Top 5 Cybersecurity News Stories March 13, 2026

This is a strategic read on the top cybersecurity news stories for March 13, 2026, and what they reveal about where systemic risk is shifting.

Across legal data brokers, healthcare processors, browser‑based AI, phishing‑as‑a‑service platforms, and developer‑tool ecosystems, the common thread this week is simple: attackers are going after the control planes of the digital economy, not just another endpoint.
For CISOs and technology leaders, these stories are signals about how fast governance models are falling behind the way systems are actually used.

LexisNexis: Legacy cloud as a blind spot in data‑broker risk

LexisNexis Legal & Professional confirmed that the FulcrumSec group exploited the React2Shell vulnerability in an unpatched React front‑end to access its AWS environment and exfiltrate about 2 GB of structured data, including millions of records and tens of thousands of customer accounts.
The firm insists the breach mainly involved pre‑2020 “legacy, deprecated” data rather than active, high‑sensitivity content. 


LexisNexis is infrastructure for law firms, corporates, and governments; even “old” datasets still map who works with whom, on what, and through which accounts.
For customers, this is less about direct PII loss and more about the visibility it gives adversaries into legal workflows, public‑sector dependencies, and the structure of high‑value relationships. 

Data brokers and analytics platforms are now systemic concentration points; their legacy cloud estates often sit outside modern control baselines, yet still hold enough context to power targeting, extortion, and long‑tail social engineering. 

Read more on: BleepingComputer

TriZetto: Healthcare eligibility pipes as systemic exposure

TriZetto Provider Solutions, a Cognizant subsidiary that handles insurance eligibility checks for U.S. providers, disclosed that a 2024 intrusion exposed personal and health data for more than 3.4 million people and went undetected for nearly a year.
Stolen records include names, dates of birth, addresses, Social Security numbers, and detailed insurance eligibility reports. 


TriZetto sits in the transactional core of U.S. healthcare, serving hundreds of thousands of providers and roughly 200 million covered lives.
A breach here does not just leak isolated charts; it exposes cross‑payer, cross‑provider views of patients that are hard to reconstruct elsewhere, with long‑term fraud and identity‑theft implications. 

Healthcare risk is moving from individual hospitals to shared clearinghouses and processors—entities that aggregate eligibility, billing, and routing data but often operate under older monitoring and incident‑detection regimes. 

Read more on: TechCrunch

Malicious AI extensions: LLM usage as an exfiltration surface

Microsoft reported malicious Chromium extensions posing as AI assistants that were distributed via official stores, amassing around 900,000 installs across more than 20,000 enterprise environments.
These add‑ons harvested browsing data and LLM chat content from services like ChatGPT and DeepSeek, exfiltrating internal prompts, code, and documents to attacker‑controlled infrastructure. 


Most organizations have no governance layer for browser extensions or for how LLMs are used day‑to‑day.
This means sensitive IP, internal decision logs, and deal discussions can leak without any compromised account, only a user installing a “productivity” plugin. 

AI adoption is outpacing controls: the browser has quietly become a shadow data‑plane for AI, where policy, DLP, and extension allow‑listing lag far behind real usage. 
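
One way to start closing the extension-governance gap described above is to audit what is installed against an allow-list and flag anything able to read LLM chat pages. This is an added example, not code from the original article or from Microsoft's report; the hostnames in LLM_HOSTS, the extension IDs and names, and the allow-list are assumptions constructed for illustration.

```python
# Assumed hostnames for the chat services the article names.
LLM_HOSTS = ("chatgpt.com", "chat.deepseek.com")

def pattern_covers_host(pattern, host):
    """True if an extension match pattern (e.g. https://*.example.com/*) includes host."""
    if pattern == "<all_urls>":
        return True
    scheme, sep, rest = pattern.partition("://")
    if not sep or scheme not in ("*", "http", "https"):
        return False  # API permission names such as "tabs", or file: patterns
    pat_host = rest.split("/", 1)[0]
    if pat_host.startswith("*."):
        return host == pat_host[2:] or host.endswith(pat_host[1:])
    return pat_host in ("*", host)

def declared_patterns(manifest):
    """Host patterns from MV3 and MV2 permission fields plus content scripts."""
    pats = list(manifest.get("host_permissions", []))
    pats += manifest.get("optional_host_permissions", [])
    pats += [p for p in manifest.get("permissions", []) if isinstance(p, str)]
    for script in manifest.get("content_scripts", []):
        pats += script.get("matches", [])
    return pats

def audit(manifests, allowlist, llm_hosts=LLM_HOSTS):
    """Report unapproved extensions and any extension able to read LLM chat pages."""
    findings = []
    for ext_id, manifest in sorted(manifests.items()):
        pats = declared_patterns(manifest)
        reach = [h for h in llm_hosts if any(pattern_covers_host(p, h) for p in pats)]
        approved = ext_id in allowlist
        if approved and not reach:
            continue  # approved and no access to the watched hosts
        level = "review" if approved else ("high" if reach else "medium")
        findings.append((manifest.get("name", ext_id), level, reach))
    return findings

# Constructed sample: IDs and names are made up; real input is each parsed manifest.json.
SAMPLE = {
    "a" * 32: {"name": "AI Sidebar Helper", "manifest_version": 3,
               "host_permissions": ["https://chatgpt.com/*", "https://*.deepseek.com/*"]},
    "b" * 32: {"name": "Corp Password Manager", "manifest_version": 3,
               "content_scripts": [{"matches": ["<all_urls>"], "js": ["fill.js"]}]},
    "c" * 32: {"name": "Tab Sorter", "manifest_version": 2, "permissions": ["tabs"]},
    "d" * 32: {"name": "Intranet Notes", "manifest_version": 3,
               "host_permissions": ["https://intranet.example/*"]},
}
ALLOWLIST = {"b" * 32, "d" * 32}
```

Calling audit(SAMPLE, ALLOWLIST) returns three findings: the unapproved AI helper as "high", the approved password manager as "review" because its content script runs on every page, and the unapproved tab sorter as "medium".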

Read more on: Microsoft Security Blog

GitHub‑driven stealer: BoryptGrab via fake repositories

Researchers discovered BoryptGrab, an info‑stealer distributed through more than 100 deceptive GitHub repositories that mimic popular tools, game‑related utilities, and “crack” packages.
Users who download and run the ZIPs from these repositories execute the stealer, which then collects browser data, saved credentials, and cryptocurrency‑wallet information from the host machine. 

GitHub is treated as a collaboration platform, not a primary malware‑delivery vector, so many organizations have no policy or controls limiting which external repositories developers or employees can pull ZIPs and scripts from. This turns open‑source‑adjacent workflows into a soft supply‑chain risk: a single deceptive repo can distribute malware at scale without touching formal software distribution channels. 

Public code‑hosting platforms are becoming attacker‑owned software‑supply‑chain surfaces; treating them as neutral or “developer‑safe” environments is no longer tenable.
Organizations that allow developers to freely download and run code from GitHub should treat ZIPs and scripts from external repos as untrusted artifacts and enforce sandboxing, allow‑listing, and strict execution‑approval workflows around them. 

Read more on: Trend Micro Research

Tycoon 2FA: Industrialised MFA bypass as a service 

A Europol‑led coalition with Microsoft and others disrupted Tycoon 2FA, a phishing‑as‑a‑service platform that used adversary‑in‑the‑middle techniques to intercept credentials, MFA codes, and session cookies.
The service is linked to over 64,000 phishing attacks, tens of millions of emails per month, and unauthorized access to nearly 100,000 organizations, with 330+ domains seized in the takedown.

Tycoon 2FA turned MFA bypass into a commodity capability any low‑skill actor could rent, collapsing the security gap between basic and advanced phishers.
For defenders, this erodes the assumption that “we’re safe because we have MFA” and shifts emphasis to phishing‑resistant methods and session‑level detection. 

Identity is now an ecosystem battleground where criminal tooling evolves as fast as enterprise IAM; expect successors to Tycoon to reappear, more distributed and more automated.

Read more on: Cybersecurity Dive 

If this week tells us anything, it’s this:

Risk is migrating into the connective tissue of your organization: the brokers, processors, controllers, AI surfaces, and identity ecosystems that sit between traditional “systems of record” and the outside world. Securing endpoints and applications is table stakes; the strategic question now is how quickly leadership can bring legacy cloud, shared industry platforms, browser‑based AI usage, network control planes, and identity supply chains under the same level of architectural scrutiny as core systems.

At DIESEC, our experts are ready to assist with all your cybersecurity needs. We ensure your system is safe and secure and provide training for your employees to avoid falling victim to social engineering tactics.
For more information, please contact us now!