ShinyHunters Claims 100-Plus Oracle Breaches as North Korean Operators Hit Half of US Tech
Enterprise breach claims, leaked attack-framework source code, and a CrowdStrike finding that North Korean operators are behind roughly half of all US tech-sector attacks converged to make security the lead story. On the AI side, a whistleblower lawsuit and a German court ruling gave the industry two legal problems it doesn't have clean answers to.
Security
ShinyHunters is claiming credit for compromising Oracle PeopleSoft servers at more than 100 organizations — universities and large enterprises among them — in what appears to be an active data-theft and extortion campaign. Oracle has not confirmed the breach, but the target selection makes sense: PeopleSoft runs HR, payroll, finance, and student information systems at thousands of institutions globally. That is a concentrated source of sensitive records, and for any organization on the victim list, the calculus for paying quietly is obvious. ShinyHunters' established pattern is high-volume targeting followed by extortion and data resale; a claimed victim count this large is consistent with that playbook.
That breach doesn't sit in isolation. CrowdStrike reported that North Korean operators posing as remote IT workers and recruiters accounted for roughly half of all attacks on US tech companies over the past twelve months. The scale is striking: what began as isolated incidents of North Koreans faking their way into remote roles has matured into a systematic, industrialized operation. Operators now clear background checks with synthetic identities, embed inside organizations for months, and execute exfiltration or payload deployment from inside trusted network perimeters. European and Asian companies are targets too, but US tech absorbs the largest share.
The supply-chain attack surface shifted on two fronts simultaneously. The Miasma credential-stealing framework — previously deployed in attacks targeting open-source package ecosystems — had its source code briefly posted to GitHub before removal. The window was short, but code on GitHub proliferates via forks faster than takedowns can follow; lower-skilled actors now have a working blueprint to adapt. On the defensive side, GitHub announced that npm v12, due next month, will introduce security controls specifically targeting install-time hook behaviors that supply-chain attackers have exploited. The timing is not coincidental — npm's new controls are a direct response to the attack class Miasma exemplifies.
Rounding out a dense security day: a cannabis-club management platform left nearly a million passport scans and national IDs sitting on the open internet with no authentication required. And a Florida man is suing police after a facial recognition system's "93% match" led to his wrongful arrest; the complaint alleges officers treated the probabilistic AI output as conclusive and ignored contradicting evidence that was readily available. The case adds to a growing body of litigation challenging how law enforcement deploys automated identification tools.
AI
A German court ruled that AI-generated search summaries are not a necessity, handing Google a direct loss over its AI Overview feature. The court's framing — that nobody needs AI to find things on the internet — is blunt, and if the logic spreads to other European jurisdictions, Google could face pressure to restructure or remove AI summary features across a major market. AI Overview is central to Google's search engagement strategy and its defense against AI-native competitors; this ruling creates legal uncertainty at a moment when Google can least afford it.
The xAI safety story went to court. A former engineer is suing xAI and SpaceX, claiming he was fired after raising concerns about Grok's safety practices in the days immediately before SpaceX's IPO. The timing is the heart of the allegation: safety advocacy was treated, he claims, as a risk to manage during a high-stakes capital event rather than as legitimate engineering feedback. The lawsuit may not succeed on its merits, but it documents a tension between safety functions and business timelines that most AI labs experience internally and few discuss publicly.
Anthropic is managing its own contradiction with Claude Fable 5. The company launched the model with specific praise for its biology capabilities, but the model refuses to answer basic biology questions — material covered in a standard high-school curriculum. Over-filtering that directly contradicts vendor marketing creates a credibility problem that benchmark performance cannot recover. On the policy front, Anthropic proposed a public investment fund that would give Americans equity stakes in AI companies, framing it as a mechanism for distributing AI's economic upside rather than concentrating it — a preemptive positioning move ahead of political scrutiny that is already building.
Tech
Microsoft is preparing significant Xbox layoffs. CEO Asha Sharma has been framing the restructuring internally as a "reset", and the cuts reflect declining Xbox revenue and margin compression. The Activision Blizzard acquisition was supposed to deliver content scale and platform leverage; the layoffs suggest that conversion into durable margin improvement has not materialized.
Amazon borrowed $17.5 billion from banks — following a recent bond sale — to sustain AI infrastructure investment. At this scale, AI buildout has moved from product R&D budgeting to infrastructure debt financing. AWS faces competitive pressure on AI capability and pricing from Azure and Google Cloud; the borrowing signals that management has concluded the cost of falling behind exceeds the interest rate exposure.
Google is also facing legal action over its Lyria music AI: independent musicians are suing over claims that YouTube uploads were used to train Lyria without consent or compensation. Google has declined to confirm how it sources training data for Lyria. The case joins a growing wave of creator-vs-platform AI training disputes moving through multiple court systems simultaneously, with outcomes that could affect how platforms treat user-uploaded content industry-wide.
Bluesky announced communities — smaller, interest-based spaces built on the AT Protocol, expected sometime this year. The feature directly addresses the Reddit-style topical engagement gap that has been a consistent friction point for users who arrived from Reddit, and it signals Bluesky's shift from decentralized experiment to full-featured platform.
The Oracle PeopleSoft campaign and the North Korean IT-worker findings are the threads worth tracking: both represent sustained, systemic threats with long dwell times, and both suggest that enterprise attack surfaces are wider than most security programs have mapped.
Also yesterday
- Microsoft Defender 'RoguePlanet' Zero-Day Grants SYSTEM Privileges — Patch Now
- Microsoft Defender 'RoguePlanet' Zero-Day Grants SYSTEM on Fully Patched Windows
- Ivanti Patches Max-Severity Sentry Flaw Enabling Remote Code Execution as Root
- Oracle PeopleSoft servers hacked in ShinyHunters data theft attacks
- Cybercriminals claim breach of Oracle PeopleSoft servers at 100-plus organizations
- North Koreans behind nearly half of US tech industry hacks, says CrowdStrike
- The ‘Miasma’ worm source code briefly leaked on GitHub
- GitHub announces npm security changes to tackle supply-chain attacks
- Nearly a million passports and photo IDs were left unprotected on the public internet
- Man sues Florida cops over arrest spurred by "93% match" in facial recognition
- Nobody needs AI to search the Internet, court says in ruling against Google
- xAI fired an engineer who raised alarms about Grok safety, new lawsuit claims
- Fable won’t answer basic biology questions
- Anthropic Proposes Public Fund for Giving Americans Stakes in AI Companies
- Xbox warns of a ‘reset’ as it prepares for layoffs
- Fresh off bond sale, Amazon borrows $17.5 billion from banks as AI spending continues
- Google won’t just admit it’s feeding YouTube creators to its music AI
- Bluesky is getting ‘communities’
Synthesized by Claude · sanity-checked before publish.