Friday Wrap Up: 27 March 2026
This week: a pro-Iranian group hacked the FBI Director's personal email. North Korean hackers got hired for remote IT jobs. TeamPCP backdoored yet another PyPI package. And an iPhone exploit kit has evolved directly from the zero-click campaign that hit Russian targets back in 2023.
In the "things we didn't need" column: GlassWorm now uses the Solana blockchain to route its malware payloads, a new infostealer bypasses Chrome's Application-Bound Encryption, and a QR code phishing campaign somehow slipped past SPF, DKIM, AND DMARC at scale — 1.6 million emails delivered, no alarm raised.
It's a lot. Click through for 34 stories across 6 categories, and maybe patch your NetScaler while you're at it.
#FWU #fridaywrapup #SupplyChainSecurity #NationStateHackers #PatchNow #Malware #DataBreach #Ransomware
Major Cyberattacks & Incidents
From pharmaceutical giants to anime streaming platforms, this week’s breach roster spans nearly every sector — and the body count keeps climbing.
🏛️ The European Commission is investigating a security breach after a threat actor gained unauthorized access to its Amazon cloud infrastructure, raising concerns about the security of EU executive data. (Published on March 27, 2026, BleepingComputer)
💼 Hightower Holding disclosed a breach that exposed names, Social Security numbers, and driver’s license numbers for 130,000 individuals after hackers infiltrated the firm’s environment. (Published on March 26, 2026, SecurityWeek)
⚖️ Ilya Angelov, a member of the cybercrime group tracked as TA-551 (Shathak/Gold Cabin/Monster Libra), received a two-year US prison sentence for his role in the prolific criminal operation. (Published on March 25, 2026, SecurityWeek)
❓ OVHcloud’s founder denied claims by a hacker alleging a 600TB theft affecting millions of hosted sites, with cybersecurity experts also questioning the credibility of the evidence provided. (Published on March 24, 2026, Hackread)
🐛 Bug bounty platform HackerOne is notifying hundreds of employees that their personal data was stolen after threat actors compromised Navia, one of its US-based benefits administrators. (Published on March 24, 2026, BleepingComputer)
💊 The Lapsus$ extortion group claims to have breached pharmaceutical giant AstraZeneca, allegedly stealing internal code repositories, employee credentials, and sensitive company data. (Published on March 24, 2026, SecurityWeek)
🚗 Mazda Motor Corporation disclosed a security incident detected last December that exposed personal data belonging to employees and business partners of the automaker. (Published on March 23, 2026, BleepingComputer)
📺 Popular anime streaming platform Crunchyroll is investigating a breach after hackers claimed to have stolen personal information for approximately 6.8 million users of the service. (Published on March 23, 2026, BleepingComputer)
Espionage & Data Extraction
Nation-state actors had an unusually busy week — an FBI director’s inbox, an evolved iPhone exploit framework, and North Korean operatives hiding in plain sight as remote IT workers.
🇮🇷 A pro-Iranian hacking group claimed responsibility for breaching FBI Director Kash Patel’s personal account, making emails and documents from the account available for public download. (Published on March 27, 2026, SecurityWeek)
📱 The Coruna iOS exploit kit is an evolution of the framework used in Operation Triangulation — the 2023 espionage campaign that silently compromised iPhones via zero-click iMessage exploits. (Published on March 26, 2026, BleepingComputer)
🇰🇵 North Korea’s WaterPlum/Contagious Interview group weaponized VS Code tasks.json files to distribute the new StoatWaffle malware, targeting developers through malicious Visual Studio Code projects. (Published on March 23, 2026, The Hacker News)
🕵️ LevelBlue research reveals how a suspected North Korean operative successfully landed a remote IT job to fund national weapons programs, only to be exposed after a VPN configuration slip. (Published on March 23, 2026, Hackread)
Malware & Vulnerabilities
Supply-chain attacks, router bypasses, and a payment skimmer that routes around your defenses via WebRTC — the vulnerability landscape this week has something for everyone.
🎵 The TeamPCP supply-chain threat actor compromised the Telnyx Python package on PyPI, hiding data-stealing code inside WAV audio files across two malicious versions (4.87.1 and 4.87.2). (Published on March 27, 2026, The Hacker News)
💻 A large-scale campaign is flooding GitHub project Discussions with fake Visual Studio Code security alerts, tricking developers into downloading malware disguised as urgent platform security updates. (Published on March 27, 2026, BleepingComputer)
🔓 A now-patched bug in Open VSX’s pre-publish scanning pipeline allowed malicious VS Code extensions to pass security vetting and go live in the registry undetected, with a single boolean flag as the culprit. (Published on March 27, 2026, The Hacker News)
⚡ A critical Langflow RCE vulnerability allowing unauthenticated code execution was exploited within hours of disclosure, prompting CISA to formally flag the flaw for urgent remediation. (Published on March 27, 2026, CSO Online)
👻 ReversingLabs identified a Ghost campaign using convincing fake npm install progress bars to trick developers into entering sudo passwords, enabling crypto wallet theft from compromised machines. (Published on March 27, 2026, Hackread)
💳 A new payment skimmer uses WebRTC data channels — instead of traditional HTTP requests or image beacons — to load payloads and exfiltrate payment data from e-commerce sites, bypassing Content Security Policy controls. (Published on March 26, 2026, The Hacker News)
🕳️ CVE-2026-3055, an out-of-bounds read flaw in NetScaler ADC and Gateway, has been flagged by experts as CitrixBleed2-level severity, requiring immediate patching of all customer-managed devices. (Published on March 25, 2026, CSO Online)
🪱 GlassWorm has evolved into a multi-stage framework using Solana blockchain dead drops to deliver a RAT and deploy a malicious Chrome extension disguised as an offline app to steal browser data and crypto. (Published on March 25, 2026, The Hacker News)
📡 TP-Link patched a critical authentication bypass flaw in its Archer NX router series that could allow unauthenticated attackers to upload malicious firmware and seize full control of the device. (Published on March 25, 2026, BleepingComputer)
🔑 The TeamPCP group backdoored the massively popular LiteLLM Python package on PyPI to steal credentials and auth tokens, claiming to have exfiltrated data from hundreds of thousands of compromised devices. (Published on March 24, 2026, BleepingComputer)
🔓 Citrix released patches for CVE-2026-3055 (CVSS 9.3), a critical NetScaler ADC and Gateway flaw allowing unauthenticated data exfiltration from affected applications across customer-managed deployments. (Published on March 24, 2026, The Hacker News)
🍪 VoidStealer uses a novel debugger-based technique to bypass Chrome’s Application-Bound Encryption (ABE), stealing saved passwords and cookies in a method researchers say hasn’t been seen in the wild before. (Published on March 23, 2026, CSO Online)
🛠️ QNAP released patches for four vulnerabilities demonstrated at Pwn2Own that could allow attackers to access sensitive information, execute arbitrary code, or trigger unexpected system behavior on affected devices. (Published on March 23, 2026, SecurityWeek)
Cybersecurity Tools & Techniques
This week’s phishing roundup covers QR codes that dodge every email security standard, fake resumes, fake token giveaways, and IRS impersonators — tax season is a gift for attackers.
📲 A massive QR code phishing campaign dubbed Quish Splash evaded SPF, DKIM, and DMARC controls to successfully deliver 1.6 million malicious emails to unsuspecting recipients without detection. (Published on March 26, 2026, Hackread)
🫧 Threat actors are abusing the no-code Bubble platform to build convincing phishing pages targeting Microsoft accounts, leveraging the legitimate app builder to evade standard phishing detection tooling. (Published on March 25, 2026, BleepingComputer)
💸 OX Security uncovered a phishing campaign targeting GitHub developers with fake OpenClaw token giveaways, tricking victims into connecting their cryptocurrency wallets and immediately draining them. (Published on March 25, 2026, Hackread)
🌍 An active device code phishing campaign has compromised over 340 Microsoft 365 organizations across five countries since February 2026, abusing OAuth authentication flows to silently steal access tokens. (Published on March 25, 2026, The Hacker News)
📄 An ongoing phishing campaign targeting French-speaking enterprises delivers obfuscated VBScript files disguised as CV documents that install cryptocurrency miners and infostealers on victim machines. (Published on March 24, 2026, The Hacker News)
💰 Microsoft warns of active tax-season phishing campaigns that have hit 29,000 users with IRS-themed emails, delivering remote management malware to establish persistent access and harvest credentials. (Published on March 23, 2026, The Hacker News)
DDoS, Outages & Infrastructure
Botnets are multiplying and attacks are surging — the infrastructure threat landscape is growing broader and louder.
🤖 Mirai has spawned hundreds of variants — including Aisuru and KimWolf — fueling large-scale botnet growth and increasing attack risks against vulnerable IoT devices globally. (Published on March 25, 2026, Hackread)
📈 Gcore’s latest Radar report documents a 150% year-on-year surge in DDoS attack volume, reflecting the rapid expansion of botnet infrastructure and the continued commoditization of volumetric attacks. (Published on March 24, 2026, Hackread)
AI & Policy
One story this week — but it’s a notable one: a zero-click flaw in an AI browser extension that turned every website into a potential attack vector.
🤖 Researchers disclosed a now-patched flaw in Anthropic’s Claude Chrome Extension that allowed any website to silently inject malicious prompts into the assistant without any user interaction via cross-site scripting. (Published on March 26, 2026, The Hacker News)
Stay informed and secure in the tech and cybersecurity world. Have a great weekend, and remember to patch and protect your systems!