TECHZONE
TECHZONE CYBERNEWS && UPDATES

Welcome To TECHZONE
✔️Infosec Facts
✔️Cheatsheets
✔️Free Courses
✔️Open source tools
✔️Tech news
North Korean Hackers Abuse VS Code Auto-Run Tasks to Deploy StoatWaffle Malware
https://thehackernews.com/2026/03/north-korean-hackers-abuse-vs-code-auto.html

The North Korean threat actors behind the Contagious Interview campaign, also tracked as WaterPlum, have been attributed to a malware family tracked as StoatWaffle that's distributed via malicious Microsoft Visual Studio Code (VS Code) projects.
The use of VS Code "tasks.json" to distribute malware is a relatively new tactic adopted by the threat actor since December 2025, with the attacks

Citrix Urges Patching Critical NetScaler Flaw Allowing Unauthenticated Data Leaks
https://thehackernews.com/2026/03/citrix-urges-patching-critical.html

Citrix has released security updates to address two vulnerabilities in NetScaler ADC and NetScaler Gateway, including a critical flaw that could be exploited to leak sensitive data from the application.
The vulnerabilities are listed below -

CVE-2026-3055 (CVSS score: 9.3) - Insufficient input validation leading to memory overread
CVE-2026-4368 (CVSS score: 7.7) - Race condition leading to user

The Hidden Cost of Cybersecurity Specialization: Losing Foundational Skills
https://thehackernews.com/2026/03/the-hidden-cost-of-cybersecurity.html

Cybersecurity has changed fast. Roles are more specialized, and tooling is more advanced. On paper, this should make organizations more secure. But in practice, many teams struggle with the same basic problems they faced years ago: unclear risk priorities, misaligned tooling decisions, and difficulty explaining security issues in terms the business understands.
These challenges do not

Hackers Use Fake Resumes to Steal Enterprise Credentials and Deploy Crypto Miner
https://thehackernews.com/2026/03/hackers-use-fake-resumes-to-steal.html

An ongoing phishing campaign is targeting French-speaking corporate environments with fake resumes that lead to the deployment of cryptocurrency miners and information stealers.
"The campaign uses highly obfuscated VBScript files disguised as resume/CV documents, delivered through phishing emails," Securonix researchers Shikha Sangwan, Akshay Gaikwad, and Aaron Beardslee said in a report shared

5 Learnings from the First-Ever Gartner Market Guide for Guardian Agents
https://thehackernews.com/2026/03/5-learnings-from-first-ever-gartner.html

On February 25, 2026, Gartner published its inaugural Market Guide for Guardian Agents, marking an important milestone for this emerging category. For those unfamiliar with the various Gartner report types, “a Market Guide defines a market and explains what clients can expect it to do in the short term. With the focus on early, more chaotic markets, a Market Guide does not rate or position

Tax Search Ads Deliver ScreenConnect Malware Using Huawei Driver to Disable EDR
https://thehackernews.com/2026/03/tax-search-ads-deliver-screenconnect.html

A large-scale malvertising campaign active since January 2026 has been observed targeting U.S.-based individuals searching for tax-related documents to serve rogue installers for ConnectWise ScreenConnect that drop a tool named HwAudKiller to blind security programs using the bring your own vulnerable driver (BYOVD) technique.
"The campaign abuses Google Ads to serve rogue ScreenConnect (

TeamPCP Backdoors LiteLLM Versions 1.82.7–1.82.8 Likely via Trivy CI/CD Compromise
https://thehackernews.com/2026/03/teampcp-backdoors-litellm-versions.html

TeamPCP, the threat actor behind the recent compromises of Trivy and KICS, has now compromised a popular Python package named litellm, pushing two malicious versions containing a credential harvester, a Kubernetes lateral movement toolkit, and a persistent backdoor.
Multiple security vendors, including Endor Labs and JFrog, revealed that litellm versions 1.82.7 and 1.82.8 were published on

Cloud workload security: Mind the gaps
https://www.welivesecurity.com/en/business-security/cloud-workload-security-mind-gaps/

As IT infrastructure expands, visibility and control often lag behind – until an incident forces a reckoning

FCC Bans New Foreign-Made Routers Over Supply Chain and Cyber Risk Concerns
https://thehackernews.com/2026/03/fcc-bans-new-foreign-made-routers-over.html

The U.S. Federal Communications Commission (FCC) said on Monday that it was banning the import of new, foreign-made consumer routers, citing "unacceptable" risks to cyber and national security.
The action was designed to safeguard Americans and the underlying communications networks the country relies on, FCC Chairman Brendan Carr said in a post on X. The development means that new models of

Device Code Phishing Hits 340+ Microsoft 365 Orgs Across Five Countries via OAuth Abuse
https://thehackernews.com/2026/03/device-code-phishing-hits-340-microsoft.html

Cybersecurity researchers are calling attention to an active device code phishing campaign that's targeting Microsoft 365 identities across more than 340 organizations in the U.S., Canada, Australia, New Zealand, and Germany.
The activity, per Huntress, was first spotted on February 19, 2026, with subsequent cases appearing at an accelerated pace since then. Notably, the campaign leverages

Russian Hacker Sentenced to 2 Years for TA551 Botnet-Driven Ransomware Attacks
https://thehackernews.com/2026/03/russian-hacker-sentenced-to-2-years-for.html

The U.S. Department of Justice (DoJ) said a Russian national has been sentenced to two years in prison for managing a botnet that was used to launch ransomware attacks against U.S. companies.
Ilya Angelov, 40, of Tolyatti, Russia, was also fined $100,000. Angelov, who went by the online aliases "milan" and "okart," is said to have co-managed a Russia-based cybercriminal group known as TA551 (aka

The Kill Chain Is Obsolete When Your AI Agent Is the Threat
https://thehackernews.com/2026/03/the-kill-chain-is-obsolete-when-your-ai.html

In September 2025, Anthropic disclosed that a state-sponsored threat actor used an AI coding agent to execute an autonomous cyber espionage campaign against 30 global targets. The AI handled 80-90% of tactical operations on its own, performing reconnaissance, writing exploit code, and attempting lateral movement at machine speed.
This incident is worrying, but there's a scenario that should

GlassWorm Malware Uses Solana Dead Drops to Deliver RAT and Steal Browser, Crypto Data
https://thehackernews.com/2026/03/glassworm-malware-uses-solana-dead.html

Cybersecurity researchers have flagged a new evolution of the GlassWorm campaign that delivers a multi-stage framework capable of comprehensive data theft and installing a remote access trojan (RAT), which deploys an information-stealing Google Chrome extension masquerading as an offline version of Google Docs.
"It logs keystrokes, dumps cookies and session tokens, captures screenshots, and

LeakBase Admin Arrested in Russia Over Massive Stolen Credential Marketplace
https://thehackernews.com/2026/03/leakbase-admin-arrested-in-russia-over.html

The alleged administrator of the LeakBase cybercrime forum has been arrested by Russian law enforcement authorities, state media reported Thursday.
According to TASS and MVD Media, a news website linked to the Russian Interior Ministry, the suspect is a resident of the city of Taganrog. The suspect is said to have been detained for creating and managing a criminal site that allowed stolen

Virtual machines, virtually everywhere – and with real security gaps
https://www.welivesecurity.com/en/business-security/virtual-machines-virtually-everywhere-real-security-gaps/

Cloud VMs offer unmatched speed, scale and flexibility – all of which could eventually count for little if they’re left to fend for themselves

WebRTC Skimmer Bypasses CSP to Steal Payment Data from E-Commerce Sites
https://thehackernews.com/2026/03/webrtc-skimmer-bypasses-csp-to-steal.html

Cybersecurity researchers have discovered a new payment skimmer that uses WebRTC data channels as a means to receive payloads and exfiltrate data, effectively bypassing security controls.
"Instead of the usual HTTP requests or image beacons, this malware uses WebRTC data channels to load its payload and exfiltrate stolen payment data," Sansec said in a report published this week.
The attack,

China-Linked Red Menshen Uses Stealthy BPFDoor Implants to Spy via Telecom Networks
https://thehackernews.com/2026/03/china-linked-red-menshen-uses-stealthy.html

A long-term and ongoing campaign attributed to a China-nexus threat actor has embedded itself in telecom networks to conduct espionage against government networks.
The strategic positioning activity, which involves implanting and maintaining stealthy access mechanisms within critical environments, has been attributed to Red Menshen, a threat cluster that's also tracked as Earth Bluecrow,

LangChain, LangGraph Flaws Expose Files, Secrets, Databases in Widely Used AI Frameworks
https://thehackernews.com/2026/03/langchain-langgraph-flaws-expose-files.html

Cybersecurity researchers have disclosed three security vulnerabilities impacting LangChain and LangGraph that, if successfully exploited, could expose filesystem data, environment secrets, and conversation history.
Both LangChain and LangGraph are open-source frameworks that are used to build applications powered by Large Language Models (LLMs). LangGraph is built on the foundations of

Apple Sends Lock Screen Alerts to Outdated iPhones Over Active Web-Based Exploits
https://thehackernews.com/2026/03/apple-sends-lock-screen-alerts-to.html

Apple is now sending Lock Screen notifications to iPhones and iPads running older versions of iOS and iPadOS to alert users of web-based attacks and urge them to install the update.
The development was first reported by MacRumors.
"Apple is aware of attacks targeting out-of-date iOS software, including the version on your iPhone. Install this critical update to protect your iPhone," the

CISA Adds CVE-2025-53521 to KEV After Active F5 BIG-IP APM Exploitation
https://thehackernews.com/2026/03/cisa-adds-cve-2025-53521-to-kev-after.html

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Friday added a critical security flaw impacting F5 BIG-IP Access Policy Manager (APM) to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation.
The vulnerability in question is CVE-2025-53521 (CVSS v4 score: 9.3), which could allow a threat actor to achieve remote code execution.
"When a

TA446 Deploys DarkSword iOS Exploit Kit in Targeted Spear-Phishing Campaign
https://thehackernews.com/2026/03/ta446-deploys-leaked-darksword-ios.html

Proofpoint has disclosed details of a targeted email campaign in which threat actors with ties to Russia are leveraging the recently disclosed DarkSword exploit kit to target iOS devices.
The activity has been attributed with high confidence to the Russian state-sponsored threat group known as TA446, which is also tracked by the broader cybersecurity community under the monikers Callisto,