
BagheeraAltered's CyberSecurity Newsletter

June 15, 2026

The FBI has built a real-world SimCity for cybersecurity

This week, we are looking at how the boundaries between physical and digital threats, and simulations versus reality, continue to blur. On the defense side, the FBI has launched a modern-day Hogan’s Alley in Huntsville, Alabama: a massive 22,000-square-foot fake town complete with a hospital, gas station, and furnished houses designed to simulate real-world cyberattacks. But while the feds are running kinetic simulations, the open-source community is fighting a very real, escalating war. The Atomic Arch supply chain attack on the Arch User Repository (AUR) has spiraled out of control, compromising over 1,500 community-maintained packages with a fresh wave of sophisticated, obfuscated malware just as maintainers thought the breach was contained.


Last year, the FBI opened a Cyber Range in Huntsville, Alabama, for simulating cyberattacks. Think of it sort of like the famous Hogan’s Alley, but for modern digital crime training. It’s a massive 22,000-square-foot replica of an entire town, complete with a convenience store, gas station, hospital, and even fully furnished houses.
https://www.theverge.com/tech/949648/fbi-fake-town-cyberattacks-kinetic-cyber-range

What began as a troubling but seemingly contained breach has spiraled into one of the largest and most damaging attacks ever recorded against the Arch User Repository (AUR). The campaign, dubbed “Atomic Arch” by researchers at software supply chain firm Sonatype, has now compromised over 1,500 community-maintained packages — and just when maintainers thought they had it under control, a new, more sophisticated wave of obfuscated malware has been discovered.
https://peq42.com/blog/aur-malware-problems-got-worse/

In a coordinated effort, the FBI, working with Google and Black Lotus Labs, has dismantled a massive Chinese phishing-as-a-service operation called Outsider Enterprise with thousands of phishing websites used to steal credit card data and passwords. The cybercrime operation used AI and distributed phishing kits for campaigns impersonating various trusted brands in texts sent through AT&T, T-Mobile, and Verizon.
https://www.bleepingcomputer.com/news/security/fbi-disrupts-massive-ai-powered-phishing-service-using-a-million-urls/

A recent security lapse has unveiled the internal workings of an active malware distribution platform, all due to an unsecured PHP installation page. This oversight granted a security researcher unintended administrative access to the threat actor’s dashboard, shedding light on the platform’s operations. The discovery began during routine validation of Indicators of Compromise (IoCs) and web enumeration. The researcher identified several sensitive directories, notably an exposed installation endpoint at “/install/install.php.” This misconfiguration allowed the PHP installer to be rerun on a live production system, a critical security flaw.
https://thedailytechfeed.com/malware-platform-exposed-via-unsecured-php-installer/

FortiAppSec Cloud experienced a major incident on June 15, 2026, affecting WAF Scrubbing Region - GCP - Europe West 3 (Frankfurt), lasting 27 minutes. The incident has been resolved; the full update timeline is below.
https://pingoru.io/providers/fortiweb-cloud/incidents/4093298

Palo Alto Networks has revealed that it has observed "active exploitation" of a recently disclosed PAN-OS vulnerability by an unknown threat actor to obtain unauthorized access to GlobalProtect portals. The vulnerability in question is CVE-2026-0257 (CVSS score: 7.8), an authentication bypass flaw affecting the portal and gateway components of PAN-OS software that could be exploited by bad actors to set up VPN connections.
https://thehackernews.com/2026/06/palo-alto-warns-of-active-exploitation.html

ServiceNow on June 10 issued a public response to reports about a patch it released on June 5 for a cybersecurity issue: the company says the issue involved bug bounty security researchers, not the exploitation of one of its customers by attackers, as first reported. The story broke about a day ago when a letter to ServiceNow customers notifying them of a patch related to the cybersecurity incident was posted on Reddit.
https://www.scworld.com/news/servicenow-says-security-researchers-not-hackers-accessed-data

The officer is accused of using the technology to create evidence in a "number of cases", according to Derbyshire Police. The CPS said it is "engaging with" defence teams and courts which may have been affected by the alleged conduct. The officer has been taken off frontline duties pending the outcome of the investigation, and no arrests have been made. This comes after PoliceAI, a national centre for AI in policing, was launched this week.
https://news.sky.com/story/derbyshire-police-officer-investigated-for-using-ai-to-create-evidence-in-multiple-cases-13553661

Amazon (AMZN.O) CEO Andy Jassy was among tech leaders who raised concerns to senior Trump administration officials this week about security risks in Anthropic’s most advanced AI models, a person familiar with the matter told Reuters. Jassy's involvement sheds light on the extraordinary move by Anthropic on Friday to shut down its latest models globally in response to national security orders from President Donald Trump's administration.
https://www.reuters.com/business/retail-consumer/amazon-voiced-concerns-about-anthropic-ai-models-before-us-governments-crackdown-2026-06-13/

A massive operation dubbed the SearchJack campaign has been uncovered, revealing twenty-three deceptive Chrome browser extensions that silently override users’ default search engines. According to recent reports by IntCyberDigest, these extensions route search queries through monetization middleware before delivering any actual results to the user. This illicit campaign currently affects approximately 758,000 users. It spans at least eight distinct monetization brokers and twenty-two unique publishers.
https://cyberpress.org/chrome-extensions-hijack-searches/

New variants of the NFCShare Android malware are being distributed as fake updates for legitimate banking apps hosted on GitHub. The malware has evolved and is now targeting customers of multiple banks and financial institutions across Europe in a phishing campaign aimed at stealing payment card data. After tricking victims with a fake verification screen to place the cards near the mobile device's near-field communication (NFC) chip, NFCShare reads the information using Android’s IsoDep interface and EMV commands.
https://www.bleepingcomputer.com/news/security/nfcshare-android-malware-spreads-via-fake-banking-app-updates-on-github/

Professional services firm KPMG has pulled a report titled, “Redefining excellence in the age of agentic AI,” after numerous organizations said the report’s claims about their AI usage were untrue. Research group GPTZero identified a number of inaccuracies in the report, which was published in October 2025. GPTZero told the FT that the inaccuracies stemmed from AI hallucinations. In other words, the professional services firm appears to have used AI to help write a report about AI.
https://techcrunch.com/2026/06/13/kpmg-pulls-report-on-ai-usage-due-to-apparent-hallucinations/

A newly discovered data-collection operation, PromptSnatcher, is secretly intercepting the private AI conversations of approximately 90,000 browser users. Operating under the guise of two malicious ad-blocking extensions, the campaign captures sensitive chat logs, account metadata, and model usage from eight major AI platforms while maintaining a completely legitimate appearance.
https://cyberpress.org/ad-blockers-steal-ai-chats/

Nearly a year after a critical vulnerability was patched, advanced threat actors continue exploiting WinRAR to compromise targets across Ukraine. The flaw, tracked as CVE-2025-8088 (CVSS 8.4), allows attackers to bypass security warnings and silently install malware on a victim’s machine. Russia-aligned groups, including SHADOW-EARTH-066 and Earth Dahu, have integrated this exploit into their attack chains to establish a highly reliable initial access vector.
https://cyberpress.org/winrar-ads-malware-delivery/

The global ransomware ecosystem continues to evolve at an alarming pace, with cybercriminal groups increasingly using public leak sites and social media monitoring channels to amplify pressure on their victims. A recent claim circulating through cybersecurity monitoring networks suggests that the ransomware group known as AuditTeam has allegedly targeted a Russian organization identified only as “I-YS.” According to the claim, encrypted systems and potentially stolen corporate data may eventually be exposed if demands are not met.
undercodenews.com/auditteam-targets-russian-organization-with-alleged-ransomware-attack-exposure-plans-dark-web-recent-claims-video

Prior to version 9.2.0495, a Vimscript code injection vulnerability exists in s:NetrwBookHistSave() in the netrw plugin (runtime/pack/dist/opt/netrw/autoload/netrw.vim) when serializing browsed directory paths to the history file ~/.vim/.netrwhist. A directory name derived from the filesystem is interpolated into a single-quoted Vimscript string literal without escaping embedded single quotes, allowing a crafted directory name to break out of the string context and execute arbitrary Vimscript, including shell commands via system() and :!, the next time the history file is sourced.
https://www.thehackerwire.com/vulnerability/CVE-2026-47162/
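The escaping rule behind this class of bug, as an added Python model that is not netrw's own code: a path placed inside a single-quoted Vimscript literal must have every embedded quote doubled, and a serialized entry can be checked for being exactly one well-formed literal before it is ever sourced. The `let g:netrw_dirhist_N=` prefix in `history_line` is an assumption about the history file's layout; the escaping is the point.

```python
# Added Python model of the escaping rule behind the netrw fix; this is not
# netrw's own code. Vimscript single-quoted literals have exactly one escape:
# an embedded ' is written as '' (doubled); nothing else is special.

def vim_squote_unsafe(path: str) -> str:
    """Bare interpolation, the pattern the advisory describes (no escaping)."""
    return "'" + path + "'"


def vim_squote(path: str) -> str:
    """Safe serialization: double every embedded single quote."""
    return "'" + path.replace("'", "''") + "'"


def is_single_literal(text: str) -> bool:
    """True iff `text` is exactly one well-formed single-quoted literal.

    Every quote inside the body must belong to a doubled pair. A lone
    quote closes the literal early, and anything after it would be parsed
    as Vimscript when the file is sourced: that is the injection condition.
    """
    if len(text) < 2 or text[0] != "'" or text[-1] != "'":
        return False
    body, i = text[1:-1], 0
    while i < len(body):
        if body[i] == "'":
            if i + 1 < len(body) and body[i + 1] == "'":
                i += 2          # doubled quote: fine
                continue
            return False        # lone quote: literal ends here
        i += 1
    return True


def vim_unquote(literal: str) -> str:
    """Reverse of vim_squote; raises if the literal is not well formed."""
    if not is_single_literal(literal):
        raise ValueError("not a single well-formed single-quoted literal")
    return literal[1:-1].replace("''", "'")


def history_line(n: int, path: str) -> str:
    """Build one history entry (prefix is an assumed layout, see lead-in)."""
    return f"let g:netrw_dirhist_{n}={vim_squote(path)}"


if __name__ == "__main__":
    # Constructed sample: an ordinary directory name containing an apostrophe.
    sample = "/home/user/o'neil/projects"
    assert is_single_literal(vim_squote(sample))
    assert not is_single_literal(vim_squote_unsafe(sample))
    assert vim_unquote(vim_squote(sample)) == sample
    print(history_line(1, sample))
```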

Atomic Edge analysis of CVE-2026-49078: The WP Travel Engine plugin is vulnerable to unauthorized access due to a missing capability check on a function in versions up to 6.7.10. This vulnerability allows unauthenticated attackers to perform an unauthorized action. The severity is moderate (CVSS 5.3), but the exact nature of the action remains unspecified in the provided diff.
https://atomicedge.io/cve-proof/cve-2026-49078-wp-travel-engine-version-6-7-10-medium-vulnerability-proof-of-concept/

The reported cybersecurity event involving Frey highlights a familiar but increasingly dangerous scenario in the ransomware ecosystem. Frey, known for its environmentally conscious laundry care products in Switzerland, reportedly suffered a disruption after an attack attributed to a group referred to as krybit. Early signals suggest that core systems were impacted enough to require operational remediation, meaning that internal digital infrastructure may have been temporarily compromised or rendered unstable.
https://undercodenews.com/cybersecurity-shockwave-hits-switzerland-frey-ransomware-incident-raises-fresh-alarm-over-european-industrial-cyber-risk-dark-web-recent-claims-video

Pharmaceutical giant Novo Nordisk says data related to clinical trial participants was stolen as part of a cyberattack. The affected patient data was pseudonymized and not directly linked to names or other direct identifiers, the company said. The maker of the Wegovy weight-loss drug said the affected data types include patient ID, information on trial participation, gender, year of birth, biomarkers, health/immunogenicity data, and lifestyle factors including smoking status, alcohol use, and BMI.
https://www.theregister.com/security/2026/06/12/novo-nordisk-says-hackers-stole-clinical-trial-data
