The Hacker News
⭐ Official THN Telegram Channel — A trusted, widely read, independent source for breaking news and tech coverage about cybersecurity and hacking.

📨 Contact: admin@thehackernews.com

🌐 Website: https://thehackernews.com
⚠️ North Korea’s Contagious Interview campaign now uses malicious VS Code projects to deploy StoatWaffle.

Opening the folder can auto-run tasks.json, install Node.js if missing, and fetch stealer or RAT payloads on developer systems.

🔗 Read → https://thehackernews.com/2026/03/north-korean-hackers-abuse-vs-code-auto.html
⚠️ Citrix patched a critical NetScaler flaw (CVSS 9.3) enabling unauthenticated memory leaks.

The issue exposes sensitive appliance data when SAML IDP is enabled, alongside a second bug that can mix user sessions in gateway or AAA setups.

🔗 Read → https://thehackernews.com/2026/03/citrix-urges-patching-critical.html
🛑 A Russian access broker was sentenced to 81 months in U.S. prison for fueling ransomware attacks.

He sold network access to groups like Yanluowang, enabling dozens of intrusions and over $9M in confirmed losses across U.S. organizations.

🔗 Read → https://thehackernews.com/2026/03/us-sentences-russian-hacker-to-675.html
Telegram blocked 43M+ channels in 2025, yet threat actors stayed.

Yochai Corem shows they adapted—rebuilding in days, gating access, and shifting sensitive comms off-platform while keeping Telegram for scale.

🔗 How criminals evolved despite Telegram’s crackdown → https://thehackernews.com/expert-insights/2026/03/telegrams-crackdown-changed-how-threat.html
🚨 TeamPCP expanded its supply chain attack to Checkmarx GitHub Actions, deploying the same CI credential stealer used in the Trivy breach.

Stolen tokens are reused to push malicious commits into other repos, enabling a cascading compromise across CI workflows.

🔗 Read → https://thehackernews.com/2026/03/teampcp-hacks-checkmarx-github-actions.html
ActiveState Curated Catalog: Secure Open Source Built From Source.

Introducing the ActiveState Curated Catalog: a vetted source of truth for open-source. Instead of pulling from public registries, your team accesses a private catalog of rebuilt-from-source packages to ensure security and compliance from the start.

Start Free Course: https://thn.news/ai-code-catalogs
Security teams are using more tools—but still struggling to prioritize real risk.

Focus is shifting to exposure validation and business impact, not just alerts and scans, as highlighted at Gartner’s first event.

🔗 5 key learnings shaping modern security → https://thehackernews.com/2026/03/5-learnings-from-first-ever-gartner.html
⚠️ ALERT: Fake resumes are infecting enterprise systems and the full attack runs in ~25 seconds.

Obfuscated VBScript deploys credential stealers and a Monero miner, using Dropbox, #WordPress C2, and SMTP for exfiltration. It selectively targets domain-joined machines.

🔗 Read → https://thehackernews.com/2026/03/hackers-use-fake-resumes-to-steal.html
⚡ Cybersecurity tools improved, but teams still struggle with basics.

Missing understanding of their own systems leads to wrong priorities, poor tool choices, and weak risk focus. More tools do not fix this.

🔗 Why security still breaks without strong foundations → https://thehackernews.com/2026/03/the-hidden-cost-of-cybersecurity.html
🚨 A malvertising campaign uses tax searches to deliver kernel-level EDR killers via rogue ScreenConnect installers.

Cloaking hides payloads; a signed Huawei driver is abused via BYOVD to disable Defender, Kaspersky, and SentinelOne before credential theft and lateral movement.

🔗 Read → https://thehackernews.com/2026/03/tax-search-ads-deliver-screenconnect.html
🚨 Attackers are abusing npm and GitHub to deliver malware disguised as dev tools.

Sudo password phishing during install triggers a multi-stage chain that deploys a RAT, stealing crypto wallets, credentials, SSH keys, and tokens.

🔗 Read → https://thehackernews.com/2026/03/ghost-campaign-uses-7-npm-packages-to.html
🛑 Malicious LiteLLM versions 1.82.7–1.82.8 deploy credential theft, Kubernetes lateral movement, and a persistent backdoor.

Linked to the Trivy CI/CD compromise, the payload runs on import or via .pth at Python startup, spreads across nodes, and installs a systemd service.

🔗 Full story → https://thehackernews.com/2026/03/teampcp-backdoors-litellm-versions.html
🔥 The FCC is banning new foreign-made consumer routers from U.S. markets over security risks.

Officials say these devices expose supply chain weaknesses and have been used in espionage and attacks on critical infrastructure.

🔗 Read → https://thehackernews.com/2026/03/fcc-bans-new-foreign-made-routers-over.html
Universities run complex identity systems.

As Robert Kraczek (@OneIdentity) explains, high turnover and hybrid AD + Entra ID gaps leave orphaned accounts and excess access that attackers exploit.

🔗 Where higher ed identity security breaks down → https://thehackernews.com/expert-insights/2026/03/why-institutions-of-higher-education.html
🛑 A device code phishing campaign is hitting 340+ Microsoft 365 orgs using OAuth abuse.

Victims enter codes on real Microsoft pages, generating access and refresh tokens attackers reuse—even after password resets.

🔗 Read → https://thehackernews.com/2026/03/device-code-phishing-hits-340-microsoft.html
⚡ A Russian botnet operator tied to #ransomware attacks on U.S. firms has been sentenced.

2 years prison + $100K fine for co-running TA551, which sold access to hacked systems used by gangs like BitPaymer, leading to $14M+ in extortion.

🔗 How TA551 enabled ransomware attacks on 70+ companies → https://thehackernews.com/2026/03/russian-hacker-sentenced-to-2-years-for.html
✨ GRC Insights from Harvard Business Review.

Manual oversight can’t keep pace with today’s risk environment. Learn how organizations are using AI to connect GRC across the enterprise.

In this Harvard Business Review Analytic Services report, explore how AI is transforming GRC.

Read The Resilient Enterprise: Using AI to Connect Governance, Risk, and Compliance to explore:

• How connected platforms replace fragmented risk processes
• The role of artificial risk intelligence in proactive GRC
• How to scale AI responsibly across the enterprise

Get your copy: https://thn.news/resilient-ai-governance
👾 Breaches now start in the browser — Attackers exploit legit functionality, dump data, and demand ransom. Get Push Security’s 2026 Browser Attacks Report to see what teams can do. 🔗 https://thn.news/browser-push-2026-t
GlassWorm now delivers a multi-stage malware chain via malicious packages and hijacked accounts.

It hides C2 in Solana memos, installs a fake Google Docs Chrome extension, and steals cookies, sessions, and crypto wallet data, with added hardware wallet phishing.

🔗 Read → https://thehackernews.com/2026/03/glassworm-malware-uses-solana-dead.html
A state-backed actor used an AI agent to run cyber ops, with 80–90% handled autonomously.

Compromise an AI agent already inside your environment, and the kill chain disappears. It already has access, permissions, and normal data flows—so activity looks legitimate.

🔗 How AI agents bypass traditional detection models → https://thehackernews.com/2026/03/the-kill-chain-is-obsolete-when-your-ai.html
⚠️ Russia has arrested the alleged admin of LeakBase, a major cybercrime forum.

147,000+ users traded stolen data including credentials, bank info, and corporate records used for fraud and account takeovers.

Authorities say user accounts, messages, and IP logs have been seized.

🔗 Read → https://thehackernews.com/2026/03/leakbase-admin-arrested-in-russia-over.html