March 30, 2026 Emerging Threats Weekly
This week’s briefing covers:
00:00 – Intro
01:02 [MALWARE] TeamPCP expands its open-source compromise campaign from Trivy to KICS and LiteLLM
Wiz reported that TeamPCP first compromised Aqua Security’s Trivy scanner and associated GitHub Actions on March 19, injecting credential-stealing code into official releases and action tags used in CI/CD workflows.
02:37 [VULNERABILITY] Interlock exploited Cisco FMC flaw CVE-2026-20131 before public disclosure
Amazon Threat Intelligence said Interlock ransomware operators exploited CVE-2026-20131 in Cisco’s Secure Firewall Management Center beginning on January 26, 36 days before Cisco publicly disclosed the bug on March 4.
04:03 [THREAT ACTOR] DarkSword iPhone exploit chain used in watering-hole attacks against Ukrainians
Lookout Threat Labs uncovered and reported on DarkSword, a full iOS exploit chain and infostealer targeting iPhones running iOS 18.4 through 18.6.2, while Recorded Future noted the exploit chain was used by a likely Russia-linked actor tracked as UNC6353 against Ukrainian users.
05:18 [THREAT ACTOR] North Korea-linked WATERPLUM uses VS Code auto-run to deploy STOATWAFFLE
CyberSecurityNews, citing NTT Security research, reports that North Korea-linked WATERPLUM deployed a new modular malware framework named STOATWAFFLE through malicious Visual Studio Code repositories disguised as legitimate blockchain projects.
Dive deeper:
Kroll’s Monthly Threat Intelligence Spotlight Report: https://www.kroll.com/en/reports/cyber/threat-intelligence-reports/cti-spotlight-trends-report
Kroll’s Q4 2024 Cyber Threat Landscape: https://www.kroll.com/en/reports/cyber/threat-intelligence-reports/q4-2024-threat-landscape-report-phishing
Kroll’s 2025 Cyber Threat Landscape Report: Cybercrime in the Crypto Era: https://www.kroll.com/Reports/Cyber/Threat-Intelligence-Reports/Threat-Landscape-Report-Lens-on-Crypto
Playlist of Kroll's Weekly Cyber Threat Intelligence Briefings: https://www.youtube.com/playlist
Kroll Cyber Blog: https://www.kroll.com/en/insights/cyber
Kroll Cyber Threat Intelligence: https://www.kroll.com/en/services/cyber/threat-intelligence-services
Kroll Threat Intelligence Reports: https://www.kroll.com/en/reports/cyber/threat-intelligence-reports
Kroll Responder MDR: https://www.kroll.com/en/services/cyber/kroll-responder
#krollcyber #threatintelligence #cyberthreats