⏱️ Read Time: 6 minutes
This week’s theme is trust issues. Open-source dependencies, enterprise tooling, support platforms, mobile devices - pick your layer, someone found a way to make it stressful. The good news is none of this is subtle. The bad news is that subtle has never really been the industry standard.
“Information is the resolution of uncertainty.” - Claude Shannon
📜 Table of Contents
💥 Major Breaches & Incidents - European Commission cloud breach tied to the Trivy supply chain attack
🛠️ Emerging Threats & Vulnerabilities - Fortinet FortiClient EMS exploitation, TrueConf zero-day abuse, Axios supply-chain compromise
🕵️ Privacy Watch - WhatsApp spyware targeting, Hims & Hers support-system breach
🎯 APTs and State Sponsored Attacks - Star Blizzard’s iOS exploit kit, Russia revisiting old footholds, Zimbra exploitation against Ukraine
🤖 AI in Cyber - DeepMind maps web attack paths against AI agents
💥 Major Breaches & Incidents
☁️ EU Commission Cloud Breach Turns a Trivy Problem Into a Government-Scale Mess
The European Commission confirmed that attackers stole more than 300GB from an AWS environment supporting the Europa web hosting service after abusing an API key compromised in the Trivy supply chain attack. CERT-EU said the attackers used the stolen key to create another access key, run reconnaissance, and look for additional secrets before exfiltrating data tied to dozens of EU clients. That takes this from abstract open-source risk to a very concrete example of how a poisoned update can snowball into government cloud exposure.
👉 Key takeaway: Supply chain risk is not just a developer headache anymore - it is a direct path to cloud compromise when exposed keys and trusted tooling collide.
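The chain CERT-EU described (a leaked key minting a second key, which is then used to hunt for secrets) leaves a recognizable footprint in API audit logs. The script below is an added example, not code from the newsletter or from CERT-EU; it assumes CloudTrail-style JSON records and runs over constructed sample events with placeholder key IDs.

```python
from datetime import datetime, timedelta

# Constructed CloudTrail-style records (placeholder key IDs, not real incident data).
SAMPLE_EVENTS = [
    {"eventTime": "2026-03-30T10:00:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateAccessKey", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"userName": "ci-scanner", "accessKeyId": "AKIA_EXAMPLE_LEAKED"},
     "responseElements": {"accessKey": {"accessKeyId": "AKIA_EXAMPLE_NEW"}}},
    {"eventTime": "2026-03-30T10:02:00Z", "eventSource": "secretsmanager.amazonaws.com",
     "eventName": "ListSecrets", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"userName": "ci-scanner", "accessKeyId": "AKIA_EXAMPLE_NEW"}},
    {"eventTime": "2026-03-30T10:03:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "ListBuckets", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"userName": "ci-scanner", "accessKeyId": "AKIA_EXAMPLE_NEW"}},
    # Benign baseline: a normal key doing its usual job, no pivot through a freshly minted key.
    {"eventTime": "2026-03-30T11:00:00Z", "eventSource": "ecr.amazonaws.com",
     "eventName": "GetAuthorizationToken", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"userName": "deploy-bot", "accessKeyId": "AKIA_EXAMPLE_OK"}},
]

# API calls typical of "what else can I reach with this?" reconnaissance after a key compromise.
RECON_CALLS = {
    ("secretsmanager.amazonaws.com", "ListSecrets"),
    ("secretsmanager.amazonaws.com", "GetSecretValue"),
    ("ssm.amazonaws.com", "GetParametersByPath"),
    ("s3.amazonaws.com", "ListBuckets"),
    ("sts.amazonaws.com", "GetCallerIdentity"),
}

def parse_time(stamp):
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ")

def find_key_pivots(events, window=timedelta(hours=1)):
    """Alert when a key mints a new access key and that new key does recon within `window`."""
    minted = {}  # new key id -> (creator key id, user name, time minted)
    for e in events:
        if (e["eventSource"], e["eventName"]) == ("iam.amazonaws.com", "CreateAccessKey"):
            new_key = e.get("responseElements", {}).get("accessKey", {}).get("accessKeyId")
            if new_key:
                ident = e["userIdentity"]
                minted[new_key] = (ident.get("accessKeyId"), ident.get("userName"), parse_time(e["eventTime"]))
    alerts = []
    for e in events:
        key = e["userIdentity"].get("accessKeyId")
        if key in minted and (e["eventSource"], e["eventName"]) in RECON_CALLS:
            creator, user, minted_at = minted[key]
            if timedelta(0) <= parse_time(e["eventTime"]) - minted_at <= window:
                alerts.append({"user": user, "creator_key": creator, "new_key": key,
                               "recon": e["eventName"], "ip": e["sourceIPAddress"]})
    return alerts

if __name__ == "__main__":
    for a in find_key_pivots(SAMPLE_EVENTS):
        print(a)
```

In a real estate the same logic can be fed from CloudTrail exports or a SIEM query; the point is to chain the CreateAccessKey event to what the child key does next, since the minting alone looks routine.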
🛠️ Emerging Threats & Vulnerabilities
🚨 Fortinet EMS Flaw Is Already Being Exploited, and CISA Isn’t Sending Friendly Reminders
Singaporean authorities and CISA both warned that CVE-2026-35616 in FortiClient EMS is being exploited in the wild, with CISA giving federal agencies until Thursday to apply Fortinet’s hotfix. Researchers said the platform is widely used across governments, and watchTowr reported seeing exploitation hit honeypots on March 31. That makes this less of a theoretical patch notice and more of a very live holiday-weekend problem for security teams.
👉 Key takeaway: Treat this as an active incident-response problem, not just a routine patch cycle item.
🎥 TrueConf Zero-Day Turns Trusted Updates Into a Delivery Mechanism for Trouble
Check Point said Chinese hackers exploited CVE-2026-3502 in TrueConf against government entities in Asia by taking advantage of weak update verification in the platform. Because TrueConf is often deployed on premises by government, military, and critical infrastructure users, the trusted server-client update flow became the soft spot instead of the safety net. One tampered update path turning into code execution is exactly the kind of sentence defenders never enjoy reading.
👉 Key takeaway: When update infrastructure becomes the attack path, defenders need to think beyond endpoint compromise and toward software trust validation.
🧱 Axios Supply-Chain Attack Shows How Invisible Software Can Cause Very Visible Damage
Reuters reported that North Korea-linked hackers breached Axios by adding malicious code to an update, turning a widely used open-source HTTP library into a delivery vehicle for credential theft and follow-on attacks. Researchers said the tainted software could have reached millions of environments across macOS, Windows, and Linux before it was removed. This is what supply-chain trouble looks like when the compromised tool sits quietly underneath modern apps and web services.
👉 Key takeaway: Deep-stack dependencies may be out of sight, but they absolutely cannot stay out of your risk model.
🕵️ Privacy Watch
🛰️ WhatsApp Spyware Case Puts Commercial Surveillance Firms Back in the Spotlight
WhatsApp said an Italian surveillance company tricked around 200 people, primarily in Italy, into downloading a bogus version of the app loaded with spyware. Reuters reported the campaign was highly targeted and tied it to ASIGINT, a subsidiary of Italy-based SIO, which markets cyber intelligence tools to government and law enforcement customers. It is another reminder that commercial surveillance keeps reappearing with a new logo, a new wrapper, and the same old privacy nightmare underneath.
👉 Key takeaway: Commercial spyware is still a live operational and policy problem, and messaging platforms remain a prime delivery surface.
🩺 Hims & Hers Learns the Hard Way That Support Platforms Hold Plenty of Sensitive Data Too
Hims & Hers said attackers broke into its third-party ticketing system between February 4 and February 7 and stole support tickets containing names, contact details, and other customer-submitted personal information. TechCrunch reported the company described the incident as a social engineering attack and said medical records were not affected. That is still not a comfort blanket, because support systems in telehealth can reveal plenty about a person’s account, care context, and private life.
👉 Key takeaway: Third-party support tooling deserves the same privacy scrutiny as frontline apps, especially in health-related businesses.
🌍 APTs and State Sponsored Attacks
📱 Star Blizzard Adds iPhone Exploitation to Its Espionage Toolkit
Proofpoint said Star Blizzard adopted the DarkSword iOS exploit kit in a campaign using Atlantic Council-themed lures and emails sent from multiple compromised accounts. The targets included government, higher education, finance, legal organizations, and think tanks, which fits the group’s usual espionage profile almost too neatly. The bigger point is that mobile exploitation is not some exotic side quest anymore - it is part of the main toolkit.
👉 Key takeaway: High-risk organizations need mobile threat monitoring to stop being the thing they plan to improve “later.”
🔁 Ukraine Warns Russian Hackers Are Coming Back to Old Breaches for Seconds
CERT-UA warned that Russian hackers are returning to previously breached infrastructure to check whether access still works, whether the original vulnerabilities were patched, and whether stolen credentials remain valid. The report says this reflects a broader shift from quick smash-and-grab activity toward maintaining longer-term access for later espionage or follow-on operations. In other words, yesterday’s half-finished remediation can become tomorrow’s fresh compromise.
👉 Key takeaway: Remediation is not finished when the alert volume drops - it is finished when the original access path is actually dead.
📬 Russian APT Exploits Zimbra Again Because Old Email Weaknesses Still Pay Off
Security researchers said a Russian state-linked actor exploited CVE-2025-66376, a stored XSS flaw in Zimbra Collaboration’s Classic UI, against Ukrainian targets. The bug allowed malicious HTML email content to reference external resources or execute inline scripts when opened in a browser, creating a practical path to mailbox theft. It is not flashy tradecraft, but email access still pays extremely well in espionage, so here we are again.
👉 Key takeaway: Mature attackers do not need exotic access when known mail-platform weaknesses still open the door.
🤖 AI in Cyber
🧠 DeepMind’s AI Agent Trap Research Maps a New Web Threat Model
Google DeepMind researchers said malicious web content can set “AI Agent Traps” that manipulate autonomous agents into leaking data, promoting content, or taking actions the operator never intended. The paper maps six classes of attacks, from content injection and semantic manipulation to behavioral and human-in-the-loop traps, all built around the gap between what humans see and what agents parse. It is a useful reality check for anyone treating web-connected agents like they are just chatbots with better branding.
👉 Key takeaway: If your AI agent can browse, act, or retrieve, then hostile web content is part of your threat model whether your roadmap admits it or not.
Thanks for reading this week’s edition. Like what you see? Forward it!
Hate everything you see or have other feedback? Reply back to this email!