Ticker feed
St Anne's Catholic School in Southampton shut down for four days after hackers launched a ransomware attack on its IT systems. The cyber criminals used malicious software that threatens to delete files unless a ransom is paid.
Headteacher Julian Waterfield messaged parents Sunday about the breach, saying the IT team immediately contained the attack and reported it to authorities including police, the Information Commissioner's Office, and the National Cyber Security Centre.
The school plans to reopen Friday, with Waterfield stating there's currently no evidence that student or staff data was compromised. However, he warned parents they'll be contacted immediately if that changes.
Both the ICO and NCSC confirmed they're providing support and guidance to the school during the investigation.
Source: BBC
Cybercriminals from TeamPCP have escalated their attacks by compromising the legitimate Telnyx Python package on PyPI, affecting versions 4.87.1 and 4.87.2. The attackers gained access by stealing a maintainer's credentials, then injected malware that steals SSH private keys and bash history files from developers' systems.
Unlike typical typosquatting attacks, this breach targeted an official, trusted package used by the Telnyx cloud communications platform. The malicious code executes automatically during installation, making it particularly dangerous for developers and automated systems.
Socket and Endor Labs researchers discovered the attack on March 27, noting that TeamPCP has recently partnered with the Vect ransomware group. Organizations should immediately audit their systems and rotate any exposed credentials.
Source: Infosecurity Magazine
CISA added a critical code injection flaw in Langflow to its Known Exploited Vulnerabilities catalog on March 25, 2026. The vulnerability, CVE-2026-33017, allows unauthenticated attackers to execute malicious code on the popular AI workflow platform without any credentials.
Langflow is an open-source tool used to build AI and large language model workflows in enterprise environments. The flaw bypasses all access controls, letting hackers inject scripts directly into workflows and potentially steal sensitive data or attack connected systems.
Federal agencies must patch by April 8, 2026. Organizations unable to update should discontinue using Langflow immediately until a permanent fix is available.
Source: Cybersecurity News
Foster City is slowly getting back online after a ransomware attack knocked out the city's network more than a week ago. Officials announced Friday that phone and email services are working again, though they're still working to restore virtual city services.
The cyberattack was discovered March 19 by IT staff, prompting the city council to declare a state of emergency Monday to speed up recovery efforts. City Hall remains open with limited services during regular hours.
While the city hasn't revealed what sensitive information might have been compromised, they stressed that emergency services like 911 and police dispatch stayed fully operational throughout the incident.
Source: CBS News San Francisco
Financial management company Hightower Holding disclosed a cyberattack that compromised personal data of 131,483 individuals in early January 2026. Hackers infiltrated the company's systems between January 8-9 using stolen user credentials, accessing files containing names, Social Security numbers, and driver's license numbers.
The parent company of Hightower Advisors provides wealth management and retirement planning services through multiple subsidiaries. While Hightower says there's no evidence the stolen information has been used for identity theft or fraud, they're offering affected customers 12 months of free credit monitoring.
The company hasn't identified which cybercriminal group was responsible for the attack.
Source: SecurityWeek
Cybersecurity researchers discovered a sophisticated payment skimmer targeting e-commerce sites through the PolyShell vulnerability in Magento and Adobe Commerce platforms. The malware uses WebRTC data channels to steal credit card information, cleverly bypassing Content Security Policy protections that normally block such attacks.
Mass exploitation began March 19, 2026, affecting 56.7% of vulnerable stores. The skimmer connects to command servers via encrypted WebRTC channels, receives second-stage payloads, and executes them while evading detection. One victim was a major car manufacturer worth over $100 billion.
Adobe released a beta fix March 10, but it hasn't reached stable release yet.
Source: The Hacker News
The TeamPCP hacking group has executed a sweeping supply chain attack targeting major open source platforms including Docker Hub, VS Code, NPM, and PyPI. Starting with Aqua Security's Trivy scanner in February, the hackers compromised access tokens and expanded to hit over 64 NPM packages, Checkmarx's VS Code plugins (36,000+ downloads), and the LiteLLM Python library (95 million monthly downloads).
The attacks used sophisticated techniques like modified GitHub Action tags and malicious package versions to steal credentials from over 500,000 infected machines, exfiltrating approximately 300GB of data. TeamPCP has now partnered with the notorious Lapsus$ extortion group for monetization, openly boasting about their operations on Telegram and threatening to steal "terabytes of trade secrets."
Organizations using affected tools should immediately rotate all credentials and rebuild systems from clean states.
Source: Security Week
Cybercriminals are running a sophisticated campaign called "TroyDen's Lure Factory" that spreads malware through over 300 fake GitHub packages targeting developers and gamers. The attack centers on a bogus OpenClaw Docker deployer but includes various lures like game cheats, crypto bots, and VPN crackers.
The malware uses a clever two-part design with a renamed Lua runtime and encrypted script that evades detection when analyzed separately. Once both components run together, it takes screenshots, steals credentials, and sends data to servers in Frankfurt.
Netskope researchers discovered the campaign in March and notified GitHub, though some malicious repositories remain active. The attackers appear to use AI assistance, evidenced by systematically generated package names using obscure scientific terminology.
Source: Dark Reading
Foster City declared a state of emergency Monday night following a March 19 ransomware attack that continues to paralyze the city's computer network. The 33,000 residents are largely in the dark about what information may have been compromised, as city officials remain tight-lipped about details.
While 911 services and emergency response remain operational, City Hall is only offering limited services. The city council held their emergency meeting without Zoom access due to the ongoing network shutdown.
Only one resident, Yiming Luo, attended to voice concerns about the lack of transparency. Mayor Art Kiesel declined on-camera interviews, and councilmembers have been advised not to speak publicly about the attack. The emergency declaration makes Foster City eligible for expedited state and county assistance.
Source: CBS News Bay Area
Cybercriminals compromised Trivy, a popular open-source security tool from Aqua Security, in a sophisticated supply-chain attack that began in late February. The attackers exploited GitHub Actions misconfigurations to steal privileged access tokens and published malicious releases on March 19.
Mandiant reports over 1,000 organizations are already impacted, with numbers potentially reaching 10,000 as the attack spreads. The breach gave attackers access to sensitive credentials across multiple environments, setting the stage for widespread follow-on attacks.
Experts warn the threat groups behind this campaign are "exceptionally aggressive" with extortion tactics and are actively collaborating to weaponize their access. Organizations should expect months of breach disclosures and downstream compromises as this attack continues evolving.
Source: CyberScoop