A week with a clear pattern: Spanish companies in the crosshairs. Leroy Merlin and Indra with incidents that have already made national headlines, Vodafone with internal telesales documentation circulating on dark web forums, a critical library without an official patch that sits inside curl, Git and PHP, and a flaw in the Fortune 500's most-used code editor that executes commands without the developer clicking anything. The summary you need before the weekend.

The five stories of the week

🔴 Leroy Merlin Spain: Saturne group leaks 54,723 customer records including DNI numbers, addresses and loyalty card data

The Saturne group published a database free of charge on hacking forums containing 54,723 records from leroymerlin.es customers. Data exposed includes full names, DNI numbers, shipping addresses, billing history and loyalty card codes. Financial data and passwords were reportedly not affected. The DNI is the most serious element: it is a permanent, non-alterable identifier that enables identity impersonation in financial and administrative processes. It is the second security incident affecting Leroy Merlin in less than seven months, following the attack on its French subsidiary in December 2025. Technical audit firm ESIX rated the incident at a severity index of 4.86 out of 5.

→ What you should do: If you are a Leroy Merlin customer, be extra cautious with calls or emails that use personal data to build trust. If your company has loyalty programmes with customers' DNI data, audit the protection of that database and review AEPD notification deadlines (72 hours from the moment of knowledge). Full analysis →

🔴 CVE-2026-55200: Public exploit for a critical libssh2 flaw without an official patch affecting curl, Git and PHP

A researcher published a proof-of-concept for CVE-2026-55200 (CVSS 9.2), a heap overflow in the libssh2 library that lets a malicious or compromised SSH server execute code on any connecting client, without credentials or user interaction. The attack direction is the one least monitored: it is not the server that is exposed, it is the client. The library is statically linked into curl, Git, PHP, backup agents and network devices, meaning that updating the system's shared libssh2 package does not fix those binaries, each of which carries its own copy. The fix is merged into the main repository but no official release has been published yet.

→ What you should do: Inventory which internal tools use libssh2, paying special attention to statically linked binaries. Apply the patch from commit 97acf3d of the repository if you cannot wait for the official release. Restrict outbound SSH connections to untrusted external servers while patching. Full analysis →
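The inventory step above is the one most teams get wrong, because a package-manager update only replaces the shared libssh2.so and leaves statically linked copies untouched. The following POSIX shell helper is an added example, not code from Apolo or from the libssh2 project: it classifies each executable as dynamically linked (the distro package covers it), statically linked (it must be rebuilt or re-downloaded) or clean. It assumes that libssh2 compiles its SSH identification string "SSH-2.0-libssh2_<version>" into any binary that embeds it, so a raw byte search for "libssh2_<version>" reveals copies that ldd cannot see. The scan over PATH is a convenience of this example; the function names are ours.

```shell
#!/bin/sh
# Added example (not from the Apolo post or the libssh2 project): triage helper for the
# "inventory which tools use libssh2" step. Classifies one binary as
#   dynamic <soname>   -> resolves libssh2.so at load time; the distro package fix applies
#   static <banner>    -> carries its own libssh2 copy; must be rebuilt or re-downloaded
#   none               -> no libssh2 found (heuristic: a stripped build could hide the banner)
# Assumption: libssh2 embeds its identification banner "SSH-2.0-libssh2_<version>",
# so the substring "libssh2_<version>" marks a statically linked copy.

libssh2_linkage() {
    f="$1"
    # 1. Dynamic linking: the loader pulls libssh2.so from the system, so the
    #    shared-library package is the thing that needs patching.
    if command -v ldd >/dev/null 2>&1; then
        so=$(ldd "$f" 2>/dev/null | grep -o '[^ ]*libssh2\.so[^ ]*' | head -n 1)
        if [ -n "$so" ]; then
            echo "dynamic $so"
            return 0
        fi
    fi
    # 2. Static linking: search the raw bytes for the embedded version banner.
    #    -a treats the binary as text, -o prints only the matching substring.
    banner=$(grep -a -o 'libssh2_[0-9][0-9.]*' "$f" 2>/dev/null | head -n 1)
    if [ -n "$banner" ]; then
        echo "static $banner"
        return 0
    fi
    echo "none"
    return 0
}

# Walk the directories given as arguments (default: every directory in PATH) and
# report each executable that uses libssh2 in either form, tab-separated: path, finding.
# Directory names containing spaces are not handled by the PATH split.
scan_libssh2() {
    if [ "$#" -eq 0 ]; then
        set -- $(printf '%s' "$PATH" | tr ':' ' ')
    fi
    for d in "$@"; do
        [ -d "$d" ] || continue
        for f in "$d"/*; do
            [ -f "$f" ] && [ -x "$f" ] || continue
            r=$(libssh2_linkage "$f")
            case "$r" in
                none) ;;
                *) printf '%s\t%s\n' "$f" "$r" ;;
            esac
        done
    done
}

# Usage:
#   scan_libssh2                                   # scans every directory in PATH
#   scan_libssh2 /opt/backup-agent/bin /usr/lib/php # scans specific locations
```

Two caveats when you run it in anger. Modules loaded at runtime are invisible to ldd, so for PHP point the function at the ssh2 extension file itself rather than at the php binary. And a "static" hit tells you a copy exists, not that it is vulnerable or fixed: compare the banner version against the libssh2 release that ships the fix once one is published, and until then treat every embedded copy as exposed.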

🔴 Vodafone and Lowi: internal documentation and telesales tool credentials leaked through an external provider

An actor identified as PescobarLegado put up for sale for $400 nearly one million records and internal documentation from Be Call BPO, the provider that manages telesales for Vodafone and Lowi in Spain. The most serious element is not customer data, which does not appear in the published samples, but the access instructions for critical tools such as Smart, RetailX and the OneWay application, with credentials that may still be active until Vodafone revokes them. It is the same third-party risk pattern that affected Vodafone in 2023 and the third incident in the Spanish telco sector in just a few weeks, following Lemmon and Netllar. Vodafone confirmed it is investigating.

→ What you should do: If your company outsources processes with access to critical systems, audit credentials granted to external providers and establish immediate revocation protocols upon any suspicion of compromise. Internal operational documentation deserves the same protection as customer data. Full analysis →

🔴 DuneSlide: two critical Cursor flaws let prompt injection escape the sandbox and run commands with no click or approval

Cato AI Labs published the full research on DuneSlide, two critical vulnerabilities (CVSS 9.8) in Cursor, the AI code editor used by more than half of Fortune 500 companies. A zero-click prompt injection breaks Cursor 2.x’s default sandbox and runs arbitrary commands on the developer’s system with no click and no approval box: it triggers when the developer makes a normal request that unknowingly ingests attacker-controlled content from a connected MCP server or a poisoned search result. CVE-2026-50548 and CVE-2026-50549 are patched in Cursor 3.0 since April, but any earlier version remains exposed.

→ What you should do: Update to Cursor 3.0 or later across the entire developer fleet. Audit which MCP servers the coding agents have connected and limit those connections to what is strictly necessary. Implement OS-level network controls complementary to the native sandboxing. Full analysis →

🔴 Indra confirms a ransomware cyberattack: The Gentlemen group gives 236 hours before leaking stolen data

The Gentlemen ransomware group claimed to have breached the systems of Indra Group, the Spanish technology company present in defence, electoral systems, public administration and transport. Indra confirmed the presence of ransomware in a subsidiary and immediately activated its CSIRT, ruling out spread to the rest of the group. The attackers activated a 236-hour countdown before publishing the allegedly stolen data. The Gentlemen is a Russian-speaking group with over 250 claimed victims since July 2025, characterised by targeted, highly disciplined operations and use of AI-powered tools.

→ What you should do: Do not pay the ransom (INCIBE’s official recommendation). Verify network segmentation between subsidiaries and critical environments. Review that your incident response plan has immediate CSIRT activation protocols. If you operate in strategic sectors, assume groups like The Gentlemen have identified you as a high-value target. Full analysis →

Apolo Cybersecurity: your weekly cybersecurity partner

Every week we break down the news that really matters for your organisation’s security. If you want to know how exposed your business is to any of these threats, we’re one click away.
