Ticker feed
CISA added a critical Craft CMS vulnerability (CVE-2025-32432) to its Known Exploited Vulnerabilities catalog after confirming active attacks in the wild. The code injection flaw allows remote attackers to execute arbitrary code on servers without authentication, potentially giving them complete control over affected systems.
Threat actors can modify websites, steal database records, or use compromised servers as launching points for deeper network attacks. Federal agencies must patch by April 3, 2026, under BOD 22-01, while CISA urges all organizations using the popular content management system to treat this as high priority and apply security updates immediately.
Source: Cybersecurity News
The Trivy supply chain attack has escalated with new compromised Docker images discovered on March 22, 2026. After initially compromising Aqua Security's vulnerability scanner version 0.69.4 on March 19, attackers uploaded malicious versions 0.69.5 and 0.69.6 to Docker Hub without corresponding GitHub releases.
Socket researchers confirmed both images contain TeamPCP infostealer malware with credential-stealing capabilities. The attack expanded beyond Docker images when attackers briefly exposed Aqua Security's internal GitHub organization, renaming dozens of repositories in a two-minute automated burst.
Version 0.69.3 remains the last clean release, while 0.69.4 through 0.69.6 are confirmed compromised. Organizations using Trivy in CI/CD pipelines should review recent activity and treat recent scans as potentially compromised. Aqua's commercial products remain unaffected.
Source: Infosecurity Magazine
Microsoft has identified a major phishing campaign that compromised 29,000 users during tax season using fake IRS emails. The attackers sent convincing tax-themed messages that appeared to come from legitimate tax authorities, tricking victims into revealing their login credentials.
Once successful, hackers deployed Remote Monitoring and Management (RMM) malware on compromised systems, giving them ongoing access to victims' computers. The timing exploits people's heightened attention to tax-related communications during filing season.
Microsoft is actively tracking this threat as part of its intelligence operations, highlighting how phishing remains an effective attack method for both stealing credentials and installing malware.
Source: The Hacker News
Cybercriminals compromised the popular Trivy GitHub Action by force-pushing malicious code to 75 out of 76 existing version tags, turning trusted references into malware distribution points. The attack targets CI/CD pipelines globally, with over 10,000 GitHub workflows at risk.
The sophisticated infostealer dumps memory from GitHub runners, scrapes filesystems for SSH keys and database credentials, then encrypts stolen data with AES-256 before exfiltrating it. The malware even creates fake repositories using victims' own GitHub tokens as backup exfiltration channels.
Only version @0.35.0 remains safe. Organizations must immediately stop using version tags and pin to the secure commit SHA instead.
Source: Cyber Security News
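An added example, not code from either Trivy article or from Aqua Security, that audits CI files for the two problems described above: workflow `uses:` lines that reference the Trivy action by a mutable tag instead of a commit SHA, and Docker image pulls of the compromised 0.69.4 to 0.69.6 releases. It assumes the action is published as `aquasecurity/trivy-action` and the image as `aquasec/trivy`; the sample lines and the 40-hex SHA are constructed placeholders, not the real pinned commit.

```python
import re

# Constructed sample lines from a workflow and a Dockerfile (not from the
# articles). The 40-hex SHA is a placeholder, not the real pinned commit.
SAMPLE_WORKFLOW = """\
      - uses: aquasecurity/trivy-action@0.28.0
      - uses: aquasecurity/trivy-action@master
      - uses: aquasecurity/trivy-action@0.35.0
      - uses: aquasecurity/trivy-action@0123456789abcdef0123456789abcdef01234567
      - uses: actions/checkout@v4
"""
SAMPLE_DOCKERFILE = """\
FROM aquasec/trivy:0.69.3
FROM aquasec/trivy:0.69.5
FROM aquasec/trivy:latest
"""

# Compromised Docker Hub releases reported by Socket; 0.69.3 is the last clean one.
COMPROMISED_IMAGE_TAGS = {"0.69.4", "0.69.5", "0.69.6"}
ACTION_REF = re.compile(r"uses:\s*aquasecurity/trivy-action@(\S+)")
IMAGE_REF = re.compile(r"aquasec/trivy:(\S+)")   # digest pins (@sha256:) do not match
FULL_SHA = re.compile(r"^[0-9a-f]{40}$")

def audit_workflow(text):
    """Return (lineno, ref, reason) for every Trivy action reference that is not
    pinned to a full commit SHA. Every tag, including the still-clean 0.35.0,
    is flagged because tags are mutable and were force-pushed in this attack."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        m = ACTION_REF.search(line)
        if m and not FULL_SHA.match(m.group(1)):
            findings.append((n, m.group(1), "mutable ref; pin to commit SHA"))
    return findings

def audit_images(text):
    """Return (lineno, tag, reason) for Trivy image pulls that reference a
    known-compromised version or a floating tag whose content can change."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        m = IMAGE_REF.search(line)
        if not m:
            continue
        tag = m.group(1)
        if tag in COMPROMISED_IMAGE_TAGS:
            findings.append((n, tag, "known compromised release"))
        elif tag == "latest" or not re.match(r"^\d+\.\d+\.\d+$", tag):
            findings.append((n, tag, "floating tag; pin a version or digest"))
    return findings
```

Run both auditors over every workflow under `.github/workflows/` and every Dockerfile in the repository; a non-empty result means the pipeline still trusts a reference the attacker could have rewritten.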
Arctic Wolf detected attackers exploiting CVE-2025-32975, a critical authentication bypass vulnerability in Quest KACE Systems Management Appliance (SMA). The flaw, patched in May 2025, lets hackers impersonate legitimate users and gain full administrative control of unpatched systems exposed to the internet.
The attacks began around March 2026, targeting organizations including those in education. Attackers used the vulnerability for initial access before achieving complete system takeover. KACE SMA is widely used for managing endpoints, software distribution, and patching across networks.
Arctic Wolf couldn't identify the attackers or their motives but suspects opportunistic targeting of internet-exposed appliances. Organizations must immediately patch outdated Quest KACE systems.
Source: SecurityWeek
The Interlock ransomware gang exploited a critical Cisco firewall vulnerability (CVE-2026-20131) as early as January 26, weeks before Cisco disclosed and patched it on March 4. Amazon Web Services researchers discovered this through honeypots and a misconfigured Interlock server that exposed their complete attack toolkit.
The vulnerability affects Cisco's Secure Firewall Management Center software, allowing remote attackers to execute code as root. Interlock used sophisticated tools including PowerShell scripts, remote-access Trojans, and memory-resident backdoors to maintain persistent access to compromised networks.
This case highlights the danger of zero-day exploits, where even well-maintained systems remain vulnerable until patches become available. Cisco users should immediately upgrade to fixed releases.
Source: Dark Reading
Foster City officials discovered a ransomware attack on their computer networks early Thursday morning, prompting plans to declare a state of emergency. The cyberattack has shut down all public services except emergency responses - 911 and police dispatch remain operational.
City Manager Stefan Chatwin said they're working with cybersecurity experts to restore systems and investigate the breach's scope. Officials don't yet know if public information was accessed, but they're urging anyone who's done business with the city to change passwords as a precaution.
The emergency declaration would unlock additional financial support from outside agencies. This continues a troubling trend for Bay Area cities - Oakland, Hayward, and St. Helena have all suffered similar ransomware attacks in recent years.
Source: CBS News San Francisco
Cybercriminals exploited a critical vulnerability in Langflow, an open-source AI framework, within 20 hours of its disclosure on March 17. The bug (CVE-2026-33017) scored 9.3 on the severity scale and allows attackers to execute malicious code without authentication using just one HTTP request.
Sysdig researchers watched as hackers built working exploits directly from the security advisory, then scanned the internet for vulnerable systems. The attackers successfully harvested credentials, API keys, and database access from exposed instances.
This lightning-fast exploitation reflects a troubling trend: median time-to-exploit dropped from 771 days in 2018 to mere hours in 2024. Meanwhile, organizations typically take 20 days to deploy patches, leaving them dangerously exposed.
Source: Infosecurity Magazine
While the US and Israel openly showcase their conventional military strikes against Iran, they're staying quiet about extensive cyber operations that may be equally important to their campaign.
US Central Command Admiral Brad Cooper hinted at cyber's role, mentioning strikes "from seabed to space and cyber-space." Intelligence sources suggest Israeli hackers infiltrated Iran's CCTV and traffic cameras to track Ayatollah Ali Khamenei's movements before recent strikes. US officials claim Iranian military communications have been severely disrupted.
Meanwhile, Iran has been surprisingly quiet in cyberspace, with only one major attack reported - Iranian hackers targeting US medical tech company Stryker with "wiper" malware that erased data. This silence is puzzling given Iran's reputation as a capable cyber power, raising questions about whether they've been incapacitated or overestimated.
Source: BBC
Security researchers have uncovered DarkSword, a sophisticated iPhone exploit chain targeting iOS versions 18.4-18.7 that's being used by both espionage actors and financially motivated criminals. The attack requires just one click on a malicious website to fully compromise devices within seconds, stealing sensitive data including cryptocurrency wallets.
Google's Threat Intelligence Group found the exploit has been deployed by commercial surveillance vendors and suspected state-sponsored groups against users in Saudi Arabia, Turkey, Malaysia, and Ukraine since November 2025. What makes DarkSword unusual is its dual-purpose design - it serves both traditional espionage and financial theft.
The exploit chain uses six vulnerabilities to achieve remote code execution and privilege escalation. While Apple has patched these flaws in iOS 18.7.6 and iOS 26.3.1, researchers estimate over 200 million users remain vulnerable due to delayed updates.
Source: Dark Reading