10 Cyberattacks. One Architecture.

The 10 most significant cyberattacks of early 2026 are being reported as separate incidents. They are not. Laid side by side, they reveal a shared attack architecture — one built not on exploiting software flaws, but on exploiting trust itself.

Incident reports are written in isolation. A company discloses a breach, a researcher publishes indicators of compromise, and the story moves on. What rarely happens is someone stepping back far enough to ask whether the breach at a Canadian BPO giant, a federal law enforcement surveillance network, and hundreds of open-source code repositories are all expressions of the same underlying problem. In early 2026, they are.

The 10 Incidents at a Glance

These are the most significant attacks and disclosures from late February through mid-March 2026. They span ransomware, state-sponsored espionage, open-source poisoning, and identity-based extortion — but the underlying mechanics are far more similar than the headlines suggest.

01 — March 2026
TELUS Digital
Data Extortion / Supply Chain
ShinyHunters claimed nearly one petabyte of data — customer support recordings, source code, Salesforce data, FBI background checks — stolen over months via credentials found in a prior third-party breach (Salesloft/Drift). The group demanded $65 million. TELUS did not negotiate.
02 — February 2026
FBI Wiretap Network
State-Sponsored / Supply Chain
On February 17, FBI analysts detected abnormal log activity in the Digital Collection System Network — the system that holds court-authorized wiretap data, pen register records, and FISA warrant information. Entry came through a commercial ISP vendor's infrastructure. U.S. investigators suspect Chinese government involvement.
03 — March 2026
GlassWorm / ForceMemo
Supply Chain / Developer Credential Theft
A threat actor used credentials stolen from a prior VS Code extension campaign to force-push malware into 400+ GitHub repositories, npm packages, and VSCode extensions. Injections used invisible Unicode characters and blockchain-based C2 via Solana — invisible to standard code review tools.
04 — February 2026
Odido (Netherlands)
Data Extortion / Telecom
ShinyHunters exposed personal data from more than six million accounts at the Dutch telecom formerly known as T-Mobile Netherlands. Stolen data included bank account numbers and passport numbers. This is the same group that breached TELUS weeks later.
05 — February 2026
Wynn Resorts
Ransomware / Hospitality
ShinyHunters listed Wynn Resorts on its leak portal, claiming exfiltration of company data. The listing was later removed — a pattern consistent with a negotiation or remediation action. The breach follows a sustained wave of hospitality sector targeting where peripheral booking and CRM systems serve as entry points.
06 — February 2026
Conpet (Romania)
Ransomware / Critical Infrastructure
Qilin ransomware compromised Romania's national oil pipeline operator, exfiltrating over one terabyte of data including passports and financial records. Conpet's 3,800-kilometer pipeline network supplies crude oil and gasoline to refineries across the country.
07 — February 2026
Choice Hotels International
Social Engineering / Identity
A social engineering attack bypassed MFA to access an internal application containing Social Security numbers and dates of birth for franchisees and franchise applicants. The attacker's access window lasted less than an hour before detection. No ransomware group claimed responsibility.
08 — February 2026
ANSI Database Leak
Data Exfiltration / Standards Body
The American National Standards Institute's database — approximately 2.3 terabytes — appeared on a data breach forum. Contents included internal communications, draft standards, rejected standards, historical files, and access logs. The exposure of technical committee records and draft standards has intelligence value that goes beyond typical breach impact.
09 — March 2026
Stryker (Medical Devices)
State-Sponsored / Healthcare
The Handala threat group, assessed to operate under Iranian government direction, claimed an attack on medical device maker Stryker. The targeting follows a pattern of Iranian cyber activity escalating in response to conventional military pressure — specifically Operation Epic Fury strikes against Iranian infrastructure in early 2026.
10 — March 2026
IndusInd Bank App Spoofing
Malware / Financial Fraud
A malicious Android APK mimicking the IndusInd Bank app was deployed in a phishing campaign targeting Indian users. Data was exfiltrated simultaneously to a phishing server and a Telegram-controlled C2 channel. The attack reflects a broader pattern of banking malware using dual-channel exfiltration to complicate attribution and takedown.

Three Patterns Nobody Is Connecting

Treating these as ten separate stories misses what is actually happening. Across incidents involving different threat actors, geographies, and sectors, three structural patterns repeat with enough consistency to be diagnostic.

Pattern 1: The Credential Chain

The most important detail in the TELUS Digital breach is not the volume of data stolen — it is how access began. ShinyHunters did not attack TELUS directly. They attacked Salesloft's GitHub environment, stole OAuth tokens from a Drift chatbot integration, used those tokens to query Salesforce data from hundreds of organizations, found Google Cloud Platform credentials for TELUS inside that Salesforce data, then used those GCP credentials to access TELUS's BigQuery environment. Once inside BigQuery, they used TruffleHog — an open-source credential-scanning tool — to mine the downloaded data for additional passwords and tokens, then moved laterally further into TELUS infrastructure.

That is a five-step credential chain that began at a company that had nothing to do with TELUS. The GlassWorm campaign follows the same logic in a different environment. GlassWorm stole developer credentials through compromised VS Code extensions, then used those credentials to access GitHub accounts, then used those accounts to inject malware into Python repositories that other developers would install via pip install. The FBI wiretap breach followed the same architecture in a government context — attackers didn't breach FBI systems, they compromised the ISP vendor connected to those systems and used that trusted infrastructure as a bridge.

Credential Chain — Shared Attack Architecture (figure): Stage 1, breach a third party; Stage 2, extract credentials; Stage 3, pivot to the real target; Stage 4, move laterally; Stage 5, exfiltrate or impact.
TELUS Digital, GlassWorm/ForceMemo, and the FBI wiretap breach all follow this same five-stage credential chain pattern — the initial target is never the final target.

The implication is significant and underreported: the organization that gets breached is often not the organization that made the security mistake. TELUS's breach began at Salesloft. The FBI's breach began at an ISP. GlassWorm's latest wave began with developer accounts compromised months earlier through an IDE extension marketplace. Organizations are, in practice, inheriting the vulnerabilities of every vendor and platform their employees use.

Pattern 2: Trusted Channels as Delivery Vehicles

A second pattern runs through multiple incidents: attackers are not bypassing legitimate systems — they are using legitimate systems as weapons. This is more significant than it sounds.

GlassWorm injected malware into repositories that developers trust and use daily — GitHub, npm, the VS Code extension marketplace, and OpenVSX. The malicious code was invisible in standard review: hidden inside Unicode characters from the Private Use Area ranges (U+FE00–U+FE0F and U+E0100–U+E01EF) that no editor, diff tool, or linter renders visibly. Aikido Security assessed that the attack likely used LLM-generated cover commits — realistic-looking documentation tweaks, version bumps, and bug fixes — to make the injections blend in across 150+ different codebases. A developer doing a standard code review would see nothing wrong.
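A review-time check for the invisible code points described above, as an added example that is not GlassWorm tooling or any vendor's scanner: it flags every source line containing variation selectors in the two ranges the article names, plus common zero-width characters (an added assumption, a closely related class of invisible characters), run over a constructed sample file.

```python
"""Scan source text for invisible Unicode code points of the kind the
GlassWorm injections used: variation selectors U+FE00-U+FE0F and
U+E0100-U+E01EF. Added example, not GlassWorm code or any vendor's tool.
The sample file content below is constructed."""

# The first two ranges are named in the article; the zero-width ranges are
# added here as an assumption, since they are equally invisible in review.
SUSPICIOUS_RANGES = (
    (0xFE00, 0xFE0F),    # Variation Selectors (named in the article)
    (0xE0100, 0xE01EF),  # Variation Selectors Supplement (named in the article)
    (0x200B, 0x200F),    # zero-width space/joiners/marks (assumption)
    (0x2060, 0x2064),    # word joiner and invisible operators (assumption)
)

def is_suspicious(ch: str) -> bool:
    cp = ord(ch)
    return any(lo <= cp <= hi for lo, hi in SUSPICIOUS_RANGES)

def scan_source(text: str) -> list[dict]:
    """Return one finding per line that contains a flagged code point, with
    the count, the distinct code points, and the line as a reviewer sees it."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        hits = [ch for ch in line if is_suspicious(ch)]
        if hits:
            findings.append({
                "line": lineno,
                "count": len(hits),
                "codepoints": sorted({f"U+{ord(c):04X}" for c in hits}),
                "visible": "".join(ch for ch in line if not is_suspicious(ch)),
            })
    return findings

# Constructed sample: a harmless-looking version bump with two variation
# selectors appended to the string literal and a zero-width space in a call.
SAMPLE = (
    'VERSION = "1.2.4"\U000E0100\U000E01EF\n'
    "def main():\n"
    "    print(VERSION)\u200b\n"
)

if __name__ == "__main__":
    for f in scan_source(SAMPLE):
        print(f"line {f['line']}: {f['count']} invisible code point(s) {f['codepoints']}")
```

Run as a pre-merge hook, any non-empty result blocks the merge; the "visible" field shows a reviewer exactly the text the editor would have rendered.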

The March 2026 phishing campaign exploiting trusted domains registered since 1996 follows the same logic. Attackers didn't build convincing fakes — they hijacked redirect functions on legitimate, long-standing domains that antivirus tools consistently rated as clean. Users were moving between real pages and never saw a suspicious URL. The IndusInd Bank APK mimicked a legitimate app. The FBI breach blended into normal ISP traffic.

Note

GlassWorm's use of Solana blockchain transactions as a command-and-control mechanism is a documented evasion technique that has now expanded beyond a niche exploit. Querying a blockchain wallet's memo field for payload URLs is functionally invisible to perimeter-based security tools, which do not flag outbound connections to public blockchain RPC endpoints as suspicious.

The common thread is the exploitation of trust infrastructure — not technical vulnerabilities. Detection tools built to recognize bad behavior cannot catch bad actors behaving like trusted ones. This is what a CSO Online analyst described in the context of the TELUS breach: organizations are good at detecting bad behavior but not abnormal trusted behavior. That gap is now the primary attack surface across at least six of these ten incidents.

Pattern 3: BPO and Aggregator Organizations as Force Multipliers

The third pattern is the one with the least public attention. Business process outsourcing companies, SaaS aggregators, and developer tooling platforms are becoming high-value targets precisely because they serve as trusted intermediaries to many downstream organizations simultaneously.

When ShinyHunters breached TELUS Digital, they didn't just breach TELUS — they accessed data from at least 28 client companies whose customer support, fraud detection, AI data operations, and call center functions TELUS Digital runs on their behalf. The ANSI database leak is a version of the same problem: a standards body holds technical committee records, draft standards, internal communications, and access logs for hundreds of member organizations. The Salesloft breach — which was the starting point for the TELUS chain — exposed Salesforce data from approximately 760 organizations simultaneously.

This is force multiplication through aggregation. A single breach at an intermediary organization yields data on dozens or hundreds of the organizations that rely on it. Attackers understand this math better than defenders do. ShinyHunters' targeting pattern across 2025 and 2026 — GAP, Qantas, SoundCloud, Crunchbase, Odido, Wynn Resorts, TELUS Digital — is consistent with a group that actively selects targets based on downstream data yield, not target size alone.

The Deeper Issue: Trust as Infrastructure

There is a connection across these incidents that has not been publicly reported: what attackers are systematically attacking in 2026 is not technology — it is the trust architecture that modern organizations depend on to function.

Consider what "trust" means operationally. An organization trusts its ISP to carry legitimate traffic. It trusts its BPO vendor to handle customer data responsibly. It trusts its developer ecosystem — GitHub, npm, VS Code extensions — to contain clean code. It trusts its employees to recognize phishing. It trusts MFA to catch credential misuse. It trusts its antivirus to flag dangerous domains. In every one of these ten incidents, attackers exploited one of those trust assumptions directly.

"The biggest risk today is not that attackers are getting better at breaking in — it's that they're getting better at being trusted." — CSO Online analysis of the TELUS Digital breach

The FBI wiretap breach makes this explicit in a way that is uncomfortable for the security industry. The FBI's perimeter defenses held. Their direct systems were not compromised through a frontal attack. Attackers entered through the ISP vendor's infrastructure and blended into normal network traffic. The White House, NSA, DHS, and CISA all joined the investigation — because a nation-state actor likely used supply chain access to reach the bureau's most sensitive surveillance data. If that is possible with the FBI's security budget and mandate, it is possible against any organization relying on commercial internet infrastructure.

What is not yet widely connected in public reporting is the possibility that the FBI breach and the TELUS breach share more than an attack pattern. Both incidents involve suspected Chinese state-affiliated actors (Salt Typhoon attribution was being investigated for the FBI breach) and telecom or telecom-adjacent infrastructure. The TELUS breach exposed voice recordings and call metadata. The FBI breach exposed pen register data and wiretap returns. Both categories of data reveal the same thing: who is talking to whom. The intelligence value of combining these two datasets — if they were combined — goes well beyond what either breach appears to mean in isolation.

That connection has not been reported. It may be coincidental. But it is worth stating clearly: two major breaches in the same 30-day window, both involving telecom-layer data, both involving third-party vendor access paths, and both with credible Chinese state-actor suspicion, are not obviously unrelated.

What Organizations Should Do Now

The shared architecture of these attacks suggests that perimeter security and traditional malware detection are insufficient controls against the current threat environment. The following responses address the patterns directly.

  1. Map your trust dependencies, not just your attack surface. Identify every third party that holds credentials, data, or network access related to your organization — including their vendors. The Salesloft-to-TELUS chain involved a company that most TELUS clients had never heard of. Your exposure may begin at a vendor two or three steps removed.
  2. Treat credential scanning as a continuous operation. ShinyHunters used TruffleHog — a free, open-source tool — to extract credentials from data they had already stolen. Running the same tool against your own code repositories, cloud storage, and exported datasets before an attacker does costs nothing and reveals what is already exposed.
  3. Add committer date anomaly detection to code review workflows. GlassWorm's ForceMemo injection technique leaves one forensic trace that standard diff tools miss: the committer date is newer than the original author date. Automated checks for this discrepancy in merged commits would catch a technique that has now compromised 400+ repositories across four registries.
  4. Audit vendor ISP and network dependencies explicitly. The FBI breach path — through a commercial ISP's infrastructure — represents a supply chain entry point that few organizations include in penetration testing scope. Third-party network access paths should be tested as attack vectors, not assumed to be clean because they carry legitimate traffic.
  5. Revise incident response playbooks to address silent exfiltration. Several of these incidents — including TELUS — involved months of undetected access. Organizations that build incident response plans around ransomware encryption as the primary impact signal will miss exfiltration-only attacks entirely. Data-centric monitoring with volume and access anomaly thresholds needs to be the detection layer, not the aftermath investigation.
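One way to implement the committer-date check from item 3, as an added example (not the project's or any vendor's code): it parses the tab-separated output of a `git log --format` command and flags commits whose committer date trails the author date by more than a threshold. The threshold and the sample log are assumptions; rebases and cherry-picks also move the committer date, so flagged commits are review candidates, not verdicts.

```python
"""Flag commits whose committer date is later than their author date, the
trace the article says ForceMemo-style force-pushed rewrites leave behind.
Added example, not the project's or any vendor's tool. Input is the output of
    git log --format='%H%x09%at%x09%ct%x09%an%x09%s'
(tab-separated: hash, author epoch, committer epoch, author, subject).
The sample log below is constructed."""
from dataclasses import dataclass

# Rebases, cherry-picks and squash merges also move the committer date, so
# some skew is normal; this one-week threshold is an assumption, tune per repo.
SKEW_THRESHOLD_SECONDS = 7 * 24 * 3600

@dataclass
class Commit:
    sha: str
    author_ts: int
    committer_ts: int
    author: str
    subject: str

    @property
    def skew(self) -> int:
        """Seconds the committer date trails the author date (negative if earlier)."""
        return self.committer_ts - self.author_ts

def parse_git_log(text: str) -> list[Commit]:
    commits = []
    for line in text.strip().splitlines():
        sha, a_ts, c_ts, author, subject = line.split("\t", 4)
        commits.append(Commit(sha, int(a_ts), int(c_ts), author, subject))
    return commits

def find_rewritten_commits(commits: list[Commit],
                           threshold: int = SKEW_THRESHOLD_SECONDS) -> list[Commit]:
    """Return commits rewritten more than `threshold` seconds after authoring."""
    return [c for c in commits if c.skew > threshold]

# Constructed sample: three ordinary commits and one "README wording" commit
# whose committer date is exactly 45 days after its author date.
SAMPLE_LOG = """\
a1b2c3d\t1771000000\t1771000000\talice\tFix off-by-one in parser
b2c3d4e\t1771100000\t1771100600\tbob\tBump version to 1.2.4
c3d4e5f\t1771200000\t1775088000\tcarol\tUpdate README wording
d4e5f6a\t1771300000\t1771300000\talice\tAdd regression test
"""

if __name__ == "__main__":
    for c in find_rewritten_commits(parse_git_log(SAMPLE_LOG)):
        print(f"{c.sha} {c.subject!r}: committer date {c.skew // 86400} days after author date")
```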

Every one of these ten incidents will be closed as a separate case. Forensic teams will document indicators of compromise, write their reports, and move to the next engagement. The pattern connecting them — trust exploitation as a systematic, repeating, cross-sector attack strategy — is unlikely to appear in any single incident report. That is why it is worth naming directly. The attackers already know the pattern. It is time for defenders to see it too.
