The Lyceum: Cybersecurity Daily — Mar 21, 2026

The window between "vulnerability disclosed" and "vulnerability weaponized" didn't just shrink this week — it effectively closed. A critical flaw in the AI platform Langflow was exploited within 20 hours of publication, CISA added five new actively exploited bugs to its watchlist in a single day (three of them Apple), and the tool developers use to find vulnerabilities — Trivy — was hijacked for the second time in a month to deliver malware through the very version tags teams pin for safety. Meanwhile, ransomware rolled through three U.S. cities in 24 hours and another healthcare provider went to paper charts. It's a lot. None of it is theoretical.

On March 20, CISA added five vulnerabilities to its Known Exploited Vulnerabilities catalog — the government's official "someone is using this right now" list. Three are Apple flaws (CVE-2025-31277, CVE-2025-43510, CVE-2025-43520) spanning Safari, iOS, watchOS, visionOS, iPadOS, macOS, and tvOS — essentially every device Apple makes. The remaining two are code injection bugs in Craft CMS (CVE-2025-32432) and Laravel Livewire (CVE-2025-54068), both popular web frameworks that are public-facing by nature.

Federal civilian agencies are required to apply mitigations by April 3 under the CISA Known Exploited Vulnerabilities guidance. If you're not a federal agency, that two-week window is still too generous for actively exploited Apple kernel and WebKit flaws — an attacker only needs a user to visit a malicious website. Check Apple Software Update now; if anything's pending, install it before lunch. For Craft CMS and Laravel shops, these are internet-facing applications being targeted in live campaigns, which means your web application firewall logs may already have evidence of probing.

If Apple pushes an out-of-band emergency update in the next 48 hours, that would be a signal exploitation is escalating beyond what the initial KEV listing captured. Three Apple CVEs landing on the same day is not routine.

Trivy, the open-source vulnerability scanner maintained by Aqua Security that thousands of development teams rely on to find security flaws, was compromised for the second time in a month. An attacker force-pushed malicious code to 75 of 76 version tags in the GitHub Actions repositories aquasecurity/trivy-action and aquasecurity/setup-trivy, turning trusted version references into a distribution mechanism for an infostealer targeting CI/CD secrets — the cloud access keys, API tokens, and database credentials that are skeleton keys to an organization's infrastructure.

The attack is elegant in its cruelty: developers pin to specific version tags — a common practice intended to make builds reproducible and trustworthy. Force-pushing malicious code to those tags weaponizes that trust. If your team uses Trivy in any automated pipeline, verify the commit hashes of the version tags you're referencing against the official repository — don't just check the tag name.

Aqua Security's official incident report is expected imminently. If the scope is large — the popularity of these GitHub Actions suggests that possibility — downstream breach disclosures may follow. The structural question for every team running open-source security tooling in CI/CD: what's your verification layer when the scanner itself is the supply chain risk?

CVE-2026-33017, a CVSS 9.3 remote code execution flaw in Langflow — the open-source platform for building AI agent workflows — went from public advisory to active exploitation in roughly 20 hours. Attackers didn't wait for proof-of-concept code; they derived working exploits directly from the advisory text.

The flaw is in Langflow's public build endpoint, which allows building flows without authentication. When an optional data parameter is supplied, the endpoint executes attacker-controlled Python code with zero sandboxing. Unauthenticated. No credentials needed. Attackers just need to find the instance. Community reports indicate all versions prior to 1.9.0.dev8 are affected.

If you're unsure whether your organization runs Langflow, check with your AI or platform engineering teams — it's often deployed experimentally without formal procurement. If you find an instance, patch immediately or take it offline. Weekend mass scanning is the next phase, and exposed instances will be found. The broader signal: for high-value AI tooling, treat advisory publication as the start of an active attack window, not the beginning of a comfortable patch cycle.

At least one U.S. healthcare provider was forced onto paper workflows overnight by a LockBit ransomware campaign that affected services across multiple facilities and an estimated 500,000 patients annually. Separately, ransomware incidents were reported within 24 hours in Foster City, California; Blacksburg, Virginia; and Los Angeles — with Foster City temporarily losing both emergency and non-emergency police phone lines. Legacy Health LLC was also listed as a new victim by the Worldleaks group, with internal documents reportedly posted publicly.

The pattern suggests municipal networks and healthcare systems are being targeted as soft targets amid multiple simultaneous ransomware campaigns. LockBit's history of double extortion means patient data exposure is a live concern. If Foster City or Blacksburg formally declare states of emergency and confirm data theft, it would mark a shift from "IT outage" to recognized civic crisis — and if leak sites start posting actual datasets, expect a wave of targeted phishing using real appointment, billing, or permit data.

Xakep.ru reports on new Interpol statistics showing that fraud operations leveraging AI tools — deepfake voice, generated identity documents, automated social engineering — are generating 4.5 times more revenue per operation than their non-AI equivalents. The data reportedly comes from Interpol's cross-border financial crime unit and tracks cases from 2024–2025. This quantifies what many have suspected: AI isn't just making fraud easier, it's making it dramatically more profitable, which means the investment in AI-powered attack tooling will only accelerate.

Source: Xakep.ru — Russian. No English-language coverage confirmed at time of publication.

Xakep.ru details a newly identified Android banking trojan dubbed "Perseus" that specifically targets note-taking and memo applications on infected devices, searching for passwords, seed phrases, and financial credentials that users store in plaintext notes. The malware reportedly uses accessibility services to read note content across multiple apps and exfiltrates matches to a C2 server. For anyone who's ever saved a password in their phone's Notes app — and that's most people — this is the threat model catching up with the habit.

Source: Xakep.ru — Russian. No English-language coverage confirmed at time of publication.

Xakep.ru published a technical analysis confirming that the Stryker attack used legitimate device management tools — not traditional malware — to wipe approximately 80,000 devices. The Russian-language writeup emphasizes that attackers obtained administrative access to Stryker's Microsoft Intune environment and pushed mass wipe commands through the platform's own functionality, making the attack nearly invisible to endpoint detection tools that look for malicious executables.

Source: Xakep.ru — Russian. No English-language coverage confirmed at time of publication.

A vulnerability scanner delivering malware to the people scanning for malware, a trust dialog that loads after the code it's supposed to gate, and a city that lost its 911 lines to ransomware while three other municipalities fell in the same news cycle. The encrypted DNS on your Mac? Plaintext. The anonymous tip line? Not anonymous. The patch window? Closed 20 hours ago. Sleep well.

If someone you know is still saving passwords in their Notes app, forward this before Perseus finds them first.