Daily Security Research
2026-03-22 · Saturday March 21 → Sunday March 22 · Auto-generated at 04:00 CET
⚡ TL;DR — What Matters Today
- Trivy supply chain attack evolves — new self-propagating "CanisterWorm" hits 47 npm packages using blockchain-based C2
- Oracle emergency patch — CVE-2026-21992 (CVSS 9.8) allows unauthenticated RCE in Identity Manager
- FBI warns of Russian Signal/WhatsApp phishing — thousands of accounts already compromised
- DoJ takes down record-breaking DDoS botnets — 3M+ devices, 31.4 Tbps attacks disrupted
- CISA deadline TODAY — max-severity Cisco FMC flaw CVE-2026-20131 must be patched by March 22
- Langflow RCE exploited within 20 hours — CVE-2026-33017 (CVSS 9.3) actively targeted
- Navia breach hits 2.7M people — personal and health plan data stolen
Trivy Scanner Compromised — CanisterWorm Spreads to 47 npm Packages
supply chain criticalThe Trivy vulnerability scanner by Aqua Security was compromised a second time in a month. Threat group TeamPCP hijacked 75 GitHub Action tags across aquasecurity/trivy-action and aquasecurity/setup-trivy, injecting credential-stealing malware into CI/CD pipelines. A follow-on attack deployed CanisterWorm, a self-propagating worm that infected 47 npm packages across @EmilGroup, @opengov, and other scopes. The worm uses Internet Computer Protocol (ICP) blockchain canisters as dead-drop C2 resolvers — the first documented case of this technique — making takedown extremely difficult. Persistence via systemd services masquerading as PostgreSQL tooling.
Sources: The Hacker News · BleepingComputer
Magento PolyShell — Unauthenticated Upload & RCE via REST API
criticalSansec discovered a critical flaw in Magento's REST API allowing unauthenticated attackers to upload arbitrary executables disguised as images, achieving remote code execution and account takeover. Dubbed PolyShell, the attack exploits image file handling. No public exploitation observed yet, but thousands of Magento sites are already under a separate ongoing defacement campaign that started February 27.
Sources: The Hacker News · SecurityWeek
CVE-2026-21992 — Oracle Identity Manager Unauthenticated RCE
critical CVSS 9.8Oracle issued an out-of-band emergency patch for a critical unauthenticated remote code execution vulnerability in Identity Manager and Web Services Manager. No authentication required for exploitation. Oracle urged immediate patching.
Source: The Hacker News
CVE-2026-20131 — Cisco Secure Firewall Management Center (Max Severity)
critical CVSS 10.0CISA ordered all federal agencies to patch this max-severity Cisco FMC vulnerability by today, March 22. Details indicate it could allow complete system compromise. Added to CISA's Known Exploited Vulnerabilities catalog.
Source: BleepingComputer
CVE-2026-33017 — Langflow Unauthenticated RCE (Exploited in 20 Hours)
critical CVSS 9.3Critical missing-authentication + code injection flaw in Langflow (popular AI workflow builder). Threat actors weaponized the vulnerability within 20 hours of public disclosure via the POST /api/v1 endpoint. Highlights the shrinking window for patch deployment.
Source: The Hacker News
CISA Adds Apple, Craft CMS, Laravel Livewire to KEV Catalog
actively exploitedFive additional vulnerabilities added to CISA's KEV catalog with a patch deadline of April 3, 2026. Includes CVE-2025-31277 (Apple, CVSS 8.8) plus flaws in Craft CMS and Laravel Livewire. All confirmed under active exploitation.
Source: The Hacker News
CVE-2025-32975 — Quest KACE Exploitation in Education Sector
criticalCritical vulnerability in Quest KACE systems management appliance potentially exploited against education sector targets. Organizations using Quest KACE should patch immediately.
Source: SecurityWeek
FBI/CISA: Russian Intelligence Targeting Signal & WhatsApp at Scale
nation-state high impactThe FBI and CISA issued a joint public service announcement warning that Russian Intelligence Services are running mass phishing campaigns against Signal and WhatsApp users. Targets include current/former U.S. government officials, military personnel, political figures, and journalists. Thousands of accounts already compromised. After gaining access, actors view messages, steal contacts, impersonate victims, and chain further phishing from trusted identities. FBI Director Kash Patel confirmed the campaign on X.
Sources: The Hacker News · BleepingComputer
US Confirms Handala Linked to Iranian Government
nation-stateThe U.S. government has seized several domains used by Handala, confirming its link to the Iranian government. The group conducted cyber-enabled psychological operations. Domains taken down in a coordinated effort.
Source: SecurityWeek
3 Men Charged for Smuggling AI Hardware to China
export controlsThree individuals charged with violating U.S. export control laws by scheming to divert massive quantities of high-performance AI servers assembled in the United States to China.
Source: SecurityWeek
DoJ Disrupts 3M-Device IoT Botnets — Record 31.4 Tbps DDoS
criticalThe U.S. DoJ, along with Canadian and German authorities, disrupted C2 infrastructure for AISURU, Kimwolf, JackSkid, and Mossad botnets — collectively controlling over 3 million infected IoT devices (DVRs, smart TVs, set-top boxes). These botnets launched record-breaking DDoS attacks reaching 31.4 Tbps. A massive private-sector coalition assisted (Akamai, AWS, Cloudflare, Google, Oracle, PayPal, and more). Suspects include a 23-year-old in Canada and a 15-year-old in Germany. No arrests announced.
Source: The Hacker News
Navia Data Breach — 2.7 Million Affected
large-scaleBetween late December 2025 and mid-January 2026, hackers stole personal and health plan information from Navia's environment, impacting 2.7 million individuals. Healthcare and benefits data compromised.
Source: SecurityWeek
Thousands of Magento Sites Under Ongoing Defacement Campaign
web attacksA mass defacement campaign started February 27 has hit thousands of Magento-based e-commerce sites, targeting global brands and even government services. Combined with the new PolyShell vulnerability, Magento operators face a serious threat landscape.
Source: SecurityWeek
Microsoft Azure Monitor Alerts Abused for Callback Phishing
phishingAttackers are abusing Microsoft Azure Monitor alerts to send callback phishing emails impersonating the Microsoft Security Team. The emails warn of unauthorized charges, luring victims into calling attacker-controlled phone numbers.
Source: BleepingComputer
Google Android "Advanced Flow" — 24h Sideloading Cooldown
androidGoogle announced a new sideloading mechanism for Android: apps from unverified developers now require a 24-hour mandatory wait period before installation. Part of their developer verification mandate to reduce malware and scam app distribution.
Source: The Hacker News
Operation Alice — 373,000 Dark Web Sites Taken Down
law enforcementInternational law enforcement operation shut down over 373,000 dark web sites offering fake illegal material packages.
Source: BleepingComputer
UK Toughens Cyber Incident Reporting Requirements
regulationThe UK is tightening cyber incident reporting obligations for organizations, joining the EU's NIS2 trend of stricter breach disclosure requirements.
Source: SecurityWeek
Oasis Security — $120M for Agentic Access Management
R&D expansion for AI framework access management and go-to-market scaling.
Cape — $100M for Cellular Security
Privacy-focused MVNO for consumers, enterprises, and governments.
Eclypsium — $25M for Device Supply Chain Security
Expanding firmware and supply chain security platform capabilities.
1stProtect — $20M (Stealth Exit) for Endpoint Security
Behavioral monitoring and user intent verification to stop attacks in real time.
Allure Security — $17M for Online Brand Protection
Digital brand protection platform expansion.
Key Trends This Week
1. Supply chain attacks accelerating: Trivy/CanisterWorm shows attackers chaining supply chain compromises — one breach leads to self-propagating worms across entire ecosystems. Blockchain-based C2 (ICP canisters) makes takedown nearly impossible.
2. Time-to-exploit collapsing: Langflow CVE-2026-33017 was exploited within 20 hours of disclosure. The patch window is effectively zero for internet-facing services.
3. AI-enabled phishing sophistication rising: Behavioral analytics becoming essential as AI generates personalized phishing that bypasses legacy detection. Browser-based AITM attacks and ClickFix techniques driving major breaches.
4. Nation-state messaging app targeting: Russian intelligence services running industrial-scale campaigns against encrypted messaging (Signal, WhatsApp). Trust chains exploited — compromised accounts used to phish contacts.
5. IoT botnet scale reaching infrastructure levels: 31.4 Tbps DDoS capacity from compromised consumer devices. Even after takedowns, the infected device population persists.
6. Regulatory tightening continues: UK joins NIS2-style reporting mandates. Compliance burden increases for EU/UK organizations.
What This Means for KENSAI Customers
Supply chain monitoring: The Trivy/npm compromise reinforces why continuous dependency scanning matters. KENSAI's SBOM analysis and dependency checks catch exactly these patterns.
Patch management urgency: With CVE exploitation windows shrinking to hours (Langflow) and CISA mandating same-day patches (Cisco), automated vulnerability scanning is no longer optional — it's survival.
NIS2 reporting: UK's tightened reporting rules mirror NIS2 Article 23. DACH organizations face the same obligations. KENSAI's compliance reporting capabilities directly address this need.
Messaging security: The Russian Signal/WhatsApp campaign is a wake-up call for any organization relying on consumer messaging for sensitive communications.