Polymarket, Wells Fargo, GitHub RCE Lead High-Volume Breach Day
Summary
Today's threat landscape is defined by a high volume of opportunistic data breaches targeting government and education sectors, particularly in Indonesia and Latin America, alongside significant financial sector exposures. Defenders should prioritize patching a critical GitHub RCE flaw (CVE-2026-3854) and be aware that the VECT 2.0 ransomware variant now acts as a destructive wiper, making file recovery impossible for victims. The resurfacing of the Brazilian LofyGang group with a new Minecraft-targeted stealer signals a continued shift toward gaming-adjacent malware campaigns.
Today's developments
A wave of alleged data breaches and leaks dominated today's reporting, with several high-profile incidents demanding immediate attention. The most notable include an alleged full API breach of Polymarket.com, a US-based prediction market platform, with the actor xorcat claiming to have accessed over 300,000 records. Separately, actor RubiconH4ck claims to have breached Wells Fargo, alleging a database of 4.6 million records. These financial sector incidents underscore the persistent targeting of high-value data repositories.
Government and education sectors remain heavily targeted. In Indonesia, multiple actors claimed breaches against the Indonesian Police Database (JAX7), the Ministry of Health (Citizen), and several universities including Universitas Gadjah Mada (Mr. Hanz Xploit). In France, actors claimed breaches against paris.fr (430k records, Data Breach VIP), MONDIAL RELAY, and URSSAF (hackplanete). Guatemala saw a significant alleged breach of RENAP (18M records) and SAT (5.6M vehicles) by actor GordonFreeman.
Industry analysis provides critical context for these events. Researchers disclosed CVE-2026-3854, a critical command injection flaw in GitHub.com and GitHub Enterprise Server (CVSS 8.7) that allows authenticated users to achieve remote code execution via a single git push. Microsoft confirmed active exploitation of CVE-2026-32202, a Windows Shell spoofing vulnerability. Additionally, threat hunters warn that VECT 2.0 ransomware irreversibly destroys files larger than 131 KB across Windows, Linux, and ESXi, functioning as a wiper rather than an encryptor. The Brazilian group LofyGang has resurfaced after three years with a new stealer, LofyStealer, targeting Minecraft players.
Threat landscape signals
Actor concentration is notable, with NoName057(16) responsible for 16 DDoS-focused events and BABAYO EROR SYSTEM claiming 11 events, primarily targeting Indonesian entities. The United States (26 events), United Kingdom (14), and Indonesia (13) were the most victimized countries. The data breach category (68 events) far outpaces ransomware (21) and DDoS (43), indicating a shift toward data exfiltration and extortion over encryption-based attacks. The high number of alleged breaches against government administration and education sectors -- particularly in Indonesia and Latin America -- suggests these actors view those sectors as soft targets with weak security postures. The emergence of destructive ransomware variants like VECT 2.0 and the return of LofyGang highlight an evolving, multi-vector threat environment where traditional recovery strategies, such as restoring from backups after paying for a decryptor, may fail.
CTI brief — 28 April 2026
The full brief covers ransomware claims, data leaks and threat actors disclosed on this date. Today's brief is open to all readers; historical editions are part of the subscriber feed.