Security Research
⚡ TL;DR — What Matters Today
- Trivy supply chain attack escalates: CanisterWorm self-propagating malware now infects 47+ npm packages via compromised GitHub Actions
- Oracle emergency patch: CVE-2026-21992 (CVSS 9.8) — unauthenticated RCE in Identity Manager, patch immediately
- DoJ takes down record DDoS botnets: 3M+ devices across 4 IoT botnets disrupted (31.4 Tbps peak attacks)
- FBI warns on Russian Signal/WhatsApp phishing: Thousands of accounts already compromised targeting gov/military
- Langflow CVE-2026-33017 exploited within 20 hours: CVSS 9.3 unauthenticated RCE in the AI pipeline tool
- Navia breach exposes 2.7M records: Personal and health plan data stolen between Dec 2025 – Jan 2026
Trivy Scanner Compromise Spawns CanisterWorm — 47 npm Packages Infected
CriticalThe Trivy vulnerability scanner supply chain attack by threat group TeamPCP has escalated dramatically. The attackers compromised GitHub Actions aquasecurity/trivy-action and aquasecurity/setup-trivy, hijacking 75 tags to steal CI/CD secrets. A follow-on attack deployed CanisterWorm, a self-propagating worm using ICP canisters (tamperproof smart contracts) that has now spread to 47 npm packages, making it extremely difficult to contain.
VoidStealer Bypasses Chrome Application-Bound Encryption via Debugger Trick
HighA new info-stealer called VoidStealer uses a novel technique to bypass Chrome's Application-Bound Encryption (ABE) and extract the browser master key. This enables decryption of all stored passwords, cookies, and sensitive data. The debugger-based approach represents an evolution in credential theft techniques that bypasses Chrome's latest protections.
CVE-2026-21992 — Oracle Identity Manager Unauthenticated RCE (CVSS 9.8)
CriticalOracle issued an out-of-band emergency patch for a critical unauthenticated remote code execution vulnerability in Identity Manager and Web Services Manager. The flaw requires no authentication and is remotely exploitable. Organizations running Oracle Identity Manager should patch immediately — this is an emergency release outside the regular quarterly cycle.
CVE-2026-33017 — Langflow Unauthenticated RCE Exploited Within 20 Hours
CriticalA critical vulnerability in Langflow (CVSS 9.3), the popular AI pipeline tool, was exploited in the wild within just 20 hours of public disclosure. The flaw combines missing authentication with code injection to achieve remote code execution via the POST /api/v1 endpoint. Active exploitation confirmed — patch or take offline immediately.
CVE-2026-20131 — Cisco Secure Firewall Management Center (Max Severity)
CriticalCISA ordered federal agencies to patch a maximum-severity vulnerability in Cisco Secure Firewall Management Center (FMC) by March 22. This has been added to the KEV catalog, indicating confirmed exploitation. Organizations running Cisco FMC should verify patching immediately.
CISA Adds Apple, Craft CMS, Laravel Livewire Flaws to KEV
HighCISA added five actively exploited vulnerabilities to the Known Exploited Vulnerabilities catalog: CVE-2025-31277 (Apple, CVSS 8.8) and flaws in Craft CMS and Laravel Livewire. Federal agencies must patch by April 3, 2026. These are confirmed under active exploitation.
Magento PolyShell — Unauthenticated RCE via REST API Image Upload
CriticalSansec disclosed "PolyShell," a critical flaw in Magento's REST API allowing unauthenticated attackers to upload arbitrary executables disguised as images, achieving code execution and account takeover. Thousands of Magento sites are already under attack in an ongoing defacement campaign targeting e-commerce platforms and global brands since Feb 27.
Quest KACE Vulnerability Exploited Against Education Sector
HighA critical vulnerability in Quest KACE (CVE-2025-32975) is potentially being exploited in attacks targeting the education sector. Quest KACE is widely used for systems management and endpoint security in schools and universities.
Navia Data Breach — 2.7 Million Records Stolen
HighBenefits administration company Navia disclosed a breach impacting 2.7 million individuals. Between late December 2025 and mid-January 2026, hackers exfiltrated personal information and health plan data. This is one of the largest healthcare-adjacent breaches reported in Q1 2026.
FBI: Russian Intelligence Targeting Signal & WhatsApp in Mass Phishing Campaign
HighThe FBI and CISA issued a joint warning that Russian intelligence-linked threat actors are conducting phishing campaigns against Signal and WhatsApp users. Targets include current/former US government officials, military personnel, political figures, and journalists. Thousands of accounts have already been compromised. Attackers gain full message/contact access and use compromised accounts for further phishing from trusted identities.
Azure Monitor Alerts Abused for Callback Phishing
MediumMicrosoft Azure Monitor alerts are being weaponized to send legitimate-looking callback phishing emails impersonating the Microsoft Security Team. The emails warn about "unauthorized charges" and use the trust of Azure infrastructure to bypass email security filters.
US Confirms Handala Link to Iranian Government, Seizes Domains
MediumThe US has officially confirmed that the Handala hacking group operates on behalf of the Iranian government and has seized several domains used in their cyber-enabled psychological operations.
3 Men Charged With Smuggling AI Hardware to China
IntelThree individuals have been charged with violating US export control laws by scheming to divert massive quantities of high-performance AI servers from the US to China, highlighting ongoing tensions around AI technology transfers.
DoJ Disrupts 4 IoT Botnets — 3 Million Devices, Record 31.4 Tbps DDoS
IntelThe US DoJ, with Canada and Germany, disrupted C2 infrastructure for the AISURU, Kimwolf, JackSkid, and Mossad botnets. These botnets had enslaved 3M+ IoT devices (DVRs, cameras, routers, smart TVs) and launched record-breaking DDoS attacks reaching 31.4 Tbps. Private sector partners included Akamai, AWS, Cloudflare, Google, and others. The Kimwolf botmaster is linked to a 23-year-old in Ottawa; a 15-year-old in Germany is also suspected. No arrests announced yet.
Operation Alice — 373,000 Dark Web Sites Taken Down
IntelInternational law enforcement operation "Operation Alice" shut down over 373,000 dark web sites. This represents one of the largest coordinated takedowns of illicit dark web infrastructure to date.
Security Startups Raise $282M+ This Week
IntelMajor security funding rounds this week:
- Oasis Security — $120M for agentic access management
- Cape — $100M for cellular security / privacy-focused MVNO
- Eclypsium — $25M for device supply chain security
- 1stProtect — $20M (stealth) for endpoint behavior monitoring
- Allure Security — $17M for online brand protection
Key Trends This Week
Analysis1. Supply Chain Attacks Accelerating: The Trivy compromise + CanisterWorm represents a new paradigm — self-propagating worms in package ecosystems using blockchain-based C2. CI/CD pipelines are now a primary attack surface.
2. Time-to-Exploit Collapsing: Langflow CVE-2026-33017 was weaponized within 20 hours of disclosure. Defenders have less than a day to react to critical disclosures — automated patching is no longer optional.
3. AI Tool Attack Surface Expanding: Both Langflow (AI pipeline tool) and the AI hardware smuggling charges highlight that AI infrastructure is now a primary target — both the tools and the hardware.
4. Nation-State Messaging App Targeting: Russian intelligence mass-targeting Signal/WhatsApp signals a shift from targeting email to targeting encrypted messaging apps, undermining the "just use Signal" security advice.
5. Agentic Security Emerging: Oasis Security's $120M raise for "agentic access management" and the broader trend toward AI-driven security tools reflects the industry betting heavily on autonomous defense capabilities.
Opportunities for KENSAI This Week
- Magento PolyShell: Thousands of e-commerce sites affected → KENSAI can detect this via DAST scanning. Content opportunity for DACH e-commerce market.
- Supply chain attacks: Trivy/CanisterWorm validates KENSAI's SBOM/dependency scanning value prop. NIS2 requires supply chain risk management.
- 20-hour exploit window: Perfect talking point for KENSAI's continuous scanning pitch — "Can your security team patch in 20 hours?"
- Oasis $120M raise: Validates market appetite for autonomous security tools — KENSAI's autonomous pentest positioning is on-trend.
- Oracle/Cisco critical patches: Highlight in NIS2 compliance content — mandatory patching requirements under the directive.