Ravie LakshmananMar 23, 2026Cybersecurity / Hacking

Another week, another reminder that the internet is still a mess. Systems people thought were secure are being broken in simple ways, showing many still ignore basic advisories.

This edition covers a mix of issues: supply chain attacks hitting CI/CD setups, long-abused IoT devices being shut down, and exploits moving quickly from disclosure to real attacks. There are also new malware tricks showing attackers are becoming more patient and creative.

It’s a mix of old problems that never go away and new methods that are harder to detect. There are quiet state-backed activities, exposed data from open directories, growing mobile threats, and a steady stream of zero-days and rushed patches.

Grab a coffee, and at least skim the CVE list. Some of these are the kind you don’t want to discover after the damage is done.

⚡ Threat of the Week

Trivy Vulnerability Scanner Breached in for Supply Chain Attack — Attackers have backdoored the widely used open-source Trivy vulnerability scanner, injecting credential-stealing malware into official releases and GitHub Actions used by thousands of CI/CD workflows. The breach has triggered a cascade of additional supply-chain compromises stemming from impacted projects and organizations not rotating their secrets, resulting in the distribution of a self-propagating worm referred to as CanisterWorm. Trivy, developed by Aqua Security, is one of the most widely used open-source vulnerability scanners, with over 32,000 GitHub stars and more than 100 million Docker Hub downloads. The Trivy compromise is the latest in a growing pattern of attacks targeting GitHub Actions and developers in general. GitHub changed the default behavior of pull_request_target workflows in December 2025 to reduce the risk of exploitation.

🔔 Top News

• DoJ Takes Down DDoS Botnets — A cluster of IoT botnets behind some of the largest DDoS attacks ever recorded — AISURU, Kimwolf, JackSkid, and Mossad — were wiped as part of a broad law enforcement operation. The botnets largely spread across routers, IP cameras, and digital video recorders that are often shipped with weak credentials and rarely patched. Authorities removed the command-and-control servers used to commandeer the infected nodes. Together, operators of the four botnets had amassed more than 3 million devices, which they then sold access to other criminal hackers, who then used them to target victims with DDoS attacks to knock websites and internet services offline or mask other illicit activity. Some of these DDoS attacks were aimed at U.S. Department of Defense systems and other high-value targets. No arrests were announced, but two suspects associated with AISURU/Kimwolf are said to be based in Canada and Germany. All four botnets disrupted by the operation are variants of Mirai, which had its source code leaked in 2016 and has served as the starting point for other botnets. The U.S. Justice Department said some victims of the DDoS attacks lost hundreds of thousands of dollars through remediation expenses or ransom demands from hackers who would only stop overloading websites for a price.
• Google Debuts New Advanced Flow for Sideloading on Android — Google’s advanced flow for Android changes how apps from unverified developers are installed, adding friction to combat scams and malware. The feature is aimed at experienced users and allows sideloading through a one-time setup. The advanced flow adds a 24-hour delay and verification steps intended to disrupt coercive pressure and give users time to make decisions. It’s designed to address scenarios where attackers pressure individuals to install unsafe software and play on the urgency of the operation to push them to bypass security warnings and disable protections before they can pause or seek help.
• Critical Langflow Flaw Comes Under Attack — A critical security flaw impacting Langflow has come under active exploitation within 20 hours of public disclosure, highlighting the speed at which threat actors weaponize newly published vulnerabilities. The security defect, tracked as CVE-2026-33017 (CVSS score: 9.3), is a case of missing authentication combined with code injection that could result in remote code execution. Cloud security firm Sysdig said that the attacks weaponize the vulnerability to steal sensitive data from compromised systems. “The real-world proof is definitive: threat actors exploited it in the wild within 20 hours of the advisory going public, with no public PoC code available,” Aviral Srivastava, who discovered the vulnerability, told The Hacker News. “They built working exploits just from reading the advisory description. That’s the hallmark of trivial exploitation when multiple independent attackers can weaponize a vulnerability from a description alone, within hours.”
• Interlock Ransomware Exploited Cisco FMC Flaw as 0-Day — An Interlock ransomware campaign exploited a critical security flaw in Cisco Secure Firewall Management Center (FMC) Software as a zero-day well over a month before it was publicly disclosed. The vulnerability in question is CVE-2026-20131 (CVSS score: 10.0), a case of insecure deserialization of user-supplied Java byte stream, which could allow an unauthenticated, remote attacker to bypass authentication and execute arbitrary Java code as root on an affected device. “This wasn’t just another vulnerability exploit; Interlock had a zero-day in their hands, giving them a week’s head start to compromise organizations before defenders even knew to look,” Amazon, which spotted the activity, said.
• Yet Another iOS Exploit Kit Comes to Light — A new watering hole attack against iPhone users has been found to deliver a previously undocumented iOS exploit kit codenamed DarkSword. While some of the attacks targeted users in Ukraine, the kit has also been put to use by two other clusters that singled out Saudi Arabian users in November 2025, as well as users in Turkey and Malaysia. It’s worth noting that these exploits would not be effective on devices where Lockdown Mode is active or on the iPhone 17 with Memory Integrity Enforcement (MIE) enabled. The kit used a total of six exploits in iOS to deliver various malware families designed for surveillance and intelligence gathering. Apple has since addressed all of them. “Completely written in JavaScript, DarkSword comprises six vulnerabilities across two exploit chains that were patched in stages ending with iOS 26.3,” iVerify said. “Starting in WebKit and moving down to the kernel, it achieves full iPhone compromise with elegant techniques never publicly seen before.” The discovery of DarkSword makes it the second mass attack targeting iOS devices. What’s more, the Russian threat actor that deployed DarkSword demonstrated poor operational security. They left the full JavaScript code unobfuscated, unprotected, and easily accessible. The findings also point to a secondary market where such exploits are being acquired by threat actors of varied motivations to actively infect unpatched iOS users on a large scale.
• Perseus Banking Malware Targets Android — A newly discovered Android malware is masking itself within television streaming apps in order to steal users’ passwords and banking data and spy on their personal notes, researchers have found. The malware, dubbed Perseus by researchers at ThreatFabric, is being actively distributed in the wild and primarily targets users in Turkey and Italy. To infect devices, attackers disguise the malware inside apps that appear to offer IPTV services — platforms that stream television content over the internet. These apps are also widely used to stream pirated content and are often downloaded outside official marketplaces like Google Play, making users more accustomed to installing them manually and less likely to view the process as suspicious. Once installed, Perseus can monitor nearly everything a user does in real time. It uses overlay attacks — placing fake login screens over legitimate apps — and keylogging capabilities to capture credentials as they are entered. The malware’s most unusual feature is its focus on personal note-taking applications. “Notes often contain sensitive information such as passwords, recovery phrases, financial details, or private thoughts, making them a valuable target for attackers,” ThreatFabric said.

‎️‍🔥 Trending CVEs

New vulnerabilities show up every week, and the window between disclosure and exploitation keeps getting shorter. The flaws below are this week’s most critical — high-severity, widely used software, or already drawing attention from the security community.

Check these first, patch what applies, and don’t wait on the ones marked urgent — CVE-2026-21992 (Oracle), CVE-2026-33017 (Langflow), CVE-2026-32746 (GNU InetUtils telnetd), CVE-2026-32297, CVE-2026-32298 (Angeet ES3 KVM), CVE-2026-3888 (Ubuntu), CVE-2026-20643 (Apple WebKit), CVE-2026-4276 (LibreChat RAG API), CVE-2026-24291 aka RegPwn (Microsoft Windows), CVE-2026-21643 (Fortinet FortiClient), CVE-2026-3864 (Kubernetes), CVE-2026-32635 (Angular), CVE-2026-25769 (Wazuh), CVE-2026-3564 (ConnectWise ScreenConnect), CVE-2026-22557, CVE-2026-22558 (Ubiquiti), CVE-2025-14986 (Temporal), CVE-2026-31381, CVE-2026-31382 (Gainsight Assist), CVE-2026-26189 (Trivy), CVE-2026-4439, CVE-2026-4440, CVE-2026-4441 (Google Chrome), CVE-2026-33001, CVE-2026-33002 (Jenkins), CVE-2026-21570 (Atlassian Bamboo Center), and CVE-2026-21884 (Atlassian Crowd Data Center).

🎥 Cybersecurity Webinars

• Learn How to Automate Exposure Management with OpenCTI & OpenAEV → Discover how to automate continuous, threat-informed testing using open-source tools like OpenCTI and OpenAEV to validate your security controls against real attacker behavior without increasing your budget. See a live demo on how to verify your security works, identify real gaps, and integrate it into your SOC workflow at no extra cost.
• Identity Maturity Cracking in 2026: See the New Data + How to Catch Up Fast → Identity programs are under massive pressure in 2026 – disconnected apps, AI agents, and credential sprawl are creating real risks and audit challenges. Join this webinar for new Ponemon Institute 2026 research from over 600 leaders, showing the scale of the problem and practical steps to close gaps, reduce friction, and catch up quickly.

📰 Around the Cyber World

• WhatsApp Tests Usernames Instead of Phone Numbers — WhatsApp is planning to introduce usernames and unique IDs instead of phone numbers, allowing users to send messages and make voice or video calls without sharing numbers. The optional privacy feature is expected to roll out globally by June 2026, with users and businesses able to reserve unique handles. “We’re excited to bring usernames to WhatsApp in the future to help people connect with new friends, groups, and businesses without having to share their phone numbers,” the company said in a statement shared with The Economic Times. The feature has been under test since early January 2026. Signal introduced a similar feature in early 2024.
• FBI Details SE Asia Scam Centers — The U.S. Federal Bureau of Investigation (FBI) detailed its work with Thai authorities to shut down scam centers proliferating in Southeast Asia. The schemes, which primarily target retirees, small-business owners, and people seeking companionship, have been described as a blend of cyber fraud, money laundering, and human trafficking, causing billions of dollars in annual losses. These scam centers operate in a manner that’s similar to how legitimate corporations do. “Recruiters advertise high-paying jobs abroad. Workers are flown to foreign countries only to discover that the positions do not exist,” the FBI said. “Passports are confiscated. Armed guards patrol the grounds. Under threat of violence, workers are forced to pose as potential romantic partners or savvy investment advisers, cultivating trust with victims over weeks or months.” Recent crackdowns in countries like Cambodia have freed thousands of workers from scam compounds, but the FBI warned that these breakthroughs can be temporary, as criminal networks always tend to relocate, rebrand, or shift tactics in response to law enforcement actions.
• APT28 Exposed Server Leaks SquirrelMail XSS Payload — A second exposed open directory discovered on a server (“203.161.50[.]145”) associated with APT28 (aka Fancy Bear) has offered insights into the threat actor’s espionage campaigns targeting government and military organizations across Ukraine, Romania, Bulgaria, Greece, Serbia, and North Macedonia. According to Ctrl-Alt-Intel, the directory contained command-and-control (C2) source code, scripts to steal emails, credentials, address books, and 2FA tokens from Roundcube mailboxes, telemetry logs, and exfiltrated data. The stolen data consists of 2,870 emails from government and military mailboxes, 244 sets of stolen credentials, 143 Sieve forwarding rules (to silently forward every incoming email to an attacker-controlled mailbox), and 11,527 contact email addresses. One of the newly identified tools is an XSS payload targeting the SquirrelMail webmail software, highlighting the threat actor’s continued focus on leveraging XSS flaws to steal data from email inboxes. It’s worth noting that the server was attributed to APT28 by the Computer Emergency Response Team of Ukraine (CERT-UA) as far back as September 2024. “Fancy Bear developed a modular, multi-platform exploitation toolkit where a victim simply opening a malicious email – with no further clicks – could result in their credentials stolen, their 2FA bypassed, emails within their mailbox exfiltrated, and a silent forwarding rule established that persists indefinitely,” Ctrl-Alt-Intel said.
• Analysis of a Beast Ransomware Server — An analysis of an open directory on a server (“5.78.84[.]144”) associated with Beast, a ransomware-as-a-service (RaaS) that’s suspected to be the successor to Monster ransomware, has uncovered the various tools used by the threat actors and the different stages of their attack lifecycle. These included Advanced IP Scanner and Advanced Port Scanner to map internal networks and find open remote desktop protocol (RDP) or server message block (SMB) ports. Also identified were programs to locate sensitive files for exfiltration and flag which servers hold the most data, as well as Mimikatz, LaZagne, and Automim (for credential harvesting), AnyDesk (for persistence), PsExec (for lateral movement), and MEGASync (for data exfiltration). Beast ransomware operations paused in November 2025 and resumed in January 2026.
• GrapheneOS Opposes the Unified Attestation Initiative — GrapheneOS has come out strongly against Unified Attestation, stating it “serves no truly useful purpose beyond giving itself an unfair advantage while pretending it has something to do with security.” The Unified Attestation initiative is an open-source, decentralized alternative to the Google Play Integrity API to provide device and app integrity checks for custom ROMs without requiring Google Play Services. “We strongly oppose the Unified Attestation initiative and call for app developers supporting privacy, security, and freedom on mobile to avoid it,” GraphenseOS said. “Companies selling phones should not be deciding which operating systems people are allowed to use for apps.”
• VoidStealer Uses Chrome Debugger to Steal Secrets — An information stealer known as VoidStealer has observed using a novel debugger-based Application-Bound Encryption (ABE) bypass technique that leverages hardware breakpoints to extract the “v20_master_key” directly from browser memory and use it to decrypt sensitive data stored in the browser. VoidStealer is a malware-as-a-service (MaaS) infostealer that began being marketed on several dark web forums in mid-December 2025. The ABE bypass technique was introduced in version 2.0 of the stealer announced on March 13, 2026. “The bypass requires neither privilege escalation nor code injection, making it a stealthier approach compared to alternative ABE bypass methods,” Gen Digital said. VoidStealer is assessed to have adopted the technique from the open-source ElevationKatz project.
• FBI Says it is Buying Americans’ location Data — FBI director Kash Patel admitted that the agency is buying location data that can be used to track people’s movements without a warrant. “We do purchase commercially available information that’s consistent with the Constitution and the laws under the Electronic Communications Privacy Act, and it has led to some valuable intelligence for us,” Patel said at a hearing before the Senate Intelligence Committee.
• Iranian Botnet Exposed via Open Directory — An Open Directory on “185.221.239[.]162:8080” has been found to contain several payloads, including a Python-based botnet script, a compiled DDoS binary, multiple C-language denial-of-service files, and IP addresses associated with SSH credentials. “A Python script called ohhhh.py reads credentials in a host:port|username|password format and opens 500 concurrent SSH sessions, compiling and launching the bot client on each host automatically,” Hunt.io said. “The exposed .bash_history captured three distinct phases of work: standing up the tunnel network, building and testing DDoS tooling against live targets, and iterative botnet development across multiple script versions.” The activity has not been linked to any state-directed campaign.
• OpenClaw Developers in Phishing Attack — OpenClaw’s combination of flexibility, local control, and a fast-growing ecosystem has made it popular among developers in a very short time. While that unprecedented adoption speed has exposed organizations to new security risks of its own (i.e., vulnerabilities and the presence of malicious skills on ClawHub and SkillsMP), threat actors are also capitalizing on the brand name and reputation to set up fake GitHub accounts for a phishing campaign that lures unsuspecting developers with promises of free $CLAW tokens and trick them into connect their cryptocurrency wallet. “The threat actor creates fake GitHub accounts, opens issue threads in attacker-controlled repositories, and tags dozens of GitHub developers,” OX Security researchers Moshe Siman Tov Bustan and Nir Zadok said. “The posts claim that recipients have won $5,000 worth of CLAW tokens and can collect them by visiting a linked site and connecting their crypto wallet.” The linked site (“token-claw[.]xyz”) is a near-identical clone of openclaw.ai rigged with a wallet-draining “Connect your wallet” button designed to conduct cryptocurrency theft.
• New Campaign Targets Energy Operations Personnel in Pakistan — A targeted campaign against operations personnel at energy firms linked to projects in Pakistan has leveraged phishing emails mimicking invitations to the upcoming Pakistan Energy Exhibition & Conference (PEEC). The messages, sent from compromised accounts from a Pakistani university and a government organization, aim to deceive victims into opening PDF attachments with a fake Adobe Acrobat Reader update prompt. Clicking the update leads to the download of a ClickOnce application resource that drops the Havoc Demon C2 framework. “The redirect chain was also wrapped in geofencing and browser fingerprinting, limiting access to intended targets,” Proofpoint said. “That likely reduced the exposure to automated analysis while keeping the delivery path tightly scoped.” The activity has been codenamed UNK_VaporVibes. It’s assessed to share overlaps with activity publicly associated with SloppyLemming.
• Over 373K Dark Web Sites Down — International law enforcement agencies announced the takedown of one of the largest known networks of fraudulent platforms on the dark web, uncovering hundreds of thousands of fake websites used to scam users seeking child sexual abuse content. A 10-day international operation led by German authorities and supported by Europol shut down more than 373,000 dark web domains run by a 35-year-old man based in China, who had been operating a sprawling network of fraudulent platforms since at least 2021. While the sites advertised child abuse material and cybercrime-as-a-service offerings, nothing was actually delivered after victims made a payment in Bitcoin. The fraudulent scheme netted the operator an estimated €345,000 from around 10,000 people. Authorities from 23 countries participated in the operation, and have since identified 440 customers whose purchases are now under active investigation.
• Malicious npm Packages Steal Secrets — Two malicious npm packages, sbx-mask and touch-adv, have been found to steal secrets from victims’ computers. While one invokes the malicious code via the postinstall script, the other executes it when application code is invoked by the developer after importing it. “The evidence strongly suggests account takeover of a legitimate publisher, rather than intentional malicious activity,” Sonatype said. “Hijacked publisher accounts are particularly concerning as, over time, maintainers build trust with the users of their components. Attackers aim to take advantage of that trust in order to steal valuable, or profitable, information.”
• China to Have Its Own Post-Quantum Cryptography in 3 Years — China is reportedly planning to develop its own national post-quantum cryptography standards within the next three years, according to a report from Reuters. The U.S. finalized ​its first set of post-quantum cryptography standards in 2024 and is aiming to achieve full industry migration by 2035.
• What’s Next for Tycoon2FA? — A recent law enforcement operation dismantled the infrastructure associated with the Tycoon2FA phishing-as-a-service (PhaaS) platform. However, a new analysis from Bridewell has revealed that some of the 2FA phishing CAPTCHA pages are still live. The lingering activity, the cybersecurity company noted, stems from the fact that these pages operate on a massive network of compromised third-party sites, legitimate SaaS platforms, and thousands of disposable domains. “Operators and affiliates are highly agile and will attempt to rebuild, migrate to new infrastructure, or pivot to competing PhaaS platforms,” it added. “The live CAPTCHA pages we are seeing may belong to surviving criminal affiliates attempting to keep their individual campaigns breathing on secondary proxy networks.”

🔧 Cybersecurity Tools

• MESH → It is an open-source tool from BARGHEST that enables remote mobile forensics and network monitoring over an encrypted, peer-to-peer mesh network resistant to censorship. It connects Android/iOS devices behind firewalls or CGNAT using a modified Tailscale-like protocol (no central servers needed), supports ADB wireless debugging, libimobiledevice, PCAP capture, and Suricata IDS—allowing secure, direct access for live logical acquisitions in restricted or hostile environments.
• enject → It is a lightweight Rust tool that protects .env secrets from AI assistants like Copilot or Claude. It replaces real values in your .env file with placeholders (e.g., en://api_key). Secrets stay encrypted in a per-project store (AES-256-GCM, master password protected). When you run enject run — <command>, it decrypts them only in memory at runtime, then wipes them—never leaving plaintext on disk. Open-source, macOS/Linux, perfect for safe local development.

Disclaimer: For research and educational use only. Not security-audited. Review all code before use, test in isolated environments, and ensure compliance with applicable laws.

Conclusion

And that’s the week. The real pattern isn’t any one story; it’s the gap. The gap between a flaw and detection. Between a patch and a deployment. Between knowing and doing. Most of this week’s damage happened in that gap, and it’s not new.

Before you move on: update your mobile devices, review anything touching your CI/CD pipeline, and don’t store crypto wallet recovery phrases in notes apps.