The Hacker News
163K subscribers
2.8K photos
18 videos
4 files
8.73K links
โญ Official THN Telegram Channel โ€” A trusted, widely read, independent source for breaking news and tech coverage about cybersecurity and hacking.

📨 Contact: admin@thehackernews.com

๐ŸŒ Website: https://thehackernews.com
AI comes with potential risks and vulnerabilities, but you can protect your workers and your organization. One of the best places to start is with a comprehensive AI usage policy.

This template provides:

✅ A definition of artificial intelligence
✅ A breakdown of acceptable and prohibited AI use
✅ Customizable guidelines for training, human oversight, accountability, and amendments

🔗 Get your AI employee usage policy template → https://thn.news/ai-policy-guide
โš ๏ธ Amazon says Interlock #ransomware exploited a Cisco firewall flaw rated 10.0 CVSS as a zero-day weeks before disclosure.

Attackers gained root access via insecure deserialization, then deployed RATs, proxies, and persistence tools.

🔗 Read → https://thehackernews.com/2026/03/interlock-ransomware-exploits-cisco-fmc.html
North Korean operatives used AI-powered fake identities to land remote IT jobs at global firms and redirect salaries to state programs, per U.S. sanctions.

Tools like Faceswap, VPN tunneling, and crypto laundering helped sustain access and evade detection over time.

🔗 Read → https://thehackernews.com/2026/03/ofac-sanctions-dprk-it-worker-network.html
โš ๏ธ CISA flags active exploitation across Zimbra and SharePoint, with federal patch deadlines now in motion.

One flaw enables remote code execution. The other turns email rendering into an attack vector.

In parallel, a Cisco zero-day was used weeks before disclosure—showing how fast attackers are moving.

🔗 Read → https://thehackernews.com/2026/03/cisa-warns-of-zimbra-sharepoint-flaw.html
🛑 Shai-Hulud 2.0 ran code before security scans, quietly breaking CI/CD at the source.

As Jonny Rivera from ActiveState explains, it stole cloud credentials and turned GitHub runners into attacker-controlled botnets—long before detection kicked in.

Fix: control what enters the pipeline.

🔗 How curated catalogs stop pre-install attacks → https://thehackernews.com/expert-insights/2026/03/the-curated-catalog-biggest-defense.html
๐Ÿ‘6๐Ÿ”ฅ3
🚨 WARNING - A new #iOS exploit kit, DarkSword, has been active since late 2025 across multiple threat groups.

It targets #iPhone on iOS 18.4–18.7, chaining zero-days to gain full access and rapidly extract data—files, messages, credentials, and crypto wallets—then wipe traces within minutes.

🔗 DarkSword details here → https://thehackernews.com/2026/03/darksword-ios-exploit-kit-uses-6-flaws.html
๐Ÿ˜15๐Ÿ”ฅ7๐Ÿค”6๐Ÿ‘4
⚡ Claude Code runs with full user permissions, acting before security tools can see it.

Files, commands, data—executed with no real audit trail. Learn how Ceros enforces runtime controls and logs every action with identity.

🔗 Tool execution trails and MCP risks explained → https://thehackernews.com/2026/03/how-ceros-gives-security-teams.html
🛑 Perseus, a new #Android malware, enables full device takeover via Accessibility abuse. It runs live remote sessions, steals banking credentials, and scans notes apps for sensitive data.

It spreads through IPTV-style apps delivered via phishing and sideloading.

🔗 Read → https://thehackernews.com/2026/03/new-perseus-android-banking-malware.html
๐Ÿ˜13๐Ÿ”ฅ8๐Ÿคฏ6๐Ÿ‘1
⚡ 25,000 U.S. businesses already use macOS, and the number keeps growing. Yet macOS threats are still flying under the radar for most security teams.

Attackers know this. 👀 And they're quietly adding more cross-platform threats to take advantage of it, targeting sensitive data.

That's exactly why #ANYRUN just levelled up. The sandbox now supports #macOS alongside #Windows, #Linux, and #Android — one unified place, full visibility, faster verdicts.

👉 Close the gap before it becomes a costly one: https://thn.news/mac-threat-analysis
This week in ThreatsDay Bulletin… it’s the quiet stuff you shouldn’t ignore 👇

🔓 FortiGate RaaS
⚙️ ITSM → RCE
🦠 New C2 malware
🔗 Deep link exec
📡 Citrix spikes
💬 Teams → access
🎣 ClickFix backdoor
🎮 Game-borne stealers
💳 Live chat phishing
🌍 Expanding APT ops
🤖 1.75M bad apps blocked
🔐 28M+ secrets leaked

Read before you miss something important → https://thehackernews.com/2026/03/threatsday-bulletin-fortigate-raas.html
๐Ÿ‘4๐Ÿค”2
⚡ WEBINAR: Security spend is rising. Breaches aren’t slowing. The gap: proof that your defenses actually work.

Continuous validation tests controls against real attacker behavior. Automate CTI-driven testing. Feed results into SOC workflows.

🔗 Live demo + practical setup → https://thehacker.news/automate-testing-security-posture
🔥 54 EDR killers now use BYOVD, abusing 34 signed drivers to reach kernel access.

Ransomware operators deploy them first to disable defenses, not to evade detection inside the encryptor. Evasion has moved out—into dedicated tools built to break EDR reliably.

🔗 Tools, tactics, and defensive gaps explained → https://thehackernews.com/2026/03/54-edr-killers-use-byovd-to-exploit-34.html
Speagle malware is abusing Cobra DocGuard to quietly steal data. It sends exfiltration through a legitimate DocGuard server, blending into normal traffic and avoiding detection.

It only runs on systems with DocGuard installed, signaling targeted espionage activity.

🔗 How it hides, steals, and wipes traces → https://thehackernews.com/2026/03/speagle-malware-hijacks-cobra-docguard.html
โš ๏ธ WARNING - Apple warns outdated iPhones are now exposed to mass-scale exploit kits like Coruna and DarkSword.

Compromised websites can silently trigger infections and steal sensitive data from unpatched devices.

🔗 Read → https://thehackernews.com/2026/03/apple-warns-older-iphones-vulnerable-to.html
๐Ÿ˜19๐Ÿค”6๐Ÿ‘4๐Ÿ‘1
🛑 The U.S. disrupted IoT botnets behind record DDoS attacks, including a 31.4 Tbps spike in seconds.

These networks hijacked millions of TVs, routers, and cameras, then sold that power for attacks and extortion.

🔗 Learn more → https://thehackernews.com/2026/03/doj-disrupts-3-million-device-iot.html
๐Ÿ˜10โšก3๐Ÿค”3๐Ÿ‘1๐Ÿ”ฅ1
⚡ Google is adding a 24-hour delay for installing #Android apps from unverified developers.

Users must enable developer mode, reboot, and confirm again after a day. This is meant to stop #malware and scams that trick users into disabling Play Protect or giving access.

🔗 Details here → https://thehackernews.com/2026/03/google-adds-24-hour-wait-for-unverified.html
๐Ÿ‘23๐Ÿค”10๐Ÿคฏ5โšก2๐Ÿ˜ฑ2๐Ÿ‘1
โš ๏ธ A critical Magento flaw lets attackers upload files without login and take over stores.

The issue, PolyShell, uses the REST API to upload hidden malicious files as images. This can lead to remote code execution or stored XSS.

No fix for current versions yet.

🔗 Read → https://thehackernews.com/2026/03/magento-polyshell-flaw-enables.html
AI is making cyber attacks look normal. Phishing and malware now act like real users, not obvious threats.

That breaks rule-based and signature defenses. Attackers use valid logins and stay within limits. Security now shifts to identity and real-time context.

🔗 How AI attacks bypass detection and what replaces it → https://thehackernews.com/2026/03/the-importance-of-behavioral-analytics.html
๐Ÿ‘12๐Ÿค”3
โš ๏ธ Langflow CVE-2026-33017 was exploited in 20 hours of disclosure.

An exposed API runs attacker-supplied Python with no auth, enabling full server takeover. Real attacks show credential theft, file access, and staged payload delivery.

🔗 Read → https://thehackernews.com/2026/03/critical-langflow-flaw-cve-2026-33017.html
CursorJack abuses cursor:// links to trigger arbitrary command execution via MCP installs with executable configs.

One click plus user approval can run local commands or link to a malicious server.

🔗 Deep link abuse flow, MCP risk, and PoC details → https://thehackernews.com/2026/03/threatsday-bulletin-fortigate-raas.html#deep-link-abuse-enables-command-execution
🛑 ALERT - Trivy, a popular open-source vulnerability scanner, was compromised after attackers hijacked 75 version tags in #GitHub Actions to deliver an infostealer.

It ran in CI pipelines, stealing creds and tokens, then exfiltrating data or staging it via stolen GitHub PATs.

🔗 Attack flow, impacted versions, fixes → https://thehackernews.com/2026/03/trivy-security-scanner-github-actions.html