Security researchers at ReliaQuest have discovered DeepLoad, a sophisticated piece of malware that steals passwords and credentials the moment it infects a system. The malware uses AI-generated code buried under thousands of lines of junk code to fool security scanners, then injects itself into legitimate Windows processes like LockAppHost.exe.
DeepLoad spreads through ClickFix social engineering tricks that prompt users to run fake "fix" commands. Once installed, it captures both stored browser passwords and live keystrokes through a malicious browser extension. The malware creates persistent triggers in Windows Management Instrumentation that can relaunch attacks days after apparent cleanup.
In one case, DeepLoad spread to USB drives within 10 minutes, disguising itself as familiar installers like Chrome and Firefox. Standard cleanup methods fail because the malware uses advanced persistence mechanisms that survive reboots and partial detection.
Source: Dark Reading
A major security flaw at Companies House allowed logged-in users to view and potentially edit other companies' confidential information, including directors' home addresses and emails. The breach, discovered Thursday by John Hewitt from Ghost Mail, occurred after a WebFiling system update in October 2025.
Companies House CEO Andy King apologized and confirmed the issue was fixed by Monday, with no current reports of data being accessed. However, unauthorized filings may have been possible during the breach period.
The incident has been reported to the Information Commissioner's Office and National Cyber Security Centre. UK businesses are urged to check their company details and will receive emails explaining how to verify their information.
Source: BBC
The popular Telnyx Python SDK became the latest victim of TeamPCP's ongoing supply chain attack campaign that began March 19. Two malicious versions (4.87.1 and 4.87.2) were uploaded to PyPI, targeting Windows, macOS, and Linux systems. The library, which has over 670,000 monthly downloads, enables cloud-based voice solutions.
The attack uses a clever technique: hiding malicious code inside valid WAV audio files that pass security checks. On Windows, it drops executables in startup folders, while on macOS and Linux, it runs scripts to steal session keys. All stolen data gets encrypted with RSA encryption matching previous TeamPCP attacks.
Users who installed these versions should assume their machines are compromised and immediately rotate all credentials, API keys, and SSH keys. GitGuardian estimates the campaign has affected over 470 repositories and 1,900 packages, with the actual scope likely much larger when considering private repositories.
Source: Security Week
CISA warned US organizations Thursday about a critical vulnerability (CVE-2026-4681) in PTC's Windchill software that allows remote attackers to execute code without authentication. The flaw affects the company's product lifecycle management tools used by industrial organizations.
The vulnerability sparked unprecedented action in Germany, where police were deployed across multiple states to physically visit companies and warn them about the risk. Officers reportedly showed up at some businesses in the middle of the night to deliver urgent security alerts.
PTC hasn't released patches yet but provided temporary mitigations and indicators to detect attacks. While there's no evidence of active exploitation, the dramatic German response suggests threat actors may soon target this vulnerability.
Source: Security Week
Cybersecurity researchers are warning that hackers are actively scouting Citrix NetScaler systems before launching attacks exploiting CVE-2026-3055, a critical vulnerability with a 9.3 severity score. The flaw affects NetScaler ADC and Gateway appliances configured as SAML Identity Providers, commonly used in enterprise single sign-on environments.
Threat intelligence firms watchTowr and Defused Cyber detected attackers using POST requests to probe the /cgi/GetAuthMethods endpoint, systematically identifying vulnerable configurations. This reconnaissance allows hackers to build targeted lists of susceptible systems without triggering the actual exploit.
The vulnerability enables unauthenticated attackers to extract sensitive data through memory overread, similar to previous "CitrixBleed" exploits. Security experts warn the window between current probing and mass exploitation is rapidly closing, urging immediate patching.
Source: Cybersecurity News
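The reconnaissance described above leaves a simple trace in access logs: repeated POST requests to /cgi/GetAuthMethods from the same source. The following is an added detection example written for this digest, not code from watchTowr, Defused Cyber or Citrix. It assumes the appliance's access log has been forwarded into a combined (Apache/NGINX-style) format; the log lines are constructed samples. Treat a hit as a triage signal rather than a verdict, since ordinary logon flows can also call this endpoint, and the useful signal is volume from a single source.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Endpoint reported as being probed ahead of CVE-2026-3055 exploitation attempts.
PROBED_PATH = "/cgi/GetAuthMethods"

# Combined log format (assumption: the NetScaler log has been normalised into this layout
# by a log pipeline; adjust the regex for other layouts).
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample lines (not real traffic): three probes from one source, one ordinary GET.
SAMPLE_LOG = """\
198.51.100.23 - - [28/Mar/2026:02:14:07 +0000] "POST /cgi/GetAuthMethods HTTP/1.1" 200 512
203.0.113.9 - - [28/Mar/2026:02:14:09 +0000] "GET /logon/LogonPoint/index.html HTTP/1.1" 200 8192
198.51.100.23 - - [28/Mar/2026:02:14:11 +0000] "POST /cgi/GetAuthMethods HTTP/1.1" 200 512
198.51.100.23 - - [28/Mar/2026:02:14:15 +0000] "POST /cgi/GetAuthMethods?x=1 HTTP/1.1" 200 512
"""


@dataclass(frozen=True)
class Probe:
    src: str
    ts: str
    path: str
    status: str


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_probes(log_text, threshold=2):
    """Return (probes, suspects).

    probes   -- every POST to the probed endpoint, in log order
    suspects -- {source_ip: count} for sources that sent at least `threshold` such POSTs
    """
    probes = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        path = rec["path"].split("?", 1)[0]  # compare the path without any query string
        if rec["method"] == "POST" and path == PROBED_PATH:
            probes.append(Probe(rec["src"], rec["ts"], rec["path"], rec["status"]))
    counts = Counter(p.src for p in probes)
    suspects = {src: n for src, n in counts.items() if n >= threshold}
    return probes, suspects


if __name__ == "__main__":
    found, flagged = find_probes(SAMPLE_LOG)
    for p in found:
        print(f"{p.ts} {p.src} POST {p.path} -> {p.status}")
    print("sources to triage:", flagged)
```

Feed real log text to `find_probes` and raise the threshold to whatever baseline your own logon traffic shows; sources that probe the endpoint but never complete a logon are the ones worth correlating with the vendor's indicators.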
St Anne's Catholic School in Southampton shut down for four days after hackers launched a ransomware attack on its IT systems. The cybercriminals used malicious software that threatens to delete files unless a ransom is paid.
Headteacher Julian Waterfield messaged parents Sunday about the breach, saying the IT team immediately contained the attack and reported it to authorities including police, the Information Commissioner's Office, and the National Cyber Security Centre.
The school plans to reopen Friday, with Waterfield stating there's currently no evidence that student or staff data was compromised. However, he warned parents they'll be contacted immediately if that changes.
Both the ICO and NCSC confirmed they're providing support and guidance to the school during the investigation.
Source: BBC
Cybercriminals from TeamPCP have escalated their attacks by compromising the legitimate Telnyx Python package on PyPI, affecting versions 4.87.1 and 4.87.2. The attackers gained access by stealing a maintainer's credentials, then injected malware that steals SSH private keys and bash history files from developers' systems.
Unlike typical typosquatting attacks, this breach targeted an official, trusted package used by the Telnyx cloud communications platform. The malicious code executes automatically during installation, making it particularly dangerous for developers and automated systems.
Socket and Endor Labs researchers discovered the attack on March 27, noting that TeamPCP has recently partnered with the Vect ransomware group. Organizations should immediately audit their systems and rotate any exposed credentials.
Source: Infosecurity Magazine
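Both Telnyx items above end with the same advice: find out whether the two compromised releases (4.87.1 and 4.87.2) reached your environment, then rotate credentials. The script below is an added example for this digest, not code from Telnyx, Socket, Endor Labs or GitGuardian. It checks pinned versions in requirements or lock text and the distributions installed in the current interpreter; the `SAMPLE_REQUIREMENTS` text is constructed. It deliberately stops at identification, since the reports say to assume compromise and rotate keys rather than rely on a cleanup.

```python
import importlib.metadata as md
import re

# Releases named in the reports for this campaign (exact version strings).
COMPROMISED = {"telnyx": {"4.87.1", "4.87.2"}}

# requirements/lock style pin: "name==version", optional environment marker or comment after it
PIN_RE = re.compile(r"^\s*(?P<name>[A-Za-z0-9][A-Za-z0-9._-]*)\s*==\s*(?P<ver>[^\s;#]+)")


def normalize(name):
    """PEP 503 normalisation: case-insensitive, runs of '-', '_' and '.' collapse to '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def check_requirements(text):
    """Return (name, version) pairs from requirements/lock text that match a known-bad release."""
    hits = []
    for line in text.splitlines():
        m = PIN_RE.match(line)
        if not m:
            continue
        name = normalize(m.group("name"))
        if m.group("ver") in COMPROMISED.get(name, ()):
            hits.append((name, m.group("ver")))
    return hits


def check_installed():
    """Return (name, version) pairs for compromised releases installed in this interpreter."""
    hits = []
    for dist in md.distributions():
        name = normalize(dist.metadata["Name"] or "")
        if dist.version in COMPROMISED.get(name, ()):
            hits.append((name, dist.version))
    return hits


# Constructed sample: one bad pin, one safe pin of the same package, unrelated packages.
SAMPLE_REQUIREMENTS = """\
requests==2.32.3
Telnyx==4.87.2   # constructed sample pin
telnyx==4.86.0
numpy>=1.26
"""

if __name__ == "__main__":
    for name, ver in check_requirements(SAMPLE_REQUIREMENTS):
        print(f"requirements pin matches compromised release: {name}=={ver}")
    for name, ver in check_installed():
        print(f"installed compromised release: {name}=={ver}")
```

Run it inside every virtual environment and CI image that could have resolved the package between the upload and the takedown; a clean result only covers the interpreter it ran in, so build agents and containers need their own pass.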
CISA added a critical code injection flaw in Langflow to its Known Exploited Vulnerabilities catalog on March 25, 2026. The vulnerability, CVE-2026-33017, allows unauthenticated attackers to execute malicious code on the popular AI workflow platform without any credentials.
Langflow is an open-source tool used to build AI and large language model workflows in enterprise environments. The flaw bypasses all access controls, letting hackers inject scripts directly into workflows and potentially steal sensitive data or attack connected systems.
Federal agencies must patch by April 8, 2026. Organizations unable to update should discontinue using Langflow immediately until a permanent fix is available.
Source: Cybersecurity News
Foster City is slowly getting back online after a ransomware attack knocked out the city's network more than a week ago. Officials announced Friday that phone and email services are working again, though they're still working to restore virtual city services.
The cyberattack was discovered March 19 by IT staff, prompting the city council to declare a state of emergency Monday to speed up recovery efforts. City Hall remains open with limited services during regular hours.
While the city hasn't revealed what sensitive information might have been compromised, they stressed that emergency services like 911 and police dispatch stayed fully operational throughout the incident.
Source: CBS News San Francisco
Financial management company Hightower Holding disclosed a cyberattack that compromised personal data of 131,483 individuals in early January 2026. Hackers infiltrated the company's systems between January 8 and 9 using stolen user credentials, accessing files containing names, Social Security numbers, and driver's license numbers.
The parent company of Hightower Advisors provides wealth management and retirement planning services through multiple subsidiaries. While Hightower says there's no evidence the stolen information has been used for identity theft or fraud, they're offering affected customers 12 months of free credit monitoring.
The company hasn't identified which cybercriminal group was responsible for the attack.
Source: SecurityWeek