GlassWorm now delivers a multi-stage malware chain via malicious packages and hijacked accounts.

It hides C2 in Solana memos, installs a fake Google Docs Chrome extension, and steals cookies, sessions, and crypto wallet data, with added hardware wallet phishing.

🔗 Read → https://thehackernews.com/2026/03/glassworm-malware-uses-solana-dead.html

A state-backed actor used an AI agent to run cyber ops, with 80–90% handled autonomously.

Compromise an AI agent already inside your environment, and the kill chain disappears. It already has access, permissions, and normal data flows—so activity looks legitimate.

🔗 How AI agents bypass traditional detection models → https://thehackernews.com/2026/03/the-kill-chain-is-obsolete-when-your-ai.html

⚠️ Russia has arrested the alleged admin of LeakBase, a major cybercrime forum.

147,000+ users traded stolen data including credentials, bank info, and corporate records used for fraud and account takeovers.

Authorities say user accounts, messages, and IP logs have been seized.

🔗 Read → https://thehackernews.com/2026/03/leakbase-admin-arrested-in-russia-over.html

⚠️ A new Magento skimmer uses WebRTC data channels instead of HTTP to steal payment data.

It pulls payloads and exfiltrates card details over encrypted UDP, bypassing CSP and staying invisible to most monitoring tools.

Attacks are exploiting the PolyShell RCE flaw at scale.

🔗 Read → https://thehackernews.com/2026/03/webrtc-skimmer-bypasses-csp-to-steal.html

⚡ WEBINAR — Your dashboard says “all good.” Attackers see gaps.

Stop guessing. Learn to validate your defenses against real attacks as experts demonstrate testing with real threat behavior to uncover gaps and prove what works.

🔗 See how it works → https://thehackernews.com/2026/03/webinar-stop-guessing-learn-to-validate.html

ThreatsDay Bulletin: quick hits from a very busy week...

🔐 PQC push
🤖 AI bug finds
💿 Pirated backdoors
🧩 Wallet drainer
📱 Firmware backdoor
🎣 Phish kits rebound
📅 RMM via invites
🧠 Fileless stealer
📦 npm key theft
📊 Ranking bug abuse
🖥️ MSSQL scanner
📄 Forms malware
💬 Web3 RAT lures
☎️ Cloud fraud phones
🌐 IIS outdated
📷 CCTV abuse
🔀 TDS scams
💻 PS ransomware
🕵️ NK op exposed
🧬 Polyfill link
⚖️ Case dismissed
🔓 Password powers
📱 Android RAT

🔗 Full roundup → https://thehackernews.com/2026/03/threatsday-bulletin-pqc-push-ai-vuln.html

🚨 Coruna turns a 2023 #iOS espionage exploit into a broader attack kit.

Kaspersky confirms it reuses and evolves the Triangulation kernel exploit, now updated for newer chips and iOS versions and still actively maintained.

Now bundled into 23 exploits across 5 chains and used beyond targeted ops, it shows #iPhone exploitation is scaling.

🔗 How Coruna evolved and is being deployed → https://thehackernews.com/2026/03/coruna-ios-kit-reuses-2023.html

Learn to Secure Containers | Free Certification.

Transform your team into experts in practical container security. This free, self-paced course covers everything from selecting secure base images and scanning for vulnerabilities to protecting your production environment.

Complete the course to earn a shareable certification badge.

Start Free Course: https://thn.news/container-security-academy

⚠️ A flaw in Claude’s Chrome extension let attackers inject prompts by just visiting a page.

No clicks. A hidden iframe + XSS chain made the extension treat attacker input as real user commands, enabling data theft and actions like sending emails.

🔗 How the silent prompt injection worked → https://thehackernews.com/2026/03/claude-extension-flaw-enabled-zero.html

🛑 A China-linked group has embedded kernel-level sleeper implants in telecom networks since 2021.

Its BPFDoor backdoor runs inside the OS, triggers via crafted packets, and enables long-term monitoring of government networks and users.

🔗 Read → https://thehackernews.com/2026/03/china-linked-red-menshen-uses-stealthy.html

A flaw in ClawHub let attackers fake download counts to rank #1.

An exposed backend function had no auth or limits, allowing anyone to inflate downloads and push malicious skills to the top—creating false trust and enabling code execution at scale.

🔗 How attackers manipulated ClawHub rankings and spread malicious skills → https://thehackernews.com/2026/03/threatsday-bulletin-pqc-push-ai-vuln.html#bug-lets-attackers-fake-rankings

⚠️ Three flaws in LangChain and LangGraph expose files, secrets, and chat history.

Path traversal, unsafe deserialization, and SQL injection create separate paths to access sensitive data in enterprise AI apps.

🔗 Full breakdown of each CVE and impact → https://thehackernews.com/2026/03/langchain-langgraph-flaws-expose-files.html

🚨 A pro-Ukraine group has carried out 70+ cyberattacks on Russian firms since 2025.

Bearlyfy mixes extortion and sabotage, shifting from small companies to large enterprises with six-figure demands. It now uses custom GenieLocker ransomware.

🔗 Read → https://thehackernews.com/2026/03/bearlyfy-hits-70-russian-firms-with.html

Attackers are hijacking TikTok for Business accounts using AitM phishing pages.

Fake login flows use Cloudflare Turnstile to evade detection, then steal credentials for account takeover and malvertising.

🔗 Full breakdown of the TikTok phishing chain → https://thehackernews.com/2026/03/aitm-phishing-targets-tiktok-business.html

🛑 Open VSX flaw let attackers publish malicious VS Code extensions by bypassing scans.

Single boolean bug treated scan failures as “nothing to scan,” so extensions passed under load and went live.

🔗 How scan failures were misread and checks skipped → https://thehackernews.com/2026/03/open-vsx-bug-let-malicious-vs-code.html

Cybersecurity is now tied to geopolitics.

State-backed cyber operations target telecoms, infrastructure, and governments, while hacktivist groups increasingly align with national interests.

🔗 How cyber conflict is reshaping global security → https://thehackernews.com/2026/03/we-are-at-war.html

🚨 A supply chain attack hit the telnyx Python package—versions 4.87.1 and 4.87.2 were backdoored to steal credentials.

Malware hidden in .WAV files runs on import, exfiltrates data, persists on Windows, and runs fileless on Linux/macOS before deleting traces.

🔗 Read → https://thehackernews.com/2026/03/teampcp-pushes-malicious-telnyx.html

🛑 Apple is sending #iPhone Lock Screen alerts warning users about active web-based attacks targeting outdated iOS.

Coruna and DarkSword exploit kits target older iOS via compromised sites, expanding risk beyond targeted attacks.

🔗 Read → https://thehackernews.com/2026/03/apple-sends-lock-screen-alerts-to.html

🛑 Russian-linked TA446 is using DarkSword iOS exploit kit in targeted phishing emails.

Spoofed “discussion invites” trigger exploits only on iPhones and deliver GHOSTBLADE malware, expanding from credential theft to device compromise across government, academia, and policy targets.

🔗 How DarkSword is used in these attacks → https://thehackernews.com/2026/03/ta446-deploys-leaked-darksword-ios.html

⚠️ CISA flagged active exploitation of an F5 BIG-IP APM flaw.CVE-2025-53521 (CVSS 9.3) enables RCE, reclassified from DoS after new findings.

Exploitation is confirmed in the wild, with a federal patch deadline set.

🔗 Read → https://thehackernews.com/2026/03/cisa-adds-cve-2025-53521-to-kev-after.html

🚨 Attackers are probing Citrix NetScaler for CVE-2026-3055 (CVSS 9.3).

Honeypots show requests to /cgi/GetAuthMethods to identify SAML IdP setups, which are required for exploitation.

🔗 How attackers are mapping vulnerable NetScaler targets → https://thehackernews.com/2026/03/citrix-netscaler-under-active-recon-for.html