Google Patches Actively Exploited Chrome Zero-Day Flaw

"An 'exploit for CVE-2026-11645 exists in the wild,'" Google wrote as it pushed out an emergency set of Chrome fixes this week — one more reminder that a single vulnerability can force global software housekeeping on short notice.

Google Chrome: 74 fixes and a V8 zero-day

Google released updates addressing 74 vulnerabilities in Chrome, including a high-severity zero-day tracked as CVE-2026-11645 (CVSS 8.8). The bug is described as an out-of-bounds memory access in V8, Chrome's JavaScript and WebAssembly engine. Google acknowledged that an "exploit for CVE-2026-11645 exists in the wild" but withheld additional technical detail to prioritize widespread patching. The company has fixed five actively exploited Chrome zero-days so far this year, including CVE-2026-2441, CVE-2026-3909, CVE-2026-3910, and CVE-2026-5281.

ShinyHunters (UNC6240) exploits Oracle PeopleSoft zero-day

The extortion group ShinyHunters, also tracked as UNC6240, exploited an unpatched Oracle PeopleSoft flaw, CVE-2026-35273 (CVSS 9.8), which involves missing authentication for a critical function and could allow takeover of PeopleSoft Enterprise PeopleTools. Google Mandiant observed exploitation between May 27 and June 9, 2026. Rapid7 reported attackers conducted targeted internal reconnaissance using MeshCentral, then moved laterally and exfiltrated data; stolen data was published on the ShinyHunters Data Leak Site on June 9, 2026. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the flaw to its Known Exploited Vulnerabilities (KEV) catalog and set a remediation deadline for Federal Civilian Executive Branch (FCEB) agencies of June 15, 2026. The campaign primarily hit higher education: 68% of more than 100 notified organizations were universities and colleges, Rapid7 said.

Atomic Arch: abandoned Arch Linux packages weaponized

Sonatype documented a campaign, codenamed Atomic Arch, in which unknown actors compromised hundreds of legitimate-but-abandoned packages in the Arch User Repository (AUR). Malicious preinstall scripts were added that downloaded and executed an npm package named atomic-lockfile. Sonatype's analysis found atomic-lockfile bundled a Linux payload with credential-harvesting, stealth, anti-debugging, and potential data-exfiltration capabilities. The initial count of affected packages was 400; Sonatype said the total rose to over 1,500. As of June 12, 2026, Arch Linux developers had deleted all the malicious commits they were aware of.
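
For anyone auditing AUR build directories they already have on disk, the following added example (not code from Sonatype or Arch Linux) scans a package's `.install` scriptlet for hooks that pull npm packages or pipe a download into a shell. The only indicator taken from the article is the name atomic-lockfile; the command patterns, the mapping of "preinstall scripts" to Arch's `pre_install()` hook, and both sample scriptlets are assumptions made for illustration.

```python
import re

KNOWN_BAD = "atomic-lockfile"   # package name reported in the article
# Assumed command shapes; the article does not show the actual script lines.
SUSPICIOUS = {
    "npm-exec": re.compile(r"\b(?:npm\s+(?:install|i|exec)|npx)\b"),
    "fetch-and-run": re.compile(r"\b(?:curl|wget)\b[^\n|]*\|\s*(?:ba)?sh\b"),
}
HOOK_START = re.compile(
    r"^\s*(?:function\s+)?((?:pre|post)_(?:install|upgrade|remove))\s*\(\s*\)")

def split_hooks(text):
    """Return {hook_name: [(lineno, line), ...]} using brace-depth tracking."""
    hooks, current, depth = {}, None, 0
    for lineno, line in enumerate(text.splitlines(), 1):
        m = HOOK_START.match(line)
        if current is None and m:
            current, depth = m.group(1), 0
            hooks[current] = []
        if current is None:
            continue
        hooks[current].append((lineno, line))
        depth += line.count("{") - line.count("}")
        if depth <= 0 and "}" in line:
            current = None          # closing brace of the hook body
    return hooks

def scan_install_script(text):
    """List (hook, lineno, rule) for every suspicious non-comment line."""
    findings = []
    for hook, body in split_hooks(text).items():
        for lineno, line in body:
            if line.lstrip().startswith("#"):
                continue            # commented-out text never executes
            rules = [name for name, rx in SUSPICIOUS.items() if rx.search(line)]
            if KNOWN_BAD in line:
                rules.append("known-bad-package")
            findings.extend((hook, lineno, rule) for rule in rules)
    return findings

# Constructed samples, not recovered from the campaign.
SAMPLE_TAMPERED = ("pre_install() {\n  npm install -g atomic-lockfile\n}\n"
                   "post_install() {\n  echo \"done\"\n}\n")
SAMPLE_CLEAN = ("post_install() {\n  # run npm install yourself for plugins\n"
                "  systemd-sysusers example.conf\n}\n")

if __name__ == "__main__":
    for name, sample in (("tampered", SAMPLE_TAMPERED), ("clean", SAMPLE_CLEAN)):
        print(name, scan_install_script(sample))
```

A hit is a prompt to read the scriptlet and its commit history, not a verdict: some legitimate packages do call npm during installation.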

Outsider PhaaS takedown: scale, templates, and Gemini

The U.S. Federal Bureau of Investigation announced it took down several domains tied to Outsider, a Chinese phishing-as-a-service (PhaaS) kit that Google estimated enabled the theft of about 3,870,000 credit cards and roughly $1.9 billion in losses since July 2023. Google said it is pursuing legal action against the operators, who used Gemini to "help generate fraudulent phishing pages and deploy massive SMS phishing ('smishing') attacks." According to a Google complaint, the group "built, maintains, and uses a turn-key, online software suite that enables criminals, regardless of technical skill, to publish fraudulent websites designed to rob victims and enrich themselves." Outsider reportedly sold access at $88 per week or $200 per month and offered more than 290 pre-built templates designed to harvest passwords, multi-factor authentication codes, and real-time financial information.

Check Point VPN flaw CVE-2026-50751: deprecated defaults remain dangerous

Check Point warned of active exploitation of CVE-2026-50751 (CVSS 9.3), impacting Remote Access VPN and Mobile Access setups that still use the deprecated IKEv1 key exchange. The flaw is a logic flow weakness in certificate validation that can let an unauthenticated remote attacker bypass user authentication and establish a VPN session without a valid password. Check Point first noted suspicious activity on June 4, 2026, but the earliest observed exploitation dates to May 7, 2026; exploitation efforts increased in June and have been limited to a "few dozen targeted organizations globally." In at least one incident, post-exploitation activity tied to the flaw was associated with a Qilin ransomware affiliate.

What this means for security teams, higher education, and FCEB agencies

  • Security teams: Patch cadence and inventory hygiene are central. Multiple active zero-days and a flood of high-severity CVEs (including Chrome, Check Point VPN, and Oracle PeopleSoft) underscore the need to prioritize fixes for KEV-listed flaws and to hunt for legacy protocols such as IKEv1.
  • Higher education institutions: With 68% of PeopleSoft notifications affecting universities and colleges, these organizations should review PeopleSoft Environment Management Hub endpoints (PSEMHUB) and apply vendor patches immediately while investigating signs of lateral movement and MeshCentral activity.
  • FCEB agencies: CISA's KEV deadline for CVE-2026-35273 set a firm remediation target of June 15, 2026, reinforcing the expectation that federal systems remove known-exploited exposures within prescribed windows.

This week's incidents are less about technical wizardry than familiar operational failures: unpatched systems, abandoned packages, deprecated defaults, and commodified phishing tools. The linked cases — from Chrome and PeopleSoft zero-days to the Arch repository compromise and Outsider's PhaaS — make the same point in different languages. One disclosed flaw may be the first clue to a wider set of forgotten risks hidden in a network's day-to-day entropy.