L'attaque sur la chaîne d'approvisionnement du scanner de vulnérabilités Trivy s'est étendue aux images Docker et aux dépôts GitHub. La plateforme Tycoon2FA est revenue à pleine activité quelques semaines après la perturbation par Europol. Crunchyroll enquête sur une fuite touchant potentiellement 6,8 millions d'utilisateurs.
The TeamPCP hackers who initially backdoored the popular open-source Trivy vulnerability scanner have expanded their attack, pushing malicious Docker images and hijacking Aqua Security's GitHub organization to tamper with dozens of repositories.
This is one of the most significant supply-chain attacks of 2026 so far. Trivy, maintained by Aqua Security, is one of the most widely used open-source vulnerability scanners in the world — integrated into thousands of CI/CD pipelines, Kubernetes deployments, and DevSecOps workflows. Compromising Trivy means compromising the security tool that organizations rely on to find vulnerabilities.
The TeamPCP hackers have now expanded the attack in two critical ways:
Organizations using Trivy trusted it to improve their security posture. Instead, compromised versions actively undermine it — sending vulnerability data to attackers (essentially giving them a roadmap of exploitable weaknesses) while providing organizations with false assurance that their systems have been scanned. This is the security tool supply-chain nightmare scenario.
The Tycoon2FA phishing-as-a-service (PhaaS) platform, which Europol and partners disrupted on March 4, has already returned to previously observed activity levels — just three weeks after the takedown.
Tycoon2FA is one of the most dangerous phishing platforms in operation because it specifically targets and bypasses multi-factor authentication (MFA). Using adversary-in-the-middle (AiTM) proxy techniques, Tycoon2FA intercepts both the user's credentials and their MFA tokens in real-time, giving attackers full access to accounts protected by SMS, TOTP, or push-based MFA.
The platform's rapid recovery after the Europol disruption on March 4 demonstrates the resilience of modern cybercrime infrastructure. Key observations:
For organizations subject to NIS2, the Tycoon2FA resurgence highlights a critical gap: standard MFA is no longer sufficient as a standalone control. NIS2 Article 21(2)(j) requires multi-factor authentication, but the regulation doesn't specify the type. Organizations should proactively move to phishing-resistant MFA (FIDO2/WebAuthn) before auditors and regulators start making this distinction.
Anime streaming platform Crunchyroll is investigating a security incident after a threat actor claimed to have stolen personal information for approximately 6.8 million users.
Crunchyroll, owned by Sony, is one of the world's largest anime streaming platforms. A threat actor has posted claims of having exfiltrated user data including email addresses, usernames, subscription details, viewing history, and potentially hashed passwords. Crunchyroll has confirmed it is investigating the claims but has not yet confirmed the scope or authenticity of the data.
If confirmed, this would be one of the larger entertainment-sector breaches of 2026. The data is particularly valuable for:
The TeamPCP hacking group is targeting Kubernetes clusters with a malicious script that detects Iranian system configurations and deploys a wiper to destroy all data on affected machines.
In a move that blends hacktivism with infrastructure sabotage, the TeamPCP group — the same actors behind the Trivy supply-chain attack — is deploying destructive wiper malware against Kubernetes clusters configured for Iran. The attack uses a script that checks system locale settings, timezone configurations, and network indicators to determine if a cluster serves Iranian infrastructure.
When Iranian indicators are detected, the script triggers a full wiper sequence:
Regardless of geopolitical targeting, this attack demonstrates critical Kubernetes security gaps that affect all organizations: container escape to host, insufficient RBAC policies allowing cluster-wide destruction, and lack of immutable backup strategies. The EU Cyber Resilience Act (CRA) will require manufacturers of Kubernetes platforms and container tools to address these categories of risk.
Mazda Motor Corporation has disclosed a security incident detected in December 2025 that exposed information belonging to employees and business partners. While the company has not disclosed the full scope, the breach affects internal corporate data rather than customer-facing systems.
The delayed disclosure — more than three months between detection and public announcement — raises questions about incident reporting timelines. Under NIS2, essential and important entities would be required to submit an early warning within 24 hours and a full incident notification within 72 hours. Automotive manufacturers increasingly fall under NIS2 scope as part of critical supply chains.
The FBI has issued a warning that Iranian hackers linked to the Ministry of Intelligence and Security (MOIS) are using Telegram as a malware delivery and command-and-control channel. The Handala group, recently officially attributed to the Iranian government, is distributing malware through Telegram channels and using the platform's API for C2 communications.
This is notable because Telegram is widely used for legitimate business communications, particularly in the Middle East, Central Asia, and parts of Europe. The FBI advisory recommends:
With U.S. tax season approaching, Microsoft has flagged campaigns targeting approximately 29,000 users with IRS-themed phishing emails. The campaigns deploy Remote Monitoring and Management (RMM) malware — legitimate tools repurposed for unauthorized remote access. This is a growing trend: attackers use tools like ConnectWise ScreenConnect, AnyDesk, or similar RMM software to maintain persistent access that blends in with legitimate IT management traffic.
| Menace | Sévérité | Type | Action requise |
|---|---|---|---|
| Trivy Supply-Chain Attack Expansion | CRITICAL | Supply Chain | Stop using Trivy, audit CI/CD pipelines |
| Tycoon2FA PhaaS Resurgence | CRITICAL | Phishing | Deploy FIDO2/WebAuthn MFA |
| Crunchyroll 6.8M User Breach | HIGH | Data Breach | Change passwords, check reuse |
| TeamPCP Kubernetes Wiper | HIGH | Wiper/Destructive | Audit RBAC, implement immutable backups |
| Mazda Employee Data Breach | MEDIUM | Data Breach | Review incident response timelines |
| Handala/Iran Telegram Malware | MEDIUM | Nation-State | Restrict Telegram, monitor for C2 |
| IRS Phishing / RMM Malware | MEDIUM | Phishing | Block unauthorized RMM tools |
L'attaque supply-chain de Trivy prouve que même vos outils de sécurité peuvent être compromis. KENSAI analyse vos applications, dépendances et infrastructure.
Lancez votre scan gratuit →Publié par l'équipe KENSAI Threat Intelligence
Briefing Sécurité Quotidien — 24 mars 2026
Lire plus de briefings →
🛡️ Votre site web est-il sécurisé ?
Découvrez les vulnérabilités avant les attaquants.
Scannez votre site gratuitement →