the threat gazette
Afternoon Update
Intraday Update
Ransomware

ShinyHunters Claims Rockstar Games Cloud Breach via Snowflake; Ransom Deadline Expired

Scattered Spider

ShinyHunters has claimed responsibility for breaching Rockstar Games' cloud infrastructure via Snowflake, with Rockstar confirming unauthorized data access to Kotaku. The group's April 14 extortion deadline has passed, making data publication likely if the ransom was not paid. The attack vector reprises ShinyHunters' 2024 Snowflake credential-stuffing campaign that compromised ~165 organizations including Ticketmaster and Santander Bank. The playbook is well-established: harvest credentials from infostealers or credential dumps, target Snowflake tenants lacking enforced MFA, exfiltrate in bulk, then run staged extortion. Financial institutions with Snowflake deployments share the same threat profile if MFA enforcement, network policy restrictions, and session token auditing have gaps. Note: the enrichment pipeline misattributed this to Scattered Spider. ShinyHunters and Scattered Spider are distinct actors with different TTPs and membership — the 2022 Rockstar breach (via corporate Slack) was Scattered Spider/LAPSUS$; this is a different group exploiting a different vector.

ShinyHunters keeps operating despite arrests across multiple jurisdictions — unusual resilience for a financially motivated group. The more important pattern: Snowflake as shared cloud data infrastructure remains a single point of failure across hundreds of enterprises. One compromised tenant credential, no MFA, mass exfil. The 2024 campaign proved this at scale, and they're running the same play again. If you're on Snowflake, this is your quarterly reminder that credential hygiene on cloud data platforms is existential.
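The two gaps named above (MFA not enforced, no network policy) are visible in login telemetry before any exfiltration happens. The following added example, not from the gazette or from Snowflake, runs a simple review over rows shaped like Snowflake's ACCOUNT_USAGE.LOGIN_HISTORY view (the column names are that view's; the sample rows, the factor value strings and the approved network ranges are constructed for the example). It flags successful password-only logins, logins from outside the approved ranges, and users who have never completed a second factor, which is the population a credential-stuffing campaign of the 2024 kind can walk straight through.

```python
"""Review login telemetry for the conditions that made the 2024 Snowflake campaign work."""
import ipaddress

# Constructed sample rows (column names follow ACCOUNT_USAGE.LOGIN_HISTORY; values invented).
SAMPLE_LOGINS = [
    {"EVENT_TIMESTAMP": "2026-04-10T08:01:00Z", "USER_NAME": "ETL_SVC",
     "CLIENT_IP": "10.20.0.15", "FIRST_AUTHENTICATION_FACTOR": "PASSWORD",
     "SECOND_AUTHENTICATION_FACTOR": None, "IS_SUCCESS": "YES"},
    {"EVENT_TIMESTAMP": "2026-04-10T08:05:00Z", "USER_NAME": "ANALYST1",
     "CLIENT_IP": "198.51.100.7", "FIRST_AUTHENTICATION_FACTOR": "PASSWORD",
     "SECOND_AUTHENTICATION_FACTOR": "DUO_PUSH", "IS_SUCCESS": "YES"},
    {"EVENT_TIMESTAMP": "2026-04-10T23:40:00Z", "USER_NAME": "ANALYST1",
     "CLIENT_IP": "203.0.113.9", "FIRST_AUTHENTICATION_FACTOR": "PASSWORD",
     "SECOND_AUTHENTICATION_FACTOR": None, "IS_SUCCESS": "YES"},
    {"EVENT_TIMESTAMP": "2026-04-10T23:41:00Z", "USER_NAME": "ANALYST2",
     "CLIENT_IP": "203.0.113.9", "FIRST_AUTHENTICATION_FACTOR": "PASSWORD",
     "SECOND_AUTHENTICATION_FACTOR": None, "IS_SUCCESS": "NO"},
    {"EVENT_TIMESTAMP": "2026-04-11T07:30:00Z", "USER_NAME": "ANALYST2",
     "CLIENT_IP": "198.51.100.8", "FIRST_AUTHENTICATION_FACTOR": "PASSWORD",
     "SECOND_AUTHENTICATION_FACTOR": "DUO_PUSH", "IS_SUCCESS": "YES"},
]

# Hypothetical approved source ranges (what an enforced network policy would allow).
ALLOWED_NETWORKS = [ipaddress.ip_network("10.20.0.0/16"),
                    ipaddress.ip_network("198.51.100.0/24")]


def classify_login(row, allowed_networks=ALLOWED_NETWORKS):
    """Return the list of policy gaps a single successful login exposes."""
    reasons = []
    if row["IS_SUCCESS"] != "YES":
        return reasons                      # failed attempts are noise for this check
    if (row["FIRST_AUTHENTICATION_FACTOR"] == "PASSWORD"
            and not row["SECOND_AUTHENTICATION_FACTOR"]):
        reasons.append("password-only login (no MFA)")
    ip = ipaddress.ip_address(row["CLIENT_IP"])
    if not any(ip in net for net in allowed_networks):
        reasons.append("source outside approved networks")
    return reasons


def audit_logins(rows, allowed_networks=ALLOWED_NETWORKS):
    """Per-login alerts plus the set of users who have never presented a second factor."""
    alerts, all_users, users_with_mfa = [], set(), set()
    for row in rows:
        if row["IS_SUCCESS"] != "YES":
            continue
        all_users.add(row["USER_NAME"])
        if row["SECOND_AUTHENTICATION_FACTOR"]:
            users_with_mfa.add(row["USER_NAME"])
        reasons = classify_login(row, allowed_networks)
        if reasons:
            alerts.append({"time": row["EVENT_TIMESTAMP"], "user": row["USER_NAME"],
                           "ip": row["CLIENT_IP"], "reasons": reasons,
                           # both gaps at once is the stolen-credential pattern
                           "priority": "high" if len(reasons) == 2 else "medium"})
    return {"alerts": alerts, "users_never_mfa": sorted(all_users - users_with_mfa)}


if __name__ == "__main__":
    for alert in audit_logins(SAMPLE_LOGINS)["alerts"]:
        print(alert)
    print("never used MFA:", audit_logins(SAMPLE_LOGINS)["users_never_mfa"])
```

The password-only check is deliberately keyed to the PASSWORD first factor: key-pair, OAuth and SAML logins carry their second factor elsewhere, and flagging them would bury the service accounts that actually need attention. In a real tenant the rows come from the ACCOUNT_USAGE view rather than a literal, and the "never used MFA" list is the enforcement backlog.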

2026-04-11
1 source
+ Scattered Spider

Editorial

The Rockstar Games breach is headline-grabbing but the underlying mechanic is the real story: ShinyHunters is still successfully leveraging Snowflake credential compromise nearly two years after the AT&T/Ticketmaster campaign that should have been a sector-wide wake-up call. Scattered Spider's appearance in the actor list suggests the same loose affiliate ecosystem that powered the 2024 wave remains operationally active. With the ransom deadline having expired yesterday and no public resolution, expect a data dump shortly — but the strategic takeaway is that cloud data warehouse credentials remain a persistently underprotected attack surface, particularly where MFA enforcement is optional rather than mandatory.

The GNU tar desync vulnerability (CVE-2026-5704) is the kind of subtle, boring bug that ends up in post-mortems a year from now. The association of Axiom and Moafee — both Chinese espionage-focused groups with long track records in supply chain operations — with a vulnerability that lets you smuggle files past pre-extraction audits is deeply suggestive; this is purpose-built for poisoning CI/CD pipelines and software build systems that trust `tar -t` output as a security gate. Three oss-sec entries on day one indicate the research community sees it too. Any pipeline that ingests untrusted archives and relies on listing before extraction to validate contents has a logic flaw that no amount of patching will fix — the architectural assumption itself is broken.

Notable

Vulnerabilities

GNU tar Archive Listing/Extraction Desynchronization Enables Hidden File Injection (CVE-2026-5704)

CVE-2026-5704 Axiom Moafee

CVE-2026-5704 describes a desynchronization between GNU tar's listing (`tar -t`) and extraction (`tar -x`) operations that allows a crafted archive to contain files invisible to pre-extraction audits. An attacker who controls a tarball processed by an automated pipeline can inject arbitrary files that won't appear in any content verification step. EPSS is negligible (0.00025) and no public exploit exists, so mass exploitation isn't the concern. The real attack surface is automated pipelines performing check-then-extract workflows on untrusted archives: CI/CD artifact intake, container image builds, package processing. This is a TOCTOU-class bug where the audit and the action operate on different views of the same archive.

Low-EPSS, high-consequence-if-it-matters. The realistic attacker isn't scanning the internet — it's someone who controls a package or artifact your build pipeline ingests, which is exactly the threat model behind 3CX and XZ Utils. Worth a targeted review of any pipeline that pre-audits tar contents before extraction. The spurious APT attribution in enrichment (Axiom, Moafee) is a false positive worth investigating on the pipeline side.
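The "targeted review" suggested above comes down to one structural question: does the pipeline make its accept/reject decision on the same object it extracts, and does it verify what actually landed on disk? The added example below (written for this note, not from the gazette, GNU tar or any affected project, and not a fix for CVE-2026-5704, whose details are not described here) shows the intake pattern that does not depend on a listing at all: each member is judged and extracted in a single pass with Python's tarfile, and the extraction directory is then walked and compared against the approved set. The allowed prefixes and the sample archive are constructed for the example.

```python
"""Archive intake that audits what extraction produces, not what a listing claims."""
import io
import os
import tarfile
import tempfile
from pathlib import Path

# Hypothetical intake policy for the example: only regular files and directories,
# relative paths without "..", and only under these prefixes.
ALLOWED_PREFIXES = ("src/", "docs/")


def member_allowed(member: tarfile.TarInfo) -> bool:
    """Policy decision taken on the exact TarInfo object that will be extracted."""
    if not (member.isfile() or member.isdir()):
        return False                        # symlinks, hardlinks, devices: never
    parts = Path(member.name).parts
    if member.name.startswith("/") or ".." in parts:
        return False
    norm = member.name.rstrip("/") + ("/" if member.isdir() else "")
    return norm.startswith(ALLOWED_PREFIXES)


def extract_and_audit(archive_bytes: bytes, dest: str) -> dict:
    """Single-pass decide-then-extract, followed by a filesystem audit of `dest`."""
    approved, rejected = set(), []
    # 'data' filter exists on interpreters that ship tarfile extraction filters
    extra = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r:*") as tar:
        for member in tar:                  # no separate listing step anywhere
            if not member_allowed(member):
                rejected.append(member.name)
                continue
            tar.extract(member, path=dest, **extra)
            rel = member.name.rstrip("/")
            approved.add(rel)
            # parent directories are created implicitly, so approve them too
            approved.update(str(p) for p in Path(rel).parents if str(p) != ".")
    # Second gate: enumerate the filesystem itself and diff it against the approvals.
    on_disk = set()
    for root, dirs, files in os.walk(dest):
        for name in dirs + files:
            full = os.path.join(root, name)
            if os.path.islink(full):
                raise RuntimeError(f"symlink appeared on disk: {full}")
            on_disk.add(os.path.relpath(full, dest))
    unexpected = sorted(on_disk - approved)
    return {"approved": sorted(approved), "rejected": sorted(rejected),
            "unexpected": unexpected, "ok": not unexpected}


def build_sample_archive() -> bytes:
    """Constructed sample input: two in-policy files, one out-of-policy file, one symlink."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in (("src/main.c", b"int main(void) { return 0; }\n"),
                           ("docs/README", b"sample\n"),
                           ("tools/helper.txt", b"outside the allowed prefixes\n")):
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
        link = tarfile.TarInfo("docs/latest")
        link.type = tarfile.SYMTYPE
        link.linkname = "README"
        tar.addfile(link)
    return buf.getvalue()


def run_example() -> dict:
    with tempfile.TemporaryDirectory() as dest:
        return extract_and_audit(build_sample_archive(), dest)


if __name__ == "__main__":
    print(run_example())
```

The point is not the specific policy but the shape: there is no moment where one view of the archive vouches for another. If a future tool-level desync ever let a member slip past `member_allowed`, the post-extraction walk would still report it under `unexpected`, and the intake would fail closed rather than promote the artifact.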