Security News EN

Security Highlights Of The Week [04/26-1]

Adobe Reader Zero-Day Exploited for Months Through Malicious PDF Files
Researchers say a malicious PDF has been exploiting an Adobe Reader zero-day in the wild since at least December, including against fully patched installations. The document appears to fingerprint the environment, abuse privileged Acrobat APIs to steal local data, and potentially stage follow-on remote code execution or sandbox escape activity.
Source: BleepingComputer

Smart Slider 3 Pro Compromised Through the Official Update Channel
Attackers compromised Nextend’s update infrastructure and pushed a trojanized Smart Slider 3 Pro release through the official channel for WordPress and Joomla sites. Any site that updated to version 3.5.1.35 should be treated as potentially compromised because the malicious build installed multiple backdoors rather than merely exposing a software flaw.
Source: Patchstack

Fortinet Rushes Fixes for an Exploited FortiClient EMS Zero-Day
Fortinet released emergency fixes for CVE-2026-35616 in FortiClient EMS after confirming in-the-wild exploitation. The bug is a critical unauthenticated access control issue that can lead to remote code execution through crafted requests.
Source: SecurityWeek

Iranian Actors Target Rockwell and Allen-Bradley PLCs
US agencies warned that Iranian-affiliated actors are actively targeting internet-exposed Rockwell Automation and Allen-Bradley PLCs in critical infrastructure. The activity includes unauthorized access to engineering projects and manipulation of HMI or SCADA data, with the advisory linking the intrusions to operational disruption and financial loss.
Source: Censys

Google Warns of UNC6783 Targeting BPOs for Downstream Data Theft
Google says UNC6783 is targeting business process outsourcing providers and help desks that support high-value enterprises, then using that foothold to steal data from downstream customers. The campaign relies on social engineering and phishing, including theft of support tickets and identity-related data that can support extortion or follow-on access.
Source: SecurityWeek

Attackers Expand Social Engineering Campaign Against Node.js Maintainers
Socket reported that the social engineering operation behind the Axios compromise is also targeting other high-impact Node.js and npm maintainers. The concern is not a single package incident but a scalable playbook aimed at high-trust maintainers whose accounts can push malicious code into widely used dependencies.
Source: Socket

React2Shell Exploited for Large-Scale Credential Harvesting in Next.js Apps
Talos described UAT-10608 as a large-scale automated credential harvesting operation exploiting React2Shell in vulnerable Next.js applications. After initial access, the actors harvest credentials, SSH keys, cloud tokens, and environment secrets, turning each compromise into a map of the victim’s broader infrastructure.
Source: Cisco Talos

Device Code Phishing Surges as New Kits Spread Online
Device code phishing has surged as attackers abuse the OAuth device authorization flow to trick users into authorizing attacker-controlled sessions on legitimate login pages. New kits have pushed the technique toward mainstream criminal use because stolen tokens can bypass normal password capture flows and extend account access beyond the initial phishing event.
Source: BleepingComputer

Apache ActiveMQ Patches a 13-Year-Old Remote Code Execution Flaw
Apache ActiveMQ Classic patched CVE-2026-34197, an RCE issue in the Jolokia bridge that had been lurking for 13 years. In some versions it can become effectively unauthenticated when combined with a separate exposure flaw, turning a management feature into an internet-facing execution path.
Source: Horizon3.ai

Storm-1175 Compresses the Window for Medusa Ransomware Attacks
Microsoft says Storm-1175 is exploiting newly disclosed web-facing vulnerabilities at high speed to deploy Medusa ransomware, sometimes within 24 hours of initial access. The group’s focus on the short patch gap means exposed edge systems can move from N-day exposure to exfiltration and encryption before normal response cycles catch up.
Source: Microsoft Security Blog

Security Highlights Of The Day [26/03/26]

Chinese Hackers Found Deep Within Telecom Backbone Infrastructure
Researchers uncovered a China-linked state actor deploying kernel implants and passive backdoors within global telecommunications backbone infrastructure for long-term persistence. The operation appears designed for high-level espionage and sustained access to critical environments.
Source: SecurityWeek

ShadowPrompt Vulnerability Enables Silent Hijacking of Claude Chrome Extension
A vulnerability in the Claude Chrome extension allowed any website to inject instructions into the AI assistant without user interaction. By chaining an overly permissive origin allowlist with a DOM-based XSS flaw, attackers could execute arbitrary actions with user-level privileges.
Source: Koi AI

Citrix Warns of Critical NetScaler Flaw Allowing Session Token Theft
Citrix patched a critical vulnerability tracked as CVE-2026-3055 that could allow unauthenticated attackers to steal sensitive data such as session tokens. The flaw is similar to previous CitrixBleed issues and requires immediate patching.
Source: BleepingComputer

GlassWorm Malware Hides RAT Inside Malicious Chrome Extension
The GlassWorm campaign uses a multi-stage infection chain to deploy a persistent RAT, including a malicious Chrome extension disguised as Google Docs Offline. The malware captures keystrokes, cookies, session tokens, and screenshots while communicating with a command-and-control server hidden in a blockchain.
Source: Aikido Security

Critical GitLab Flaws Enable App Impersonation and AI Token Exposure
GitLab released patches for multiple high-severity vulnerabilities that could allow attackers to impersonate applications, execute unauthorized actions, and perform denial-of-service attacks. The flaws also pose a risk of exposing AI-related tokens and compromising account integrity.
Source: SecurityOnline

Security Highlights Of The Day [24/03/26]

2025 IT Sector Cyber Threat Report Highlights Evolving Threat Landscape
The IT-ISAC report outlines key cyber threat trends targeting the IT sector, emphasizing the role of collaborative intelligence sharing in identifying and mitigating attacks. The report provides insight into threat actors, techniques, and defensive strategies aimed at strengthening resilience across critical infrastructure ecosystems.
Source: IT-ISAC

Fake npm Install Logs Used to Deliver Remote Access Trojans
A campaign linked to North Korea targets developers through fake job interviews and coding tests, distributing malicious npm packages that deploy remote access trojans. The attack leverages social engineering to compromise developer environments and gain persistent access.
Source: ReversingLabs

GhostClaw Campaign Expands to GitHub and AI Workflows
The GhostClaw malware campaign has expanded beyond npm packages to include GitHub repositories and AI-based workflows, delivering macOS infostealers. Researchers identified new infection vectors and infrastructure, showing increased sophistication in targeting developers.
Source: Jamf

Tycoon2FA Phishing Platform Quickly Recovers After Law Enforcement Disruption
The Tycoon2FA phishing-as-a-service platform has resumed operations shortly after a coordinated law enforcement takedown. Despite domain seizures and disruption efforts, the service returned to normal activity levels within days, highlighting the resilience of cybercrime infrastructure.
Source: BleepingComputer

Critical Cisco Firewall Vulnerability Actively Exploited in the Wild
A critical remote code execution vulnerability in Cisco Secure Firewall Management Center, tracked as CVE-2026-20131, is being actively exploited. The flaw allows unauthenticated attackers to execute arbitrary code and gain root privileges, prompting urgent remediation actions including inclusion in CISA’s KEV catalog.
Source: Zscaler ThreatLabz

Security Highlights Of The Day [19/03/26]

Aura Discloses Data Breach Impacting 900,000 Records
Security firm Aura disclosed a data breach caused by a phone phishing attack targeting an employee, which allowed attackers to access the account for approximately one hour. The company responded by terminating access, activating its incident response plan, and engaging external experts and law enforcement.
Source: SecurityWeek

Apple Fixes WebKit Vulnerability Allowing Same-Origin Policy Bypass
Apple released security updates addressing a WebKit vulnerability that could be exploited to bypass the same-origin policy using specially crafted web content. The flaw affects iOS, iPadOS, and macOS and has been mitigated through improved input validation.
Source: The Hacker News

New ClickFix Scam Tricks Users Into Mapping Attacker-Controlled Drives
A new ClickFix variant manipulates users into executing malicious commands through the Windows Run dialog. The attack uses fake CAPTCHA pages that instruct users to paste and run commands already copied to their clipboard, effectively granting attackers access without traditional malware.
Source: Hackread

Critical ScreenConnect Flaw Exposes Server-Level Cryptographic Keys
A vulnerability tracked as CVE-2026-3564 could allow attackers to access sensitive cryptographic material on the server due to improper handling of secrets in older versions. This could lead to unauthorized control over affected systems.
Source: SecurityOnline

KVM Devices Highlighted as Overlooked Security Risk
Research shows that compromising KVM devices can give attackers full control over connected systems at a level below the operating system. This allows bypassing security controls such as EDR, disk encryption, and Secure Boot.
Source: Eclypsium

Security Highlights Of The Day [17/03/26]

NCI Warns of Increased Threats to Critical Infrastructure Amid Middle East Conflict
A joint advisory from NCI highlights that the ongoing conflict in the Middle East raises risks for critical infrastructure globally. Organizations may face increased cyberattacks from Iranian state actors, hacktivists, and aligned cybercriminal groups. There is also a risk of physical attacks targeting public spaces and critical infrastructure. Organizations are advised to increase preparedness and monitoring.
Source: NCI Advisory

Poisoned Typeface Shows How Fonts Can Compromise AI Systems
Researchers demonstrated how custom fonts and CSS can embed malicious instructions visible to users while AI systems process benign content. This technique enables prompt injection and could lead to data leakage or execution of malicious code, affecting all tested AI assistants.
Source: LayerX Security

Critical File Browser Flaw Grants Automatic Admin Privileges
A vulnerability tracked as CVE-2026-32760 with a CVSS score of 10 allows any newly registered user to gain full administrative privileges due to a logic flaw in the registration process. This could result in complete system takeover without technical complexity.
Source: SecurityOnline

LeakNet Ransomware Uses ClickFix and Deno for Stealthy Attacks
The LeakNet ransomware group uses the ClickFix technique for initial access and leverages the Deno runtime to execute malicious payloads directly in memory. This reduces forensic traces on disk and makes detection more difficult.
Source: BleepingComputer

Authlib Flaws Enable Token Forgery and Authentication Bypass
Three critical vulnerabilities in the widely used Authlib library could allow attackers to bypass authentication, forge JWT tokens, and decrypt sensitive data. Given the library’s extensive use, the impact on global web infrastructure could be significant.
Source: SecurityOnline

Security Highlights Of The Day [13/03/26]

Google Fixes Two Chrome Zero-Days Exploited in the Wild
Google released security updates addressing two Chrome zero-day vulnerabilities that were actively exploited in the wild. The flaws affect the Skia and V8 components of the browser. Both vulnerabilities were discovered and reported internally by Google on March 10, 2026, and technical details about their exploitation have not been disclosed to prevent further abuse by threat actors.
Source: The Hacker News

Storm-2561 Uses SEO Poisoning to Distribute Fake VPN Clients for Credential Theft
Microsoft identified a credential theft campaign distributing fake VPN clients through SEO poisoning. Users searching for legitimate enterprise software are redirected to malicious ZIP files hosted on attacker-controlled websites, which deploy digitally signed trojans masquerading as trusted VPN clients while harvesting VPN credentials. Microsoft attributes the activity to the cybercriminal actor Storm-2561, active since May 2025.
Source: Microsoft Security Blog

400,000 WordPress Sites Impacted by SQL Injection in Ally Plugin
A SQL injection vulnerability affecting the Ally WordPress plugin, installed on more than 400,000 sites, could allow attackers to extract sensitive data from databases including password hashes. The vulnerability was reported through the Wordfence Bug Bounty Program only five days after the flaw was introduced into the code.
Source: Wordfence

Veeam Warns of Critical Flaws Exposing Backup Servers to RCE Attacks
Veeam released patches for multiple vulnerabilities in its Backup and Replication solution, including four critical remote code execution flaws. Three of the vulnerabilities allow low-privileged domain users to execute remote code on vulnerable backup servers, creating a serious risk to systems responsible for protecting critical organizational data.
Source: BleepingComputer

Glassworm Returns With Invisible Unicode Attacks on GitHub and npm
Researchers observed a renewed wave of activity from the threat actor Glassworm, using hidden Unicode characters to compromise GitHub repositories, npm packages, and the VS Code ecosystem. The technique allows malicious code to remain visually hidden during code review while still executing in affected environments. Several notable repositories were reported as impacted.
Source: Aikido Security

Security Highlights Of The Day [12/03/26]

Critical n8n Vulnerabilities Could Allow Server Takeover
Two critical vulnerabilities in the open-source workflow automation platform n8n could have enabled unauthenticated remote code execution and sandbox escape, potentially exposing all credentials stored in the n8n database. The first flaw, tracked as CVE-2026-27493 with a CVSS score of 9.5, is a second-order expression injection issue affecting Form nodes. Successful exploitation could allow an attacker to inject arbitrary commands and retrieve command output from the server.
Source: SecurityWeek

Iranian MOIS Actors Increasingly Linked With Cybercrime Ecosystem
Researchers report that Iranian state-linked actors associated with the Ministry of Intelligence and Security are increasingly interacting with the cybercrime ecosystem rather than merely impersonating criminal groups. Instead of only using ransomware branding as cover, some operations appear to rely on criminal malware, infrastructure, and affiliate-style models. This shift may expand operational reach while complicating attribution.
Source: Check Point Research

Iran Conflict Drives Increased Espionage Activity in the Middle East
Following U.S. and Israeli strikes on Iran on February 28, 2026, cybersecurity researchers observed heightened cyber activity linked to Iranian-aligned actors. Despite temporary internet disruptions inside Iran, espionage groups such as TA453 continued credential phishing campaigns targeting organizations including a U.S. think tank. The activity indicates ongoing intelligence collection operations during the regional conflict.
Source: Proofpoint

Compromised WordPress Sites Used to Deliver Global Credential-Stealing Malware
Rapid7 researchers identified a widespread campaign where legitimate WordPress websites were compromised and used to deliver malware through a fake Cloudflare human verification prompt. The campaign deploys a multi-stage infection chain designed to steal credentials and cryptocurrency wallet data from Windows systems, which can later be used for financial fraud or targeted attacks.
Source: Rapid7

Pacific Cybersecurity Agencies Warn of Rising INC Ransom Attacks
Cybersecurity agencies from Australia, New Zealand, and Tonga warned about increasing ransomware activity linked to the INC Ransom group. The advisory highlights the group’s distributed affiliate model, allowing multiple operators to launch attacks using shared tools and infrastructure, making it a growing threat to organizations across the Pacific region.
Source: Cyble

Security Highlights Of The Day [04/03/26]

Malicious Packagist Packages Disguised as Laravel Utilities Deploy Encrypted RAT
Researchers identified a remote access trojan distributed through multiple malicious Packagist packages posing as Laravel utilities. Packages such as nhattuanbl/lara-helper and nhattuanbl/simple-queue contain identical malicious payloads, while another package automatically installs the RAT through a dependency chain. The campaign demonstrates how supply chain attacks can target PHP developer ecosystems through trusted package repositories.
Source: Socket

Silver Dragon APT Targets Organizations in Southeast Asia and Europe
Check Point researchers are tracking the APT group Silver Dragon, believed to operate under the broader Chinese-nexus APT41 umbrella. The group targets organizations in Europe and Southeast Asia using exploitation of internet-facing servers and phishing emails with malicious attachments. To maintain persistence, attackers hijack legitimate Windows services so malware activity blends into normal system processes.
Source: Check Point Research

Critical FreeScout Vulnerability Allows Full Server Compromise
A critical vulnerability in the open-source help desk platform FreeScout, tracked as CVE-2026-28289, enables zero-click remote code execution. The flaw bypasses a previously patched vulnerability and allows attackers to manipulate file processing through a malicious .htaccess upload, ultimately enabling full server compromise.
Source: SecurityWeek

VMware Aria Operations Vulnerability Exploited in the Wild
CISA warned that CVE-2026-22719, a high-severity command injection vulnerability in VMware Aria Operations, is being actively exploited. The flaw allows unauthenticated attackers to execute arbitrary commands during support-assisted product migration processes, potentially leading to remote code execution on affected systems.
Source: SecurityWeek

Critical RCE Flaw in Qwik Framework Enables Server Takeover
A critical vulnerability tracked as CVE-2026-27971 in the Qwik web framework allows attackers to take over servers with a single crafted request. The flaw resides in the framework’s server-side communication layer and poses a significant risk to applications built on the platform due to the potential for remote code execution.
Source: SecurityOnline

Security Highlights Of The Day [03/03/26]

OAuth Redirection Abuse Enables Phishing and Malware Delivery
Microsoft observed phishing campaigns abusing OAuth’s by-design redirection mechanisms to target government and public sector organizations. Attackers leveraged silent OAuth authentication flows and intentionally invalid scopes to redirect victims to attacker-controlled infrastructure without stealing tokens. Microsoft Defender detected malicious activity across email, identity, and endpoint signals, and Microsoft Entra disabled the identified OAuth applications. Related OAuth abuse activity remains ongoing and requires continued monitoring.
Source: Microsoft Security Blog

Web-Based Indirect Prompt Injection Observed Targeting AI Agents
Researchers documented real-world cases of indirect prompt injection where attackers embed hidden instructions into website content later processed by large language models and AI agents. Instead of directly interacting with the model, adversaries exploit features such as webpage summarization and automated content analysis, causing the AI system to unknowingly execute malicious prompts. The potential impact scales with the sensitivity and privileges of the affected AI environment.
Source: Unit 42

Amazon Confirms Drone Strikes Damaged AWS Data Centers in Middle East
Amazon confirmed that three AWS data centers in the United Arab Emirates and one in Bahrain were damaged by drone strikes, resulting in a significant outage impacting multiple cloud services. The disruption affected the AWS Middle East (UAE) region (me-central-1) and the AWS Middle East (Bahrain) region (me-south-1), with services still experiencing impact following the incident.
Source: BleepingComputer

SloppyLemming Targets Pakistan and Bangladesh Governments Using Dual Malware Chains
The threat cluster SloppyLemming has been linked to attacks against government entities and critical infrastructure operators in Pakistan and Bangladesh. The campaign used two separate infection chains to deploy the BurrowShell malware and a Rust-based keylogger. Researchers noted that the use of Rust represents an evolution in the actor’s tooling compared to earlier campaigns relying on more traditional frameworks.
Source: The Hacker News

Google Confirms Exploitation of Qualcomm Android Component Vulnerability
Google disclosed that CVE-2026-21385, a high-severity vulnerability affecting an open-source Qualcomm component used in Android devices, has been exploited in the wild. The flaw involves a buffer over-read in the graphics component and is described as memory corruption linked to an integer overflow. The issue was reported in December 2025 and customers were notified in early February 2026.
Source: The Hacker News

Security Highlights Of The Day [02/03/26]

Chrome Gemini Panel Vulnerability Allowed Extension Hijacking
Researchers disclosed CVE-2026-0628, a high-severity vulnerability in Google Chrome’s Gemini Live feature that could allow malicious browser extensions with basic permissions to hijack the Gemini panel and access local files. The flaw could have enabled privilege escalation by tapping into the browser environment. Google was notified responsibly and released a fix in early January before public disclosure.
Source: Unit 42

APT28 Linked to MSHTML Zero-Day Exploited Before Patch Tuesday
The Russia-linked threat actor APT28 is believed to have exploited CVE-2026-21513, a high-severity MSHTML security feature bypass vulnerability with a CVSS score of 8.8, before it was patched in Microsoft’s February 2026 Patch Tuesday release. The flaw allowed attackers to bypass security protections over a network and may have been used in targeted operations.
Source: SecurityWeek

StegaBin Campaign Uses Malicious npm Packages and Pastebin Steganography
Researchers identified 26 malicious npm packages deploying a multi-stage credential harvesting operation targeting developers. The campaign, dubbed StegaBin, hides command-and-control infrastructure within Pastebin content using character-level steganography. The infection chain ultimately installs a remote access trojan and a nine-module infostealer toolkit targeting developer assets including SSH keys, git repositories, browser credentials, and locally stored secrets.
Source: Socket

Thousands of Google Cloud API Keys Exposed with Gemini Access
Research revealed nearly 3,000 publicly exposed Google Cloud API keys embedded in client-side code. Although typically used as billing project identifiers, these keys could be abused to authenticate to sensitive Gemini endpoints and access private data once APIs were enabled, highlighting risks tied to key exposure in web applications.
Source: The Hacker News

ClawJacked Flaw Enabled Hijacking of Local OpenClaw AI Agents
A high-severity vulnerability in OpenClaw allowed malicious websites to connect to locally running AI agents via a WebSocket gateway bound to localhost. Under specific conditions involving social engineering, attackers could gain control of the agent without plugins or additional extensions. The issue has since been fixed by the vendor.
Source: The Hacker News