Cybersecurity researchers discovered a sophisticated payment skimmer targeting e-commerce sites through the PolyShell vulnerability in Magento and Adobe Commerce platforms. The malware uses WebRTC data channels to steal credit card information, cleverly bypassing Content Security Policy protections that normally block such attacks.
Mass exploitation began March 19, 2026, affecting 56.7% of vulnerable stores. The skimmer connects to command servers via encrypted WebRTC channels, receives second-stage payloads, and executes them while evading detection. One victim was a major car manufacturer worth over $100 billion.
Adobe released a beta fix March 10, but it hasn't reached stable release yet.
Source: The Hacker News
The TeamPCP hacking group has executed a sweeping supply chain attack targeting major open source platforms including Docker Hub, VS Code, NPM, and PyPI. Starting with Aqua Security's Trivy scanner in February, the hackers compromised access tokens and expanded to hit over 64 NPM packages, Checkmarx's VS Code plugins (36,000+ downloads), and LiteLLM Python library (95 million monthly downloads).
The attacks used sophisticated techniques like modified GitHub Action tags and malicious package versions to steal credentials from over 500,000 infected machines, exfiltrating approximately 300GB of data. TeamPCP has now partnered with the notorious Lapsus$ extortion group for monetization, openly boasting about their operations on Telegram and threatening to steal "terabytes of trade secrets."
Organizations using affected tools should immediately rotate all credentials and rebuild systems from clean states.
Source: Security Week
Cybercriminals are running a sophisticated campaign called "TroyDen's Lure Factory" that spreads malware through over 300 fake GitHub packages targeting developers and gamers. The attack centers on a bogus OpenClaw Docker deployer but includes various lures like game cheats, crypto bots, and VPN crackers.
The malware uses a clever two-part design with a renamed Lua runtime and encrypted script that evades detection when analyzed separately. Once both components run together, it takes screenshots, steals credentials, and sends data to servers in Frankfurt.
Netskope researchers discovered the campaign in March and notified GitHub, though some malicious repositories remain active. The attackers appear to use AI assistance, evidenced by systematically generated package names using obscure scientific terminology.
Source: Dark Reading
Foster City declared a state of emergency Monday night following a March 19 ransomware attack that continues to paralyze the city's computer network. The 33,000 residents are largely in the dark about what information may have been compromised, as city officials remain tight-lipped about details.
While 911 services and emergency response remain operational, City Hall is only offering limited services. The city council held their emergency meeting without Zoom access due to the ongoing network shutdown.
Only one resident, Yiming Luo, attended to voice concerns about the lack of transparency. Mayor Art Kiesel declined on-camera interviews, and councilmembers have been advised not to speak publicly about the attack. The emergency declaration makes Foster City eligible for expedited state and county assistance.
Source: CBS News Bay Area
Cybercriminals compromised Trivy, a popular open-source security tool from Aqua Security, in a sophisticated supply-chain attack that began in late February. The attackers exploited GitHub Actions misconfigurations to steal privileged access tokens and published malicious releases on March 19.
Mandiant reports over 1,000 organizations are already impacted, with numbers potentially reaching 10,000 as the attack spreads. The breach gave attackers access to sensitive credentials across multiple environments, setting the stage for widespread follow-on attacks.
Experts warn the threat groups behind this campaign are "exceptionally aggressive" with extortion tactics and are actively collaborating to weaponize their access. Organizations should expect months of breach disclosures and downstream compromises as this attack continues evolving.
Source: CyberScoop
CISA added a critical Craft CMS vulnerability (CVE-2025-32432) to its Known Exploited Vulnerabilities catalog after confirming active attacks in the wild. The code injection flaw allows remote attackers to execute arbitrary code on servers without authentication, potentially giving them complete control over affected systems.
Threat actors can modify websites, steal database records, or use compromised servers as launching points for deeper network attacks. Federal agencies must patch by April 3, 2026, under BOD 22-01, while CISA urges all organizations using the popular content management system to treat this as high priority and apply security updates immediately.
Source: Cybersecurity News
The Trivy supply chain attack has escalated with new compromised Docker images discovered on March 22, 2026. After initially compromising Aqua Security's vulnerability scanner version 0.69.4 on March 19, attackers uploaded malicious versions 0.69.5 and 0.69.6 to Docker Hub without corresponding GitHub releases.
Socket researchers confirmed both images contain TeamPCP infostealer malware with credential-stealing capabilities. The attack expanded beyond Docker images when attackers briefly exposed Aqua Security's internal GitHub organization, renaming dozens of repositories in a two-minute automated burst.
Version 0.69.3 remains the last clean release, while 0.69.4 through 0.69.6 are confirmed compromised. Organizations using Trivy in CI/CD pipelines should review recent activity and treat recent scans as potentially compromised. Aqua's commercial products remain unaffected.
Source: Infosecurity Magazine
Microsoft has identified a major phishing campaign that compromised 29,000 users during tax season using fake IRS emails. The attackers sent convincing tax-themed messages that appeared to come from legitimate tax authorities, tricking victims into revealing their login credentials.
Once successful, hackers deployed Remote Monitoring and Management (RMM) malware on compromised systems, giving them ongoing access to victims' computers. The timing exploits people's heightened attention to tax-related communications during filing season.
Microsoft is actively tracking this threat as part of its intelligence operations, highlighting how phishing remains an effective attack method for both stealing credentials and installing malware.
Source: The Hacker News
Cybercriminals compromised the popular Trivy GitHub Action by force-pushing malicious code to 75 out of 76 existing version tags, turning trusted references into malware distribution points. The attack targets CI/CD pipelines globally, with over 10,000 GitHub workflows at risk.
The sophisticated infostealer dumps memory from GitHub runners, scrapes filesystems for SSH keys and database credentials, then encrypts stolen data with AES-256 before exfiltrating it. The malware even creates fake repositories using victims' own GitHub tokens as backup exfiltration channels.
Only version @0.35.0 remains safe. Organizations must immediately stop using version tags and pin to the secure commit SHA instead.
Source: Cyber Security News
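The advice above (stop referencing actions by mutable version tag, pin to a full commit SHA) is easy to audit mechanically. The following is an added example, not code from the article or from the Trivy project: a small Python checker that scans a workflow file for `uses:` references and reports every remote action that is not pinned to a 40-character commit SHA. The sample workflow, its step names and the 40-hex SHA in it are constructed for the demonstration; the `aquasecurity/trivy-action` name is the action's real repository, but the references shown are illustrative. Note what the check does and does not prove: a SHA pin guarantees the reference cannot be rewritten by a force-push, but it is still up to the reviewer to confirm that the pinned commit corresponds to a known-good release (the article names @0.35.0 as the only unaffected tag).

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample workflow (not taken from any real repository). It mixes
# tag-pinned steps, a SHA-pinned step, a local action and a plain run step.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: aquasecurity/trivy-action@0.35.0
        with:
          scan-type: fs
      - uses: some-org/some-action@0123456789abcdef0123456789abcdef01234567  # constructed SHA
      - uses: ./.github/actions/local-step
      - run: echo done
"""

# Matches "uses: <target>" whether or not the line opens a list item.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")
# A full git commit SHA (40 hex chars). Short SHAs and tags do not qualify.
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


@dataclass
class ActionRef:
    line_no: int
    action: str
    ref: Optional[str]
    pinned: bool


def parse_uses(workflow_text: str) -> List[ActionRef]:
    """Extract every remote `uses:` reference and classify whether it is SHA-pinned."""
    refs: List[ActionRef] = []
    for line_no, line in enumerate(workflow_text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        target = m.group(1)
        # Local actions (./path) are checked out with the repo itself; there is no
        # third-party tag that could be moved underneath them, so they are skipped.
        if target.startswith("./"):
            continue
        if target.startswith("docker://"):
            # Container actions are immutable only when referenced by digest.
            action, sep, ref = target.partition("@")
            refs.append(ActionRef(line_no, action, ref if sep else None,
                                  bool(sep) and ref.startswith("sha256:")))
            continue
        action, sep, ref = target.partition("@")
        ref_value = ref if sep else None
        pinned = ref_value is not None and bool(FULL_SHA_RE.match(ref_value))
        refs.append(ActionRef(line_no, action, ref_value, pinned))
    return refs


def unpinned(workflow_text: str) -> List[ActionRef]:
    """Return only the references a reviewer needs to fix."""
    return [r for r in parse_uses(workflow_text) if not r.pinned]


def report(workflow_text: str) -> List[str]:
    """Human-readable findings, one line per mutable reference."""
    return [
        f"line {r.line_no}: {r.action}@{r.ref or '<no ref>'} is not pinned to a commit SHA"
        for r in unpinned(workflow_text)
    ]


if __name__ == "__main__":
    for finding in report(SAMPLE_WORKFLOW):
        print(finding)
```

Run it against `.github/workflows/*.yml` in a CI job that fails on any finding; the `docker://` branch applies the same idea to container actions, which are only immutable when referenced by `@sha256:` digest rather than by tag.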
Arctic Wolf detected attackers exploiting CVE-2025-32975, a critical authentication bypass vulnerability in Quest KACE Systems Management Appliance (SMA). The flaw, patched in May 2025, lets hackers impersonate legitimate users and gain full administrative control of unpatched systems exposed to the internet.
The attacks began around March 2026, targeting organizations including those in education. Attackers used the vulnerability for initial access before achieving complete system takeover. KACE SMA is widely used for managing endpoints, software distribution, and patching across networks.
Arctic Wolf couldn't identify the attackers or their motives but suspects opportunistic targeting of internet-exposed appliances. Organizations must immediately patch outdated Quest KACE systems.
Source: SecurityWeek