🛑 A Russian-linked toolkit is spreading through fake Windows shortcut files disguised as private key folders.

CTRL hides activity through RDP tunnels and local pipes, avoiding standard C2 traffic and reducing network detection signals.

🔗 Read → https://thehackernews.com/2026/03/russian-ctrl-toolkit-delivered-via.html

GitGuardian found 29M leaked secrets in 2025, up 34%—the largest jump on record.

AI services and internal systems drive exposure, while 64% of 2022 leaks remain valid; detection isn’t the issue, remediation & ownership are.

🔗 Where secrets leak & why they stay exploitable → https://thehackernews.com/2026/03/the-state-of-secrets-sprawl-2026-9.html

This week in cybersecurity...

📡 Telecom backbone backdoored
📬 FBI director's inbox owned
⛓️ Botnet hiding in blockchain
🦠 Chrome extension = infostealer
🖱️ ClickFix hits macOS
🚫 Foreign routers banned
👮 RedLine operator extradited
💸 BEC fraudster gets 7 years
📷 Deepfake-proof sensor developed
📋 30+ CVEs, some live in the wild

Full recap is live 👇 https://thehackernews.com/2026/03/weekly-recap-telecom-sleeper-cells-llm.html

📣 Nudge Security has added AI Agent Discovery to help teams manage shadow AI risks.

Employees are rapidly creating AI agents that connect to critical systems with broad permissions—often without visibility. These agents can persist even after creators leave.

Nudge Security helps by:
👉 Discovering agents across platforms like Copilot Studio, Salesforce, and more
👉 Mapping ownership, permissions, and integrations
👉 Identifying risks like exposed access, hardcoded credentials, and orphaned agents
👉 Enforcing guardrails to validate and secure usage

AI Agent Discovery is in research preview. Start a free trial to access it: https://thn.news/ai-discovery-tool

⚠️ A new malware loader is using fake “fix” prompts to trick users into running PowerShell commands.

DeepLoad runs inside legitimate Windows processes and begins stealing browser credentials and sessions early in the attack.

🔗 Read → https://thehackernews.com/2026/03/deepload-malware-uses-clickfix-and-wmi.html

Most Tier 1 delays start before the threat is even understood.

Tool switching and static triage slow investigations and hide real behavior. Unified workflows and behavior-first analysis reduce friction, speed validation, and cut unnecessary escalations.

🔗 How SOC teams cut delays at Tier 1 → https://thehackernews.com/2026/03/3-soc-process-fixes-that-unlock-tier-1.html

🛑 Two OpenAI flaws showed how AI systems can expose sensitive data.

🔸 One allowed silent leaks via a DNS side channel in ChatGPT
🔸 Another enabled GitHub token theft via Codex injection

🔗 What these vulnerabilities exposed about AI security → https://thehackernews.com/2026/03/openai-patches-chatgpt-data.html

⚡ WARNING - Axios npm (83M weekly downloads) was compromised, turning installs into a malware delivery path.

Versions 1.14.1 and 0.30.4 pulled a fake dependency that dropped a cross-platform RAT, then erased evidence. Published using stolen maintainer credentials.

🔗 What happened and how the attack worked → https://thehackernews.com/2026/03/axios-supply-chain-attack-pushes-cross.html

Most AppSec teams say they fix critical bugs. Data shows otherwise.

In Semgrep's report, Braden Riggs finds top teams fix 63% of critical issues, while most fix just 13%. Same tools and alerts—the gap is execution, not detection.

🔗 What 50k repos reveal about real vulnerability fixes → https://thehackernews.com/expert-insights/2026/03/which-code-vulnerabilities-actually-get.html

Silver Fox is spreading AtlasCross RAT via fake Zoom, Signal, and Teams sites.

Signed installers from typo domains bypass checks, disable security tools, and run the RAT in memory for remote access and data theft across Asia.

🔗 Full details → https://thehackernews.com/2026/03/silver-fox-expands-asia-cyber-campaign.html

⚠️ A flaw in Google Cloud Vertex AI could expose sensitive data across projects.

Default service agent permissions allow attackers to steal credentials from AI agents, access storage buckets, and move inside cloud environments.

🔗 Details here → https://thehackernews.com/2026/03/vertex-ai-vulnerability-exposes-google.html

AI is shrinking cyberattacks to hours.

Threat actors use AI to automate phishing, find vulnerabilities, and chain exploits faster than human response. Traditional security is too slow.

Defenders are moving to continuous AI-driven testing and fixes.

🔗 Why speed now defines cybersecurity → https://thehackernews.com/2026/03/the-ai-arms-race-why-unified-exposure.html

AI is redefining cyber roles, hiring, and skills.

See where teams are rebuilding and where careers are heading by downloading your copy of 2026 Workforce Research Report.

🔗 Download → https://thn.news/sans-workforce-research

⚠️ A zero-day in TrueConf let attackers spread malware through its own update system.

CVE-2026-3502 (CVSS 7.8) was exploited by compromising on-prem servers, pushing tampered updates to all connected clients in government networks across Southeast Asia.

🔗 How the TrueChaos campaign weaponized software updates → https://thehackernews.com/2026/03/trueconf-zero-day-exploited-in-attacks.html

🔥 Google has opened Android verification to all developers.

Developer verification is now live globally, letting devs confirm identity and register apps ahead of enforcement.

From Sept 30, 2026, only verified apps install in select markets, expanding globally in 2027.

🔗 Timeline and what devs must do next → https://thehackernews.com/2026/03/android-developer-verification-rollout.html

🔥 Anthropic accidentally exposed 512,000 lines of Claude Code via an npm packaging error.

The code reveals internal systems like multi-agent workflows, guardrails, and automation—giving attackers a clear map to study and exploit.

🔗 Read → https://thehackernews.com/2026/04/claude-code-tleaked-via-npm-packaging.html

⚠️ Google links the Axios npm compromise to North Korean group UNC1069.

Attackers hijacked the maintainer account and pushed malicious versions that executed during install via a hidden dependency, deploying a cross-platform backdoor (Windows, macOS, Linux) and then removing traces.

🔗 Read → https://thehackernews.com/2026/04/google-attributes-axios-npm-supply.html

Vulnerability management is shifting from periodic scans to continuous monitoring.

Exploitation can start within hours, making CVSS scores and patch cycles too slow. Teams now need continuous visibility, threat context, and real-time detection to manage actual risk.

🔗 Why proactive vulnerability management is replacing scans → https://thehackernews.com/expert-insights/2026/03/wazuh-for-proactive-vulnerability.html

🛑 Chrome 0-day Warning!

Tracked as CVE-2026-5281, this WebGPU (Dawn) use-after-free bug allows code execution via a crafted page if the renderer is compromised.

It’s the 4th exploited Chrome browser zero-day in 2026.

🔗 Read → https://thehackernews.com/2026/04/new-chrome-zero-day-cve-2026-5281-under.html

Cyberattacks are shifting away from malware.

84% now use built-in tools like PowerShell and WMIC to move inside systems without raising alarms. These actions look normal, making detection harder while excess access creates hidden risk.

🔗 Why attackers now use your own tools → https://thehackernews.com/2026/04/3-reasons-attackers-are-using-your.html

🚨 Microsoft identified a campaign using WhatsApp to deliver malicious VBS files.

The attack renames Windows tools, uses cloud payloads and installs AnyDesk to enable stealthy persistence and remote access while blending into normal activity.

🔗 Read → https://thehackernews.com/2026/04/microsoft-warns-of-whatsapp-delivered.html