The Lyceum: Cybersecurity Daily — Mar 14, 2026
Saturday, March 14, 2026
The Big Picture
Stop what you're doing and patch things. Google shipped emergency Chrome fixes for two zero-days already being exploited in the wild, Cl0p is burning through Oracle's customer base using a zero-day that has affected over a hundred organizations, and the FBI just revealed that malware has been hiding inside Steam games for nearly two years. It's a "patch first, read second" kind of morning — but you're here, so let's make it count.
Today's Stories
Cl0p Ransomware Hits Dozens Through Oracle Zero-Day — And the Victim List Keeps Growing
The Cl0p ransomware gang found a skeleton key, and it fits a lot of doors. By exploiting CVE-2025-61882 — a zero-day in Oracle's E-Business Suite (EBS), the sprawling enterprise platform that runs HR, financials, and procurement for thousands of organizations — Cl0p quietly breached systems starting back in August 2025. The flaw carries a CVSS score of 9.8 out of 10.
The victim list now reads like a Fortune 500 directory crossed with a hospital roster. Barts Health NHS had data published on Cl0p's leak site. Harvard University, Cox Enterprises, Logitech, Schneider Electric, The Washington Post, and Mazda have all surfaced in reporting. BlackFog estimates over a hundred companies may be affected. A disclosure exposed nearly 10,500 employees' personal data — names, passport numbers, bank details, the works.
This is Cl0p's signature move: find one widely deployed enterprise product, exploit it silently at scale, exfiltrate everything, then slow-roll the victim naming to maximize pressure. They did it with MOVEit. They did it with Cleo. Now it's Oracle's turn. Oracle's first emergency patch reportedly failed for some customers, requiring a second fix, which may have widened the exposure window.
The U.S. government is reportedly offering a $10 million reward for information tying Cl0p to a foreign government, amid reporting that officials view the campaign as a national security concern. If you run Oracle EBS, verify both emergency patches are applied, hunt for published indicators of compromise, and assume you may already be in the blast radius.
Google Chrome Zero-Days Under Active Attack — Update Everything Built on Chromium
Google pushed an out-of-band emergency update for Chrome to fix two zero-days that attackers are already weaponizing. CVE-2026-3909 is an out-of-bounds write in Skia (Chrome's graphics library), and CVE-2026-3910 is a flaw in V8 (the JavaScript engine). Both carry CVSS scores around 8.8. Visiting a malicious website is enough to trigger exploitation — no clicks, no downloads, just a page load.
Here's the part most coverage is missing: this isn't just a Chrome problem. CISA explicitly notes the Skia flaw affects ChromeOS, Android, Flutter, and potentially any product using the Skia library. If your organization ships Flutter apps or Android applications, check your SDK versions. Vivaldi has already patched; Edge, Brave, and Opera will follow on their own timelines. Don't forget headless containers, CI runners, and VDI images — those are the blind spots that stay vulnerable for weeks.
CISA added both CVEs to its Known Exploited Vulnerabilities catalog, which means federal agencies are on the clock and these will start appearing in vendor questionnaires and risk attestations faster than usual. Open Chrome, click "About," let it update. Two minutes. Do it now.
FBI Investigating Malware That Hid Inside Steam Games for Nearly Two Years
The FBI's Seattle Division is publicly seeking victims of a campaign that planted malware inside games on Steam — the world's largest PC gaming platform, with over 132 million monthly active users. The suspected titles: BlockBlasters, Chemia, Dashverse/DashFPS, Lampy, Lunara, PirateFi, and Tokenova. The operation ran from May 2024 through January 2026.
The attack was patient and clever. Through Steam Direct, anyone can publish a game for a $100 fee. The initial builds passed Valve's automated checks. Then post-launch updates introduced the malicious payloads — the gaming equivalent of a trojanized software update. The malware focused on stealing crypto wallets, saved passwords, and session cookies.
The real concern for security teams: anyone gaming on a machine that also has a corporate VPN, a password manager, or email access just handed attackers a bridge from personal entertainment into business networks. If Steam is allowed on corporate devices, tighten installation policies now. Anyone affected can email [email protected].
Meta Is Killing Instagram's Encrypted DMs — Right as Regulators Push for "Lawful Access"
Meta announced it will discontinue end-to-end encryption for Instagram DMs after May 8, 2026. End-to-end encryption (E2EE) means only the sender and recipient can read a message — not the platform, not advertisers, not anyone else. After May 8, Meta will be able to access Instagram message content.
Meta's explanation: not enough people were using it, so just use WhatsApp instead. That's a thin justification for a significant privacy rollback. Proton notes that Meta said in December 2025 that interactions with its AI tools inside private conversations may be used for targeted ads — which makes the "low adoption" framing worth questioning.
The timing is conspicuous. TikTok said the same week that it won't introduce E2EE for DMs, claiming it makes users "less safe." The European Commission is expected to present a Technology Roadmap on encryption enabling lawful access by law enforcement. Two major platforms abandoning private messaging in the same week, amid regulators pushing for lawful access, is suggestive rather than coincidental. If your organization relies on Instagram DMs for sensitive coordination — journalists, incident responders, anyone — start migrating to Signal or another E2EE platform now, before May.
⚡ What Most People Missed
- CISA's patch queue is getting absurd. Beyond Chrome, the agency added a SolarWinds Web Help Desk deserialization RCE, an Ivanti EPM authentication bypass that exposes stored credentials to unauthenticated requests, and an n8n automation-tool flaw that hands attackers lateral access to cloud services. The sheer volume of KEV additions this week is itself the signal — defenders are facing a compressed triage window with no breathing room.
- A vulnerability researcher found a bug; the company found a lawyer. A detailed blog post about receiving legal threats after responsible disclosure is climbing fast on Hacker News. Legal intimidation of researchers doesn't fix bugs — it just ensures they stay undisclosed, which benefits attackers exclusively.
- Surgeons are debating whether to unplug their robots. After Intuitive (maker of the da Vinci surgical robot) disclosed a phishing-related breach of its business network, hospitals on r/medicine are discussing temporarily isolating surgical robots from their networks. The breach didn't touch clinical systems, but the trust rehearsal for medical device security is happening in real time.
- LockBit 5.0 claimed Atrium Windows and Doors as a new victim on its leak site, and Loblaw — one of Canada's largest retailers — disclosed a customer data breach exposing names, emails, and phone numbers. Neither is a blockbuster alone, but together they confirm the operational tempo hasn't slowed.
📅 What to Watch
- If exploit kits start bundling CVE-2026-3909/3910, the Chrome zero-days would move from targeted espionage to mass drive-by attacks against ordinary users — increasing the chance of broad, automated exploitation campaigns that spike incident response workloads across small and medium enterprises.
- If Valve or the FBI publicly names technical indicators from the Steam malware campaign, it will reveal how well platform-level app screening actually works at scale and could force marketplaces to adopt different vetting or update controls that materially change developer onboarding friction.
- If Meta proceeds with the Instagram E2EE shutdown without regulatory pushback, expect a wave of corporate communications policy rewrites and a measurable migration spike to Signal — and a precedent that platforms can remove security features citing "low adoption," which could change vendor risk assessments.
- If more Oracle EBS victims surface this week, it will confirm Cl0p's blast radius is still expanding and indicate that a nontrivial number of organizations have not applied patches released since October 2025, which will drive a second-order surge in managed detection and response engagements.
- If CISA issues a dedicated emergency directive around the Chrome zero-days, it signals exploitation has escalated beyond targeted attacks into broad scanning of federal and enterprise networks and will fast-track mitigation requirements for agencies and contractors.
The Closer
A ransomware gang using Oracle's own software as a battering ram against over a hundred companies including the NHS; an FBI agent emailing gamers to ask if their copy of "PirateFi" stole their Bitcoin; and Meta explaining that nobody really wanted private messages anyway. Meanwhile, somewhere a security researcher is reading a cease-and-desist letter and wondering if they should have just sold the bug instead. Stay patched, stay skeptical.
If someone you know is still running an unpatched Chromium browser on a machine with Steam installed, do them a favor and forward this.