Security Check-in Quick Hits: Argentina Mega-Breach, Mercor AI Hack, Grafana RCE, and Supply Chain Attacks Rock Cybersecurity in the Last 24 Hours
For March 31, 2026
CHRONUSTEAM Launches Unprecedented 28-Breach Assault on Argentine Government Infrastructure
In a coordinated offensive that sent shockwaves through Latin American cybersecurity circles, the threat actor CHRONUSTEAM claimed responsibility for simultaneously breaching 28 critical Argentine government entities on March 30, 2026. Targets spanned national and provincial agencies, including the Central Bank of Argentina (BCRA), the Chief of the Cabinet of Ministers, multiple Ministries of Education, Health, and Security, the National Disability Agency, the Supreme Court of Justice of Buenos Aires, and numerous provincial police forces and health ministries.
The breaches exposed sensitive citizen data, financial records, judicial information, and personnel databases—potentially affecting hundreds of thousands of individuals. CHRONUSTEAM publicly detailed the victims and published proof, highlighting systemic weaknesses in government digital infrastructure. Analysts are treating this as one of the largest state-level data exposures in recent months, raising alarms about national security, privacy violations, and potential follow-on ransomware or espionage campaigns. Organizations worldwide should review third-party government data handling policies immediately, as ripple effects could extend beyond Argentina.
LAPSUS$ Claims 4TB Data Heist from AI Powerhouse Mercor
High-profile hacktivist group LAPSUS$ announced a major compromise of Mercor.com (a tech/AI firm reportedly valued at $750 billion), exfiltrating approximately 4TB of data. The group released samples and threatened full disclosure after failed ransom negotiations, claiming access to databases, complete platform source code, and sensitive employee/client personnel records.
The alleged attack vector points to a development team lapse—specifically, production credentials leaked via an AI tool (Claude). This incident underscores the growing “shadow AI” risk where developers inadvertently expose secrets through generative tools. Mercor has not issued a formal confirmation at the time of writing, but the claim has ignited discussions on X about AI supply-chain hygiene and credential management. For enterprises, the takeaway is clear: enforce strict separation of AI tool usage from production environments and implement real-time secret scanning.
Critical RCE Vulnerability Discovered in Grafana (CVE-2026-27876)
Security researchers disclosed CVE-2026-27876, a severe remote code execution flaw in Grafana that chains an enabled sqlExpressions feature toggle in the OSS version with vulnerable Enterprise plugins. Attackers can inject malicious SQL expressions, triggering deserialization or code evaluation that leads to full RCE. Over 83,000 exposed Grafana instances were identified globally via ZoomEye scanning.
The vulnerability has already drawn significant researcher attention due to its ease of exploitation in dashboard-heavy environments. Grafana users—especially those running Enterprise data transformation or scripting plugins—are urged to disable sqlExpressions immediately or apply patches. This flaw joins a growing list of visualization and analytics tools becoming prime targets as organizations lean harder into real-time dashboards.
Supply Chain Poisoning Hits Popular Packages—Axios, Databricks, and TeamPCP Activity
Developers woke up to fresh supply-chain nightmares: the widely used Axios library (100M+ weekly downloads) was found to contain an injected malicious dependency, while Databricks faced potential compromise linked to the TeamPCP group. Additional reports flagged malicious PyPI packages and other credential-harvesting payloads hidden in media files.
These incidents highlight how even trusted open-source components can become vectors overnight. Security teams are scrambling to audit dependency trees and enable automated SBOM scanning. The speed of these attacks—some surfaced and spread within hours—demonstrates why “shift-left” security and lockfile verification are no longer optional.
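One way to put the lockfile verification mentioned above into practice, as an added example that is not from the original post or any vendor: diff the npm lockfile before and after an update and flag new packages, hash changes at an unchanged version, missing integrity hashes, and tarballs resolved from outside the registry. The function name diffLockfiles and every package name, version, hash and URL in the sample data are hypothetical.

```javascript
// Added example: diff two npm lockfiles (lockfileVersion 2/3 "packages" map).
// Every package name, version, hash and URL below is constructed sample data.
const REGISTRY = "https://registry.npmjs.org/";

function diffLockfiles(before, after) {
  const oldPkgs = before.packages || {};
  const findings = [];
  for (const [path, pkg] of Object.entries(after.packages || {})) {
    if (path === "" || pkg.link) continue; // skip root project and workspace links
    const prev = oldPkgs[path];
    if (!prev) {
      findings.push({ path, issue: "new-package", detail: pkg.version });
    } else if (prev.version !== pkg.version) {
      findings.push({ path, issue: "version-changed", detail: `${prev.version} -> ${pkg.version}` });
    } else if (prev.integrity !== pkg.integrity) {
      // Same version but a different tarball hash: contents changed under a pinned version.
      findings.push({ path, issue: "integrity-changed", detail: pkg.version });
    }
    if (!pkg.integrity) findings.push({ path, issue: "missing-integrity", detail: pkg.version });
    if (pkg.resolved && !pkg.resolved.startsWith(REGISTRY)) {
      findings.push({ path, issue: "non-registry-source", detail: pkg.resolved });
    }
  }
  return findings;
}

// Helper that builds a registry-hosted lockfile entry for the sample data.
const entry = (name, version, integrity) =>
  ({ version, resolved: `${REGISTRY}${name}/-/${name}-${version}.tgz`, integrity });

const sampleBefore = { lockfileVersion: 3, packages: {
  "": { name: "demo-app", version: "1.0.0" },
  "node_modules/http-lib": entry("http-lib", "2.1.0", "sha512-AAAA"),
  "node_modules/left-util": entry("left-util", "1.0.3", "sha512-BBBB"),
} };
const sampleAfter = { lockfileVersion: 3, packages: {
  "": { name: "demo-app", version: "1.0.0" },
  "node_modules/http-lib": entry("http-lib", "2.1.1", "sha512-CCCC"),
  "node_modules/left-util": entry("left-util", "1.0.3", "sha512-DDDD"),
  // New transitive dependency, fetched from outside the registry, with no hash.
  "node_modules/extra-helper": { version: "0.0.1", resolved: "https://example.invalid/extra-helper-0.0.1.tgz" },
} };

for (const f of diffLockfiles(sampleBefore, sampleAfter)) {
  console.log(`${f.issue}\t${f.path}\t${f.detail}`);
}
```

Run in CI against the lockfile from the base branch and the one in the pull request, a non-empty result is a prompt for human review of the listed packages before merge.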
Databricks has now responded to the report:
Bottom line for today’s Security Check-in: Nation-state and hacktivist actors are moving faster than ever, critical enterprise tools remain exposed, and the software supply chain continues to be the soft underbelly of modern development. Stay vigilant, patch aggressively, and treat every dependency as potentially hostile. Check back tomorrow for the next 24-hour pulse.




