The Lyceum: Cybersecurity Daily — Mar 23, 2026
Monday, March 23, 2026
The Big Picture
A Windows Notepad RCE is trending at 800+ points on Hacker News, ShinyHunters is claiming 200GB of financial data from Ameriprise, a Linux root escalation just hit Full Disclosure, and an actively exploited automation-tool flaw is sitting on CISA's "being attacked right now" list while almost nobody covers it. Meanwhile, law enforcement dismantled the phishing kit that was bypassing your MFA at scale, and Oracle shipped an emergency patch for identity infrastructure that may already be compromised. It's a patch-everything, check-your-data, question-your-assumptions kind of Monday.
Today's Stories
The Windows Notepad RCE That Made the Entire Security Community Do a Double-Take
Notepad. The thing you open .txt files with. The application so simple it's been the punchline of "at least it can't hurt you" jokes for thirty years. It has a Remote Code Execution vulnerability — meaning an attacker can run arbitrary code on your machine by getting you to open a crafted file.
CVE-2026-20841 is generating over 800 points and hundreds of comments on Hacker News today as the security community processes the actual CVE record. Microsoft patched this in the March 11 Patch Tuesday cycle, so if your Windows Update is applied, you are protected. The real danger zone is enterprise environments where patch cycles lag, isolated systems, or legacy machines that haven't phoned home to Windows Update in weeks.
What makes this matter beyond the patch: it breaks a foundational assumption. Security teams have always treated Notepad as near-zero-risk — no macros, no scripting, no network calls. If the simplest text renderer in Windows can carry an RCE, the community is now asking what other "harmless" inbox apps (Paint, Snipping Tool, Calculator) might be hiding similar bugs. Watch for researchers to start fuzzing every default Windows utility over the next few weeks. If similar CVEs start appearing in other inbox apps, it would signal a systemic parsing problem in Windows' shared libraries, not just a Notepad quirk.
ShinyHunters Claims Ameriprise Financial Breach — 200GB of Salesforce and SharePoint Data
ShinyHunters — the group behind breaches of Ticketmaster, Santander Bank, and AT&T — posted Ameriprise Financial on their leak site on March 22, claiming over 200GB of compressed Salesforce and SharePoint corporate data including customer PII (personally identifiable information — names, account details, contact records).
Neither Ameriprise nor a second claimed victim, Infinite Campus (a student information system used by K-12 school districts across the US), has publicly confirmed or denied the claims. ShinyHunters has a documented track record of following through on leak threats. The specific targeting of Salesforce records is significant: that's where companies store their most sensitive customer relationship data, not just internal documents. If confirmed, the Ameriprise claim would be one of the largest financial-sector CRM data exposures in recent memory.
If you're an Ameriprise customer: enable login alerts, watch for phishing that references real account details, and consider a credit freeze. If you're a defender: this is another data point that Salesforce and SharePoint instances are becoming primary targets, not just the databases behind them. If Ameriprise issues a formal breach notification within 72 hours, expect it to set a template for how ShinyHunters is evolving from ransomware into pure data-exfiltration leverage.
An Actively Exploited RCE in n8n Is on CISA's "Being Attacked Right Now" List — Nobody Is Talking About It
n8n is an open-source workflow automation platform — think Zapier but self-hosted — widely used to wire together AI agents, APIs, databases, and internal tools. CVE-2025-68613 is an RCE (remote code execution) in n8n's workflow expression evaluation system, and it's now on CISA's Known Exploited Vulnerabilities catalog, which means there is confirmed evidence of active exploitation in the wild.
Here's why this is worse than a typical RCE: n8n's entire purpose is to have credentials and API keys for everything it orchestrates — databases, email providers, cloud services, AI models. An RCE in n8n can therefore expose every system n8n touches. Public proof-of-concept exploit code has now landed on Exploit-DB, lowering the bar from skilled adversaries to copy-paste attacks.
If you or anyone on your team runs a self-hosted n8n instance: update immediately, lock dashboards behind VPN or IP allowlists, and rotate every credential n8n can access. If n8n starts appearing in ransomware IR reports over the next few weeks, the initial-access story is likely to center on this CVE.
Global Cops Dismantle Tycoon 2FA — The Phishing Kit That Bypassed Your MFA
A coalition including Microsoft, Europol, Coinbase, and Cloudflare seized roughly 330 domains tied to Tycoon 2FA, a phishing-as-a-service (PhaaS) platform that used reverse-proxy techniques to steal session tokens after users entered both their passwords and MFA codes. The platform had spun up over 24,000 malicious sites and powered a large fraction of blocked phishing activity across Microsoft's ecosystem.
This is a genuine win — disrupting infrastructure at this scale blunts active fraud and account-takeover operations. The operational lesson is unchanged: Tycoon 2FA worked by relaying SMS codes and authenticator-app OTPs through its proxy in real time, so the victim's own MFA completed the attacker's login. Phishing-resistant MFA (hardware FIDO2/WebAuthn keys) stops this class of attack entirely. Copycats and replacement services historically appear within weeks of major takedowns.
If your organization still relies on SMS or TOTP for high-value accounts, this takedown bought you time, not safety. Use it to deploy phishing-resistant MFA for admins and critical personnel before the next platform fills the gap.
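To show why a relayed OTP passes but a relayed WebAuthn assertion does not, here is an added, constructed model of the two server-side checks (not code from the takedown coalition or any vendor); RP_ID and EXPECTED_ORIGIN are assumed values standing in for a real site, and signature verification is deliberately left out.

```python
import hashlib
import json

# Constructed, simplified model (added example, not from the page or any MFA
# vendor). RP_ID and EXPECTED_ORIGIN are assumed stand-ins for the real site.
RP_ID = "login.example.com"
EXPECTED_ORIGIN = "https://login.example.com"
RP_ID_HASH = hashlib.sha256(RP_ID.encode()).digest()


def totp_login(submitted_code: str, server_code: str) -> bool:
    """An SMS/TOTP code carries no information about where the user typed it,
    so a code captured and forwarded by a reverse proxy is indistinguishable
    from one typed on the real site."""
    return submitted_code == server_code


def webauthn_login(client_data_json: bytes, rp_id_hash: bytes, challenge: str) -> bool:
    """Checks the relying-party fields a proxy cannot forge. The browser, not the
    user, writes `origin` into clientDataJSON and the authenticator signs over a
    hash of it, so a phishing host on another domain yields a different origin.
    (A real verifier also checks the signature over authenticatorData plus
    sha256(clientDataJSON); that step is omitted in this model.)"""
    data = json.loads(client_data_json)
    if data.get("type") != "webauthn.get":
        return False
    if data.get("challenge") != challenge:
        return False  # replay of an assertion for an old challenge
    if data.get("origin") != EXPECTED_ORIGIN:
        return False  # assertion was produced on a different site
    if rp_id_hash != RP_ID_HASH:
        return False  # credential scoped to a different relying party
    return True


def client_data(origin: str, challenge: str) -> bytes:
    """Constructed clientDataJSON as a browser would emit it for `origin`."""
    payload = {"type": "webauthn.get", "challenge": challenge, "origin": origin}
    return json.dumps(payload).encode()
```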
⚡ What Most People Missed
FERPA implications if Infinite Campus is confirmed. ShinyHunters' Ameriprise listing also included a separate claim against Infinite Campus, the student-information system used by millions of K-12 students. Beyond the financial headline, exposure of student education records could trigger obligations under the Family Educational Rights and Privacy Act (FERPA) and state breach-notification laws, creating a cascade of district-level incident response and notification work that differs materially from typical corporate breach playbooks.
OpenClaw is accumulating critical CVEs rapidly. The viral open-source AI agent — now one of the most-starred projects on GitHub — had multiple new CVEs this week, including CVE-2026-32056 (shell startup file injection for RCE) and CVE-2026-32042 (authentication bypass to full admin scope). Over 40,000 instances were found exposed on the internet, with 63% assessed as vulnerable in recent internet scans this week. Treat AI agent frameworks like beta remote-access tools, not harmless chatbots.
Kiosks and terminals are still shipped with admin-level access. A widely shared r/cybersecurity thread documented a Chuck E. Cheese kiosk running as local Administrator with no password and generated multiple follow-ups reporting identical configurations at airports, hospitals, and hotels. Payment and service kiosks running as admin with no lockdown are a known vector for POS and supply-chain malware; the persistence of this misconfiguration across venues is the real issue.
mailcow host-header poisoning can hijack reset links. Host header poisoning in mailcow installations before version 2025-01a lets an attacker hijack password-reset links on dockerized deployments — a classic web-stack bug, but on a self-hosted email platform where users trust reset emails from "their own" server. A fix has been shipped; check your version.
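The bug class behind that item, as an added example (not mailcow's code): the same reset-link builder written the vulnerable way and the hardened way, with CANONICAL_BASE an assumed configured value standing in for the deployment's real hostname.

```python
from urllib.parse import urlencode, urlparse

# Constructed example (added here, not mailcow's code). CANONICAL_BASE is an
# assumed configured value standing in for the deployment's real hostname.
CANONICAL_BASE = "https://mail.example.com"
CANONICAL_HOST = urlparse(CANONICAL_BASE).hostname


def reset_link_vulnerable(headers: dict, token: str) -> str:
    """Builds the link from the request's Host header. Whatever hostname the
    client (or a misconfigured reverse proxy) supplied becomes the domain the
    user's reset token is mailed out under."""
    host = headers.get("Host", "localhost")
    return f"https://{host}/reset?{urlencode({'token': token})}"


def reset_link_hardened(headers: dict, token: str) -> str:
    """Never derives the link from the request; uses the configured hostname and
    rejects a mismatching Host header outright so it can be logged and alerted on."""
    host = headers.get("Host", "").split(":")[0].lower()
    if host != CANONICAL_HOST:
        raise ValueError(f"unexpected Host header: {host!r}")
    return f"{CANONICAL_BASE}/reset?{urlencode({'token': token})}"


def hardened_accepts(headers: dict) -> bool:
    """True if the hardened builder would issue a link for this request."""
    try:
        reset_link_hardened(headers, "probe")
        return True
    except ValueError:
        return False


def link_host(url: str) -> str:
    """The hostname a generated link points at (used for checks)."""
    return urlparse(url).hostname or ""
```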
From the Foreign Press
CERT-UA: APT28 Exploiting CVE-2026-21509 Against Ukraine and EU
CERT-UA Advisory #19542 warns that UAC-0001 (APT28/Fancy Bear, Russia's GRU-linked cyber unit) is conducting active cyberattacks against Ukrainian government agencies and EU member states using an exploit for CVE-2026-21509. The advisory details the attack chain and indicators of compromise. This is operationally significant for any organization in the EU government or defense supply chain — APT28 campaigns frequently expand targeting once initial tooling is validated. The advisory was published in Ukrainian with no confirmed English-language coverage at time of publication, though Broadcom has covered related UAC activity.
Source: CERT-UA — Ukrainian. No English-language coverage confirmed at time of publication.
Silver Dragon Targets Organizations in Southeast Asia and Europe
Check Point Research published a detailed report on "Silver Dragon," a threat actor targeting organizations across Southeast Asia and Europe. While Check Point publishes in English, this report has not yet appeared in mainstream English-language security press. The campaign's geographic spread and targeting profile suggest state-aligned espionage operations, and the technical indicators may be relevant for defenders in affected regions.
Source: Check Point Research — English; not yet covered by mainstream English-language press at time of publication.
📅 What to Watch
- If Ubuntu/Canonical ships a snapd security update this week, it is addressing CVE-2026-3888. Apply immediately on any public-facing or multi-user Linux systems; the full exploit chain has been published and increases exploitation urgency.
- If CISA adds CVE-2025-32975 (Quest KACE SMA) to the KEV catalog, expect automated mass-scanning of management appliances — active exploitation is already confirmed — and the KEV listing could prompt federal agencies to prioritize patching and increase attacker interest.
- If WordPress hosting providers start auto-disabling the Backup Migration plugin, that will indicate widespread scanning visible in hosting telemetry; the Metasploit module makes point-and-click exploitation possible for many compromised sites.
- If Oracle Identity Manager proof-of-concept code appears publicly, the window between Oracle's emergency patch and mass exploitation could narrow significantly — treat unpatched instances as high risk and prioritize mitigations.
- If more US officials report Signal account compromises, that may prompt the FBI to publish IOCs and endpoint recovery guidance; the current warning suggests the campaign is still active and expanding.
The Closer
A text editor that executes code, a children's grade system on a leak site, and a Chuck E. Cheese kiosk running as God — the security assumptions we never thought to question are having a very bad Monday.
Somewhere, a sysadmin is explaining to their CISO that the automation tool designed to connect everything just connected everything to the wrong people.
Stay paranoid. Stay patched.
If someone you know runs n8n, WordPress backups, or a Chuck E. Cheese franchise — forward this their way.