Weekly Cyber Threat Roundup: March 30, 2026 – Critical Breaches, AI Risks, and Patches
Weekly cyber threat roundup for March 30, 2026: Handala Hack breaches FBI director's email, ransomware hits Port Vigo, Resolv loses $24.5M, plus AI supply chain risks and critical Cisco flaw.
Introduction
This week's cyber threat landscape reveals a troubling convergence of state-sponsored attacks, financially motivated breaches, and novel AI supply chain vulnerabilities. Organizations must remain vigilant as threat actors exploit both human and technical weaknesses. Below is a detailed analysis of the most significant incidents reported for the week of March 30, 2026.
Major Attacks and Breaches
Handala Hack Targets FBI Director's Personal Email
The Iranian state-affiliated group known as Handala Hack has breached the personal Gmail account of FBI Director Kash Patel, leaking numerous private photos and documents. This attack follows the FBI's seizure of domains associated with Handala Hack's operations the previous week, which was part of an ongoing crackdown on the group's persistent targeting of Israeli and American entities. The breach underscores the escalating cyber conflict amid ongoing tensions with Iran, with threat actors retaliating against law enforcement actions.
Ransomware Attack Disrupts Port of Vigo
Spain's Port of Vigo in Galicia has been hit by a ransomware attack that forced officials to disconnect parts of its network and revert to manual cargo handling procedures. The incident locked critical equipment and disrupted digital logistics systems, though physical ship movements continued without digital communication. The attack highlights the vulnerability of maritime infrastructure to ransomware, emphasizing the need for robust offline contingencies.
Netherlands Ministry of Finance Breach
The Netherlands' Ministry of Finance confirmed a cyberattack on March 19 that breached internal systems within its policy department, causing disruption for some employees. Authorities promptly blocked access to affected environments, while tax, customs, and benefits services remained operational. No threat actor has publicly claimed responsibility, suggesting the incident may be part of a broader espionage campaign or a failed ransomware attempt.
DeFi Platform Resolv Exploited for $24.5 Million
The decentralized finance platform Resolv suffered a cyberattack after a compromised private key allowed an attacker to mint approximately $80 million in uncollateralized USR tokens. The attacker then swapped these tokens for 11,408 ETH, valued at around $24.5 million. Resolv confirmed the incident, paused the application, and offered a 10% bounty for the return of the stolen funds. This incident underscores the persistent risks associated with private key management in DeFi ecosystems.
Emerging AI Threats
LiteLLM Supply Chain Compromise
Researchers have demonstrated a supply chain attack against LiteLLM, a Python library that connects applications to major AI services. Attackers hijacked a security tool associated with the library and pushed malicious releases on March 24. The tainted packages harvested API keys and cloud credentials, creating downstream exposure for a wide range of AI projects that rely on LiteLLM for integration. This incident highlights the growing risk of software supply chain attacks targeting AI infrastructure.
Critical Vulnerabilities in LangChain and LangGraph
Three high-severity vulnerabilities have been discovered in LangChain and LangGraph, popular open-source frameworks for building AI assistants. These flaws could expose files, environment secrets, and prior conversations to unauthorized parties. Specifically, the vulnerabilities enabled arbitrary file access, secret leakage, and SQL injection in checkpointing functions. Patches have been issued in updated components, and users are strongly urged to upgrade immediately.
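To make the SQL-injection class named above concrete, here is an added example that is not LangChain's or LangGraph's code: a hypothetical checkpoint store that looks up a conversation's saved state by a caller-supplied thread id. The table, column and function names, and the sample rows, are assumptions constructed for this illustration. The string-formatted query lets a hostile thread id widen the lookup to every thread's checkpoint (which is how prior conversations leak); the parameterized query binds the id as data, and an allowlist on the id format adds a second line of defence.

```python
"""Checkpoint store lookup: string-built SQL beside the parameterized form.

Added illustration only; not LangGraph's or LangChain's checkpointing code.
All names (checkpoints table, thread_id/checkpoint columns) are hypothetical.
"""
import re
import sqlite3

# Constructed sample data: two conversation threads, one checkpoint each.
SAMPLE_CHECKPOINTS = [
    ("thread-alice", '{"messages": ["alice: hello"]}'),
    ("thread-bob", '{"messages": ["bob: here is my secret"]}'),
]

# Thread ids we issue are short, URL-safe tokens; anything else is rejected
# before it reaches the database (defence in depth, not a replacement for binding).
THREAD_ID_RE = re.compile(r"^[A-Za-z0-9_-]{1,64}$")


def make_db():
    """Build an in-memory SQLite store holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE checkpoints (thread_id TEXT, checkpoint TEXT)")
    conn.executemany("INSERT INTO checkpoints VALUES (?, ?)", SAMPLE_CHECKPOINTS)
    conn.commit()
    return conn


def is_valid_thread_id(thread_id):
    """Allowlist check on the id format."""
    return bool(THREAD_ID_RE.match(thread_id))


def get_checkpoints_unsafe(conn, thread_id):
    """Vulnerable pattern: the id is spliced into the SQL text.

    A value such as  x' OR '1'='1  turns the WHERE clause into a tautology,
    so the query returns every thread's checkpoint, not just the caller's.
    """
    query = f"SELECT checkpoint FROM checkpoints WHERE thread_id = '{thread_id}'"
    return [row[0] for row in conn.execute(query)]


def get_checkpoints_safe(conn, thread_id):
    """Hardened pattern: validate the id, then bind it as a query parameter.

    Bound parameters are passed to SQLite as data, so the id can never change
    the shape of the statement regardless of the characters it contains.
    """
    if not is_valid_thread_id(thread_id):
        raise ValueError("malformed thread id")
    query = "SELECT checkpoint FROM checkpoints WHERE thread_id = ?"
    return [row[0] for row in conn.execute(query, (thread_id,))]


def demo():
    """Run both lookups against a hostile id and a legitimate one."""
    conn = make_db()
    hostile = "x' OR '1'='1"  # constructed caller input, e.g. from an HTTP request
    leaked = get_checkpoints_unsafe(conn, hostile)
    try:
        get_checkpoints_safe(conn, hostile)
        rejected = False
    except ValueError:
        rejected = True
    return {
        "unsafe_rows": leaked,            # both threads' checkpoints
        "safe_rejected": rejected,        # hostile id never reaches the query
        "legit_rows": get_checkpoints_safe(conn, "thread-alice"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The allowlist is deliberately separate from the parameter binding: binding alone already prevents injection, but rejecting malformed ids early also gives you a clean signal to log and alert on, since a legitimate client never sends a quote or a space in a thread id.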
Zero-Click Flaw in Anthropic's Claude Chrome Extension
Researchers identified a zero-click vulnerability in Anthropic's Claude Chrome extension that allowed any website to silently inject prompts and take control of the AI assistant. The attack combined an overly permissive trusted domain list with a scripting bug in Arkose Labs CAPTCHA handling. This could enable token theft, unauthorized chat access, and malicious email actions. Users should ensure their extensions are updated to the latest version.
Critical Vulnerabilities and Patches
Cisco Secure Firewall Management Center Flaw (CVE-2026-20131)
Cisco has addressed a critical vulnerability in its Secure Firewall Management Center, designated CVE-2026-20131 with a CVSS score of 10. The flaw allows unauthenticated attackers to execute arbitrary code as root via the web interface, posing a severe risk to affected systems. Cisco confirmed that attempted exploitation occurred in March 2026 and has released fixes. On-premises customers have no workaround beyond applying the updates promptly. Check Point IPS provides protection against this threat through signature coverage for Cisco Secure Firewall Management Center Insecure Deserialization (CVE-2026-20131).
Conclusion
The week of March 30, 2026, brought a stark reminder of the diverse and sophisticated cyber threats facing organizations worldwide — from state-backed breaches and ransomware on critical infrastructure to novel AI supply chain attacks and critical vulnerabilities. Staying informed and proactive with patch management, network segmentation, and robust security awareness is essential to mitigating these risks.