This Week in Cyber: Developer Tools Turned Against You, 340 Companies Breached, and the AI Audit Blind Spot Nobody's Talking About
The thread connecting this week's biggest stories is trust — specifically, the dangerous habit of trusting things simply because they've been trusted before. The TeamPCP supply chain attacks weaponized security tools that developers trust implicitly. The Microsoft 365 phishing campaign abused a legitimate Microsoft login feature. The Cisco ransomware attackers exploited a flaw that defenders trusted their vendor to disclose promptly. In each case, attackers didn't break through the front door — they walked through a side entrance that everyone assumed was safe.
On the compliance front, the Department of Justice dropped its first unified Corporate Enforcement Policy, and the SEC had what analysts are diplomatically calling a "busy month." Translation: the rules governing how companies disclose incidents, manage AI, and handle investigations just shifted — and the window between "announced" and "enforced" is getting uncomfortably short. If your compliance calendar is still running on last year's assumptions, this week is a good time to recalibrate.
And then there's the AI governance time bomb quietly ticking in the background. A new Cloud Security Alliance study found that 68% of organizations can't tell the difference between a human and an AI agent acting on their systems. Regulators absolutely can tell the difference — and they expect you to as well. That gap between expectation and reality is exactly where enforcement actions are born.
The Big Stories
Your Security Tools Are Now the Attack
TeamPCP compromised Trivy (a widely-used security scanner), Checkmarx's code scanning tools, and an AI library called LiteLLM — turning them into credential-harvesting weapons. The attack also deployed a self-spreading worm that wiped data on systems with Iranian settings, which means this isn't just espionage. It's sabotage. If your development team uses automated security scanning in their build pipelines, your cloud credentials and internal secrets may already be gone.
Why it matters: Trusted tools don't stay trusted forever. Your team needs to audit every third-party tool in your build pipeline — today. Read more →
340 Companies Breached Through a Legitimate Microsoft Login
Since February 2026, attackers have compromised Microsoft 365 accounts at over 340 organizations across the US, Canada, Australia, New Zealand, and Germany. The method: abusing a real Microsoft feature called "device code authentication" to steal account access without ever needing a password. Once inside, they have full access to email, files, Teams chats — everything. The login prompt looks completely legitimate because it is one.
Why it matters: Conditional access policies need to explicitly block device code flow for most users. If your IT team hasn't done this, it's this week's fire drill. Read more →
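One way for an IT team to run that check, as an added example that is not part of the original newsletter: the script audits an export of Conditional Access policies for an enforced rule that blocks device code flow. The policy names and group ID are constructed sample data; the field names follow the Microsoft Graph conditionalAccessPolicy schema.

```python
# Constructed sample in the shape of a Microsoft Graph export of
# /identity/conditionalAccess/policies; names and the group ID are made up.
SAMPLE_POLICIES = [
    {"displayName": "Block device code flow",
     "state": "enabledForReportingButNotEnforced",
     "conditions": {
         "users": {"includeUsers": ["All"],
                   "excludeGroups": ["kiosk-devices-group-id"]},
         "applications": {"includeApplications": ["All"]},
         "authenticationFlows": {"transferMethods": "deviceCodeFlow"}},
     "grantControls": {"operator": "OR", "builtInControls": ["block"]}},
    {"displayName": "Require MFA for all users",
     "state": "enabled",
     "conditions": {
         "users": {"includeUsers": ["All"]},
         "applications": {"includeApplications": ["All"]}},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
]

def targets_device_code_block(policy):
    """True if the policy is scoped to device code flow and its control is 'block'."""
    cond = policy.get("conditions") or {}
    flows = (cond.get("authenticationFlows") or {}).get("transferMethods") or ""
    controls = (policy.get("grantControls") or {}).get("builtInControls") or []
    return "deviceCodeFlow" in [f.strip() for f in flows.split(",")] and "block" in controls

def audit(policies):
    """Return findings; an empty list means the flow is blocked for every user."""
    findings = []
    candidates = [p for p in policies if targets_device_code_block(p)]
    if not any(p.get("state") == "enabled" for p in candidates):
        findings.append("no enforced policy blocks device code flow")
    for p in candidates:
        name = p.get("displayName", "<unnamed>")
        users = (p.get("conditions") or {}).get("users") or {}
        if p.get("state") != "enabled":
            # Report-only policies log what they would block but stop nothing.
            findings.append(f"{name}: state is {p.get('state')}, not enforced")
        if "All" not in (users.get("includeUsers") or []):
            findings.append(f"{name}: does not include all users")
        excluded = (users.get("excludeUsers") or []) + (users.get("excludeGroups") or [])
        if excluded:
            findings.append(f"{name}: {len(excluded)} exclusion(s) to justify")
    return findings

if __name__ == "__main__":
    for line in audit(SAMPLE_POLICIES):
        print("FINDING:", line)
```

On the sample data this reports that the only blocking policy is still in report-only mode and carries one exclusion, which is the common state after a policy is drafted but never switched on.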
Ransomware Gang Knew About the Cisco Flaw Before You Did
The Interlock ransomware group exploited a perfect 10-out-of-10 severity flaw in Cisco's enterprise firewall software — weeks before Cisco publicly disclosed it. No password required. Full system control. Cisco has now released patches, but organizations that haven't applied them are still sitting ducks. The fact that attackers knew first means some businesses were compromised before defense was even theoretically possible.
Why it matters: If your organization uses Cisco Secure Firewall Management Center, patch immediately. This is not a "schedule it for next sprint" situation. Read more →
DOJ Now Has One Unified Policy for Charging Your Company
The Department of Justice published its first-ever unified Corporate Enforcement Policy — a single framework that governs how prosecutors decide whether to criminally charge a company versus offer a deferred prosecution agreement. The good news: it's more transparent. The complicated news: there's still significant room for prosecutorial discretion, and the policy puts enormous weight on whether you self-reported an incident and how cooperative you were. Your incident response playbook just became a legal document.
Why it matters: Brief your board on this framework now. Self-disclosure thresholds and response protocols need to be reviewed before you're in a situation where they matter. Read more →
68% of Organizations Can't Tell Humans from AI Bots in Their Own Systems
A Cloud Security Alliance study released at RSAC 2026 found that while 73% of organizations expect AI agents to be mission-critical within a year, 68% cannot distinguish AI agent activity from human activity in their systems. That means audit trails, access logs, and incident investigations all have a massive blind spot. Regulators — including the SEC and data protection authorities — expect you to know exactly who or what accessed sensitive data and when. "We couldn't tell it was the bot" will not hold up.
Why it matters: Check whether your identity governance tools can flag and log AI agent activity separately from human activity. If they can't, that's your most urgent AI governance gap right now. Read more →
Tax Season Phishing Just Hit 29,000 People — More Coming
Microsoft is warning about a large phishing campaign using fake IRS refund notices, payroll forms, and tax professional requests to trick employees into installing remote access malware. Attackers who succeed get full control of the victim's computer. A separate campaign is using fake tax-related Google Ads to deliver malware that disables security software before striking. With tax deadlines approaching, urgency is the weapon.
Why it matters: Send a company-wide reminder this week: the IRS does not initiate contact by email. Any tax-related email asking for clicks or downloads should go straight to your IT security team. Read more →
The SEC Had a Very Busy Month. Your Compliance Team Hasn't Caught Up Yet.
The SEC crammed a significant number of major policy shifts — enforcement priorities, disclosure expectations, and guidance updates — into the past few weeks. The pace of change is itself the story. What was acceptable 60 days ago may not be today, and the window between announcement and enforcement keeps shrinking. Public companies and investment product managers are most exposed, but the ripple effects reach further.
Why it matters: Schedule a compliance review of your current SEC-related disclosures and controls this quarter. Don't wait for your annual cycle. Read more →
Quick Hits by Category
Security Watch
Apple Patches 85 Vulnerabilities — Update Everything Now
Apple pushed a major security update across iPhones, iPads, Macs, Apple Watch, and Apple TV fixing 85 vulnerabilities. Separately, older iPhones are being actively targeted by exploit kits that can steal everything on your device just by visiting a malicious website. This one is simple: update your Apple devices today. Read more →
FBI Dismantles Four Botnets That Hijacked 3 Million Devices
US, Canadian, and German authorities jointly took down four botnets — named Aisuru, Kimwolf, JackSkid, and Mossad — that collectively controlled 3 million hijacked routers, cameras, and internet-connected devices. They were sold as paid attack services capable of knocking virtually any target offline. The good guys won this round. Read more →
Russian Hackers Are Now Coming for Signal and WhatsApp
The FBI and CISA (the government's cybersecurity agency) issued a joint warning that Russian intelligence-linked hackers are running phishing campaigns to hijack Signal and WhatsApp accounts. Targets are high-value individuals with access to sensitive government or business information. The attack uses convincing fake login pages and group invite links. Read more →
Fake Palo Alto Networks Recruiters Ran a 7-Month Job Scam
Scammers posed as recruiters from cybersecurity firm Palo Alto Networks for seven months, using LinkedIn data to craft highly personalized fake job offers that stole credentials and money. AI-assisted social engineering is making these attacks dangerously convincing. If your company name is being used as bait, your brand and your employees are both at risk. Read more →
Privacy Pulse
FCC Bans New Foreign-Made Consumer Routers Over Security Concerns
The FCC (the agency that regulates communications technology) has banned the import of new foreign-made consumer routers — predominantly Chinese-made brands — citing national security risks. New models of affected brands will no longer be available for sale in the US. If your offices use consumer-grade routers from affected brands, start planning replacements. Read more →
Disgruntled Data Analyst Stole Payroll Database, Demanded $2.5M in Bitcoin
A data analyst who lost his contract stole the entire company payroll database and sent an extortion demand from a company he named "Loot." He was caught. The case is a textbook example of why offboarding procedures — including immediate data access revocation — are not optional. Read more →
Your AI Policy Needs a Maintenance Schedule, Not a Launch Party
AI governance experts are warning that most enterprise AI policies are written once and then forgotten. As AI use cases multiply and regulations evolve, a static policy becomes a liability. Step one: inventory all AI use cases in your organization and classify them by risk level — not at next year's review, but now. Read more →
Compliance Corner
NIST's AI Security Framework Is Being Rewritten — Weigh In Now
NIST (the government body that sets security standards) is incorporating workshop feedback into the next draft of its AI Cybersecurity Framework Profile. This framework influences SOC 2, FedRAMP, and many enterprise security requirements. If your organization uses AI systems, engage with the draft process before it's finalized and becomes a requirement you had no hand in shaping. Read more →
NIST IoT Security Workshop on March 31 — Connected Device Makers Should Attend
NIST is holding a two-day workshop on the future of its IoT (Internet of Things — connected devices) security program. If you make, sell, or deploy connected devices, the standards coming out of this workshop will eventually become customer requirements. Better to shape them than scramble to meet them. Read more →
Measles Is Back — And Your Workplace Health Policies Probably Haven't Kept Up
With 14 measles outbreaks reported in 2026, compliance teams are being reminded that many workplace health policies were written for COVID-era circumstances and never updated. OSHA-related exposure is real if your policies don't reflect current public health realities. A quick policy review now beats an enforcement action later. Read more →
The Bottom Line
This week's theme is inherited trust — and how attackers are exploiting it systematically. Security tools, legitimate login features, trusted vendors, and even your own former employees are all vectors right now. The organizations getting hit aren't the ones who ignored security. They're the ones who trusted the right things at the wrong time.
If you do one thing this week: Have your IT team audit every third-party tool in your software development pipeline and verify the Cisco Secure Firewall patch has been applied. Those two actions address the highest-severity, actively-exploited risks on the board right now.
Looking ahead: NIST's AI framework is moving toward finalization, the DOJ's new enforcement policy is already in effect, and tax season phishing campaigns will intensify through April. The organizations that treat compliance as a living practice — not a once-a-year checkbox — are the ones that won't be in next week's newsletter as a cautionary tale.