
New EvilTokens Service Fuels Microsoft Device Code Phishing Attacks
A new phishing‑as‑a‑service kit, "EvilTokens", hijacks Microsoft accounts through device code phishing: the attacker starts a device code sign‑in, lures the victim into entering that code on Microsoft's device login page, and receives the resulting access and refresh tokens, which grant access to email, files and Teams and allow SSO impersonation. The kit is sold via Telegram, is being extended to cover Gmail and Okta, and targets specific business roles with tailored documents and QR codes. Researchers at Sekoia identified widespread global campaigns and published indicators of compromise, YARA rules, and technical details to help defenders block the attacks.
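A phished device code is redeemed like any other device code grant, so the tenant's sign‑in logs are where it shows up. The following is an added example (not code from the Sekoia report or the EvilTokens kit) that reviews Entra ID sign‑in records for device code use. Field names follow the Microsoft Graph signIn resource, where authenticationProtocol equals "deviceCode" for that flow; the records are constructed, the allowlist of users who legitimately use device code is site‑specific, and the "unfamiliar IP" scoring is an assumed heuristic rather than a documented rule.

```python
"""Flag Microsoft Entra ID sign-ins that used the device code flow.

Added example; not code from the Sekoia research or the EvilTokens kit.
Field names follow the Microsoft Graph `signIn` resource
(authenticationProtocol == "deviceCode"). Records below are constructed;
the allowlist and the unfamiliar-IP heuristic are assumptions."""
from collections import defaultdict

# Constructed sample records (subset of the fields returned by
# GET /auditLogs/signIns); not real tenant data.
SAMPLE_SIGNINS = [
    {"userPrincipalName": "alice@example.com", "ipAddress": "203.0.113.10",
     "authenticationProtocol": "oAuth2", "status": {"errorCode": 0},
     "createdDateTime": "2026-03-20T08:01:00Z"},
    {"userPrincipalName": "alice@example.com", "ipAddress": "203.0.113.10",
     "authenticationProtocol": "deviceCode", "status": {"errorCode": 0},
     "createdDateTime": "2026-03-20T09:00:00Z"},
    {"userPrincipalName": "bob@example.com", "ipAddress": "203.0.113.22",
     "authenticationProtocol": "oAuth2", "status": {"errorCode": 0},
     "createdDateTime": "2026-03-20T08:30:00Z"},
    {"userPrincipalName": "bob@example.com", "ipAddress": "198.51.100.77",
     "authenticationProtocol": "deviceCode", "status": {"errorCode": 0},
     "createdDateTime": "2026-03-20T10:12:00Z"},
    {"userPrincipalName": "carol@example.com", "ipAddress": "198.51.100.78",
     "authenticationProtocol": "deviceCode", "status": {"errorCode": 50126},
     "createdDateTime": "2026-03-20T10:13:00Z"},
]


def interactive_ip_baseline(signins):
    """Map each user to the IPs seen on successful sign-ins that did NOT use device code."""
    baseline = defaultdict(set)
    for s in signins:
        if s.get("authenticationProtocol") != "deviceCode" and s["status"]["errorCode"] == 0:
            baseline[s["userPrincipalName"]].add(s["ipAddress"])
    return baseline


def review_device_code_signins(signins, allowed_users=frozenset()):
    """Return (record, reasons) for every successful device-code sign-in by a user
    who is not expected to use that flow. The flow exists for input-constrained
    devices, so for ordinary mailbox users every occurrence deserves a look; a
    source IP absent from the user's interactive history adds a second reason."""
    baseline = interactive_ip_baseline(signins)
    findings = []
    for s in signins:
        if s.get("authenticationProtocol") != "deviceCode" or s["status"]["errorCode"] != 0:
            continue  # failed attempts never yielded a token
        user = s["userPrincipalName"]
        if user in allowed_users:
            continue
        reasons = ["device code flow used by a non-allowlisted user"]
        if s["ipAddress"] not in baseline.get(user, set()):
            reasons.append("source IP never seen on this user's interactive sign-ins")
        findings.append((s, reasons))
    return findings


if __name__ == "__main__":
    for rec, why in review_device_code_signins(SAMPLE_SIGNINS):
        print(rec["createdDateTime"], rec["userPrincipalName"], rec["ipAddress"], "|", "; ".join(why))
```

Entra Conditional Access can block the device code flow outright (the authentication flows condition) for users who have no need for it; a review like this covers the users who are left on the allowlist.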

"NoVoice" Android Malware on Google Play Infected 2.3 Million Devices
NoVoice, an Android rootkit discovered on Google Play, infected more than 2.3 million devices through over 50 apps (cleaners, galleries, games) without requesting any suspicious permissions. It exploits old Android vulnerabilities (patched between 2016 and 2021) to gain root, then installs a persistent rootkit that replaces key system libraries, disables SELinux, and re‑installs itself after reboot. It collects device information for its command‑and‑control server and, in the post‑exploitation phase, injects code into every app launched on the device, primarily to steal WhatsApp data (encryption keys and session information) and clone user sessions. Google removed the apps after McAfee reported them, but users who already installed them should check their devices. Because the rooting step relies on long‑patched bugs, devices on current Android security patch levels are not affected by it; users are advised to install only trusted apps from reputable publishers.

Google fixes fourth Chrome zero‑day exploited in attacks in 2026
Google has released emergency Chrome updates for CVE‑2026‑5281, a use‑after‑free in Dawn, Chrome's WebGPU implementation, which is the fourth Chrome zero‑day exploited in attacks since January 2026. The fix is rolling out to Stable Desktop users on Windows, macOS, and Linux; Chrome installs it automatically, and users can also trigger the update manually.

Routine Access Is Powering Modern Intrusions, a New Threat Report Finds
Blackpoint Cyber’s 2026 Annual Threat Report shows that modern intrusions increasingly start through legitimate access—especially via SSL VPN and trusted remote management tools—and rely on social engineering rather than software exploits. Attackers often use compromised credentials, abuse standard IT workflows, and exploit session reuse after MFA in cloud environments. The report highlights the need for heightened vigilance around remote access, strict inventory of approved RMM tools, restriction of unapproved software, and conditional access controls to mitigate these blended‑in threats.

Critical Citrix NetScaler memory flaw actively exploited in attacks
Citrix NetScaler ADC and Gateway appliances are under active attack through a critical memory overread flaw (CVE‑2026‑3055) that lets attackers extract session identifiers and potentially take full control of devices configured as SAML identity providers. The vulnerability, disclosed on March 23, affects builds earlier than 14.1‑60.58 (and the corresponding earlier release branches) and has been exploited in the wild since March 27 by known threat actors. Security researchers have identified two separate overread bugs, affecting the /saml/login and /wsfed/passive endpoints, released a detection script, and warned that up to 29,000 NetScaler devices are exposed online. Citrix urges administrators of on‑premises appliances to patch immediately but has yet to acknowledge the exploitation reports in its bulletin.

Hackers Now Exploit Critical F5 BIG‑IP Flaw in Attacks – Patch Now Needed
F5 Networks has reclassified CVE‑2025‑53521 in BIG‑IP APM from a denial‑of‑service flaw to a critical remote code execution vulnerability that is already being exploited in the wild, with attackers deploying webshells on unpatched devices. The company released indicators of compromise and urged organizations, including federal agencies, to patch or mitigate immediately, citing widespread exposure (over 240,000 online instances) and recent exploitation by nation‑state and cybercrime actors. CISA has added the flaw to its Known Exploited Vulnerabilities catalog and ordered federal agencies to secure their BIG‑IP systems by March 30.

Microsoft pulls KB5079391 Windows update over install issues
Microsoft has pulled the Windows 11 KB5079391 preview update after users reported 0x80073712 installation errors. The update, which added Smart App Control, display improvements and better Windows Hello fingerprint reliability, was halted pending investigation. No fix timeline has been announced yet, but Microsoft expects a resolution before next Patch Tuesday on April 14. Meanwhile, other out‑of‑band hotpatches addressed Bluetooth visibility bugs, RRAS RCE flaws, and Samsung PC C: drive access issues caused by the Galaxy Connect app.

Critical Fortinet FortiClient EMS flaw now exploited in attacks
Fortinet's FortiClient EMS platform is being actively exploited through a critical SQL injection flaw (CVE‑2026‑21643) in its web interface that lets attackers run arbitrary code on unpatched systems. The flaw is present in version 7.4.4 and fixed in 7.4.5 and later. Defused reports that attacks began four days ago; nearly 1,000 exposed instances have been counted worldwide, with Shadowserver identifying more than 2,000, many in the U.S. and Europe. Fortinet has yet to update its advisory to mark the flaw as exploited, but it follows a pattern of recent Fortinet vulnerabilities being leveraged in ransomware and espionage campaigns.

European Commission confirms data breach after Europa.eu hack by ShinyHunters
The European Commission has confirmed a data breach after its Europa.eu platform was hacked by the ShinyHunters extortion gang, which stole over 350 GB of data from the Commission's AWS accounts. The attack did not disrupt public websites but affected internal data, prompting investigations and additional security measures. ShinyHunters has also released a 90 GB archive of stolen files on its dark‑web leak site. The Commission is notifying affected EU entities and strengthening its defenses while the investigation continues.

FBI confirms hack of Director Patel's personal email inbox
Iran‑linked Handala hackers breached FBI Director Kash Patel’s personal Gmail account, publishing photos and documents but no government data; the FBI confirmed the hack, noted it involved only historical information, and reiterated a $10 million reward for locating the threat actors.

File read flaw in Smart Slider plugin impacts 500K WordPress sites
A vulnerability in Smart Slider 3 (CVE‑2026‑3098) lets any authenticated user, including subscribers, read arbitrary server files such as wp-config.php. The plugin is installed on over 800,000 WordPress sites; a patch was released on March 24, but about 500,000 sites remain on vulnerable versions and should update promptly.

Backdoored Telnyx PyPI package pushes malware hidden in WAV audio
TeamPCP compromised the Telnyx PyPI package, uploading malicious 4.87.1 and 4.87.2 releases that drop credential‑stealing malware hidden in a WAV file. The backdoored SDK triggers on import, downloads an obfuscated WAV payload via C2, extracts code with XOR decryption, and harvests SSH keys, cloud tokens, crypto wallets, environment variables, and more. On Windows it drops msbuild.exe into the Startup folder; on Linux/macOS it spawns a detached process that pulls the steganographic file. Kubernetes hosts are also targeted to enumerate secrets and deploy privileged pods. The legitimate Telnyx SDK is available in version 4.87.0; any system importing the compromised versions should be treated as fully compromised and have all secrets rotated immediately.

Fake VS Code Alerts on GitHub Spread Malware to Developers
Fake VS Code security alerts posted in GitHub Discussions are part of a large‑scale campaign that tricks developers into downloading malware from external links such as Google Drive, which redirects to a malicious site that harvests system data before delivering a second‑stage payload. The spam is automated, uses realistic vulnerability titles and fake CVE IDs, and triggers email notifications to many users, exploiting GitHub’s notification system for mass phishing. Developers are warned to verify alerts against authoritative sources (NVD, CISA, MITRE) and look out for external download links, unverifiable CVEs, and mass tagging before acting.

Agentic GRC: Teams Get the Tech – The Mindset Shift Is What’s Missing
Agentic AI can automate all the operational tasks that GRC teams traditionally handle—evidence collection, control testing, audit preparation—and free them to focus on what they were really hired for: setting risk appetite, prioritizing controls, interpreting business context and making judgment calls that machines can’t replicate. Yet many practitioners hesitate because their identity is tied to the day‑to‑day operations they’ve spent years mastering. The article argues that embracing agentic GRC isn’t a threat but an opportunity to return to the core purpose of compliance—thinking clearly about risk, acting on what matters, and leading rather than just managing programs.

European Commission Investigating Breach After Amazon Cloud Hack
The European Commission is investigating a breach of its Amazon cloud infrastructure after a threat actor accessed at least one account used to manage the compromised system, stole over 350 GB of data (including multiple databases) and announced plans to leak it later; the incident follows earlier breaches linked to Ivanti Endpoint Manager Mobile vulnerabilities and coincides with the EU's push for stronger cybersecurity legislation and sanctions on Chinese and Iranian firms.

Anti‑piracy coalition takes down AnimePlay app with 5 million users
The Alliance for Creativity and Entertainment (ACE) shut down AnimePlay, a major illegal anime streaming service with over 5 million users—primarily from Indonesia—by seizing its app, servers, domains, source code, and associated infrastructure. This action follows ACE’s recent takedowns of other large piracy platforms, such as Photocall, and highlights the coalition’s ongoing efforts to protect intellectual property through civil litigation, criminal referrals, and cease‑and‑desist operations.

Windows 11 KB5079391 Update Brings Smart App Control and Display Improvements
Microsoft released the optional KB5079391 preview cumulative update for Windows 11 24H2 and 25H2, adding 29 changes that improve Smart App Control (allowing users to toggle it without reinstalling), enhance display reliability with high‑refresh‑rate monitor support and native USB4 connections, and provide various performance, security, and UI fixes—including better stability in the Windows Recovery Environment on ARM64 devices, improved Windows Hello fingerprint reliability, and updated dialog box designs. The update can be installed via Microsoft Update or the catalog and will upgrade builds to 26200.8116 (25H2) and 26100.8116 (24H2).

Dutch Police Discloses Security Breach After Phishing Attack
Dutch Police reported that a phishing attack caused a security breach but had limited impact, with no citizen data exposed. The incident was detected quickly by the Security Operations Center, access was blocked, and a criminal investigation is underway. The police have not disclosed details on when the attack was detected or if any employee data was compromised. Previous breaches in 2024 involved state‑actor theft of officer contact information, prompting enhanced security measures such as two‑factor authentication. Additionally, a man was arrested for extortion after accidental police data leakage.

UK sanctions Xinbi marketplace linked to Asian scam centers
The UK has sanctioned Xinbi, a Chinese‑language marketplace that sells stolen data and satellite internet equipment to Southeast Asian scam rings; the sanctions also target #8 Park in Cambodia and Legend Innovation Co, cutting off their cryptocurrency payment channels and disrupting operations linked to large‑scale fraud and human rights abuses.

Russia arrests suspected owner of LeakBase cyber‑crime forum
Russian police have arrested the suspected owner of LeakBase, a major cybercrime forum used to buy and sell stolen data and hacking tools, following the platform's seizure by the FBI and partner agencies in the international law‑enforcement action "Operation Leak" that shut it down in March 2026.

Armenian suspect extradited to the U.S. for alleged role in RedLine infostealer malware operations
Armenian suspect Hambardzum Minasyan has been extradited to the U.S. and charged with running the RedLine infostealer malware, a major cyber‑crime platform that steals data from corporate systems. He allegedly set up virtual servers, domains, cryptocurrency accounts and file‑sharing sites used by affiliates to distribute the malware. Minasyan faces charges including access‑device fraud, computer‑fraud and abuse, money laundering conspiracy, and could receive up to 30 years in prison. U.S. authorities have also targeted Russian developer Maxim Alexandrovich Rudometov, who may face a maximum of 35 years. The U.S. Department of State has offered up to $10 million for tips on state‑sponsored hackers linked to RedLine. The Dutch police seized RedLine’s infrastructure in 2024 as part of Operation Magnus.

GitHub adds AI‑powered bug detection to expand security coverage
GitHub is adding AI‑powered scanning to its Code Security tool, creating a hybrid model that combines traditional CodeQL analysis with broader coverage for languages like Shell/Bash, Dockerfiles, Terraform and PHP. The new AI detections aim to uncover security issues that static analysis alone misses, and will be available in public preview early Q2 2026. This move reflects a shift toward embedding AI‑augmented security directly into the development workflow, supported by features such as Copilot Autofix which speeds up issue resolution.

PolyShell Attacks Target 56 % of All Vulnerable Magento Stores
PolyShell attacks have now hit 56% of all vulnerable Magento Open Source and Adobe Commerce stores, with exploitation starting just days after the flaw was disclosed. The vulnerability is in Magento's REST API, which accepts polyglot file uploads (a valid image header followed by executable content); depending on server settings, these lead to remote code execution or XSS. Adobe released a patch (2.4.9‑beta1) on March 10, but it remains unavailable for stable releases. Sansec has published active attack IPs and found that some attackers also deploy a WebRTC‑based payment card skimmer capable of bypassing strict CSP controls, which was detected on a major automotive e‑commerce site. Defenders are urged to apply the latest patches and monitor for indicators of compromise.

Bubble AI App Builder Abused to Steal Microsoft Account Credentials
Threat actors are using the no‑code AI app builder Bubble to create and host malicious web apps that mimic Microsoft login pages, allowing them to steal Microsoft 365 credentials. Because these sites run on Bubble’s trusted *.bubble.io domain, email security tools don’t flag the links, letting users access the phishing page. The generated apps contain large JavaScript bundles and Shadow DOM structures that evade automated analysis, making it hard for defenders to detect the malicious intent. Kaspersky warns that this technique is likely to spread through phishing‑as‑a‑service kits, increasing the stealth of attacks against Microsoft accounts.

New Torg Grabber Infostealer Targets 728 Crypto Wallets
New infostealer malware “Torg Grabber” is actively stealing data from 850 browser extensions, targeting 728 crypto wallet add‑ons (including MetaMask, TrustWallet, Coinbase, Binance, etc.) and also capturing credentials from 103 password manager/2FA extensions. It spreads via a ClickFix clipboard hijack that runs malicious PowerShell, uses evolving exfiltration methods (now HTTPS through Cloudflare), anti‑analysis techniques, and can bypass Chrome’s App‑Bound Encryption. The malware profiles the host, takes screenshots, steals desktop files, and can execute shellcode from its C2. Researchers note rapid development with new samples and domains weekly.

Citrix urges admins to patch NetScaler flaws as soon as possible
Citrix has released patches for two critical vulnerabilities (CVE‑2026‑3055 and CVE‑2026‑4368) affecting NetScaler ADC and Gateway appliances, which could allow remote attackers to read memory or cause session mix‑ups. The flaws are similar to the previously exploited CitrixBleed variants, raising concerns that exploit code may soon appear in the wild. Citrix urges customers to apply the updates immediately and provides guidance for identifying affected instances. Over 30,000 NetScaler ADC and more than 2,300 Gateway devices are exposed online, but it is unclear how many remain vulnerable.

Paid AI Accounts Are Now a Hot Underground Commodity
Paid AI platform accounts are now a thriving underground commodity, with fraud‑oriented forums and Telegram groups selling discounted or bundled subscriptions to services like ChatGPT, Claude, Microsoft Copilot, Perplexity, and API keys. Threat actors acquire these accounts through exposed credentials, account takeovers, bulk creation, trial abuse, or resold subscriptions, often targeting users in sanctioned regions who face payment restrictions. The resale market offers cheaper, “no‑limits” access that fuels large‑scale phishing, social engineering, and automated fraud campaigns. Organizations can mitigate risk by enforcing MFA, monitoring anomalous usage, rotating API keys, restricting sensitive data sharing, and staying alert to underground listings.

Kali Linux 2026.1 Released with 8 New Tools and a New BackTrack Mode
Kali Linux 2026.1 has been released, bringing 25 new packages, 183 updates, and a kernel upgrade to 6.18. The update introduces eight notable tools—AdaptixC2, Atomic-Operator, Fluxion, GEF, MetasploitMCP, SSTImap, WPProbe, and XSStrike—alongside a refreshed theme with new wallpapers and an improved installer interface. A new “BackTrack mode” for Kali Undercover lets users emulate the classic BackTrack look, while NetHunter receives bug fixes and permission checks. Users can upgrade via apt or download fresh ISO images; instructions are provided for WSL 2 support and post‑upgrade verification.

TP‑Link Warns Users to Patch Critical Router Authentication Bypass Flaw
TP‑Link has released firmware updates for its Archer NX series (NX200, NX210, NX500, NX600) to fix a critical authentication bypass flaw (CVE‑2025‑15517) that lets attackers upload malicious firmware and change settings without credentials. The update also removes a hardcoded key (CVE‑2025‑15605), patches two command‑injection bugs (CVE‑2025‑15518/15519), and the company urges users to install the new firmware immediately, warning that failure to do so leaves devices vulnerable.

Russian Botnet Manager Sentenced to 2 Years Over BitPaymer Ransomware Attacks
Russian cybercriminal Ilya Angelov, who ran the “Mario Kart” botnet used to launch BitPaymer ransomware against 72 U.S. companies, pleaded guilty and was sentenced to two years in prison after traveling to the United States. The botnet distributed malware via massive spam campaigns, infecting thousands of computers daily between 2017‑2021 and selling access to other criminal groups, resulting in over $14 million in extortion payments. Angelov’s case follows similar prosecutions of Russian cybercriminals involved in ransomware operations.

PTC warns of imminent threat from critical Windchill, FlexPLM RCE bug
PTC has issued an emergency alert for a critical remote‑code execution flaw (CVE‑2026‑4681) in its Windchill and FlexPLM product lifecycle management software, exploitable through deserialization of untrusted data. German federal police have dispatched officers to notify affected companies, underscoring the urgency. No patch is yet available; PTC recommends an Apache/IIS rule that blocks access to the vulnerable servlet path, prioritizing internet‑facing instances, and temporarily disconnecting or shutting down the service if that mitigation cannot be applied. The vendor has released indicators of compromise and detection guidance and reports no confirmed exploitation so far, but says credible evidence points to an imminent threat from a third‑party group.

LiteLLM PyPI Package Compromised in TeamPCP Supply‑Chain Attack
TeamPCP has compromised the popular LiteLLM Python package on PyPI, pushing malicious versions 1.82.7 and 1.82.8 that inject an infostealer into the library’s import process. The payload harvests credentials (SSH keys, cloud tokens, Kubernetes secrets, crypto wallets, etc.), attempts lateral movement in Kubernetes clusters, installs a persistent systemd backdoor, and exfiltrates data to attacker‑controlled domains. Roughly 500,000 devices are reported infected. Both malicious releases have been removed; users should check for affected versions, rotate all credentials, inspect for persistence artifacts, review Kubernetes pods, and monitor outbound traffic to known malicious endpoints.

Firefox now has a free built-in VPN with 50GB monthly data limit
Firefox 149 introduces a free built‑in VPN that hides the user's location and IP address for up to 50 GB of browser traffic per month. It is activated via a toggle in the browser, can be limited to specific sites, and routes only Firefox traffic rather than the whole system, unlike Mozilla's commercial VPN. It is available initially in the U.S., UK, Germany, and France, with notifications as the limit approaches. Alongside the VPN, Firefox 149 adds Split View for side‑by‑side tabs, blocks malicious sites through Safe Browsing, and patches over 40 security vulnerabilities.

Microsoft fixes bug causing Classic Outlook sync issues with Gmail
Microsoft has resolved a bug that caused Gmail and Yahoo accounts to fail syncing in classic Outlook, generating error codes 0x800CCC0F and 0x80070057. The issue was fixed on February 26, 2026, though some users may still experience problems until their OAuth token expires; a temporary workaround is to delete the relevant registry entries for the affected email address.

Dutch Ministry of Finance discloses cyber breach affecting employees
Dutch Ministry of Finance confirmed a cyberattack on March 19 that breached some internal systems, affecting certain employees but not critical tax or customs services. The breach was detected by a third party and investigated, with access blocked; details on the number of affected staff or data stolen remain undisclosed.

Mazda exposes employee and partner data in security breach
Mazda Motor Corporation announced a security breach that exposed data for 692 employees and business partners, including user IDs, full names, email addresses, company names, and partner IDs. The incident involved unauthorized access to a warehouse management system used for parts from Thailand; no customer data was affected. Mazda promptly reported the breach to Japan's Personal Information Protection Commission, implemented additional security measures, and is monitoring for phishing or scam activity. No ransomware group has publicly claimed responsibility, though Clop previously listed Mazda on its leak site. The company advises affected individuals to remain vigilant.

Tycoon2FA phishing platform returns after recent police disruption
Tycoon2FA, a phishing‑as‑a‑service platform targeting Microsoft 365 and Gmail accounts with two‑factor authentication bypassing techniques, was disrupted by Europol and Microsoft on March 4, 2026, involving the seizure of 330 domains. The takedown temporarily reduced daily campaign volumes to about 25% of pre‑disruption levels, but within days the platform returned to its previous activity level, using largely unchanged tactics and infrastructure. CrowdStrike notes that some old infrastructure remained active while new phishing domains and IPs were quickly registered after the law enforcement operation, allowing cybercriminals to recover and continue their operations. The disruption was short‑lived due to limited arrests or physical seizures, underscoring the resilience of phishing‑as‑a‑service operators.

TeamPCP Deploys Iran‑Targeted Wiper in Kubernetes Attacks
TeamPCP has launched a new attack on Kubernetes clusters and Iranian systems, deploying a malicious script that wipes machines when it detects Iran's timezone or locale. The campaign uses the same command‑and‑control, backdoor code, and drop path seen in the CanisterWorm incidents, but adds a geopolitically targeted destructive payload. In Kubernetes environments it installs a DaemonSet that mounts the host filesystem and runs Alpine containers named "kamikaze" to delete every top‑level directory and reboot the host. On non‑Kubernetes Iranian machines the malware deletes all files, including system data, with rm -rf and no‑preserve‑root, attempting passwordless sudo if it is not already root. When the conditions are not met, it exits without doing harm. Recent variants also propagate over SSH, parsing authentication logs for credentials and using stolen private keys; indicators include outbound SSH connections with StrictHostKeyChecking=no and privileged Alpine containers started through an unauthenticated Docker API. The attack reflects a growing trend of geopolitically targeted wipers that pair Kubernetes lateral movement with environment‑aware targeting logic.
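Two of the indicators above are cheap to check from a node or a kubectl session: a privileged pod that mounts the node's root filesystem, and ssh processes that disable host‑key checking. The following is an added example (not TeamPCP's script and not a vendor detection rule) that triages both. It takes pod objects in the shape of `kubectl get pods -A -o json` (the .items entries) and process command lines as printed by `ps -eo args`; the pods and command lines below are constructed.

```python
"""Triage helpers for two host-level indicators of the wiper described above:
a privileged pod mounting the node's root filesystem (the DaemonSet pattern),
and ssh invocations that disable host-key checking (the propagation pattern).

Added example; not TeamPCP's code and not a vendor rule. Inputs follow the
shape of `kubectl get pods -A -o json` items and `ps -eo args` lines; all
sample data is constructed."""
import re


def pod_findings(pod):
    """Return the reasons a pod matches the wiper DaemonSet pattern (empty list if none)."""
    meta = pod.get("metadata", {})
    spec = pod.get("spec", {})
    reasons = []
    host_root_volumes = {v["name"] for v in spec.get("volumes", [])
                         if v.get("hostPath", {}).get("path") == "/"}
    for c in spec.get("containers", []):
        if c.get("securityContext", {}).get("privileged"):
            reasons.append(f"container {c['name']} runs privileged")
        if "alpine" in c.get("image", "") and "kamikaze" in (c.get("name", "") + meta.get("name", "")):
            reasons.append(f"container {c['name']} is an Alpine image named 'kamikaze'")
        for m in c.get("volumeMounts", []):
            if m.get("name") in host_root_volumes:
                reasons.append(f"container {c['name']} mounts host / at {m.get('mountPath')}")
    owner_kinds = {o.get("kind") for o in meta.get("ownerReferences", [])}
    if reasons and "DaemonSet" in owner_kinds:
        reasons.append("scheduled on every node via DaemonSet")
    return reasons


# ssh with host-key checking disabled, whether written as "-o StrictHostKeyChecking=no",
# "-oStrictHostKeyChecking=no" or "-o StrictHostKeyChecking no".
SSH_NO_HOSTKEY = re.compile(r"\bssh\b.*StrictHostKeyChecking[= ]no\b", re.IGNORECASE)


def ssh_findings(cmdlines):
    """Return the process command lines that match the propagation indicator."""
    return [line for line in cmdlines if SSH_NO_HOSTKEY.search(line)]


# Constructed samples.
MALICIOUS_POD = {
    "metadata": {"name": "kamikaze-x7k2p", "namespace": "kube-system",
                 "ownerReferences": [{"kind": "DaemonSet", "name": "kamikaze"}]},
    "spec": {"volumes": [{"name": "host", "hostPath": {"path": "/"}}],
             "containers": [{"name": "kamikaze", "image": "alpine:3.19",
                             "securityContext": {"privileged": True},
                             "volumeMounts": [{"name": "host", "mountPath": "/host"}]}]},
}
BENIGN_POD = {
    "metadata": {"name": "web-6d9f", "namespace": "default",
                 "ownerReferences": [{"kind": "ReplicaSet", "name": "web-6d9f"}]},
    "spec": {"volumes": [{"name": "tmp", "emptyDir": {}}],
             "containers": [{"name": "web", "image": "nginx:1.27",
                             "volumeMounts": [{"name": "tmp", "mountPath": "/tmp"}]}]},
}
SAMPLE_CMDLINES = [
    "sshd: alice [priv]",
    "ssh -o StrictHostKeyChecking=no -i /tmp/.k root@10.0.0.12 sh /tmp/.x",
    "ssh deploy@build01",
]

if __name__ == "__main__":
    for pod in (MALICIOUS_POD, BENIGN_POD):
        print(pod["metadata"]["name"], pod_findings(pod))
    print(ssh_findings(SAMPLE_CMDLINES))
```

A legitimate node agent can also be privileged and mount the host, so the pod check is a triage list rather than a verdict; the combination of all four reasons on a DaemonSet that nobody deployed on purpose is what warrants isolating the node.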

Crunchyroll Investigates Massive Data Breach: 6.8 Million Users’ Personal Info Stolen
Crunchyroll is investigating a breach after hackers claimed to have stolen personal data of about 6.8 million users. The attackers allegedly compromised an employee of Telus International, a BPO company, by infecting the employee's computer and using it to reach Crunchyroll's Okta SSO account. With that access they downloaded support ticket records from Zendesk, exposing user names, emails, IP addresses, locations, and ticket contents; credit card details were included only where customers had typed them into tickets. The intrusion reportedly lasted 24 hours, and the hackers sent extortion demands of $5 million, to which Crunchyroll did not respond. BPOs are increasingly targeted because they handle customer support and internal authentication for many companies at once.

Trivy supply‑chain attack spreads to Docker, GitHub repos
Trivy, a popular vulnerability scanner from Aqua Security, was compromised in a supply‑chain attack that extended to Docker Hub and GitHub. TeamPCP hackers gained access to Aqua’s GitHub organization by exploiting an unsecured service account (Argon‑DevOps‑Mgt) that had long‑lived personal access tokens. They injected malicious code into Trivy, pushed altered Docker images with tags 0.69.5 and 0.69.6, and tampered with dozens of repositories, adding a “TeamPCP Owns Aqua Security” banner. Despite the breach, Aqua confirmed that its commercial version of Trivy was unaffected but warned users to verify integrity of Docker images and GitHub releases. The incident highlights risks in supply‑chain security and the need for stronger access controls, MFA, and immutable tags.
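The Telnyx, LiteLLM and Trivy incidents above share one immediate response step: find every host that ever pulled the named releases. The following is an added example (not the vendors' tooling) that sweeps a host's installed Python packages and local container images against the versions named in those summaries. It reads the JSON printed by `pip list --format=json` and the lines printed by `docker images --format '{{.Repository}}:{{.Tag}}'`; the bad‑version table is transcribed from this page and must be maintained from the vendors' advisories, the Docker Hub repository name `aquasec/trivy` is an assumption, and the sample outputs are constructed.

```python
"""Sweep installed Python packages and local container images for the
compromised releases named above (Telnyx, LiteLLM, Trivy image tags).

Added example, not the vendors' tooling. Inputs: `pip list --format=json`
output and `docker images --format '{{.Repository}}:{{.Tag}}'` output.
The bad-version table comes from this page's summaries and must be kept
current; the repository name 'aquasec/trivy' and all sample data are assumed."""
import json
import re

KNOWN_BAD_PYPI = {"telnyx": {"4.87.1", "4.87.2"}, "litellm": {"1.82.7", "1.82.8"}}
KNOWN_BAD_IMAGES = {"aquasec/trivy": {"0.69.5", "0.69.6"}}  # repository name assumed


def normalize_name(name):
    """PEP 503 project-name normalisation, so 'LiteLLM' and 'litellm' compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()


def compromised_packages(pip_list_json):
    """Return (name, version) pairs from `pip list --format=json` output that are on the bad list."""
    hits = []
    for pkg in json.loads(pip_list_json):
        bad = KNOWN_BAD_PYPI.get(normalize_name(pkg["name"]), set())
        if pkg["version"] in bad:
            hits.append((pkg["name"], pkg["version"]))
    return hits


def compromised_images(image_lines):
    """Return (repository, tag) pairs from `docker images` output that are on the bad list."""
    hits = []
    for line in image_lines.splitlines():
        line = line.strip()
        if ":" not in line:
            continue
        repo, tag = line.rsplit(":", 1)          # tag is everything after the last colon
        short = repo[len("docker.io/"):] if repo.startswith("docker.io/") else repo
        if tag in KNOWN_BAD_IMAGES.get(short, set()):
            hits.append((repo, tag))
    return hits


# Constructed sample outputs.
SAMPLE_PIP_LIST = json.dumps([
    {"name": "telnyx", "version": "4.87.2"},
    {"name": "LiteLLM", "version": "1.82.6"},
    {"name": "requests", "version": "2.32.3"},
])
SAMPLE_IMAGES = "aquasec/trivy:0.69.6\nnginx:1.27\ndocker.io/aquasec/trivy:0.69.4\n"

if __name__ == "__main__":
    print("packages:", compromised_packages(SAMPLE_PIP_LIST))
    print("images:  ", compromised_images(SAMPLE_IMAGES))
```

A clean result today does not prove a bad version never ran: the Telnyx and LiteLLM payloads execute on import, so pip's cache and logs, lockfiles and CI build logs need the same sweep, and any host that installed a listed version is treated as compromised with all of its secrets rotated, as the summaries above say. For images, the longer‑term fix is the one Aqua points at: pull by digest rather than by mutable tag.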

Varonis Atlas: Securing AI and the Data That Powers It
Varonis announces the general availability of Varonis Atlas, an end‑to‑end AI security platform that lets enterprises discover, monitor, protect and govern all AI systems—from hosted services to custom LLMs and embedded AI—within a single solution built on the Varonis Data Security Platform. Atlas continuously inventories AI assets (including shadow AI), assesses posture for vulnerabilities and data exposure, performs live pen‑tests against production endpoints, enforces real‑time guardrails to prevent leaks or malicious behavior, tracks compliance with regulations such as the EU AI Act and NIST AI RMF, manages third‑party AI risk, monitors full end‑to‑end activity, and provides detection & response capabilities that integrate with SIEM/SOAR. The platform unifies data security context with AI operations to give organizations a fast path to safe, trustworthy AI at scale.

How to Fine-Tune Open Models Locally With Unsloth Studio
A practical technical guide to evaluating Unsloth Studio for local model fine-tuning, including environment choices, data preparation, base-model selection, training workflow design, export planning, and deployment caveats.

What Unsloth Offers for Local Model Training and Inference
Unsloth combines a local-first interface, model training workflows, dataset preparation, and export tooling so teams can run and fine-tune open models without defaulting to hosted AI platforms.

FBI Links Signal Phishing Attacks to Russian Intelligence Services
FBI warns that Russian intelligence-linked actors are hijacking accounts on encrypted messaging apps like Signal and WhatsApp through phishing campaigns, compromising thousands of users worldwide—especially high-value targets such as U.S. officials, military personnel, politicians, and journalists. The attacks bypass end‑to‑end encryption by tricking users into linking devices or sharing verification codes, enabling attackers to read messages, impersonate victims, and launch further phishing. Users are urged to be wary of unexpected support requests, QR codes, and device linking.

Oracle pushes emergency fix for critical Identity Manager RCE flaw
Oracle has released an out‑of‑band patch for CVE‑2026‑21992, a critical vulnerability in Oracle Identity Manager and Oracle Web Services Manager that allows unauthenticated remote code execution over HTTP with no user interaction. The fix applies to versions 12.2.1.4.0 and 14.1.2.1.0 of both products; the flaw carries a CVSS score of 9.8, and Oracle strongly urges customers to apply the patch immediately.

Police take down 373,000 fake CSAM sites in Operation Alice
Police and Europol have dismantled 373,000 fake child sexual abuse material (CSAM) sites under Operation Alice, shutting down a Chinese‑based scam platform that advertised counterfeit CSAM packages costing between €17–€215 and attracted around 10,000 users who paid about $400,000. The investigation seized 287 servers—105 in Germany—and issued an arrest warrant for the operator, while Europol highlights its broader child‑protection initiatives such as Help4U and “Stop Child Abuse – Trace an Object.”

CISA orders federal agencies to patch Cisco Secure FMC vulnerability by Sunday.
CISA has ordered all federal agencies to patch the high‑severity CVE‑2026‑20131 vulnerability in Cisco Secure Firewall Management Center (FMC) by Sunday, March 22, after the flaw was found to let remote attackers execute Java code as root through insecure deserialization. The vulnerability has been actively exploited by ransomware groups such as Interlock since January 2026, and CISA has added it to its Known Exploited Vulnerabilities catalog. Federal agencies have only three days to apply the patch or stop using the product; other organizations are urged to act just as promptly.

How CISOs Can Survive the Era of Geopolitical Cyberattacks
CISOs must shift from pure prevention to resilience against geopolitically motivated “wiper” attacks that aim to disrupt rather than ransom. Iran’s recent destructive campaigns illustrate a pattern: attackers gain access via stolen VPN credentials, then move laterally through administrative tools (RDP, PowerShell, SMB, SSH), escalating privileges and deploying multiple wiping methods simultaneously. Defenders can mitigate this by limiting credential-based network reach, enforcing MFA on administrative services, default‑deny policies for admin ports, restricting privileged accounts to the systems they manage, detecting tunneling or unusual east‑west traffic, and rapidly containing affected hosts with automated isolation and ring‑fencing. The core lesson is that preventing lateral movement and controlling privileged access—combined with visibility into who can access what—reduces blast radius and enables organizations to survive geopolitical cyber conflicts.

Musician admits to $10M streaming royalty fraud using AI bots
North Carolina musician Michael Smith pleaded guilty to fraudulently collecting over $10 million in streaming royalties by generating thousands of AI‑created songs and using bot accounts to stream them billions of times on Spotify, Apple Music, Amazon Music, and YouTube Music. He used VPNs and automated bots to inflate listening stats between 2017 and 2024, earning an estimated $1.2 million per year from half a cent per stream. Smith will pay roughly $8 million in forfeiture and faces up to five years in prison for conspiracy to commit wire fraud.

FBI Seizes Handala Data‑Leak Sites After Stryker Cyberattack
The FBI has seized the two public domains used by the Handala hacktivist group—handala-redwanted.to and handala-hack.to—after the group carried out a destructive cyberattack on medical technology company Stryker, wiping about 80,000 devices via Intune. The seizure was authorized by a Maryland district court warrant, citing alleged foreign state involvement and malicious activity. Handala, a pro‑Palestinian group linked to Iran’s MOIS, has acknowledged the seizures and plans to rebuild its online infrastructure while continuing operations. Microsoft and CISA have issued guidance on securing Intune to prevent similar attacks.

Russian hackers exploit Zimbra flaw in Ukrainian govt attacks
Russian state‑backed hackers from APT28 are exploiting a newly patched Zimbra Collaboration Suite vulnerability (CVE‑2025‑66376) to target Ukrainian government entities, notably the State Hydrology Agency. The flaw allows unauthenticated attackers to execute remote code via stored cross‑site scripting in emails, enabling stealthy credential harvesting and data exfiltration over DNS and HTTPS. CISA has added the vulnerability to its catalog of actively exploited vulnerabilities and ordered federal agencies to patch within two weeks. Security researchers report that the attack chain uses a single email with obfuscated JavaScript and no attachments or links, exploiting the XSS flaw to gain access to users’ mailbox contents and backup 2FA codes. This is part of a broader trend of Russian state groups targeting Zimbra servers for espionage.

Aura confirms data breach exposing 900,000 marketing contacts
Aura confirms that a voice‑phishing attack exposed nearly 900,000 customer records—names, email addresses, home addresses and phone numbers—from a marketing tool acquired in 2021. The breach involved 20,000 current and 15,000 former customers, with no SSNs or financial data compromised. ShinyHunters claimed to have stolen 12 GB of PII, but Aura has not commented on that claim. The company is conducting an internal review, notifying law enforcement, and will send personalized alerts to affected individuals.

ConnectWise Releases Patch to Fix Cryptographic Signature Vulnerability in ScreenConnect™
ConnectWise alerts that a cryptographic signature verification flaw (CVE‑2026‑3564) in ScreenConnect versions before 26.1 can allow attackers to hijack sessions by extracting ASP.NET machine keys, enabling unauthorized access and privilege escalation. The vendor has patched the issue in version 26.1 with encrypted key storage and improved handling; cloud users are automatically upgraded while on‑premises admins must update immediately. Although researchers have observed attempts to abuse disclosed machine key material in the wild, no confirmed exploitation or indicators of compromise have been reported yet. ConnectWise advises tightening access controls, monitoring logs for unusual authentication activity, protecting backups, and keeping extensions up to date to mitigate risk.

Apple pushes first Background Security Improvements update to fix WebKit flaw
Apple released its first Background Security Improvements update, fixing the WebKit flaw CVE‑2026‑20643 that lets malicious web content bypass Safari’s Same Origin Policy. The patch applies to iOS 26.3.1, iPadOS 26.3.1, macOS 26.3.1 and 26.3.2 without a full OS upgrade, demonstrating Apple’s new lightweight out‑of‑band security feature that delivers small fixes between major releases.

GlassWorm malware hits 400+ code repos on GitHub, npm, VSCode, OpenVSX
GlassWorm, a supply‑chain malware campaign, has infected over 400 open‑source components across GitHub, npm, VSCode and OpenVSX repositories. In March 2026 researchers identified 433 compromised packages—200 Python repos, 151 JS/TS repos, 72 VSCode extensions and 10 npm packages—all injected with invisible Unicode characters to conceal malicious code that harvests cryptocurrency wallet data, developer credentials, SSH keys, and other sensitive information. The attackers use a single Solana blockchain address for command‑and‑control, updating payload URLs every five seconds. Initial compromise occurs via forced pushes on compromised GitHub accounts, after which malicious packages are published on npm and VSCode/OpenVSX with obfuscated code. The malware skips execution on Russian‑locale systems, suggesting it is operated by Russian‑speaking actors. Developers are advised to scan for the marker variable “lzcdrtfxyqiplpd,” check for unexpected Node.js installations and suspicious i.js files, and look for anomalies in commit histories to detect compromises.
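As an added example (not code from the page or from the researchers who reported the campaign), a small Python scanner that flags invisible Unicode characters in source text and the marker variable named above; the Unicode categories it treats as invisible are a general heuristic and an assumption here, not the campaign's exact character set.

```python
"""Scan source text for invisible Unicode characters and the GlassWorm marker.

Added example; not the researchers' tool. The categories flagged as invisible
are a general heuristic (assumption), not the campaign's exact set.
"""
import unicodedata
from collections import Counter
from dataclasses import dataclass
from pathlib import Path

# Marker variable reported on this page.
GLASSWORM_MARKER = "lzcdrtfxyqiplpd"

# Hangul fillers are category Lo, so the category check below would miss them,
# but they render as blank in most editors.
HANGUL_FILLERS = {"\u115f", "\u1160", "\u3164", "\uffa0"}

# Whitespace that legitimately appears in source and must not be flagged.
ALLOWED_CONTROLS = {"\t", "\n", "\r"}


def is_invisible(ch: str) -> bool:
    """True for characters that render as nothing or nearly nothing.

    Cf (format) covers zero-width spaces/joiners, bidi overrides and the tag
    block U+E0000..U+E007F; Cc is other control characters; Co is private use.
    """
    if ch in ALLOWED_CONTROLS:
        return False
    return unicodedata.category(ch) in ("Cf", "Cc", "Co") or ch in HANGUL_FILLERS


@dataclass(frozen=True)
class Finding:
    line: int
    column: int      # 1-based character offset within the line
    kind: str        # "invisible" or "marker"
    detail: str      # code point and name, or the marker string


def scan_source(text: str) -> list[Finding]:
    """Return every invisible character and marker occurrence, in file order."""
    findings: list[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for col, ch in enumerate(line, start=1):
            if is_invisible(ch):
                name = unicodedata.name(ch, "UNNAMED")
                findings.append(Finding(lineno, col, "invisible", f"U+{ord(ch):04X} {name}"))
        start = 0
        while (idx := line.find(GLASSWORM_MARKER, start)) != -1:
            findings.append(Finding(lineno, idx + 1, "marker", GLASSWORM_MARKER))
            start = idx + len(GLASSWORM_MARKER)
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per kind, e.g. {'invisible': 4, 'marker': 1}."""
    return dict(Counter(f.kind for f in findings))


def scan_file(path: str) -> list[Finding]:
    """Scan one file; undecodable bytes are replaced rather than aborting."""
    return scan_source(Path(path).read_text(encoding="utf-8", errors="replace"))


# Constructed sample: a clean line, two zero-width spaces hidden inside a
# function body, the marker variable, and two characters from the tag block.
SAMPLE_SOURCE = (
    "const version = '1.0.3';\n"
    "function init() {\u200b\u200b return true; }\n"
    "var lzcdrtfxyqiplpd = 1;\n"
    "// payload hidden in tag chars:\U000E0041\U000E0042\n"
)

# Constructed clean sample: non-ASCII letters are visible and must not be flagged.
CLEAN_SOURCE = "const greeting = 'héllo, wörld';\n"

if __name__ == "__main__":
    for f in scan_source(SAMPLE_SOURCE):
        print(f"line {f.line} col {f.column}: {f.kind} {f.detail}")
    print(summarize(scan_source(SAMPLE_SOURCE)))
```

Run it over a checkout with `scan_file` on each text file; any "invisible" finding outside string literals you can account for is worth a manual look at the surrounding commit.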

Europe sanctions Chinese and Iranian firms for cyberattacks
The EU Council has sanctioned three Chinese companies, one Iranian company and two individuals for cyberattacks targeting EU devices and critical infrastructure, including hacking over 65,000 devices, compromising SMS services, hijacking billboards, and selling personal data of Charlie Hebdo subscribers; the sanctions impose asset freezes, travel bans, and restrictions on EU entities.

Top 5 Things CISOs Need to Do Today to Secure AI Agents
CISOs must secure AI agents by treating them as first‑class digital identities with clear ownership, authentication, defined permissions and activity logging; move from fragile guardrails to tight access control that limits what systems, data, actions and conditions an agent can use; eliminate shadow AI through continuous discovery and visibility of all machine and non‑human identities; enforce security based on the agent’s intended purpose rather than static permission inheritance; and maintain full lifecycle governance—monitoring ownership, access alignment, credential rotation, review, and decommissioning—to prevent risk accumulation over time. The overarching principle is that identity—and its controlled, intent‑driven management—is the only scalable foundation for securing autonomous AI agents.

Stryker attack wiped tens of thousands of devices, no malware needed
Stryker’s recent cyberattack, allegedly linked to the Handala hacktivist group, caused a remote wipe of tens of thousands of employee devices via Microsoft Intune, without deploying malware or encrypting data. The attack was limited to Stryker’s internal Microsoft environment and did not affect its medical products; however, electronic ordering systems went offline and customers must place orders manually through sales reps while restoration efforts focus on resuming shipping and transactional services.

Microsoft Exchange Online outage blocks access to mailboxes
Microsoft’s Exchange Online is experiencing an outage that blocks users from accessing mailboxes and calendars across all connection methods, including Outlook on the web, desktop, ActiveSync, and IMAP4. The issue was first reported at 06:42 UTC; telemetry shows a decrease in incidents, but customers still report problems. Additionally, Office.com’s web portal is down and displaying an error message, and a separate outage affecting Microsoft Copilot sign‑in pages and chat services is underway. Microsoft is working on configuration changes to resolve these disruptions.

Shadow AI is Everywhere. Here’s How to Find and Secure It
Shadow AI is becoming ubiquitous across organizations, and IT security teams now need to secure and govern it rather than just approve its use. Nudge Security offers a comprehensive solution that automatically discovers all AI applications and user accounts in an organization (even those added before implementation), monitors real‑time usage, detects sensitive data sharing, tracks integrations with SaaS services, and alerts on policy violations. It also enforces an AI acceptable use policy through nudges, notifications, and acknowledgment tracking. With lightweight integration via IdP and optional browser extension, Nudge provides visibility, control, and automation for AI governance without requiring a dedicated team, allowing organizations to protect data while enabling productive AI adoption.

Microsoft pulls Samsung app blocking Windows C: drive from Store
Microsoft has removed the Samsung Galaxy Connect app from the Microsoft Store because it was causing “C: is not accessible – Access denied” errors on certain Samsung Galaxy Book 4 and Desktop models running Windows 11, blocking access to files and applications such as Outlook, Office, browsers, system utilities, and Quick Assist. The issue affects a wide range of devices (e.g., NP750XGJ, NP754XGK, DM500SGA). Microsoft and Samsung have temporarily removed the app, republished a stable previous version to mitigate recurrence, and are still working on a fix. Impacted users are advised to contact Samsung for device‑specific assistance. In addition, Microsoft released an out‑of‑band hotpatch to address a security flaw in the Routing and Remote Access Service (RRAS) on Windows 11 Enterprise devices.

OpenAI says ChatGPT ads are not rolling out globally for now
OpenAI confirmed that ChatGPT ads are currently only available in the United States and have not yet rolled out globally, despite mentions of ads in the updated privacy policy. The company emphasized a phased approach to learn from real‑world usage before expanding worldwide, noting that ads appear below answers for logged‑in users on Free and Go plans in the US, do not influence responses, and are separate from the chat model with no access to user conversations.

Microsoft Releases Windows 11 OOB HotPatch to Fix RRAS RCE Flaw
Microsoft released an out‑of‑band hotpatch (KB5084597) for Windows 11 Enterprise devices that use hotpatch updates instead of the regular Patch Tuesday cumulative updates. The patch fixes three CVE‑2026 vulnerabilities in the Windows Routing and Remote Access Service (RRAS) management tool, which could allow remote code execution when connecting to a malicious server. It applies to Windows 11 25H2, 24H2, and Enterprise LTSC 2024 systems and is cumulative, including all fixes from the March 2026 Patch Tuesday update. The hotpatch is delivered via in‑memory patching for devices enrolled in the Hotpatch program managed through Windows Autopatch, so no reboot is required.

AppsFlyer Web SDK hijacked to spread crypto‑stealing JavaScript code
AppsFlyer’s Web SDK was hijacked in a supply‑chain attack that injected malicious JavaScript designed to steal cryptocurrency by intercepting wallet addresses entered on websites and redirecting them to attacker‑controlled accounts. The compromised payload, discovered by Profero researchers, ran between March 9 and 11, 2026 and affected the official domain websdk.appsflyer.com. AppsFlyer confirmed a temporary exposure due to a domain registrar incident but reported that its mobile SDK remained safe; the company is investigating further and advising users to review logs, downgrade to known‑good SDK versions, and monitor for suspicious requests. The attack targeted major cryptocurrencies such as Bitcoin, Ethereum, Solana, Ripple, and TRON, potentially impacting thousands of businesses using AppsFlyer’s analytics services.

Microsoft investigates classic Outlook sync and connection issues
Microsoft is investigating several issues affecting the classic Outlook desktop client, including “Cannot connect to server” errors when creating groups with Exchange Web Services enabled, sync errors (0x800CCC0F/0x80070057) for Gmail and Yahoo accounts after password changes, a bug that hides the mouse pointer in Outlook and other Microsoft 365 apps, and an earlier issue preventing access to encrypted emails. The company is working on fixes—particularly replacing group functionality with REST APIs—and advises users to use the new Outlook client or OWA, delete problematic registry entries, or restart the computer as temporary workarounds until updates are released.

Google fixes two new Chrome zero‑days exploited in attacks
Google released emergency updates for Chrome, patching two high‑severity zero‑day vulnerabilities (CVE‑2026‑3909 and CVE‑2026‑3910) that were actively exploited in attacks. The first flaw is an out‑of‑bounds write in the Skia graphics library, allowing attackers to crash the browser or execute code; the second is an inappropriate implementation issue in the V8 JavaScript/WebAssembly engine. Google identified both issues within two days of reporting and rolled out fixes to Windows (146.0.7680.75), macOS (146.0.7680.76), and Linux (146.0.7680.75). The updates are immediately available, but it may take a few weeks for the out‑of‑band update to reach all systems. These are the second and third actively exploited Chrome zero‑days patched in 2026, following CVE‑2026‑2441 addressed earlier in February.

Google paid $17.1 million for vulnerability reports in 2025
Google paid over $17 million in 2025 to 747 security researchers through its Vulnerability Reward Program, marking a record high and more than a 40% increase from the previous year. The company has awarded a total of $81.6 million since the program launched in 2010, with the largest single reward last year being $250,000. In 2025, Google introduced new bug bounty programs for AI systems and OSV‑SCALIBR and expanded categories for Chrome and Android, paying out over $2.9 million for Android, $3.7 million for Chrome, and $3.6 million for Cloud. The company emphasized its commitment to collaborating with external security researchers to strengthen Google’s products and services.

Apple patches older iPhones and iPads against Coruna exploits
Apple released security updates to patch older iPhones and iPads against vulnerabilities exploited by the Coruna exploit kit, which has been used in cyberespionage and crypto‑theft attacks since 2025. The updates backport fixes for several kernel and WebKit use‑after‑free issues (CVE‑2023‑41974, CVE‑2024‑23222, CVE‑2023‑43000, CVE‑2023‑43010) to devices running iOS 15.8.7/16.7.15 and iPadOS 15.8.7/16.7.15, including models such as iPhone 6s, 7, SE (1st gen), 8, X, and various iPads. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added these vulnerabilities to its Known Exploited Vulnerabilities catalog and urged federal agencies to patch devices by March 26, citing the risks of kernel privilege escalation and remote code execution. Apple also fixed a zero‑day, CVE‑2026‑20700, earlier in the year, used in sophisticated attacks targeting specific individuals.

SQLi flaw in Elementor Ally plugin impacts 250k+ WordPress sites
A SQL injection vulnerability in Elementor’s Ally plugin (CVE‑2026‑2313) threatens over 250,000 WordPress sites. The flaw allows unauthenticated attackers to inject SQL via a URL parameter handled by the `get_global_remediations()` method, enabling data theft through time‑based blind SQL injection. The issue is fixed in version 4.1.0, released on February 23, but only about 36% of sites have upgraded, leaving many still vulnerable. WordPress also released a new patch (6.9.2) addressing several security flaws; administrators should update both the plugin and WordPress immediately.

CISA orders feds to patch n8n RCE flaw exploited in attacks
CISA has ordered federal agencies to patch an actively exploited remote‑code‑execution flaw in the open‑source workflow platform n8n (CVE‑2025‑68613) by March 25, citing the vulnerability’s potential to compromise sensitive data and system operations. The n8n team released a fix in version 1.122.0 and advised administrators to apply it immediately or restrict workflow permissions as interim mitigation. Shadowserver reports over 40,000 unpatched instances online, with significant exposure in North America and Europe. CISA urges all network defenders to secure their systems against this threat as soon as possible.

Meta adds new WhatsApp, Facebook, and Messenger anti‑scam tools
Meta has rolled out new anti‑scam tools across WhatsApp, Facebook and Messenger. The updates include device‑linking warnings on WhatsApp that alert users to suspicious QR code requests, Facebook friend‑request alerts based on limited mutual connections or mismatched locations, and expanded scam detection in Messenger with AI reviews for fake job offers and other deceptive patterns. Meta’s AI systems now scan text, images and contextual signals to spot celebrity impersonations, brand spoofing and malicious links. In 2025 the company removed over 159 million scam ads and shut down more than 10.9 million accounts linked to criminal scams, and it partnered with global law‑enforcement agencies to dismantle large Southeast Asian scam networks.

New ‘BlackSanta’ EDR killer spotted targeting HR departments
A new Russian‑speaking threat actor has been targeting HR departments for over a year with a sophisticated malware campaign that delivers the “BlackSanta” EDR killer. The attack likely starts via spear‑phishing emails containing ISO files disguised as resumes, hosted on cloud services such as Dropbox. Inside the ISO, a Windows shortcut launches PowerShell, which extracts hidden data from an image using steganography and then downloads a ZIP containing a legitimate SumatraPDF binary and a malicious DLL (DWrite.dll) for sideloading. The malware performs system fingerprinting, checks for sandbox or debugging tools, modifies Windows Defender settings, and uses process hollowing to execute additional payloads. BlackSanta itself silences endpoint security by adding exclusions for .dls and .sys files, disabling telemetry, and terminating antivirus/EDR processes at the kernel level. Additional drivers such as RogueKiller and IObitUnlocker are used to gain elevated privileges and further suppress security tools. The campaign ran unnoticed for a year, with multiple IP addresses and infrastructure linked to the same threat actor.

New BeatBanker Android malware poses as Starlink app to hijack devices
BeatBanker is a new Android malware that masquerades as a Starlink app on fake Google Play Store sites, tricking users into installing it. The threat combines banking trojan functions with Monero mining and can steal credentials, tamper with crypto transactions, and provide full device control via the BTMOB RAT. It evades analysis by decrypting hidden code, displays a fake update screen to gain permissions, and maintains persistence by continuously playing an inaudible MP3 file. The malware uses a modified XMRig miner for ARM devices, sending device status via Firebase Cloud Messaging to manage mining activity stealthily. Kaspersky found infections in Brazil but warns that the threat could spread elsewhere, urging users to avoid sideloading APKs and review permissions carefully.

Microsoft Releases Windows 10 KB5078885 Extended Security Update – Fixes Zero‑Days and Device Shut‑Down Issue
Microsoft released Windows 10 KB5078885, an extended security update that fixes 79 vulnerabilities—including two zero‑day exploits—and resolves issues such as devices being unable to shut down or hibernate with Secure Launch enabled, folder renaming problems, and GPU stability bugs. The update brings Windows 10 to build 19045.7058 (or 19044.7058 for Enterprise LTSC 2021) and is available via the standard Windows Update mechanism for users in the ESU program. It also continues the rollout of new Secure Boot certificates to replace expiring ones, ensuring ongoing boot security.

CISA flags Ivanti EPM vulnerability as actively exploited – federal agencies must patch within 3 weeks
CISA has flagged the high‑severity Ivanti Endpoint Manager (EPM) vulnerability CVE‑2026‑1603 as actively exploited, ordering U.S. federal agencies to patch within three weeks. The flaw allows remote attackers to bypass authentication and steal credentials via low‑complexity cross‑site scripting attacks without user interaction. Although Ivanti released a patch in February 2026 that also addressed an SQL injection flaw, the agency’s alert indicates the vulnerability is now being used in the wild, even though Ivanti itself has not reported exploitation. The Shadowserver platform tracks over 700 Internet‑exposed EPM instances, primarily in North America, but their current patch status remains unclear. CISA added CVE‑2026‑1603 to its Known Exploited Vulnerabilities catalog and issued a binding directive for federal agencies to patch by March 23. This follows previous advisories on other actively exploited Ivanti EPM flaws, underscoring the ongoing risk of endpoint management software vulnerabilities.

Windows 10 KB5075039 Update Fixes Broken Recovery Environment
Microsoft released the KB5075039 Windows Recovery Environment (WinRE) update for Windows 10 to resolve a long‑standing issue that prevented the recovery environment from starting after installing the October 2025 update KB5068164. The new patch fixes WinRE so it can launch correctly, but users must ensure their WinRE partition is at least 256 MB in size; if not, they need to resize the partition (with backup recommended).

ClawJacked Attack: Malicious Websites Hijack OpenClaw AI Agent to Steal Data
OpenClaw, a popular self‑hosted AI platform, suffered a high‑severity “ClawJacked” vulnerability that allowed malicious websites to brute‑force local gateway login via WebSocket connections to localhost. The flaw bypasses rate limiting and auto‑approves device pairings from the loopback address, enabling attackers to gain admin access, steal credentials, read logs, and execute commands on connected devices. Researchers demonstrated password cracking at hundreds of attempts per second, exposing even user‑chosen passwords. OpenClaw fixed the issue in version 2026.2.26 released within 24 hours; users should update immediately to prevent hijacking.

QuickLens Chrome Extension Steals Crypto – A ClickFix Attack Revealed
The Chrome extension “QuickLens – Search Screen with Google Lens” was removed from the Chrome Web Store after a malicious update (v5.8) pushed malware that stole cryptocurrency and user data, including wallet seed phrases, credentials, and sensitive form information. The update stripped security headers, injected scripts fetched from a command‑and‑control server, and displayed fake “Google Update” prompts leading to ClickFix attacks that downloaded an executable named googleupdate.exe. Users who installed the extension should uninstall it, scan for malware, reset passwords, and move crypto funds to new wallets. Chrome now automatically disables the extension for affected users.

Previously harmless Google API keys now expose Gemini AI data
Google’s new Gemini AI has turned previously harmless public Google API keys into powerful access points for the AI assistant, allowing attackers to read private data and incur high usage costs. TruffleSecurity uncovered nearly 3,000 exposed keys across many sites, including major firms, and warned that these keys can be used to call Gemini’s API and exploit its paid services. After reporting the issue, Google classified it as a privilege escalation flaw, implemented proactive blocking of leaked keys from accessing Gemini, and advised developers to audit and rotate any publicly exposed keys immediately.

1Campaign platform helps malicious Google ads evade detection
A new cybercrime tool called 1Campaign lets attackers run malicious Google ads that pass the platform’s automated checks and stay online for long periods while hiding from security scanners. The cloaking service filters visitors in real time—only showing phishing or crypto‑drainer pages to genuine users, blocking traffic from cloud providers, VPNs, and other suspicious sources—and allows operators to target specific regions, ISPs, and device types. By manipulating browser fingerprints and routing through a diverse IP pool, the platform evades static URL scanning and can impersonate legitimate brands in ads, making it difficult for security researchers to detect and stop these malicious campaigns.

Microsoft Adds Copilot Data Controls to All Storage Locations
Microsoft is expanding its data‑loss prevention controls to block the Microsoft 365 Copilot AI assistant from processing confidential Word, Excel and PowerPoint documents regardless of where they are stored—whether on local devices or in SharePoint/OneDrive. The update will be deployed through the Augmentation Loop (AugLoop) Office component between late March and late April 2026, automatically enabling the restriction for organizations that already have DLP policies set to block Copilot from handling sensitivity‑labeled content. This change follows a bug that had allowed Copilot to summarize confidential emails in users’ Sent Items and Drafts folders despite active DLP protections.

Microsoft says bug in classic Outlook hides the mouse pointer
Microsoft has confirmed a bug in the classic Outlook desktop client that causes the mouse pointer to disappear while users navigate the interface, making the app unusable for some. The issue, which also affects other Microsoft 365 apps like OneNote, was first reported online nearly two months ago. Microsoft is investigating and advising affected users to open a support case with their M365 administrator and submit diagnostic logs. While no permanent fix timeline has been released, three temporary workarounds are available: clicking an email in the message list, switching to PowerPoint and back, or restarting the computer. The Outlook team will provide updates as more information becomes available.