1. GlassWorm Supply Chain Phase 3: Sleeper Extensions Activate, Shift to GitHub-Hosted VSIX Delivery
Summary
The GlassWorm supply chain campaign escalated significantly on March 18, 2026, when previously dormant “sleeper” extensions on the Open VSX registry activated and began delivering malicious payloads. This represents a novel evolution: at least one extension (lauracode.wrap-selected-code) was updated to download and force-install a malicious VSIX directly from GitHub Releases, moving the payload delivery outside the Open VSX registry and beyond the Eclipse Foundation’s takedown capability. Concurrently, hijacked npm packages (@aifabrix/miso-client v4.7.2 and @iflow-mcp/watercrawl-watercrawl-mcp v1.3.0–1.3.4) buried malware three dependency layers deep across packages with 134,000 combined monthly downloads. Across all vectors (GitHub repos, npm, Open VSX), researchers have collectively identified 433 compromised components in March 2026. The campaign is attributed to Russian-speaking threat actors based on code comments and locale-checking evasion (skips execution on Russian-locale systems). The malware deploys a multi-stage RAT that force-installs a malicious Chrome extension to log keystrokes, steal cookies, and exfiltrate data. C2 uses Solana blockchain transaction memos as a dead drop resolver, making takedown effectively impossible.
What’s New (Last 24 Hours)
- Sleeper extensions on Open VSX activated March 17–18, converting benign extensions into malicious extension packs via the extensionPack and extensionDependencies manifest fields
- Novel delivery method: VSIX payloads now hosted on GitHub Releases (outside Open VSX takedown reach), force-installed into every detected editor using --install-extension --force
- Malicious GitHub Releases URL: github[.]com/francesca898/dqwffqw/releases/download/vsx/autoimport-smart-tool-2.5.8.vsix
- Compromised npm packages published March 12: @aifabrix/miso-client v4.7.2 and @iflow-mcp/watercrawl-watercrawl-mcp v1.3.0–1.3.4
- Invisible Unicode obfuscation (PUA ranges U+FE00–U+FE0F and U+E0100–U+E01EF) renders malicious code invisible in all mainstream editors
- Extensions from the March 18 wave remain live on Open VSX as of March 20
Actionable Intel
| Artifact | Type | ATT&CK Technique | Data Source | How to Use |
|---|---|---|---|---|
| Marker variable lzcdrtfxyqiplpd in source code | IOC | T1195.002 – Supply Chain Compromise: Compromise Software Supply Chain | Code scanning, SAST | Search all codebases and cloned repos for this string |
| ~/init.json persistence file | IOC / File | T1547.004 – Boot or Logon Autostart Execution | EDR File Create, Sysmon Event 11 | Alert on creation of ~/init.json in developer home directories |
| Unexpected ~/node-v22* directories | IOC / File | T1059.007 – JavaScript | EDR File Create | Alert on Node.js installations outside standard package manager paths |
| Suspicious i.js files in cloned repos | IOC / File | T1204.002 – User Execution: Malicious File | Code scanning | Scan recently cloned projects for i.js files |
| GitHub VSIX URL: github[.]com/francesca898/dqwffqw/releases/ | IOC / Network | T1105 – Ingress Tool Transfer | Web proxy, DNS logs | Block or alert on requests to this GitHub user/repo |
| Solana RPC polling every 5–10 seconds from developer workstations | Network / C2 | T1102.002 – Web Service: Bidirectional Communication | Web proxy, network flow | Alert on repeated Solana RPC endpoint connections from non-crypto workstations |
| --install-extension --force CLI invocations by extensions | Process | T1059 – Command and Scripting Interpreter | EDR Process Create | Alert on VS Code CLI spawning with --install-extension from extension host processes |
| Git commits where committer date >> author date | TTP | T1195.002 – Supply Chain Compromise | Git audit logs | Audit repositories for anomalous commit timestamp patterns |
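The code-scanning and git-audit rows above can be turned into a repository sweep. The following is an added example written for this brief, not tooling from the researchers or from any of the projects named; the only indicators it uses are the ones in the table and the Unicode ranges listed under What's New (the marker variable, the invisible code point ranges, the force-install CLI flags, the i.js file name, and the committer-versus-author date gap). The sample files and the sample `git log --format='%h %at %ct'` output are constructed for the example, and the seven-day gap threshold is an assumed tuning value, not a figure from the brief.

```python
import re
from datetime import timedelta

# Indicators taken from the brief's Actionable Intel table and What's New list.
MARKER_VARIABLE = "lzcdrtfxyqiplpd"
INVISIBLE_RANGES = [(0xFE00, 0xFE0F), (0xE0100, 0xE01EF)]
FORCE_INSTALL = re.compile(r"--install-extension\b.*--force|--force\b.*--install-extension\b")


def invisible_codepoints(text):
    """Return (offset, codepoint) for every character inside the invisible ranges."""
    hits = []
    for offset, ch in enumerate(text):
        cp = ord(ch)
        if any(lo <= cp <= hi for lo, hi in INVISIBLE_RANGES):
            hits.append((offset, cp))
    return hits


def scan_file(path, text):
    """Return a list of findings for one file; an empty list means nothing matched."""
    findings = []
    if MARKER_VARIABLE in text:
        findings.append("marker variable %s present" % MARKER_VARIABLE)
    invisible = invisible_codepoints(text)
    if invisible:
        first_offset, first_cp = invisible[0]
        findings.append("%d invisible code point(s), first at offset %d (U+%04X)"
                        % (len(invisible), first_offset, first_cp))
    if FORCE_INSTALL.search(text):
        findings.append("extension force-install via editor CLI")
    if path.rsplit("/", 1)[-1] == "i.js":
        findings.append("suspicious file name i.js")
    return findings


def scan_tree(files):
    """files: dict of path -> file text. Returns only the paths that produced findings."""
    flagged = {}
    for path, text in files.items():
        findings = scan_file(path, text)
        if findings:
            flagged[path] = findings
    return flagged


def parse_git_log(log_output):
    """Parse lines of `git log --format='%h %at %ct'` into (hash, author_epoch, committer_epoch)."""
    commits = []
    for line in log_output.strip().splitlines():
        commit_hash, author_ts, committer_ts = line.split()
        commits.append((commit_hash, int(author_ts), int(committer_ts)))
    return commits


def anomalous_commits(log_output, max_gap=timedelta(days=7)):
    """Return hashes whose committer date lies more than max_gap after the author date."""
    return [h for h, author_ts, committer_ts in parse_git_log(log_output)
            if committer_ts - author_ts > max_gap.total_seconds()]


# Constructed sample input: one clean file, one carrying the marker and a U+FE0F, one i.js,
# and one post-install script that force-installs an extension. None of this is real malware.
SAMPLE_FILES = {
    "src/index.js": "const x = 1;\nmodule.exports = x;\n",
    "src/util.js": "var lzcdrtfxyqiplpd = 'a';\nfunction f() {\ufe0f}\n",
    "lib/i.js": "module.exports = {};\n",
    "scripts/post.js": "exec('code --install-extension x.vsix --force')\n",
}

# Constructed sample git log: hashes are made up; the second commit was committed ~15 days after authoring.
SAMPLE_GIT_LOG = """\
a1b2c3d 1710000000 1710000100
b2c3d4e 1710000000 1711300000
"""

if __name__ == "__main__":
    for path, findings in scan_tree(SAMPLE_FILES).items():
        print(path, "->", "; ".join(findings))
    print("commits with suspicious timestamp gap:", anomalous_commits(SAMPLE_GIT_LOG))
```

Run it over a checkout by reading each file into the `files` dict and piping `git log --format='%h %at %ct'` into `anomalous_commits`. A large committer-minus-author gap is also produced by legitimate rebases and cherry-picks, so treat that check as a triage signal to combine with the content findings rather than as a standalone alert.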
Potential Detection Coverage Based on MITRE ATT&CK Technique
MITRE ATT&CK Mapping
| Tactic | Technique |
|---|---|
| Initial Access | T1195.002 – Supply Chain Compromise: Compromise Software Supply Chain |
| Execution | T1059.007 – Command and Scripting Interpreter: JavaScript, T1204.002 – User Execution: Malicious File |
| Persistence | T1547.004 – Boot or Logon Autostart Execution, T1176 – Browser Extensions |
| Credential Access | T1555.003 – Credentials from Web Browsers, T1528 – Steal Application Access Token |
| Command and Control | T1102.002 – Web Service: Bidirectional Communication (Solana C2) |
| Exfiltration | T1041 – Exfiltration Over C2 Channel |
| Defense Evasion | T1027 – Obfuscated Files or Information (Unicode obfuscation) |
2. PolyShell: Unauthenticated File Upload Flaw in All Magento/Adobe Commerce 2.x Enables RCE and Account Takeover
Summary
Security firm Sansec disclosed “PolyShell,” a critical unrestricted file upload vulnerability affecting every Magento Open Source and Adobe Commerce version 2 installation through 2.4.9-alpha2. The vulnerable code has existed since the very first Magento 2 release. Magento’s REST API accepts file uploads as part of cart item custom options — when a product option has type file, the API processes a file_info object containing base64-encoded file data and writes it to pub/media/custom_options/quote/ on the server without adequate validation. The attack uses a polyglot file (executable code disguised as an image) to bypass content-type checks. Depending on web server configuration, this enables unauthenticated remote code execution via PHP upload or account takeover via stored XSS. Adobe fixed this in the 2.4.9 pre-release branch as part of APSB25-94, but no isolated patch exists for current production versions. Sansec reports the exploit method is already circulating. A related mass defacement campaign affecting approximately 15,000 hostnames commenced February 27, 2026, though direct attribution to PolyShell is unconfirmed.
What’s New (Last 24 Hours)
- Sansec published full technical disclosure of PolyShell on March 19, 2026
- Exploit methodology is publicly circulating — automated exploitation expected imminently
- No isolated patch for production Magento 2.x versions; only 2.4.9 pre-release contains the fix
- Mass defacement campaign (15,000 hostnames, 7,500 domains) ongoing since February 27 may be leveraging the same upload vector
- No active RCE exploitation observed by Sansec yet, but the disclosure window is now open
Actionable Intel
| Artifact | Type | ATT&CK Technique | Data Source | How to Use |
|---|---|---|---|---|
| POST requests to REST API with file_info containing PHP/polyglot payloads | Network / Exploit | T1190 – Exploit Public-Facing Application | WAF logs, web server access logs | Create WAF rule to inspect file_info objects in cart API requests for executable content |
| New files in pub/media/custom_options/quote/ directory | File / Webshell | T1505.003 – Web Shell | FIM (File Integrity Monitoring), Sysmon Event 11 | Monitor this specific directory for any new file creation; alert immediately |
| HTTP requests to pub/media/custom_options/quote/*.php | Network | T1505.003 – Web Shell | Web server access logs | Alert on any HTTP request attempting to execute files in the custom_options directory |
| Base64-encoded PHP content in REST API request bodies | Network | T1027 – Obfuscated Files or Information | WAF, web proxy | Deploy WAF rule to detect base64-encoded PHP patterns (e.g., PD9waHA = <?php) in API payloads |
| Plaintext .txt file uploads to web-accessible directories (defacement indicator) | File | T1491.002 – Defacement: External Defacement | FIM, web server logs | Monitor for unexpected text file creation in web-accessible Magento directories |
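The first and fourth rows above describe a WAF check on file_info objects in cart API requests. The following is an added example of that check written for this brief; it is not Sansec's detection logic or Magento code. It walks a JSON request body for any file_info object, decodes base64_encoded_data, and blocks when the decoded bytes carry a PHP open tag, a script tag, an executable file name, or a declared image type with no image header. The field names name, type and base64_encoded_data follow Magento's image-content schema as the author understands it and should be confirmed against your version; the nesting of the sample cart request is an approximation, which is why the search is recursive. Both sample bodies are constructed, and the polyglot sample contains only a harmless echo marker.

```python
import base64
import binascii
import json
import re

# Image formats a file custom option declared as image/* should start with.
IMAGE_MAGIC = {
    b"\xff\xd8\xff": "jpeg",
    b"\x89PNG\r\n\x1a\n": "png",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
}
PHP_TAG = re.compile(rb"<\?(php|=)", re.IGNORECASE)
SCRIPT_TAG = re.compile(rb"<script\b", re.IGNORECASE)
# File names that must never be accepted as a customer-supplied upload.
EXECUTABLE_EXTENSIONS = {".php", ".phtml", ".phar", ".php5", ".php7"}


def image_type(data):
    """Return the image format implied by the leading bytes, or None."""
    for magic, kind in IMAGE_MAGIC.items():
        if data.startswith(magic):
            return kind
    return None


def inspect_upload(name, content_type, data):
    """Classify one decoded upload; returns the list of reasons to block it (empty = allow)."""
    reasons = []
    ext = ("." + name.rsplit(".", 1)[-1].lower()) if "." in name else ""
    if ext in EXECUTABLE_EXTENSIONS or name.startswith("."):
        reasons.append("executable or dot-file name: %s" % name)
    kind = image_type(data)
    if content_type.startswith("image/") and kind is None:
        reasons.append("declared %s but no image header" % content_type)
    if PHP_TAG.search(data):
        # A valid image header followed by a PHP tag is exactly the polyglot shape the brief describes.
        reasons.append("PHP open tag in body" + (" (polyglot with %s header)" % kind if kind else ""))
    if SCRIPT_TAG.search(data):
        reasons.append("script tag in body (stored XSS risk)")
    return reasons


def find_file_info(obj):
    """Yield every file_info object anywhere in a parsed JSON body, regardless of nesting."""
    if isinstance(obj, dict):
        for key, value in obj.items():
            if key == "file_info" and isinstance(value, dict):
                yield value
            else:
                yield from find_file_info(value)
    elif isinstance(obj, list):
        for item in obj:
            yield from find_file_info(item)


def inspect_request_body(body):
    """Return {file name: reasons} for every file_info in the body that should be blocked."""
    try:
        parsed = json.loads(body)
    except ValueError:
        return {}
    blocked = {}
    for file_info in find_file_info(parsed):
        name = str(file_info.get("name", ""))
        try:
            data = base64.b64decode(file_info.get("base64_encoded_data", ""), validate=True)
        except (binascii.Error, ValueError):
            blocked[name] = ["base64_encoded_data does not decode"]
            continue
        reasons = inspect_upload(name, str(file_info.get("type", "")), data)
        if reasons:
            blocked[name] = reasons
    return blocked


# Constructed samples: a real PNG header with filler, and a GIF header followed by a harmless PHP marker.
GOOD_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
POLYGLOT = b"GIF89a" + b"\x00" * 8 + b"<?php echo 'probe'; ?>"


def sample_body(name, content_type, data):
    """Build an approximate cart-item request carrying one file custom option (constructed)."""
    file_info = {"name": name, "type": content_type,
                 "base64_encoded_data": base64.b64encode(data).decode("ascii")}
    return json.dumps({"cartItem": {"sku": "SKU-1", "qty": 1, "product_option": {
        "extension_attributes": {"custom_options": [
            {"option_id": "1", "option_value": "file",
             "extension_attributes": {"file_info": file_info}}]}}}})


if __name__ == "__main__":
    print(inspect_request_body(sample_body("photo.png", "image/png", GOOD_PNG)))
    print(inspect_request_body(sample_body("photo.gif", "image/gif", POLYGLOT)))
```

Decoding before inspecting matters: the base64 spelling of <?php depends on the byte offset of the tag within the file, so a rule that matches only the literal PD9waHA catches the tag at one alignment out of three. The recursive walk also keeps the rule independent of exactly where the API places file_info in the request.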
Potential Detection Coverage Based on MITRE ATT&CK Technique
MITRE ATT&CK Mapping
| Tactic | Technique |
|---|---|
| Initial Access | T1190 – Exploit Public-Facing Application |
| Execution | T1059.004 – Unix Shell (via PHP webshell) |
| Persistence | T1505.003 – Server Software Component: Web Shell |
| Defense Evasion | T1036 – Masquerading (polyglot file as image), T1027 – Obfuscated Files or Information |
| Impact | T1491.002 – Defacement: External Defacement |
Summary of Previously Covered Threats (No Significant Updates)
The following threats from prior briefs had no new actionable artifacts or significant developments in the last 24 hours:
- CVE-2026-20131 / CVE-2026-20079 (Cisco FMC / Interlock Ransomware) — Covered March 19. Additional media coverage on March 20 (Help Net Security) but no new IOCs, TTPs, or detection content beyond Amazon MadPot disclosure.
- CVE-2026-20963 (Microsoft SharePoint RCE) — Covered March 19. Federal deadline March 21. No new exploitation reports.
- CVE-2025-66376 (Zimbra XSS / APT28 Operation GhostMail) — Covered March 19. Federal deadline April 1. No new IOCs.
- DarkSword iOS Exploit Kit — Covered March 19. No new malware families or targeting changes.
- CVE-2026-3909 / CVE-2026-3910 (Chrome Skia/V8) — Covered March 18. Federal deadline March 27. No new TTPs or IOCs.
- CVE-2026-32746 (GNU InetUtils telnetd) — Covered March 18. No patch until April 1. No new exploitation reports.
- CVE-2025-47813 / CVE-2025-47812 (Wing FTP Server) — Covered March 17–18. No new artifacts.
- LeakNet ClickFix + Deno BYOR Campaign — Covered March 18. No new IOCs.
- Payload Ransomware (Babuk derivative) — Covered March 18. No new victims or TTPs.
- ACRStealer / HijackLoader — Covered March 18. No new IOCs.
- Konni APT EndRAT via KakaoTalk — Covered March 18. No new C2 or targeting changes.