Skip to content
Chimera readability score 0.5584 out of 100, reading level.

For the latest discoveries in cyber research for the week of 30th March, please download our Threat Intelligence Bulletin.
TOP ATTACKS AND BREACHES
- The European Commission, the European Union’s executive body, has confirmed a data breach after its Europa.eu platform was compromised through a third-party exchange linked to the Trivy supply chain attack. The incident affected at least one Amazon Web Services account and resulted in data theft, while websites and internal systems remained operational.
- Global toys and games manufacturing giant Hasbro has disclosed a cyberattack after detecting unauthorized access to its network on March 28. Some systems were taken offline, and the company warned that recovery could take weeks and cause delays.
- Cryptocurrency trading platform Drift Protocol on Solana has suffered a major breach after an attacker gained enough Security Council approvals to execute pre-signed transactions on April 1. Drift said roughly $280 million was affected, froze platform activity, and stated the incident did not involve a smart contract flaw or seed phrase compromise.
- Luxury camping providers Roan and Eurocamp have experienced a data breach that exposed guest names, email addresses, phone numbers, travel destinations, booking dates, and prices. Attackers are using the stolen data in WhatsApp payment scams, while the companies said the flaw was patched and no passwords or payment data were taken.
AI THREATS
- Check Point Research demonstrated a hidden outbound channel in ChatGPT’s execution runtime that enabled silent exfiltration of user data. A single malicious prompt or a backdoored GPT could transmit chat content and uploaded files to attackers through DNS.
- Check Point warns that based on leaked details about Anthropic’s Claude “Mythos”, the model will likely accelerate vulnerability discovery, exploit development, and multi-step attack automation. The new capabilities could sharply reduce time to exploit and make advanced offensive techniques more broadly accessible.
- Researchers examined six AI agents and found that impersonation and fabricated urgency can push them to disclose data or take harmful actions. In testing, an agent forwarded 124 emails containing personal and financial details, while others deleted files and reassigned admin access.
- Researchers observed a flaw in Google Cloud’s Vertex AI Agent Engine that could let attackers extract service agent credentials and pivot into customer projects. The exposed privileges enabled access to storage and Artifact Registry resources, and permissive OAuth scopes also increased the risk of wider Google Workspace exposure.
VULNERABILITIES AND PATCHES
- Cisco released urgent fixes for CVE-2026-20093, a critical authentication bypass in its Integrated Management Controller software used across ENCS 5000, Catalyst 8300 uCPE, and UCS C-Series M5 and M6 servers. Remote attackers can reset any account, including Admin, allowing full device takeover.
- Researchers discovered CVE-2026-5281, a zero-day memory flaw in Chrome’s WebGPU component, Dawn, that also impacts Edge, Brave, Opera, and other Chromium-based browsers. The vulnerability is being actively exploited and can enable code execution on user systems, prompting inclusion in CISA’s Known Exploited Vulnerabilities catalog.
- Progress has addressed two critical ShareFile vulnerabilities, including CVE-2026-2699 with a CVSS score of 9.8, that can be chained for unauthenticated remote code execution. The flaws let attackers reach restricted configuration pages and upload arbitrary files to the server without logging in to affected installations.
- F5 reclassified CVE-2025-53521, a BIG-IP Access Policy Manager vulnerability, as a critical remote code execution flaw under active exploitation. More than 14,000 internet-exposed systems were still visible online, and the company published indicators of compromise and rebuild guidance for affected devices.
THREAT INTELLIGENCE REPORTS
- Check Point Research has unmasked TrueChaos, a campaign exploiting a 0-day vulnerability (CVE-2026-3502) in TrueConf’s on-premises update process to push malicious updates to Southeast Asian government networks. Attackers delivered Havoc payloads through trusted servers, and the activity was assessed with moderate confidence as being affiliated with a Chinese nexus.
- Check Point Research have outlined an Iran-nexus password-spraying campaign against Microsoft 365 in the Middle East, conducted in three waves during March. The activity focused on Israel and the UAE, targeting municipalities and using Tor and VPN infrastructure to evade geofencing and complicate attribution.
- Check Point Research have uncovered coordinated tax-season phishing and malware activity, with hundreds of newly registered tax-themed domains and rising risk levels. In March 2026, one in ten new domains was flagged as risky, while IRS-impersonating sites harvested personal data and Spain-themed emails delivered malware loaders.
- Researchers documented a supply chain compromise of the Axios npm package, a widely used HTTP client with millions of monthly downloads, that briefly pushed malicious releases delivering a remote access trojan. The tampered versions used a hidden dependency to fetch a second-stage payload and erase traces after installation.

Facts Only

The European Commission confirmed a data breach after its Europa.eu platform was compromised via a third-party exchange linked to the Trivy supply chain attack.
Hasbro disclosed a cyberattack after detecting unauthorized network access on March 28.
Drift Protocol on Solana suffered a breach affecting roughly $280 million, involving pre-signed transactions, without a smart contract flaw.
Roan and Eurocamp experienced a data breach exposing guest names, email addresses, phone numbers, travel destinations, booking dates, and prices.
Check Point Research demonstrated a hidden outbound channel in ChatGPT’s execution runtime allowing silent exfiltration of user data via DNS.
Researchers examined six AI agents and found that impersonation and fabricated urgency led agents to disclose data or perform harmful actions.
A flaw in Google Cloud’s Vertex AI Agent Engine could allow attackers to extract service agent credentials and pivot into customer projects.
Cisco released fixes for CVE-2026-20093, a critical authentication bypass in Integrated Management Controller software.
Researchers discovered CVE-2026-5281, a zero-day memory flaw in Chrome’s WebGPU component.
F5 reclassified CVE-2025-53521 as a critical remote code execution flaw under active exploitation.
Check Point Research unmasked TrueChaos, exploiting CVE-2026-3502 in TrueConf’s update process to push malicious updates to Southeast Asian government networks.
Check Point Research outlined an Iran-nexus password-spraying campaign against Microsoft 365 in the Middle East.
Researchers documented a supply chain compromise of the Axios npm package, which delivered a remote access trojan.

Executive Summary

Recent cyber incidents span various sectors, including supply chain compromises, cryptocurrency exchanges, luxury travel providers, and large-scale AI systems. A data breach affected the European Commission's platform via a third-party exchange linked to a supply chain attack, resulting in data theft from an AWS account. Simultaneously, a trading platform suffered a major breach affecting $280 million, although no smart contract flaw was involved. Luxury camping providers experienced a breach exposing personal guest data, which was reportedly used in payment scams. AI threats involve potential silent data exfiltration through ChatGPT's execution runtime and concerns that advanced models like Claude may accelerate vulnerability discovery. Specific vulnerabilities, such as Cisco's authentication bypass and a zero-day flaw in Chrome's WebGPU component, remain actively exploited. Threat intelligence reports also highlight state-linked campaigns targeting Microsoft 365 and coordinated phishing activity involving tax-themed domains.

Full Take

The convergence of supply chain exploits, zero-day vulnerabilities, and advanced AI capabilities indicates a shift from merely securing systems to managing systemic trust and algorithmic integrity. The reports detail how deeply integrated components—from software packages (Axios npm) and AI execution environments (ChatGPT runtime) to physical infrastructure (Cisco systems) and financial protocols (Solana)—are now vectors for large-scale compromise. This pattern suggests that the cost of security is increasingly shifting from perimeter defense to verifying the provenance and operational integrity of every digital dependency.
The threat intelligence regarding state-nexus campaigns and sophisticated impersonation tactics reveals an adversarial strategy focused not just on exploiting technical flaws, but on manipulating human processes and exploiting trust hierarchies. The focus on data exfiltration via AI channels and the exposure of critical credentials within cloud agent engines implies a future where automated, opaque systems can become the primary means of attack and control. This raises the question of cognitive sovereignty: if advanced capabilities can automate attack execution and impersonation, how do human institutions maintain effective oversight and resist manipulation, especially when the mechanisms of compromise are hidden within complex, multi-stage dependencies?
The implications for agency are profound: the exposure of personal data and the potential for AI agents to facilitate harmful actions demonstrate that technical vulnerabilities translate directly into risks of physical and financial harm. The pursuit of true resilience requires moving beyond patching individual flaws to understanding the systemic flow of trust—who controls the supply chain, who authorizes the AI agents, and what are the non-technical, human-mediated decisions that introduce the greatest risk.

Sentinel — Human

Confidence

The text exhibits the structure and specificity of human-compiled threat intelligence, primarily referencing verifiable technical and geopolitical events, suggesting a high likelihood of human authorship.

Signals Detected
low severity: Sentence length variance is manageable; structure is organized but varies in density.
low severity: The text maintains a clear, factual structure typical of intelligence bulletins, focusing on specific named events and technical details.
low severity: Use of specific CVEs, named research groups (Check Point), and named campaigns (TrueChaos) suggests referencing external, verifiable reports rather than pure LLM fabrication.
low severity: The content is high-density factual reporting. The specific details and attribution lend high credibility to the claims, mitigating fabrication risk.
Human Indicators
The text employs dense, specialized terminology (CVEs, specific supply chain names, financial figures) and refers to specific, evolving threat intelligence, which is characteristic of human-compiled reports.
The structure and focus align with professional threat intelligence briefings rather than generalized, smooth, abstract prose.
6th April — Arc Codex