Contents
01. News Bites
- Ransomware hits Spanish port of Vigo, disrupting digital operations
- Malicious LiteLLM package fuels major supply chain breach
- Cyberattack hits Dutch ministry of finance systems
- AstraZeneca data allegedly stolen and listed for sale on dark web
- Foster City USA declares emergency after cyberattack disrupts services
- Crunchyroll breach linked to third-party support systems impacts 6.8 million users
- Critical PLM vulnerability sparks urgent warnings across Europe
02. Conclusion
Ransomware hits Spanish port of Vigo, disrupting digital operations
A ransomware attack has disrupted digital systems at Spain’s Port of Vigo, forcing parts of its network offline and pushing some operations back to manual processes. Detected early Tuesday, the incident affected servers responsible for cargo management and port services, with reports confirming a ransom demand and encrypted systems.
In response, the port authority isolated impacted infrastructure to contain the threat, while physical operations such as ship movements and cargo handling continue. However, logistics coordination has been significantly affected, with operators relying on paper-based workflows.
Port president Carlos Botana confirmed systems will not be restored until security teams are confident the threat has been fully eradicated. Investigations are ongoing to determine the initial access point and assess any potential data compromise.
The attack highlights the growing focus on maritime infrastructure by ransomware groups, as disruption to ports can have immediate and wide-reaching impacts on global supply chains.
Malicious LiteLLM package fuels major supply chain breach
A significant supply chain attack has compromised the widely used LiteLLM Python package, with malicious versions exposing organisations to large-scale credential theft and potential system compromise. The attack, attributed to the TeamPCP group, saw tampered versions of LiteLLM deployed via PyPI, impacting a library used millions of times daily.
The malicious packages introduced hidden payloads designed to execute on import, harvesting sensitive data including SSH keys, cloud credentials, Kubernetes secrets and environment variables. More advanced variants ensured persistence by embedding backdoors that activate whenever Python runs, allowing ongoing access and lateral movement across environments.
Initial reports suggest up to 500,000 devices may have been affected, though figures remain unverified. The campaign follows earlier TeamPCP activity targeting tools such as Trivy, highlighting a pattern of exploiting trusted software in the development pipeline.
The incident reinforces the growing risk of software supply chain attacks, where a single compromised dependency can cascade across thousands of organisations, exposing critical systems, data and infrastructure at scale.
Read more in our Threat Advisory
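The two behaviours described above, a tampered package version and a backdoor that runs whenever Python starts, can both be checked for locally. The script below is an added example written for this bulletin, not code from Integrity360 or the LiteLLM project. It assumes the persistence mechanism is a site-packages .pth file (CPython executes any .pth line that begins with "import" during interpreter start-up, which is a known, legitimate feature that can be abused). The bulletin does not name the tampered versions, so the KNOWN_GOOD allowlist is a placeholder to be replaced with the versions in your own lockfile.

```python
"""
Audit a Python environment for (a) an installed package version that is not on
a known-good allowlist and (b) .pth files that execute code at interpreter start.
Added example for this bulletin; not part of LiteLLM or any vendor tooling.
"""
import site
from importlib import metadata
from pathlib import Path

# PLACEHOLDER: the bulletin does not list the tampered versions. Replace with the
# exact versions pinned in your lockfile (assumption: you pin dependencies).
KNOWN_GOOD = {"litellm": {"0.0.0-PLACEHOLDER"}}


def check_package_version(name, known_good=KNOWN_GOOD, installed=None):
    """Return (status, version). `installed` lets a caller inject a version."""
    if installed is None:
        try:
            installed = metadata.version(name)
        except metadata.PackageNotFoundError:
            return ("not-installed", None)
    allowed = known_good.get(name, set())
    return ("ok" if installed in allowed else "unexpected", installed)


def suspicious_pth_lines(text):
    """Return (line_number, line) for .pth lines that CPython will execute.

    site.py runs any line starting with 'import' when it processes a .pth file,
    so a backdoor placed there runs every time the interpreter starts. Legitimate
    tools (setuptools, editable installs) also use this, so flagged lines need
    human review rather than automatic deletion.
    """
    flagged = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if line.startswith("import ") or line.startswith("import\t"):
            flagged.append((lineno, line))
    return flagged


def scan_pth_files(dirs=None):
    """Map each .pth path under the given directories to its executable lines."""
    if dirs is None:
        dirs = site.getsitepackages() + [site.getusersitepackages()]
    findings = {}
    for d in dirs:
        d = Path(d)
        if not d.is_dir():
            continue
        for pth in sorted(d.glob("*.pth")):
            hits = suspicious_pth_lines(pth.read_text(errors="replace"))
            if hits:
                findings[str(pth)] = hits
    return findings


if __name__ == "__main__":
    status, version = check_package_version("litellm")
    print(f"litellm: {status} (installed version: {version})")
    for path, hits in scan_pth_files().items():
        print(f"{path}: executes code at start-up")
        for lineno, line in hits:
            print(f"  line {lineno}: {line}")
```

Run it inside the same virtual environment the application uses, since each environment has its own site-packages and its own .pth files. An "unexpected" version or a .pth import line you cannot trace to a known tool is a lead for incident response, not proof of compromise on its own.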
Cyberattack hits Dutch ministry of finance systems
The Dutch Ministry of Finance has confirmed a cyberattack affecting internal systems, with unauthorised access detected following a third-party alert on 19 March. An investigation is ongoing, with officials confirming that some employees have been impacted and access to affected systems has been restricted as a precaution.
The breach is understood to involve systems used within policy departments, though critical national services remain unaffected. Authorities confirmed that tax collection, customs operations and benefits systems continue to function normally, ensuring no disruption to citizens or businesses.
At this stage, the scale of the incident remains unclear, with no confirmation on whether sensitive data has been accessed or exfiltrated. No threat actor has claimed responsibility.
The incident follows a series of cyber events targeting Dutch institutions, highlighting continued pressure on government systems. As investigations continue, the focus will be on identifying the attack vector, assessing impact, and strengthening controls to prevent further compromise.
AstraZeneca data allegedly stolen and listed for sale on dark web
A hacking group has claimed to have breached AstraZeneca’s IT systems, exfiltrating approximately 3GB of sensitive data and attempting to sell it on the dark web. The group, identified as LAPSUS$, has reportedly released sample files to validate the breach, though the company has not yet confirmed the incident.
The alleged data includes source code, cloud infrastructure details, employee-linked records and access credentials. While no customer data is believed to be involved, the exposure of internal systems and identity-related information could present significant security risks. Even without active credentials, such data can enable targeted phishing, privilege escalation and further intrusion attempts.
Security researchers warn that if verified, the breach could have serious implications for the healthcare sector, where intellectual property and operational data are highly valuable targets. Notably, the attackers appear to be monetising the data directly rather than using traditional ransomware tactics.
The incident reflects a broader shift in cybercriminal strategy, with data theft and resale becoming an increasingly prominent threat to enterprise organisations.
Foster City USA declares emergency after cyberattack disrupts services
Foster City has declared a State of Emergency following a cyberattack that forced officials to take its entire network offline, severely disrupting municipal operations. While emergency services remain operational, core City Hall functions, including communications and permitting systems, have been brought to a standstill.
Authorities have not disclosed the full scope of the breach, including what data may have been accessed or compromised. However, residents and businesses have been advised to change passwords as a precaution. The lack of detail has created uncertainty around the scale and impact of the incident.
City staff are currently unable to send or receive emails or make calls, highlighting the operational disruption caused by the attack. Officials are working with external cyber security experts to investigate the incident and restore systems, though no timeline has been provided.
The declaration of emergency enables access to additional funding and resources, underlining the severity of the disruption and the growing impact cyber incidents can have on public sector operations.
Crunchyroll breach linked to third-party support systems impacts 6.8 million users
Anime streaming platform Crunchyroll is investigating a reported breach after threat actors claimed to have accessed data linked to up to 6.8 million users. The company stated the incident appears to be limited to customer service ticket data following a compromise involving a third-party vendor.
According to reports, attackers gained access via a support agent’s account, allegedly compromised through malware, enabling entry into multiple internal systems including Zendesk and corporate collaboration tools. The threat actors claim to have exfiltrated millions of support records containing user details such as email addresses, IP data and support queries.
Crunchyroll maintains there is no evidence of ongoing access, and investigations with external cyber security experts are ongoing. While payment data exposure appears limited, the incident highlights the risks associated with sensitive information stored in support systems.
The breach underscores the growing threat posed by attacks on third-party providers, where compromising a single account can provide access to large volumes of customer and organisational data across interconnected platforms.
Critical PLM vulnerability sparks urgent warnings across Europe
PTC has disclosed a critical vulnerability affecting its Windchill and FlexPLM platforms, raising concerns over potential remote code execution in widely deployed product lifecycle management systems. Tracked as CVE-2026-4681, the flaw stems from insecure deserialisation of trusted data and impacts multiple supported versions.
While no active exploitation has been confirmed, authorities in Germany have taken the unusual step of issuing direct, in-person warnings to organisations, highlighting the perceived immediacy of the threat. Reports indicate law enforcement contacted companies nationwide, urging rapid mitigation.
With no official patch yet available, PTC has advised organisations to implement temporary controls, including restricting access to vulnerable components or disconnecting affected systems from the internet where necessary. Indicators of compromise have also been released to support threat detection.
Given the critical role PLM systems play across manufacturing, engineering and supply chains, the vulnerability presents a significant risk. The response underscores growing concern around the exploitation of enterprise software to enable industrial espionage and large-scale disruption.
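Insecure deserialisation, the flaw class named above, means a loader that resolves and invokes arbitrary code named inside the serialised data. PTC's platforms are Java, and the bulletin gives no detail of the affected code, so the example below is an added Python illustration of the flaw class and its standard mitigation (an allowlist of types the loader may resolve), not Windchill or FlexPLM code. The "gadget" here only records that it was invoked; the point is that the unrestricted loader calls it at all, while the restricted loader refuses before anything runs.

```python
"""
Unrestricted vs allowlisted deserialisation, as an added illustration of the
flaw class; this is Python pickle, not the Java mechanism in the PTC products.
"""
import io
import pickle

# Constructed audit trail: records any callable the loader was tricked into running.
CALLS = []

# Types the hardened loader may resolve by name. Deliberately empty here; plain
# dicts, lists, strings and numbers are encoded as opcodes and need no lookup.
ALLOWED_GLOBALS = set()


def side_effect(tag):
    """Stand-in for whatever an attacker-chosen callable would do; it only records."""
    CALLS.append(tag)
    return tag


class Gadget:
    """Object whose serialised form tells the loader to call side_effect on load."""

    def __reduce__(self):
        return (side_effect, ("deserialised",))


class RestrictedUnpickler(pickle.Unpickler):
    """Hardened loader: refuses to resolve any global not on the allowlist."""

    def find_class(self, module, name):
        if (module, name) in ALLOWED_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"global {module}.{name} is not allowed")


def make_gadget_blob():
    """Constructed sample: serialised data that would invoke side_effect on load."""
    return pickle.dumps(Gadget())


def make_plain_blob():
    """Constructed sample: ordinary record data with no code references."""
    return pickle.dumps({"part": "A1", "rev": 3})


def unsafe_load(data):
    """Vulnerable pattern: trusts whatever globals the data names."""
    return ("ok", pickle.loads(data))


def safe_load(data):
    """Hardened pattern: same data, but globals are filtered before resolution."""
    try:
        return ("ok", RestrictedUnpickler(io.BytesIO(data)).load())
    except pickle.UnpicklingError as exc:
        return ("rejected", str(exc))


if __name__ == "__main__":
    CALLS.clear()
    print("unsafe:", unsafe_load(make_gadget_blob()), "calls:", CALLS)
    CALLS.clear()
    print("safe:  ", safe_load(make_gadget_blob()), "calls:", CALLS)
    print("safe plain data:", safe_load(make_plain_blob()))
```

The allowlist is the control: a loader that can only resolve names you have approved cannot be steered into other code by the bytes it is given. Where a vendor patch is not yet available, the same principle applies at the network layer, which is why restricting who can reach the deserialising endpoint is the interim advice given above.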
If you are worried about any of the threats outlined in this bulletin, or need help determining what steps you should take to protect yourself from the most material threats facing your organisation, please contact your account manager or, alternatively, get in touch to find out how you can protect your organisation.
Disclaimer
The Threat Intel Roundup was prepared by Integrity360 summarising threat news as we observe it, current at the date of publishing. It should not be considered to be legal, consulting or any other professional advice. Any recommendations should be considered in the context of your own organisation. Integrity360 does not take any political stance in the information that we share. Moreover, the opinions expressed may not necessarily be the views of Integrity360.