Weekly Cyber Briefing 27.03.2026

Weekly Cyber Update: 27 March 2026

A sophisticated supply chain attack compromises Trivy; firms are urged to patch two Citrix flaws; prompt poaching attacks surge; and Tycoon2FA is back up and running

The Cyber Threat Intelligence Briefing is a weekly round-up of the latest cybersecurity news, trends and indicators, curated by our CISO, Nick Harris. Here’s our pick of the top stories, and why you should care.


Attackers target Trivy with infostealing malware

Prolific threat actor TeamPCP is targeting the software supply chain of the popular vulnerability scanner Trivy to steal enterprise secrets. Researcher Paul McCarty warned that Trivy version 0.69.4 had been backdoored, with container images and GitHub releases loaded with infostealer malware. The same group subsequently pushed malicious Docker images after hijacking the GitHub organisation of Trivy developer Aqua Security.

Why it matters

Trivy is designed to find secrets and vulnerabilities in CI/CD pipelines, providing TeamPCP with a potential treasure trove to raid.

Assured’s recommended action

Treat every secret touched by a Trivy scan between March 19 and March 24 as compromised and rotate it immediately. Audit your GitHub organisation for unauthorised public repositories named “tpcp-docs”; a repository by that name indicates successful exfiltration.
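Both checks above can be scripted against the GitHub REST API. The script below is an added example, not code from the briefing or from Aqua Security/Trivy. It assumes a token with read access to the organisation in the GITHUB_TOKEN environment variable, uses the real endpoints GET /orgs/{org}/repos and GET /repos/{owner}/{repo}/actions/runs, takes the exposure window (19 to 24 March 2026, UTC) and the “tpcp-docs” repository name from the briefing, and treats “a run whose workflow name or path mentions trivy” as a constructed heuristic for which pipelines touched secrets. The sample records at the bottom are constructed so the logic can be exercised offline.

```python
import json
import os
import urllib.request
from datetime import datetime, timezone

# Indicator named in the briefing: an unauthorised public repo called "tpcp-docs".
EXFIL_REPO_NAME = "tpcp-docs"
# Exposure window named in the briefing (UTC, 19 March through 24 March inclusive).
WINDOW_START = datetime(2026, 3, 19, tzinfo=timezone.utc)
WINDOW_END = datetime(2026, 3, 25, tzinfo=timezone.utc)  # exclusive upper bound


def github_get(url, token):
    """Fetch one page of a GitHub REST endpoint and return the parsed JSON."""
    req = urllib.request.Request(url, headers={
        "Accept": "application/vnd.github+json",
        "Authorization": f"Bearer {token}",
    })
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def fetch_org_repos(org, token):
    """Page through GET /orgs/{org}/repos (all visibilities) and return the records."""
    repos, page = [], 1
    while True:
        batch = github_get(
            f"https://api.github.com/orgs/{org}/repos?type=all&per_page=100&page={page}", token)
        if not batch:
            return repos
        repos.extend(batch)
        page += 1


def fetch_workflow_runs(owner, repo, token):
    """Fetch recent Actions runs for one repo via GET /repos/{owner}/{repo}/actions/runs."""
    data = github_get(
        f"https://api.github.com/repos/{owner}/{repo}/actions/runs?per_page=100", token)
    return data.get("workflow_runs", [])


def parse_github_time(value):
    """Parse GitHub's ISO-8601 timestamps (e.g. "2026-03-20T10:15:00Z") as aware UTC datetimes."""
    return datetime.fromisoformat(value.replace("Z", "+00:00")).astimezone(timezone.utc)


def find_exfil_repos(repos):
    """Return (full_name, visibility) for every repo whose name matches the indicator.

    Matching is case-insensitive and ignores visibility so that a renamed or
    since-privated copy is still surfaced for review.
    """
    hits = []
    for r in repos:
        if r.get("name", "").lower() == EXFIL_REPO_NAME:
            hits.append((r["full_name"], "private" if r.get("private") else "public"))
    return hits


def trivy_runs_in_window(runs, keyword="trivy"):
    """Return created_at stamps of runs inside the exposure window that look like Trivy scans.

    Heuristic (assumption): the workflow name or file path contains the keyword.
    Every secret available to these runs should be treated as compromised.
    """
    stamps = []
    for run in runs:
        label = f"{run.get('name', '')} {run.get('path', '')}".lower()
        if keyword not in label:
            continue
        ts = parse_github_time(run["created_at"])
        if WINDOW_START <= ts < WINDOW_END:
            stamps.append(run["created_at"])
    return stamps


# Constructed sample records in the shape the API returns, for offline use.
SAMPLE_REPOS = [
    {"name": "website", "full_name": "example-org/website", "private": False},
    {"name": "tpcp-docs", "full_name": "example-org/tpcp-docs", "private": False},
    {"name": "TPCP-Docs", "full_name": "example-org/TPCP-Docs", "private": True},
]
SAMPLE_RUNS = [
    {"name": "Trivy scan", "path": ".github/workflows/trivy.yml", "created_at": "2026-03-18T23:59:00Z"},
    {"name": "Trivy scan", "path": ".github/workflows/trivy.yml", "created_at": "2026-03-20T10:15:00Z"},
    {"name": "Unit tests", "path": ".github/workflows/ci.yml", "created_at": "2026-03-21T08:00:00Z"},
    {"name": "Container build", "path": ".github/workflows/trivy-image.yml", "created_at": "2026-03-24T23:30:00Z"},
    {"name": "Trivy scan", "path": ".github/workflows/trivy.yml", "created_at": "2026-03-25T00:00:00Z"},
]

if __name__ == "__main__":
    token, org = os.environ.get("GITHUB_TOKEN"), os.environ.get("GITHUB_ORG")
    if token and org:
        repos = fetch_org_repos(org, token)
        print("exfil indicator repos:", find_exfil_repos(repos))
        for r in repos:
            owner, name = r["full_name"].split("/", 1)
            hits = trivy_runs_in_window(fetch_workflow_runs(owner, name, token))
            if hits:
                print(f"{r['full_name']}: rotate secrets used by runs at {hits}")
    else:
        print("exfil indicator repos:", find_exfil_repos(SAMPLE_REPOS))
        print("runs in window:", trivy_runs_in_window(SAMPLE_RUNS))
```

Run it with GITHUB_TOKEN and GITHUB_ORG set to audit a live organisation; without them it evaluates the constructed sample data. The run list tells you which workflows, and therefore which repository or environment secrets, need rotating; the repository check is a post-exfiltration indicator, so an empty result does not by itself mean secrets were not taken.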


Tycoon2FA phishing platform back online after police disruption

A popular phishing-as-a-service (PhaaS) tool has come back online just days after a major law enforcement operation aimed at disrupting it. Daily campaigns associated with Tycoon2FA had dropped to 25% of pre-disruption levels after police seized 330 domains. However, daily cloud compromises linked to the tool have since rebounded, said CrowdStrike, highlighting the difficulties facing law enforcement.

Why it matters

The platform is a key cog in the cybercrime supply chain, enabling threat actors to use adversary-in-the-middle techniques to bypass MFA. Microsoft said it has been responsible for tens of millions of phishing messages reaching over 500,000 organisations each month globally. In doing so, it helps facilitate Google/Microsoft account takeovers and business email compromise.

Assured’s recommended action

Move to phishing-resistant MFA, using FIDO2/WebAuthn hardware-based keys or passkeys. To contain a potential intrusion, revise access policies to apply the principle of least privilege.


“Prompt poaching” report raises fears over GenAI usage in the enterprise

Security researchers have warned of an uptick in so-called “prompt poaching” attacks involving malicious Google Chrome extensions. The add-ons in question are sometimes spoofed to appear as genuine tools (such as those by developer AITOPIA) designed to help users chat with their favourite LLMs. Alternatively, they are introduced as harmless extensions, and malicious code is inserted by the developer once user numbers have grown.

Why it matters

The malicious extensions are designed to secretly monitor and exfiltrate users’ AI conversations, amplifying the security and compliance risks of employees using public chatbots. Some have accrued hundreds of thousands of downloads.

Assured’s recommended action

Run a strict allowlist model for use of AI chatbots and related extensions to minimise the attack surface. Update user awareness programmes to communicate the dangers of sharing corporate information with public LLMs. Provide “safe” managed alternatives with enterprise-grade protections.


NCSC urges firms to patch Citrix ADC/Gateway appliances

The NCSC has urged UK organisations to patch two vulnerabilities in Citrix NetScaler ADC and NetScaler Gateway without delay. CVE-2026-3055 is a critical out-of-bounds read flaw which could enable unauthenticated remote attackers to steal session tokens and other sensitive information. CVE-2026-4368 is a race condition bug which could lead to user session mix-ups.

Why it matters

CVE-2026-3055 has been likened to the infamous Citrix Bleed zero-day exploits which are still being used by threat actors in attacks today. Experts have warned customers to expect in-the-wild exploitation soon. Edge devices are particular favourites of ransomware groups and other threat actors.

Assured’s recommended action

Follow the advice in the Citrix advisory to upgrade any impacted appliances immediately. If you’re concerned about compromise, terminate all active sessions after patching and rebooting.
