Weekly Cybersecurity Roundups Highlighting Government Campaigns, Nation-State Activity, and Emerging Vulnerabilities
Multiple weekly cybersecurity roundups and newsletters highlighted a mix of policy, threat, and vulnerability developments rather than a single discrete incident. UK government messaging featured prominently, including a campaign urging businesses to “lock the door” against cyber criminals and publication of longitudinal survey results indicating most organizations continue to experience cyber incidents (with reported rates in the 70–80% range across businesses and charities). Separately, commentary from European security circles emphasized growing calls for offensive cyber capabilities (“strike back”) amid concerns about Russian aggression and sabotage activity across Europe, including references to cyber operations targeting critical infrastructure.
Threat reporting in the same period emphasized escalating nation-state and proxy activity against critical infrastructure and the defense industrial base, citing research that espionage groups (including ones linked to China, Russia, and North Korea) have compromised organizations by exploiting zero-day vulnerabilities in internet-facing edge devices such as VPN appliances and gateways. Additional reporting pointed to newly identified OT-focused threat groups (e.g., Sylvanite, Azurite, Pyroxene) and a broad set of emerging technical risks and product security changes: discussion of an OpenSSL RCE risk, Foxit 0-days, analysis of LockBit 5.0 ransomware techniques (ETW tampering, process hollowing, and event-log clearing, all defense-evasion steps that degrade endpoint telemetry before and during encryption), and Android platform security changes such as deprecating cleartext traffic defaults and adding HPKE support.
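The roundup names LockBit 5.0's ETW tampering and log clearing without showing what those techniques leave behind in telemetry. The Python detection below is added here as an illustration; it is not from the page, from the cited bulletin, or from any published LockBit analysis. It runs over a handful of constructed Sysmon- and Security-log-style events (not real telemetry; field names, hostnames and user names are assumptions) and flags the observable traces of both techniques: Windows Security 1102 / System 104 "log cleared" records, wevtutil and Clear-EventLog command lines, logman or Set-EtwTraceProvider usage, and an ETW autologger Start value set to 0. Process hollowing leaves no comparable log artifact and needs memory- or API-level telemetry, so it is deliberately out of scope.

```python
import re

# Constructed sample events in a flattened Sysmon/Security-like shape (not real telemetry).
# Host, user and timestamps are assumptions made for this example.
SYSMON = "Microsoft-Windows-Sysmon/Operational"
SAMPLE_EVENTS = [
    {"ts": "2026-02-20T03:14:05Z", "host": "ws07", "channel": SYSMON, "event_id": 1,
     "image": r"C:\Windows\System32\wevtutil.exe",
     "command_line": "wevtutil.exe cl Security", "user": "CORP\\svc-backup"},
    {"ts": "2026-02-20T03:14:06Z", "host": "ws07", "channel": "Security", "event_id": 1102,
     "user": "CORP\\svc-backup"},
    {"ts": "2026-02-20T03:14:09Z", "host": "ws07", "channel": SYSMON, "event_id": 1,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": 'powershell.exe -nop -w hidden -c "Clear-EventLog -LogName Application,System"',
     "user": "CORP\\svc-backup"},
    {"ts": "2026-02-20T03:14:12Z", "host": "ws07", "channel": SYSMON, "event_id": 13,
     "image": r"C:\Windows\regedit.exe",
     "target_object": r"HKLM\System\CurrentControlSet\Control\WMI\Autologger\EventLog-Security\Start",
     "details": "DWORD (0x00000000)", "user": "CORP\\svc-backup"},
    # Benign: an admin querying the log, and a normal logon. Neither should fire.
    {"ts": "2026-02-20T08:00:00Z", "host": "ws07", "channel": SYSMON, "event_id": 1,
     "image": r"C:\Windows\System32\wevtutil.exe",
     "command_line": "wevtutil.exe qe Security /c:5 /rd:true /f:text", "user": "CORP\\it-admin"},
    {"ts": "2026-02-20T08:00:01Z", "host": "ws07", "channel": "Security", "event_id": 4624,
     "user": "CORP\\it-admin"},
]

# Native "log was cleared" records: Security 1102 and System 104.
LOG_CLEARED = {("Security", 1102), ("System", 104)}

# Command-line signatures for clearing logs (Sysmon event 1, process create).
CLEAR_CMD = [
    ("wevtutil clear-log", re.compile(r"\bwevtutil(\.exe)?\s+(cl|clear-log)\b", re.I)),
    ("PowerShell Clear-EventLog", re.compile(r"\bClear-EventLog\b", re.I)),
    ("WMI ClearEventLog", re.compile(r"\bnteventlog\b.*\bcleareventlog\b", re.I)),
]
# Command-line signatures for stopping or reconfiguring ETW sessions/providers.
ETW_CMD = [
    ("logman trace stop/delete", re.compile(r"\blogman(\.exe)?\s+(stop|delete)\b", re.I)),
    ("Set-EtwTraceProvider", re.compile(r"\bSet-EtwTraceProvider\b", re.I)),
]
# Sysmon event 13 (registry value set): disabling an ETW autologger by setting Start=0.
AUTOLOGGER_START = re.compile(r"\\WMI\\Autologger\\[^\\]+\\Start$", re.I)


def classify(ev):
    """Return (technique, reason) for a suspicious event, or None if it looks benign."""
    key = (ev.get("channel"), ev.get("event_id"))
    if key in LOG_CLEARED:
        return ("log_clearing", f"{ev['channel']} event {ev['event_id']}: event log cleared")
    if ev.get("channel") != SYSMON:
        return None
    if ev["event_id"] == 1:
        cmd = ev.get("command_line", "")
        for name, rx in CLEAR_CMD:
            if rx.search(cmd):
                return ("log_clearing", f"{name}: {cmd}")
        for name, rx in ETW_CMD:
            if rx.search(cmd):
                return ("etw_tampering", f"{name}: {cmd}")
    elif ev["event_id"] == 13:
        target = ev.get("target_object", "")
        if AUTOLOGGER_START.search(target) and "0x00000000" in ev.get("details", ""):
            return ("etw_tampering", f"ETW autologger disabled via registry: {target}")
    return None


def detect(events):
    """Run classify() over a list of events and return one finding per hit, in input order."""
    findings = []
    for ev in events:
        hit = classify(ev)
        if hit:
            findings.append({"ts": ev["ts"], "host": ev["host"], "user": ev.get("user"),
                             "technique": hit[0], "reason": hit[1]})
    return findings


def summarize(findings):
    """Per-host set of techniques seen. Two distinct techniques on one host in a short
    window is the signal worth paging on; a lone wevtutil call is often an admin."""
    by_host = {}
    for f in findings:
        by_host.setdefault(f["host"], set()).add(f["technique"])
    return {h: sorted(t) for h, t in by_host.items()}


if __name__ == "__main__":
    hits = detect(SAMPLE_EVENTS)
    for f in hits:
        print(f"{f['ts']} {f['host']} {f['user']} [{f['technique']}] {f['reason']}")
    print(summarize(hits))
```

The registry check only fires on a zero Start value, because legitimate management tooling writes the same key with other values; tuning for a real estate means adding allow-lists for backup and log-forwarding agents that call wevtutil on a schedule.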

How this story unfolded
12 events from the most recent confirmed update back to the earliest known activity.
npm token compromise used to ship malicious CLI update
A compromised npm token was reportedly used to publish a malicious command-line tool update, underscoring software supply-chain risk. The incident was cited in a roundup focused on current developer ecosystem threats.
U.S. law enforcement disrupts North Korea-linked laptop farm scheme
Authorities took action against a “laptop farm” operation that allegedly supported North Korean fraudulent IT worker activity. The case was highlighted as part of broader efforts to counter DPRK cyber-enabled revenue generation.
UNC6201 reportedly exploits Dell RecoverPoint zero-day
A suspected PRC-linked cluster tracked as UNC6201 was reported exploiting a Dell RecoverPoint zero-day and deploying multiple malware families. The disclosure added a new intrusion set and exploitation vector to current nation-state activity reporting.
Researchers link APT28 to spearphishing using spoofed Spanish government lures
Threat intelligence reporting described an alleged APT28 spearphishing campaign using macro-laced documents that spoofed Spanish government content. The activity was presented as part of ongoing nation-state operations across Europe.
UK officials reiterate need for stronger business cyber hygiene
UK government and NCSC messaging emphasized improving cyber hygiene for businesses, alongside survey findings that most UK organizations continue to experience cyber incidents. The statements were highlighted in a weekly government security summary.
Poland detains suspect tied to Phobos and 8Base investigations
Authorities in Poland detained an individual in connection with investigations into Phobos and 8Base cybercrime activity. The arrest was cited in multiple weekly roundups as a notable law-enforcement development.
Researchers report active exploitation of critical Ivanti EPMM flaws
Security reporting said critical remote code execution vulnerabilities in Ivanti Endpoint Manager Mobile were being actively exploited in the wild. Later roundup coverage also noted evidence that exploitation began before patches were released.
CISA adds GitLab SSRF vulnerability to KEV catalog
CISA added a GitLab server-side request forgery flaw to its Known Exploited Vulnerabilities catalog, signaling that defenders should prioritize remediation. The listing was noted as part of active exploitation and response activity.
Microsoft fixes Copilot bug that exposed DLP-protected email content
Microsoft remediated a Copilot issue that allowed access to email content protected by data loss prevention labels. The fix was highlighted in a weekly security roundup as a notable platform security response.
European and NATO officials push for more offensive cyber retaliation
European and NATO officials were reported to be increasingly calling for offensive cyber capabilities to “strike back” at adversaries, driven largely by Russian aggression and sabotage activity across Europe. The discussion reflects a policy shift toward considering cyber retaliation as part of Europe’s response toolkit.
Google and OpenAI highlight growing concern over AI distillation attacks
Reporting said Google and OpenAI are warning that “distillation” or model-extraction attacks are being used to copy proprietary AI model behavior. The disclosures framed model theft as an emerging security and policy issue for major AI providers.
OpenAI warns of AI model extraction attempts linked largely to China
OpenAI said adversaries are attempting to steal proprietary model behavior through large-scale querying and that much of the activity appears to originate from China. It also named DeepSeek as trying to circumvent its countermeasures and called for U.S. government support to protect frontier AI firms.
Sources
CTO at NCSC Summary: week ending February 22nd (ctoatncsc.substack.com)
News brief: Nation-state hackers active on the global stage, TechTarget (techtarget.com)
ThreatsDay Bulletin: OpenSSL RCE, Foxit 0-Days, Copilot Leak, AI Password Flaws & 20+ Stories (thehackernews.com)
Srsly Risky Biz: Europe's Cyber Bullets Can't Replace Political Will (news.risky.biz)