Security Check-in Quick Hits: Proxy Botnets, Medical Breaches, AI Coding Risks, and Firewall Credential Heists
For July 3, 2026
Google Disrupts Massive NetNut Residential Proxy Network Spanning Millions of Devices
Google, in coordination with the FBI, Lumen, and other partners, has significantly degraded the NetNut (also known as Popa) residential proxy network, which compromised around 2 million home devices like smart TVs and streaming boxes. These devices were rented out to cybercriminals and nation-state actors to mask their origins during attacks, including password-guessing campaigns.
The operation involved disabling Google accounts and services tied to the network’s command-and-control infrastructure, sharing technical intelligence, and updating protections like Google Play Protect. This disruption reduces the pool of usable proxy devices by millions, hampering threat actors who rely on residential IPs for stealth. Home users with IoT devices should ensure firmware updates, strong segmentation, and monitoring for unusual outbound traffic. This highlights the ongoing battle against botnets that turn consumer hardware into infrastructure for crime.
Medtronic Data Breach Affects 3.8 Million Individuals via ShinyHunters
Medical device giant Medtronic has notified over 3.8 million individuals of a data breach that occurred in April 2026. The infamous ShinyHunters extortion group allegedly accessed corporate IT systems, claiming to have stolen millions of records including personally identifiable information (PII) and terabytes of internal data. While patient-facing devices and operations were reportedly unaffected, the breach involved unauthorized access between April 13-19.
This incident fits ShinyHunters’ pattern of targeting SaaS platforms and using social engineering. Affected individuals should monitor for identity theft, and organizations everywhere are reminded of the risks from third-party access and misconfigurations. Medtronic’s disclosure underscores the high stakes in healthcare cybersecurity, where breaches can expose sensitive medical and personal data.
Critical DuneSlide Vulnerabilities in Cursor AI Code Editor Enable Zero-Click RCE
Researchers at Cato AI Labs discovered two critical remote code execution (RCE) vulnerabilities (CVE-2026-50548 and CVE-2026-50549, CVSS 9.8) in the popular Cursor AI code editor, used by over half of Fortune 500 companies. Dubbed DuneSlide, these flaws allow zero-click prompt injection attacks that escape the IDE’s sandbox, leading to arbitrary code execution on the developer’s machine.
Attackers can plant malicious instructions in connected services, web searches, or MCP (Model Context Protocol) inputs. Patches are available in newer versions, but developers using AI coding tools must update immediately, review sandbox configurations, and be cautious with untrusted contexts. This serves as a stark warning about the expanding attack surface of AI-augmented development environments.
FortiBleed Campaign Fuels Ransomware with Stolen FortiGate Credentials
The FortiBleed credential-harvesting operation has compromised tens of thousands of Fortinet FortiGate firewalls worldwide (estimates range from 30k–75k+ devices). Attackers extracted and cracked credentials, with links now confirmed to INC Ransom and Lynx ransomware operations. Over 100 million credentials may be involved, enabling follow-on intrusions and ransomware deployments.
Organizations must enforce MFA, rotate credentials, apply patches, and monitor for anomalous access. This campaign exploits weak password hygiene and internet-exposed devices, emphasizing the need for proper network segmentation and zero-trust principles. Fortinet has issued guidance, but the scale underscores persistent risks to edge security appliances.
These quick hits reflect the relentless pace of cyber threats— from large-scale infrastructure takedowns and data exfiltration to emerging AI risks and supply-chain-adjacent campaigns. Stay vigilant with updates, least-privilege access, and continuous monitoring



