Executive Summary
- North Korean actors deploying StoatWaffle malware via VS Code projects, exploiting developer trust in IDE automation
- Trivy supply chain attack spreading infostealer malware and Kubernetes wipers across CI/CD pipelines, compromising cloud credentials and SSH keys
- Iran-linked threat actors launching destructive wiper campaigns (CanisterWorm, TeamPCP) targeting Kubernetes and cloud infrastructure with geolocation-based triggers
- Phishing-as-a-service platforms rapidly resurging after law enforcement disruption; IRS tax season campaigns hitting 29,000 users with RMM malware
- Initial access handoff timeline compressed from hours to 22 seconds, indicating accelerated attack velocity and AI-assisted exploitation
Top Threats Today
1. Trivy Supply Chain Attack – CI/CD Infostealer & Kubernetes Wiper
Severity: Critical Affected: Technology
Malicious versions (0.69.4, 0.69.5+) of the popular Trivy security scanner distributed via Docker Hub contain credential-harvesting infostealer payloads and Kubernetes cluster wipers. The attack compromises CI/CD secrets including cloud credentials, SSH keys, API tokens, and authentication materials. This represents a direct threat to software supply chains and containerized infrastructure across all sectors using Trivy for vulnerability scanning.
Recommended Action
- Immediately audit Trivy versions in use; verify only version 0.69.3 or earlier is deployed
- Rotate all cloud credentials, SSH keys, API tokens, and secrets that may have been exposed via CI/CD pipelines
- Scan Docker registries and container repositories for malicious Trivy artifacts; block untrusted image pulls
- Review CI/CD logs for suspicious credential access or lateral movement patterns in the past 30 days
2. North Korean StoatWaffle Malware via VS Code Projects
Severity: Critical Affected: Technology
WaterPlum/Contagious Interview campaign distributes StoatWaffle malware through malicious VS Code projects that abuse the tasks.json auto-run functionality. This leverages developer trust in IDE configuration and requires no user interaction beyond opening a project. The attack directly targets developer workstations with elevated system access.
Recommended Action
- Disable VS Code auto-run task execution; require explicit user approval for all task execution
- Audit all VS Code project configurations (.vscode/tasks.json) for suspicious command entries
- Implement code repository scanning for malicious VS Code configuration patterns
- Deploy endpoint detection and response (EDR) monitoring on all developer workstations
3. Iran-Linked Destructive Wiper Campaigns – CanisterWorm & Stryker Attack
Severity: Critical Affected: Healthcare, Technology
CanisterWorm and TeamPCP threat actors deploying geolocation-triggered data wipers targeting Kubernetes clusters and cloud services. Wiper payloads activate based on system timezone (Iran TZ) or language settings (Farsi). Confirmed attack against Stryker medical technology company disrupted operations across international hubs. This represents a destructive cyber warfare escalation combining data theft, extortion, and infrastructure destruction.
Recommended Action
- Implement Kubernetes cluster segmentation and network isolation; restrict cross-cluster communication
- Deploy runtime container security to detect and block unauthorized process execution and data access patterns
- Enable immutable backups of critical data with offline storage; test recovery procedures immediately
- Monitor for lateral movement and privilege escalation attempts in cloud environments (AWS, Azure, GCP)
- Review cloud IAM policies; disable overly permissive service account permissions
4. Phishing-as-a-Service Resurrection – Tycoon2FA Returns
Severity: High Affected: Government, Finance, Healthcare
Tycoon2FA phishing platform resurged to previous activity levels within days of Europol disruption (March 4). IRS phishing campaigns exploiting tax season urgency have compromised 29,000 users with RMM (Remote Monitoring & Management) malware deployment. Phishing-as-a-service platforms continue to lower attacker barriers for credential harvesting and malware distribution.
Recommended Action
- Deploy advanced email filtering with OSINT-based phishing link detection and sandboxing
- Enforce multi-factor authentication (MFA) with phishing-resistant mechanisms (FIDO2 hardware keys preferred over SMS/TOTP)
- Implement conditional access policies blocking sign-ins from unfamiliar locations or high-risk geographies
- Conduct phishing awareness training with simulated campaigns; track user susceptibility metrics
5. AWS Bedrock AI Platform Attack Vectors
Severity: High Affected: Technology, Finance
Researchers identified eight distinct attack vectors within AWS Bedrock AI platform, exploiting connectivity between foundation models and enterprise data/systems. Risks include prompt injection, data exfiltration, unauthorized API access, and lateral movement through connected services. AI platform security controls lag behind traditional application security maturity.
Recommended Action
- Implement prompt input validation and output sanitization for all Bedrock integrations
- Enforce least-privilege IAM roles for Bedrock service accounts; audit data access patterns
- Conduct security assessments specifically targeting AI/ML data pipelines and model integration points
- Establish monitoring for anomalous API usage, data volume transfers, and model inference patterns
Today’s Action Checklist
- ☐ URGENT: Audit and remediate Trivy scanner versions; rotate all exposed CI/CD credentials
- ☐ URGENT: Disable VS Code auto-run tasks; scan developer machines for StoatWaffle malware
- ☐ URGENT: Test Kubernetes backup and recovery procedures; implement immutable offline backups
- ☐ URGENT: Deploy MFA with phishing-resistant factors across all critical systems
- ☐ Review Microsoft March 2026 Patch Tuesday advisories; prioritize patching 77 vulnerabilities
- ☐ Conduct incident response tabletop exercise focused on supply chain compromises and wiper attacks
- ☐ Implement EDR solutions on all developer workstations and CI/CD infrastructure
- ☐ Review and strengthen cloud security posture assessment (CSPM) rules for Kubernetes and AWS Bedrock