Threat Briefs
Daily threat intelligence for detection engineers. CVEs, campaigns, TTPs, and detection coverage.
⚠️ These reports are AI-generated. Always validate findings.
Cyber Threat Brief — March 25 2026
Wednesday, March 25, 2026
1 new threat: TeamPCP supply chain attack backdoors the LiteLLM PyPI package (versions 1.82.7–1.82.8) with a credential stealer, Kubernetes lateral movement, and systemd persistence. Status updates on Citrix NetScaler CVE-2026-3055 and Cisco FMC CVE-2026-20131.
Cyber Threat Brief — March 24 2026
Tuesday, March 24, 2026
3 new threats: Citrix NetScaler SAML IdP memory leak (CVE-2026-3055, CVSS 9.3), Oracle Identity Manager pre-auth RCE (CVE-2026-21992, CVSS 9.8), and VMware Aria Operations command injection (CVE-2026-22719), whose CISA KEV remediation deadline is today. Status update on Cisco FMC CVE-2026-20131.
Cyber Threat Brief — March 23 2026
Monday, March 23, 2026
1 qualifying update: DarkSword iOS exploit kit campaign expansion, with newly published IOC domains and details of the GHOSTBLADE infostealer targeting crypto wallets and messaging apps. CISA KEV deadlines: SharePoint CVE-2026-20963 due today, Qualcomm CVE-2026-21385 due tomorrow.
Cyber Threat Brief — March 22 2026
Sunday, March 22, 2026
1 qualifying threat: CVE-2026-2631, an unauthenticated privilege escalation (CVSS 9.8) in the Datalogics Ecommerce Delivery WordPress plugin, with a weaponized PoC enabling mass exploitation of roughly 15,000 installations. The CISA KEV deadline for Cisco FMC CVE-2026-20131 arrives today.
Cyber Threat Brief — March 21 2026
Saturday, March 21, 2026
3 qualifying threats: CVE-2026-33017 Langflow unauthenticated RCE, exploited within 20 hours of disclosure, plus CISA KEV additions for Craft CMS (CVE-2025-32432) and Laravel Livewire (CVE-2025-54068), both unauthenticated RCE vulnerabilities under active exploitation.
Cyber Threat Brief — March 20 2026
Friday, March 20, 2026
Daily threat brief covering 2 new threats: GlassWorm supply chain Phase 3, with sleeper VS Code extensions activating and GitHub-hosted VSIX delivery evading takedowns, and PolyShell, an unauthenticated file upload flaw affecting all Magento/Adobe Commerce 2.x releases with RCE and account takeover potential.
Cyber Threat Brief — March 19 2026
Thursday, March 19, 2026
Daily threat brief covering 4 threats: Interlock ransomware exploiting Cisco FMC zero-day CVE-2026-20131 (CVSS 10.0), in use for 36 days before disclosure; Microsoft SharePoint RCE CVE-2026-20963 added to CISA KEV; APT28 exploiting Zimbra XSS CVE-2025-66376 in Operation GhostMail; and the DarkSword iOS exploit kit used by multiple state-sponsored actors across 4 countries.
Cyber Threat Brief — March 18 2026
Wednesday, March 18, 2026
Daily threat brief covering 8 threats: CVE-2026-32746 critical unpatched telnetd RCE, LeakNet ransomware ClickFix + Deno BYOR chain, Claude Fraud AI dev tool campaign, Payload ransomware (a Babuk derivative), Chrome zero-days CVE-2026-3909 and CVE-2026-3910, Wing FTP information disclosure added to CISA KEV, ACRStealer HijackLoader evolution, and Konni APT EndRAT delivered via KakaoTalk hijacking.
Cyber Threat Brief — March 17 2026
Tuesday, March 17, 2026
Today's brief covers four threats with fresh technical intel: Wing FTP Server exploit chain actively exploited (CISA KEV), Hive0163/Slopoly AI-generated C2 malware used with Interlock ransomware, DRILLAPP/Laundry Bear Edge-abusing espionage backdoor targeting Ukraine, and a Chrome double zero-day (Skia + V8) in active exploitation.
Cyber Threat Brief — March 15 2026
Sunday, March 15, 2026
Chrome zero-days under active exploitation are added to CISA KEV, CrackArmor discloses 9 AppArmor LPE flaws affecting an estimated 12.6 million Linux systems, a new ClickFix variant bypasses Defender via WebDAV and a trojanized Electron app, and a FiveM gaming backdoor with 3,856 infected servers is fully reverse-engineered.
Cyber Threat Brief — March 14 2026
Saturday, March 14, 2026
Chrome zero-days actively exploited, Hive0163 Slopoly AI-assisted malware, INC ransomware pre-encryption exfiltration playbook, n8n RCE added to CISA KEV, SocksEscort/AVrecon botnet takedown, and CrackArmor Linux privilege escalation.
Cyber Threat Brief — March 13 2026
Friday, March 13, 2026
Chrome dual zero-day exploit pair (Skia + V8), CrackArmor Linux LPE cluster, Hive0163 AI-generated Slopoly backdoor in the Interlock ransomware chain, MicroStealer corporate credential theft, and an n8n CISA KEV RCE update.
Cyber Threat Brief — March 12 2026
Thursday, March 12, 2026
Daily detection engineering threat brief covering the n8n RCE in CISA KEV, UNC6426 nx npm supply chain compromise escalating to AWS admin, KadNap router botnet, a CISA triple KEV addition (SolarWinds/Ivanti/Workspace One), and March 2026 Patch Tuesday LPE hotspots.
Cyber Threat Brief — March 11 2026
Wednesday, March 11, 2026
Microsoft March 2026 Patch Tuesday (2 zero-days; CVE-2026-26144 Copilot data exfiltration), CISA KEV triple addition (SolarWinds WHD, Ivanti EPM, VMware Workspace One), APT28 dual-implant campaign (BEARDSHELL + COVENANT), and the Zombie ZIP AV bypass technique (CVE-2026-0866).
Cyber Threat Brief — March 9 2026
Monday, March 9, 2026
Daily Detection Engineering Threat Brief covering new Metasploit exploit modules (GestioIP RCE, SPIP Saisies RCE, GL.iNet router exploit chain) and a possible malicious ScreenConnect C2 domain.
Cyber Threat Brief — March 8 2026
Sunday, March 8, 2026
Daily Detection Engineering Threat Brief covering Grafana SQL Expressions RCE, Mythic C2 active IOCs, and new KQL detection queries for persistence and defense evasion.
Cyber Threat Brief — March 7 2026
Saturday, March 7, 2026
Daily detection-engineering-focused threat brief covering new YARA-detectable APT36 (Translucent Werewolf) Linux .desktop launcher tradecraft (Google Drive payload fetch + WebSocket C2).
Cyber Threat Brief — March 6 2026
Friday, March 6, 2026
Daily detection-engineering-focused threat brief covering exposure triage for the Cisco Secure FMC critical auth bypass and insecure Java deserialization RCE, Metasploit PoCs for pyquokka Arrow Flight gRPC pickle RCE and smolagents RemotePythonExecutor rogue-Jupyter pickle RCE, and a Sliver C2 reverse-weaponization kill-switch PoC.
Cyber Threat Brief — March 5 2026
Thursday, March 5, 2026
Daily detection-engineering-focused threat brief covering a Cisco Catalyst SD-WAN pre-auth RCE PoC (WildFly WAR/JSP drop) and Tactical RMM Jinja2 SSTI RCE via the reporting template preview endpoint.
Cyber Threat Brief — March 4 2026
Wednesday, March 4, 2026
Daily detection-engineering-focused threat brief covering Dohdoor DoH backdoor, SloppyLemming BurrowShell APT, DeepSeek-Claw malicious npm, VMware Aria Operations KEV, Juniper Junos OS Evolved pre-auth RCE, Cisco SD-WAN PoC, MajorDoMo Metasploit modules, and fresh MuddyWater C2 IOCs.
Cyber Threat Brief — March 3, 2026
Tuesday, March 3, 2026
New Metasploit modules for GL.iNet router brute-force + RCE and Barracuda ESG XLS RCE, a macOS infostealer tradecraft bundle with concrete C2/contact endpoints, and a new Nuclei template capturing an EKC Tournament Manager WordPress traversal pattern.
Cyber Threat Brief — February 28, 2026
Saturday, February 28, 2026
APT37's Ruby Jumper air-gap bridging toolkit, new Prosperous Werewolf (Trinper/LeetAgent) YARA artifacts, and an MCP indirect prompt injection PoC enabling unauthorized filesystem access.
Cyber Threat Brief - February 27, 2026
Friday, February 27, 2026
Daily threat intelligence for detection engineers: ICS/HVAC vulnerabilities, a gaming trojan campaign, and an OpenClaw security bypass.
Cyber Threat Brief — February 26, 2026
Thursday, February 26, 2026
Cisco SD-WAN CVSS 10.0 zero-day, exploited since 2023, gets a CISA Emergency Directive; Google/Mandiant disrupt a Chinese APT using Google Sheets as C2; Steaelite RAT unifies double extortion in one panel; a Windows CLFS PoC drops.
Cyber Threat Brief — February 25, 2026
Wednesday, February 25, 2026
FileZen KEV exploitation, SolarWinds Serv-U 4-CVE RCE cluster, Lazarus/Medusa healthcare extortion, VMware Aria Operations RCE, and the IBM X-Force and Sophos intelligence reports.
Cyber Threat Brief — February 24, 2026
Tuesday, February 24, 2026
CrowdStrike GTR 2026, ClickFix + Matanbuchus 3.0 + AstarionRAT pre-ransomware chain, Silver Fox/ValleyRAT via a fake AV site, APT28 Operation MacroMaze, seven MCP server RCEs, the Dragos OT 2026 report, and an Apache ActiveMQ → LockBit intrusion analysis.
Cyber Threat Brief — February 23, 2026
Monday, February 23, 2026
SANDWORM_MODE npm supply chain worm poisons AI coding assistants; MuddyWater launches Operation Olalampo with a new Rust backdoor; SolarWinds Web Help Desk RCE hits CISA KEV.
Cyber Threat Brief — February 22, 2026
Sunday, February 22, 2026
AI-augmented FortiGate campaign, Sentry SAML zero-day, Phobos affiliate arrest, USB air-gap cryptominer, and a D-Link RCE cluster with public exploits.
Cyber Threat Brief — February 21, 2026
Saturday, February 21, 2026
CISA adds two actively exploited Roundcube webmail vulnerabilities to the KEV catalog, including a 10-year-old deserialization RCE weaponized within 48 hours and an SVG-based XSS flaw.
Cyber Threat Brief — February 20, 2026
Friday, February 20, 2026
BeyondTrust exploitation update with VShell/SparkRAT, VS Code extension vulnerabilities affecting 128M downloads, Cline AI supply chain attack, Remcos RAT real-time surveillance, and ClearFake/PS1Bot detection opportunities.
Cyber Threat Brief — February 19, 2026
Thursday, February 19, 2026
VoIP RCE with a Metasploit exploit, Dell RecoverPoint zero-day exploited by China-nexus UNC6201, Keenadu Android supply chain backdoor, CRESCENTHARVEST Iranian espionage, and DPRK MetaMask wallet tampering.
Threat Brief - 2026-02-18
Wednesday, February 18, 2026
Dell RecoverPoint zero-day exploited since 2024, CISA adds 4 KEVs, AI assistants weaponized as C2 proxies, and Ivanti EPMM exploitation expands.
Threat Brief - 2026-02-17
Tuesday, February 17, 2026
BridgePay ransomware disrupts US municipalities, Odido breach exposes 6.2M, and Phobos ransomware arrest in Poland.
Threat Brief - 2026-02-16
Monday, February 16, 2026
Chrome zero-day under active exploitation, infostealers now targeting AI agent configurations, and malware campaigns weaponizing Google Groups.
Threat Brief - 2026-02-15
Sunday, February 15, 2026
DNS-based ClickFix delivers stealers via nslookup; CANFAIL malware targets Ukraine; macOS MacSync stealer delivered via Claude artifacts.
Threat Brief - 2026-02-14
Saturday, February 14, 2026
BeyondTrust post-exploitation TTPs revealed; Microsoft patches 6 zero-days; Ivanti EPMM under attack; Lazarus poisons npm/PyPI; AgreeToSteal Outlook add-in.
Threat Brief - 2026-02-13
Friday, February 13, 2026
BeyondTrust pre-auth RCE with public PoC, Notepad++ supply chain, Windows Notepad markdown RCE, Warlock ransomware via SmarterMail, Apple dyld zero-day.
37 briefs total