Forum Breaches Hit Polymarket, PNC as Gemini CLI RCE Patched
Summary
The day's two distinct surfaces collide. On the underground forums, 47 alleged data-breach posts and 10 leak claims targeted US financial-services firms, government databases and Indonesian regional administrations -- a heavy concentration of US victims under one cluster of actors. In the published-research lane, Google patched a CVSS-10 RCE in its Gemini CLI tooling, a Linux kernel logic flaw originally introduced in 2017 was disclosed as enabling root takeover, and cPanel acknowledged that a critical authentication bypass had been exploited as a zero-day for months. Defenders should read the day's pattern as the gap between the criminal volume layer (forum claims, ransomware) and the strategic vulnerability layer (AI tooling, OS kernels, hosting control panels) closing fast.
Today's developments
Forum claims clustered against US victims. Actor xorcat posted alleged breaches of Polymarket, the Arkansas Justice System and State Employee Database, software firm KBROApp, fishing-app database Lakemonster (43,773 accounts), and a series of French-market entities including Yaaka and an ADEMI/AQUAES agriculture-data sale. Actor Fallen (also posting as TheFallen) collated a US-focused portfolio: Liberty Mutual Insurance, e-commerce vendor American Luxury Unlimited, finance firm TastyFX, retailer Big Island Candies, American Investors Company, American Franchise Academy and an "Executive High-Income Individuals" list. Actor AdminOwner claimed alleged breaches of US Air Force data and a 6-million-record sale tied to PNC wealth-and-asset-management clients, alongside a separate Philippine National Police claim and a 30 GB UAE Investors trove. Actor GordonFreeman posted a 150K-record Ministry of Education Guatemala dataset.
Government-administration and education saw a separate Indonesia cluster. Mr. Hanz Xploit claimed alleged breaches of Jember Regency, the regional revenue agency Bapenda Inhu and Universitas Pembangunan Nasional "Veteran" Jakarta (UPNVJ); Xyph0rix claimed a Yogyakarta resident-data leak. Government administration was the day's second-largest victim industry behind unspecified entries -- 15 of 150 events. Cyber_Isnaad_Front claimed a sale targeting Israeli defence supplier IMCO Industries Ltd. French breach claims targeted ChimeraZ on NEMEA Group (real estate), ijpys on Yomoni, and Lagui on a "FRENCH DATABASE EASY CASH". A separate Vave888 listing claimed access to "Chase bank and Citibank database" data.
DDoS activity was concentrated in three actor handles. Order403 accounted for 10 of 31 DDoS events, NoName057(16) for 6 -- the latter following its established Ukraine-aligned-target playbook -- with smaller clusters from Payouts King and HellR00ters Team. Ransomware operators distributed 23 events across the day. The published-research ransomware story landed separately: Sandhills Medical disclosed an Inc Ransom breach affecting 170,000 individuals, with disclosure coming nearly one year after the original incident.
The day's vulnerability disclosures landed in critical territory:
- Google patched a maximum-severity (CVSS 10) RCE in Gemini CLI -- both the @google/gemini-cli npm package and the google-github-actions/run-gemini-cli workflow -- that allowed attackers to execute arbitrary commands on host systems via a planted malicious configuration; companion flaws in Cursor were also patched.
- A high-severity Linux kernel local-privilege-escalation vulnerability tracked as CVE-2026-31431 (CVSS 7.8), codenamed "Copy Fail" by Xint.io and ThreatGen, allows an unprivileged local user to obtain root; the bug, in the kernel's authenc cryptographic template, was introduced in 2017 and affects all major distributions.
- SecurityWeek reported that a critical cPanel and WHM authentication-bypass flaw -- patched on April 28 -- had been exploited as a zero-day for months prior to disclosure, allowing administrative access to vulnerable servers.
- Claroty disclosed two EnOcean SmartServer flaws (security bypass and remote code execution) exposing buildings using the protocol stack to remote takeover.
Two malware-stack pieces rounded out the published research. A new Python-based backdoor framework called DEEP#DOOR uses tunneling-service infrastructure for persistent access and broad credential harvesting from browsers and cloud services. A separate campaign tracked by Atos Threat Research Center as EtherRAT, identified in March 2026, distributes RAT payloads through GitHub facades posing as administrative tools, specifically targeting high-privilege accounts of enterprise administrators, DevOps engineers and security analysts. Anthropic separately disclosed it would not release its Mythos AI model publicly after the model discovered "thousands of previously unknown software vulnerabilities" in major operating systems and browsers, raising governance questions about AI-driven offensive research.
Threat landscape signals
Top-3 actor concentration is meaningful: Order403, HellR00ters Team and Payouts King together account for 28 of 150 events -- roughly 19 percent of the day's posts. The forum-target geography skews heavily to US victims (41 of 150), followed by Indonesian government and academic victims (12). The vulnerability-stack concentration on AI tooling, Linux kernel internals and hosting control panels suggests defenders should weight these surfaces in patch prioritisation: a published RCE in an AI CLI used at scale by developers, a 2017-vintage kernel flaw and a hosting-panel zero-day exploited for months are all single-step routes to administrative access. The nearly year-long gap between the Inc Ransom incident at Sandhills Medical and its disclosure is an operational reminder that breach-detection-to-disclosure timelines remain long even after regulatory pressure.
CTI brief — 30 April 2026
The full brief covers ransomware claims, data leaks and threat actors disclosed on this date. Today's brief is open to all readers; historical editions are part of the subscriber feed.