joris-decombe · joris-decombe · Dec 23, 2025 · Dec 23, 2025
diff --git a/CLAUDE.md b/CLAUDE.md
@@ -83,7 +83,9 @@ Scenarios are defined as objects with:
 - `injects[]`: Optional events the facilitator can trigger (from Extra Injects table in manual)
 - Each turn has `publicText` (shown to players) and `facilitatorInfo` (hidden, facilitator-only)
 
-**Current Scenarios** (from NCSC NZ Rolls & Responders Facilitator Manual V1.1):
+**Current Scenarios**:
+
+**NCSC NZ Official Scenarios** (from Rolls & Responders Facilitator Manual V1.1):
 
 1. **DDoS Attack** (Code 4452) - Easy
    - Paid stressor service hired by criminals for Bitcoin extortion
@@ -100,10 +102,29 @@ Scenarios are defined as objects with:
    - 3 turns: Pre-Incident → Response Phase → Recovery
    - Injects: Historical researcher warning, media article
 
+**2025 Real-World Incident Scenarios**:
+
+4. **The "Deepfake" CFO** (Code 1461) - Easy
+   - AI-driven BEC via deepfake video (based on 2024 Arup Hong Kong $25M case)
+   - 3 turns: Pre-Incident → Response → Recovery
+   - Inject: Media coverage of similar attacks
+
+5. **The Poisoned Package** (Code 3164) - Medium
+   - Supply chain attack via NPM/PyPI typosquatting (based on XZ Utils CVE-2024-3094 & Polyfill.io)
+   - 3 turns: Pre-Incident → Response → Recovery
+   - Injects: Developer reports anomaly, additional compromised systems discovered
+
+6. **Hypervisor Ransomware** (Code 5126) - Hard
+   - ESXi/Hyper-V ransomware with double extortion (based on ESXiArgs & Akira campaigns)
+   - 3 turns: Pre-Incident → Response → Recovery
+   - Injects: Ransom demand with threat publication, backup corruption discovered
+
 **Adding custom scenarios**:
-1. Add to `SCENARIOS` object in `scenarios.js`
-2. Follow the structure of existing R&R scenarios
-3. Include difficulty rating and scenario code
+1. Add translations to `src/locales/en.json` and `src/locales/fr.json`
+2. Add to `getScenarioData(t)` function in `scenarios.js`
+3. Add scenario ID to `getScenarioIds()` array
+4. Follow the structure of existing R&R scenarios
+5. Include difficulty rating and scenario code
 
 ## Key Files
 

diff --git a/README.md b/README.md
@@ -15,7 +15,8 @@ Based on the [NCSC New Zealand "Rolls & Responders"](https://www.ncsc.govt.nz/pr
 ## Features
 
 - **Dual-View Architecture**: Separate facilitator console and player display that sync via localStorage
-- **Scenario Library**: 3 official NCSC NZ scenarios (DDoS, Ransomware, Cloud Compromise)
+- **Scenario Library**: 6 scenarios including 3 NCSC NZ official scenarios + 3 2025 real-world incident scenarios
+- **Multi-Language Support**: Full English and French translations
 - **D20 Dice System**: Advantage/Disadvantage mechanics for action resolution
 - **Dynamic Injects**: Facilitator can trigger unexpected events during gameplay
 - **Cross-Tab Sync**: Open in multiple windows for simultaneous facilitator/player views
@@ -70,18 +71,34 @@ Facilitators can trigger unexpected events during gameplay.
 
 ## Scenarios
 
-### 1. DDoS Attack (Easy)
+### NCSC NZ Official Scenarios
+
+#### 1. DDoS Attack (Easy)
 **Code**: 4452
 Paid stressor service hired by criminals for Bitcoin extortion. Tests availability response and stakeholder communication.
 
-### 2. Ransomware (Medium)
+#### 2. Ransomware (Medium)
 **Code**: 1456
 Security tester USB attack on admin laptop. Tests backup recovery and incident disclosure.
 
-### 3. Cloud Infrastructure Compromise (Hard)
+#### 3. Cloud Infrastructure Compromise (Hard)
 **Code**: 6244
 Misconfigured access keys lead to PII exfiltration. Tests data breach response and media handling.
 
+### 2025 Real-World Incident Scenarios
+
+#### 4. The "Deepfake" CFO (Easy)
+**Code**: 1461
+AI-driven Business Email Compromise using deepfake video technology. Based on the 2024 Arup Hong Kong incident where $25M was fraudulently transferred via deepfake video conference call. Tests detection of AI-generated media and social engineering response.
+
+#### 5. The Poisoned Package (Medium)
+**Code**: 3164
+Software supply chain attack via NPM/PyPI typosquatting. Based on XZ Utils backdoor (CVE-2024-3094) and Polyfill.io compromise. Tests secure development practices and supply chain security.
+
+#### 6. Hypervisor Ransomware (Hard)
+**Code**: 5126
+VMware ESXi/Hyper-V hypervisor-level ransomware with double extortion tactics. Based on ESXiArgs and Akira ransomware campaigns (2024). Tests critical infrastructure response and backup strategy at the virtualization layer.
+
 ## How to Play
 
 1. **Choose a scenario** on the landing page