Brief #147: Trivy CanisterWorm, Stryker Wiper Attack, XBOW Hits $1B
Nikoloz Kokhreidze
Happy Sunday!
In this week's brief:
- Trivy CanisterWorm Supply Chain Attack: A self-spreading worm infected 47 npm packages using blockchain-based C2, harvesting developer tokens to automatically compromise entire package ecosystems. Time to audit those postinstall hooks.
- Stryker Wiper Attack: Iran-linked Handala group destroyed thousands of devices across 79 country offices, exfiltrating 50TB before detonation. When geopolitics meets inadequate segmentation, the result is total environment destruction.
- XBOW Reaches Unicorn Status: The autonomous hacker that hit #1 on HackerOne raised $120M at $1B+ valuation, backed by the creator of GitHub Copilot. Manual-only pentesting firms should be paying attention.
Threats
Trivy Supply Chain Attack Triggers Self-Spreading CanisterWorm Across 47 npm Packages
- Threat actors exploited the Trivy security scanner supply chain compromise to deploy CanisterWorm, a self-propagating malware that infected 47 npm packages across multiple scopes, using Internet Computer blockchain canisters as command-and-control dead drop resolvers.
- The worm harvests npm tokens from developer machines and automatically publishes malicious versions of packages via a self-spreading "deploy.js" script, meaning a single infected developer can compromise their entire organization's package ecosystem.
- Audit npm dependencies for unexpected postinstall hooks, rotate all npm tokens that may have been exposed, and monitor for systemd services masquerading as PostgreSQL tooling ("pgmon").
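One way to do the first of those audits, as an added example that is not code from the page or from the Trivy project: walk an install tree, read every `package.json`, and report the lifecycle scripts npm runs automatically during `npm install`. The sample tree, the package names and the "suspicious command" heuristics are constructed for the demonstration.

```python
"""Audit an npm install tree for lifecycle hooks that execute code at install time."""
import json
import os
import re
import tempfile

# npm lifecycle scripts that run automatically during `npm install`.
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Deliberately simple heuristics for hook commands that deserve a closer look
# (hypothetical list; tune it for your own environment).
SUSPICIOUS_PATTERNS = [
    re.compile(r"\bcurl\b|\bwget\b"),           # downloads at install time
    re.compile(r"node\s+-e\b"),                 # inline JavaScript passed on the command line
    re.compile(r"base64"),                      # encoded payloads
    re.compile(r"\bnode\s+\S*deploy\.js\b"),    # the self-spreading script named in the report
]


def find_lifecycle_hooks(root):
    """Return [(package_name, hook, command, suspicious)] for every package.json under root."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        if "package.json" not in filenames:
            continue
        path = os.path.join(dirpath, "package.json")
        try:
            with open(path, encoding="utf-8") as fh:
                manifest = json.load(fh)
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: skip it rather than abort the audit
        scripts = manifest.get("scripts") or {}
        name = manifest.get("name") or os.path.relpath(dirpath, root)
        for hook in INSTALL_HOOKS:
            command = scripts.get(hook)
            if not command:
                continue
            suspicious = any(p.search(command) for p in SUSPICIOUS_PATTERNS)
            findings.append((name, hook, command, suspicious))
    return findings


def build_sample_tree():
    """Create a constructed node_modules tree with three packages for the demo."""
    root = tempfile.mkdtemp(prefix="npm-audit-")
    packages = {
        "native-addon": {"name": "native-addon", "scripts": {"postinstall": "node-gyp rebuild"}},
        "plain-lib": {"name": "plain-lib", "scripts": {"test": "jest"}},
        "@scope/tainted": {"name": "@scope/tainted",          # constructed sample, not a real package
                           "scripts": {"postinstall": "node deploy.js"}},
    }
    for rel, manifest in packages.items():
        pkg_dir = os.path.join(root, "node_modules", *rel.split("/"))
        os.makedirs(pkg_dir)
        with open(os.path.join(pkg_dir, "package.json"), "w", encoding="utf-8") as fh:
            json.dump(manifest, fh)
    return root


if __name__ == "__main__":
    for name, hook, cmd, flagged in find_lifecycle_hooks(build_sample_tree()):
        print(f"{'!!' if flagged else '  '} {name}: {hook} -> {cmd}")
```

Point it at a real project's `node_modules` and review every flagged line; a build step such as `node-gyp rebuild` is expected, while a hook that downloads or runs code it did not ship with is the behaviour to investigate.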
Critical 9.8 CVSS Flaw Exposes Oracle Identity Manager to Full Remote Takeover
- Oracle issued an emergency security alert for CVE-2026-21992, a CVSS 9.8 unauthenticated remote code execution flaw in Oracle Identity Manager and Web Services Manager (versions 12.2.1.4.0 and 14.1.2.1.0) that allows complete system takeover via HTTP with no credentials required.
- Because Oracle Identity Manager controls user provisioning, role assignments, and access governance across the enterprise, a compromised instance gives attackers the ability to create admin accounts, modify access policies, and pivot into every connected system.
- Apply Oracle's emergency patches immediately, prioritize any internet-facing Identity Manager deployments, and audit identity infrastructure logs for unauthorized administrative actions or unusual REST API calls.
Iran-Linked Handala Group Wipes Thousands of Stryker Devices, 79 Country Offices Offline for Over a Week
- Pro-Iranian hacktivist collective Handala launched a destructive wiper attack against medical device giant Stryker, taking down the company's global Microsoft environment, forcing 79 country offices offline, halting production lines, and leaving thousands of employees unable to work for over a week.
- Unlike ransomware, wiper attacks destroy data with no option for recovery or negotiation, and Handala claims to have exfiltrated roughly 50 terabytes of corporate data before detonating the wiper, making this one of the largest geopolitically motivated attacks against a U.S. healthcare company.
- Organizations in sectors likely to face geopolitical targeting should validate offline backup integrity, segment critical manufacturing systems from corporate IT infrastructure, and pressure-test incident response plans that assume complete environment destruction rather than partial compromise.
CISO Lens
Pentera Study: 67% of CISOs Have Limited AI Visibility, Only 11% Deploy AI-Specific Security Tools
- Pentera's 2026 AI and Adversarial Testing Benchmark surveyed 300 U.S. CISOs and found that 67% have limited visibility into AI usage across their organization, with zero respondents reporting full visibility, while 75% still rely on legacy security controls not designed for AI environments.
- The core problem is not awareness or budget; 50% cited lack of internal expertise as the top obstacle, and only 11% have deployed AI-specific security tools, meaning most organizations are flying blind on AI risk even as deployment accelerates across every business unit.
- Start with a centralized AI inventory that maps every AI system, its data access, and its behavior patterns before investing in new tooling, since you cannot secure what you cannot see.
Russia-Linked Hacktivists Shift From DDoS to Credential-Based OT Intrusions, ICS Attacks Nearly Double
- Cyble research shows Russian-linked hacktivist groups like Cyber Army of Russia Reborn, Z-Pentest, and Sector16 have shifted from disruption-focused DDoS campaigns to credential-based intrusions targeting industrial control systems, with ICS-related attacks comprising 25% of all hacktivist operations, nearly doubling from the previous quarter.
- The techniques are disturbingly simple: password spraying, default credential exploitation, and reuse of leaked credentials from unrelated breaches to access exposed VNC services on ports 5900-5910, meaning sophisticated zero-days are not required to compromise critical infrastructure.
- Eliminate any VNC or remote access services exposed to the public internet, enforce strong authentication on all OT operator accounts, and segment IT/OT networks so that a compromised corporate credential cannot provide a path into industrial control environments.
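A detection to back up the first recommendation, added here as an example rather than anything from the Cyble research: scan firewall connection logs for allowed connections to the 5900-5910 VNC band that originate outside the organization's own address space, and flag sources that reach more than one internal host. The key=value log format, the internal ranges and the sample lines are constructed.

```python
"""Flag VNC (TCP 5900-5910) connections that reach internal hosts from outside the network."""
import ipaddress
import re
from collections import defaultdict

VNC_PORTS = range(5900, 5911)  # the port band named in the Cyble research

# The organization's own address space (assumption: plain RFC 1918 ranges).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample firewall log in a simple key=value format (hypothetical).
SAMPLE_LOG = """\
2026-03-08T02:14:01Z action=allow src=203.0.113.45 dst=10.20.5.11 dport=5900 proto=tcp
2026-03-08T02:14:03Z action=allow src=203.0.113.45 dst=10.20.5.11 dport=5900 proto=tcp
2026-03-08T02:14:07Z action=allow src=203.0.113.45 dst=10.20.5.12 dport=5901 proto=tcp
2026-03-08T02:15:00Z action=allow src=10.20.1.50 dst=10.20.5.11 dport=5900 proto=tcp
2026-03-08T02:15:30Z action=deny src=198.51.100.7 dst=10.20.5.13 dport=5900 proto=tcp
2026-03-08T02:16:00Z action=allow src=198.51.100.7 dst=10.20.5.11 dport=443 proto=tcp
2026-03-08T02:16:10Z malformed line without the expected fields
"""

LINE_RE = re.compile(r"action=(?P<action>\w+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)")


def parse_line(line):
    """Return a dict with action/src/dst/dport, or None if the line does not match."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return {"action": m["action"], "src": m["src"], "dst": m["dst"], "dport": int(m["dport"])}


def is_internal(ip):
    """True if the address falls inside the organization's own ranges."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # unparseable source: treat as external so it is surfaced for review
    return any(addr in net for net in INTERNAL_NETS)


def find_external_vnc_access(log_text):
    """Return {(src, dst, dport): count} for allowed VNC connections from external sources."""
    counts = defaultdict(int)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["action"] != "allow":
            continue
        if rec["dport"] not in VNC_PORTS or is_internal(rec["src"]):
            continue
        counts[(rec["src"], rec["dst"], rec["dport"])] += 1
    return dict(counts)


def sources_hitting_multiple_hosts(findings, threshold=2):
    """External sources that reached at least `threshold` distinct internal hosts:
    the one-credential-set-against-many-targets shape of a spraying campaign."""
    hosts = defaultdict(set)
    for src, dst, _port in findings:
        hosts[src].add(dst)
    return sorted(src for src, seen in hosts.items() if len(seen) >= threshold)


if __name__ == "__main__":
    hits = find_external_vnc_access(SAMPLE_LOG)
    for (src, dst, port), n in sorted(hits.items()):
        print(f"{src} -> {dst}:{port}  x{n}")
    print("spraying candidates:", sources_hitting_multiple_hosts(hits))
```

Any non-empty result from `find_external_vnc_access` is itself the finding: an allowed VNC session from outside the network means the service is reachable from the internet and should not be.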
UK's 1.5B Pound Jaguar Land Rover Cyber Bailout Sparks Debate on Government as Insurer of Last Resort
- The UK government issued a 1.5 billion pound loan guarantee to Jaguar Land Rover after a major cyberattack, prompting Ciaran Martin, former NCSC CEO and chair of the UK Cyber Monitoring Center, to warn this sets a dangerous precedent without clear criteria for when governments should intervene.
- Security experts argue that government bailouts create a "too important to fail" dynamic that could actually increase targeting by threat actors, while enabling underinvestment in security by organizations that assume the state will absorb catastrophic cyber losses.
- Security leaders should use this precedent to strengthen their board-level risk conversations: if your organization's cyber posture is weak enough to require a government bailout, the real failure happened long before the breach, and compulsory cyber insurance with minimum security standards may become the regulatory response.
AI & Security
Qualys Warns: MCP Servers Are the New Shadow IT, 53% Run on Static Secrets With Zero Visibility
- Qualys published research arguing that MCP servers have become a new shadow IT layer, with over 10,000 active public servers deployed in under a year and most organizations having zero visibility into where they run, what enterprise data they expose, or how AI agents can abuse them.
- Unlike traditional APIs, MCP servers sit at the intersection of natural-language reasoning and privileged execution, where capabilities are discovered dynamically and invoked autonomously by AI agents; 53% of servers rely on static secrets, creating widespread credential exposure across environments.
- Treat MCP servers as AI-driven control planes, not standard API layers: inventory all deployments across network and host levels, separate discovery privileges from invocation capabilities, and log all tool invocations with anomaly monitoring.
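The second and third recommendations in code, as an added example that is not from the Qualys research or any MCP implementation: a small gateway that keeps a separate grant for discovering a tool (seeing its schema) and for invoking it, writes every invocation attempt to an audit log, and runs a basic anomaly pass over that log. The agents, tools and baseline are hypothetical.

```python
"""Separate MCP tool discovery from invocation, audit every call, and flag anomalies."""
from collections import Counter, defaultdict
from datetime import datetime, timezone


class ToolGateway:
    """Sits between AI agents and MCP tools; nothing is callable without an explicit invoke grant."""

    def __init__(self, tools):
        self.tools = tools                          # {name: {"description": str, "handler": callable}}
        self.discover_grants = defaultdict(set)     # agent -> tools whose schema it may see
        self.invoke_grants = defaultdict(set)       # agent -> tools it may actually call
        self.audit_log = []

    def grant(self, agent, tool, *, discover=False, invoke=False):
        if tool not in self.tools:
            raise KeyError(tool)
        if discover:
            self.discover_grants[agent].add(tool)
        if invoke:
            self.invoke_grants[agent].add(tool)

    def list_tools(self, agent):
        """Discovery: return only the descriptions this agent is allowed to see."""
        return {name: self.tools[name]["description"] for name in sorted(self.discover_grants[agent])}

    def invoke(self, agent, tool, args):
        """Invocation: check the separate invoke grant, log the attempt either way, then dispatch."""
        allowed = tool in self.invoke_grants[agent]
        self.audit_log.append({
            "ts": datetime.now(timezone.utc).isoformat(),
            "agent": agent, "tool": tool, "args": args,
            "outcome": "allowed" if allowed else "denied",
        })
        if not allowed:
            raise PermissionError(f"{agent} may not invoke {tool}")
        return self.tools[tool]["handler"](**args)


def detect_anomalies(audit_log, baseline, burst_threshold=3):
    """baseline: {agent: set(tools it has historically used)}.
    Returns sorted (reason, agent, tool) tuples for denied calls, first-time tool use, and bursts."""
    alerts = set()
    per_agent_tool = Counter()
    for entry in audit_log:
        per_agent_tool[(entry["agent"], entry["tool"])] += 1
        if entry["outcome"] == "denied":
            alerts.add(("denied_invocation", entry["agent"], entry["tool"]))
        elif entry["tool"] not in baseline.get(entry["agent"], set()):
            alerts.add(("new_tool_for_agent", entry["agent"], entry["tool"]))
    for (agent, tool), n in per_agent_tool.items():
        if n >= burst_threshold:
            alerts.add(("burst", agent, tool))
    return sorted(alerts)


def run_demo():
    """Constructed scenario: a summarizer that may read but not write, and a deployer that writes."""
    tools = {
        "read_slack": {"description": "Read messages from a Slack channel",
                       "handler": lambda channel: [f"constructed message from #{channel}"]},
        "write_file": {"description": "Write text to a file on the host",
                       "handler": lambda path, content: f"would write {len(content)} bytes to {path}"},
    }
    gw = ToolGateway(tools)
    gw.grant("summarizer", "read_slack", discover=True, invoke=True)
    gw.grant("summarizer", "write_file", discover=True)            # visible, but not callable
    gw.grant("deployer", "write_file", discover=True, invoke=True)

    for channel in ("general", "finance", "legal"):
        gw.invoke("summarizer", "read_slack", {"channel": channel})
    try:
        gw.invoke("summarizer", "write_file", {"path": "/tmp/out.txt", "content": "x"})
    except PermissionError:
        pass                                                        # denied, but still logged
    gw.invoke("deployer", "write_file", {"path": "/tmp/out.txt", "content": "y"})

    baseline = {"summarizer": {"read_slack"}, "deployer": set()}
    return gw, detect_anomalies(gw.audit_log, baseline)


if __name__ == "__main__":
    gateway, alerts = run_demo()
    for alert in alerts:
        print(alert)
```

The split matters because an agent that can enumerate a tool will often try to call it; with one grant covering both, discovery silently becomes execution, and with static secrets behind the tool there is no per-call decision point at all.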
AI Agent Hacks McKinsey's Lilli Chatbot in Under 2 Hours, Exposes 46.5 Million Chat Messages
- CodeWall's autonomous AI security agent breached McKinsey's internal AI chatbot Lilli in under two hours by discovering publicly accessible API documentation with over 200 endpoints, 22 of which had no authentication, then executing a SQL injection to gain full system access.
- The exposed data included 46.5 million chat messages containing strategy discussions and client data, 728,000 files, 57,000 user accounts, and 384,000 AI assistant configurations, from a platform used by over 70% of McKinsey's 23,000+ employees and processing 500,000+ prompts per month.
- Every organization deploying internal AI chatbots should audit API endpoint exposure, ensure no documentation is publicly accessible, and apply the same authentication and authorization controls to AI platforms that they would to any system handling their most sensitive data.
Scan of 1,808 MCP Servers Finds 66% Have Security Flaws, 843 Contain Toxic Data Flow Chains
- AgentSeal scanned 1,808 MCP servers across GitHub, npm, and PyPI and found that 66% had at least one security finding, with 427 critical and 1,841 high severity issues identified across 16,840 tools analyzed.
- The most alarming category is toxic data flows (37.2% of critical/high findings), where individually safe servers create dangerous attack chains when combined; for example, a server that reads Slack messages piped to a server that writes files creates a data exfiltration path even when neither server is malicious on its own.
- Before connecting MCP servers to AI agents in production, map the full capability graph of tool inputs and outputs across all connected servers to identify toxic combinations that create unintended data movement paths.
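A minimal version of that capability-graph mapping, added here as an example and not taken from the AgentSeal scan: each tool is described by the data types it accepts and returns, whether its output is sensitive, and where its input can end up; tools are connected when one's output type matches another's input type, and a toxic chain is any path from a sensitive source to a tool with egress, including multi-hop paths through a harmless intermediary. The servers and tools are constructed.

```python
"""Find toxic data-flow chains across a set of MCP tools by walking their capability graph."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Tool:
    server: str
    name: str
    accepts: frozenset      # data types the tool takes as input
    returns: frozenset      # data types it produces
    sensitive: bool         # its output carries private or enterprise data
    egress: frozenset       # where its input can end up, e.g. "filesystem", "internet"

    @property
    def ref(self):
        return f"{self.server}.{self.name}"


def T(server, name, accepts=(), returns=(), sensitive=False, egress=()):
    """Small constructor so the sample inventory below stays readable."""
    return Tool(server, name, frozenset(accepts), frozenset(returns), sensitive, frozenset(egress))


# Constructed inventory: six tools from five hypothetical servers, none malicious on its own.
SAMPLE_TOOLS = [
    T("slack", "list_channels", returns={"channel_id"}),
    T("slack", "read_messages", accepts={"channel_id"}, returns={"text"}, sensitive=True),
    T("nlp", "summarize", accepts={"text"}, returns={"text"}),
    T("fs", "write_file", accepts={"text"}, returns={"path"}, egress={"filesystem"}),
    T("http", "post", accepts={"text", "json"}, returns={"json"}, egress={"internet"}),
    T("calc", "add", accepts={"number"}, returns={"number"}),
]


def build_edges(tools):
    """a -> b whenever something a returns is something b accepts (the agent can pipe it)."""
    edges = {t: [] for t in tools}
    for a in tools:
        for b in tools:
            if a is not b and a.returns & b.accepts:
                edges[a].append(b)
    return edges


def toxic_chains(tools, max_hops=3):
    """Return sorted tuples of tool refs: every simple path from a sensitive source
    to an egress tool within max_hops, stopping at the first egress (the data has left)."""
    edges = build_edges(tools)
    chains = set()

    def walk(path):
        current = path[-1]
        if len(path) > 1 and current.egress:
            chains.add(tuple(t.ref for t in path))
            return
        if len(path) > max_hops:
            return
        for nxt in edges[current]:
            if nxt not in path:             # simple paths only; avoids summarize -> summarize loops
                walk(path + [nxt])

    for tool in tools:
        if tool.sensitive:
            walk([tool])
    return sorted(chains)


if __name__ == "__main__":
    for chain in toxic_chains(SAMPLE_TOOLS):
        print(" -> ".join(chain))
```

On the sample inventory this reports four chains, two of them routed through `nlp.summarize`, which is the point of the exercise: the summarizer is innocuous, yet it turns a read-only Slack server and a file writer into an exfiltration path. Removing every tool that has egress, or breaking the type match between the source and the sink, is what makes the result empty.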
Market Intelligence
AWS Security Veterans Launch Native With $42M to Build Cloud Security Control Plane
- Native emerged from stealth with $42 million in funding led by Ballistic Ventures with participation from General Catalyst and YL Ventures, founded by the team that built Amazon GuardDuty and AWS Security Hub, with former Google Cloud CISO Phil Venables joining the board.
- Instead of layering on more monitoring tools, Native translates security policies into provider-specific controls enforced through native mechanisms already built into AWS, Azure, Google Cloud, and Oracle Cloud, addressing the gap between security intent and actual enforcement across multi-cloud environments.
- The founding team's pedigree signals that the next wave of cloud security will focus on policy enforcement through existing cloud primitives rather than adding more detection layers on top.
XBOW Hits Unicorn Status With $120M Series C for Autonomous Offensive Security
- XBOW raised $120 million in Series C funding led by DFJ Growth and Northzone, pushing its valuation past $1 billion and bringing total funding to over $235 million, with backing from Sequoia Capital, Altimeter, and Alkeon Capital.
- Founded by Oege de Moor, creator of GitHub Copilot and GitHub Advanced Security, XBOW became the first autonomous system to hit #1 on the HackerOne leaderboard, proving its AI can find and exploit vulnerabilities faster than top human researchers, with over 100 companies including Moderna and Samsung already using the platform.
- The autonomous pentesting category is now officially validated at unicorn scale, signaling that AI-driven offensive security is moving from research novelty to enterprise standard, and manual-only penetration testing firms face existential pressure to adapt.
Oasis Security Raises $120M Series B for Agentic Access Management, ARR Grows 5x
- Oasis Security closed a $120 million Series B led by Craft Ventures with participation from Sequoia Capital, Accel, and Cyberstarts, bringing total funding to $195 million as the company positions itself as the first platform purpose-built for Agentic Access Management.
- New ARR grew 5x year over year with the majority of clients coming from the Fortune 500, validating that managing nonhuman identities and AI agent access is becoming a board-level priority as enterprises scale agentic deployments across their infrastructure.
- The size of this round confirms that identity and access management for AI agents is emerging as a standalone category, distinct from traditional IAM, and security teams deploying agentic systems need dedicated controls for how agents authenticate, authorize, and interact with enterprise resources.
Security Stack
Socket
Software supply chain security platform that proactively detects malicious npm, PyPI, and Go packages before they enter your codebase. Directly relevant this week as the CanisterWorm supply chain attack spread through 47 npm packages via compromised postinstall hooks. View on CybersecTools
Claroty xDome Network Protection
OT/ICS network visibility and protection platform for industrial control systems and critical infrastructure. Relevant this week as Cyble research showed Russian-linked hacktivists are shifting to credential-based intrusions targeting exposed VNC services on industrial systems. View on CybersecTools
Oasis Agentic Access Management
Purpose-built identity governance platform for managing nonhuman identities and AI agent access across enterprise environments. Directly tied to this week's AI security theme, with MCP server shadow IT, McKinsey's AI chatbot breach, and Oasis's own $120M raise all highlighting the urgency of controlling what AI agents can access. View on CybersecTools
Thank you for reading this week's brief.
Whenever you're ready, there are three ways I can help you:
- Get your cybersecurity product in front of 15,000 cybersecurity professionals on CybersecTools. Submit Your Product
- Position your product to sell to CISOs correctly. CISO Lens
- Get deep market intelligence on your company, competitors and the whole industry. Sign Up for Waitlist
Talk to you in the next one.
Nikoloz