The trust playbook is getting weaponized

Published June 2026
What you will learn
How inherited trust failures in signed packages, SaaS access, vendor paths and federated identity reshaped May’s identity risk, and what enterprises should prioritize to reduce exposure in June. 

Delinea Labs June 2026 Threat Outlook

In this monthly series, Delinea Labs reviews the identity-related activity that had the greatest operational impact over the previous month. We focus on how attacks unfolded, what failed in real environments, and what those failures signal for the month ahead.

May added a new wrinkle to a pattern this series has been tracking since December: attackers are now inheriting trust.

The month’s most significant incidents weren’t defined by credential theft or exploitation in the traditional sense. In each case, attackers moved through systems that were working as designed: signed packages, guest-user APIs, third-party vendor access, federated authentication.

The controls didn’t fail, but the trust model behind them did.

That’s a deeper problem that requires a different answer than the ones organizations have been deploying.

Here’s Delinea Labs’ outlook for June 2026.

When the security playbook becomes the attack trigger

On May 11, attackers published 84 malicious package versions across 42 @tanstack/* npm packages in 6 minutes. By the time it was contained, the campaign had spread to 404 versions across npm and PyPI, including packages tied to Mistral AI, UiPath, OpenSearch, and Guardrails AI. OpenAI confirmed that two employee devices were affected.

What made Mini Shai-Hulud different was that none of the standard controls failed. No credentials were stolen, MFA was enabled, and packages carried valid signed provenance. Attackers moved through these defenses by inheriting trust that was already there.

The payload made it worse. A persistent daemon monitored the compromised tokens in the background. The moment a developer took the correct action and revoked the stolen token, the daemon wiped their entire home directory. Following the incident response procedure ended up being the trigger.

What we’re seeing at Delinea Labs

SaaS misconfiguration is becoming a repeatable operational playbook

ShinyHunters’ Salesforce Experience Cloud campaign has been systematically running since September 2025. The attack exploits a single misconfigured guest-user permission on a default API endpoint. Claimed victims in May alone included 7-Eleven, Vimeo, Zara, Cisco, Medtronic, Rockstar Games, and Google. The vulnerability is a default configuration that organizations haven’t touched.

Biometric exposure creates permanent identity damage

NYC Health + Hospitals disclosed that attackers maintained access for roughly 11 weeks through a third-party vendor compromise. The breach affected 1.8 million individuals and included fingerprint and palm-print biometric data. Unlike passwords or tokens, biometrics can’t be rotated. The identity damage from this breach is irreversible.

AI is making the vulnerability window smaller

According to Delinea’s 2026 Identity Security Report, 92% of organizations believe AI will amplify identity-related threats in the coming years. May’s CVE surge suggests that’s already happening, as the window between discovery and exploitation shortens.

Centralized identity infrastructure concentrates systemic risk

Five critical vulnerabilities affecting Microsoft identity infrastructure were disclosed in a single month. These spanned authentication, token validation, secrets management and federated SSO. A weakness in any one of these layers can propagate failures across every application and service that inherits from it.

The vulnerability picture

May recorded 6,308 total CVEs. Of those, 523 were identity-related and 78 directly impacted identity products.

Three CVEs are worth specific attention:

  • CVE-2026-40379 – Azure Entra ID ESTS spoofing. A weakness in Microsoft’s Enterprise Security Token Service exposed sensitive information through flawed token handling. Because ESTS underpins Microsoft 365, Azure and most third-party federated applications, the downstream exposure was significant. Microsoft patched it server-side before disclosure, and no customer action was required.

  • CVE-2026-42602 – Azure Authenticator Extension token validation bypass. A flaw in token validation logic allowed any valid Azure access token to authenticate across unintended receivers. Tokens were replayable for their full issued lifetime.

  • CVE-2026-41103 – Microsoft SSO Plugin for Jira and Confluence. A crafted authentication response allowed attackers to bypass Entra ID and sign in as any user in developer environments. If the entry point is where developers work, the downstream access tends to be significant.

What enterprises should prioritize in June

  1. Revisit incident response procedures for supply-chain scenarios. Mini Shai-Hulud demonstrated that standard token revocation can be anticipated and weaponized. Response procedures for CI/CD and package ecosystem compromises need to account for destructive payloads triggered by remediation actions, not just credential rotation.

  2. Audit SaaS authorization configurations independently of software versions. The ShinyHunters campaign exploits a default configuration, not a software vulnerability. Organizations running Salesforce Experience Cloud should confirm guest-user permissions have been explicitly reviewed and locked down.

  3. Tighten third-party access scope and detection. In the NYC H+H breach, attackers maintained access for one week through a third-party vendor path. Third-party identities require the same scope constraints, session monitoring, and access expiration as internal privileged users.

  4. Apply runtime token validation, not just issuance controls. CVE-2026-42602 was exploitable because validation happened incorrectly at runtime despite correct issuance. Both layers need enforcement.
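
The gap behind recommendation 4, as an added example that is not code from Delinea or Microsoft: one receiver accepts any token the issuer signed, the other also checks issuer, audience and expiry on every request. The HS256 key, issuer URL and `api://` audiences are constructed stand-ins, and the sketch models the general class of receiver-side validation gaps rather than the internals of CVE-2026-42602.

```python
import base64, hashlib, hmac, json, time
# Constructed demo values. A shared HS256 key stands in for the issuer's
# signing key; production Entra ID tokens are RS256 and verified against JWKS.
KEY = b"constructed-demo-key"
ISSUER = "https://issuer.example/"
MY_AUDIENCE = "api://billing-service"   # the only receiver this service is

def _b64(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mint(claims):
    """Issuer side: sign a JWT-shaped token over the given claims."""
    head = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64(json.dumps(claims).encode())
    sig = hmac.new(KEY, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{_b64(sig)}"

def _verified_claims(token):
    """Check the signature with a pinned algorithm; return claims or None."""
    try:
        head, body, sig = token.split(".")
        good = hmac.new(KEY, f"{head}.{body}".encode(), hashlib.sha256).digest()
        if (json.loads(_unb64(head)).get("alg") != "HS256"
                or not hmac.compare_digest(good, _unb64(sig))):
            return None
        claims = json.loads(_unb64(body))
        return claims if isinstance(claims, dict) else None
    except (ValueError, TypeError, AttributeError):
        return None

def accept_weak(token):
    """Issuance-only trust: anything the issuer signed is accepted."""
    return _verified_claims(token) is not None

def accept_strict(token, now=None):
    """Runtime validation: signature plus iss, aud and exp for this receiver."""
    claims = _verified_claims(token) or {}   # empty claims fail the checks below
    now = time.time() if now is None else now
    aud, exp = claims.get("aud"), claims.get("exp")
    audiences = aud if isinstance(aud, list) else [aud]
    return (claims.get("iss") == ISSUER and MY_AUDIENCE in audiences
            and isinstance(exp, (int, float)) and now < exp)

if __name__ == "__main__":
    t = mint({"iss": ISSUER, "aud": "api://hr-service", "exp": time.time() + 60})
    print(accept_weak(t), accept_strict(t))   # token issued for another receiver
```

Both receivers see the same correctly issued token; only the strict one rejects it, because the audience names a different service.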

The Delinea Platform, powered by Iris AI, continuously discovers identities, analyzes privilege risk and enforces access control at the moment of execution across human, machine and AI identities.
