Weekly Cyber Briefing 20.03.2026
Weekly Cyber Update: 20 March 2026
Chrome zero-day bugs get patched; Trouble for UK company directors; Glassworm returns to wreak havoc on open source supply chains; and the Interlock ransomware group circles
Google has patched two high-severity Chrome flaws which have already been exploited in zero-day attacks. Exploits for both CVE-2026-3909 and CVE-2026-3910 exist in the wild, Google said. CVE-2026-3909 is an out-of-bounds write vulnerability in the open-source 2D graphics library Skia, which could crash the browser or enable code execution. CVE-2026-3910 is an inappropriate implementation vulnerability in the V8 JavaScript and WebAssembly engine that could enable a remote attacker to execute arbitrary code within a sandbox via a crafted HTML page.
CVE-2026-3910 could be exploited in a drive-by attack to steal sensitive data from the browser, including credentials and session cookies. Both it and CVE-2026-3909 could also be chained with another exploit to achieve full admin access.
Ensure Chrome is updated to version 146.0.7680.75/76 for Windows/Mac and 146.0.7680.75 for Linux. Google says it will roll out the updates in the coming days/weeks.
Companies House has confirmed a flaw in its WebFiling service which exposed the details of five million UK businesses since October. This included directors’ home and business email addresses. The bug could have been exploited by logged-in users who opted to “file for another company”. By pressing “back” a few times during the process, they could access the other company’s dashboard.
Scammers could theoretically have used the glitch to obtain information for spear-phishing, or to alter company details in order to open credit lines and bank accounts and borrow in their name.
Check that your company details are still correct on the portal. Sign up for the Companies House “Follow” service to get real-time alerts when a document is filed or details are updated on behalf of your company. Inform directors that their PII may be used in scams.
A sophisticated open-source supply-chain campaign has returned, compromising more than 400 repositories and extensions across GitHub, npm, and VS Code. The Russian-speaking group responsible first compromises GitHub accounts to force-push malicious commits. Malicious packages and extensions are then published to npm and VSCode/OpenVSX, using invisible Unicode characters to evade detection. The goal is to covertly infect developer environments, steal sensitive credentials and potentially harvest crypto wallet data.
Compromised VS Code extensions and npm packages enable threat actors to access developer workstations, where they could steal SSH keys, cloud credentials and source code.
Consider mandating hardware security keys (YubiKeys) for developers. Audit codebases for “lzcdrtfxyqiplpd” – which indicates Glassworm infection. Look for the ~/init.json file on developer workstations (which Glassworm uses for persistence), and unusual Node.js installations in the home directory. Enforce branch protection rules in GitHub (disabling “allow force pushes”) to mitigate force-push techniques.
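A sketch of the audit described above, added here as an illustration and not taken from any vendor tooling: it sweeps a source tree for the indicator string and for long runs of invisible Unicode characters, and checks a home directory for init.json. Which code points count as "invisible", the run threshold of 8 and all function names are assumptions; the sample files are constructed.

```python
import os
import unicodedata
from pathlib import Path

MARKER = "lzcdrtfxyqiplpd"      # indicator string quoted in the briefing
PERSISTENCE_FILE = "init.json"  # ~/init.json, per the briefing
SKIP_DIRS = {".git"}            # assumption: skip VCS metadata

def is_invisible(ch):
    # Assumption: variation selectors, format (Cf) and private-use (Co) characters.
    cp = ord(ch)
    return (0xFE00 <= cp <= 0xFE0F or 0xE0100 <= cp <= 0xE01EF
            or unicodedata.category(ch) in ("Cf", "Co"))

def longest_invisible_run(text):
    best = run = 0
    for ch in text:
        run = run + 1 if is_invisible(ch) else 0
        best = max(best, run)
    return best

def scan_tree(root, min_run=8):
    """Return sorted (relative_path, reason) findings under root."""
    root, findings = Path(root), []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in SKIP_DIRS]
        for name in filenames:
            path = Path(dirpath) / name
            try:
                text = path.read_text(encoding="utf-8", errors="ignore")
            except OSError:
                continue  # unreadable file: skip rather than abort the sweep
            rel = path.relative_to(root).as_posix()
            if MARKER in text:
                findings.append((rel, "marker"))
            run = longest_invisible_run(text)
            if run >= min_run:  # long runs only, so emoji joiners do not alert
                findings.append((rel, f"invisible-run:{run}"))
    return sorted(findings)

def persistence_file_present(home):
    return (Path(home) / PERSISTENCE_FILE).is_file()

def build_sample(root):
    # Constructed sample files, not real Glassworm artefacts.
    root = Path(root)
    (root / "clean.js").write_text("const s = 'a\u200db';\n", encoding="utf-8")
    (root / "hidden.js").write_text("x('" + "\ufe00" * 12 + "');\n", encoding="utf-8")
    (root / "loader.js").write_text("var lzcdrtfxyqiplpd = 1;\n", encoding="utf-8")
```

Call `scan_tree()` on a checked-out repository or an extensions directory and `persistence_file_present(Path.home())` on each workstation; a hit is a lead for triage, not proof of infection.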
Ransomware group Interlock has been exploiting a Cisco zero-day vulnerability since late January, AWS has revealed. A detailed write-up explained that the group used CVE-2026-20131 for initial access. It’s a remote code execution (RCE) flaw in the web-based management interface of Cisco Secure Firewall Management Center (FMC) Software. Interlock then used multiple techniques, including a PowerShell script to collect details on victims’ networks; two custom remote access trojans (RATs) for persistent control; a “persistent memory-resident backdoor” (webshell); and ConnectWise ScreenConnect as a backup entry point.
Attacks are thought to be ongoing, exposing organisations running the FMC software to a potentially serious ransomware breach.
Follow AWS advice on patching, compromise assessments, ongoing detection and long-term defence in depth, including continuous threat monitoring/hunting and incident response testing.
The FCA has announced a new set of rules and guidance to give financial services firms more clarity over incident reporting. The rules cover internal cyber-related incidents and outages caused by suppliers. In-scope firms will have a single portal via which most will simply be able to submit an online form.
Financial services firms had complained that the previous incident reporting regime was unclear about what to report and what information to provide. The FCA said it will use reporting data to share insights to help firms improve cyber resilience and to provide updates during major disruptions.
Consult the FCA guidance to prepare for the new reporting regime, which will come into force on March 18, 2027. Assured response can help FCA-regulated clients prepare.