1. Google Chrome Zero-Days Patched Under Active Exploitation
   Google released emergency security updates to fix two high-severity Chrome vulnerabilities: CVE-2026-3909 (an out-of-bounds write in the Skia graphics library) and CVE-2026-3910 (an inappropriate implementation in the V8 JavaScript engine). Both were discovered by Google itself on March 10, 2026, and are being actively exploited in the wild.
   Source: The Hacker News
2. Microsoft Patch Tuesday: 82 CVEs Including 8 Critical Flaws
   Microsoft addressed 82 vulnerabilities in its March 2026 security update, including eight critical issues and two publicly disclosed vulnerabilities. Windows received the most patches (48), followed by Azure (13). A notable critical flaw, CVE-2026-21536 (CVSS 9.8), allows unauthenticated remote code execution via an unrestricted file upload weakness in the Microsoft Devices Pricing Program, though Microsoft proactively patched this in the cloud without requiring customer action.
   Source: CrowdStrike
3. Starbucks Data Breach via Employee Portal Phishing
   Starbucks disclosed a data breach affecting hundreds of employees after threat actors gained access to their Partner Central accounts through phishing attacks. Personal information, including names, email addresses, and phone numbers, was accessed.
   Source: SecurityWeek
4. Storm-2561 SEO Poisoning Campaign Targets VPN Users
   Microsoft’s Threat Intelligence team flagged an ongoing campaign by threat actor Storm-2561, which redirects users searching for legitimate enterprise software to malicious ZIP files on attacker-controlled websites. The campaign deploys digitally signed trojans that masquerade as trusted VPN clients while harvesting VPN credentials and impersonating vendors such as SonicWall and Pulse Secure.
   Source: The Hacker News
5. GlassWorm Campaign Escalates via Open VSX Extension Registry
   Researchers flagged a significant escalation in the GlassWorm campaign, which now abuses extension dependency chains in the Open VSX registry, allowing initially benign-looking packages to quietly pull in malicious extensions after trust is established. At least 72 additional malicious extensions have been discovered since January 31, 2026, targeting developers by mimicking popular tools such as linters, code runners, and AI coding assistants.
   Source: The Hacker News

It was a busy week with a heavy focus on zero-day exploits and supply chain threats. The Chrome zero-days and Patch Tuesday are the most urgent if you’re managing systems that need patching.
