Top Cybersecurity Incidents March 2026: iOS Exploit Leaks and Supply Chain Hacks
In March 2026, two powerful iOS exploit kits hit the dark web: Coruna and DarkSword. Coruna, built by L3Harris for U.S. government contracts, chains together 5 exploits across 23 vulnerabilities, targeting iOS versions from 13 to 17.2.1. The kit borrows components from the "Triangulation Operation," sharing the same framework and kernel exploit code. According to Kaspersky Lab, it's an upgraded Triangulation chain with four brand-new exploits.
Coruna went from a Five Eyes government project through APT groups to Chinese cybercriminals. L3Harris insiders anonymously confirmed its legitimacy: Coruna was an internal codename for the component. The leak stemmed from a top executive, Peter Williams, selling off exploits.
DarkSword targets iOS 18.4–18.7 with a six-vulnerability chain, including three zero-days. It swiftly extracts data and wipes its tracks. Both kits signal a maturing market: government vendors → gray-market sellers → APTs → street crime.
Supply Chain Compromises: Libraries and Source Code Leaks
The popular Axios library on npm (versions 1.14.1 and 0.30.4) was compromised on March 31. Attackers hijacked a maintainer's account via a ClickFix attack in Microsoft Teams, injecting a remote access trojan (RAT) for macOS, Windows, and Linux. The malicious publish bypassed GitHub Actions CI/CD checks. The malware was pulled within hours, but infections spread instantly. With 100 million weekly downloads, the risk is massive.
Anthropic's Claude Code leaked via a sourcemap in an npm package: 500K lines of TypeScript. The code exposes advanced features like self-healing memory to dodge context window limits, background agents, and disguising AI in open-source commits. Fake GitHub forks popped up with Vidar and GhostSocks malware masquerading as unlocked versions—up to 793 forks.
Cisco lost source code from ~300 repositories after a Trivy compromise. The vulnerability scanner breach granted access to CI/CD credentials, AWS accounts, and developers' machines. It hit unreleased products, AI projects, and client repos from banks and government agencies.
- Scale of Impact:
1. Axios: Instant infections due to its massive popularity.
2. Claude Code: Competitors dissecting the code, malware lurking in forks.
3. Cisco: AI code and client data exposed.
4. Trivy: Systemic risk to software supply chains.
High-Profile Breaches and Regulatory Shifts
FBI Director Kasha Patel's email was hacked by the Iranian group Handala via an old Gmail account lacking 2FA and reusing passwords. The dump includes correspondence and photos from before his appointment. The U.S. slapped a $10 million bounty on the hackers.
Brazil's new age-verification law forces platforms and OSes to implement checks. Linux distros like ArchLinux32 and MidnightBSD are blocking Brazilian IP access or banning it in licenses. GrapheneOS flat-out refused data collection. The law mandates APIs to share age data with app stores, raising major privacy red flags.
The U.S. banned imports of foreign routers over security concerns, slapping restrictions on vendors' shipments.
Key Takeaways
- Coruna and DarkSword leaks show how government exploits trickle down to the dark web: from APTs to widespread crime.
- Axios and Trivy compromises highlight npm and CI/CD weaknesses—stolen tokens and ClickFix attacks as prime entry points.
- Source code leaks (Claude Code, Cisco) speed up reverse-engineering and malware in repos.
- Regulations (Brazil, U.S.) are reshaping OS development and hardware supply chains.
- Attacks on big targets (FBI) exploit basics like no 2FA.
— Editorial Team
No comments yet.