Malicious Trivy images (0.69.4–0.69.6) confirm a supply chain breach using a compromised service account token.
Attackers pushed trojanized builds, spread an npm worm, defaced 44 repos in minutes, and deployed Kubernetes wiper payloads.
Read: https://thehackernews.com/2026/03/trivy-hack-spreads-infostealer-via.html
Microsoft says tax-season phishing now deploys RMM tools like ScreenConnect, moving beyond credential theft.
A Feb. 10 campaign hit 29,000+ users across 10,000 orgs, using IRS lures to gain persistent system access.
IRS themes, QR tricks, and full attack chain: https://thehackernews.com/2026/03/microsoft-warns-irs-phishing-hits-29000.html
Biggest security stories this week:
Trivy backdoor → CI/CD worm
4 DDoS botnets down
iOS DarkSword – 6 vulns
Android malware in IPTV apps
Cisco FMC 0-day exploited
Langflow RCE in 20h
FBI buys location data
WhatsApp testing usernames
APT28 toolkit leak
373K domains seized
Phishing hits Pakistan energy
VoidStealer bypasses Chrome ABE
Beast ransomware leak
Malicious npm account hijack
OpenClaw devs crypto phishing
China PQC standards
25+ critical CVEs exploited
Full cybersecurity recap: https://thehackernews.com/2026/03/weekly-recap-cicd-backdoor-fbi-buys.html
XM Cyber mapped 8 AWS Bedrock attack paths targeting permissions and integrations, not the model itself.
One over-privileged identity can redirect logs, hijack agents, poison prompts, and pivot into connected enterprise systems.
The 8 paths from Bedrock access to infrastructure risk: https://thehackernews.com/2026/03/we-found-eight-attack-vectors-inside.html
As AI reshapes the cyber workforce, leaders need clarity and practitioners need direction. Download the 2026 Cybersecurity Workforce Report.
Download: https://thn.news/sans-workforce-2026
North Korea's Contagious Interview campaign now uses malicious VS Code projects to deploy StoatWaffle.
Opening the folder can auto-run tasks.json, install Node.js if missing, and fetch stealer or RAT payloads on developer systems.
Read: https://thehackernews.com/2026/03/north-korean-hackers-abuse-vs-code-auto.html
Citrix patched a critical NetScaler flaw (CVSS 9.3) enabling unauthenticated memory leaks.
The issue exposes sensitive appliance data when SAML IDP is enabled, alongside a second bug that can mix user sessions in gateway or AAA setups.
Read: https://thehackernews.com/2026/03/citrix-urges-patching-critical.html
A Russian access broker was sentenced to 81 months in U.S. prison for fueling ransomware attacks.
He sold network access to groups like Yanluowang, enabling dozens of intrusions and over $9M in confirmed losses across U.S. organizations.
Read: https://thehackernews.com/2026/03/us-sentences-russian-hacker-to-675.html
Telegram blocked 43M+ channels in 2025, yet threat actors stayed.
Yochai Corem shows they adapted: rebuilding in days, gating access, and shifting sensitive comms off-platform while keeping Telegram for scale.
How criminals evolved despite Telegram's crackdown: https://thehackernews.com/expert-insights/2026/03/telegrams-crackdown-changed-how-threat.html
TeamPCP expanded its supply chain attack to Checkmarx GitHub Actions, deploying the same CI credential stealer used in the Trivy breach.
Stolen tokens are reused to push malicious commits into other repos, enabling a cascading compromise across CI workflows.
Read: https://thehackernews.com/2026/03/teampcp-hacks-checkmarx-github-actions.html
ActiveState Curated Catalog: Secure Open Source Built From Source.
Introducing the ActiveState Curated Catalog: a vetted source of truth for open-source. Instead of pulling from public registries, your team accesses a private catalog of rebuilt-from-source packages to ensure security and compliance from the start.
Start Free Course: https://thn.news/ai-code-catalogs
Security teams are using more tools, but still struggling to prioritize real risk.
Focus is shifting to exposure validation and business impact, not just alerts and scans, as highlighted at Gartner's first event.
5 key learnings shaping modern security: https://thehackernews.com/2026/03/5-learnings-from-first-ever-gartner.html
ALERT: Fake resumes are infecting enterprise systems and the full attack runs in ~25 seconds.
Obfuscated VBScript deploys credential stealers and a Monero miner, using Dropbox, WordPress C2, and SMTP for exfiltration. It selectively targets domain-joined machines.
Read: https://thehackernews.com/2026/03/hackers-use-fake-resumes-to-steal.html
Cybersecurity tools improved, but teams still struggle with basics.
A missing understanding of their own systems leads to wrong priorities, poor tool choices, and weak risk focus. More tools do not fix this.
Why security still breaks without strong foundations: https://thehackernews.com/2026/03/the-hidden-cost-of-cybersecurity.html
A malvertising campaign uses tax searches to deliver kernel-level EDR killers via rogue ScreenConnect installers.
Cloaking hides payloads; a signed Huawei driver is abused via BYOVD to disable Defender, Kaspersky, and SentinelOne before credential theft and lateral movement.
Read: https://thehackernews.com/2026/03/tax-search-ads-deliver-screenconnect.html
Attackers are abusing npm and GitHub to deliver malware disguised as dev tools.
Sudo password phishing during install triggers a multi-stage chain that deploys a RAT, stealing crypto wallets, credentials, SSH keys, and tokens.
Read: https://thehackernews.com/2026/03/ghost-campaign-uses-7-npm-packages-to.html
Malicious LiteLLM versions 1.82.7–1.82.8 deploy credential theft, Kubernetes lateral movement, and a persistent backdoor.
Linked to the Trivy CI/CD compromise, the payload runs on import or via .pth at Python startup, spreads across nodes, and installs a systemd service.
Full story: https://thehackernews.com/2026/03/teampcp-backdoors-litellm-versions.html
The FCC is banning new foreign-made consumer routers from U.S. markets over security risks.
Officials say these devices expose supply chain weaknesses and have been used in espionage and attacks on critical infrastructure.
Read: https://thehackernews.com/2026/03/fcc-bans-new-foreign-made-routers-over.html
Universities run complex identity systems.
As Robert Kraczek (@OneIdentity) explains, high turnover and hybrid AD + Entra ID gaps leave orphaned accounts and excess access that attackers exploit.
Where higher ed identity security breaks down: https://thehackernews.com/expert-insights/2026/03/why-institutions-of-higher-education.html
A device code phishing campaign is hitting 340+ Microsoft 365 orgs using OAuth abuse.
Victims enter codes on real Microsoft pages, generating access and refresh tokens attackers reuse, even after password resets.
Read: https://thehackernews.com/2026/03/device-code-phishing-hits-340-microsoft.html