Researchers found 2,863 live Google API keys publicly exposed that could authenticate to Gemini endpoints once the API was enabled in a project.

Keys meant for billing could access files, cached data, and run LLM calls, racking up charges.

🔗 Read → https://thehackernews.com/2026/02/thousands-of-public-google-cloud-api.html

A malicious website could take over your OpenClaw AI agent without any click beyond visiting the page.

Oasis Security's ClawJacked chain exploits localhost WebSocket trust: brute-force gateway password, silently pair as trusted device, gain admin control to interact, enumerate, exfil data.

🔗 Read → https://thehackernews.com/2026/02/clawjacked-flaw-lets-malicious-sites.html

⚠️ Contagious Interview resurfaced with 26 malicious npm packages.

They decode steganographic C2 data from Pastebin essays, then deploy VS Code persistence, keylogging, browser and crypto wallet theft, and a cross-platform RAT. Infrastructure spans 31 Vercel deployments.

🔗 Read → https://thehackernews.com/2026/03/north-korean-hackers-publish-26-npm.html

🛑 Microsoft fixed CVE-2026-21513 (CVSS 8.8) in February after confirming zero-day exploitation in MSHTML.

A flaw in ieframe.dll let attackers bypass Mark-of-the-Web and IE ESC, enabling potential code execution.

Akamai linked a malicious LNK sample to infrastructure associated with APT28.

🔗 Read → https://thehackernews.com/2026/03/apt28-tied-to-cve-2026-21513-mshtml-0.html

⚡ Bot traffic often looks legitimate. It’s HTTPS, well-formed, and hits your own APIs.

SafeLine is a self-hosted reverse-proxy WAF built to detect business-logic abuse alongside SQLi and XSS. The vendor claims 99.45% detection accuracy, with rate limiting and anti-bot challenges built in.

🔗 Read → https://thehackernews.com/2026/03/how-to-protect-your-saas-from-bot.html

Strategic Framework for Communicating AI Security

This free, editable template helps security leaders communicate AI risk, posture, and priorities in a way the board understands, using real metrics, risk narratives, and strategic framing.

🔗 Get the Template → https://thn.news/ai-board-template

Cloud, AI, SD-WAN, VPNs, developer tools, telecom, and critical sectors under strain.

⚠️ Zero-days exploited.
🤖 AI models scraped.
☁️ Cloud keys exposed.
🛰️ C2 hidden in trusted services.
🎯 Critical CVEs piling up.
📡 80K+ VPN scans in days.

This week’s recap shows where risk is quietly expanding: https://thehackernews.com/2026/03/weekly-recap-sd-wan-0-day-critical-cves.html

🔐 Chrome is testing Merkle Tree Certificates (MTCs) to prepare HTTPS for the post-quantum era.

Instead of embedding post-quantum keys in bulky X.509 chains, a CA signs one “Tree Head” covering millions of certs. Browsers get a compact proof of inclusion, reducing TLS handshake data.

🔗 Read → https://thehackernews.com/2026/03/google-develops-merkle-tree.html

⚠️ A new Google Chrome flaw (CVE-2026-0628, CVSS 8.8) could let a malicious extension inject code into the Gemini side panel due to weak WebView policy enforcement.

Successful exploitation enabled privilege escalation and potential access to the camera, microphone, screenshots, and local files.

🔗 Details → https://thehackernews.com/2026/03/new-chrome-vulnerability-let-malicious.html

A threat group known as SloppyLemming used Rust malware for the first time in attacks on Pakistani and Bangladeshi government and infrastructure networks.

Arctic Wolf links the activity to spear-phishing, ClickOnce abuse, and a BurrowShell implant that masks traffic as Windows Update.

🔗 Details → https://thehackernews.com/2026/03/sloppylemming-targets-pakistan-and.html

⚠️ Google says CVE-2026-21385 is being exploited in the wild.

The high-severity flaw affects a Qualcomm graphics component in Android and involves a buffer over-read caused by an integer overflow. Activity appears limited and targeted.

🔗 Details → https://thehackernews.com/2026/03/google-confirms-cve-2026-21385-in.html

AI is being sold as the fix for lean security teams. The reality is more nuanced.

Small teams face rising threats and limited staff. AI can improve detection and triage, but it also demands integration, tuning, and oversight. Many tools add noise instead of clarity.

For lean teams, the question is outcomes, not AI labels.

🔗 Inside: build vs MDR tradeoffs and Forrester’s findings → https://thehackernews.com/expert-insights/2026/03/ai-in-cybersecurity-is-it-worth-effort.html

⚠️ A new phishing wave uses malicious OAuth apps to bypass email and browser defenses, #Microsoft warns.

Victims click links tied to fake app scopes, get redirected through legitimate identity providers, and end up downloading ZIP files that trigger PowerShell, MSI installs, and DLL sideloading.

🔗 Read → https://thehackernews.com/2026/03/microsoft-warns-oauth-redirect-abuse.html

🚨 A new phishing suite called "Starkiller" proxies real login pages to bypass MFA.

It runs headless Chrome in Docker, loads the legitimate site, and relays everything live. Keystrokes and session tokens pass through attacker infrastructure, enabling account takeover.

🔗 How the AitM setup works → https://thehackernews.com/2026/03/starkiller-phishing-suite-uses-aitm.html

Nearly 70% of enterprises already run AI agents in production, but governance isn’t keeping pace.

MCP-based agents can access apps, reuse tokens, and execute workflows without fitting into normal IAM lifecycles. That leaves stale credentials, over-scoped access, and weak audit trails.

Gartner calls for supervisory guardrails.

🔗 Where AI becomes identity risk → https://thehackernews.com/2026/03/ai-agents-next-wave-identity-dark.html

⚠️ 600+ FortiGate devices breached in an AI-assisted campaign.

Team Cymru traced it to #CyberStrikeAI, an open-source Go tool bundling 100+ security utilities, run from 21 IPs across Asia and beyond.

The maintainer shows ties to #China’s vulnerability ecosystem.

🔗 Details → https://thehackernews.com/2026/03/open-source-cyberstrikeai-deployed-in.html

Threat actors deployed modified Havoc C2 after posing as IT support.

They spam-bombed targets, called them directly to gain remote access, sent victims to a fake Outlook “anti-spam” page to steal credentials, then used DLL sideloading and legit RMM tools to move to nine endpoints in 11 hours.

🔗 Read → https://thehackernews.com/2026/03/fake-tech-support-spam-deploys.html

🛑 A command-injection bug in VMware Aria Operations is now in CISA’s KEV catalog.

The flaw — CVE-2026-22719 (CVSS 8.1) — could let unauthenticated attackers run arbitrary commands during migration workflows.

🔗 Details → https://thehackernews.com/2026/03/cisa-adds-actively-exploited-vmware.html

🐉 Silver Dragon APT is breaching government networks in Europe and Southeast Asia via server exploits and phishing.

Researchers link the activity to the APT41 ecosystem, using BamboLoader and DNS tunneling to maintain covert access.

🔗 Read → https://thehackernews.com/2026/03/apt41-linked-silver-dragon-targets.html

AI in the SOC is shifting from alert triage to full investigations, writes Jon Hencinski of Prophet Security.

In one case, an AI system ran 265 queries across 6 data sources to confirm a compromised AWS credential used for cloud reconnaissance—work normally done by senior analysts.

🔗 How the investigation reconstructed the attack → https://thehackernews.com/expert-insights/2026/03/ai-soc-investigation-has-moved-beyond.html

🖥️ Malicious Packagist packages posing as Laravel helpers install a remote access trojan.

The malware connects to a C2 server, runs shell commands, uploads files, captures screenshots, and retries every 15 seconds to stay persistent.

🔗 Malware behavior and package names → https://thehackernews.com/2026/03/fake-laravel-packages-on-packagist.html