Cybercriminals are exploiting credentials stolen from the VS Code GlassWorm attacks to inject malware into hundreds of Python repositories on GitHub. The campaign, dubbed ForceMemo by StepSecurity, targets Django apps, ML research code, and PyPI packages by rebasing legitimate commits with obfuscated malicious code.
The malware uses an innovative approach, connecting to a Solana blockchain address to receive encrypted instructions while leaving minimal traces of compromise. Attackers skip Russian-language systems, suggesting Eastern European origins.
This represents an escalation of the GlassWorm campaign that began in October 2025, initially targeting VS Code extensions with over 35,000 downloads. The threat has now expanded across GitHub, NPM, and VS Code marketplaces in a coordinated multi-platform attack affecting hundreds of developer accounts.
Source: Security Week
Attackers are exploiting the customer support platform LiveChat to conduct sophisticated phishing campaigns that steal credit card details and personal data. Cofense researchers discovered two attack methods: fake PayPal refund emails and generic order confirmation messages that redirect victims to LiveChat pages mimicking legitimate customer support.
Once connected, human operators impersonating Amazon or PayPal agents use social engineering tactics to extract credentials, MFA codes, and financial information through seemingly trustworthy conversations. The personal interaction makes victims less cautious, increasing success rates.
This marks the first recorded abuse of LiveChat for phishing, essentially creating an online version of voice phishing attacks that feel like real customer service interactions.
Source: Dark Reading
Microsoft is disabling hands-free deployment in Windows Deployment Services after discovering CVE-2026-0386, a critical vulnerability that lets attackers steal credentials and execute code during network OS installations. The flaw affects Windows Server 2008 through 2025, exposing the Unattend.xml configuration file over unauthenticated channels.
Starting January 13, 2026, administrators can manually disable the feature. By April 2026, Microsoft will automatically block it entirely unless organizations explicitly re-enable it through registry settings.
Successful exploitation yields SYSTEM-level privileges and poses supply chain risks in enterprise environments. Microsoft recommends migrating to secure alternatives like Intune or Configuration Manager before the April deadline.
Source: Cybersecurity News
The Iran-linked hacker group Handala attacked Michigan-based Stryker Corporation, a major medical device manufacturer, claiming retaliation for the bombing of Iran's Minab school. The Wednesday cyberattack disrupted thousands of employees' Microsoft systems globally, causing Stryker's stock to drop 3%.
Handala claimed to have wiped systems and stolen 50 terabytes of data, calling Stryker a "Zionist-rooted corporation." The company says no ransomware has been detected and the incident appears contained, though the timeline for full restoration remains unknown.
Cybersecurity experts warn this marks escalation as Iran's conflict spreads to US cyber targets, with more attacks likely coming.
Source: The Guardian
The massive 2024 Polyfill supply chain attack that compromised over 100,000 websites has been linked to North Korean hackers, not just Chinese actors as initially believed. The attack began when Chinese company Funnull acquired the popular Polyfill.io service and injected malicious code that redirected mobile users to gambling sites.
New evidence from Hudson Rock shows Funnull was likely a front for North Korean operations. Security researchers discovered this after analyzing data stolen from a North Korean hacker's infected computer, which contained credentials for Polyfill control panels and conversations about the attack.
The ultimate goal was reportedly to funnel users to gambling sites owned by China's Suncity Group, which laundered cryptocurrency back to North Korea. This fits a pattern of North Korean cyber operations that have stolen over $2 billion in cryptocurrency.
Source: Security Week
Cybercriminals launched a coordinated attack wave in early 2026, exploiting three critical FortiGate firewall vulnerabilities to breach enterprise networks. The attacks leveraged CVE-2025-59718 and CVE-2025-59719 (both rated 9.8 severity), which allow hackers to gain admin access using fake SAML tokens, plus a zero-day flaw CVE-2026-24858 that enabled login through attackers' own FortiCloud accounts.
Once inside, attackers extracted firewall configurations and decrypted embedded service account credentials for Active Directory systems. In one case, hackers maintained access for two months undetected, creating fake admin accounts and deploying remote access tools. They ultimately stole domain controller databases containing all user passwords.
Fortinet has released patches, but organizations must immediately update firmware, rotate all LDAP credentials, and strengthen firewall monitoring to prevent further breaches.
Source: Cybersecurity News
Iranian-linked hacker group Handala attacked Michigan-based Stryker Corporation, a major medical device manufacturer, claiming it was retaliation for the bombing of Iran's Minab school. The Wednesday cyberattack disrupted thousands of employees' Microsoft systems, causing what the company called "global disruption" with no timeline for full restoration.
Stryker's stock dropped 3% following news of the breach. The hackers claimed they wiped thousands of systems and extracted 50 terabytes of data, though Stryker says there's no evidence of ransomware or malware.
Cybersecurity experts warn this marks an escalation as Iran's conflict spreads to US cyber targets, with more attacks likely coming.
Source: The Guardian
Medical technology company Stryker confirmed Thursday that an Iran-linked cyberattack severely disrupted its global operations, affecting order processing, manufacturing, and shipping worldwide. The $25 billion company was forced to shut down offices in dozens of countries and send staff home in Ireland, its largest hub outside the US.
The Handala hacker group claimed responsibility, saying they wiped over 200,000 devices and stole 50TB of data. Rather than using traditional malware, the attackers exploited Microsoft Intune, a cloud management service, to remotely wipe systems across Stryker's network.
Handala, believed to be a front for Iranian intelligence services, has ramped up attacks since the Israel-Gaza conflict began, targeting companies perceived as Israeli allies.
Source: Security Week
Google rushed out an urgent Chrome update after discovering two high-severity zero-day vulnerabilities being actively exploited by attackers. The company updated Chrome to version 146.0.7680.75/76, addressing flaws in both the Skia graphics engine (CVE-2026-3909) and V8 JavaScript engine (CVE-2026-3910).
Both vulnerabilities allow attackers to execute malicious code on victims' systems by crafting weaponized webpages. Google's internal security team discovered the exploits on March 10, 2026, and confirmed they're already being used in real-world attacks.
Users should update immediately by going to Chrome's menu, selecting Help > About Google Chrome, and letting it auto-update. Organizations need to prioritize deploying this patch across their networks without delay.
Source: Cybersecurity News
The Community College of Beaver County closed its campus Monday after cyberattackers encrypted all college data and demanded ransom payments. The ransomware attack hit on the first day of spring break, blocking access to grades, transcripts, and financial information.
Vice President Leslie Tennant said the IT department discovered a ransom note Monday morning, prompting administrators to lock down all computers and devices. Students and staff are banned from using laptops or logging into VPN networks, even from home.
The college is working with its insurance company to identify the attackers and potentially lift the encryption. School is scheduled to reopen next Monday, giving officials one week to resolve the crisis before classes resume.
Source: CBS Pittsburgh