Stryker wiper attack 🩺, Splunk RCE flaw 📊, Chrome vulnerability 🌐, NPM supply chain 📦, fake interview malware 💼

Daily Threat Intel Digest - 2026-03-12

🔴 Critical Threats & Active Exploitation

[NEW] Iran-Linked Handala Group Launches Destructive Wiper Attack on Stryker
Iranian state-aligned threat actor Handala has claimed responsibility for a devastating cyberattack against medical technology giant Stryker, deploying destructive wiper malware that erased data from approximately 200,000 corporate servers and mobile devices while stealing 50 TB of data. The attack, attributed by researchers to the Void Manticore persona, specifically targeted Stryker’s Microsoft Intune infrastructure to remotely wipe mobile devices and defaced login portals with the Handala logo. This incident is part of a broader escalation of Iranian cyber activity following recent military operations (“Operation Epic Fury”), which has also seen a surge in the exploitation of IP camera vulnerabilities (Hikvision/Dahua) by Iranian-nexus actors for surveillance and pre-positioning. The disruption to Stryker’s global operations, including manufacturing and engineering platforms, raises significant concerns regarding supply chain stability for critical medical devices. [Cyberpress; Tenable; Security Boulevard]

[NEW] Critical RCE Vulnerability in Splunk Enterprise Exposes Systems to Arbitrary Shell Commands
A high-severity Remote Code Execution (RCE) vulnerability tracked as CVE-2026-20163 (CVSS 8.0) has been discovered in Splunk Enterprise and Splunk Cloud Platform, allowing attackers to execute arbitrary shell commands directly on the host operating system. Classified under CWE-77 (Improper Neutralization of Special Elements used in an OS Command), this flaw bypasses standard input validation, posing a severe risk to organizations relying on Splunk for security monitoring and log analytics. Given Splunk’s prevalence in enterprise environments, unpatched instances could serve as a high-value entry point for attackers to pivot deeper into network infrastructure. Security teams are advised to review vendor advisories immediately and apply updates or enforce strict network segmentation to mitigate the risk of weaponization. [GBHackers]

[NEW] Google Chrome Update Patches Critical Heap Buffer Overflow (CVE-2026-3913)
Google has released Chrome version 146 to the stable channel, addressing 29 vulnerabilities including a critical heap buffer overflow in the WebML component (CVE-2026-3913) that could allow remote code execution (RCE). Discovered by researcher Tobias Wienand, this flaw enables attackers to compromise systems simply by convincing a user to visit a malicious webpage. The update also resolves 11 high-severity issues, primarily “Use After Free” (UAF) errors in components such as Web Speech, Agents, and Extensions. Browser-based exploits remain a primary vector for initial access; delaying this update exposes endpoints to drive-by downloads and watering hole attacks. Organizations should prioritize pushing version 146.0.7680.71/72 to all endpoints immediately. [Cyberpress; GBHackers]

🎯 Threat Actor Activity & Campaigns

[NEW] UNC6426 Exploits NPM Supply Chain to Achieve Full AWS Admin Access
Mandiant has revealed the intricate attack path of threat group UNC6426, which compromised the popular Nx NPM package (injecting “QUIETVAULT” code) to steal GitHub Personal Access Tokens (PATs) and ultimately gain full administrative access to a victim’s AWS environment in under 72 hours. By leveraging the stolen GitHub PATs to access CI/CD environments and exploit GitHub-to-AWS OpenID Connect (OIDC) trust relationships, the attackers obtained temporary AWS STS tokens. They then used a compromised CloudFormation role to create a new IAM role with AdministratorAccess permissions, allowing them to exfiltrate sensitive data and terminate critical EC2 and RDS instances. This campaign highlights the catastrophic risk of combining supply chain poisoning with overly permissive identity trust in automated pipelines. [Cyberpress]
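The OIDC pivot described above depends on how tightly a role's trust policy scopes the GitHub token's `sub` claim: a trust that accepts any repository in an organisation, or omits the `sub` condition entirely, lets a stolen pipeline identity mint STS credentials for the role. The following is an added example, not code from Mandiant or the digest's sources: a small Python auditor that flags IAM trust policies whose GitHub OIDC condition is missing or broader than one repository and one ref/environment, run against a constructed weak policy and its corrected form. The account ID, organisation and repository names are placeholders; the condition keys (`token.actions.githubusercontent.com:sub` / `:aud`) are the real ones GitHub's OIDC provider emits.

```python
"""Audit IAM role trust policies for overly broad GitHub Actions OIDC trust (added example)."""
import json

GITHUB_OIDC = "token.actions.githubusercontent.com"
SUB_KEY = GITHUB_OIDC + ":sub"
AUD_KEY = GITHUB_OIDC + ":aud"


def _as_list(value):
    """IAM policy JSON allows a string or a list in most positions; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _github_statements(policy):
    """Yield (index, statement) for Allow statements that let the GitHub OIDC provider assume the role."""
    for i, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        if not isinstance(principal, dict):
            continue
        if not any(GITHUB_OIDC in p for p in _as_list(principal.get("Federated"))):
            continue
        if "sts:AssumeRoleWithWebIdentity" not in _as_list(stmt.get("Action")):
            continue
        yield i, stmt


def _sub_is_scoped(op, value):
    """True when a sub pattern pins org AND repo and does not wildcard the ref/environment part.

    Expected shape: repo:<org>/<repo>:<rest>, e.g. repo:acme/api:ref:refs/heads/main
    """
    parts = value.split(":", 2)
    if len(parts) != 3 or parts[0] != "repo":
        return False
    org_repo, rest = parts[1], parts[2]
    if "*" in org_repo or "/" not in org_repo or not rest:
        return False
    # Under StringLike a '*' in the rest (e.g. repo:acme/api:*) admits every branch, tag and PR workflow.
    if op.endswith("StringLike") and "*" in rest:
        return False
    return True


def audit_trust_policy(policy):
    """Return human-readable findings; an empty list means every GitHub trust statement is scoped."""
    findings = []
    for i, stmt in _github_statements(policy):
        conditions = {}  # condition key -> (operator, [values])
        for op, pairs in stmt.get("Condition", {}).items():
            for key, val in pairs.items():
                conditions[key] = (op, _as_list(val))
        aud = conditions.get(AUD_KEY)
        if aud is None or aud[1] != ["sts.amazonaws.com"]:
            findings.append(f"statement {i}: audience is not pinned to sts.amazonaws.com")
        sub = conditions.get(SUB_KEY)
        if sub is None:
            findings.append(f"statement {i}: no {SUB_KEY} condition, so a token from any GitHub repository is accepted")
            continue
        op, values = sub
        for v in values:
            if not _sub_is_scoped(op, v):
                findings.append(f"statement {i}: sub pattern {v!r} under {op} is broader than one repository and ref")
    return findings


# Constructed sample policies. 123456789012 is AWS's documentation placeholder account ID.
_PROVIDER_ARN = "arn:aws:iam::123456789012:oidc-provider/" + GITHUB_OIDC

WEAK_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": _PROVIDER_ARN},
        "Action": "sts:AssumeRoleWithWebIdentity",
        # No audience check, and any repo in the org (any branch) may assume the role.
        "Condition": {"StringLike": {SUB_KEY: "repo:example-org/*"}},
    }],
}

HARDENED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": _PROVIDER_ARN},
        "Action": "sts:AssumeRoleWithWebIdentity",
        # Audience pinned, and only the main branch of one named repository is trusted.
        "Condition": {"StringEquals": {
            AUD_KEY: "sts.amazonaws.com",
            SUB_KEY: "repo:example-org/deploy-pipeline:ref:refs/heads/main",
        }},
    }],
}

if __name__ == "__main__":
    for name, pol in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(name, json.dumps(audit_trust_policy(pol), indent=2))
```

Run it against the JSON returned by `aws iam get-role` (the `AssumeRolePolicyDocument` field) for every role that trusts the GitHub provider; the weak sample yields two findings (unpinned audience, organisation-wide `sub`), the corrected one none. Scoping `sub` does not remove the need to keep the role's permission policy itself minimal, which is what turned the CloudFormation role above into an administrative foothold.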

[NEW] “Contagious Interview” Campaign Weaponizes Fake Job Recruitments to Deliver Malware
Microsoft Defender Experts have detailed the ongoing “Contagious Interview” campaign, where threat actors pose as recruiters from crypto trading firms or AI solution providers to deliver malware via fake technical interviews. Victims are instructed to clone malicious NPM packages or open repositories in Visual Studio Code, which then executes backdoors such as BeaverTail, Invisible Ferret, and FlexibleFerret. These payloads harvest high-value secrets, including API tokens, cloud credentials, and cryptocurrency wallet data. The campaign exploits the inherent trust in recruitment workflows and development tools, bypassing standard skepticism. Developers should be advised to perform coding assessments in isolated environments and never execute untrusted scripts or “paste-and-run” commands provided during interviews. [Microsoft Security Blog via MalwareNews]

[NEW] Ericsson US Suffers Data Breach via Third-Party Provider
Ericsson Inc., the US subsidiary of the Swedish telecom giant, confirmed a data breach impacting 15,661 employees and customers. The intrusion did not directly breach Ericsson’s network but instead compromised a third-party service provider responsible for handling sensitive personal data. This incident underscores the persistent risk of supply chain attacks via third-party vendors, where attackers target smaller, softer targets in an ecosystem to access the data of larger, more secure entities. Security teams should review the security posture of all third-party data processors and enforce strict data handling agreements. [GBHackers]

⚠️ Vulnerabilities & Patches

[NEW] Cisco IOS XR Flaws Allow Root Command Execution
Cisco has released updates to address two high-severity privilege escalation vulnerabilities in its IOS XR Software, enabling authenticated local attackers to execute arbitrary commands as the root user. These flaws affect routers running NCS 5700 Series line cards, fixed chassis, and other platforms running IOS XR. Given that these devices often serve as critical network backbone infrastructure, a successful compromise could allow attackers to sniff traffic, reroute traffic, or disrupt network availability entirely. Administrators should apply the latest software updates immediately. [GBHackers; Canadian Centre for Cyber Security]

⚑ Quick Hits

  • pac4j Auth Bypass (CVE-2026-29000): A critical authentication bypass vulnerability in the widely used pac4j-jwt library affects 19 additional Java packages, potentially allowing attackers to bypass auth controls in applications using this dependency [Sonatype via MalwareNews].
  • WordPress SQLi (CVE-2026-2313): An unauthenticated SQL injection vulnerability in the Elementor “Ally” plugin (400k+ installs) impacts over 250,000 sites that have not yet updated to version 4.1.0 [BleepingComputer].
  • Drupal & GitLab Updates: Security advisories released for Drupal (AI module and Unpublished Node Permissions) and GitLab (versions prior to 18.9.2, 18.8.6, 18.7.6) addressing access bypass and information disclosure flaws [Canadian Centre for Cyber Security].
  • CastleRAT via Deno: A new malware campaign abuses the Deno JavaScript runtime to deliver the CastleRAT trojan, leveraging trusted development tools to evade enterprise defenses [GBHackers].

📋 Policy & Industry News

Meta Launches Anti-Scam Tools Across WhatsApp, Facebook, and Messenger
Meta has rolled out new AI-driven protections designed to warn users at the moment of interaction with potentially malicious accounts or links. These tools, targeting fast-evolving online fraud, include stricter advertiser controls and behavioral analysis to detect scams before financial loss occurs. This deployment responds to the rising trend of social engineering and pig-butchering scams exploiting major messaging platforms. [GBHackers]