← Back to Blog
Security Briefing 12 min read 24 de março de 2026

Ataque à cadeia de suprimentos do Trivy se espalha para Docker e GitHub, Tycoon2FA ressurge, Crunchyroll investiga vazamento de 6,8M de usuários

O ataque à cadeia de suprimentos do scanner de vulnerabilidades Trivy se expandiu para imagens Docker e repositórios GitHub. A plataforma Tycoon2FA voltou à atividade total semanas após a interrupção da Europol. Crunchyroll investiga um vazamento que pode afetar 6,8 milhões de usuários.


1. Trivy Supply-Chain Attack Expands to Docker Images and GitHub Repos

⚠️ CRITICAL — Open-Source Security Tool Backdoored, Attack Surface Growing

The TeamPCP hackers who initially backdoored the popular open-source Trivy vulnerability scanner have expanded their attack, pushing malicious Docker images and hijacking Aqua Security's GitHub organization to tamper with dozens of repositories.

This is one of the most significant supply-chain attacks of 2026 so far. Trivy, maintained by Aqua Security, is one of the most widely used open-source vulnerability scanners in the world — integrated into thousands of CI/CD pipelines, Kubernetes deployments, and DevSecOps workflows. Compromising Trivy means compromising the security tool that organizations rely on to find vulnerabilities.

The TeamPCP hackers have now expanded the attack in two critical ways:

Why This Is Devastating

Organizations using Trivy trusted it to improve their security posture. Instead, compromised versions actively undermine it — sending vulnerability data to attackers (essentially giving them a roadmap of exploitable weaknesses) while providing organizations with false assurance that their systems have been scanned. This is the security tool supply-chain nightmare scenario.

Immediate Actions


2. Tycoon2FA Phishing Platform Returns After Europol Disruption

⚠️ CRITICAL — MFA-Bypassing Phishing-as-a-Service Platform Back at Full Strength

The Tycoon2FA phishing-as-a-service (PhaaS) platform, which Europol and partners disrupted on March 4, has already returned to previously observed activity levels — just three weeks after the takedown.

Tycoon2FA is one of the most dangerous phishing platforms in operation because it specifically targets and bypasses multi-factor authentication (MFA). Using adversary-in-the-middle (AiTM) proxy techniques, Tycoon2FA intercepts both the user's credentials and their MFA tokens in real-time, giving attackers full access to accounts protected by SMS, TOTP, or push-based MFA.

The platform's rapid recovery after the Europol disruption on March 4 demonstrates the resilience of modern cybercrime infrastructure. Key observations:

NIS2 Relevance

For organizations subject to NIS2, the Tycoon2FA resurgence highlights a critical gap: standard MFA is no longer sufficient as a standalone control. NIS2 Article 21(2)(j) requires multi-factor authentication, but the regulation doesn't specify the type. Organizations should proactively move to phishing-resistant MFA (FIDO2/WebAuthn) before auditors and regulators start making this distinction.

Immediate Actions


3. Crunchyroll Investigates Breach Affecting 6.8 Million Users

🔶 HIGH — Major Streaming Platform Data Breach Under Investigation

Anime streaming platform Crunchyroll is investigating a security incident after a threat actor claimed to have stolen personal information for approximately 6.8 million users.

Crunchyroll, owned by Sony, is one of the world's largest anime streaming platforms. A threat actor has posted claims of having exfiltrated user data including email addresses, usernames, subscription details, viewing history, and potentially hashed passwords. Crunchyroll has confirmed it is investigating the claims but has not yet confirmed the scope or authenticity of the data.

If confirmed, this would be one of the larger entertainment-sector breaches of 2026. The data is particularly valuable for:

Immediate Actions


4. TeamPCP Deploys Iran-Targeted Wiper in Kubernetes Attacks

🔶 HIGH — Destructive Wiper Malware Targeting Kubernetes Clusters

The TeamPCP hacking group is targeting Kubernetes clusters with a malicious script that detects Iranian system configurations and deploys a wiper to destroy all data on affected machines.

In a move that blends hacktivism with infrastructure sabotage, the TeamPCP group — the same actors behind the Trivy supply-chain attack — is deploying destructive wiper malware against Kubernetes clusters configured for Iran. The attack uses a script that checks system locale settings, timezone configurations, and network indicators to determine if a cluster serves Iranian infrastructure.

When Iranian indicators are detected, the script triggers a full wiper sequence:

Kubernetes Security Implications

Regardless of geopolitical targeting, this attack demonstrates critical Kubernetes security gaps that affect all organizations: container escape to host, insufficient RBAC policies allowing cluster-wide destruction, and lack of immutable backup strategies. The EU Cyber Resilience Act (CRA) will require manufacturers of Kubernetes platforms and container tools to address these categories of risk.

Immediate Actions


5. Mazda Discloses Security Breach Exposing Employee and Partner Data

Mazda Motor Corporation has disclosed a security incident detected in December 2025 that exposed information belonging to employees and business partners. While the company has not disclosed the full scope, the breach affects internal corporate data rather than customer-facing systems.

The delayed disclosure — more than three months between detection and public announcement — raises questions about incident reporting timelines. Under NIS2, essential and important entities would be required to submit an early warning within 24 hours and a full incident notification within 72 hours. Automotive manufacturers increasingly fall under NIS2 scope as part of critical supply chains.


6. FBI Warns of Handala Hackers Using Telegram for Malware Distribution

The FBI has issued a warning that Iranian hackers linked to the Ministry of Intelligence and Security (MOIS) are using Telegram as a malware delivery and command-and-control channel. The Handala group, recently officially attributed to the Iranian government, is distributing malware through Telegram channels and using the platform's API for C2 communications.

This is notable because Telegram is widely used for legitimate business communications, particularly in the Middle East, Central Asia, and parts of Europe. The FBI advisory recommends:


7. Microsoft Warns of IRS-Themed Phishing Targeting 29,000 Users

With U.S. tax season approaching, Microsoft has flagged campaigns targeting approximately 29,000 users with IRS-themed phishing emails. The campaigns deploy Remote Monitoring and Management (RMM) malware — legitimate tools repurposed for unauthorized remote access. This is a growing trend: attackers use tools like ConnectWise ScreenConnect, AnyDesk, or similar RMM software to maintain persistent access that blends in with legitimate IT management traffic.


Daily Threat Summary

ThreatSeverityTypeAction Required
Trivy Supply-Chain Attack ExpansionCRITICALSupply ChainStop using Trivy, audit CI/CD pipelines
Tycoon2FA PhaaS ResurgenceCRITICALPhishingDeploy FIDO2/WebAuthn MFA
Crunchyroll 6.8M User BreachHIGHData BreachChange passwords, check reuse
TeamPCP Kubernetes WiperHIGHWiper/DestructiveAudit RBAC, implement immutable backups
Mazda Employee Data BreachMEDIUMData BreachReview incident response timelines
Handala/Iran Telegram MalwareMEDIUMNation-StateRestrict Telegram, monitor for C2
IRS Phishing / RMM MalwareMEDIUMPhishingBlock unauthorized RMM tools

Is Your CI/CD Pipeline Secure?

The Trivy supply-chain attack proves that even your security tools can be compromised. KENSAI scans your applications, dependencies, and infrastructure for vulnerabilities — with integrity you can verify.

Start Your Free Security Scan →

Published by the KENSAI Threat Intelligence Team
Daily Security Briefing — March 24, 2026
Read more briefings →

🛡️ Is your website secure?

Discover vulnerabilities before attackers do.

Scan your website for free →