Daily Threat Intelligence
⛓️ Supply Chain Attack — Trivy Scanner Compromised
Trivy Vulnerability Scanner Backdoored — Spreading via Docker & GitHub
The TeamPCP hacking group compromised the widely-used open-source Trivy vulnerability scanner by Aqua Security. Malicious versions (0.69.4–0.69.6) were pushed to Docker Hub containing information-stealer malware. The attack expanded beyond Docker — TeamPCP hijacked Aqua Security's GitHub organization to tamper with dozens of repositories. The last known clean release is 0.69.3. Malicious images have been removed but the blast radius across developer environments remains significant.
This is exactly the type of supply chain compromise that KENSAI's SBOM analysis and dependency scanning can detect. If your CI/CD pulled Trivy images between the compromised window, you need immediate audit. Organizations using KENSAI's continuous monitoring would have been alerted to the unexpected binary changes.
Sources: BleepingComputer, The Hacker News, SecurityWeek — Mar 23
TeamPCP Deploys Iran-Targeted Kubernetes Wiper
The same TeamPCP group behind the Trivy compromise is also targeting Kubernetes clusters with a destructive wiper. The malicious script detects if systems are configured for Iran-based infrastructure and wipes all machines if the condition is met. This represents a significant escalation from data theft to full destructive capability within containerized environments.
Source: BleepingComputer — Mar 23
🔴 Critical Vulnerabilities
CVE-2026-21992 — Oracle Identity Manager RCE (Emergency Patch)
Oracle released an emergency out-of-band patch for CVE-2026-21992, a critical vulnerability in Oracle Identity Manager. The flaw allows unauthenticated remote code execution and may have already been exploited in the wild. Organizations running Oracle Identity Manager should apply the patch immediately — this is pre-auth RCE on an identity management system, making it extremely high-value for attackers.
Source: SecurityWeek — Mar 23
CVE-2025-32975 (CVSS 10.0) — Quest KACE SMA Under Active Attack
A maximum-severity vulnerability in Quest KACE Systems Management Appliance is being actively exploited, particularly targeting the education sector. Arctic Wolf observed exploitation activity starting the week of March 9 on unpatched SMA systems exposed to the internet. Given the CVSS 10.0 score and confirmed exploitation, this demands immediate patching.
Source: The Hacker News, SecurityWeek — Mar 23
DarkSword iOS Exploit Chain — CISA KEV Addition
CISA added three DarkSword vulnerabilities (CVE-2025-31277, CVE-2025-43510, CVE-2025-43520) to its Known Exploited Vulnerabilities catalog. DarkSword is a sophisticated iOS exploit kit chaining 6 vulnerabilities for sandbox escape, privilege escalation, and RCE on iPhones (iOS 18.4–18.7). Linked to Turkish commercial surveillance vendor PARS Defense (UNC6748) and Russian espionage group UNC6353. Three malware families deployed: GhostBlade, GhostKnife, GhostSaber. Federal agencies have until April 3 to patch.
Source: BleepingComputer, CISA — Mar 23
QNAP Patches Four Pwn2Own Vulnerabilities
QNAP patched four vulnerabilities that were demonstrated at Pwn2Own, allowing information disclosure, code execution, and unexpected behavior on NAS devices. Given QNAP's history as a ransomware target, prompt patching is essential.
Source: SecurityWeek — Mar 23
💾 Data Breaches
Crunchyroll Investigates Breach — 6.8M Users Claimed Stolen
The popular anime streaming platform Crunchyroll (owned by Sony) is investigating after hackers claimed to have stolen personal data for approximately 6.8 million users. The breach is under active investigation — scope and authenticity are still being verified.
Source: BleepingComputer — Mar 23
Mazda Discloses Employee & Partner Data Breach
Mazda Motor Corporation confirmed a security incident first detected in December 2025 that exposed employee and business partner data. The disclosure came in March 2026, highlighting the continued gap between detection and public disclosure in the automotive sector.
Source: BleepingComputer — Mar 23
Trio-Tech Semiconductor Subsidiary Hit by Ransomware
Chip services firm Trio-Tech International disclosed that a subsidiary in Singapore was hit by file-encrypting ransomware. The semiconductor supply chain continues to be targeted, with manufacturing and chip services firms facing increasing ransomware pressure.
Source: SecurityWeek — Mar 23
🕵️ State-Sponsored & APT Activity
FBI/CISA: Russian Hackers Mass-Phishing Signal & WhatsApp Users
The FBI and CISA issued a joint warning that Russian Intelligence Services are conducting large-scale phishing campaigns targeting Signal and WhatsApp accounts of high-value individuals — government officials, military personnel, political figures, and journalists. Thousands of accounts have been compromised globally. Once inside, attackers view messages, exfiltrate contacts, and conduct further phishing from trusted identities.
Source: The Hacker News, FBI — Mar 21–23
FBI Warns of Iranian Handala Hackers Using Telegram for Malware
The FBI warned that Iranian hackers linked to the Ministry of Intelligence and Security (MOIS) — known as Handala — are using Telegram to distribute malware. The US has confirmed Handala's link to the Iranian government and seized several domains used in their cyber-enabled psychological operations.
Source: BleepingComputer, SecurityWeek — Mar 23
North Korean Hackers Abuse VS Code for StoatWaffle Malware
The Contagious Interview threat actor (WaterPlum) is distributing StoatWaffle malware through malicious VS Code projects. The attack abuses VS Code's tasks.json auto-run feature — a relatively new tactic adopted since December 2025. This targets developers who open seemingly legitimate VS Code projects, executing malware automatically.
Source: The Hacker News — Mar 23
🎣 Phishing & Social Engineering
Tycoon2FA PhaaS Platform Back to Full Strength After Police Disruption
The Tycoon2FA phishing platform that Europol disrupted on March 4 has already returned to pre-disruption activity levels. Attack volumes and tactics remain unchanged, demonstrating the resilience of cybercriminal infrastructure against law enforcement takedowns. The platform specializes in bypassing two-factor authentication.
Source: BleepingComputer, SecurityWeek — Mar 23
Microsoft: IRS Tax Season Phishing Hits 29,000 Users
Microsoft warned of large-scale phishing campaigns exploiting US tax season urgency. Over 29,000 users targeted with fake IRS refund notices, payroll forms, and filing reminders. Campaigns deploy Remote Monitoring & Management (RMM) malware and leverage PhaaS platforms. Targets include both individuals and tax professionals with access to sensitive financial data.
Source: The Hacker News, Microsoft — Mar 23
📊 Emerging Trends & Research
M-Trends 2026: Initial Access Handoff Drops to 22 Seconds
Mandiant's M-Trends 2026 report, based on 500,000+ hours of incident response, reveals that the time between initial access broker compromise and handoff to ransomware operators has shrunk from hours to just 22 seconds. This dramatically reduces the window for defenders to detect and respond to intrusions before ransomware deployment.
22-second handoff times mean manual SOC triage is no longer viable for initial access detection. Automated, continuous scanning — like KENSAI's approach — becomes the only realistic defense. Organizations without automated response capabilities are essentially defenseless against this speed of attack.
Source: SecurityWeek / Mandiant — Mar 23
Eight Attack Vectors Discovered in AWS Bedrock
XM Cyber's threat research team mapped eight validated attack vectors in AWS Bedrock AI platform: log manipulation, knowledge base compromise, agent hijacking, flow injection, guardrail degradation, and prompt poisoning. As AI agents gain access to enterprise data (Salesforce, Lambda, SharePoint), they become high-value attack surfaces with permissions and reachability to critical assets.
AI infrastructure security is an emerging frontier. As enterprises connect AI agents to production systems, the attack surface expands dramatically. This aligns with KENSAI's positioning in AI security — scanning and securing the infrastructure that powers AI systems.
Source: The Hacker News / XM Cyber — Mar 23
Browser-Based Attacks Bypassing Traditional Security Controls
A new report from Push Security documents how browser-based attacks — AITM phishing, ClickFix, malicious OAuth apps, and session hijacking — are driving today's biggest breaches and evading traditional security controls. The browser is increasingly the primary attack surface.
Source: BleepingComputer / Push Security — Mar 23
💰 Industry & Funding
Cape Raises $100M for Cellular Security
Cape, a privacy-focused mobile virtual network operator (MVNO), raised $100 million for protection against cellular security threats — serving consumers, enterprises, and government customers.
Source: SecurityWeek — Mar 23
Eclypsium Raises $25M for Device Supply Chain Security
Eclypsium secured $25 million to expand its device supply chain security platform and grow channel partnerships. Timely given the Trivy supply chain attack dominating today's news.
Source: SecurityWeek — Mar 23
3 Men Charged for Smuggling AI Hardware to China
Three men were charged with conspiring to violate US export controls by diverting massive quantities of high-performance AI servers assembled in the US to China. Reflects continued geopolitical tension around AI hardware access.
Source: SecurityWeek — Mar 23
📋 Compliance & Regulation
UK Toughens Cyber Reporting Requirements
The UK is strengthening mandatory cyber incident reporting requirements. Along with NIS2 enforcement ramping up across the EU, organizations face an increasingly complex web of reporting obligations. Automated compliance reporting — a KENSAI differentiator — becomes essential.
Source: SecurityWeek — Mar 23