Critical Infrastructure Under Siege as Supply Chain Attacks and Zero-Days Rattle Global Defenses

The initial report stated that medical records were not compromised. However, new information confirms that the breach exposed highly sensitive Protected Health Information (PHI), including specific medical details related to conditions like erectile dysfunction and hair loss, significantly escalating the incident's severity and regulatory implications (HIPAA). Furthermore, the new article provides a deeper technical analysis of the attack vector, detailing how ShinyHunters employed sophisticated MFA bypass techniques such as real-time vishing and OAuth abuse to steal session tokens, rather than just a compromised Okta SSO account. This highlights the need for phishing-resistant MFA like FIDO2/WebAuthn.

Google Chrome has begun rolling out Device Bound Session Credentials (DBSC) in Chrome 146 for Windows. This new security feature cryptographically binds an authentication session to a specific device, rendering stolen session cookies useless to attackers. DBSC directly addresses the threat of session hijacking and MFA bypass via info-stealing malware, which was a core technique used by PhaaS platforms like Tycoon 2FA. This significantly enhances user security by neutralizing a common attack vector.

The update confirms that 71 EU institutions were impacted, explicitly naming the European Medicines Agency (EMA), European Banking Authority (EBA), and notably, ENISA (the EU Agency for Cybersecurity), which escalates the incident's significance. A more precise attack timeline reveals TeamPCP manipulated the Trivy GitHub repository on March 19, 2026, leading to a five-day data exfiltration period until March 24, 2026. The stolen data is further specified to include sensitive emails and personal information of staff. Additional MITRE ATT&CK and D3FEND techniques were also detailed, providing deeper technical insight into the compromise.

New analysis reveals attackers are chaining two zero-day vulnerabilities in Ivanti EPMM: an authentication bypass followed by a code injection, to achieve unauthenticated remote code execution. Post-exploitation activities now include the deployment of webshells, cryptominers, and persistent backdoors, indicating a more severe and persistent threat. This exploit chain allows attackers to gain full control over the MDM server, enabling them to bypass security controls, manipulate device policies, and establish a lasting presence within compromised networks. Organizations are urged to apply vendor patches immediately and hunt for these specific post-exploitation indicators.