TeamPCP Trivy Attack Confirmed at Cisco and EU Commission; BlueHammer Windows LPE Leaks Unpatched
TeamPCP Supply-Chain Breach Confirmed for Cisco and EU Commission
Confidence: High
Official statements from CERT-EU and internal acknowledgments from Cisco have confirmed that both entities were impacted by the March 19 poisoned-Trivy event. The compromised build of the widely used container and filesystem vulnerability scanner exfiltrated credentials and other sensitive data while it executed inside CI/CD pipelines.
A13E intelligence suggests that over 1,000 organisations remain within the potential blast radius. Given the confirmation of institutional and corporate compromises, we advise an immediate audit of CI/CD environments and a full rotation of any credentials handled by Trivy during the compromise window.
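The audit the previous paragraph calls for starts with knowing where Trivy actually runs. The script below is an added example, not part of the briefing and not A13E or Aqua Security tooling: it inventories Trivy usage in CI configuration text and flags each hit that is not pinned to an immutable reference (a 40-hex commit SHA for the GitHub Action, a sha256 digest for the container image; a curl-piped installer is never pinned). The sample workflow and Dockerfile are constructed, and the three patterns are an assumption about the common ways Trivy reaches a pipeline, not a complete catalogue.

```python
"""Inventory Trivy usage in CI configuration and flag floating references.

Added example (not from the briefing). Sample inputs are constructed.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Immutable-reference shapes: a full commit SHA, or an image digest.
SHA40 = re.compile(r"^[0-9a-f]{40}$")
DIGEST = re.compile(r"@sha256:[0-9a-f]{64}$")

# How Trivy commonly enters a pipeline (assumption, not an exhaustive list).
PATTERNS = [
    ("github-action", re.compile(r"uses:\s*(aquasecurity/trivy-action@\S+)")),
    ("container-image", re.compile(r"(?:image:|FROM)\s+(aquasec/trivy\S*)")),
    ("installer", re.compile(r"(https?://\S*trivy\S*install\.sh)")),
]


@dataclass
class Finding:
    source: str
    line_no: int
    kind: str
    ref: str
    pinned: bool


def is_pinned(kind: str, ref: str) -> bool:
    """A pinned ref cannot be silently replaced upstream. Pinning does not
    prove the pinned artifact itself is clean, so every finding still goes
    on the credential-rotation list; it only narrows exposure to tag swaps."""
    if kind == "github-action":
        return bool(SHA40.match(ref.split("@", 1)[1]))
    if kind == "container-image":
        return bool(DIGEST.search(ref))
    return False  # curl | sh installers fetch whatever is served today


def scan_text(source: str, text: str) -> list[Finding]:
    findings: list[Finding] = []
    for n, line in enumerate(text.splitlines(), 1):
        for kind, pat in PATTERNS:
            m = pat.search(line)
            if m:
                ref = m.group(1)
                findings.append(Finding(source, n, kind, ref, is_pinned(kind, ref)))
    return findings


def unpinned(findings: list[Finding]) -> list[Finding]:
    """Hits that could have pulled a poisoned release via a floating tag."""
    return [f for f in findings if not f.pinned]


# Constructed sample inputs: one workflow, one Dockerfile.
WORKFLOW = """\
name: scan
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: aquasecurity/trivy-action@master
        with:
          scan-type: fs
      - run: curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin
      - uses: aquasecurity/trivy-action@0123456789abcdef0123456789abcdef01234567
"""
DOCKERFILE = (
    "FROM aquasec/trivy:0.50.0 AS scanner\n"
    f"FROM aquasec/trivy@sha256:{'ab' * 32} AS pinned\n"
)


def audit_samples() -> list[Finding]:
    return scan_text("ci.yml", WORKFLOW) + scan_text("Dockerfile", DOCKERFILE)


if __name__ == "__main__":
    for f in audit_samples():
        flag = "PINNED  " if f.pinned else "FLOATING"
        print(f"{flag} {f.source}:{f.line_no} [{f.kind}] {f.ref}")
```

Run it over a checkout of every repository that feeds the affected pipelines (for example by piping `git grep -l trivy` results into `scan_text`). Every hit, pinned or not, identifies a pipeline whose secrets need rotating for the compromise window; the FLOATING rows are the ones to re-pin before the pipeline runs again.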
TrueConf Client RCE Added to CISA KEV (CVE-2026-3502)
Confidence: High
CISA has added CVE-2026-3502 to its Known Exploited Vulnerabilities (KEV) catalog following evidence of active exploitation. The flaw resides in the TrueConf client update mechanism, where a lack of integrity checks allows for unauthenticated remote code execution.
Organisations using TrueConf for internal collaboration must ensure all clients are updated to version 8.5.3 immediately. Inclusion in KEV signals that this is no longer a theoretical risk but an actively used path for initial access or lateral movement.
BlueHammer Windows Local Privilege Escalation Unpatched
Confidence: High
A public exploit for a Windows local privilege escalation (LPE) dubbed 'BlueHammer' continues to circulate with no vendor patch or official acknowledgment. It lets a standard user elevate to SYSTEM by winning a time-of-check to time-of-use (TOCTOU) race in code that operates on the Security Account Manager (SAM) database.
Whilst Microsoft has yet to assign a CVE, the reliability of the public PoC across various Windows versions makes this a high-priority threat for post-compromise activity. Defenders should deploy detections for unusual SAM access patterns and SYSTEM-level elevations from non-privileged accounts.
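The two detections recommended above, as an added example that is not part of the briefing and not a vendor or Microsoft rule: flag a SYSTEM-level process whose parent ran as an ordinary user (Sysmon Event ID 1, using its User and ParentUser fields), and flag any registry or file access to the SAM hive from a non-SYSTEM account (Sysmon Event IDs 12-14, Security Event 4663). The events are constructed and flattened into plain dicts whose keys mirror those log fields; the EXPECTED_SYSTEM_PARENTS allowlist is a tuning assumption for local environments.

```python
"""Hunt logic for BlueHammer-style post-compromise activity.

Added example (not from the briefing). Events below are constructed.
"""
from __future__ import annotations

from pathlib import PureWindowsPath

PRIVILEGED_ACCOUNTS = {
    "NT AUTHORITY\\SYSTEM",
    "NT AUTHORITY\\LOCAL SERVICE",
    "NT AUTHORITY\\NETWORK SERVICE",
}
# Substrings that identify the SAM hive in registry and file object names.
SAM_MARKERS = (
    "HKLM\\SAM\\",
    "\\REGISTRY\\MACHINE\\SAM\\",
    "\\WINDOWS\\SYSTEM32\\CONFIG\\SAM",
)
# Parent images allowed to spawn SYSTEM children from a non-SYSTEM context.
# Tuning assumption for the example; tighten or extend per environment.
EXPECTED_SYSTEM_PARENTS = {"services.exe", "wininit.exe", "smss.exe", "csrss.exe"}


def is_privileged(account: str) -> bool:
    return account.upper() in {a.upper() for a in PRIVILEGED_ACCOUNTS}


def touches_sam(target: str) -> bool:
    t = target.upper()
    return any(marker in t for marker in SAM_MARKERS)


def detect(events: list[dict]) -> list[dict]:
    """Return one alert per event that matches either hunt rule."""
    alerts = []
    for ev in events:
        channel, eid = ev["channel"], ev["event_id"]
        if channel == "Sysmon" and eid == 1:
            # Rule 1: child is SYSTEM, parent was a non-privileged user,
            # and the parent is not a known elevation broker.
            parent = PureWindowsPath(ev["parent_image"]).name.lower()
            if (is_privileged(ev["user"])
                    and not is_privileged(ev["parent_user"])
                    and parent not in EXPECTED_SYSTEM_PARENTS):
                alerts.append({"rule": "system-child-of-user", "record": ev["record_id"]})
        elif (channel == "Sysmon" and eid in (12, 13, 14)) or (channel == "Security" and eid == 4663):
            # Rule 2: SAM hive touched by anything other than a privileged account.
            if touches_sam(ev["target"]) and not is_privileged(ev["user"]):
                alerts.append({"rule": "sam-access-by-non-system", "record": ev["record_id"]})
    return alerts


# Constructed sample events (field names mirror Sysmon 1/13 and Security 4663).
SAMPLE_EVENTS = [
    {"record_id": 1, "channel": "Sysmon", "event_id": 1,
     "image": "C:\\Windows\\System32\\cmd.exe", "user": "NT AUTHORITY\\SYSTEM",
     "parent_image": "C:\\Users\\alice\\Downloads\\tool.exe", "parent_user": "CORP\\alice"},
    {"record_id": 2, "channel": "Sysmon", "event_id": 1,
     "image": "C:\\Windows\\System32\\svchost.exe", "user": "NT AUTHORITY\\SYSTEM",
     "parent_image": "C:\\Windows\\System32\\services.exe", "parent_user": "NT AUTHORITY\\SYSTEM"},
    {"record_id": 3, "channel": "Sysmon", "event_id": 13, "user": "CORP\\alice",
     "target": "HKLM\\SAM\\SAM\\Domains\\Account\\Users\\000001F4\\F"},
    {"record_id": 4, "channel": "Security", "event_id": 4663, "user": "NT AUTHORITY\\SYSTEM",
     "target": "\\REGISTRY\\MACHINE\\SAM\\SAM\\Domains\\Account"},
    {"record_id": 5, "channel": "Security", "event_id": 4663, "user": "CORP\\alice",
     "target": "C:\\Windows\\System32\\config\\SAM"},
]


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Two caveats when porting this to a SIEM: Security Event 4663 only fires for objects that carry a SACL, so the SAM key and hive file must be audited explicitly, and Sysmon only emits registry events for paths its configuration includes, so HKLM\SAM needs to be in the include list. ParentUser on Event ID 1 requires a Sysmon release that populates that field.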
New Ransomware Activity: Akira and LockBit 5.0 Targeting EU
Confidence: Medium
Akira ransomware has added new victims in the French aviation and industrial supply chain, including Gauthier Connectique and Groupe SERAP. Simultaneously, LockBit 5.0 affiliates are expanding their footprint in Italian financial services and defence logistics, with Wibeats and Defcon 5 appearing on leak sites. These campaigns demonstrate a persistent focus on mid-market European entities within critical supply chains.
Update: Fortinet Releases FortiClient EMS Hotfix
Confidence: High
Fortinet has released an urgent hotfix for CVE-2026-35616, affecting FortiClient EMS versions 7.4.5 and 7.4.6. This moves the priority from monitoring to immediate remediation for exposed management interfaces.
Update: UK SMB Resilience and Public Sector DDoS
Confidence: High
New data indicates a significant security gap in the UK SMB sector, with 37% of businesses still lacking multi-factor authentication (MFA). This gap coincides with a renewed DDoS campaign by NoName057(16) against UK public-sector targets, including Welsh tourism services and Stirling Council.
Why This Matters
The shift from theoretical supply-chain risks to confirmed institutional breaches (TeamPCP) marks a significant escalation in the threat landscape. When combined with unpatched LPEs like BlueHammer and the rapid exploitation of management tools (FortiClient, TrueConf), defenders face a compressed window for response and remediation.
Recommended Actions
- Rotate Credentials: Perform an immediate rotation of all secrets, API keys, and service tokens handled by Trivy or adjacent CI/CD tools during the TeamPCP window.
- Apply Patches: Update TrueConf clients to 8.5.3 and apply the FortiClient EMS hotfix for CVE-2026-35616.
- Hardening: Enforce MFA across all UK/EU SMB accounts to mitigate the primary vector for ransomware groups like Akira and LockBit.
- Monitoring: Deploy specific hunt rules for BlueHammer LPE activity in Windows environments.
All findings grounded in A13E intelligence sweeps through 04:30 UTC 10 April 2026.