NCSA Webboard

    Cyber Threat Intelligence 30 March 2026

    Cyber Security News
    • NCSA_THAICERT

      Vulnerabilities

      • LangDrained: 3 Paths To Your Data Through LangChain, The World’s Most Popular AI Framework
        "When we think about AI security, our minds often jump to futuristic threats: rogue autonomous agents, complex model jailbreaks, or clever prompt injections. We imagine attackers outsmarting the AI itself. But over the past few months, our research team has discovered that the biggest threat to your enterprise AI data might not be as complex as you think. In fact, it hides in the invisible, foundational plumbing that connects your AI to your business. This layer is vulnerable to some of the oldest tricks in the hacker playbook."
        https://www.cyera.com/research/langdrained-3-paths-to-your-data-through-the-worlds-most-popular-ai-framework
        https://thehackernews.com/2026/03/langchain-langgraph-flaws-expose-files.html
      • CISA Adds One Known Exploited Vulnerability To Catalog
        "CISA has added one new vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.
        CVE-2025-53521 F5 BIG-IP Remote Code Execution Vulnerability"
        https://www.cisa.gov/news-events/alerts/2026/03/27/cisa-adds-one-known-exploited-vulnerability-catalog
        https://thehackernews.com/2026/03/cisa-adds-cve-2025-53521-to-kev-after.html
        https://securityaffairs.com/190076/uncategorized/u-s-cisa-adds-a-flaw-in-f5-big-ip-amp-to-its-known-exploited-vulnerabilities-catalog.html
        https://www.helpnetsecurity.com/2026/03/28/big-ip-apm-vulnerability-cve-2025-53521-exploited/
      • Open Sesame: How a Fail-Open Bug In Open VSX's New Scanner Let Malware Walk Right In
        "Open VSX, the extension marketplace behind Cursor, Windsurf, and the broader VS Code fork ecosystem, recently rolled out a pre-publish scanning pipeline. That's a big deal, and the right move. Malware detection, secret scanning, binary analysis, name-squatting prevention. Exactly the kind of infrastructure the ecosystem desperately needed. Here's the thing. The pipeline had a single boolean return value that meant both "no scanners are configured" and "all scanners failed to run." The caller couldn't tell the difference. So when scanners failed under load, Open VSX treated it as "nothing to scan for" and waved the extension right through."
        https://www.koi.ai/blog/open-sesame-how-a-fail-open-bug-in-open-vsxs-new-scanner-let-malware-walk-right-in
        https://thehackernews.com/2026/03/open-vsx-bug-let-malicious-vs-code.html
      • 800,000 WordPress Sites Affected By Arbitrary File Read Vulnerability In Smart Slider 3 WordPress Plugin
        "On February 23, 2026, we received a submission for an Arbitrary File Read vulnerability in Smart Slider 3, a WordPress plugin with an estimated more than 800,000 active installations. This vulnerability makes it possible for an authenticated attacker, with subscriber-level permissions or higher, to read arbitrary files on the server, which may contain sensitive information. Props to Dmitrii Ignatyev who discovered and responsibly reported this vulnerability through the Wordfence Bug Bounty Program. This researcher earned a bounty of $2,208.00 for this discovery."
        https://www.wordfence.com/blog/2026/03/800000-wordpress-sites-affected-by-arbitrary-file-read-vulnerability-in-smart-slider-3-wordpress-plugin/
        https://www.bleepingcomputer.com/news/security/file-read-flaw-in-smart-slider-plugin-impacts-500k-wordpress-sites/

      Malware

      • Popular Telnyx Package Compromised On PyPI By TeamPCP
        "This morning's telnyx compromise is the latest move in what is now a weeks-long TeamPCP supply chain campaign crossing multiple ecosystems. Trivy. Checkmarx. LiteLLM. And now Telnyx on PyPI, uploaded hours ago at 03:51 UTC on March 27. The pattern is consistent: steal credentials from a trusted security tool, use those credentials to push malicious versions of whatever that tool had access to, collect whatever's running in the next environment, repeat."
        https://www.aikido.dev/blog/telnyx-pypi-compromised-teampcp-canisterworm
        https://socket.dev/blog/telnyx-python-sdk-compromised
        https://www.endorlabs.com/learn/teampcp-strikes-again-telnyx-compromised-three-days-after-litellm
        https://thehackernews.com/2026/03/teampcp-pushes-malicious-telnyx.html
        https://www.bleepingcomputer.com/news/security/backdoored-telnyx-pypi-package-pushes-malware-hidden-in-wav-audio/
        https://www.infosecurity-magazine.com/news/teampcp-targets-telnyx-pypi-package/
        https://www.helpnetsecurity.com/2026/03/27/teampcp-telnyx-supply-chain-compromise/
      • Dutch Police Discloses Security Breach After Phishing Attack
        "The Dutch National Police (Politie) says a security breach resulting from a successful phishing attack has had a limited impact and hasn't affected citizens' data. It also stated that the incident is still under investigation by the agency's security experts and that the attackers' access to compromised systems has been blocked. "The police have been the target of a phishing attack. The police's Security Operations Center detected the incident very quickly and immediately blocked access," the police said in a Wednesday press release."
        https://www.bleepingcomputer.com/news/security/dutch-police-discloses-security-breach-after-phishing-attack/
      • Widespread GitHub Campaign Uses Fake VS Code Security Alerts To Deliver Malware
        "A large-scale phishing campaign is targeting developers directly inside GitHub, using fake Visual Studio Code security alerts posted through Discussions to trick users into installing malicious software. Here's one example, saved to the Internet Archive, as we assume these will quickly be taken down:"
        https://socket.dev/blog/widespread-github-campaign-uses-fake-vs-code-security-alerts-to-deliver-malware
        https://www.bleepingcomputer.com/news/security/fake-vs-code-alerts-on-github-spread-malware-to-developers/
      • China’s APT41 And The Expanding Enterprise Attack Surface: What Security Teams Must Prepare For
        "The modern enterprise attack surface is no longer confined to corporate networks and endpoints; it now stretches across cloud workloads, supply chains, remote devices, and even operational technology environments. Within this fragmented landscape, the activities of the APT41 threat group stand out as a signal of how hackers and adversaries are adapting. Known for blending state-sponsored espionage with financially motivated operations, APT41 represents a dual-purpose threat model that security teams can no longer afford to treat as an edge case."
        https://cyble.com/blog/apt41-enterprise-attack-surface-cyber-risk/
      • New BianLian Ransomware Activity Detected: SVG Phishing Campaign Targeting Venezuelan Companies
        "WatchGuard telemetry identified some malicious files being downloaded by victims, and almost all of them originated in Venezuela, indicating a possible malicious campaign targeting companies in this country. The malicious files are distributed via phishing emails that have a SVG file with a filename in Spanish, generally indicating invoices, receipts, or budgets. SVG stands for Scalable Vector Graphics, a file format for two-dimensional vector images. It allows images to be scaled without loss of quality, making it ideal for web graphics like logos and illustrations."
        https://www.watchguard.com/wgrd-security-hub/secplicity-blog/new-bianlian-ransomware-activity-detected-svg-phishing-campaign
        https://hackread.com/bianlian-ransomware-fake-invoice-svg-images-attacks/
      • Bogus Avast Website Fakes Virus Scan, Installs Venom Stealer Instead
        "A fake website impersonating Avast antivirus is tricking people into infecting their own computers. The site looks legitimate, runs what appears to be a virus scan, and claims your system is full of threats. But the results are fake: when you’re prompted to “fix” the problem, the download you’re given is actually Venom Stealer—a type of malware designed to steal passwords, session cookies, and cryptocurrency wallet data. This is a classic scare-and-fix scam: create panic, then offer a solution. In this case, the “solution” abuses the trusted Avast brand to deliver the attack."
        https://www.malwarebytes.com/blog/threat-intel/2026/03/bogus-avast-website-fakes-virus-scan-installs-venom-stealer-instead
      • NICKEL ALLEY Strategy: Fake It ‘til You Make It
        "Counter Threat Unit™ (CTU) researchers continue to investigate trends in Contagious Interview campaign activity conducted by NICKEL ALLEY, a threat group operating on behalf of the North Korean government. The group notoriously targets professionals in the technology sector by advertising fake job opportunities, deceiving prospective candidates through a fake job interview process, and ultimately delivering malware. In targeted attacks, NICKEL ALLEY often creates a fake LinkedIn company page to build credibility and maintains a coordinating GitHub account for malware delivery. In some instances, the threat actors have used the popular ‘ClickFix’ tactic to deliver malware via fake job skills assessment tasks. Additionally, the group has conducted opportunistic attacks by compromising npm package repositories and establishing typosquatted npm packages. Figure 1 highlights NICKEL ALLEY’s three areas of focus."
        https://www.sophos.com/en-us/blog/nickel-alley-strategy-fake-it-til-you-make-it
      • Citrix NetScaler Under Active Recon For CVE-2026-3055 (CVSS 9.3) Memory Overread Bug
        "A recently disclosed critical security flaw impacting Citrix NetScaler ADC and NetScaler Gateway is witnessing active reconnaissance activity, according to Defused Cyber and watchTowr. The vulnerability, CVE-2026-3055 (CVSS score: 9.3), refers to a case of insufficient input validation leading to memory overread, which an attacker could exploit to leak potentially sensitive information. Per Citrix, successful exploitation of the flaw hinges on the appliance being configured as a SAML Identity Provider (SAML IDP)."
        https://thehackernews.com/2026/03/citrix-netscaler-under-active-recon-for.html
        https://securityaffairs.com/190131/hacking/urgent-alert-netscaler-bug-cve-2026-3055-probed-by-attackers-could-leak-sensitive-data.html
      • TA446 Deploys DarkSword iOS Exploit Kit In Targeted Spear-Phishing Campaign
        "Proofpoint has disclosed details of a targeted email campaign in which threat actors with ties to Russia are leveraging the recently disclosed DarkSword exploit kit to target iOS devices. The activity has been attributed with high confidence to the Russian state-sponsored threat group known as TA446, which is also tracked by the broader cybersecurity community under the monikers Callisto, COLDRIVER, and Star Blizzard (formerly SEABORGIUM). It's assessed to be affiliated with Russia's Federal Security Service (FSB). The hacking group is known for spear-phishing campaigns aimed at harvesting credentials from targets of interest. However, attacks mounted by the threat actor over the past year have targeted victims' WhatsApp accounts, as well as leveraged various custom malware families to steal sensitive data."
        https://thehackernews.com/2026/03/ta446-deploys-leaked-darksword-ios.html
      • A Cunning Predator: How Silver Fox Preys On Japanese Firms This Tax Season
        "Japan has entered its annual tax filing and organizational change season, a period when companies generate a high volume of legitimate financial and HR‑related communications. A threat actor known as Silver Fox is actively exploiting this busy period by conducting a targeted spearphishing campaign against Japanese manufacturers and other businesses. The ongoing campaign uses convincing phishing lures related to tax compliance violations, salary adjustments, job position changes, and employee stock ownership plans. All emails share the same goal – trick the recipients into opening malicious links or attachments. As employees actually expect to receive emails about these subjects this time of year, they’re more likely to trust and act on such messages without a second thought. Needless to say, this significantly increases the risk of compromise."
        https://www.welivesecurity.com/en/business-security/cunning-predator-how-silver-fox-preys-japanese-firms-tax-season/

      Breaches/Hacks/Leaks

      • European Commission Investigating Breach After Amazon Cloud Account Hack
        "The European Commission, the European Union's main executive body, is investigating a security breach after a threat actor gained access to the Commission's Amazon cloud environment. Although the EU's executive cabinet has yet to disclose the incident publicly, BleepingComputer has learned that the breach affected at least one of the Commission's AWS (Amazon Web Services) accounts. "AWS did not experience a security event, and our services operated as designed," an AWS spokesperson told BleepingComputer after publishing time."
        https://www.bleepingcomputer.com/news/security/european-commission-investigating-breach-after-amazon-cloud-account-hack/
        https://securityaffairs.com/190067/data-breach/the-european-commission-confirmed-a-cyberattack-affecting-part-of-its-cloud-systems.html
        https://hackread.com/shinyhunters-350gb-data-breach-european-commission/
        https://securityaffairs.com/190095/data-breach/shinyhunters-claims-the-hack-of-the-european-commission.html
      • ShinyHunters Walk Away From BreachForums, Leak 300,000-User Database
        "The infamous ShinyHunters hacker group has stepped away from BreachForums, calling it a “waste of time” after the FBI seizure in October 2025. At the same time, the group has released an updated database affecting more than 300,000 BreachForums users. Early checks indicate that even recently created accounts are included in the leak. Analysis of the leaked data by Hackread.com confirms that it contains full account profiles, not just basic user credentials."
        https://hackread.com/shinyhunters-breachforums-leak-300000-user-database/
      • Pro-Iranian Hacking Group Claims Credit For Hack Of FBI Director Kash Patel’s Personal Account
        "A pro-Iranian hacking group claimed Friday to have hacked an account of FBI Director Kash Patel and has posted online what appear to be years-old photographs of him, along with a work resume and other personal documents. Many of those records appeared to be more than a decade old. “Kash Patel, the current head of the FBI, who once saw his name displayed with pride on the agency’s headquarters, will now find his name among the list of successfully hacked victims,” said a message posted Friday from the group Handala."
        https://www.securityweek.com/pro-iranian-hacking-group-claims-credit-for-hack-of-fbi-director-kash-patels-personal-account/
        https://therecord.media/fbi-confirms-theft-of-directors-personal-emails-iran-group
        https://thehackernews.com/2026/03/iran-linked-hackers-breach-fbi.html
        https://www.bleepingcomputer.com/news/security/fbi-confirms-hack-of-director-patels-personal-email-inbox/
        https://cyberscoop.com/handala-hackers-target-fbi-director-kash-patel-email/
        https://www.bankinfosecurity.com/handala-hacks-fbi-director-kash-patels-personal-email-a-31244
        https://hackread.com/iran-handala-hackers-fbi-chief-kash-patel-gmail-breach/
        https://securityaffairs.com/190088/intelligence/iran-linked-group-handala-hacked-fbi-director-kash-patels-personal-email-account.html

      General News

      • Security Boffins Scoured The Web And Found Hundreds Of Valid API Keys
        "Computer security boffins have conducted an analysis of 10 million websites and found almost 2,000 API credentials strewn across 10,000 webpages. The researchers detail their findings in a preprint paper titled "Keys on Doormats: Exposed API Credentials on the Web," and say they conducted the study because much of the attention on exposed credentials has focused on scouring code repositories and source code. They argue that dynamic analysis of production websites is essential to understand the scope of the problem."
        https://www.theregister.com/2026/03/27/security_boffins_harvest_bumper_crop/
        https://arxiv.org/abs/2603.12498
      • Security Leaders Say The Next Two Years Are Going To Be ‘insane’
        "Every RSA Conference has its buzzwords. Cloud. Ransomware. Zero trust. Plastered across the 87-acre Moscone Center complex on every booth, banner and bar. This year was AI, with vendors pitching AI-powered solutions to every security problem imaginable. But 2026 stood out for a different reason: Industry leaders spent the conference warning about disruption from the very technology everyone was selling."
        https://cyberscoop.com/ai-cyberattacks-two-years-insane-vulnerabilities-kevin-mandia-alex-stamos-morgan-adamski-rsac-2026/
      • Wartime Usage Of Compromised IP Cameras Highlight Their Danger
        "Compromised Internet-connected cameras — once the fodder of botnet operators and online voyeurs — have become an important military asset in recent conflicts, with Russian and Ukrainian forces hacking cameras to gather intelligence on the other side, Iran using compromised devices for targeted strikes, and a joint US-Israeli mission reportedly relying on connected cameras for the successful strike on Iran's leader. In the latest incident, Israel and the US reportedly hijacked Iran's network of traffic cameras, which the government used to surveil protesters and to track the movements of Iranian leader Ayatollah Ali Khamenei prior to targeting him with an air strike, killing him on Feb. 28, according to reports this month by the Financial Times and the Associated Press. Following that attack, Iran responded by increasing its attempts to gain eyes in Israel, Qatar, Bahrain, Kuwait, the United Arab Emirates, and Cyprus, according to a report from Israeli cybersecurity firm Check Point Software."
        https://www.darkreading.com/cyber-risk/wartime-usage-of-compromised-ip-cameras-highlight-their-danger
      • Disrupting Cybercrime Networks At Scale Requires Sustained Global Collaboration
        "Cybercrime today operates less like isolated criminal activity and more like a globalized digital economy in which specialized actors provide services, infrastructure, and expertise that allow attacks to scale efficiently across borders. Ransomware groups rely on initial access brokers to obtain footholds into enterprise networks, malware developers package tools for sale in underground marketplaces, and money-laundering networks specialize in converting illicit gains into financial assets that can move through global financial systems. Taken together, these roles form an industrialized criminal supply chain that mirrors many characteristics of legitimate digital economies. More, the rise of shadow agents is poised to accelerate growth of the cybercriminal ecosystem."
        https://www.fortinet.com/blog/industry-trends/disrupting-cybercrime-networks-at-scale-requires-sustained-global-collaboration
      • Quantum Frontiers May Be Closer Than They Appear
        "Google’s introducing a 2029 timeline to secure the quantum era with post-quantum cryptography (PQC) migration. Last month, we called to secure the quantum era before a future quantum computer can break current encryption. This new timeline reflects migration needs for the PQC era in light of progress on quantum computing hardware development, quantum error correction, and quantum factoring resource estimates. As a pioneer in both quantum and PQC, it’s our responsibility to lead by example and share an ambitious timeline. By doing this, we hope to provide the clarity and urgency needed to accelerate digital transitions not only for Google, but also across the industry."
        https://blog.google/innovation-and-ai/technology/safety-security/cryptography-migration-timeline/
        https://www.darkreading.com/application-security/google-2029-deadline-quantum-safe-cryptography
        https://cyberscoop.com/google-moves-post-quantum-encryption-timeline-to-2029/
        https://www.infosecurity-magazine.com/news/quantum-encryption-q-day-closer/
        https://www.bankinfosecurity.com/googles-2029-quantum-deadline-wake-up-call-a-31247
        https://hackread.com/google-2029-deadline-quantum-computers-encryption/
        https://www.helpnetsecurity.com/2026/03/26/google-pqc-migration-timeline-2029/

      References
      Electronic Transactions Development Agency (ETDA)
