Arctic Wolf has confirmed active exploitation of a maximum-severity authentication bypass flaw in Quest KACE Systems Management Appliance. Beginning the week of March 9, attackers are using CVE-2025-32975 — a CVSS 10.0 vulnerability — to impersonate users without credentials, seize administrative accounts, and execute remote commands that drop Base64-encoded payloads, including Mimikatz for credential harvesting. Quest patched the flaw in May 2025, but unpatched internet-facing appliances remain at immediate risk. Organizations should patch immediately and restrict internet exposure of SMA systems.
Threat actor TeamPCP force-pushed 75 tags in Aqua Security's Trivy GitHub Action and 7 setup-trivy tags, injecting credential-stealing malware into CI/CD pipelines. The payload dumps Runner.Worker memory for secrets, sweeps for SSH keys, cloud credentials, and Kubernetes tokens, then exfiltrates data via a Cloudflare Tunnel to a typosquatted domain. Checkmarx's ast-github-action and kics-github-action were subsequently compromised using stolen credentials. Tracked as CVE-2026-33634 (CVSS 9.4).
Citrix released patches for CVE-2026-3055 (CVSS 9.3), an out-of-bounds read that allows unauthenticated remote attackers to extract sensitive information from appliance memory. Only appliances configured as a SAML Identity Provider are affected; default configurations are not vulnerable. A second flaw, CVE-2026-4368 (CVSS 7.7), causes user sessions to be mixed up under race conditions.
The FBI issued a warning that Iranian-linked threat groups including Handala are abusing Telegram as command-and-control infrastructure to deliver Windows malware targeting journalists, dissidents, and political opponents. Attacks have included Intune-based remote device wipes, rendering victims' devices inoperable. The advisory urges organizations to restrict Telegram on managed endpoints.
Attackers compromised legitimate npm publisher credentials to republish over 29 packages under the @emilgroup namespace and @teale.io/eslint-config with malicious payloads. Altered releases install a Linux backdoor through systemd user services and use an Internet Computer canister as a rotating channel for follow-on payload delivery, making takedowns difficult.
Medical technology company Stryker continues recovery after a cyberattack attributed to pro-Iranian actors who gained access via a compromised Intune admin account, triggering remote wipes across roughly 80,000 devices. Up to 50TB of data may have been exfiltrated in the incident. The attack highlights the danger of management-plane tools such as MDM platforms and Intune as high-value targets.
In a major coordinated action, INTERPOL and partners across 72 countries seized infrastructure behind phishing, malware, and ransomware ecosystems, taking down over 45,000 malicious IPs and servers and arresting 94 individuals. The scale of the takedown signals that criminal cyber infrastructure has reached industrial levels of specialization and automation.
An ongoing defacement campaign active since February 27 has compromised roughly 15,000 hostnames across 7,500 Magento domains. High-profile victims include Toyota, ASUS, FedEx, Yamaha, and Lindt, as well as regional governments and universities. Attackers exploit an unauthenticated file upload path in exposed Magento environments to deploy plaintext defacement files.
A newly identified .NET loader dubbed SILENTCONNECT, active since March 2025, uses phishing lures disguised as meeting invitations to deliver ScreenConnect RMM software. The chain downloads C# source from Google Drive, compiles and executes it in memory via PowerShell, adds a Windows Defender exclusion, and bypasses UAC via the CMSTPLUA COM interface. It uses PEB masquerading to impersonate winhlp32.exe to evade detection.
A critical operational security failure exposed the C2 infrastructure of APT28 (FancyBear), leaking 2,800+ exfiltrated government and military emails, 240+ credential and TOTP sets, and over 11,500 harvested contacts spanning Ukraine, Romania, Bulgaria, Greece, and Serbia. The exposure provides rare intelligence into the scale of Russian state-sponsored espionage campaigns targeting Eastern European nations.
A joint FBI/CISA advisory warns that Russian intelligence actors are conducting campaigns to hijack commercial messaging apps — particularly Signal — to take over accounts, monitor communications in real time, and enable further targeted phishing. The advisory urges users to verify linked devices in Signal settings and enable registration lock features immediately.
The World Economic Forum's Global Cybersecurity Outlook 2026, based on data from 800 global leaders, finds that while AI security assessments before deployment have nearly doubled (37% to 64%), 87% of respondents flag AI-related vulnerabilities as the fastest-growing cyber threat category. The report highlights widening "cyber equity" gaps, geopolitical fragmentation, and diverging risk priorities between CEOs (fraud/phishing) and CISOs (ransomware).
International authorities seized infrastructure behind four IoT botnets — Aisuru, Kimwolf, JackSkid, and Mossad — which collectively compromised over three million devices and were responsible for record-breaking DDoS attacks. The coordinated takedown marks a significant blow to the for-hire DDoS ecosystem, though operators are likely to reconstitute using fresh infrastructure.