Cleartext – June 12, 2026

Friday, June 12, 2026·10:09

show notes

Daily cybersecurity briefing for CISOs and security leaders.

Episode Summary

Today's episode covers 10 stories across 6 topic areas, including: Russian national charged in connection with Void Blizzard espionage campaign; DOJ, FBI Seize 13 Domains in Chinese Recruitment Op; Authorities dismantle crypto laundering service that moved €336 million for cybercriminals.

Stories Covered

🌍 Geopolitical

Russian national charged in connection with Void Blizzard espionage campaign

CyberScoop · Jun 11 · Relevance: █████████░ 9/10

Why it matters to CISOs: The DOJ indictment of a Void Blizzard operator — a Kremlin-linked group that breached at least 11 U.S. companies — provides CISOs with attribution details and TTPs useful for threat modeling against Russian state-sponsored espionage targeting enterprise networks. The arrest from Thailand signals continued U.S. law enforcement reach.

  • Denis Obrezko, 36, charged for orchestrating cyberattacks attributed to Void Blizzard (Kremlin-linked group) that compromised at least 11 U.S. companies
  • Obrezko was arrested in Thailand in November 2025 and transferred to U.S. custody
  • Void Blizzard is a persistent espionage threat actor with a broad enterprise targeting profile

DOJ, FBI Seize 13 Domains in Chinese Recruitment Op

BankInfoSecurity · Jun 12 · Relevance: ████████░░ 8/10

Why it matters to CISOs: Chinese intelligence operatives used fake recruiting firms and job offers to target current and former U.S. government employees and clearance holders — a tactic directly relevant to enterprise CISOs whose cleared personnel, contractors, and former employees are high-value social engineering targets. This underscores the need for insider threat programs that account for foreign intelligence elicitation.

  • DOJ and FBI seized 13 websites linked to an alleged Chinese intelligence gathering operation
  • The operation used fake recruiting firms and deceptive job offers to target current and former U.S. government employees and security clearance holders
  • The campaign focused on intelligence gathering via human targeting rather than technical intrusion

📡 Macro Trends

Authorities dismantle crypto laundering service that moved €336 million for cybercriminals

Help Net Security · Jun 12 · Relevance: ███████░░░ 7/10

Why it matters to CISOs: The dismantling of AudiA6, which laundered €336M in ransomware proceeds since 2022, disrupts a key financial infrastructure layer enabling ransomware operations — providing CISOs with context on law enforcement's increasing focus on severing ransomware payment flows, which may temporarily elevate attacker desperation and retaliatory targeting.

  • FBI, Europol, and international partners seized AudiA6, a dark web crypto laundering service that processed over €336 million (~$389M) in illicit funds between 2022 and 2025
  • AudiA6 was used by multiple ransomware groups as a primary financial pipeline and was linked to the Dark2Web cybercrime forum
  • Arrests were made in connection with the service; the operation represents one of the largest ransomware financial infrastructure takedowns to date

🔓 Data Breach

Over 73,000 French govt employees affected in Tchap messenger breach

BleepingComputer · Jun 12 · Relevance: ████████░░ 8/10

Why it matters to CISOs: The breach of France's sovereign encrypted messaging platform exposes 73,000+ public sector employees and raises critical questions about whether government-built secure communications tools can withstand nation-state-level adversaries — directly relevant to enterprise CISOs evaluating sovereign or self-hosted messaging alternatives to commercial platforms.

  • Over 73,000 French public sector employee accounts were compromised in a breach of Tchap, France's government-operated encrypted messaging platform
  • The breach undermines confidence in sovereign communications infrastructure as an alternative to commercial platforms
  • French authorities have launched an investigation into the incident

Pharma giant Novo Nordisk discloses breach of clinical trials data

BleepingComputer · Jun 12 · Relevance: ███████░░░ 7/10

Why it matters to CISOs: A breach of clinical trial patient data at the world's largest insulin producer highlights the high-value intellectual property and sensitive health data exposure facing life sciences CISOs, with regulatory and reputational consequences spanning HIPAA-equivalent frameworks across multiple jurisdictions.

  • Novo Nordisk, the world's largest insulin producer, disclosed a data breach affecting patient information from clinical trials
  • Clinical trials data carries heightened sensitivity due to patient privacy obligations, competitive IP value, and multi-jurisdictional regulatory requirements
  • The disclosure follows an extended period of pharmaceutical sector targeting by state and criminal threat actors

⚖️ Governance & Policy

Coupang hit with record $409 million data breach fine in Korea

BleepingComputer · Jun 11 · Relevance: █████████░ 9/10

Why it matters to CISOs: South Korea's record $409M fine against Coupang for a breach affecting 37 million customers sets a new global benchmark for regulatory enforcement consequences, directly relevant to CISOs assessing data protection liability exposure in Asia-Pacific markets and arguing for security investment at the board level. This fine rivals GDPR's largest penalties.

  • South Korea's PIPC fined Coupang 624.6 billion won (~$409 million) — the largest data protection fine in Korean history
  • The breach affected more than 37 million customers
  • The fine signals aggressive enforcement posture from Asia-Pacific regulators comparable to GDPR maximum penalties

CISA tells govt agencies to patch critical exploited flaws in 3 days

BleepingComputer · Jun 11 · Relevance: ████████░░ 8/10

Why it matters to CISOs: BOD 26-04 represents a structural tightening of federal patching requirements driven by AI-accelerated exploitation timelines, and enterprise CISOs should anticipate this 3-day remediation standard influencing sector-specific regulators, cyber insurance requirements, and contractual SLAs with government customers.

  • CISA's new Binding Operational Directive 26-04 mandates Federal Civilian Executive Branch agencies patch critical actively exploited vulnerabilities within 3 days
  • The directive was explicitly motivated by AI-accelerated attack timelines that render previous 14-day and 21-day windows dangerously slow
  • Non-federal enterprises should expect this standard to propagate into regulatory guidance, insurance underwriting, and government contracting requirements

🚀 Startup Ecosystem

A Security Gets $37M to Thwart Weaponized AI With Automation

BankInfoSecurity · Jun 12 · Relevance: ███████░░░ 7/10

Why it matters to CISOs: Lightspeed's $37M bet on A Security — founded by a former Sygnia executive — signals investor conviction that AI-automated exploitation of agentic systems represents a sufficiently distinct threat category to warrant a new defensive category, giving CISOs a vendor to evaluate as they build defenses for autonomous AI attack surfaces.

  • A Security raised $37 million from Lightspeed Venture Partners, emerging from stealth mode
  • Founded by former Sygnia executive Yossi Torati with a focus on defending against AI-automated attack path discovery and agentic system manipulation
  • The raise reflects growing VC conviction that weaponized AI requires purpose-built defensive tooling beyond existing platforms

🚨 Critical Vulnerability

Oracle mitigates PeopleSoft zero-day exploited in data theft attacks

BleepingComputer · Jun 11 · Relevance: ██████████ 10/10

Why it matters to CISOs: A critical unauthenticated RCE zero-day in Oracle PeopleSoft was actively exploited by ShinyHunters across 100+ organizations before a patch existed, making this an emergency for any enterprise running PeopleSoft HR, finance, or ERP systems. Mandiant attributes the campaign to UNC6240 with confirmed data exfiltration and extortion demands.

  • CVE-2026-35273 allows unauthenticated remote code execution in Oracle PeopleSoft Suite
  • ShinyHunters (UNC6240) exploited the zero-day between May 27 and June 9 before Oracle published its advisory on June 10
  • Google Mandiant notified more than 100 organizations with potentially vulnerable servers

CISA orders feds to patch actively exploited Ivanti flaw by Sunday

BleepingComputer · Jun 12 · Relevance: █████████░ 9/10

Why it matters to CISOs: A max-severity Ivanti Sentry flaw was exploited within 24 hours of disclosure, and CISA's new BOD 26-04 now mandates federal agencies patch critical exploited flaws within 3 days — a precedent that will drive pressure on enterprise security teams to compress their own remediation SLAs. Ivanti's recurring vulnerability cadence makes this a strategic vendor-risk question.

  • CISA issued Binding Operational Directive 26-04 requiring federal agencies to patch critical actively exploited flaws within 3 days
  • The Ivanti Sentry vulnerability was exploited within 24 hours of public disclosure, suggesting pre-positioned attacker reconnaissance
  • The directive signals regulatory intent that may cascade to critical infrastructure and regulated industries beyond federal agencies

Full Transcript

Alex: Good morning. It's Friday, June 12th, 2026. This is Cleartext. I'm Alex Chen.

Jordan: And I'm Jordan Reeves.

Alex: We've got a packed Friday show. A PeopleSoft zero-day that ShinyHunters exploited across a hundred-plus organizations before Oracle even had a patch. A record-shattering four-hundred-nine-million-dollar fine out of South Korea. Two major geopolitical operations — one Russian, one Chinese — with direct implications for your threat model and your insider threat program. CISA's new three-day patching mandate that's going to ripple well beyond the federal space. France's sovereign messaging platform gets breached. Novo Nordisk loses clinical trial data. A ransomware money laundering network goes down. And a new startup betting thirty-seven million dollars that weaponized AI needs its own defensive category. Let's get into it.

Jordan: So let's start where the pain is most immediate. If you run Oracle PeopleSoft anywhere in your environment — HR, finance, ERP — stop what you're doing and read the advisory. CVE-2026-35273 is an unauthenticated remote code execution zero-day. No credentials needed. ShinyHunters, tracked by Mandiant as UNC6240, exploited this from May 27th through June 9th. That's nearly two weeks of active exploitation before Oracle published guidance on June 10th. Mandiant has already notified more than a hundred organizations with potentially exposed servers. There are confirmed data exfiltration and extortion demands.

Alex: And the timing here is brutal. This wasn't a case where a patch dropped and people were slow to apply it. There was no patch. Your PeopleSoft instances were vulnerable and actively targeted, and the only question is whether you were in the blast radius. If you haven't already, validate your PeopleSoft exposure today. Check for indicators of compromise against the Mandiant advisory. And if you're running internet-facing PeopleSoft — which frankly, too many organizations still are — that's a conversation you need to escalate immediately.

Jordan: And while we're on the patching emergency theme, CISA slapped a three-day deadline on federal agencies to patch an actively exploited Ivanti Sentry vulnerability. Max severity. Exploited within twenty-four hours of public disclosure, which strongly suggests pre-positioned reconnaissance by the attackers. This is the first real test case for Binding Operational Directive 26-04.

Alex: Right, and BOD 26-04 is worth understanding on its own terms even if you're not a federal agency. CISA explicitly motivated this directive by citing AI-accelerated exploitation timelines. The old fourteen and twenty-one day windows are now considered dangerously slow. The new standard for critical actively exploited flaws is three days. And here's what matters for the private sector: this standard will propagate. Expect it in sector-specific regulatory guidance. Expect it in cyber insurance questionnaires. If you're a government contractor, expect it in your SLAs. Three days is the new benchmark. If your vulnerability management program can't hit that for critical exploited flaws, you have a gap that needs executive attention and probably budget.

Jordan: And the Ivanti angle specifically — this is not the first time, not the second time. Ivanti's recurring vulnerability cadence makes this a strategic vendor-risk question, not just a tactical patching question. If you're an Ivanti shop, your board should understand the risk posture that comes with that dependency.

Alex: Let's shift to the geopolitical stories, because we've got two significant ones today. Jordan, the Void Blizzard indictment.

Jordan: Denis Obrezko, thirty-six years old, Russian national, charged by DOJ for orchestrating cyberattacks attributed to Void Blizzard. This is a Kremlin-linked espionage group that compromised at least eleven U.S. companies. Obrezko was arrested in Thailand back in November 2025 and has been transferred to U.S. custody. Two things matter here for CISOs. First, the TTPs associated with Void Blizzard are now well-documented through this indictment. Use them. Update your threat models. This group has a broad enterprise targeting profile — it's not just defense and government. Second, the arrest in Thailand signals that U.S. law enforcement reach continues to extend. That's a deterrent signal, but it's a slow-acting one. Russian state-sponsored espionage targeting enterprise networks is not going to diminish because of one arrest.

Alex: And the second geopolitical story is arguably more unsettling for a different reason. DOJ and FBI seized thirteen domains tied to an alleged Chinese intelligence gathering operation. But here's the thing — this wasn't a technical intrusion. This was human targeting. Fake recruiting firms. Deceptive job offers. Aimed at current and former U.S. government employees and security clearance holders.

Jordan: This is classic intelligence tradecraft adapted for the digital age, and it should make every CISO with cleared personnel or former government employees on staff deeply uncomfortable. Your insider threat program needs to account for foreign intelligence elicitation. This isn't about someone hacking your network. It's about someone approaching your people through a LinkedIn message or a plausible job offer on a professional-looking website and extracting information through conversation. Your cleared employees, your contractors, your recently departed staff who still know your architecture — they're all targets. If your security awareness training doesn't cover this scenario specifically, it has a blind spot.

Alex: Let's move to the enforcement story that I think will dominate boardroom conversations for the next quarter. South Korea's Personal Information Protection Commission fined Coupang six-hundred-twenty-four-point-six billion won — that's roughly four hundred nine million dollars — for a breach affecting thirty-seven million customers. This is the largest data protection fine in Korean history.

Jordan: To put that in context, that rivals the biggest GDPR penalties we've seen in Europe. This is not a rounding error. This is a signal from Asia-Pacific regulators that enforcement is reaching parity with European standards.

Alex: And that's exactly the framing CISOs need to bring to their boards. If your organization operates in APAC markets, your data protection liability exposure just got repriced. South Korea, Japan, Singapore, Australia — we're seeing a convergence of enforcement posture globally. The days of treating APAC data protection regimes as softer than GDPR are over. If you need a single data point to justify increased investment in data protection controls for your APAC operations, this is it. Four hundred nine million dollars. Put that on the slide.

Jordan: Now let's talk about the Tchap breach in France. Over seventy-three thousand French public sector employee accounts compromised on France's own sovereign encrypted messaging platform. This is the tool France built specifically to avoid dependence on commercial platforms like Signal or WhatsApp for government communications.

Alex: And this is directly relevant to any enterprise CISO who's been evaluating sovereign or self-hosted messaging alternatives. The security promise of sovereign infrastructure is only as good as the engineering and operational security behind it. Building your own doesn't automatically mean building it better. If France, with significant state resources, couldn't keep Tchap secure, that should inform your risk calculus when evaluating whether to build, self-host, or rely on commercial platforms that have been battle-tested by the global threat landscape at scale.

Jordan: Speaking of breaches, Novo Nordisk — the world's largest insulin producer — disclosed a breach of clinical trial patient data. Clinical trials data is uniquely sensitive. You've got patient privacy obligations across multiple jurisdictions, competitive intellectual property value, and the regulatory burden that comes with both. The pharmaceutical sector has been under sustained targeting by both state actors and criminal groups, and this is exactly the kind of data that sits at the intersection of both motivations.

Alex: For life sciences CISOs, this is a reminder that your clinical data environments need the same defensive rigor as your crown jewel IP. And for everyone else, it's a reminder that regulatory and reputational consequences compound when the data involved is health-related. The jurisdictional complexity alone can be crippling.

Jordan: Alright, let's hit the ransomware financial infrastructure story. FBI, Europol, and international partners dismantled AudiA6, a dark web crypto laundering service that processed over three hundred thirty-six million euros — roughly three hundred eighty-nine million dollars — in illicit funds between 2022 and 2025. Multiple ransomware groups used this as a primary financial pipeline.

Alex: This is one of the largest ransomware financial infrastructure takedowns we've seen. And the strategic logic here matters. Law enforcement is increasingly focused on severing the money flows rather than just playing whack-a-mole with threat actors. If you make it harder to monetize ransomware, you change the economics of the whole operation.

Jordan: Agreed, but there's a near-term risk I want to flag. When you disrupt a major cash-out channel, you can create desperation among threat actors who have victims in the pipeline but suddenly can't monetize. That can lead to more aggressive extortion tactics, retaliatory targeting, or a temporary surge in activity as groups scramble to find alternative laundering channels. So maintain your readiness posture.

Alex: Quick hit on the funding story. A Security, founded by former Sygnia executive Yossi Torati, emerged from stealth with thirty-seven million from Lightspeed Venture Partners. Their thesis is that AI-automated exploitation of agentic systems is a sufficiently distinct threat category to require purpose-built defensive tooling.

Jordan: Interesting bet. The agentic AI attack surface is real and growing. Whether this specific company delivers or not, the market is telling you something. VCs are putting real money behind the idea that your existing security stack won't be sufficient against AI-driven autonomous exploitation. Worth tracking as you plan your architecture for autonomous systems.

Alex: Alright, outlook. Jordan, what's the thread you're pulling on as we head into next week?

Jordan: Compression. Everything is compressing. Exploitation timelines are compressing — twenty-four hours from disclosure to exploitation on Ivanti, two weeks of zero-day exploitation on PeopleSoft before anyone had a fix. Regulatory response times are compressing — CISA is now demanding three days. And the financial consequences are compressing into larger, more immediate penalties. Four hundred nine million dollars in Korea. The environment is demanding faster detection, faster response, faster patching, and the penalties for falling behind are getting steeper on every axis simultaneously.

Alex: I'd add that the human layer is getting more attention, not less. The Chinese recruitment operation isn't a technical story. It's a people story. And as we invest more in AI-driven defenses and automated patching and all the technology solutions, don't lose sight of the fact that your adversaries are still very much interested in your people. Your insider threat program, your security culture, your offboarding processes — those are every bit as critical as your patching SLA.

Jordan: Well said.

Alex: That's our show for Friday. Thanks for spending part of your morning with us. Show notes and links to every story we covered today are at cleartext.fm. Have a good weekend. Stay sharp.

Jordan: See you Monday.


Cleartext is an automated daily podcast for CISOs and security leaders. Generated 2026-06-12.

Sources are pulled from: CyberScoop, The Record, SecurityWeek, Krebs on Security, Dark Reading, Cybersecurity Dive, BleepingComputer, Wired, Ars Technica, TechCrunch, Help Net Security, VentureBeat, Risky Business News, The Hacker News, CISA, and BankInfoSecurity.