Trivy Supply Chain Attack Exposes CI/CD Pipelines; Stryker Hit by Destructive Wiper

Trivy Supply Chain Attack: Credential-Stealing Malware Injected into Official Releases and GitHub Actions

The widely-used open-source security scanner Trivy has been compromised in a sophisticated supply chain attack. Threat actors identified as TeamPCP injected a multi-stage infostealer into official Trivy binaries and GitHub Actions. The breach stemmed from an incomplete credential rotation following a previous compromise, allowing attackers to regain access and modify 75 of 76 `trivy-action` tags and publish a malicious Trivy version `0.69.4`. The malware was designed to steal a wide array of secrets, including cloud credentials, API tokens, and SSH keys from CI/CD environments. The incident has triggered urgent warnings for all users to rotate pipeline secrets, audit workflows, and verify the integrity of their scanner versions, as the malicious code was active for up to 12 hours.

CI/CDDevSecOpsGitHub Actionscredential theftinfostealer +2 more

5 min read

Supply Chain Attack

Malware

Cisco Firewall Zero-Day Exploited by Interlock Ransomware for Over a Month Before Patch

Cisco FMC Flaw (CVE-2026-20131) Actively Exploited as Zero-Day in Interlock Ransomware Attacks

A critical insecure deserialization vulnerability in Cisco's Secure Firewall Management Center (FMC), tracked as CVE-2026-20131, was exploited as a zero-day by the Interlock ransomware gang. Amazon's threat intelligence team discovered that exploitation began on January 26, 2026, a full 36 days before Cisco released a patch in early March. The flaw allows an unauthenticated remote attacker to execute arbitrary Java code with root privileges on the management interface. Following the discovery of in-the-wild exploitation, CISA added the CVE to its Known Exploited Vulnerabilities (KEV) catalog, mandating federal agencies to patch by March 22, 2026. Cisco strongly advises against exposing the FMC management interface to the internet.

zero-dayinsecure deserializationransomwareKEVCISA +2 more

Vulnerability

Ransomware

Identity Protection Firm Aura Ironically Breached via Vishing, 900,000 Records Exposed

HIGH

Aura Data Breach: Voice Phishing Attack on Employee Leads to Exposure of 900,000 Marketing and Customer Records

In a deeply ironic turn of events, identity theft protection company Aura has confirmed a data breach exposing the records of nearly 900,000 individuals. The incident began with a successful voice phishing (vishing) attack, where an employee was socially engineered over the phone into providing credentials. This gave attackers access to a legacy marketing database from an acquired company. The notorious ShinyHunters group claimed responsibility, stating they exfiltrated 12GB of data. The breach affects 35,000 direct Aura customers, whose names, emails, phone numbers, and addresses were exposed. The incident highlights the power of social engineering and the persistent risks of legacy systems from mergers and acquisitions.

vishingsocial engineeringPIIidentity theftM&A security +1 more

Identity Protection Firm Aura Ironically Breached via Vishing, 900,000 Records Exposed

Data Breach

Phishing

Critical UNISOC Modem Flaw Allows Zero-Click RCE on Millions of Android Phones via Cellular Call

Unpatched UNISOC Modem Vulnerability (CWE-674) Enables Remote Code Execution Over Cellular Network

A critical, unpatched vulnerability has been discovered in the modem firmware of several UNISOC chipsets, affecting millions of budget and mid-range Android devices from major brands like Samsung and Motorola. The flaw, an uncontrolled recursion issue (CWE-674), allows a remote attacker to achieve arbitrary code execution simply by initiating a cellular video call and sending a specially crafted SDP message. This triggers a stack overflow in the modem's firmware, crashing it and enabling the execution of shellcode. The attack requires no user interaction beyond the device being reachable on the cellular network, posing a severe risk to users of affected devices, including the Realme C33, on which a full RCE was demonstrated.

modemfirmwarezero-clickRCEstack overflow +2 more

Critical UNISOC Modem Flaw Allows Zero-Click RCE on Millions of Android Phones via Cellular Call

Vulnerability

Mobile Security

Nordstrom Email System Hijacked to Blast Crypto Scams, Abusing Salesforce and Okta Integration

MEDIUM

Nordstrom's Official Email System Compromised to Send Cryptocurrency Scam Messages to Customers

The official customer email system of retailer Nordstrom was compromised and used to send fraudulent cryptocurrency scam emails. Attackers leveraged Nordstrom's integration with Salesforce Marketing Cloud and Okta, sending emails from the trusted `nordstrom@eml.nordstrom.com` address. Disguised as a St. Patrick's Day promotion, the emails promised to double cryptocurrency deposits and successfully bypassed spam filters due to their legitimate origin. The campaign led to at least $5,600 in confirmed losses for victims. This incident follows a pattern of similar attacks on other companies, highlighting a trend of attackers targeting and abusing trusted third-party SaaS platforms to exploit brand trust and reach customers directly.

cryptocurrencyscamSaaS securitybrand impersonationemail security

Nordstrom Email System Hijacked to Blast Crypto Scams, Abusing Salesforce and Okta Integration

Phishing

Cyberattack

Cloud Security

Disgruntled Affiliate Leaks 'The Gentlemen' Ransomware Gang's Playbook

INFORMATIONAL

Inner Workings of 'The Gentlemen' RaaS Leaked by Affiliate, Exposing TTPs and FortiGate Exploitation

The operational playbook of 'The Gentlemen,' a nascent Ransomware-as-a-Service (RaaS) operation, has been leaked by a disgruntled affiliate known as 'hastalamuerte'. The leak, stemming from a financial dispute, provides a rare, unfiltered look into the group's methods. It reveals that The Gentlemen, an offshoot of the Qilin ransomware group, employs dual-extortion tactics and targets Windows, Linux, and ESXi environments. A primary initial access vector is the exploitation of vulnerable Fortinet FortiGate VPNs. The leaked TTPs include using PowerShell and WMI for lateral movement, deploying anti-forensic tools, and using Bring Your Own Vulnerable Driver (BYOVD) exploits. The incident highlights growing instability and internal conflict within the cybercrime ecosystem.

RaaSTTPsthreat intelligenceFortiGateBYOVD +1 more

Ransomware

Threat Intelligence

Critical ConnectWise ScreenConnect Flaw (CVE-2026-3564) Allows Session Hijacking

ConnectWise Patches Critical ScreenConnect Vulnerability (CVE-2026-3564) Enabling Session Hijacking

ConnectWise has patched a critical cryptographic vulnerability in its ScreenConnect remote access software, tracked as CVE-2026-3564. The flaw, which affects all versions prior to 26.1, allows an unauthenticated attacker to extract unique ASP.NET machine keys from server configuration files. These keys can then be used to forge authentication tokens and hijack active remote access sessions. This is extremely dangerous as ScreenConnect is widely used by Managed Service Providers (MSPs) with high levels of privilege in client networks. While ConnectWise is not aware of active exploitation of this specific CVE, it has observed abuse of the underlying technique. All administrators are urged to update to ScreenConnect version 26.1 immediately.

MSPremote accesssession hijackingauthentication bypasscryptography +1 more

Critical ConnectWise ScreenConnect Flaw (CVE-2026-3564) Allows Session Hijacking

Vulnerability

Patch Management

Supply Chain Attack

Microsoft Teams Phishing Campaign Uses Quick Assist to Deploy 'A0Backdoor' Malware

MEDIUM

Attackers Abuse Microsoft Teams and Quick Assist in Social Engineering Campaign to Deliver A0Backdoor

A social engineering campaign is targeting enterprise users on Microsoft Teams to deploy a malware strain named 'A0Backdoor'. Reported on March 20, 2026, the attack begins with attackers contacting employees directly on Teams. They then trick the target into granting remote access to their machine using the legitimate Windows Quick Assist tool. Once access is established, the attackers manually deploy the A0Backdoor malware, which allows them to infiltrate the corporate network, escalate privileges, and maintain persistence. The campaign, which primarily targets the financial and healthcare sectors, highlights the growing abuse of trusted internal collaboration platforms as a vector for initial access and lateral movement.

social engineeringliving off the landbackdoorcollaboration toolsremote access

Phishing

Malware

Security Operations

International Law Enforcement Operation Dismantles Major IoT DDoS Botnets

INFORMATIONAL

Global Operation Disrupts Aisuru, Kimwolf, and Other IoT Botnets Used in 30 Tbps DDoS Attacks

A coordinated international law enforcement operation involving the U.S., Canada, and Germany has successfully disrupted the command-and-control (C2) infrastructure of several major IoT botnets. The operation, reported on March 20, 2026, targeted the Aisuru, Kimwolf, JackSkid, and Mossad botnets, which collectively had infected over 3 million IoT devices like routers and cameras. These botnets were rented out in a 'cybercrime-as-a-service' model to launch massive Distributed Denial-of-Service (DDoS) attacks, some reaching speeds of 30 Terabits per second. The operation involved seizing domains and servers, significantly degrading the criminals' ability to conduct attacks and offer their services.