🚨 Top Stories
GlassWorm Supply-chain Attack Abuses 72 Open VSX Extensions to Target Developers
Cybersecurity researchers have flagged a new iteration of the GlassWorm campaign that they say represents a "significant escalation" in how it propagates through the Open VSX registry. "Instead of requiring every malicious listing to embed the loader directly, the threat actor...
Source: https://thehackernews.com/2026/03/glassworm-supply-chain-attack-abuses-72.html
💡 Key Takeaway: Focus on the whole intrusion chain: delivery, execution, persistence, and command-and-control should all be visible in telemetry before this becomes a missed campaign.
Rapid7 Guidance on Observed Microsoft Teams Phishing Campaigns
The Rapid7 MDR team is currently monitoring an increase in phishing campaigns where threat actors (TAs) impersonate internal IT departments via Microsoft Teams. The primary objective is to persuade users to launch Quick Assist, granting the TA remote access to deploy malware,...
Source: https://www.rapid7.com/blog/post/dr-guidance-on-observed-microsoft-teams-phishing-campaigns
💡 Key Takeaway: Treat this as a behavior problem, not just a malware-name problem: review detections for script execution, trusted-tool abuse, persistence, and outbound connections.
Backdoored React Native Packages Target Developers with Crypto-stealing Malware
Aikido uncovers a supply chain attack via AstrOOnauta, backdooring two popular React Native packages to steal crypto wallets and developer credentials.
Source: https://securityonline.info/silent-sabotage-backdoored-react-native-packages-target-developers/
💡 Key Takeaway: Treat this as a software supply-chain hygiene issue: review dependency trust paths, validate package provenance, and monitor developer environments for follow-on compromise.
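The GlassWorm, React Native and Packagist stories all come down to "what changed in my dependency set, and where did it really come from". The following is an added example (not code from Aikido, Socket or any of the affected projects) of the provenance review the takeaway above calls for: it diffs two npm lockfiles and flags packages that were added, changed version or integrity at the same version, resolve to a host outside the allowed registry, or carry no integrity hash at all. Both lockfile fragments, the package names and the `TRUSTED_REGISTRY_HOSTS` policy are constructed for the example.

```python
"""Lockfile provenance audit for npm package-lock.json (lockfileVersion 2/3 shape).

Added example: diff a previously reviewed lockfile against the current one and
report anything a supply-chain reviewer should look at before merging.
"""
from urllib.parse import urlparse

# Assumption: only the public registry is allowed. Add your private mirror here.
TRUSTED_REGISTRY_HOSTS = {"registry.npmjs.org"}

# Constructed lockfile fragments; names, versions and hashes are placeholders.
PREVIOUS_LOCK = {
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "version": "1.0.0"},
        "node_modules/left-pad": {
            "version": "1.3.0",
            "resolved": "https://registry.npmjs.org/left-pad/-/left-pad-1.3.0.tgz",
            "integrity": "sha512-aaaa",
        },
        "node_modules/react-native-foo": {
            "version": "2.1.0",
            "resolved": "https://registry.npmjs.org/react-native-foo/-/react-native-foo-2.1.0.tgz",
            "integrity": "sha512-bbbb",
        },
    },
}

CURRENT_LOCK = {
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "version": "1.0.0"},
        # same version, different tarball hash: the tarball was swapped somewhere
        "node_modules/left-pad": {
            "version": "1.3.0",
            "resolved": "https://registry.npmjs.org/left-pad/-/left-pad-1.3.0.tgz",
            "integrity": "sha512-cccc",
        },
        # routine version bump: still worth a look, but expected
        "node_modules/react-native-foo": {
            "version": "2.1.1",
            "resolved": "https://registry.npmjs.org/react-native-foo/-/react-native-foo-2.1.1.tgz",
            "integrity": "sha512-dddd",
        },
        # new package fetched from a host that is not the registry
        "node_modules/helper-lib": {
            "version": "0.0.1",
            "resolved": "https://cdn.example.net/helper-lib-0.0.1.tgz",
            "integrity": "sha512-eeee",
        },
        # new package with no integrity hash: nothing pins the bytes that get installed
        "node_modules/tiny-util": {
            "version": "0.4.0",
            "resolved": "https://registry.npmjs.org/tiny-util/-/tiny-util-0.4.0.tgz",
        },
    },
}


def packages(lock):
    """Return the dependency entries keyed by node_modules path.

    The root entry ("") describes the project itself and is skipped; workspace
    links ("link": true) point at local directories and have no tarball.
    """
    return {k: v for k, v in lock.get("packages", {}).items() if k and not v.get("link")}


def audit_lock(previous, current):
    prev, cur = packages(previous), packages(current)
    report = {"added": [], "changed": [], "untrusted_source": [], "missing_integrity": []}
    for path, meta in sorted(cur.items()):
        name = path.rsplit("node_modules/", 1)[-1]
        version, integrity, resolved = meta.get("version"), meta.get("integrity"), meta.get("resolved")

        if path not in prev:
            report["added"].append(f"{name}@{version}")
        elif prev[path].get("version") != version:
            report["changed"].append(f"{name}: {prev[path].get('version')} -> {version}")
        elif prev[path].get("integrity") != integrity:
            # Same version but a different hash should never happen on an immutable registry.
            report["changed"].append(f"{name}: {version} integrity changed")

        host = urlparse(resolved).hostname if resolved else None
        if host not in TRUSTED_REGISTRY_HOSTS:
            report["untrusted_source"].append(f"{name}: {resolved}")
        if not integrity:
            report["missing_integrity"].append(name)
    return report


if __name__ == "__main__":
    for category, items in audit_lock(PREVIOUS_LOCK, CURRENT_LOCK).items():
        print(category, items)
```

Run it against `json.load`ed copies of the lockfile from the last reviewed commit and the working tree; in CI, fail the build on anything in `untrusted_source` or `missing_integrity`, and require a human to sign off on `added` and `changed`. The "same version, integrity changed" case is the one that deserves the most attention: a version bump can be a normal update, but a different tarball behind an unchanged version means something between the registry and your build served different bytes.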
🛡️ Vulnerability Spotlight
Google Fixes Two Chrome Zero-days Exploited in the Wild Affecting Skia and V8
Google on Thursday released security updates for its Chrome web browser to address two high-severity vulnerabilities that it said have been exploited in the wild. The list of vulnerabilities is as follows - CVE-2026-3909 (CVSS score: 8.8) - An out-of-bounds write vulnerability...
Source: https://thehackernews.com/2026/03/google-fixes-two-chrome-zero-days.html
💡 Key Takeaway: Treat this as a live exploitation risk: identify exposed assets, prioritize emergency remediation, and hunt for signs of compromise before patching closes the window.
Veeam Warns Admins to Patch Now as Critical RCE Flaws Hit Backup & Replication
Backup vendor Veeam has released security updates to patch multiple vulnerabilities in its widely used Backup and Replication platform, including three critical flaws that could allow authenticated users to execute code on backup servers. Detailed in the company’s advisory KB4...
💡 Key Takeaway: Protect the recovery plane like Tier Zero: patch quickly, restrict admin access, and verify backup integrity plus restore workflows before you need them.
📈 Trend to Watch
Threat Actor Targeting VPN Users in New Credential Theft Campaign
Storm-2561 is distributing fake VPN clients through SEO poisoning, deploying trojans, and stealing login information.
Source: https://www.securityweek.com/threat-actor-targeting-vpn-users-in-new-credential-theft-campaign/
💡 Key Takeaway: Review exposed authentication paths, verify policy enforcement across alternate login flows, and rotate credentials or tokens if abuse is plausible.
🏛️ Policy & Regulation Watch
Commercial Spyware Opponents Fear US Policy Shifting
Rescinded sanctions and reactivated contracts have created confusion about the Trump administration's spyware policy and where it draws the line.
Source: https://www.darkreading.com/threat-intelligence/commercial-spyware-opponents-fear-us-policy-shifting
💡 Key Takeaway: Policy signals are not controls: keep mobile and endpoint hardening, patch cadence, and travel-device handling for high-risk staff independent of which spyware vendors happen to be sanctioned this quarter.
🧰 Tool / Resource of the Week
OWASP Threat Dragon
Open-source threat modeling tool for designing and analyzing application security architecture.
Source: https://github.com/OWASP/threat-dragon
💡 Key Takeaway: Model the system before you test it: diagram trust boundaries and data flows, enumerate threats per boundary (Threat Dragon supports STRIDE, LINDDUN and other methodologies), and turn each accepted mitigation into a control you can verify with a test or a detection.
Betterleaks, a New Open-source Secrets Scanner to Replace Gitleaks
A new open-source tool called Betterleaks can scan directories, files, and git repositories and identify valid secrets using default or customized rules. [...].
💡 Key Takeaway: Secrets scanning only pays off where secrets actually appear: run it in pre-commit and CI, scan full git history rather than just the working tree, and treat every valid hit as a rotation, not a cleanup.
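To show what "default or customized rules" means in practice, here is an added example of a minimal secrets scanner in the gitleaks/Betterleaks style; it is not the Betterleaks code and its rule names, entropy threshold and allowlist are assumptions. It walks a directory tree, applies regex rules per line, gates the generic "name = value" rule on Shannon entropy so that placeholders do not fire, and suppresses matches that hit a documented-placeholder allowlist. The fixture files it scans are constructed inline (the AWS key `AKIAIOSFODNN7EXAMPLE` is the documented example key; the other values are made up).

```python
"""Minimal regex-plus-entropy secrets scanner (added example, not Betterleaks)."""
import math
import os
import re
import tempfile
from dataclasses import dataclass
from pathlib import Path

# Rule set: the structured formats are identified by prefix; the generic rule
# captures a quoted value assigned to a secret-looking name in group(1).
RULES = {
    "aws-access-key-id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github-pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "generic-assignment": re.compile(
        r"""(?i)\b(?:secret|token|password|api[_-]?key)\b\s*[:=]\s*['"]([^'"\s]{16,})['"]"""),
}
ENTROPY_GATED = {"generic-assignment"}   # only the generic rule needs the entropy check
ENTROPY_MIN = 3.5                         # assumption: bits per char; tune per rule
ALLOWLIST = [re.compile(r"EXAMPLE"), re.compile(r"changeme", re.I)]  # known placeholders
SKIP_DIRS = {".git", "node_modules"}


@dataclass
class Finding:
    rule: str
    path: str
    line: int
    preview: str  # first characters only; never log the full secret


def shannon_entropy(s):
    if not s:
        return 0.0
    n = len(s)
    return -sum((s.count(c) / n) * math.log2(s.count(c) / n) for c in set(s))


def scan_text(path, text):
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for rule, pattern in RULES.items():
            for m in pattern.finditer(line):
                hit = m.group(0)
                if any(a.search(hit) for a in ALLOWLIST):
                    continue  # documented placeholder, not a live credential
                candidate = m.group(1) if m.groups() else hit
                if rule in ENTROPY_GATED and shannon_entropy(candidate) < ENTROPY_MIN:
                    continue  # "aaaa..." style dummy values
                findings.append(Finding(rule, path, lineno, candidate[:4] + "..."))
    return findings


def scan_tree(root):
    root = Path(root)
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in SKIP_DIRS]
        for name in filenames:
            p = Path(dirpath, name)
            try:
                text = p.read_text(encoding="utf-8")
            except UnicodeDecodeError:
                continue  # binary file; a real scanner would handle these separately
            findings.extend(scan_text(str(p.relative_to(root)), text))
    return findings


# Constructed fixtures: two real-looking hits, one documented example key,
# one placeholder password and one low-entropy dummy token.
SAMPLE_FILES = {
    "config/app.ini": "aws_access_key_id = AKIAZQ3R7T9V2X5Y8W1K\nregion = us-east-1\n",
    ".env": 'GITHUB_TOKEN=ghp_A1b2C3d4E5f6G7h8I9j0K1l2M3n4O5p6Q7r8\nAPI_KEY = "p9Xk2mQv7Lr4Zt8Wq1Bn3Yc6"\n',
    "docs/setup.md": 'Use AKIAIOSFODNN7EXAMPLE in docs only.\npassword = "changeme-changeme-1"\n',
    "tests/fixture.py": 'token = "aaaaaaaaaaaaaaaaaaaa"\n',
}


def run_demo():
    """Write the fixtures to a temp dir and scan it; returns the findings."""
    root = Path(tempfile.mkdtemp())
    for rel, body in SAMPLE_FILES.items():
        f = root / rel
        f.parent.mkdir(parents=True, exist_ok=True)
        f.write_text(body, encoding="utf-8")
    return scan_tree(root)


if __name__ == "__main__":
    for f in run_demo():
        print(f"{f.rule:20} {f.path}:{f.line}  {f.preview}")
```

Three findings come back (the AWS key, the GitHub PAT and the high-entropy API key); the example key, the "changeme" password and the all-"a" token are suppressed. Real tools add git-history scanning (each historical blob is scanned the same way as a file) and, as the Betterleaks summary notes, validation of whether a hit is still a live credential; the entropy gate and allowlist are what keep the noise down enough for that validation step to be worth automating.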
⚡ Quick Hits
Google Warns of Two Actively Exploited Chrome Zero Days
Threat actors are exploiting two high-severity zero-day vulnerabilities in the Chrome browser that experts say IT teams must patch immediately. Google has issued emergency patches for the two flaws, CVE-2026-3909 and CVE-2026-3910.
💡 Key Takeaway: Assume opportunistic exploitation is already underway: patch exposed assets first, review logs for related activity, and verify mitigations are really blocking abuse.
CISA Flags Actively Exploited n8n RCE Bug as 24,700 Instances Remain Exposed
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Wednesday added a critical security flaw impacting n8n to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation.
Source: https://thehackernews.com/2026/03/cisa-flags-actively-exploited-n8n-rce.html
💡 Key Takeaway: Handle this like an active threat, not routine maintenance: reduce exposure immediately, validate compensating controls, and look for evidence of attempted exploitation.
Malicious Packagist Themes Target Vietnamese Ophimcms Sites with Trojanized JS
Socket uncovers a Packagist supply chain attack targeting Vietnamese OphimCMS streaming sites with trojanized themes linked to sanctioned entity FUNNULL.
Source: https://securityonline.info/streaming-sabotage-malicious-packagist-themes-vietnamese-ophimcms/
💡 Key Takeaway: Treat third-party themes and plugins like any other dependency: pin to reviewed versions, diff updates before deploying them, and alert on unexpected outbound script loads from your site front ends.
CISA Flags Wing FTP Server Flaw as Actively Exploited in Attacks
CISA warned U.S. government agencies to secure their Wing FTP Server instances against an actively exploited vulnerability that may be chained in remote code execution attacks.
💡 Key Takeaway: Treat this as an active exposure-management problem: identify reachable systems, patch or mitigate by risk tier, and review telemetry for evidence of attempted exploitation.
Authorities Take Down Global Proxy Network SocksEscort
The botnet, which compromised routers and IoT devices in 163 countries, claimed about 369,000 victims and $5.8 million from its cybercriminal customers, officials said.
Source: https://cyberscoop.com/socksescort-proxy-network-botnet-takedown/
💡 Key Takeaway: Assume your routers and IoT devices are someone else's proxy exit until proven otherwise: inventory edge devices, patch or retire unsupported ones, and alert on unexpected outbound connections originating from them.
⚔️ Actionable Defense Move of the Week
One-week Tier Zero Validation Loop
For every Tier Zero patch this week (firewalls, MDM/EMM, VPN, IAM, backup): 1) verify the new version on-box, 2) confirm exposure is removed or allowlisted externally, 3) review 14 days of admin/auth/config logs for anomalies, and 4) rotate secrets if compromise is plausible.
Source: https://www.infosec.watch/
💡 Key Takeaway: Patching is step one—validation plus assumed-breach log review is step two.
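The four steps above are easy to tick off by hand once and hard to repeat every week, so here is an added example (not infosec.watch code) that turns them into a single report: a numeric version comparison for step 1, a diff of externally observed ports against an allowlist for step 2, a 14-day anomaly review of admin/auth/config logs for step 3, and a rotate-secrets decision for step 4. The log format, hostnames, management network, admin account list and change window are all assumptions, and the log lines are constructed (IPs are from RFC 5737 documentation ranges).

```python
"""One-week Tier Zero validation loop as code (added example).

Constructed data throughout: the key=value log format, hosts, IPs and the
policy constants below are assumptions, not any product's real format.
"""
import ipaddress
from datetime import datetime, timedelta, timezone

MGMT_NETS = [ipaddress.ip_network("192.0.2.0/24")]   # assumption: jump-host range
ADMIN_ACCOUNTS = {"admin", "backup-svc"}             # assumption: the only expected admins
CHANGE_WINDOW_HOURS = range(20, 24)                  # assumption: changes happen 20:00-23:59 UTC
NOW = datetime(2026, 3, 13, tzinfo=timezone.utc)     # fixed "now" so the example is deterministic

# Constructed admin/auth/config log lines.
LOG_LINES = [
    "2026-03-09T21:05:10Z host=vpn-gw1 event=config_change user=admin src=192.0.2.10 detail=cert_rotate",
    "2026-03-10T02:13:44Z host=vpn-gw1 event=admin_login user=admin src=203.0.113.7 result=success",
    "2026-03-10T02:14:02Z host=vpn-gw1 event=config_change user=admin src=203.0.113.7 detail=add_local_user",
    "2026-03-11T09:30:00Z host=backup1 event=admin_login user=svc_tmp src=192.0.2.11 result=success",
    "2026-03-12T21:40:00Z host=backup1 event=admin_login user=backup-svc src=192.0.2.11 result=success",
    "2026-02-01T03:00:00Z host=vpn-gw1 event=admin_login user=admin src=203.0.113.9 result=success",
]


def version_tuple(v):
    """Compare versions numerically: '12.10.0' is newer than '12.9.1'."""
    return tuple(int(part) for part in v.split("."))


def is_patched(installed, fixed_in):
    return version_tuple(installed) >= version_tuple(fixed_in)


def unexpected_exposure(observed_ports, allowed_ports):
    """Step 2: anything reachable from outside that is not explicitly allowlisted."""
    return sorted(set(observed_ports) - set(allowed_ports))


def parse_line(line):
    ts, *kvs = line.split()
    rec = dict(kv.split("=", 1) for kv in kvs)
    rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return rec


def from_mgmt_net(src):
    return any(ipaddress.ip_address(src) in net for net in MGMT_NETS)


def review_logs(lines, now=NOW, window_days=14):
    """Step 3: flag admin activity that breaks the assumed-good baseline."""
    since = now - timedelta(days=window_days)
    findings = []
    for rec in map(parse_line, lines):
        if rec["ts"] < since:
            continue
        src_ok = from_mgmt_net(rec["src"])
        if rec["event"] == "admin_login" and rec.get("result") == "success" and not src_ok:
            findings.append(("high", rec["host"], "admin login from outside management network", rec["src"]))
        if rec["event"] == "admin_login" and rec["user"] not in ADMIN_ACCOUNTS:
            findings.append(("high", rec["host"], "unexpected admin account", rec["user"]))
        if rec["event"] == "config_change" and (not src_ok or rec["ts"].hour not in CHANGE_WINDOW_HOURS):
            findings.append(("medium", rec["host"], "config change outside window or from untrusted source", rec["detail"]))
    return findings


def validation_report(installed, fixed_in, observed_ports, allowed_ports, lines):
    anomalies = review_logs(lines)
    return {
        "patched": is_patched(installed, fixed_in),
        "unexpected_exposure": unexpected_exposure(observed_ports, allowed_ports),
        "anomalies": anomalies,
        # Step 4: any high-severity anomaly makes compromise plausible enough to rotate.
        "rotate_secrets": any(sev == "high" for sev, *_ in anomalies),
    }


if __name__ == "__main__":
    # Placeholder version strings; substitute the vendor's fixed version.
    report = validation_report("12.1.0", "12.2.0", [443, 8443, 22], [443], LOG_LINES)
    for key, value in report.items():
        print(f"{key}: {value}")
```

On the constructed data the report says the box is still unpatched, ports 22 and 8443 are reachable without an allowlist entry, three anomalies stand out (an admin login from a non-management address, a config change from that same address outside the change window, and a login by an account that is not on the admin list), and secret rotation is warranted. The 2026-02-01 line is ignored because it falls outside the 14-day window. The numeric version comparison matters more than it looks: a string comparison would rank "12.9.1" above "12.10.0" and report a patched system as current.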
🧠 Final Word
This week’s stories reinforce that identity paths and trust boundaries remain a primary operational weak point; backup and recovery infrastructure is still part of the live attack surface. The broader pattern is that software supply chain abuse keeps creating asymmetric risk for defenders. The practical takeaway is to tighten exposed control planes, validate compensating controls, and review telemetry as if exploitation attempts are already in motion.