Threats

Two CVSS 10.0 flaws top the March 12 CVE digest, with Himmelblau's Azure Entra ID bypass letting attackers authenticate to any tenant and a Jellyfin GitHub Actions flaw enabling full repo takeover. 644 new CVEs in one day.

An Iran-linked group turned Stryker's own device management against it, remotely wiping 200,000+ systems through Microsoft Intune. The Fortune 500 medtech firm filed an SEC disclosure. Handala called it retaliation for the Minab school strike.

A North Korean spy's own malware infection exposed the mastermind behind the Polyfill.io attack. Hudson Rock traced 100+ credentials on one laptop to Funnull CDN, a US crypto exchange, and a Japanese defense lab.

A poisoned Git tag turned a security vendor's own GitHub Action into a backdoor. The C2 implant in xygeni-action ran for seven days, giving attackers access to repo secrets on every workflow run. Same technique that hit tj-actions last year.

Fake job applications are delivering kernel-level malware to HR departments. The BlackSanta campaign, attributed to allegedly Russian-speaking hackers, uses BYOVD to kill EDR before stealing crypto wallets and employee data. Active for over a year.

No confirmed exploitation, but six flaws tagged Exploitation More Likely. Microsoft's March 2026 Patch Tuesday fixes 83 CVEs, two zero-days in SQL Server and .NET, and critical Office RCEs exploitable through the Preview Pane.

A nother ingress-nginx annotation injection (CVSS 8.8) continues a year-long chain of Kubernetes controller flaws that started with IngressNightmare. Seven Unisoc NR modem bugs can crash Android phones remotely. Budibase leaks shell commands through its PostgreSQL integration.

An open-source tool that tracks body poses through walls using $54 in Wi-Fi hardware has 31,700 GitHub stars. RuView builds on Carnegie Mellon research and runs on ESP32-S3 chips, but independent reviewers question whether the code is fully functional.

A phishing campaign is hijacking Signal and WhatsApp accounts of officials and journalists by tricking them into sharing verification codes. Dutch intelligence confirmed victims among its own government employees and published detection indicators for compromised accounts.

March 9 brought 117 new CVEs but no critical-severity entries. The two worth tracking are an unpatched UltraVNC DLL hijack with a public exploit, and two Tiandy surveillance flaws from a vendor that has ignored disclosures since 2017.

Over 221 CVEs dropped in two days — headlined by a CVSS 9.9 RCE in Tencent's WeKnora LLM framework, a Parse Server authentication bypass at 9.3, and a WooCommerce CSRF that put 4.5 million online stores at risk. Patches are …

A fake CleanMyMac website tricks macOS users into running a Terminal command that installs SHub Stealer — an infostealer targeting 14 browsers and 102 crypto extensions. Worse, it silently backdoors Exodus, Ledger, Atomic, and Trezor wallets to harvest seed phrases …

Proton Mail shared payment data with Swiss authorities, who forwarded it to the FBI. A bank card tied to the Stop Cop City protest account revealed the holder's identity.

Six critical RustDesk Client vulnerabilities (CVSS 9.1–9.3) affect all platforms. Nginx UI CVE-2026-27944 (CVSS 9.8) leaks full server backups without authentication. No RustDesk patch yet.

Identity theft kit for the price of a laptop. A dark web broker is selling full root access to a US tax service with 15 years of client history. The cost? Just $3,000. Why this low-cost entry point is a …