Your Endpoint Manager Is Now a Weapon

On March 11, Iran-linked hacktivists (Handala) used a compromised Global Administrator account to wipe between 80,000 and 200,000 Stryker corporate devices — all via a single Microsoft Intune wipe command. CISA and the FBI responded with a joint advisory urging organizations to harden their Intune environments. The story isn't about Stryker specifically; it's that your endpoint management platform, built to give IT teams remote control over every device in the fleet, now gives attackers exactly the same power if they get in. If you haven't audited privileged access to your MDM/UEM environment — conditional access policies, admin account MFA, break-glass procedures — that review belongs on this week's list.

Your Vulnerability Scanner Was Stealing Your Secrets

On March 19, attackers known as TeamPCP compromised Aqua Security's Trivy — one of the most widely deployed open-source vulnerability scanners — for the second time this year. They force-pushed 75 of 76 version tags in the trivy-action GitHub repository, injecting a credential stealer that extracted SSH keys, cloud credentials, Kubernetes tokens, and Docker registry configs from CI/CD pipelines for approximately 12 hours. The root cause was incomplete credential rotation after the first breach. If Trivy runs in your pipelines, audit the version pins. More broadly, the tools you trust to find vulnerabilities are themselves high-value targets — and most organizations don't apply the same scrutiny to their security toolchain that they apply to production code.
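As an added example (not from the newsletter or from Aqua), a small check for the "audit the version pins" step: it scans GitHub Actions workflow text for steps that reference aquasecurity/trivy-action by a tag rather than a full 40-character commit SHA, since a tag can be force-pushed as it was here while a commit SHA cannot be moved. The workflow text, the version string and the SHA in it are constructed placeholders.

```python
import re

# Matches `uses: owner/repo[/path]@ref` in a GitHub Actions workflow.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([\w.-]+/[\w.-]+(?:/[\w./-]+)?)@(\S+)")
# A full commit SHA: the only ref type a force-pushed tag cannot redirect.
SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def find_mutable_pins(workflow_text, watch=("aquasecurity/trivy-action",)):
    """Return (line_no, action, ref) for each watched step not pinned to a SHA.

    `watch` lists owner/repo names to check; pass an empty tuple to check
    every action reference in the file.
    """
    findings = []
    for line_no, line in enumerate(workflow_text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        action, ref = m.group(1), m.group(2)
        repo = "/".join(action.split("/")[:2])  # drop any sub-action path
        if watch and repo not in watch:
            continue
        if not SHA_RE.match(ref):  # tag or branch: movable by a force-push
            findings.append((line_no, action, ref))
    return findings


# Constructed sample workflow: a tag pin, a SHA pin (placeholder hash), and
# an unrelated action that is only reported when `watch` is empty.
SAMPLE_WORKFLOW = """\
name: scan
jobs:
  scan:
    steps:
      - uses: actions/checkout@v4
      - name: Scan image (tag pin, would have pulled the injected code)
        uses: aquasecurity/trivy-action@0.28.0
        with:
          image-ref: myorg/app:latest
      - name: Scan filesystem (SHA pin, placeholder hash)
        uses: aquasecurity/trivy-action@0123456789abcdef0123456789abcdef01234567
"""

if __name__ == "__main__":
    for line_no, action, ref in find_mutable_pins(SAMPLE_WORKFLOW):
        print(f"line {line_no}: {action}@{ref} is a mutable ref; pin to a commit SHA")
```

Run it over every file under `.github/workflows/`; the same pattern applies to any other third-party action you treat as trusted.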

ShinyHunters Turned Salesforce Misconfigs Into a 400-Company Breach

ShinyHunters claims to have breached between 300 and 400 organizations — including Okta, Snowflake, LastPass, and Sony — by exploiting overly permissive guest user settings in Salesforce Experience Cloud. They weaponized AuraInspector, an open-source Salesforce auditing tool originally developed by Mandiant, to automate exploitation at scale. The attackers have been in since September 2025 and started extortion in March 2026. Salesforce's position is that this is a customer misconfiguration, not a platform vulnerability — and they're technically correct. That distinction doesn't matter to the organizations whose data is now on the market. If you have any Salesforce Experience Cloud portals, guest user access controls need an audit this week.

VMware Aria Operations: The Federal Deadline Is Monday

CISA's remediation deadline for CVE-2026-22719 — a command injection flaw in VMware Aria Operations — is March 24. Federal agencies are required to patch or apply Broadcom's workaround by Monday. The flaw is actively exploited, it's in CISA's KEV catalog, and it allows unauthenticated remote code execution during Aria's migration workflow (CVSS 8.1). If you're not a federal agency, you don't have a hard deadline. But "actively exploited" and "unauthenticated RCE" should remove any discretion from the conversation.

Watch This

Agentic AI governance is becoming the security gap nobody has a plan for. Gartner forecasts 40% of enterprise applications will feature task-specific AI agents by 2026, but only 6% of organizations have an advanced AI security strategy. Microsoft published guidance on securing agentic AI end-to-end this week — notable because even the vendor building these systems is acknowledging the governance layer is missing. Keep an eye on this because the first significant agentic AI breach at a major enterprise won't look like a technical failure. It'll look like a governance failure that was entirely visible in retrospect, and the question of who is personally liable is already being litigated.

Across the DoGood network, we're tracking how IT leaders are approaching AI governance frameworks and the security controls around agentic systems. More on that Wednesday.

The CXO Brief is powered by the DoGood network — 5,000+ IT leaders sharing what they're actually working on.
