Featured image of post Cybersecurity Week in Review: March 17–23, 2026
News

Cybersecurity Week in Review: March 17–23, 2026

Cyberattacks, data breaches, zero-days, and global responses—discover the biggest cybersecurity headlines of this week.

By Senthorus SOC

Major Data Breaches

Trivy Vulnerability Scanner Supply Chain Attack

A significant supply chain attack targeted the widely used open-source Trivy vulnerability scanner, maintained by Aqua Security. Attackers leveraged a compromised credential to push trojanized versions of Trivy (versions 0.69.4, 0.69.5, and 0.69.6) to Docker Hub, embedding the TeamPCP infostealer. The malicious images were quickly removed, but not before being downloaded and distributed across developer environments. The attack also led to the compromise of related GitHub Actions and npm packages, with a self-propagating worm dubbed “CanisterWorm” spreading across at least 47 npm packages. This marks the first documented abuse of an ICP canister for command-and-control in a supply chain context. The incident highlights the growing risk of software supply chain attacks and the need for vigilant credential management and artifact verification1.

Key Details:

  • Affected Product: Trivy vulnerability scanner (Docker Hub, GitHub Actions, npm)
  • Malware: TeamPCP infostealer, CanisterWorm
  • Initial Access: Compromised developer credential
  • Impact: Widespread distribution of infostealer and worm across developer environments

Significant Cyberattacks

North Korean Threat Actors Abuse VS Code for Malware Delivery

North Korean threat actors, associated with the “Contagious Interview” (WaterPlum) campaign, have adopted a novel technique to distribute the StoatWaffle malware via malicious Visual Studio Code (VS Code) projects. By manipulating the tasks.json file to use the runOn: folderOpen option, attackers ensure malware is automatically executed when any file in the project is opened. The payload checks for Node.js and downloads further malicious components, demonstrating a cross-platform approach. This campaign, active since December 2025, underscores the evolving tactics of state-backed actors targeting developers1.

Key Details:

  • Attack Vector: Malicious VS Code projects (tasks.json)
  • Malware: StoatWaffle
  • Target: Developers across platforms
  • Discovery: NTT Security, March 2026

Russian Intelligence-Linked Phishing Campaigns Target Messaging Apps

The FBI and CISA issued a joint alert regarding Russian intelligence-affiliated threat actors conducting mass phishing campaigns against commercial messaging applications, including WhatsApp and Signal. The campaign targets individuals of high intelligence value—such as government officials, military personnel, and journalists—seeking to compromise accounts, access sensitive communications, and conduct further phishing from trusted identities. Thousands of accounts have reportedly been compromised globally. The attacks rely on phishing rather than exploiting technical vulnerabilities in the apps themselves1.

Key Details:

  • Targeted Platforms: WhatsApp, Signal
  • Victims: High-profile individuals (government, military, journalists)
  • Attack Method: Phishing for account takeover
  • Response: FBI and CISA joint advisory

Microsoft Warns of IRS-Themed Phishing Campaigns

Microsoft reported a surge in phishing campaigns exploiting the U.S. tax season, with over 29,000 users targeted. The campaigns use IRS-themed lures to harvest credentials and deploy remote monitoring and management (RMM) malware. Both individuals and professionals handling sensitive financial data are at risk, with attackers leveraging Phishing-as-a-Service (PhaaS) platforms to scale operations1.

Key Details:

  • Attack Vector: IRS-themed phishing emails
  • Malware: RMM tools
  • Victims: Individuals, accountants, financial professionals

Critical Vulnerabilities

Quest KACE SMA Authentication Bypass (CVE-2025-32975)

A maximum-severity authentication bypass vulnerability (CVSS 10.0) in Quest KACE Systems Management Appliance (SMA) is being actively exploited. The flaw allows attackers to impersonate legitimate users and seize administrative control, enabling remote command execution and payload delivery. Quest patched the issue in May 2025, but unpatched systems remain at risk. Arctic Wolf observed exploitation activity beginning the week of March 9, 20261.

Technical Details:

  • CVE: CVE-2025-32975
  • CVSS Score: 10.0 (Critical)
  • Affected Product: Quest KACE SMA (unpatched versions)
  • Exploit: Authentication bypass, admin takeover, remote command execution

Oracle Identity Manager Remote Code Execution (CVE-2026-21992)

Oracle released emergency patches for a critical remote code execution vulnerability (CVSS 9.8) in Oracle Identity Manager and Web Services Manager. The flaw is remotely exploitable without authentication and affects versions 12.2.1.4.0 and 14.1.2.1.0. Successful exploitation could allow attackers to fully compromise affected systems. Oracle urges immediate patching1.

Technical Details:

  • CVE: CVE-2026-21992
  • CVSS Score: 9.8 (Critical)
  • Affected Products: Oracle Identity Manager, Web Services Manager (specified versions)
  • Exploit: Unauthenticated remote code execution

Government Responses

CISA Adds Multiple Exploited Vulnerabilities to Catalog

During the week, CISA added several new vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, including those affecting endpoint management systems and widely used enterprise software. CISA also issued an alert urging organizations to harden endpoint management systems following a cyberattack against a U.S. organization. These advisories emphasize the need for rapid patching and enhanced monitoring of exposed systems2.

Key Details:

  • Actions: Addition of new CVEs to KEV catalog, endpoint hardening advisory
  • Focus: Enterprise software, endpoint management, supply chain risk

Miscellaneous

Cloud Security Risks in AWS Bedrock

Research by XM Cyber highlighted eight validated attack vectors within AWS Bedrock, Amazon’s AI application platform. These include log manipulation, knowledge base compromise, agent hijacking, flow injection, guardrail degradation, and prompt poisoning. The findings underscore the complexity and interconnectedness of modern cloud environments, where AI agents can access critical enterprise data and systems1.

Key Details:

  • Platform: AWS Bedrock
  • Risks: Multiple attack vectors, including AI agent hijacking and prompt poisoning
  • Recommendation: Review permissions, monitor agent activity, implement robust guardrails

Conclusion

This week’s cybersecurity landscape was marked by a major supply chain attack on a core open-source tool, the exploitation of critical vulnerabilities in enterprise software, and sophisticated phishing campaigns by state-backed actors. The rapid response from vendors and government agencies highlights the ongoing arms race between defenders and attackers. Organizations are urged to prioritize patching, monitor for supply chain risks, and educate users about evolving phishing tactics.

Sources:

All incidents and vulnerabilities referenced are strictly within the period March 17–23, 2026, and verified from trusted sources.

© 2026 Senthorus Blog