
Almost 2,000 Arch Linux packages have been infected with malware in a supply chain attack, FISA surveillance powers expire for the first time since 2008, the FBI takes down a Chinese phishing service, and a major supply chain attack hits the WordPress ecosystem.
This is the Risky Bulletin, prepared by Catalin Cimpanu and read by me, Claire Aird. Today is the 15th of June and this podcast episode is brought to you by Ent AI.
In today's top story, more than 1,900 Arch Linux ecosystem packages have been hijacked to distribute rootkit and infostealer. The attacker targeted AUR packages that had been abandoned and were open for new maintainers. The attacks occurred in several waves over the last few days and are ongoing. Researchers have yet to attribute the attacks.
In other news, FISA Section 702 foreign surveillance powers expired on Friday for the first time since they were granted in 2008. The US House of Representatives rejected a last-minute short-term extension. Members of both parties are unhappy with President Trump's decision to name his friend Bill Pulte acting Director of National Intelligence. Lawmakers say Pulte is unqualified for the role and voiced concerns about him having access to FISA powers. Last week, a vote to extend FISA for three years failed to pass the US Senate.
Meantime, the US government has ordered AI company Anthropic to block foreign nationals from accessing its new models. The export control restrictions apply to Claude Fable 5 and Claude Mythos 5, which were released last week. The White House imposed the restrictions after Amazon reportedly found a jailbreak that bypassed guardrails on Anthropic's newest releases.
The United States is pressuring its NATO allies to use their defence budgets to replace Huawei gear in telecommunications and critical networks. The US designated Huawei a national security risk in 2020. American telcos are banned from using its equipment. Spain and Germany are among NATO countries that allow their telcos to use Huawei equipment.
Hackers have gained access to the internal network of Danish pharmaceutical giant Novo Nordisk. The company has taken its systems offline to conduct incident response and evict the attackers. Novo says some sensitive data was copied during the intrusion, including patient PII. The company is known for developing the weight loss drugs Ozempic and Wegovy.
Hackers have stolen terabytes of data from major K-12 school operator Global Schools Group. Extortion group Fulcrums claims to have obtained passport details for children and parents, attendance records, teacher passwords and photos of campus visitors. The information was stolen in April from an unsecured and exposed database. The hackers leaked the data last week after a failed ransom negotiation. Singapore-based Global Schools Group manages 12 different schools that have 65 campuses between them in nine countries.
Maine's Attorney General has taken down the state's data breach reporting portal. Last week, unknown individuals filed fake data breach notices claiming there were incidents at online game company VRChat and messaging platform Discord. The fake reported breaches were subsequently listed on the attorney general's website with no verification. Maine officials said they're reworking submission procedures to prevent future abuse.
The ShinyHunters hacking group has published a new list of victims on its dark web leak site. The group says it's currently extorting the Council of Europe, fashion house Ralph Lauren, retailer J.C. Penney, as well as America's largest TV broadcaster, Nexstar. Most companies that get listed on ShinyHunters' leak page ultimately confirm the hacks. In recent weeks, the group has exploited a zero-day vulnerability in Oracle PeopleSoft.
Hackers are demanding a $2 million ransom from Japanese gaming company Nintendo. The Shadow Bytes group claimed to have stolen almost 1 gigabyte of employee and business data from one of the company's suppliers, TinyPulse. Shadow Bytes first surfaced in April and describes itself as a data extortion group.
Hackers have stolen $36 million worth of crypto assets from the Humanity Protocol platform. The attacker allegedly stole private multisig keys from a Compro developer laptop. The Humanity token lost almost 90% of its value following the hack.
The FBI, Google and Lumen Technologies have taken down the Chinese phishing-as-a-service platform Outsider Enterprise. The platform's been linked to the theft of more than 3.8 million credit card numbers and $1.9 billion from toll phishing scams. Officials have seized domains, server infrastructure and cryptocurrency wallets used to receive payments. Google's also suing the group for using Gemini AI to build the service.
A Ukrainian national has pleaded guilty to hacking US companies and deploying Conti ransomware on their networks. Oleksiy Oleksiyevich Litvinenko was arrested in Ireland in 2023. He was extradited to the US last year. He faces up to 25 years in prison.
Vietnamese police have arrested seven individuals for attempting to establish cyberscam compounds across the country. The group consisted of four Chinese nationals and three locals. They rented multiple resorts, farm stays and villas and were bringing in workers from Cambodia.
French, Italian and US authorities have shut down an online platform that generated and hosted non-consensual deepfake pornography of famous women. The platform's administrator was arrested in Nice, former France. The service allegedly hosted thousands of photos and videos of female politicians, first ladies, movie stars and athletes. The US also seized two domains under America's new Take It Down Act. It's the first time the law has been used to shut down a deepfake platform.
Certificate authority GlobalSign is mass revoking SSL certificates for Russian customers. The process began on Saturday. GlobalSign told Russian partners it's complying with new CA/B Forum rules passed in May. The rules require certificate authorities to follow strict customer verification procedures and observe international sanctions.
More than 1.2 million websites have been backdoored following a security incident at Awesome Motive, a WordPress plugin developer. Malicious code was added to the JavaScript files of three of the company's plugins, OptinMonster, TrustPulse and PushEngage. When an admin logs in, the malicious code creates its own admin account and then installs a hidden backdoor plugin to maintain access. No malicious code has been found in Awesome Motive's other plugins.
The UK's communications watchdog will begin investigating smart TV makers for installing hidden trackers used to collect data about viewing habits. The ICO plans to launch several investigations throughout the year. They will ensure that device makers are obtaining consent and that users have opt-out options, and that children's rights and privacy are being protected. The Texas Attorney General's office launched a similar crackdown this year and sued several device makers for privacy violations and data tracking.
Intellexa CEO Tal Dilian says he has documents that prove the involvement of the Greek intelligence service in the Predator Gate spyware scandal. Dilian was sentenced to eight years in a Greek prison earlier this year. The sentence is currently suspended pending an appeal. Dilian is now threatening to release the documents. He claims his company simply sold spyware, but the EYP intelligence service used it against opposition figures, journalists and prosecutors. In a controversial ruling, the Greek Supreme Court absolved the state of any involvement. In March, Dilian said he was being used as a scapegoat. He's technically been sentenced to 126 years in prison, but if his appeal fails, he'll only serve eight because the charges are misdemeanours.
British police and tech giant Apple have entered into a partnership to counter the rising trend of smartphone thefts. The police will share the IMEI codes of stolen devices with the US tech company to prevent the phones from being reactivated. The device data will also be used to track the locations of stolen phones. The market for stolen phones is estimated to be in the millions of US dollars. Most are resold in China as devices without government restrictions.
A cyber espionage group operating out of Belarus is targeting the personal Gmail accounts of Polish citizens. The Ghostwriter group is targeting high-profile Polish public figures and their family members. Targets include politicians, journalists and law enforcement personnel. Previously, Ghostwriter only targeted work-related accounts. The change in tactics began in March.
A new vulnerability allows attackers to escape Linux virtual machines and execute malicious code as root on the underlying host. The vulnerability, codenamed itscape, impacts the Kernel-based Virtual Machine component of Linux. It only impacts multi-tenant clouds that use KVM on ARM64 processors. The bug was discovered by security researcher Hyun Woo Kim and was patched in the Linux kernel last week.
A technical malfunction has wiped Ziggo Safe Online password vaults. Ziggo Safe Online is a password manager app run by the Dutch ISP Ziggo. The company confirmed the incident but declined to say how many users were affected. Ziggo says customers will have to redownload the app and resync passwords. Ziggo Safe Online lists more than 500,000 downloads on its Platform Play Store page.
And finally, the Microsoft Edge web browser will switch to a two-week release cycle starting with Edge version 152 in late August. Edge will sync with Chrome's new release cycle, which is also set to switch to two weeks in September. The change from four weeks is intended to reduce the patch gap in its open source components and deliver security updates faster.
And that is all for this podcast edition. Today's show is brought to you by our sponsor ENT AI. Find them at entry AI. Thanks for your company.
Podcast: Risky Bulletin (Risky Business Media)
Date: June 15, 2026
Host: Catalin Cimpanu (prepared), Claire Aird (read)
Episode Focus: The episode highlights the major supply chain attack on Arch Linux packages, alongside an array of other significant cybersecurity events and breaches worldwide.
This episode delivers a comprehensive roundup of recent cybersecurity incidents, with a primary focus on a sweeping malware infection campaign targeting nearly 2,000 Arch Linux packages. The podcast also explores expired US surveillance powers, a high-profile AI export control measure, ongoing ransomware and extortion cases, a widespread WordPress plugin compromise, and global law enforcement actions against various cybercrime operations.
"More than 1,900 Arch Linux ecosystem packages have been hijacked to distribute rootkit and infostealer. The attacker targeted AUR packages that had been abandoned and were open for new maintainers." (00:05)
"When an admin logs in, the malicious code creates its own admin account and then installs a hidden backdoor plugin to maintain access." (06:56)
Concise and factual, the episode delivers each news story with a brisk, objective style, focusing on major technical and policy details without extraneous commentary.
This episode covered a landmark supply chain attack on Arch Linux packages, major breaches affecting pharma, education, and crypto platforms, significant developments in US surveillance law, and a continued global crackdown on both cybercrime and privacy violations. The growing risks posed by software supply chain vulnerabilities, IoT privacy, and cross-border cyber threats remain front and center in this rapid-fire roundup.