Rupert, Moelester Lead Breach Wave; Gogs RCE Zero-Day Lands
Summary
Today's board was dominated less by novel tradecraft than by sheer volume: a long tail of forum, credential and government-database dumps from a handful of prolific actors, layered over a developer toolchain that keeps springing critical holes. The recurring theme is exposure through trusted but unglamorous infrastructure -- public web apps, code forges, package registries and back-office portals -- where one tired credential or one unpatched server hands an attacker a national identity set or a corporate customer list. Defenders are again being asked to win on patch speed and credential hygiene rather than on spotting anything clever.
Today's developments
The forum scene was driven by two unusually busy actors. "Rupert" posted alleged breaches across retail and government, including The Home Depot's Canadian arm, Coleman BBQ and HardwareSales in Canada, Brazil's Mercado Pago and Petlove, Algeria's Ministry of Tourism and Handicrafts, and -- in a pointed run at one state -- both Argentina's Ministry of Justice and the Judicial Branch of the Nation. "Moelester" claimed an even longer string of forum and service-provider breaches, among them the Dutch housing association Stadgenoot, Latvia's Jelgava municipality, the Czech retailer Alza.cz, Poland's home.pl hosting provider, France's Doctissimo forum, and Argentina's Swiss Medical.
A heavy Latin American government cluster recurred beneath them. VandalsGroup advertised 490,000 records it described as covering "all citizens" of Ambato, Ecuador, paired with a web shell on the municipality's systems; CHRONUSTEAM and a related "Chronus leaks" handle posted the Social Security Institute of the State of Guanajuato and Mexico's CECyTE Coahuila; Hermes_Olymp claimed a Sinaloa billing system with more than 100,000 users; Olympus_group named the Colima state pension institute IPECOL; and System_Rippers targeted Chile's judiciary at pjud.cl. Elsewhere, Flipperone advertised what it called sensitive personal data on 1.5 million Pakistani citizens, "The BlackH4t MD-Ghost" claimed a Belarusian bank, and actors posting as "mossad" and "mosad" claimed roughly 3.8 GB of South Korean military drone documentation. All of these remain unverified claims drawn from forum posts.
External reporting filled in the harder edges. SecurityWeek said the ShinyHunters extortion group leaked more than 42 million records allegedly stolen from Charter Communications in April, a breach the company estimates could affect nearly five million people, and flagged a Gogs zero-day rated CVSS 9.4: an argument-injection flaw that lets an authenticated attacker reach remote code execution by opening pull requests from maliciously named branches. The same outlet noted a Chrome 148 update that closed 151 vulnerabilities. The Hacker News attributed AI-powered attacks on Ukraine-related targets, running since at least August 2025, to a previously undocumented Russian-linked actor it tracks as GREYVIBE, and documented an intruder who used a large language model agent to automate post-exploitation after abusing a publicly exposed Marimo instance (CVE-2026-39987).
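The Gogs bug belongs to a well-understood class: a user-chosen ref name is placed on a git command line at a position where git is still parsing options, so a name beginning with a dash is read as a flag. The Python below is an added illustration of that class and its fix; it is not Gogs' code, and the `--output=` payload shape is the generic one for option injection, not the specific Gogs payload, which the report does not describe. It assumes git 2.24 or newer for `--end-of-options`, and its ref-name rules are a hand-written subset of git-check-ref-format(1).

```python
"""Option injection through git ref names, and how to close it.

Added illustration of the bug class named in the report (attacker-chosen
branch names reaching a git command line). It is not Gogs' code, and the
payload shape is the generic one for this class, not the Gogs payload,
which the report does not describe.
"""
import re
from typing import List

# Conservative hand-written subset of git-check-ref-format(1): control
# characters, space, and the metacharacters git refuses in ref names.
_BAD_CHARS = re.compile(r"[\x00-\x1f\x7f ~^:?*\[\\]")

# Options the application itself means to pass to `git log`.
INTENDED_OPTS = ["--oneline", "-n", "50"]


def is_safe_ref_name(name: str) -> bool:
    """True if `name` is a plausible branch name that cannot parse as an option."""
    if not name or name == "@":
        return False
    if name.startswith("-"):  # the injection vector: git would read it as a flag
        return False
    if _BAD_CHARS.search(name) or ".." in name or "@{" in name:
        return False
    for part in name.split("/"):
        # empty parts cover leading, trailing and doubled slashes
        if not part or part.startswith(".") or part.endswith(".lock"):
            return False
    return not name.endswith(".")


def build_log_argv_unsafe(branch: str) -> List[str]:
    """Vulnerable pattern: the ref lands where git is still parsing options,
    so a name such as "--output=/tmp/x" becomes a diff option (which git log
    also accepts) that redirects git's output to a file the attacker chose."""
    return ["git", "log", *INTENDED_OPTS, branch]


def build_log_argv(branch: str) -> List[str]:
    """Hardened pattern: validate the name, end option parsing, and fully
    qualify the ref so it can never begin with '-'. --end-of-options assumes
    git 2.24 or newer (assumption stated in the lead-in)."""
    if not is_safe_ref_name(branch):
        raise ValueError(f"refusing suspicious ref name: {branch!r}")
    return ["git", "log", *INTENDED_OPTS, "--end-of-options", f"refs/heads/{branch}"]


def injected_options(argv: List[str]) -> List[str]:
    """Option-shaped arguments the application did not place itself.
    Everything after --end-of-options is positional by definition."""
    if "--end-of-options" in argv:
        argv = argv[: argv.index("--end-of-options")]
    return [a for a in argv[2:] if a.startswith("-") and a not in INTENDED_OPTS]


if __name__ == "__main__":
    # Constructed candidate names: one legitimate, three that must be refused.
    for candidate in ("feature/login-fix", "--output=/tmp/x", "a..b", "hotfix/.env"):
        unsafe = build_log_argv_unsafe(candidate)
        print(f"{candidate!r:24} injected={injected_options(unsafe)}", end="  ")
        try:
            print("hardened:", " ".join(build_log_argv(candidate)))
        except ValueError as exc:
            print("rejected:", exc)
```

The two hardening steps are independent and both worth keeping: `--end-of-options` stops git from reading anything after it as a flag, and prefixing `refs/heads/` means the positional can never start with a dash even on a git too old to know the terminator. Validation still matters because a ref that survives option parsing can still name the wrong object (`..` ranges, `@{}` reflog syntax).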
Two further threads tied the forum noise to real tradecraft. The Hacker News and Microsoft tracked parallel supply-chain campaigns: a malicious NuGet package impersonating Brazil's Sicoob banking SDK to steal credentials, and a "Mini Shai-Hulud" run of typosquatted npm packages hunting cloud and CI/CD secrets. And The Hacker News tied the North Korean group Kimsuky (Velvet Chollima) to a fresh campaign deploying HTTPSpy and HelloDoor and abusing VS Code tunnels against South Korean military and corporate targets, the same sector named in the day's forum leak claims. Separately, CyberScoop reported a Commerce Inspector General audit finding NIST's National Vulnerability Database hampered by poor planning and a backlog of 27,000 unprocessed flaws, while The Record covered Microsoft calling a researcher's serial zero-day drops on GitHub "never justifiable."
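Typosquats of the kind described above rely on two things a build pipeline can check before any secret is exposed: a name one edit away from a package people actually mean to install, and an install-time script that runs without anyone reading it. The following Python is an added example of such a pre-install check, not code from the report, from Microsoft, or from any npm tool; the watchlist of names and the sample manifests are constructed for the demonstration and do not describe the packages in the campaign.

```python
"""Flag near-miss package names and install-time scripts in npm manifests.

Added example for the typosquatting campaign described in the report; it
is not code from the report, Microsoft, or any npm tooling. The watchlist
and the manifests are constructed for the demonstration.
"""
import json
from typing import Dict, List, Optional, Tuple

# Constructed watchlist: names an attacker would want to impersonate.
WATCHLIST = ["lodash", "express", "axios", "chalk", "commander", "request"]
# Hooks npm runs automatically during install; secret stealers live here.
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insert, delete, substitute, or swap
    two adjacent characters each cost 1, which covers the classic squats."""
    rows, cols = len(a) + 1, len(b) + 1
    d = [[0] * cols for _ in range(rows)]
    for i in range(rows):
        d[i][0] = i
    for j in range(cols):
        d[0][j] = j
    for i in range(1, rows):
        for j in range(1, cols):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[-1][-1]


def nearest_watchlist_name(name: str, max_distance: int = 1) -> Optional[Tuple[str, int]]:
    """Closest watchlist name within max_distance edits; exact matches are
    not squats and return None."""
    best = None
    for known in WATCHLIST:
        dist = osa_distance(name, known)
        if 0 < dist <= max_distance and (best is None or dist < best[1]):
            best = (known, dist)
    return best


def audit_manifest(name: str, manifest: Dict) -> List[str]:
    """Findings for one package.json; an empty list means nothing to triage."""
    findings = []
    near = nearest_watchlist_name(name)
    if near:
        findings.append(f"name is {near[1]} edit(s) from watchlist package '{near[0]}'")
    scripts = manifest.get("scripts", {})
    for hook in LIFECYCLE_HOOKS:
        if hook in scripts:
            findings.append(f"runs code at install time via '{hook}': {scripts[hook]}")
    return findings


def audit_packages(packages: Dict[str, str]) -> Dict[str, List[str]]:
    """packages maps package name -> package.json text; returns flagged ones only."""
    report = {}
    for name, text in packages.items():
        findings = audit_manifest(name, json.loads(text))
        if findings:
            report[name] = findings
    return report


# Constructed sample manifests, not real registry contents.
SAMPLE_PACKAGES = {
    "lodash": json.dumps({"name": "lodash", "version": "1.0.0"}),
    "lodahs": json.dumps({"name": "lodahs", "version": "1.0.1",
                          "scripts": {"postinstall": "node setup.js"}}),
    "express": json.dumps({"name": "express", "version": "1.0.0",
                           "scripts": {"test": "mocha"}}),
    "left-pad": json.dumps({"name": "left-pad", "version": "1.0.0"}),
}

if __name__ == "__main__":
    for pkg, findings in audit_packages(SAMPLE_PACKAGES).items():
        print(pkg)
        for finding in findings:
            print("  -", finding)
```

Two caveats for use. Many legitimate packages declare `postinstall`, so the hook finding is a triage lead rather than a verdict; the cheap, reliable control is `npm ci --ignore-scripts` on CI runners, which removes the install-time execution that these campaigns depend on. And the name-distance check catches squats only: a genuinely popular package whose maintainer account was compromised matches the watchlist exactly and will surface, if at all, through the script check.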
Threat landscape signals
Concentration sat with the breach crews rather than the denial-of-service scene. Of 128 tracked events, 57 were data breaches and 7 data leaks, and just two actors -- Rupert with 16 posts and Moelester with 14 -- accounted for nearly a quarter of the day's volume, almost all of it credential and database dumps rather than ransomware. Ransomware (17) and DDoS (16) ran roughly level, with the pro-Russian crews NoName057(16) and Keymous Plus behind most denial-of-service claims. Victims skewed toward Latin American government and pension systems -- Mexico, Argentina, Ecuador, Chile and Colombia all featured -- plus consumer retail, while the United States, Indonesia, India and Thailand were the most-named countries and government administration the most-hit sector.
The actionable signal again points at the toolchain. A Gogs remote-code-execution zero-day, a 151-fix Chrome release, npm and NuGet supply-chain poisoning, and an LLM agent automating post-exploitation all land on the surface that developers and IT teams own. The practical priorities are to patch Gogs and Chrome now (and, until a fixed Gogs build is deployed, to restrict who can open pull requests, since the flaw needs an authenticated account), to rotate any cloud and CI/CD secrets that were reachable from build hosts that may have installed a malicious package, with install-time scripts disabled on runners in the meantime, and to treat the South Korean military leak claims as a prompt to assume Kimsuky-style access attempts against defense-adjacent suppliers.