Originally reported by The Hacker News, Qualys, SANS ISC, MSRC Security Updates
TL;DR
Microsoft's March Patch Tuesday addresses 84 vulnerabilities, including two publicly known zero-days, while concurrent supply chain attacks target the npm and Rust ecosystems. Active campaigns exploit FortiGate devices, and router botnets demonstrate continued targeting of network infrastructure.
Microsoft's Patch Tuesday includes two publicly known zero-days among 84 vulnerabilities, while active supply chain attacks leverage the nx npm package compromise and FortiGate devices are being exploited in live campaigns.
Microsoft released patches for 84 security vulnerabilities in March Patch Tuesday, including two that are publicly known. The update addresses eight critical and 76 important severity flaws. The vulnerability breakdown shows 46 privilege escalation issues, 18 remote code execution flaws, 10 information disclosure vulnerabilities, and additional categories.
The presence of publicly known vulnerabilities indicates these issues may already be under active research or limited exploitation, making immediate patching critical for enterprise environments.
Mandiant researchers documented how threat actor UNC6426 leveraged stolen keys from the nx npm package supply chain compromise to achieve complete cloud environment breach within 72 hours. The attack chain began with theft of a developer's GitHub token, which the attacker used to gain unauthorized cloud access and exfiltrate data.
This case demonstrates the cascading impact of supply chain compromises, where initial package-level access can rapidly escalate to full infrastructure compromise through credential theft and lateral movement.
Socket researchers identified five malicious Rust crates masquerading as time-related utilities to steal .env file data. The packages chrono_anchor, dnp3times, time_calibrator, time_calibrators, and time-sync were published to crates.io between late February and early March 2026.
These crates impersonate timeapi.io and specifically target developer environments to extract sensitive configuration data, highlighting the ongoing threat to open source package repositories across multiple ecosystems.
Security researchers report a new campaign targeting FortiGate Next-Generation Firewall appliances as network entry points. Attackers exploit recently disclosed vulnerabilities or weak credentials to extract configuration files containing service account credentials and network topology information.
This campaign represents a shift toward targeting network infrastructure devices as initial access vectors, leveraging their privileged network position and often-delayed patch cycles.
Lumen's Black Lotus Labs discovered KadNap malware targeting Asus routers to build a proxy botnet. First detected in August 2025, the malware has infected over 14,000 devices, with more than 60% of victims located in the United States.
The botnet's proxy functionality enables threat actors to route malicious traffic through compromised home and small business routers, complicating attribution and detection efforts.
Tenable researchers disclosed nine cross-tenant vulnerabilities in Google Looker Studio, collectively named LeakyLooker. These flaws could have allowed attackers to execute arbitrary SQL queries on victims' databases and exfiltrate data within Google Cloud environments.
While no evidence of exploitation exists, the vulnerabilities highlight risks in multi-tenant cloud services where improper isolation can lead to cross-customer data exposure.
Several new CVEs were published, including:
CVE-2026-0866: "Zombie Zip" vulnerability under analysis by SANS researchers
CVE-2026-26030: Remote code execution in Microsoft Semantic Kernel Python SDK's InMemoryVectorStore filter functionality
CVE-2026-21262: SQL Server elevation of privilege vulnerability allowing network-based privilege escalation
CVE-2026-25166: Windows System Image Manager remote code execution through deserialization of untrusted data
Additional CVEs affect CoreDNS, libssh, binutils, MariaDB, and various system components, representing a broad attack surface across enterprise infrastructure.