Cyber Intelligence Weekly

Cyber Intelligence Weekly (March 29, 2026): Our Take on Three Things You Need to Know

By Dan Desko
Posted on Mar 29 / 2026

Welcome to our weekly newsletter where we share some of the major developments on the future of cybersecurity that you need to know about. Make sure to follow my LinkedIn page as well as Echelon’s LinkedIn page to receive updates on the future of cybersecurity!

To receive these and other curated updates to your inbox on a regular basis, please sign up for our email list here: https://echeloncyber.com/ciw-subscribe

Before we turn to this week’s edition of Cyber Intelligence Weekly, I want to introduce a new Personal Spotlight Series: The Human Side of Cybersecurity.

This series is grounded in conversation rather than commentary. It centers on CISOs and other cyber leaders who are in the seat—navigating real leadership pressure, complex risk decisions, and the human realities of building and sustaining security programs. Some are earlier in their journey, others further along paths many of you may recognize or aspire toward. What they share isn’t theory. It’s experience—earned through moments of progress, frustration, growth, and reflection. These conversations are for the professionals who show up every day to quietly carry the weight of this industry.

John Scrimsher (Kontoor Brands) — “Your voice matters.”

In this episode, I sat down with John Scrimshire, CISO at Contour Brands, the company behind brands like Wrangler, Lee, and Helly Hansen. John has spent more than 30 years in cybersecurity, with experience that spans Fortune 10 enterprises, startups, and everything in between. His path into security was not part of some polished long-term master plan. It was more what he called being in the “wrong place at the right time”—stepping into problems that needed solved, saying yes to opportunities others did not want, and gradually building a career around curiosity, problem-solving, and scale.

What stood out most in our conversation was how early John learned that security is not just about defense—it is about enabling the business at scale. He talked about the era of macro viruses, Melissa, ILOVEYOU, and the early years of offensive tools like Back Orifice, and how that period pushed him to reverse engineer threats and create solutions large enough for global enterprise environments. In one example, when commercial tools were too slow to scan a massive global network, John worked with a strong security research team to build internal capability that could identify vulnerable systems in minutes instead of months. That mindset—using security knowledge to create operational advantage—is a theme that has clearly stayed with him throughout his career.

He also shared one of the most valuable leadership lessons in the interview: adaptability matters as much as expertise. John described traveling to negotiate a security agreement in a different country and initially approaching it with a Western, hard-charging style that failed. After candid feedback from a local leader, he adjusted his approach to fit the culture, built trust, and ultimately closed in six months what had previously taken years of failed attempts. It was a powerful reminder that leadership is not just about being right or knowledgeable—it is about knowing how to connect, listen, and adapt so that your message can actually land.

Additional takeaways from the conversation:

  • Some of the best security careers start by saying yes to the work nobody else wants. John’s early path was built by taking ownership of problems and figuring things out as he went.
  • Cybersecurity is one of the strongest collaboration communities in business. John’s example of the retail and hospitality ISAC showed that even fierce business competitors can still share openly to defend the industry together.
  • The biggest room in the world is the room for improvement. John actively seeks out uncomfortable feedback because that is often where the biggest growth happens.
  • Production mistakes leave lasting scars—but they also build discipline. After a firewall change knocked 30,000 machines offline, John came away with an even deeper conviction around dev environments, backout plans, and disciplined change management.
  • AI may not create entirely new risks, but it dramatically changes the velocity of risk. In John’s view, AI exposes and accelerates the risks organizations already had.
  • Take care of the human first. John is deeply focused on making sure his team knows family and health come first, because people cannot perform well when life outside work is unraveling.
  • The CISO role is broader than most younger professionals realize. It is not just blue-team defense. It includes architecture, engineering, GRC, compliance, budgeting, and resource planning.
  • Ownership is a leadership discipline. One of the books that shaped John most was Extreme Ownership, particularly the idea that if someone on your team fails, a leader needs to examine what they could have done better too.

His billboard message for every new CISO was simple but deeply resonant: Your voice matters. John’s point was not that security always gets its way. It was that CISOs cannot stop advocating, communicating, and repeating what matters just because the message takes time to land. The moment a security leader starts believing their voice no longer matters is often the moment burnout begins.

If there was one thread that ran through this conversation, it was this: the best security leaders do not just protect systems. They adapt, communicate, build trust, own the hard lessons, and keep showing up with a voice that helps the business move forward

Watch the Full Interview Here: https://www.youtube.com/watch?v=eTFFLjoHUgk&t

Echelon Thought Leadership Highlight

MSPs aren’t always required to get CMMC Level 2 certified - but depending on how they touch CUI, they might be in scope.

This resource breaks down when MSPs fall under certification requirements, why it matters, and what questions to ask before assuming you’re out of scope: https://lnkd.in/ePhG-jAA

 

Away we go!

1. The Trivy Supply Chain Attack: A Wake-Up Call for DevSecOps

Over the past week, we’ve been watching a supply chain incident unfold that should make every engineering and security leader pause. What started as a compromise of Trivy, a widely used open-source container security scanner made by Aqua Security, has quickly cascaded into something much bigger, impacting over a thousand SaaS environments and potentially many more. At its core, this wasn’t just a vulnerability. It was a breach of trust inside the very tools organizations rely on to keep their pipelines secure.

The initial access appears to have come from stolen personal access tokens, likely harvested by an automated, AI-assisted bot. From there, attackers were able to push malicious container images and manipulate GitHub Actions workflows by force-updating version tags, essentially weaponizing normal developer behavior. Anyone pulling what looked like a legitimate security tool update could unknowingly execute a credential-stealing payload. That payload, now widely referred to as TeamPCP, didn’t just grab a few secrets, it went deep, scraping cloud metadata, developer credentials, webhook tokens, and anything else it could find before quietly exfiltrating it.

What makes this incident particularly concerning is how quickly it spread beyond its original foothold. Researchers have already tied downstream compromises to ecosystems like Docker Hub, npm, PyPI, and Kubernetes environments. In one case, a widely used Python library tied to AI workflows was backdoored and distributed at massive scale. In another, a worm-like component began propagating itself through developer packages by stealing tokens and reinfecting new environments. This is the modern supply chain reality, once an attacker gets into the pipeline, they don’t stop at one target. They ride the trust relationships outward.

If there’s one takeaway here, it’s that traditional perimeter thinking doesn’t apply to CI/CD anymore. Your build pipeline is now part of your attack surface, and in many cases, it’s one of the most privileged environments you have. The immediate priorities are clear: pin dependencies to immutable versions, aggressively rotate credentials (including developer tokens), audit workflows that can be triggered from untrusted sources, and assume that anything dynamically pulled into your pipeline could be compromised. Because in this case, the tool meant to find risk became the risk itself.

When Your Security Tool Becomes the Entry Point

One of the most urgent cloud-adjacent issues this week centers on a critical vulnerability in widely deployed firewall management infrastructure. The flaw allows attackers to gain unauthenticated, remote access with full administrative control—and it’s already being actively exploited in the wild, including by ransomware operators.

What makes this especially concerning is where the vulnerability sits. Firewall management platforms often act as a central control plane for hybrid and cloud-connected environments. Compromising this layer doesn’t just provide access to a single system—it can give attackers visibility and control across cloud workloads, segmentation policies, and traffic flows.

What This Looks Like in the Real World

Recent investigations show attackers:

  • Exploiting exposed management interfaces to gain initial access
  • Deploying remote access tools and persistence mechanisms
  • Pivoting into cloud-connected environments (Azure, AWS, SaaS) • Modifying firewall rules to allow long-term access or data exfiltration

In some cases, this has led to full environment compromise within hours, especially where firewall systems are integrated with identity and cloud orchestration layers.

Patches & Immediate Actions

There are no viable workarounds—patching is the only fix. If you haven’t already:

  • Identify all instances of affected firewall management systems
  • Apply vendor patches immediately (treat as active incident response)
  • Restrict management interface exposure (no public internet access)
  • Rotate credentials and API keys tied to these systems
  • Review logs for unusual admin activity or configuration changes

The Bottom Line

Cloud security isn’t just about protecting workloads—it’s about protecting the control planes that manage them. If an attacker owns your management layer, they don’t need to “break into” your cloud—they can simply reconfigure it.

2. Cyber Fallout from Geopolitics: What Unit 42 Is Seeing Right Now

If you step back and look at the latest intelligence from Palo Alto’s Unit 42 team, this isn’t just an uptick in cyber activity, it’s a coordinated surge that mirrors what’s happening in the physical world. In the immediate aftermath of the February strikes, more than 60 hacktivist groups mobilized almost overnight, many aligned with Iranian or pro-Russian interests, forming what appears to be a loosely coordinated cyber front. What’s important here is the speed. This wasn’t a slow build, it was near-instant activation, which tells you these groups were either prepared in advance or able to organize at a pace we haven’t historically seen.

At the tactical level, Unit 42 is seeing a multi-pronged approach to cyber operations. On one end of the spectrum, there’s widespread phishing, everything from fake mobile apps to impersonated government portals, designed to harvest credentials and deploy malware. On the other, there are disruptive campaigns like DDoS attacks, website defacements, and early-stage destructive activity, including wiper-style attacks. The blend of these tactics matters. It’s not just about stealing data or knocking systems offline, it’s about creating noise, confusion, and psychological pressure at scale.

What stands out most is how accessible these operations have become. Unit 42 notes that many of these campaigns are being carried out not just by sophisticated nation-state actors, but by loosely affiliated groups and proxies, often leveraging shared tooling, AI-assisted phishing, and pre-built infrastructure. In other words, the barrier to entry is dropping. You don’t need a top-tier offensive capability anymore to participate in a geopolitical cyber campaign—you just need access to the ecosystem.

From a business perspective, this is where things get real. Unit 42’s findings reinforce something we’ve been telling clients for a while: cyber risk doesn’t scale linearly with geopolitical events—it spikes. And when it does, attackers don’t just target governments, they go after enterprises, supply chains, and critical infrastructure. The practical takeaway is simple but critical: tighten identity controls, double down on phishing resilience, validate backups, and assume that anything internet-facing is now a potential target. Because when cyber becomes a proxy for conflict, everyone’s in scope.

AI Tools Are Becoming the New Supply Chain Attack Surface

This week highlighted a growing risk in AI adoption: developer-focused AI tools introducing new execution paths attackers can exploit. Recent vulnerabilities in an AI coding assistant platform showed how malicious configuration files could trigger remote code execution and API key theft—before a user even approves access.

The issue stems from how these tools ingest and trust project-level configurations. By embedding malicious instructions into configuration files, attackers can hijack the AI tool’s behavior—executing commands, redirecting API traffic, or exfiltrating sensitive data.

What This Looks Like in the Real World

We’re already seeing early-stage attack patterns:

  • A developer clones a repository → hidden config file loads automatically
  • AI tool executes embedded commands → local system access gained
  • API keys are redirected to attacker-controlled endpoints
  • Stolen credentials are then used to access cloud environments or models

This creates a direct bridge between AI tooling and cloud compromise.

Patches & Defensive Moves

Vendors have responded by:

  • Requiring explicit user approval before executing commands or network calls
  • Blocking automatic execution from untrusted directories
  • Improving visibility into configuration-driven actions

But organizations need to go further:

  • Treat AI configuration files as untrusted code
  • Run AI tools in sandboxed or restricted environments
  • Use short-lived, scoped API keys wherever possible
  • Scan repositories for malicious configs before use • Educate developers on risks tied to AI-assisted workflows

The Bottom Line

AI is accelerating development—but it’s also expanding your attack surface in ways traditional security controls don’t yet see. If your developers are using AI tools, your risk model needs to evolve from “code security” to “execution path security.”

3. Infinity Stealer: New macOS Malware Uses Fake CAPTCHA to Trick Users

A newly discovered macOS malware campaign is challenging long-held assumptions about Apple’s relative immunity to commodity cyber threats. The malware, dubbed Infinity Stealer, is being delivered through a clever social engineering tactic known as “ClickFix,” where victims are tricked into believing they are completing a routine CAPTCHA verification. Instead, they are instructed to paste and execute a command in their terminal—effectively bypassing many of the operating system’s built-in safeguards.

Once executed, the attack chain unfolds quickly and quietly. The initial command pulls down a secondary payload, removes macOS security restrictions, and launches a compiled binary designed to evade detection. Unlike traditional Python-based malware, this variant is compiled into a native macOS executable using a toolchain that makes analysis significantly more difficult. The result is a more stealthy and resilient payload that blends in with legitimate system processes.

From there, Infinity Stealer begins harvesting sensitive data at scale. Researchers observed the malware extracting browser credentials, macOS Keychain entries, cryptocurrency wallet data, and even plaintext secrets stored in developer files. It can also capture screenshots and package the collected information for exfiltration to attacker-controlled infrastructure, often notifying operators in real time when a compromise is complete. Notably, the malware includes checks to avoid running in sandboxed or virtualized environments, further complicating detection efforts.

The campaign highlights a broader shift in attacker behavior: rather than relying solely on technical exploits, adversaries are increasingly combining user manipulation with advanced tooling to achieve their goals. For organizations, this serves as a reminder that endpoint security is only as strong as user behavior. Even the most secure platforms can be undermined if users are convinced to execute commands they don’t fully understand.

Thanks for reading!

About us: Echelon is a full-service cybersecurity consultancy that offers wholistic cybersecurity program building through vCISO or more specific solutions like penetration testing, red teaming, security engineering, cybersecurity compliance, and much more! Learn more about Echelon here: https://echeloncyber.com/about

Are you ready to get started?