Today’s roundup
FBI links Signal phishing attacks to Russian intelligence services
Oracle Patches Critical CVE-2026-21992 Enabling Unauthenticated RCE in Identity Manager
Police take down 373,000 fake CSAM sites in Operation Alice
Trivy Security Scanner GitHub Actions Breached, 75 Tags Hijacked to Steal CI/CD Secrets
CISA Flags Apple, Craft CMS, Laravel Bugs in KEV, Orders Patching by April 3, 2026
Critical Langflow Flaw CVE-2026-33017 Triggers Attacks within 20 Hours of Disclosure
7,500+ Magento sites defaced in global hacking campaign
Cyberattack on a Car Breathalyzer Firm Leaves Drivers Stuck
California city reports ransomware attack as LA transit agency finds ‘unauthorized activity’
FBI takes down leak sites tied to Iran’s Ministry of Intelligence and Security
Summary
The FBI has issued a public service announcement warning that Russian intelligence-linked threat actors are actively targeting users of encrypted messaging apps such as Signal and WhatsApp in phishing campaigns, compromising thousands of accounts. This highlights ongoing nation-state activity focused on communication interception.
Oracle released an out-of-band security update to fix CVE-2026-21992, a critical unauthenticated remote code execution (RCE) vulnerability in its Identity Manager and Web Services Manager. The flaw, with a CVSS score of 9.8, allows for remote exploitation without authentication, necessitating immediate patching.
An international law enforcement initiative, Operation Alice, dismantled over 373,000 dark web sites that offered fake Child Sexual Abuse Material (CSAM) packages. This operation underscores global efforts to combat illicit online content.
The GitHub Actions for Aqua Security's Trivy vulnerability scanner, specifically "aquasecurity/trivy-action" and "aquasecurity/setup-trivy," were compromised for a second time within a month. Attackers hijacked 75 tags to deliver malware designed to steal sensitive CI/CD secrets, indicating a sophisticated supply chain attack.
CISA has added five new security flaws to its Known Exploited Vulnerabilities (KEV) catalog, impacting Apple (CVE-2025-31277), Craft CMS, and Laravel Livewire. Federal agencies are mandated to patch these actively exploited vulnerabilities by April 3, 2026, to secure their systems.
A critical security flaw in Langflow, tracked as CVE-2026-33017 (CVSS 9.3), has come under active exploitation within 20 hours of public disclosure. This vulnerability involves missing authentication combined with code injection, which can lead to remote code execution (RCE).
Over 7,500 Magento sites and 15,000 hostnames have been defaced in a large-scale global hacking campaign active since February 27. Attackers placed plaintext defacement files, impacting e-commerce platforms, global brands, and government services, often through opportunistic exploitation.
A cyberattack on a car breathalyzer firm has disrupted operations, causing significant issues for drivers who rely on these devices for legal compliance. The incident highlights the growing impact of cyberattacks on critical support services and individuals.
Foster City, California, has reported a ransomware attack that may have led to the compromise of public information, prompting residents to update personal passwords. Concurrently, the Los Angeles transit agency, LA Metro, disclosed detecting unauthorized activity within its systems.
The FBI has successfully taken down leak sites and associated infrastructure directly linked to Iran’s Ministry of Intelligence and Security (MOIS), which has operated under various aliases including "Handala." This action targets ongoing digital campaigns by the nation-state actor.