InfoSec.Watch — Newsletter - Issue 131

🚨 Top Stories

Trivy Supply Chain Attack Targets CI/CD Secrets

A threat actor used the open source security tool to deploy an infostealer into CI/CD workflows and steal cloud credentials, SSH keys, tokens, and other sensitive secrets.

Source: https://www.darkreading.com/application-security/trivy-supply-chain-attack-targets-ci-cd-secrets

💡 Key Takeaway: Review exposed authentication paths, verify policy enforcement across alternate login flows, and rotate credentials or tokens if abuse is plausible.

TeamPCP Pushes Malicious Telnyx Versions to PyPI, Hides Stealer in WAV Files

TeamPCP, the threat actor behind the supply chain attack targeting Trivy, KICS, and litellm, has now compromised the telnyx Python package by pushing two malicious versions, 4.87.1 and 4.87.2, to the Python Package Index (PyPI). Both were designed to exfiltrate sensitive data.

Source: https://thehackernews.com/2026/03/teampcp-pushes-malicious-telnyx.html

💡 Key Takeaway: Audit dependency sources and enforce package integrity checks, especially in CI/CD paths that can expose credentials or tokens.

Nasir Security’s Hybrid Warfare Against Middle East Energy Infrastructure

Resecurity uncovers Nasir Security, an Iranian threat actor using supply chain attacks and psy-ops to target Middle East energy vendors and leak blueprints.

Source: https://securityonline.info/nasir-security-middle-east-energy-supply-chain-attack-propaganda/

💡 Key Takeaway: Treat this like a control-validation drill: confirm logging, identity protections, and data-access monitoring would let you detect and contain the same pattern internally.

🛡️ Vulnerability Spotlight

CISA: New Langflow Flaw Actively Exploited to Hijack AI Workflows

The Cybersecurity and Infrastructure Security Agency (CISA) is warning that hackers are actively exploiting a critical vulnerability identified as CVE-2026-33017, which affects the Langflow framework for building AI agents.

Source: https://www.bleepingcomputer.com/news/security/cisa-new-langflow-flaw-actively-exploited-to-hijack-ai-workflows/

💡 Key Takeaway: Treat this as a live exploitation risk: identify exposed assets, prioritize emergency remediation, and hunt for signs of compromise before patching closes the window.

Citrix NetScaler Under Active Recon for CVE-2026-3055 (CVSS 9.3) Memory Overread Bug

A recently disclosed critical security flaw impacting Citrix NetScaler ADC and NetScaler Gateway is witnessing active reconnaissance activity, according to Defused Cyber and watchTowr. The vulnerability, CVE-2026-3055 (CVSS score: 9.3), refers to a case of insufficient input

Source: https://thehackernews.com/2026/03/citrix-netscaler-under-active-recon-for.html

💡 Key Takeaway: Identify exposed systems, prioritize by reachability and privilege impact, and verify both patch status and detection coverage rather than assuming the update is enough.

CISA Flags Critical PTC Vulnerability That Had German Police Mobilized

Police in Germany physically warned organizations about the critical PTC Windchill vulnerability tracked as CVE-2026-4681.

Source: https://www.securityweek.com/cisa-flags-critical-ptc-vulnerability-that-had-german-police-mobilized/

💡 Key Takeaway: Rank affected assets by exposure and privilege, then confirm both mitigation and monitoring are in place before calling remediation complete.

📈 Trend to Watch

TA446 Deploys DarkSword iOS Exploit Kit in Targeted Spear-Phishing Campaign

Proofpoint has disclosed details of a targeted email campaign in which threat actors with ties to Russia are leveraging the recently disclosed DarkSword exploit kit to target iOS devices. The activity has been attributed with high confidence to the Russian state-sponsored thre...

Source: https://thehackernews.com/2026/03/ta446-deploys-leaked-darksword-ios.html

💡 Key Takeaway: Focus on the whole intrusion chain: delivery, execution, persistence, and command-and-control should all be visible in telemetry before this becomes a missed campaign.

🏛️ Policy & Regulation Watch

GitHub Phishers Use Fake OpenClaw Tokens to Drain Crypto Wallets

Threat actors are actively exploiting OpenClaw’s viral popularity to run a phishing campaign that targets developers on GitHub with lures of free crypto tokens. According to a disclosure by OX Security, the campaign involves fake “CLAW” token airdrops that promise thousands of...

Source: https://www.csoonline.com/article/4150456/github-phishers-use-fake-openclaw-tokens-to-drain-crypto-wallets.html

💡 Key Takeaway: Validate email, endpoint, and egress controls together, then hunt across telemetry for execution chains, persistence, LOLBin abuse, and operator follow-on activity.

UK Sanctions Xinbi Marketplace Linked to Asian Scam Centers

The United Kingdom's Foreign, Commonwealth and Development Office (FCDO) has sanctioned Xinbi, a Chinese-language cryptocurrency-based online marketplace that sells stolen data and satellite internet equipment to scam networks in Southeast Asia.

Source: https://www.bleepingcomputer.com/news/security/uk-sanctions-xinbi-marketplace-linked-to-asian-scam-centers/

💡 Key Takeaway: Translate this into a concrete action this week: reduce exposure, improve detection, and validate the control that is supposed to stop this exact failure mode.

🧰 Tool / Resource of the Month

OWASP Threat Dragon

Open-source threat modeling tool for designing and analyzing application security architecture.

Source: https://github.com/OWASP/threat-dragon

💡 Key Takeaway: Prioritize internet-facing and privileged systems first, add exploit-attempt detections, and verify that compensating controls actually block code execution paths.

⚡ Quick Hits

CISA Adds CVE-2025-53521 to KEV After Active F5 BIG-IP APM Exploitation

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Friday added a critical security flaw impacting F5 BIG-IP Access Policy Manager (APM) to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation.

Source: https://thehackernews.com/2026/03/cisa-adds-cve-2025-53521-to-kev-after.html

💡 Key Takeaway: Assume opportunistic exploitation is already underway: patch exposed assets first, review logs for related activity, and verify mitigations are really blocking abuse.

CISA Issues Three-Day Patch Mandate for Critical 9.8 F5 BIG-IP RCE

CISA adds F5 BIG-IP RCE (CVE-2025-53521) to its KEV Catalog. With a 9.8 CVSS score and active exploits, federal agencies must patch by March 30, 2026.

Source: https://securityonline.info/f5-big-ip-rce-vulnerability-cve-2025-53521-cisa-kev/

💡 Key Takeaway: Handle this like an active threat, not routine maintenance: reduce exposure immediately, validate compensating controls, and look for evidence of attempted exploitation.

BianLian Ransomware Spreads via Fake Invoice SVG Images in New Attacks

Researchers at WatchGuard have identified a new phishing campaign targeting companies in Venezuela. Using malicious SVG image files….

Source: https://hackread.com/bianlian-ransomware-fake-invoice-svg-images-attacks/

💡 Key Takeaway: Treat this as a behavior problem, not just a malware-name problem: review detections for script execution, trusted-tool abuse, persistence, and outbound connections.

DarkSword’s GitHub Leak Threatens to Turn Elite iPhone Hacking Into a Tool for the Masses

Cybersecurity researchers say the GitHub leak threatens to "democratize" iPhone exploits that were once reserved for nation-states, potentially putting hundreds of millions of iOS 18 devices at risk.

Source: https://cyberscoop.com/darksword-iphone-spyware-leak-ios-18-exploit-threat/

💡 Key Takeaway: Map this incident pattern to your own environment, confirm relevant detections are firing, and make sure the containment steps are documented before the same tactic lands internally.

Cloudflare-Themed ClickFix Attack Drops Infiniti Stealer on Macs

The infection chain includes a fake CAPTCHA page, a Bash script, a Nuitka loader, and the Python-based infostealer.

Source: https://www.securityweek.com/cloudflare-themed-clickfix-attack-drops-infiniti-stealer-on-macs/

💡 Key Takeaway: Train users to distrust fake browser-fix prompts, block suspicious script execution where possible, and watch Macs for unexpected installer, AppleScript, or credential-theft activity.

⚔️ Actionable Defense Move of the Week

One-Week Tier-Zero Validation Loop

For every Tier-Zero patch this week (firewalls, MDM/EMM, VPN, IAM, backup): 1) verify the new version on-box, 2) confirm exposure is removed or allowlisted externally, 3) review 14 days of admin/auth/config logs for anomalies, and 4) rotate secrets if compromise is plausible.

💡 Key Takeaway: Patching is step one—validation plus assumed-breach log review is step two.

🧠 Final Word

This week’s stories reinforce that identity paths and trust boundaries remain a primary operational weak point; software supply chain abuse keeps creating asymmetric risk for defenders. The broader pattern is that active exploitation pressure continues to compress patch and validation timelines. The practical takeaway is to tighten exposed control planes, validate compensating controls, and review telemetry as if exploitation attempts are already in motion.

💡 Key Takeaway: Treat identity paths like production attack surface: reduce exposure, validate every alternate flow, and review auth logs before assumptions become incidents.