Google Fixes Two Chrome Zero-Days Exploited in the Wild Affecting Skia and V8
Google has released an emergency Chrome update patching two actively exploited high-severity zero-days discovered by its own internal security teams: CVE-2026-3909 (CVSS 8.8), an out-of-bounds write in the Skia 2D graphics library that allows a remote attacker to perform out-of-bounds memory access via a crafted HTML page, and CVE-2026-3910 (CVSS 8.8), an inappropriate implementation in the V8 JavaScript and WebAssembly engine that enables arbitrary code execution inside a sandbox — both reported by Google on March 10. This is already the third actively exploited Chrome zero-day patched in 2026, following February’s CSS use-after-free (CVE-2026-2441), and CISA added both new CVEs to its Known Exploited Vulnerabilities catalog on March 13, setting a March 27 patch deadline for federal agencies. Users of Chrome, Microsoft Edge, Brave, Opera, Vivaldi, and other Chromium-based browsers should update immediately, as Google has confirmed that exploits for both vulnerabilities exist in the wild.
FBI Seeks Victims of Steam Games Used to Spread Malware
The FBI’s Seattle Division has issued a public notice asking gamers who installed any of eight malicious Steam games between May 2024 and January 2026 to come forward as potential victims of an ongoing federal investigation, providing a contact address, Steam_Malware@fbi.gov, for those affected — the latest development in a years-long problem of threat actors successfully publishing infostealer-laden titles to Valve’s platform, with BleepingComputer documenting multiple such incidents in that period, including a compromised fan-made Slay the Spire mod and an early access title that redirected cancer treatment donations. The malware embedded in the affected games was designed to harvest credentials, cryptocurrency wallets, browser-stored passwords, and other sensitive data from players’ machines, and the FBI’s outreach to victims indicates that prosecutors are building a case for charges and that restitution for affected individuals may be on the table. Valve has not responded to inquiries about the investigation or about what additional platform-level controls are being implemented to prevent future occurrences.
Interpol’s ‘Operation Synergia III’ Nets 94 Arrests in Major Cybercrime Sweep
Interpol announced the results of Operation Synergia III on March 13 — a seven-month coordinated law enforcement action running from July 2025 through January 2026, involving 72 countries and private sector intelligence from Group-IB, Trend Micro, and S2W, and resulting in 94 arrests, 110 additional suspects under active investigation, 212 electronic devices and servers seized, and over 45,000 malicious IP addresses sinkholed — a dramatic scale-up from Operation Synergia II, which involved 95 countries but produced only 41 arrests and 22,000 takedowns. Targeted criminal infrastructure included phishing sites (Macau investigators alone identified over 33,000 fake casinos, banks, and government portals), malware distribution networks, ransomware C2 infrastructure, and romance scam and credit card fraud operations — with Bangladesh alone producing 40 arrests and 134 seized devices tied to loan scams, job scams, identity theft, and credit card fraud rings. The operation’s scale and its public announcement are consistent with Interpol’s increasingly deliberate strategy of using large-scale, publicized joint enforcement actions to erode trust within transnational cybercriminal networks — leaving participants uncertain whether the partners, infrastructure providers, or services they rely on have been compromised or are under active monitoring.
European Council Includes Ban on Nudification Tools in Its Proposal for Amending AI Act
The European Council released its proposal on March 13 for streamlining the EU AI Act — adding, notably, an outright prohibition on AI nudification tools: software that uses artificial intelligence to generate non-consensual intimate images by digitally removing clothing from photos of real individuals, a capability that exploded into public controversy in late December when Elon Musk’s Grok chatbot generated millions of such images that spread globally across X. The Council’s proposal, which now heads to negotiation with the European Parliament, also reinstates stricter necessity standards for processing special categories of sensitive personal data for bias detection purposes, requires providers claiming exemptions from high-risk AI rules to still register their systems in the EU’s AI database, and extends the timeline for when rules on high-risk AI systems take effect by up to 16 months to give smaller companies more adjustment time. The amendments reflect the EU’s pattern of using its legislative machinery as a reactive instrument to high-profile AI harms — in this case, moving with unusual speed given that the Grok incident occurred only three months ago — and the nudification tool ban, if it survives parliamentary negotiation, would be among the most direct regulatory responses to AI-generated non-consensual intimate imagery enacted anywhere in the world.
Telus Admits to Cyberattack, Possibly by ShinyHunters; Starbucks Employee Portal Also Breached
Canadian telecommunications giant Telus has confirmed it suffered a cyberattack, with ShinyHunters claiming responsibility and alleging they stole source code, employee data, and customer information — a claim consistent with the group’s recent wave of voice-phishing and SSO-compromise campaigns that have hit roughly 100 organizations across North America in 2026. In a separate but related development reported by The Register in the same story, Starbucks disclosed a data breach affecting 889 employees after threat actors built fake versions of the company’s Partner Central HR portal — which employees use to view paystubs, direct deposit information, time off, and benefits — captured login credentials through the spoofed sites, then used those credentials to access the real portal and steal personal and financial data. Both incidents underscore the continued effectiveness of brand-impersonation credential harvesting as an initial access technique, and the Starbucks case in particular is a cautionary example of how HR and employee portal phishing can yield high-value personal and financial data with relatively little technical sophistication — while the Telus breach, if ShinyHunters’ broader claims prove accurate, could have significant downstream implications for Canadian critical infrastructure security.