Infrastructure Intelligence
Morning Briefing — 20 March 2026
Today’s signal: Trump told reporters the US was considering “winding down” operations against Iran — while simultaneously deploying more Marines to the Middle East. Iran struck Kuwait’s Mina Al-Ahmadi refinery a second time. In cyber, a supply-chain attack planted 72 malicious VS Code extensions targeting developer environments, and 31 new ransomware victims were claimed in 24 hours. The European Council concluded with concrete defence procurement commitments and Germany’s defence budget reaching EUR 108 billion.
Security & Defence
Trump signals “winding down” — but deploys more troops
President Trump told reporters the administration was considering “winding down” military operations against Iran, while simultaneously deploying additional Marine units to the Middle East. Trump criticised Israel’s strike on Iran’s South Pars gas field. The contradictory signals — de-escalation rhetoric paired with force deployments — created immediate market whiplash, with Brent crude swinging between $107 and $113 intraday.
Why it matters: Contradictory signalling from Washington complicates risk assessment for every actor in the region. Energy markets, defence planners and infrastructure operators cannot price risk when the policy direction changes within the same news cycle.
NPR (primary) · Fortune (primary)
European Council concludes: defence ramp-up, EUR 108B German defence spend
EU leaders concluded their Brussels summit, calling for accelerated production of air defence systems, ammunition, drones and missiles. The EU welcomed Ukraine’s offer to provide counter-drone expertise to Gulf countries — explicitly linking the Iran war to European defence cooperation. Germany’s total defence spending now stands at approximately EUR 108 billion (base budget EUR 82.6B plus Sondervermögen).
Why it matters: Ukraine offering counter-drone support to Gulf states creates a new axis of cooperation that GSL’s sectors — physical security, counter-UAS, defence technology — sit directly within. The EUR 108B German budget signals sustained procurement demand through the decade.
European Council (official) · Atlas Institute (primary)
Energy & Infrastructure
Iran strikes Kuwait refinery a second time — pattern established
Iranian drones struck Kuwait’s Mina Al-Ahmadi refinery for the second consecutive day, sparking fires and forcing extended shutdown of processing units. Goldman Sachs warned that triple-digit oil prices could persist for years if the Strait remains disrupted. The IEA’s March Oil Market Report flagged the situation as the worst disruption to world oil markets ever experienced.
Why it matters: The second strike establishes a pattern — Iran is systematically degrading Gulf refining capacity, not conducting one-off retaliatory gestures. This is an infrastructure attrition campaign. European energy security planning must now account for a structurally reduced Gulf supply baseline.
Al Jazeera (primary) · CNN Business / Goldman Sachs (primary)
Cyber & Vulnerabilities
GlassWorm: 72 malicious VS Code extensions targeting developer environments
Socket Research Team disclosed the GlassWorm campaign — at least 72 malicious Open VSX extensions planted between January 31 and March 13, targeting developer environments. The extensions mimic linters, formatters and AI coding assistants, abusing dependency fields to silently pull in malicious payloads after marketplace review. Over 9 million installs were reported; 151+ GitHub repositories were also affected.
Why it matters: This is a supply-chain attack on the tools that build your software. Any organisation using VS Code or Open VSX extensions is potentially exposed. The technique — post-review transitive dependency injection — bypasses existing marketplace security controls entirely.
The Hacker News (primary) · BleepingComputer (primary)
CISA adds five KEVs including three Apple zero-days
CISA added five vulnerabilities to its Known Exploited Vulnerabilities catalogue, including three targeting Apple devices (buffer overflow and improper locking), plus Craft CMS remote code execution and Laravel Livewire unauthenticated code injection. Apple urged users on outdated iOS to update immediately against exploit kits “Coruna” and “DarkSword.”
Why it matters: Three Apple zero-days in one batch is unusual. Organisations with BYOD policies or executive device fleets should prioritise immediately. The Craft CMS and Laravel vulnerabilities affect web-facing infrastructure without authentication.
CISA (official) · CybersecurityNews (primary)
Ransomware: 31 new victims in 24 hours — DragonForce and World_Leaks lead
Purple Ops’ daily ransomware report counted 31 new victims. DragonForce and World_Leaks were the most active groups (8 compromises each), followed by Akira (5) and Qilin (4). The US and manufacturing sectors were the primary targets.
Why it matters: 31 victims in a single day confirms the sustained high tempo of ransomware operations. DragonForce and World_Leaks are newer groups rapidly gaining market share — the ecosystem is fragmenting and diversifying, making attribution and defence more complex.
Purple Ops (primary)
55 sources scanned · 14 countries · 09:00 CET
Primary and official sources take precedence. State media is marked. This is an intelligence briefing, not editorial commentary.