RSA Conference is in full swing in San Francisco this week — booths, buzzwords, and billion-dollar pitches as far as the eye can see. Meanwhile, out in the real world, threat actors didn't get the memo. Iran-linked hackers are using Telegram to hunt down dissidents and journalists, while TeamPCP's supply chain worm is deploying Kubernetes wipers that specifically target Iranian clusters. Two sides of the same geopolitical coin, playing out in parallel — and neither one is buying a vendor badge.

Let’s now dive into this week’s top insights! 🚀

🔓 BREACHES & SECURITY INCIDENTS

🪱 A supply-chain attack on Trivy pushed trojanized Docker images that stole credentials and spread an infostealer. Attackers (TeamPCP) used the stolen data to infect npm packages with a self-propagating worm and to deface Aqua Security repos. They also deployed a Kubernetes wiper that targets Iranian clusters and urged organizations to avoid the compromised Trivy versions.

🇮🇷 🇺🇸 😵‍💫 Iran-linked hacking group Handala says it breached FBI director Kash Patel’s personal Gmail and posted photos and files. TechCrunch verified some leaked emails as authentic and Reuters says the Justice Department confirmed the breach. Handala has ramped up attacks since the U.S.-Israeli war with Iran, and U.S. prosecutors accuse Iran’s intelligence ministry of running the group.

🇪🇺 The European Commission is investigating a breach after a threat actor accessed its Amazon cloud infrastructure. The attacker claims to have stolen over 350 GB of data and shared screenshots as proof. The Commission's cybersecurity team detected the intrusion and is investigating while the attacker says they will later leak the data.

🇪🇸 🚢 A ransomware attack hit Spain’s Port of Vigo, forcing officials to disconnect parts of the network. Cargo moves continue, but many tasks are being done manually with paper. An investigation is underway and the port won’t reconnect systems until they are declared safe.

🇸🇪 🇬🇧 The Lapsus$ extortion group claims it hacked AstraZeneca and stole about 3GB of internal data. Stolen files allegedly include code, cloud infrastructure details, credentials, and employee info. AstraZeneca has not confirmed the breach and researchers say links to a recent supply-chain attack are unproven.

🇺🇸 HackerOne says 287 of its employees had personal data stolen after a hack of benefits administrator Navia. Exposed details include names, Social Security numbers, addresses, dates of birth, and plan enrollment information. Affected workers are being offered 12 months of identity protection and warned to watch for phishing.

🇺🇸 Healthcare management firm QualDerm Partners says a December 2025 data breach exposed personal, medical, and insurance information for about 3.1 million people. The attackers accessed the network for two days and stole names, contact details, medical records, diagnoses, insurance data, and in some cases IDs. QualDerm is investigating, notified authorities, and is offering 12 months of free identity and credit monitoring to affected people.

🇳🇱 🚓 Dutch National Police say a phishing attack led to a security breach with limited impact. Investigators quickly blocked the attackers and report no citizen or investigative data was accessed. A criminal probe is ongoing and authorities are tightening security measures.

🇳🇱 The Dutch Ministry of Finance said some of its systems were breached in a cyberattack detected on March 19. Access to the affected systems has been blocked and the investigation is ongoing. Tax, customs, and benefits systems were not impacted and no data loss or attacker identity has been disclosed.

🗾 Mazda said a security breach last December exposed 692 records of employee and business partner data from a warehouse management system tied to parts from Thailand. The leaked fields include names, user IDs, emails, company names, and partner IDs, though no customer data was involved. Mazda notified authorities, tightened its IT security, and found no confirmed misuse so far.

🇸🇬 Trio-Tech said a Singapore subsidiary suffered a ransomware attack on March 11 that encrypted some files. The subsidiary took systems offline, hired cybersecurity experts, notified law enforcement, and is investigating the impact. Stolen data was posted by a ransomware group, and the company now considers the incident possibly material.

🥷🏻 CYBERCRIME, CYBER ESPIONAGE, APT’s

🇷🇺 Russian police arrested the suspected administrator of LeakBase, a large marketplace for stolen personal and financial data. Authorities seized equipment and said the site held hundreds of millions of credentials and over 147,000 registered users. U.S. and Russian reports tied the forum to a threat actor known as Chucky and said the site was dismantled in a recent takedown.

🇷🇺 🇺🇸 A Russian man, Ilya Angelov, was sentenced to two years for running a phishing botnet used in BitPaymer ransomware attacks. The botnet infected thousands of computers and helped affiliates extort over $14 million from more than 70 U.S. companies. The group sold access to infected machines to other cybercriminals and partnered with multiple ransomware gangs.

🇷🇺 🇺🇸 Aleksei Volkov, a 26-year-old Russian, was sentenced to 6.75 years in the U.S. for helping ransomware groups cause over $9 million in real losses. He sold access to company networks that attackers used to encrypt data and demand cryptocurrency ransoms. Volkov must pay full restitution and forfeit the tools used in the crimes.

🆙 Tycoon 2FA, a subscription phishing service that bypasses MFA, remains fully operational despite a recent international takedown. The disruption briefly cut activity but attacks and cloud compromises soon returned to previous levels. Law enforcement seized domains and pursued operators, but CrowdStrike says the platform’s tactics and reach continue.

🗓️ {Cyber,Info}Sec Events — A community-maintained list of infosec conferences worldwide. Subscribe to the ICS calendar feed to get events straight into your calendar, or follow @[email protected] on Mastodon for weekly digests. Contributions and ⭐ welcome!

👨🏻‍⚖️ 👀 GOVERNMENT, POLITICS, AND PRIVACY

🤷‍♂ 🇺🇸 Four former NSA and U.S. Cyber Command leaders warned that the U.S. is losing its offensive edge in cybersecurity. They said rising AI threats, China, and cybercrime outpace government and industry response. They urged stronger public-private cooperation and bolder policy action.

🇬🇧 🇨🇳 The UK has sanctioned Xinbi, a Chinese-language marketplace that sells stolen data and crypto services to Southeast Asian scam centers. Xinbi is linked to laundering billions and to North Korean thefts, according to Chainalysis. The sanctions also target Cambodia's #8 Park scam compound and aim to cut Xinbi off from legitimate crypto channels.

🇬🇷 Intellexa founder Tal Dilian, convicted in Greece for mass phone hacking, says he will appeal and denies being a "scapegoat." He hinted the Greek government may have authorized the hacks that targeted ministers, journalists, and others. The spyware Predator, sold mainly to governments, led to U.S. sanctions after being used against officials and journalists.

🇺🇸 🔋 The U.S. Department of Energy’s CESER released a 5-year plan (2026–2030) to protect the nation’s energy systems. It focuses on three goals: build advanced security technologies, harden critical energy infrastructure, and improve response and recovery. Programs like AI-FORTS and Project Armor aim to stop AI-enabled attacks and strengthen resilience.

🇮🇱 🇮🇷 Israel used hacked Iranian street cameras and AI to locate and help kill Iran’s supreme leader. Poorly secured cameras worldwide can be hijacked and turned into real-time targeting tools. Experts warn mass surveillance meant to control dissent can make leaders and civilians more vulnerable.

🇷🇺 Russian authorities have blocked the paywall-bypass site Archive.today and some of its domains, showing Roskomnadzor error pages. The agency confirmed access to at least one Archive.is page was limited but gave no reason. The extent of the block is unclear, and Archive.today and Roskomnadzor did not comment.

🇺🇸 The FCC has banned the sale of new consumer routers made outside the USA by adding them to its Covered List. The move follows a national security finding that foreign-made routers pose severe supply-chain and cybersecurity risks. Existing routers can still be sold, but future models may be harder to buy and cost more unless makers get special approval.

🇺🇸 🗳 A California sheriff seized 650,000 Riverside County ballots claiming an election-fraud probe. State officials and experts say the claims are weak and the sheriff lacked authority. They warn the seizure risks breaking ballot security and undermining trust in elections.

🤔 An anonymous post accuses compliance startup Delve of giving customers fake audit evidence and claiming compliance they didn’t earn. Delve denies the claims, saying it only provides templates and access for independent auditors. The dispute raises possible legal and security risks and promises more allegations to come.

🦠 MALWARE & THREATS

🍎 📲 Kaspersky found that the Coruna iOS exploit kit reuses and expands the kernel exploit code from 2023's Operation Triangulation. The kit now targets many iPhones and is being used in mass attacks and watering-hole campaigns. Its modular, updated design lets more attackers reuse it and puts unpatched users at risk.

🇦🇲 🇺🇸 Armenian national Hambardzum Minasyan was extradited to the U.S. for allegedly running parts of the RedLine infostealer, including servers, domains, and payment handling. He faces charges including access device fraud, money laundering, and CFAA violations, with up to 20 years on some counts. RedLine is a popular malware-as-a-service that steals credentials and crypto data and remains active despite international takedown efforts.

🇺🇸 🤑 A malvertising campaign used Google Ads to lure U.S. tax-searchers to fake sites that install rogue ScreenConnect remote access tools. The attackers deploy a crypter and a Huawei-signed audio driver (HWAuidoOs2Ec.sys) as HwAudKiller to disable EDRs and steal credentials. They hide using commercial cloaking services and may be preparing ransomware or selling access.

🇮🇷 The FBI warns Iran-linked hackers are using Telegram to spread malware that targets dissidents, journalists, and others seen as threats to Iran. Attackers fake apps and contacts to trick victims into downloading files that give the hackers control. The malware has led to data theft, leaks, and reputational harm.

🎣 🤑 Microsoft warned of mass tax‑season phishing that stole credentials and installed remote‑management malware on devices. One Feb 10 campaign hit over 29,000 users across 10,000 U.S. organizations by spoofing the IRS and delivering ScreenConnect and other RMM tools. Organizations are urged to enforce 2FA, monitor email/links, and block malicious domains to prevent persistent access.

🔑 VoidStealer is a new info‑stealer that bypasses Chrome’s Application‑Bound Encryption to extract the browser's master key. It uses a debugger trick with hardware breakpoints to read the v20_master_key from Chrome memory during startup. The technique appears based on the open‑source ElevationKatz tool and is the first such method seen in the wild.

🤖 🧰 AI, CRYPTO, TECH & TOOLS

💰 OpenAI launched a public safety bug bounty for AI-specific abuse and safety risks in its products. The program accepts non-security issues like prompt injection, data exfiltration, agentic misuse, and connector vulnerabilities. Researchers can earn up to $7,500 for high-severity, reproducible reports with clear mitigations.

🍎 🔐 Apple says that since launching Lockdown Mode nearly four years ago, it has not seen any successful mercenary spyware hacks on devices with the feature enabled. Independent researchers and organizations have documented attacks but found no confirmed bypasses of Lockdown Mode, and some cases show it blocking spyware. Experts say Lockdown Mode greatly reduces attack surfaces and is recommended for people at high risk.

📆 🔐 Google will finish switching its products to quantum-resistant encryption by 2029. The company sped up its plan because quantum computing progress is faster than expected. Google hopes its aggressive timeline will push other companies to act sooner.

🆕 🔐 Mozilla released Firefox 149 with a built-in VPN that gives signed-in users 50 GB of browser-only traffic per month. The VPN routes browser traffic through a U.S.-based proxy, can be toggled on per site, and will roll out first in the U.S., UK, Germany, and France. Firefox 149 also adds Split View, tighter SafeBrowsing controls, and patches many security flaws.

🆕 🔎 GitHub is adding AI-powered security detections to Code Security to find vulnerabilities in more languages and frameworks beyond what static analysis covers. These AI detections work with CodeQL and show risks and suggested fixes directly in pull requests. Copilot Autofix can then help developers fix issues quickly before code is merged.

🐛 🧠 VULNERABILITIES, RESEARCH, AND THREAT INTELLIGENCE

➝ From the Patching Department:

🔓 📲 A hacker has posted a newer version of the DarkSword iPhone exploit kit on GitHub. The leaked code makes it easy for anyone to hack iPhones and iPads running older iOS versions, likely affecting hundreds of millions of devices. Apple urges users to update their software to stay protected.

🔓 Researchers found eight ways attackers can exploit AWS Bedrock by abusing permissions, logs, agents, flows, knowledge bases, and prompts. A single over‑privileged identity can redirect data, hijack agents, poison prompts, or access corporate systems. Securing Bedrock requires tight permissions, inventory of AI workloads, and mapping attack paths.

💥 🔓 Arctic Wolf found activity suggesting attackers exploited CVE-2025-32975, a critical authentication bypass in unpatched Quest KACE SMA appliances. The flaw can let unauthenticated actors impersonate users and gain full admin control, and Quest patched it in May 2025. Organizations with internet-exposed, unpatched KACE SMAs should apply the patch immediately.

🛰️ ICS, OT & IoT

🤷 🤷 🤷

💬 CONNECT

Follow me on Mastodon for quick daily updates and bite-sized content.

Prefer using an RSS feed? Add Infosec MASHUP to your feed here.

Enjoying our newsletter? Forward it to a colleague—it’s one of the best ways to support us.

Thanks for reading today’s newsletter, and if you're enjoying it and want to support my work, you can buy me a coffee ☕ over at https://www.buymeacoffee.com/0x58

See you next time!

-X.
