🛡️ Daily Security Intelligence
2026-03-16 · Monday · compiled at 04:00 CET
💥 Data Breaches & Incidents
Loblaw Data Breach Exposes Customer Information
Canadian retail giant Loblaw confirmed a data breach exposing customer names, email addresses, and phone numbers. Attackers accessed personal information through compromised systems. Loblaw is one of Canada's largest retailers, making this a significant consumer data exposure.
Starbucks Employee Data Breach via Phishing
Starbucks disclosed a data breach affecting employee information, stemming from phishing attacks targeting an internal employee portal. Hundreds of employees impacted. Demonstrates continued effectiveness of targeted phishing against corporate HR systems.
AppsFlyer Web SDK Hijacked for Crypto Theft
The AppsFlyer Web SDK was temporarily hijacked with malicious JavaScript code designed to steal cryptocurrency — a supply-chain attack targeting downstream websites that embed the SDK. The malicious payload was active before being detected and removed.
🔴 Critical Vulnerabilities & Zero-Days
Chrome 146: Two Actively Exploited Zero-Days Patched
Google released Chrome 146 update patching two zero-day vulnerabilities affecting Skia (graphics) and V8 (JavaScript engine) that were actively exploited in the wild. The flaws allow data manipulation, security restriction bypass, and potentially remote code execution. Immediate update required.
HPE AOS-CX: Unauthenticated Admin Password Reset
Critical vulnerability in HPE Aruba AOS-CX network switches allows remote, unauthenticated attackers to reset administrator passwords, completely bypassing authentication controls. Any organization running HPE AOS-CX switches should patch immediately.
Windows 11 RRAS RCE — Out-of-Band Hotpatch Released
Microsoft issued an emergency out-of-band update for Windows 11 Enterprise devices using hotpatch updates to fix a Remote Code Execution vulnerability in the Routing and Remote Access Service (RRAS). This bypassed the normal Patch Tuesday cycle due to severity.
Apple Patches Coruna Exploits in Legacy iOS
Apple released iOS/iPadOS 16.7.15 and 15.8.7 to patch vulnerabilities known as "Coruna exploits" — linked to a US defense contractor. These affect legacy devices still in wide use, particularly in enterprise and government contexts.
🎯 Active Threat Campaigns
Chinese APT CL-STA-1087 Targets SE Asian Militaries
Palo Alto Unit 42 exposed a Chinese state-backed campaign (CL-STA-1087) targeting Southeast Asian military organizations since 2020 using custom malware families "AppleChris" and "MemFun." The operation focused on stealing classified military documents about Western collaboration and organizational structures — not bulk data theft.
Iran-Linked Hackers Hit Stryker, Disrupt Manufacturing
An Iran-linked threat actor attacked medical device manufacturer Stryker, disrupting manufacturing and shipping operations. Notably, the attackers used existing endpoint management software (not traditional malware) to wipe devices — a sophisticated living-off-the-land technique.
Pro-Iranian Hackers Expanding Targets to US Infrastructure
Iran-linked hackers are broadening their scope from Middle Eastern targets to US critical infrastructure, including defense contractors, power stations, and water treatment plants. The escalation coincides with ongoing regional conflict.
Storm-2561: Trojan VPN Clients via SEO Poisoning
Microsoft disclosed the Storm-2561 campaign distributing trojanized VPN clients through SEO poisoning. Users searching for legitimate enterprise VPN software are redirected to malicious downloads containing digitally signed trojans that steal credentials.
GlassWorm: 72 Malicious VS Code Extensions in Open VSX
A new iteration of the GlassWorm campaign abuses extensionPack and extensionDependencies in the Open VSX registry to create transitive infection chains through 72 seemingly legitimate VS Code extensions. Developers are the primary targets — a growing attack vector against the software supply chain.
⚖️ Law Enforcement Operations
INTERPOL: 45,000 Malicious IPs Seized, 94 Arrested
INTERPOL coordinated a massive takedown across 72 countries, dismantling 45,000 malicious IP addresses and servers used for phishing, malware, and ransomware. 94 arrests made, 110 more under investigation. Bangladesh alone arrested 40 suspects. 212 devices and servers seized.
SocksEscort Proxy Botnet Dismantled — 369K IPs
US and European authorities disrupted SocksEscort, a criminal proxy service that enslaved 369,000 residential routers across 163 countries using the AVrecon botnet since 2020. The service sold access to infected home routers for fraud operations, with ~8,000 actively compromised devices as of February 2026.
🛠️ Security Tools & Industry
Betterleaks: New Secrets Scanner to Replace Gitleaks
A new open-source tool called Betterleaks scans directories, files, and git repositories to identify valid secrets using customizable rules. Positioned as a modern replacement for the popular Gitleaks scanner.
Bold Security: $40M for AI-Powered Device Protection
Bold Security emerged from stealth with $40M in funding. The startup uses AI to turn devices into active security agents that understand user behavior and provide real-time protection. Signals strong investor appetite for AI-driven endpoint security.
Onyx Security: $40M for Autonomous AI Agent Oversight
Onyx Security launched with $40M to build a control plane for overseeing autonomous AI agents in enterprise environments. Two $40M rounds in one week targeting AI security — confirms the market KENSAI is positioning in.
Google Paid $17M in Bug Bounties in 2025
Google disclosed it paid over $17 million in bug bounty rewards in 2025, including $3.7M for Chrome vulnerabilities and $3.5M for cloud security defects. Demonstrates the scale of vulnerability discovery in major platforms.
Meta Killing Instagram E2E Encrypted Chat — May 2026
Meta announced it will discontinue end-to-end encryption for Instagram DMs after May 8, 2026. Users will need to download their encrypted messages before the cutoff. A significant privacy regression affecting millions of users.