeting major organizations.
Here’s your weekly roundup of the biggest cybersecurity stories making waves right now — from one of the largest firewall credential heists in history to teenage hackers finally facing justice, and a wave of ransomware hitting India’s biggest manufacturers. Buckle up.
Scattered Spider Teens Plead Guilty on Day One of Trial Over London Transport Hack
Two young members of the Scattered Spider cybercrime gang avoided a six-week trial by changing their pleas to guilty on the first day of proceedings. Thalha Jubair (20) and Owen Flowers (18) breached Transport for London (TfL) systems between August 31 and September 3, 2024, causing millions of pounds in losses.
The breach exposed customer information, affected around 10 million commuters, forced 28,000 employees to reset passwords, and resulted in roughly £29 million in damages and recovery costs.
Evidence recovered from Flowers’ personal devices left little room to contest the charges. Investigators found a laptop holding a screenshot that showed connectivity to TfL infrastructure, evidence of access to a marketplace selling stolen credentials, and videos recorded by Flowers that allegedly showed Jubair accessing TfL systems during the attack.
Jubair is also wanted in the U.S. for alleged computer fraud, wire fraud, and money laundering involving 120 network intrusions against 47 U.S. entities, resulting in at least $115 million in ransom payments. Both defendants are due to be sentenced on July 16.

Tata Electronics Breached — Apple and Tesla Confidential Files Leaked Online
India’s Tata Electronics, a key supplier to Apple and Tesla, confirmed a major cybersecurity incident after the World Leaks data-extortion group published what it claimed was a haul of sensitive corporate data on the dark web. The leaked dataset reportedly comprises more than 200,000 files totaling 630 GB, including proprietary Apple and Tesla documents as well as internal company records.
A 52-page document allegedly bore Apple proprietary markings and detailed quality inspection standards for iPhone circuit board components. The Tesla-related data reportedly included engineering drawings related to Project Highland, Tesla’s internal codename for the revamped Model 3 sedan.
Tata Electronics currently accounts for roughly a third of Apple’s iPhone production in India. Apple’s security team is reported to be working directly with Tata on near- and long-term security measures. The manufacturing operations were said to remain unaffected, though the data exposure has raised serious supply chain security concerns across the industry.
Bajaj Auto Hit by Ransomware Just Hours After Tata Electronics Breach
In an alarming one-two punch for Indian manufacturing, Bajaj Auto said a ransomware attack occurred on June 23 at around 8:00 AM IST, affecting its own systems and those of Bajaj Auto Technology. The company activated its cybersecurity response protocols and reported the incident to India’s CERT-In.
Bajaj Auto is one of India’s largest vehicle manufacturers, producing motorcycles, scooters, and commercial vehicles, and is also the world’s largest manufacturer of three-wheelers. The company has not disclosed whether customer data was compromised or whether a ransom demand was received. The back-to-back incidents at two of India’s most prominent manufacturers have placed a sharp spotlight on the cybersecurity resilience of the country’s industrial sector.
Europol Smashes Amadey and StealC Infostealer Network — 27 Million Stolen Credentials Recovered
In a major win for law enforcement, a coordinated international operation under Operation Endgame took down the infrastructure behind Amadey and StealC, two widely used information-stealing malware families. The action identified and froze €41 million ($46.5 million) in crypto assets, recovered 27 million stolen login credentials, and seized 326 servers and 142 domains.
In the first two weeks of May 2026, Amadey and StealC were linked to over 140,000 infected computers worldwide. Europol coordinated the operation alongside Germany’s Federal Criminal Police Office and a roster of private sector partners including Microsoft, Bitsight, ESET, IBM X-Force, and Proofpoint.
In a notable twist, Microsoft used AI, including Copilot, to analyze the malware, compressing tasks that normally took hours or days into minutes and ultimately allowing investigators to treat both malware families as part of a single conspiracy. “Together, they form a critical link in the cybercrime supply chain,” Europol noted.
Cisco Unified CM Flaw Being Actively Exploited in the Wild — CISA Issues Emergency Deadline
A high-severity vulnerability in Cisco’s enterprise communications platform crossed from theoretical to actively exploited this week. The flaw, tracked as CVE-2026-20230, is a server-side request forgery (SSRF) in Cisco Unified Communications Manager that allows an unauthenticated, remote attacker to send a crafted HTTP request, write files to the underlying operating system, and ultimately escalate privileges to root.
CISA added CVE-2026-20230 to its Known Exploited Vulnerabilities catalog, setting an urgent June 28 remediation deadline for all federal agencies under Binding Operational Directive 26-04. Cisco had patched the issue on June 3, but exploitation began over the weekend of June 21–22, with active attacks observed from a single threat actor using proof-of-concept (PoC) payloads. Organizations running Cisco Unified CM should upgrade to the fixed releases, 14SU6 or 15SU5, without delay.
Russia’s Turla Spy Group Deploys Brand-New STOCKSTAY Backdoor Against Ukraine
Google’s Threat Intelligence Group (GTIG) has pulled back the curtain on a previously undocumented cyberespionage tool deployed by Russia’s FSB-linked Turla group. The .NET backdoor, called STOCKSTAY, has been deployed against government and military organizations in Ukraine and entities with an interest in Italian foreign policy. It shares significant code and functional overlaps with Kazuar, a Turla staple implant in use since 2017.
STOCKSTAY runs only on weekdays between 9 AM and 6 PM, deliberately matching business hours so that its activity blends into normal working-day traffic and avoids detection. The malware was originally disguised as a stock market data viewer but has evolved: updated variants were found posing as PDF viewers and calculator utilities, showing how the group continuously adapts its lures.
Initial infection vectors have included phishing emails carrying malicious .rdp file attachments and RAR archives that exploited WinRAR vulnerabilities. GTIG has confirmed that affected Google account holders in Ukraine were notified directly.
24 Billion Usernames and Passwords Surface in Colossal Dark Web Data Leak
One of the largest credential dumps ever recorded emerged this week: a compilation of 24 billion records, including usernames and passwords. Security researchers have linked it to aggregated data from multiple prior breaches, combined and uploaded to dark web forums where threat actors can purchase or freely download the credential sets.
At that scale it is very likely that credentials for millions of everyday users, from email accounts to banking platforms, are now circulating in criminal marketplaces. Security experts are urging individuals and organizations alike to audit password reuse immediately, enforce multi-factor authentication, and check their exposure through breach monitoring services. Strong email authentication policies, including DMARC, remain a critical first line of defense against attackers weaponizing exposed credentials for phishing and account takeover attacks.
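As an added illustration of the "check your exposure" advice above (example code written for this roundup, not code from the original article or from Have I Been Pwned): the Pwned Passwords range API lets you test a password without ever sending it, or its full hash, to the service. The client sends only the first five hex characters of the password's SHA-1 and compares the remaining 35 characters locally against the suffixes returned for that prefix. The range responses below are constructed for the example, with invented counts; the offline_fetch_range stand-in is where a real HTTP GET to api.pwnedpasswords.com/range/<prefix> would go. A small reuse check is included because the article pairs the two recommendations.

```python
"""Check passwords against a Pwned Passwords-style range response using k-anonymity.

Added example, not code from the original article or from Have I Been Pwned.
The range data below is constructed for the demo (counts are invented); the first
suffix in the 5BAA6 range completes the SHA-1 of the literal string "password".
"""
import hashlib
from typing import Callable

SAMPLE_RANGES = {
    "5BAA6": (
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:10434004\r\n"
        "1F0C5E5F5D4B0A3B3F2D1E0C9B8A7F6E5D4:3\r\n"
        "2A7C3E4D5F6A7B8C9D0E1F2A3B4C5D6E7F8:1\r\n"
    ),
}


def sha1_prefix_suffix(password: str) -> tuple[str, str]:
    """Uppercase SHA-1 split into the 5-char prefix that is sent and the 35-char
    suffix that never leaves the client."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> dict[str, int]:
    """Turn 'SUFFIX:COUNT' lines (CRLF or LF separated) into a suffix -> count map."""
    table: dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, sep, count = line.partition(":")
        if sep != ":" or len(suffix) != 35:
            raise ValueError(f"malformed range line: {line!r}")
        table[suffix.upper()] = int(count)
    return table


def offline_fetch_range(prefix: str) -> str:
    """Stand-in for GET https://api.pwnedpasswords.com/range/<prefix>.
    Replace with a real HTTP call; only the 5-char prefix crosses the wire."""
    return SAMPLE_RANGES.get(prefix, "")


def breach_count(password: str,
                 fetch_range: Callable[[str], str] = offline_fetch_range) -> int:
    """How many times the password appears in the corpus; 0 means not found.
    The suffix comparison happens locally, so the service learns nothing usable."""
    prefix, suffix = sha1_prefix_suffix(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


def audit_passwords(passwords: dict[str, str],
                    fetch_range: Callable[[str], str] = offline_fetch_range) -> dict[str, int]:
    """Audit a label -> password map (e.g. a password-manager export) and return
    only the entries that are known-breached, with their counts."""
    hits: dict[str, int] = {}
    for label, pw in passwords.items():
        n = breach_count(pw, fetch_range)
        if n:
            hits[label] = n
    return hits


def find_reused(passwords: dict[str, str]) -> list[list[str]]:
    """Groups of labels that share one password. Grouped by hash so the
    plaintext is never echoed into a report."""
    by_hash: dict[str, list[str]] = {}
    for label, pw in passwords.items():
        by_hash.setdefault(hashlib.sha1(pw.encode("utf-8")).hexdigest(), []).append(label)
    return sorted(labels for labels in by_hash.values() if len(labels) > 1)


if __name__ == "__main__":
    # Constructed credentials for the demo run.
    vault = {"email": "password", "forum": "password", "bank": "tr0ub4dor&3-but-longer"}
    print("breached:", audit_passwords(vault))
    print("reused:", find_reused(vault))
```

In a real run the only thing sent to the service is the five-character prefix, which matches roughly one in a million of all possible SHA-1 values, so the service cannot tell which password was checked. The breach count is a useful triage signal: anything above zero should be rotated, and a count in the millions means the password is in every cracker's wordlist.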
Trump Signs Executive Order Setting 2030 Deadline for Post-Quantum Cryptography Migration
The White House moved decisively on the quantum computing threat this week. President Trump signed an executive order setting ambitious deadlines for how quickly federal agencies and government contractors must adopt quantum-resistant encryption algorithms, requiring key establishment to transition by December 31, 2030, and digital signatures by December 31, 2031.
The order is driven by the “harvest now, decrypt later” threat, in which adversaries collect encrypted data today intending to decrypt it once quantum computers become capable enough. The Global Risk Institute’s 2025 Quantum Threat Timeline report found that the security specialists it surveyed consider a cryptographically relevant quantum computer likely to arrive within 15 years. Organizations holding sensitive, long-lived data are advised not to wait for government mandates before starting their own post-quantum migration planning.
ShinyHunters Ransomware Goes on a College Rampage — Hundreds of Thousands of Student Records Stolen
The ShinyHunters ransomware group continued its aggressive campaign against educational institutions this week. Houston City College became a target of a ransomware attack orchestrated by ShinyHunters, with the group claiming to have stolen hundreds of thousands of student records, including full names, home addresses, phone numbers, email addresses, dates of birth, gender, ethnicity, enrollment status, GPA, major, and student ID across all campuses.
Illinois Central College was separately targeted, with ShinyHunters claiming to have stolen over 28 GB of sensitive HR and payroll data. Glendale Community College also became a victim in the same campaign. The pattern is clear: educational institutions with limited cybersecurity budgets are being systematically targeted. Institutions are urged to segment networks, enforce email authentication, and ensure student and employee data is encrypted at rest.
New “DirtyClone” Linux Kernel Flaw Lets Local Users Gain Root Privileges
A newly disclosed Linux kernel vulnerability has security teams scrambling to patch. Dubbed DirtyClone and tracked as CVE-2026-43503 (CVSS 8.8), the flaw lets a local user corrupt file-backed memory through a cloned network packet and gain root. The exploit is reported to work on Debian, Ubuntu, and Fedora systems with default namespace configurations.
The vulnerability belongs to the DirtyFrag family, and a working proof-of-concept exploit was published on June 25. The flaw is particularly concerning on shared servers and multi-tenant container hosts, where workloads belonging to different users run on the same underlying kernel. Linux administrators should apply kernel patches without delay and monitor for signs of local privilege escalation attempts.
WordPress Plugin Supply Chain Attack Backdoors Thousands of Sites
Multiple WordPress plugins from ShapedPlugin were silently compromised this week in a significant supply chain attack: unknown threat actors tampered with the vendor’s official release channels and pushed backdoor code into Pro plugin releases distributed through the licensed update mechanism. Because the attack targeted the vendor’s build and distribution pipeline rather than individual websites, site owners who updated their legitimate, licensed plugins unknowingly installed the malicious code.
Wordfence disclosed the attack and urged all ShapedPlugin Pro plugin users to audit their installations and treat any affected site as potentially compromised. The incident highlights that even purchasing official software through legitimate channels does not guarantee safety, and underscores the need for integrity verification in software update pipelines.
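The integrity verification the article calls for can be as simple as a hash manifest taken at install time and re-checked after every update. The script below is an added example written for this roundup, not code from the original article, from Wordfence, or from ShapedPlugin: it snapshots a plugin directory into a SHA-256 manifest, then reports modified, added and removed files after a simulated tampered update. The plugin tree and file names are constructed in a temporary directory for the demo.

```python
"""Snapshot and verify a WordPress plugin tree with a SHA-256 manifest.

Added example, not code from the original article, Wordfence or ShapedPlugin.
Take the manifest when the plugin is installed from a source you trust, keep it
off the web host (or sign it), and diff the live tree against it after updates.
The plugin files below are constructed in a temp directory; names are invented.
"""
import hashlib
import json
import tempfile
from pathlib import Path


def file_sha256(path: Path) -> str:
    """Stream the file so large plugin assets are not read into memory at once."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """Map each file path under root (relative, POSIX separators) to its SHA-256."""
    return {
        p.relative_to(root).as_posix(): file_sha256(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def dump_manifest(manifest: dict[str, str]) -> str:
    """Stable JSON so the manifest itself can be hashed or signed before storage."""
    return json.dumps(manifest, sort_keys=True, indent=2)


def verify_manifest(root: Path, manifest: dict[str, str]) -> dict[str, list[str]]:
    """Report every deviation from the manifest. An empty report means the tree
    matches byte for byte. Added files matter as much as modified ones: a new
    PHP file dropped into the tree is a classic way to plant a backdoor."""
    current = build_manifest(root)
    return {
        "modified": sorted(p for p in manifest if p in current and current[p] != manifest[p]),
        "added": sorted(p for p in current if p not in manifest),
        "removed": sorted(p for p in manifest if p not in current),
    }


def demo() -> dict[str, list[str]]:
    """Build a plugin tree, snapshot it, apply a tampered 'update', then verify."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "example-plugin-pro"  # constructed plugin, not a real product
        (root / "includes").mkdir(parents=True)
        (root / "example-plugin-pro.php").write_text(
            "<?php\n/* Plugin Name: Example Plugin Pro */\n"
        )
        (root / "includes" / "class-loader.php").write_text("<?php\nclass Loader {}\n")
        (root / "readme.txt").write_text("=== Example Plugin Pro ===\n")
        manifest = build_manifest(root)

        # What a compromised release channel might deliver: one existing file
        # altered, one new file dropped in, one file gone.
        (root / "includes" / "class-loader.php").write_text(
            "<?php\nclass Loader {}\n// injected during build\n"
        )
        (root / "includes" / "hidden.php").write_text("<?php\n// dropped-in file\n")
        (root / "readme.txt").unlink()
        return verify_manifest(root, manifest)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

A manifest stored on the same host as the plugin can be rewritten by the same update that plants the backdoor, which is why the snapshot should live elsewhere or be signed. In a vendor-pipeline compromise like this one the first trusted snapshot may itself be tainted, so compare against a manifest taken from a known-good release where you can, and treat any unexplained "added" PHP file as a compromise until proven otherwise.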

Five Eyes Alliance Issues Urgent Warning: AI Will Transform Offensive Cyber Capability Within Months
The intelligence agencies of the US, UK, Canada, Australia, and New Zealand — collectively known as the Five Eyes — issued a rare joint public warning about the escalating role of artificial intelligence in offensive cyberattacks. The Five Eyes warned that frontier AI models could transform offensive cyber capability within months, increasing pressure on governments and companies to improve patching, exposure reduction, and defensive automation.
The agencies noted that AI is dramatically lowering the barrier to conducting sophisticated cyberattacks, enabling threat actors with limited technical expertise to execute complex intrusions, generate convincing phishing lures at scale, and identify zero-day vulnerabilities faster than any human team could. The warning comes as CERT-In in India separately noted that AI is enabling attackers to scan source code and create “chain exploits” that connect vulnerabilities across multiple platforms. Proactive defenses, including strong email authentication and layered security controls, have never been more critical.
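Several items in this roundup end with the same advice: enforce email authentication. What that means in practice is a DMARC record that actually rejects, not one that only monitors. The script below is an added example written for this roundup, not code from the original article or from DuoCircle's products: it parses a DMARC TXT record using the tag=value syntax of RFC 7489 and flags the settings that leave a domain spoofable, with a weak monitoring-only record shown beside the enforcing one. The records are constructed strings, not DNS lookups, and the mailto addresses are placeholders.

```python
"""Parse a DMARC TXT record and flag settings that leave a domain spoofable.

Added example, not code from the original article or from DuoCircle's products.
Syntax follows RFC 7489 (tag=value pairs separated by ';', v=DMARC1 first).
The records below are constructed; the report addresses are placeholders.
"""

WEAK_RECORD = "v=DMARC1; p=none; pct=50"
CORRECTED_RECORD = (
    "v=DMARC1; p=reject; sp=reject; pct=100; "
    "rua=mailto:dmarc-agg@example.com; ruf=mailto:dmarc-forensic@example.com; fo=1"
)


def parse_dmarc(record: str) -> dict[str, str]:
    """Split 'tag=value; tag=value' into a dict. RFC 7489 requires the first
    tag to be exactly v=DMARC1; anything else is not a DMARC record."""
    parts = [s.strip() for s in record.split(";")]
    if not parts or parts[0].replace(" ", "") != "v=DMARC1":
        raise ValueError("not a DMARC record: v=DMARC1 must be the first tag")
    tags: dict[str, str] = {}
    for part in parts:
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    return tags


def is_dmarc_record(record: str) -> bool:
    """True if the TXT value parses as a DMARC record."""
    try:
        parse_dmarc(record)
        return True
    except ValueError:
        return False


def assess_dmarc(record: str) -> list[str]:
    """Return findings for a record; an empty list means enforcing and reporting."""
    tags = parse_dmarc(record)
    findings: list[str] = []

    p = tags.get("p")
    if p is None:
        findings.append("p= is missing; receivers treat the record as invalid")
    elif p == "none":
        findings.append("p=none: monitoring only, spoofed mail is still delivered")
    elif p == "quarantine":
        findings.append("p=quarantine: spoofed mail is filed as spam rather than rejected")
    elif p != "reject":
        findings.append(f"p={p}: unknown policy value")

    sp = tags.get("sp", p)  # subdomain policy inherits p= when absent
    if p == "reject" and sp != "reject":
        findings.append(f"sp={sp}: subdomains are weaker than the organizational domain")

    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = -1
    if not 0 <= pct <= 100:
        findings.append(f"pct={tags.get('pct')}: invalid percentage")
    elif pct < 100:
        findings.append(f"pct={pct}: policy applied to only {pct}% of failing mail")

    if "rua" not in tags:
        findings.append("rua= is missing: no aggregate reports, so abuse goes unseen")
    return findings


if __name__ == "__main__":
    for label, rec in (("weak", WEAK_RECORD), ("corrected", CORRECTED_RECORD)):
        print(f"{label}: {assess_dmarc(rec) or ['OK']}")
```

Run against the weak record the checker reports three problems (p=none, pct=50, no rua=); against the corrected record it reports none. The pct= and sp= checks catch the two most common half-measures: a domain that moved to p=reject but only for half its mail, or one whose subdomains silently fall back to a weaker policy, which is exactly where phishing campaigns that spoof a brand tend to land.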
Founder and General Manager of DuoCircle. Product strategy and commercial lead for DMARC Report's 2,000+ customer base.