TLS Certificate Lifecycle Shortened to 200 Days; GlassWorm in Python Packages on GitHub; Two Chrome Zero-Days Fixed

As of March 15, 2026, the maximum certificate lifespan for TLS certificates has dropped to 200 days. The change is one step in a process established by the CA/Browser Forum: On March 15, 2027, maximum validity period of subscriber certificates will drop to 100 days, and on March 5, 2029, that window will be shortened to 47 days. Certificate authorities began making the change shortly before the deadline. DigiCert moved to issuing certificates with a maximum 199-day validity window on February 24, 2026, and SSL began issuing certificates with 200-day expiration dates on March 11, 2026. As SSL explains, the rationale for the shortened validity window lies in enhanced security, improved cryptographic agility, and stronger validation practices.

StepSecurity is warning of an ongoing campaign compromising hundreds of Python repositories on GitHub with GlassWorm malware, which notably is now being injected into developers' code without leaving evidence in the activity feed. GlassWorm — which takes its name from the invisible Unicode characters that hide the malicious code — was first observed in October 2025 in extensions from the OpenVSX marketplace; it uses Solana Blockchain for command-and-control (C2) and installs an infostealer, then uses developers' stolen tokens to take over accounts and propagate itself into additional repositories. "Anyone who runs pip install from a compromised repo or clones and executes the code will trigger the malware." The initial infection in this March 2026 campaign is through malicious VSCode and Cursor extensions. StepSecurity calls the new injection technique "ForceMemo," because the attacker finds the latest legitimate commit of a branch, rebases it to include the GlassWorm code, and then force-pushes to the default branch, with Solana transaction memos as the C2 channel. This preserves the original commit message and author date, and sets the committer email to "null." The malware loader is also added as an extension dependency, rather than being included in the package. "The targeted repos include Django web applications, machine learning research code, Streamlit dashboards, Flask APIs, and Python packages installable via pip install from GitHub URLs." Aikido and Socket have also published notices, noting that the same technique is being used in npm and VS Code marketplace, and that most, but not all infected OpenVSX extensions have been removed. Users should follow StepSecurity's instructions to check for indicators of compromise and review git commit history.

Google has updated Chrome to fix two high-severity vulnerabilities that are being actively exploited. CVE-2026-3909 is an out-of-bounds write in Skia in Google Chrome prior to 146.0.7680.75 that allowed a remote attacker to perform out of bounds memory access via a crafted HTML page. CVE-2026-3910 is an inappropriate implementation in V8 in Google Chrome prior to 146.0.7680.75 that allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. Users are urged to ensure that they are running the most current versions of Chrome, which are 146.0.7680.75/76 for Windows/Mac and 146.0.7680.75 for Linux at the time of writing. Both vulnerabilities were discovered in-house, and both have been added to the US Cybersecurity and Infrastructure Security Agency's Known Exploited Vulnerabilities (CISA KEV) catalog with mitigation deadlines of March 27, 2026.

Hewlett Packard Enterprise (HPE) has published a security advisory warning of five vulnerabilities, one rated critical, in HPE Aruba Networking AOS-CX before versions 10.10.1180, 10.13.1161, 10.16.1030, and 10.17.1001. CVE-2026-23813, CVSS score 9.8, allows an unauthenticated remote attacker to circumvent authentication controls for AOS-CX network switches, including resetting the admin password, due to a flaw in the web-based management interface. Three of the flaws are high-severity: a command parameters flaw allowing malicious command injection (CVE-2026-23814), a flaw in a custom binary in the CLI allowing command injection (CVE-2026-23815), and a flaw in the CLI allowing command injection at the operating system level (CVE-2026-23816). The fifth flaw is rated medium, and allows an attacker to redirect users to an arbitrary URL due to a vulnerability in the web-based management interface. Beyond applying the patches, HPE recommends the same initial mitigation for all five vulnerabilities: ensure that "management interfaces be restricted to a dedicated layer 2 segment/VLAN and/or controlled by firewall policies at layer 3 and above, along with accounting controls for tracking and logging user activities and resource usage." For the critical flaw, HPE has additional recommendations: "Disable HTTP(S) interfaces on Switched Virtual Interfaces (SVIs) and routed ports wherever management access is not required. Enforce Control Plane Access Control Lists (ACLs) to protect any REST/HTTP-enabled management interfaces, ensuring only trusted clients are allowed to connect to the HTTPS/REST endpoints. Enable comprehensive accounting, logging, and monitoring of all management interface activities to detect and respond to unauthorized access attempts promptly."

The UK government's business registry, Company House, says that a vulnerability in its WebFiling service could have allowed "a logged-in user of [the] WebFiling service [to] potentially access and change some elements of another company’s details without their consent after performing a specific set of actions." Companies House, which oversees the incorporation and dissolution of companies, temporarily shuttered the WebFiling service on Friday, March 13, and the service remained closed over the weekend. The issue has now been resolved, and the service is online as of Monday, March 16. Company House became aware of the vulnerability through Dan Neidle, a tax professional, who learned of the issue from Ghost Mail's director of operations John Hewitt. The incident has been reported to the Information Commissioner’s Office (ICO) and the National Cyber Security Centre (NCSC). The issue appears to have been introduced in an October 2025 WebFiling update.

Vancouver, British Columbia-based *TELUS Digital* has acknowledged that it experienced a cybersecurity incident after threat actors claimed to have stolen nearly one petabyte of data from the business process outsourcing company. TELUS Digital is investigating the incident but has not provided any specifics about when the incident occurred, nor what kind of data were compromised. Canadian retailer *Loblaw* has disclosed a data security breach that compromised basic customer data, including names, phone numbers, and email addresses. Loblaw, which is based in Brampton, Ontario, has notified customers of the incident, and acknowledged that as a precaution, all customers will be logged out of their accounts.

An international law enforcement operation coordinated by INTERPOL has arrested 94 individuals for their alleged roles in phishing and ransomware operations. Another 110 individuals remain under investigation. The operation also took down more than 45,000 malicious IP addresses and seized more than 200 electronic devices and servers. Operation Synergia III involved law enforcement agencies from 72 countries and territories as well as private sector partners. The operation ran from mid-July 2025 through the end of January 2026. The criminal activity included websites used in ransomware and phishing; phony sites for casinos, government, banking, and payments services; and romance scams, loan and job scams, payment card fraud, and identity fraud.

In a statement on March 12, 2026, Poland's National Centre for Nuclear Research (NCBJ) said that "an attempted cyberattack on the Institute's IT infrastructure" was thwarted "thanks to the rapid and effective actions of security systems and procedures ... as well as the quick response of our teams." NCBJ says that production, operations, and research were not disrupted and that "the MARIA nuclear reactor is safe." According to Reuters, NCBJ "is Poland’s main government nuclear research institute specializing in nuclear physics, reactor technology, particle physics, and radiation applications. It provides technical and scientific support for the country’s nuclear power program." Poland is building the country's first nuclear power plant. In January, elements of Poland's power grid — distributed energy resource (DER) sites, heat and power (CHP) facilities, wind, and solar dispatch systems — were also targeted by cyberattacks.

Recently unsealed court documents name Angelo Martino as the previously unnamed co-conspirator of Ryan Clifford Goldberg and Kevin Tyler Martin in extortion of US companies as affiliates of the ALPHV BlackCat ransomware scheme in 2023. At the time of the attacks, Martino and Martin were employed as ransomware threat negotiators at DigitalMint, and Goldberg was an incident response manager for Cygnia Cybersecurity Services. Martin and Goldberg were indicted in October 2025 and pleaded guilty to charges of extortion in December. The trio is variously indicted for ten ransomware attacks, six of which resulted in ransomware payments: one paid to Martin, Goldberg, and Martino directly, and five paid to other unnamed ALPHV BlackCat co-conspirators when Martino exploited his position as ransomware negotiator in exchange for a portion of the ransom, providing "direction and confidential information" about DigitalMint clients to the attackers to maximize the ransom payment. The total paid in ransoms across these cases exceeds US$75.25 million, with additional losses for all victims from the theft and encryption of their data. Martino's plea will be heard on March 19; in the meantime, his properties, vehicles, and financial assets have been seized, and he is forbidden from leaving the Southern District of Florida and from ever working in the cybersecurity industry again. The maximum term of imprisonment for these charges is 20 years.