Breaches

ShinyHunters Claims Second Leader Arrested as Group's X Account Suspended

ShinyHunters, one of the most prolific data breach and extortion groups of the past five years, has posted a message to their official Telegram channel claiming that a "second leader has been arrested."

The brief update also confirmed that the group's X (formerly Twitter) account has been suspended and cannot be recovered.

No additional details were provided regarding the identity of the arrested individual, the jurisdiction involved, or the circumstances of the arrest.

Background

ShinyHunters first emerged in 2020 and quickly became one of the most active data breach actors in the cybercriminal ecosystem. The group is responsible for breaching dozens of major organizations, including Ticketmaster, AT&T, Microsoft, Tokopedia, Wishbone, and Mashable — collectively exposing hundreds of millions of user records.

In July 2024, French authorities arrested Sebastien Raoult, a 22-year-old French national extradited from Morocco, who pleaded guilty to charges related to ShinyHunters operations. Raoult was sentenced to three years in federal prison and ordered to pay over $5 million in restitution.

If confirmed, today's claim of a second leadership arrest would mark another significant blow to the group's operational capability.

Implications

The combination of leadership arrests and platform deplatforming suggests mounting pressure on ShinyHunters' ability to operate openly. However, the group has historically demonstrated resilience — pivoting between communication channels, marketplaces, and operational models.

Organizations previously targeted by ShinyHunters or operating in sectors the group has historically focused on — SaaS platforms, technology companies, gaming, and e-commerce — should remain vigilant for potential retaliatory leaks or opportunistic attacks by remaining group members.

GitHub Confirms TeamPCP Breach of 3,800 Internal Repositories After Employee Installed Poisoned VS Code Extension

GitHub has confirmed that approximately 3,800 internal repositories were compromised after a TeamPCP supply chain attack that began with a single employee installing a poisoned Visual Studio Code extension. The breach was announced on Tuesday after TeamPCP posted claims on an underground forum offering GitHub's stolen source

Nx Console VS Code Extension Compromised — 2.2 Million Installs Exposed to Credential Stealer With Sigstore Supply Chain Poisoning Capability

A compromised version of the Nx Console extension — a popular VS Code plugin with over 2.2 million installations — was published to the Visual Studio Code Marketplace after an attacker leveraged stolen developer credentials to inject a multi-stage credential stealer into the official nrwl/nx GitHub repository. The malicious version

Grafana Confirms GitHub Breach After Coinbase Cartel Demands Ransom — Codebase Stolen via Compromised Token

Grafana Labs has confirmed a data breach after attackers used a compromised token to access the company's GitHub environment and download its entire codebase. The open source visualization and analytics platform disclosed the incident on Sunday, two days after cybercrime group Coinbase Cartel listed Grafana on its leak

Pre-Stuxnet Sabotage Malware Fast16 Confirmed as Nuclear Weapons Simulation Tampering Tool Dating Back to 2005

Symantec and Carbon Black have published a definitive analysis confirming that Fast16, a Lua-based malware framework first surfaced by SentinelOne weeks ago, was purpose-built to sabotage nuclear weapons testing simulations. The findings establish Fast16 as the earliest known cyber sabotage tool targeting nuclear weapons research — predating the first known version