Week of March 13–19, 2026
ShinyHunters weaponizes stolen credentials to chain-breach SaaS platforms — one compromise unlocking the next. This week: 1 petabyte exfiltrated from Telus Digital, AI-generated malware enters production, and npm supply chain attacks hit the React Native ecosystem.
01 / Breach Cascade
ShinyHunters' March campaign demonstrates how a single credential theft can cascade into an enterprise-scale breach chain. The group leveraged GCP credentials stolen in the 2025 Salesloft breach to pivot across Telus Digital, Salesforce customer environments, and the Woflow SaaS platform.
2025 — Origin Point
ShinyHunters compromised Salesloft and obtained Google Cloud Platform credentials. These credentials would become the master key for a chain of breaches extending into 2026.
INITIAL ACCESS
March 15, 2026
Using the stolen GCP credentials, ShinyHunters breached Telus Digital — a major Canadian business-process outsourcer. The attack was described as "strategic, disciplined, and optimized for maximum leverage." Stolen data includes PII, call-center recordings, FBI background check data, and source code from multiple business divisions.
1 PB STOLEN
March 9, 2026
ShinyHunters targeted approximately 100 high-profile companies through Salesforce Experience Cloud sites with overly permissive guest user profiles. The group used a modified Mandiant-developed scanning tool to identify exposed instances. Salesforce confirmed this exploited configuration drift — not a platform vulnerability.
CONFIG EXPLOITATION
March 2026
ShinyHunters breached Woflow — a third-party SaaS provider serving Uber, DoorDash, and Walmart — claiming exfiltration of hundreds of millions of records. This exemplifies a shift toward targeting integration-rich SaaS vendors to gain downstream access to multiple enterprises via OAuth tokens and API connections.
SUPPLY CHAIN PIVOT
02 / Supply Chain Under Siege
The developer supply chain faced coordinated attacks this week from two distinct threat actors, both exploiting the npm package ecosystem to steal credentials and infiltrate CI/CD pipelines.
Glassworm
On March 16, Glassworm compromised two popular React Native npm packages — react-native-country-select@0.3.91 and react-native-international-phone-number@0.11.8 — injecting a malicious preinstall hook that deploys a multi-stage Windows payload via obfuscated JavaScript during standard npm install.
134,887 downloads in the month prior to compromise
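A defender-side check for the lockfile pattern described above, added here as an example and not code from the newsletter or from either affected project: it reads an npm lockfileVersion 2/3 package-lock.json, flags the two compromised versions named in the report, and lists every dependency that npm recorded as running an install-time script (the hook Glassworm abused). The sample lockfile is constructed for a stand-alone run.

```javascript
// Added example (not from the newsletter or either project): scan an npm
// lockfileVersion 2/3 package-lock.json for the two package versions named in
// the Glassworm report and for any dependency that runs install-time scripts.

// Compromised versions as reported; extend this set from your own advisories.
const KNOWN_BAD = new Set([
  "react-native-country-select@0.3.91",
  "react-native-international-phone-number@0.11.8",
]);

// Derive "name@version" from a package-lock "packages" key such as
// "node_modules/a/node_modules/b" (nested installs keep the innermost name).
function packageId(path, entry) {
  const marker = "node_modules/";
  const name = entry.name || path.slice(path.lastIndexOf(marker) + marker.length);
  return `${name}@${entry.version}`;
}

// Returns one finding per issue: a known-compromised version, or a package
// whose manifest declares preinstall/install/postinstall (npm records this
// in the lockfile as hasInstallScript: true).
function scanLockfile(lock) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === "") continue; // the root project itself
    const id = packageId(path, entry);
    if (KNOWN_BAD.has(id)) findings.push({ path, id, reason: "known-compromised version" });
    if (entry.hasInstallScript) findings.push({ path, id, reason: "runs install script" });
  }
  return findings;
}

// Constructed sample lockfile so the script runs stand-alone; pass a real
// package-lock.json path as the first argument to scan a project instead.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/react-native-country-select": { version: "0.3.91", hasInstallScript: true },
    "node_modules/react-native-international-phone-number": { version: "0.11.8", hasInstallScript: true },
    "node_modules/lodash": { version: "4.17.21" },
    "node_modules/esbuild": { version: "0.19.0", hasInstallScript: true },
  },
};

if (typeof require !== "undefined" && require.main === module) {
  const fs = require("fs");
  const lock = process.argv[2] ? JSON.parse(fs.readFileSync(process.argv[2], "utf8")) : SAMPLE_LOCK;
  for (const f of scanLockfile(lock)) console.log(`${f.reason}: ${f.id} (${f.path})`);
}
```

Run it against a project's package-lock.json in CI and fail the build on any "known-compromised version" finding; review the "runs install script" list by hand, since legitimate native packages also use install hooks.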
PhantomRaven
Discovered March 11, PhantomRaven distributed 88 malicious packages through 50 disposable npm accounts using "slopsquatting" — mimicking established projects like Babel and GraphQL Codegen. The malware harvests developer credentials, CI/CD tokens, and system information from compromised build environments.
88 packages across 50 disposable accounts
03 / AI-Generated Malware Arrives
IBM X-Force discovered "Slopoly" — likely the first confirmed case of AI-generated malware used in a real ransomware operation. Deployed by Hive0163 as part of the Interlock ransomware campaign, Slopoly represents a threshold moment for AI-enabled offensive operations.
Slopoly functions as a PowerShell backdoor, serving as a loader stage in the Interlock ransomware kill chain. IBM's analysis identified structural markers consistent with LLM-generated code — including characteristic naming patterns and error handling structures. Interlock operators also exploited a critical Cisco Secure Firewall vulnerability (CVE-2026-20131) beginning in January 2026, weeks before its public disclosure on March 4.
04 / Vulnerability Intelligence
Microsoft addressed 83 CVEs including 2 zero-days and 8 critical-severity flaws. Meanwhile, critical vulnerabilities in VMware Aria Operations, the pac4j Java framework, and Google Chrome's V8 engine are under active exploitation.
CVE-2026-21536
CVSS 9.8
Microsoft Devices Pricing Program remote code execution. Critical RCE with no user interaction required.
MICROSOFT · MARCH PATCH TUESDAY
CVE-2026-29000
CVSS 9.1
pac4j-jwt authentication bypass — attackers forge identity tokens with the server's RSA public key. 30,000+ vulnerable downloads in one week.
PAC4J · JAVA · SONATYPE
CVE-2026-22719
CVSS 8.1
VMware Aria Operations unauthenticated command injection. Added to CISA KEV March 3. Exploits migration operations for system-level access.
VMWARE · CISA KEV · ACTIVELY EXPLOITED
CVE-2026-3910
CVSS HIGH
Google Chrome V8 sandbox escape. Actively exploited in the wild before patch. Added to CISA KEV March 13.
GOOGLE CHROME · CISA KEV · ACTIVELY EXPLOITED
CVE-2026-21262
ZERO-DAY
SQL Server elevation of privilege — improper access control allows authenticated users to escalate to sysadmin. Publicly disclosed before patch.
MICROSOFT · SQL SERVER · ZERO-DAY
CVE-2026-3888
CVSS 7.8
Ubuntu Snap privilege escalation to root. Interaction between snap-confine and systemd-tmpfiles on Ubuntu Desktop 24.04+.
CANONICAL · UBUNTU · QUALYS
CISA Known Exploited Vulnerabilities — March 2026 Additions
05 / APT Intelligence
A rare OPSEC failure by APT28 reveals the scale of Russian espionage across NATO members, while China-nexus actors target the Persian Gulf and Russian-aligned operators deploy novel malware against Ukraine.
Russia — GRU Unit 26165
Researchers exposed a major operational security blunder by APT28, revealing compromised government and military entities across Ukraine, Romania, Bulgaria, Greece, Serbia, and North Macedonia — all NATO member countries or partners. The infrastructure operated undetected for over 500 days before exposure. The breach revealed harvested emails, stolen credentials, and exfiltrated communications from military and diplomatic targets.
11,500+
Harvested Emails
240+
Stolen Credentials
2,800+
Exfiltrated Emails
500+
Days Active
China — Mustang Panda Nexus
A China-nexus threat actor launched attacks against the Persian Gulf region using Arabic-language lures depicting missile strikes to deliver PlugX backdoors. The multi-stage attack chain employs LNK files and CHM droppers with advanced obfuscation to hinder reverse engineering.
Russia — APT28 / Unattributed
ClearSky exposed Russian-aligned cyber operations deploying two previously undocumented malware families — BadPaw and MeowMeow — against Ukrainian targets. Both use .NET Reactor obfuscation and advanced evasion techniques. Attribution points to APT28 at low confidence. Separately, Operation MacroMaze targeted Western and Central Europe from September 2025 to January 2026 using Office macro-based droppers and legitimate services like webhook.site for exfiltration.
06 / Ransomware Operations
A new Babuk-derivative targets healthcare and energy. Interlock exploits Cisco firewalls before disclosure. And the University of Hawaii Cancer Center reveals a breach affecting 1.2 million individuals.
Payload Ransomware
A new ransomware strain using Babuk-derived encryption emerged in February 2026, targeting both Windows and ESXi systems. By mid-March, Payload had claimed 12 victims across 7 countries with 2,603 GB of stolen data, targeting healthcare, real estate, energy, and telecom. On March 15, Payload publicly claimed a breach of Royal Bahrain Hospital.
Interlock
Interlock exploited CVE-2026-20131 in Cisco Secure Firewall Management Center beginning in January 2026 — six weeks before the vulnerability's public disclosure on March 4. The group deployed custom remote access trojans through compromised firewall infrastructure, then loaded the AI-generated Slopoly backdoor.
Undisclosed Actor
The University of Hawaii Cancer Center confirmed a ransomware attack affecting over 1.2 million individuals. The breach — which occurred in August 2025 but was reported in March 2026 — exposed Social Security numbers, driver's license numbers, and health information dating back to 1993. The university paid a ransom for a decryption tool.
07 / Critical Infrastructure
Poland's energy infrastructure sustained permanent equipment damage from a Sandworm-linked attack, while Iranian cyber operations escalate against U.S. critical infrastructure following February's military strikes.
Poland — Energy Sector
Russian-linked threat group Electrum (associated with Sandworm/APT44) attacked Polish energy infrastructure including wind farms, solar facilities, and combined heat and power plants. Attackers deployed DynoWiper data-wiping malware, causing permanent damage to Hitachi RTU560 controllers and protection relays. Initial access exploited FortiGate devices lacking MFA and used default credentials on industrial components.
~30
Sites Impacted
1.2 GW
Capacity Affected
Iran ↔ United States
Following the February 28 military strikes, Iranian-affiliated threat actors — including Cotton Sandstorm, CyberAv3ngers, and Cyber Islamic Resistance — escalated attacks against U.S. water utilities, power systems, and fuel infrastructure. Over 60 hacktivist groups activated within hours. Research identifies 40,000+ internet-exposed ICS devices in the U.S. as potential targets. 82% of CPS attacks use the VNC protocol to access exposed HMI/SCADA systems.
60+
Hacktivist Groups
40K+
Exposed ICS Devices
08 / Cloud & SaaS Attack Surface
ShinyHunters' Salesforce campaign highlights how SaaS misconfiguration — not code-level vulnerabilities — has become the primary attack vector for cloud-first enterprises. The pattern is clear: attackers are targeting upstream SaaS vendors to cascade downstream.
ShinyHunters targeted approximately 100 companies by identifying Salesforce Experience Cloud instances with overly permissive guest user profiles. The group used a modified version of a Mandiant-developed open-source scanning tool to automate discovery. Salesforce confirmed the issue stems from customer-managed access controls — not a platform vulnerability. Security experts recommend continuous SaaS security posture management and identity-centric monitoring to detect configuration drift and third-party connection risks.
The Woflow breach demonstrates the emerging pattern of targeting integration-rich SaaS vendors to gain downstream access to multiple enterprise environments. Attackers exploit OAuth tokens, API connections, and third-party integrations to move laterally across cloud environments — turning a single SaaS compromise into access to dozens of enterprise tenants.
09 / AI Threat Landscape
HiddenLayer's 2026 AI Threat Landscape Report reveals autonomous AI agents now account for more than 1 in 8 reported AI breaches. Attackers are operationalizing AI faster than defenders can adapt.
1 in 8
AI breaches involve agentic AI systems
96%
Security leaders view AI attacks as significant threat
35%
AI breaches trace to malware in open model repos
53%
Organizations have withheld AI breach reporting
"Attackers using AI tools are moving faster than defenders can respond, with tools like HexStrike exploiting vulnerabilities in minutes rather than the standard 15-day patching window."
— Booz Allen Hamilton, March 2026 AI Security Report via CyberScoop
Microsoft's own analysis published March 6 documents how threat actors are operationalizing AI as tradecraft — from drafting phishing lures and generating malware to creating social engineering content. Shadow AI usage continues accelerating: over 75% of organizations now cite it as a definite or probable problem, up from 61% in 2025. Meanwhile, organizations dedicating at least a quarter of their cybersecurity budget to AI solutions are projected to jump from 9% to 48% within two years.
10 / Regulatory Pulse
European enforcement moves from theory to action. Germany issues its first NIS2 penalty, DORA compliance clocks are ticking for financial entities, and cumulative GDPR fines cross the €7 billion threshold.
NIS2 Directive
Germany issued its first NIS2 penalty of €850,000 in February 2026, while France opened investigations into 14 entities. Organizations face fines up to €10 million or 2% of global annual turnover for non-compliance with network and information security requirements.
FINES UP TO €10M OR 2% GLOBAL TURNOVER
DORA
The Digital Operational Resilience Act (DORA) has less than 9 months until full compliance is required for banks, insurance companies, payment institutions, and crypto-asset service providers. Requirements span ICT risk management, incident reporting, resilience testing, and third-party risk.
< 9 MONTHS TO FULL COMPLIANCE
GDPR
GDPR enforcement has reached €7.1 billion in cumulative fines since May 2018, with €1.2 billion issued in 2025 alone. Breach notifications exceeded 443 per day in 2025 — a 22% year-over-year increase. Insufficient legal basis for processing remains the most common violation.
443+ DAILY BREACH NOTIFICATIONS IN 2025
1 PB
Exfiltrated from Telus Digital
83
CVEs in March Patch Tuesday
11.5K
Emails exposed in APT28 blunder
88
Malicious npm packages
1.2M
UH Cancer Center victims
60+
Iranian-linked hacktivist groups
€850K
First NIS2 penalty (Germany)
12 / The Week Ahead
March 24, 2026
Federal agencies must patch CVE-2026-22719 (VMware Aria Operations command injection) per BOD 22-01. Actively exploited in the wild.
March 25, 2026
Google typically releases Chrome stable updates on Tuesdays. Watch for additional V8 and Skia patches following March's active exploits.
March 27, 2026
Remediation deadline for CVE-2026-3910 (V8 sandbox escape) and CVE-2026-3909 (Skia out-of-bounds write). Both actively exploited.
Late March
Financial entities in the EU should be finalizing ICT risk management frameworks and third-party risk assessments under DORA requirements.
Ongoing
Following Germany's first penalty and France's 14 open investigations, expect additional EU member states to begin NIS2 enforcement actions.
April 14, 2026
Anticipate patches for any residual exploitation of March's zero-days (CVE-2026-21262, CVE-2026-26127) and potential new disclosures.