This Week's Top Five Stories in Cyber
Inside TeamPCP's Sophisticated Supply Chain Attack on Trivy
On 19 March 2026, a major cybersecurity incident involving Aqua Security’s Trivy sent shockwaves across the industry.
Trivy, a popular open source vulnerability scanner, was hijacked in a multi-phase supply chain attack that targeted sensitive credentials within CI/CD pipelines, planted persistent backdoors and even seeded a self-propagating worm.
For context, CI (continuous integration) refers to the automated building and testing of code, while CD (continuous delivery or deployment) automates the release of software into production. Such pipelines routinely hold deployment credentials such as cloud keys and registry tokens, which is why a tool that runs inside them is an attractive target.
Ory Segal, Technical Evangelist at Cortex Cloud, Palo Alto Networks, notes on his LinkedIn: “Trusted security tooling became a credential-harvesting weapon, enabling a cascading breach across environments.
“We should also highlight that this Trivy supply chain attack appears to have been a root from which additional attacks are emerging in the last few days and we believe that we are not completely over this attack campaign.”
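Because the Trivy incident turned a trusted CI security tool into a credential harvester, the first check a pipeline owner wants is whether every third-party step in a workflow is pinned to an immutable commit SHA rather than a mutable tag or branch. The block below is an added example, not code from the page, from Aqua or from the Trivy project: it assumes the tool is consumed as a GitHub Actions step (the page does not say how Trivy was distributed to victims), and the workflow text, the action names and the SHA in it are constructed for illustration.

```javascript
// Added example (not from the page, Aqua or Trivy): audit a GitHub Actions
// workflow for third-party steps that are not pinned to a full commit SHA.
// A tag or branch (v4, main) can be repointed if the upstream is compromised;
// a 40-hex SHA cannot. The workflow text below is constructed for this example.
const SAMPLE_WORKFLOW = `
name: scan
on: [push]
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-go@0123456789abcdef0123456789abcdef01234567 # constructed SHA
      - uses: example-org/scanner-action@main
      - uses: ./.github/actions/local-step
      - uses: docker://alpine:3.20
      - run: echo scanning
`;

const FULL_SHA = /^[0-9a-f]{40}$/;

// Extract the reference from every `uses:` line, with its 1-based line number.
function parseUses(workflowText) {
  const refs = [];
  workflowText.split('\n').forEach((line, idx) => {
    const m = line.match(/^\s*-?\s*uses:\s*([^\s#]+)/);
    if (m) refs.push({ ref: m[1], line: idx + 1 });
  });
  return refs;
}

// Classify each reference. Local actions (./path) live in the repository and
// are skipped; docker:// images count as pinned only when given by digest.
function auditPins(workflowText) {
  const findings = [];
  for (const { ref, line } of parseUses(workflowText)) {
    if (ref.startsWith('./')) continue;
    let status;
    if (ref.startsWith('docker://')) {
      status = ref.includes('@sha256:') ? 'pinned' : 'unpinned';
    } else {
      const at = ref.lastIndexOf('@');
      status = at !== -1 && FULL_SHA.test(ref.slice(at + 1)) ? 'pinned' : 'unpinned';
    }
    findings.push({ line, ref, status });
  }
  return findings;
}

// Convenience for a CI gate: the references that should block a merge.
function unpinnedRefs(workflowText) {
  return auditPins(workflowText)
    .filter((f) => f.status === 'unpinned')
    .map((f) => f.ref);
}

for (const f of auditPins(SAMPLE_WORKFLOW)) {
  console.log(`${f.status.padEnd(8)} line ${f.line}: ${f.ref}`);
}
```

Pinning by SHA only removes the mutable-reference problem; it does not help if the pinned commit itself was planted by the attacker, so pair it with a review of what the pinned commit contains and with least-privilege tokens for the job.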
Was FBI Director Kash Patel Hacked by Iranian Bad Actors?
“Today, once again, the world witnessed the collapse of America’s so-called security legends,” reads the website of the Iranian hacktivist group Handala Hack.
The group published a series of personal images linked to FBI Director Kash Patel, boasting that his name was now “among the list of successfully hacked victims”.
The images – now spreading across social media – are stamped with the threat group’s watermark and show Patel sniffing a cigar, posing with alcohol and standing beside a jet.
Alongside the nine released pictures was a sample of more than 300 work-related and personal emails dated between 2010 and 2019.
The hacking, the group claims, was in retaliation for the FBI’s seizure of Handala-linked domains. The bureau had also offered a reward of US$10m for information on members linked to the group.
Why F5's BIG-IP APM Flaw Results in 'Cybersecurity Roulette'
When it comes to patching up holes in security, there is no time to waste.
The National Cyber Security Centre (NCSC) has issued a stark warning to UK organisations following the escalation of a serious vulnerability in F5 BIG-IP Access Policy Manager (APM).
Now classified as an unauthenticated remote code execution (RCE) flaw, CVE-2025-53521 presents a high-risk scenario, particularly as active exploitation has already been observed in the wild.
BIG-IP APM is widely deployed across large enterprises to manage secure access to applications and networks. Its prevalence makes this vulnerability especially concerning, as attackers may have a broad attack surface to target.
Initially disclosed with a lower severity and remediated as a denial-of-service (DoS) issue, the vulnerability has now been reclassified by F5 as an unauthenticated RCE issue. Organisations that deprioritised the original DoS-rated fix should treat it as an emergency patch now, since the risk of the same flaw has changed even though the fix has not.
Explained: The Source Code Leak that hit AI Giant Anthropic
In a significant setback, Anthropic’s flagship coding platform has found itself at the centre of a cybersecurity storm after its internal workings were inadvertently exposed.
The leak of the source code behind Claude Code was not triggered by a malicious attack but by what the company described as a simple “human error”.
Claude Code, Anthropic’s leading AI-powered development tool, is widely used to transform ideas into working applications with minimal manual coding. It forms part of the broader Claude AI ecosystem, which serves more than 300,000 enterprise customers.
The incident effectively handed developers, security researchers and the wider internet a rare window into the architecture of a high-profile AI product.
A post on X containing a live link to the exposed code quickly gained traction, drawing millions of views.
GTIG: How Did North Korean Hackers Compromise Axios?
North Korean cyber attackers have surfaced again.
In yet another incident involving the active compromise of the software supply chain this year, Axios – a popular npm package that is widely used by developers for handling HTTP requests – was subject to tampering by bad actors.
Researchers at Google Threat Intelligence Group (GTIG) have linked the incident to a North Korea-nexus threat actor, tracked as UNC1069.
Also known by aliases such as CryptoCore and MASAN, UNC1069 is a financially motivated, state-sponsored threat actor linked to North Korea that has been active since at least 2018.
At the heart of the campaign is the compromise of a trusted open-source dependency, one that has more than 100 million weekly downloads.
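Because a compromised package can be pulled in transitively as well as directly, the practical first check after a story like this is which versions of the dependency a lockfile actually resolves, and whether each entry carries an integrity hash that npm will verify on install. The block below is an added example, not code from the page, from GTIG or from the Axios project: it parses a constructed package-lock.json in the lockfileVersion 2/3 layout, and takes a caller-supplied list of versions to flag, because the page names no affected versions and none are assumed here.

```javascript
// Added example (not from the page, GTIG or Axios): find every resolved copy
// of a package in an npm lockfile (lockfileVersion 2/3 "packages" map), report
// its version, whether it came from the public registry, and whether it has an
// integrity hash. The lockfile below is constructed; hashes are placeholders.
const SAMPLE_LOCK = JSON.stringify({
  name: 'demo-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', dependencies: { axios: '^1.0.0', 'some-sdk': '^2.0.0' } },
    'node_modules/axios': {
      version: '1.6.0',
      resolved: 'https://registry.npmjs.org/axios/-/axios-1.6.0.tgz',
      integrity: 'sha512-constructedhash0001==',
    },
    'node_modules/some-sdk': {
      version: '2.1.0',
      resolved: 'https://registry.npmjs.org/some-sdk/-/some-sdk-2.1.0.tgz',
      integrity: 'sha512-constructedhash0002==',
    },
    // Nested copy pulled in by some-sdk; no integrity field, so npm has
    // nothing to verify the tarball against.
    'node_modules/some-sdk/node_modules/axios': {
      version: '1.7.2',
      resolved: 'https://registry.npmjs.org/axios/-/axios-1.7.2.tgz',
    },
  },
});

const REGISTRY = 'https://registry.npmjs.org/';

// Derive the package name from a lockfile path: the segment after the last
// "node_modules/", which keeps scoped names such as @scope/name intact.
function nameFromPath(path) {
  const marker = 'node_modules/';
  const i = path.lastIndexOf(marker);
  return i === -1 ? path : path.slice(i + marker.length);
}

// Return one record per resolved copy of `name` anywhere in the tree.
function findPackage(lockText, name) {
  const lock = JSON.parse(lockText);
  if (!lock.packages) throw new Error('lockfileVersion 1 layout not handled');
  const hits = [];
  for (const [path, entry] of Object.entries(lock.packages)) {
    if (path === '') continue; // root project entry
    if ((entry.name || nameFromPath(path)) !== name) continue;
    hits.push({
      path,
      version: entry.version,
      hasIntegrity: typeof entry.integrity === 'string',
      fromRegistry: typeof entry.resolved === 'string' && entry.resolved.startsWith(REGISTRY),
    });
  }
  return hits;
}

// Flag copies that match a caller-supplied list of tampered versions, or that
// lack an integrity hash, or that resolve outside the public registry.
function flagCopies(hits, badVersions) {
  return hits.filter((h) => badVersions.includes(h.version) || !h.hasIntegrity || !h.fromRegistry);
}

const copies = findPackage(SAMPLE_LOCK, 'axios');
for (const c of copies) console.log(`${c.path}: ${c.version} integrity=${c.hasIntegrity}`);
```

To run this against a real project, replace SAMPLE_LOCK with the contents of its package-lock.json and pass the versions named in the applicable advisory to flagCopies; a hit with no integrity field is worth fixing regardless of the advisory, since `npm ci` cannot detect a swapped tarball for it.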