CyberNews: 23/03/2026 Edition

Published by Dunateo on 2026-03-23

Today’s roundup

  • Trivy Hack Spreads Infostealer via Docker, Triggers Worm and Kubernetes Wiper
  • Oracle fixes critical RCE flaw CVE-2026-21992 in Identity Manager
  • U.S. CISA adds Apple, Laravel Livewire and Craft CMS flaws to its Known Exploited Vulnerabilities catalog
  • Russia-linked actors target WhatsApp and Signal in phishing campaign
  • Iran-linked actors use Telegram as C2 in malware attacks on dissidents
  • VoidStealer malware steals Chrome master key via debugger trick
  • International police Operation Alice takes down 373,000 dark web sites exploiting children
  • New KB5085516 emergency update fixes Microsoft account sign-in
  • Microsoft Exchange Online service change causes email access issues
Summary

    Cybersecurity researchers identified a supply chain attack on the Trivy vulnerability scanner distributed via Docker Hub. Malicious versions 0.69.4, 0.69.5, and 0.69.6, since removed from Docker Hub, were spreading an infostealer and triggering a worm and a Kubernetes wiper. The last clean release was 0.69.3.
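    A defender's first question after this item is which hosts or pipelines are running one of the three listed versions. The check below is an added example, not code from the original page or from the Trivy project: it parses version strings out of inventory lines (image tags or `trivy --version` output) and classifies them against the versions the summary names. The `aquasec/trivy` repository name and the host inventory lines are constructed for the example.

```python
"""Flag Trivy versions reported as compromised in this roundup.

Added example, not from the original page or the Trivy project.
Assumes the summary's facts: 0.69.4, 0.69.5 and 0.69.6 are the
malicious versions and 0.69.3 the last clean release. The image
repository name and inventory lines below are constructed.
"""
import re

COMPROMISED = {(0, 69, 4), (0, 69, 5), (0, 69, 6)}
LAST_CLEAN = (0, 69, 3)

# Matches "0.69.5", "v0.69.5", "trivy:0.69.5" or "Version: 0.69.5"
VERSION_RE = re.compile(r"v?(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Return a (major, minor, patch) tuple found in text, or None."""
    m = VERSION_RE.search(text)
    if not m:
        return None
    return tuple(int(x) for x in m.groups())


def classify(text):
    """Classify one inventory line.

    compromised  - one of the three versions named in the roundup
    not_affected - 0.69.3 or older, i.e. before the malicious releases
    unknown      - newer than 0.69.6; not covered by this roundup
    unparsed     - no x.y.z version found (e.g. an unpinned 'latest' tag)
    """
    v = parse_version(text)
    if v is None:
        return "unparsed"
    if v in COMPROMISED:
        return "compromised"
    if v <= LAST_CLEAN:
        return "not_affected"
    return "unknown"


def audit(lines):
    """Map every inventory line to its classification."""
    return {line: classify(line) for line in lines}


# Constructed sample inventory: hypothetical CI hosts and what they run
SAMPLE = [
    "ci-runner-01 aquasec/trivy:0.69.3",
    "ci-runner-02 aquasec/trivy:0.69.5",
    "ci-runner-03 Version: 0.69.6",
    "ci-runner-04 aquasec/trivy:latest",
]

if __name__ == "__main__":
    for line, verdict in audit(SAMPLE).items():
        print(f"{verdict:12} {line}")
```

    Lines that come back `unparsed` deserve manual review rather than a pass: an unpinned `latest` tag could have pulled any of the malicious versions during the window in which they were published, so the actual image digest on the host, not the tag, is what settles it.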

    Oracle issued security updates for CVE-2026-21992, a critical remote code execution flaw (CVSS 9.8) in Identity Manager and Web Services Manager versions 12.2.1.4.0 and 14.1.2.1.0. The vulnerability allows an unauthenticated attacker with HTTP network access to take full control of the affected system; immediate patching is advised.

    The U.S. CISA updated its Known Exploited Vulnerabilities (KEV) catalog with five flaws. These include three Apple iOS vulnerabilities (CVE-2025-31277, CVE-2025-43510, CVE-2025-43520) exploited by the DarkSword kit, a Craft CMS code injection (CVE-2025-32432), and a Laravel Livewire code injection (CVE-2025-54068) linked to Iran's MuddyWater APT. Federal agencies must patch by April 3, 2026.

    The FBI reported that Russia-linked intelligence actors are conducting phishing campaigns to compromise high-value WhatsApp and Signal accounts, targeting U.S. government officials, military personnel, political figures, and journalists. Attackers use social engineering to trick victims into sharing verification codes to gain account access.

    The FBI alerted about Iran's Ministry of Intelligence and Security (MOIS) employing Telegram for command-and-control in malware attacks. These campaigns deliver multi-stage malware (e.g., MicDriver.exe) disguised as legitimate apps to Iranian dissidents, journalists, and opposition groups for surveillance and data theft.

    A new information stealer, VoidStealer, has been discovered. It uses a novel debugger trick to bypass Chrome's Application-Bound Encryption (ABE) and extract the browser's master key for decrypting sensitive user data.

    German-led Operation Alice, supported by Europol, successfully shut down over 373,000 fraudulent dark web sites between March 9 and 19, 2026. These sites, allegedly run by one individual, falsely advertised child sexual abuse material (CSAM) and cybercrime-as-a-service offerings; 105 servers were seized, and investigations into 440 customers are ongoing.

    Microsoft released an emergency update (KB5085516) to fix a critical issue affecting Microsoft account sign-ins across various Microsoft applications, including Teams and OneDrive.

    Microsoft is actively working to resolve an intermittent service issue preventing some users from accessing their cloud-based Exchange Online mailboxes via Outlook mobile and Mac desktop clients since Thursday.

    Want to dig deeper?

    Vulnerabilities

    CVE-2026-21992 Critical
    CVE-2025-31277 High
    CVE-2025-32432 Critical
    CVE-2025-54068 Critical

    Cyber Groups

    MuddyWater (aliases: Earth Vetala, MERCURY, Static Kitten, Seedworm, TEMP.Zagros, Mango Sandstorm, TA450)
