This Week in Cybersecurity: We All Need a Little St. Patrick's Day Luck

A busy week for patch management and supply chain defenders alike — and not exactly the pot of gold at the end of the rainbow. 

Google rushed out an emergency Chrome update to address two zero-days already being exploited in the wild, while a sophisticated malware campaign quietly poisoned hundreds of Python repositories by rewriting their Git history. 

Below is a concise roundup of the most important cybersecurity developments from the past seven days — what happened, and why it matters.

Google patches two Chrome zero-days being actively exploited

Google issued an emergency out-of-band update to Chrome this week after confirming that two high-severity vulnerabilities — CVE-2026-3909 and CVE-2026-3910, both rated 8.8 on the CVSS scale — were already being exploited in the wild. The first flaw is an out-of-bounds write vulnerability in Skia, the open-source 2D graphics library Chrome uses to render web content and UI elements.

The second is an inappropriate implementation bug in V8, Chrome's JavaScript and WebAssembly engine, which could allow a remote attacker to execute arbitrary code inside the browser's renderer sandbox via a crafted HTML page (code running there still needs a separate sandbox-escape bug to reach the host). Both vulnerabilities were discovered internally by Google on March 10 and patched within two days. CISA added both to its Known Exploited Vulnerabilities catalog on March 13, setting a deadline of March 27 for federal agencies to apply the fixes.

Why it matters: These are Chrome's second and third actively weaponized zero-days in 2026 alone. Browser-based zero-days are among the most dangerous in circulation: all an attacker needs is for a target to visit a malicious or compromised page. With Chrome running on an estimated 3.8 billion devices, the window between a fix shipping and broad exploitation is extremely short, since attackers can diff the patch to reconstruct the bug. Consider this your lucky reminder: Chrome only applies a downloaded update when it relaunches, so if your browser is prompting a restart, don't wait.

GlassWorm expands to GitHub, silently poisoning hundreds of Python repositories

A sprawling and active supply chain campaign came into sharper focus this week. Researchers at StepSecurity revealed that the GlassWorm threat actor — which has been compromising VS Code and Cursor extensions since October 2025 — has expanded its reach with a new attack vector dubbed ForceMemo. Using GitHub credentials stolen by GlassWorm malware lurking in malicious IDE extensions, the attackers gained access to hundreds of developer accounts and injected obfuscated malicious code into Python files including setup.py, main.py, and app.py.

The technique is particularly difficult to detect: the attackers rewrite (amend) the latest legitimate commit with a malicious version and force-push it to the default branch, preserving the original commit message, author name, and author date. The only visible traces are a changed committer date and, as with any rewritten commit, a new commit hash: details that are easy to miss in a git log or a GitHub commit list. The campaign has been active since at least March 8 and was still ongoing at time of publication. Aikido Security separately confirmed a parallel wave that compromised over 151 GitHub repositories using invisible Unicode characters to hide payloads, with both campaigns sharing the same Solana-based command-and-control infrastructure.

Why it matters: ForceMemo is notable not just for its scale but for its evasion. Rewrites to Git history that look legitimate are exactly the kind of compromise that slips past routine code review, especially when the rewritten commit carries a trusted author name and an old author date. Any developer running pip install against a repository, or cloning and executing its code, could trigger the malware, since setup.py runs at install time. Organizations should audit and rotate GitHub access tokens, enforce branch protection rules that block force-pushes to default branches, pin Git-sourced dependencies to a commit hash rather than a branch name, and verify the integrity of recently updated dependencies before installing them.
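The following is an added example written for this roundup; it is not code from StepSecurity, Aikido, or the campaign itself. It shows the two triage checks a practitioner would run over a freshly fetched repository for the tricks described above: flagging commits whose committer date drifted from the author date (the residue an amend-and-force-push leaves), detecting that a previously recorded tip hash has vanished from the branch history (a force-push rather than a fast-forward), and scanning source text for zero-width, bidi and other invisible Unicode characters of the kind used to hide payloads. The git log invocation quoted in the docstring, the sample log records and the sample source are all constructed for illustration; the field separator and the one-hour skew threshold are assumptions, not campaign indicators.

```python
"""Triage checks for rewritten Git history and hidden Unicode in source.

Added example, not code from StepSecurity, Aikido, or the campaign. The log
parser assumes commit metadata produced by this (assumed) invocation on a
fresh fetch:

    git log -n 50 --format='%H%x1f%an%x1f%aI%x1f%cn%x1f%cI%x1f%s' origin/main

The sample log and sample source below are constructed for illustration.
"""
from datetime import datetime, timedelta
import unicodedata

FIELD_SEP = "\x1f"  # ASCII unit separator: cannot collide with names or subjects

# Constructed sample: tip commit a1b2c3 was amended and force-pushed (author
# name, author date and subject untouched, committer date moved two days on).
# 0718aa is a legitimate rebase-merge, which leaves the same kind of skew.
SAMPLE_LOG = "\n".join([
    FIELD_SEP.join(["a1b2c3", "Alice Maintainer", "2026-03-07T10:15:00+00:00",
                    "Alice Maintainer", "2026-03-09T02:41:13+00:00", "Fix packaging metadata"]),
    FIELD_SEP.join(["d4e5f6", "Alice Maintainer", "2026-03-06T09:00:00+00:00",
                    "Alice Maintainer", "2026-03-06T09:00:00+00:00", "Bump version"]),
    FIELD_SEP.join(["0718aa", "Bob Contributor", "2026-03-01T08:30:00+00:00",
                    "Alice Maintainer", "2026-03-02T08:30:00+00:00", "Merge pull request #12"]),
])

# Constructed sample source with zero-width characters and a bidi override.
SAMPLE_SOURCE = "import os\nTOKEN = 'x'\u200b\u200b + '\u200d'\ndef run():\u202e  # reversed\n    pass\n"


def parse_log(text):
    """Turn the custom-format git log into a list of commit dicts, newest first."""
    commits = []
    for line in text.splitlines():
        if not line.strip():
            continue
        sha, author, adate, committer, cdate, subject = line.split(FIELD_SEP, 5)
        commits.append({
            "sha": sha,
            "author": author,
            "author_date": datetime.fromisoformat(adate),
            "committer": committer,
            "committer_date": datetime.fromisoformat(cdate),
            "subject": subject,
        })
    return commits


def suspicious_rewrites(commits, max_skew=timedelta(hours=1)):
    """SHAs whose committer timestamp drifted from the author timestamp.

    `git commit --amend` keeps %an, %aI and %s but stamps a fresh %cI, which is
    the residue described for ForceMemo. Rebases and rebase-merges leave the same
    skew, so hits are candidates for review, not proof of compromise.
    """
    return [c["sha"] for c in commits
            if c["committer_date"] - c["author_date"] > max_skew]


def history_rewritten(previous_tip, commits):
    """True when the tip recorded at last review is gone from the fetched history.

    A fast-forward push keeps the old tip as an ancestor; a force-push of an
    amended commit does not, even though message and author date look unchanged.
    Pinning the SHA (lock file, CI variable) catches what date heuristics miss.
    """
    return previous_tip not in {c["sha"] for c in commits}


BIDI_CONTROLS = set("\u202a\u202b\u202c\u202d\u202e\u2066\u2067\u2068\u2069")
HANGUL_FILLERS = set("\u115f\u1160\u3164\uffa0")  # category Lo but render blank
VARIATION_SELECTOR_RANGES = ((0xFE00, 0xFE0F), (0xE0100, 0xE01EF))  # category Mn


def hidden_unicode(source):
    """(line, column, codepoint, name) for characters that render invisibly or
    reorder displayed text: zero-width spaces/joiners, BOMs, soft hyphens and tag
    characters (all category Cf), bidi controls, Hangul fillers, variation selectors."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        for col, ch in enumerate(line, 1):
            cp = ord(ch)
            if (unicodedata.category(ch) == "Cf"
                    or ch in BIDI_CONTROLS
                    or ch in HANGUL_FILLERS
                    or any(lo <= cp <= hi for lo, hi in VARIATION_SELECTOR_RANGES)):
                findings.append((lineno, col, f"U+{cp:04X}",
                                 unicodedata.name(ch, "<unnamed>")))
    return findings


if __name__ == "__main__":
    commits = parse_log(SAMPLE_LOG)
    print("committer/author skew:", suspicious_rewrites(commits))
    print("old tip 9f9f9f still present:", not history_rewritten("9f9f9f", commits))
    for finding in hidden_unicode(SAMPLE_SOURCE):
        print("hidden char:", finding)
```

Run against the constructed sample, the skew check returns both a1b2c3 (the amended tip) and 0718aa (a legitimate rebase-merge), which is the point: timestamp skew narrows the review to a handful of commits, while the pinned-hash check and the Unicode scan give a definite answer. In CI the pinned SHA would come from a lock file or a previously recorded value, and the scan would be run over every file touched by a recent commit, not just setup.py.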

Microsoft's March Patch Tuesday fixes 82 vulnerabilities including one zero-day

Microsoft released its March 2026 Patch Tuesday update on March 10, addressing 82 vulnerabilities across Windows, Microsoft Office, Azure, SQL Server, and .NET. The luck of the draw wasn't great this month: the release includes CVE-2026-21262, the sole confirmed zero-day in this update, which Microsoft has not publicly attributed to a specific threat actor. Eight vulnerabilities received Microsoft's highest Critical rating, including two remote code execution flaws in Microsoft Office, a Critical RCE in the Devices Pricing Program with a CVSS score of 9.8, and multiple SharePoint Server vulnerabilities that represent high-value targets in enterprise environments.

Elevation of privilege flaws account for the largest share of this month's patches at 56%, with notable entries affecting the Windows Kernel, Windows SMB Server, and the Azure Connected Machine Agent. A .NET denial-of-service vulnerability was also marked as publicly disclosed, meaning its details were public before the fix shipped.

Why it matters: With an active zero-day and a publicly disclosed vulnerability in the same release, this month's Patch Tuesday carries above-average urgency. The Office RCE flaws in particular are a priority for any organization where users regularly open documents from external sources — a description that fits nearly every enterprise.

Russia-linked APT deploys new DRILLAPP backdoor against Ukrainian targets

Researchers disclosed this week that a Russia-linked advanced persistent threat group has been deploying a previously undocumented backdoor, dubbed DRILLAPP, in a campaign targeting Ukrainian organizations. The malware is designed for covert surveillance and persistent access, consistent with the long-running pattern of Russian cyber operations against Ukraine that has accompanied and outlasted periods of active kinetic conflict.

DRILLAPP provides attackers with remote access capabilities and data collection functionality, and its discovery adds to a growing catalog of novel Russian tooling developed specifically for operations in the Ukrainian theater.

Why it matters: Russia's sustained investment in novel malware against Ukrainian targets reflects a broader doctrine of using cyber operations as a persistent complement to conventional warfare. For organizations outside Ukraine, the practical concern is that tooling developed and refined in this theater has historically migrated to broader campaigns targeting NATO members, critical infrastructure, and defense supply chains.

Final thoughts

The stories this week share a common thread: attackers are going after the infrastructure developers and organizations rely on to do their jobs — browsers, code repositories, network management layers, and patching workflows. The ForceMemo campaign's abuse of Git history and the continued exploitation of Cisco SD-WAN both demonstrate an adversary mindset focused on trusted systems, not just vulnerable ones.

There's no shamrock that'll keep the threat actors away — keeping pace requires more than reactive patching; it demands scrutiny of the tools and platforms your teams depend on every day.

Check back next week for another roundup of the cybersecurity stories shaping the threat landscape.