Security & IT News

Attacks leveraging the 'PolyShell' vulnerability in version 2 of Magento Open Source and Adobe Commerce installations are underway, targeting more than half of all vulnerable stores. [...]

Apple released the next version of its operating system, patching 85 different vulnerabilities across all of them. None of the vulnerabilities are currently being exploited. The last three macOS generations are covered, as are the last two versions of iOS/iPadOS. For tvOS, watchOS, and visionOS, only the current version received patches. This update also includes the recently released Background Security Improvements. Some older watchOS versions received updates, but these updates do not address any security issues. iOS 26.4 and iPadOS 26.4 iOS 18.7.7 and iPadOS 18.7.7 macOS Tahoe 26.4 macOS Sequoia 15.7.5 macOS Sonoma 14.8.5 tvOS 26.4 watchOS 26.4 visionOS 26.4 Safari 26.4 Xcode 26.4 CVE-2025-43376: A remote attacker may be able to view leaked DNS queries with Private Relay turned on. Affects WebKit x CVE-2025-43534: A user with physical access to an iOS device may be able to bypass Activation Lock. Affects iTunes Store x CVE-2026-20607: An app may be able to access protected user data. Affects libxpc x x x CVE-2026-20631: A user may be able to elevate privileges. Affects PackageKit x CVE-2026-20632: An app may be able to access sensitive user data. Affects Music x CVE-2026-20633: An app may be able to access user-sensitive data. Affects Archive Utility x x x CVE-2026-20637: An app may be able to cause unexpected system termination. Affects AppleKeyStore x x x CVE-2026-20639: Processing a maliciously crafted string may lead to heap corruption. Affects configd x x CVE-2026-20643: Processing maliciously crafted web content may bypass Same Origin Policy. Affects WebKit x x x x x CVE-2026-20651: An app may be able to access sensitive user data. Affects Messages x CVE-2026-20657: Parsing a maliciously crafted file may lead to an unexpected app termination. Affects Vision x x x CVE-2026-20660: A remote user may be able to write arbitrary files. Affects CFNetwork x CVE-2026-20665: Processing maliciously crafted web content may prevent Content Security Policy from being enforced. Affects WebKit x x x x x x x CVE-2026-20668: An app may be able to access sensitive user data. Affects Focus x x x CVE-2026-20684: An app may bypass Gatekeeper checks. Affects AppleScript x CVE-2026-20687: An app may be able to cause unexpected system termination or write kernel memory. Affects Kernel x x x x x x CVE-2026-20688: An app may be able to break out of its sandbox. Affects Printing x x x x x CVE-2026-20690: Processing an audio stream in a maliciously crafted media file may terminate the process. Affects CoreMedia x x x x x x x x CVE-2026-20691: A maliciously crafted webpage may be able to fingerprint the user. Affects WebKit Sandboxing x x x x x CVE-2026-20692: Hide IP Address and Block All Remote Content may not apply to all mail content. Affects Mail x x x x CVE-2026-20693: An attacker with root privileges may be able to delete protected system files. Affects PackageKit x x x CVE-2026-20694: An app may be able to access user-sensitive data. Affects MigrationKit x x

The spyware founder's comments are the most direct suggestion yet from anyone inside Intellexa that the Mitsotakis government authorized the hacking of dozens of phones belonging to senior Greek government ministers, opposition leaders, military officials, and journalists.

Mirai malware evolves into hundreds of variants, driving botnet growth, including Aisuru and KimWolf, powering large-scale attacks, and increasing risks to vulnerable IoT devices worldwide.

Threat actors are evading phishing detection in campaigns targeting Microsoft accounts by abusing the no-code app-building platform Bubble to generate and host malicious web apps. [...]

A new info-stealing malware called Torg Grabber is stealing sensitive data from 850 browser extensions, more than 700 of them for cryptocurrency wallets. [...]

Introduction This diary provides indicators from the SmartApeSG (ZPHP, HANEYMANEY) campaign I saw on Tuesday, 2026-03-24. SmartApeSG is one of many campaigns that use the ClickFix technique. This past week, I've seen NetSupport RAT as follow-up malware from Remcos RAT pushed by this campaign. But this time, I also saw indicators for StealC malware and Sectop RAT (ArecheClient2) after NetSupport RAT appeared on my infected lab host. Not all of the follow-up malware appears shortly after the initial Remcos RAT malware. Here's the timeline for malware from my SmartApeSG activity on Tuesday 2026-03-24: 17:11 UTC - Ran ClickFix script from SmartApeSG fake CAPTCHA page 17:12 UTC - Remcos RAT post-infection traffic starts 17:16 UTC - NetSupport RAT post-infection traffic starts 18:18 UTC - StealC post-infection traffic starts 19:36 UTC - Sectop RAT post-infection traffic starts While the NetSupport RAT activity happened approximately 4 minutes after the Remcos RAT activity, the StealC traffic didn't happen until approximately 1 hour after the NetSupport RAT activity started. And the traffic for Sectop RAT happened approximately 1 hour and 18 minutes after the StealC activity started. Images from the infection Shown above: Page from a legitimate but compromised website with injected script for the fake CAPTCHA page. Shown above: Fake CAPTCHA page with ClickFix instructions. This image shows the malicious script injected into a user's clipboard. Shown above: Traffic from the infection filtered in Wireshark. Indicators of Compromise Associated domains and IP addresses: fresicrto[.]top - Domain for server hosting fake CAPTCHA page urotypos[.]com - Called by ClickFix instructions, this domain is for a server hosting the initial malware 95.142.45[.]231:443 - Remcos RAT C2 server 185.163.47[.]220:443 - NetSupport RAT C2 server 89.46.38[.]100:80 - StealC C2 server 195.85.115[.]11:9000 - Sectop RAT (ArechClient2) C2 server Example of HTA file retrieved by ClickFix script: SHA256 hash: 212d8007a7ce374d38949cf54d80133bd69338131670282008940f1995d7a720 File size: 47,714 bytes File type: HTML document text, ASCII text, with very long lines (6272) Retrieved from: hxxps[:]//urotypos[.]com/cd/temp Saved location: C:\Users\[username]\AppData\Local\post.hta Note: ClickFix script deletes the file after retrieving and running it Example of ZIP archive for Remcos RAT retrieved by the above HTA file: SHA256 hash: a6a748c0606fb9600fdf04763523b7da20b382b054b875fdd1ef1c36fc16079a File size: 85,328,653 bytes File type: Zip archive data, at least v2.0 to extract, compression method=deflate Retrieved from: hxxps[:]//urotypos[.]com/ls/production Saved location: C:\Users\[username]\AppData\Local\361118191\361118191.pdf ZIP archive containing NetSupport RAT package: SHA256 hash: 6e26ff49387088178319e116700b123d27216d98ba3ae1ce492544cb9acd38f0 File size: 9,171,647 bytes File type: Zip archive data, at least v2.0 to extract, compression method=deflate File name: UpdateIn

The alleged administrator of the LeakBase cybercrime forum has been arrested by Russian law enforcement authorities, state media reported Thursday. According to TASS and MVD Media, a news website linked to the Russian Interior Ministry, the suspect is a resident of the city of Taganrog. The suspect is said to have been detained for creating and managing a criminal site that allowed stolen

The FCC has officially added foreign-made consumer routers to its restricted Covered List, citing major cybersecurity risks. Find out what it means for your current devices.

Russian state-owned media reported that police in Russia arrested the administrator of LeakBase, a large hacking forum.

Cloud Android phones fuel financial fraud, evading detection and enabling dropper accounts

Identity attacks no longer hinge on who a cyberattacker compromises, but on what that identity can access. As organizations manage growing numbers of human, non-human, and agentic identities, their access fabric multiplies across apps, resources, and environments, which increases both operational complexity for identity teams and risk exposure for security teams. Redefining identity security for the modern enterprise Read the blog ↗ The challenge isn’t just scale, it’s fragmentation. From our latest Secure Access report , research shows that 32% of organizations say their access management solutions are duplicative, and 40% say they have too many different vendors. That fragmentation for security vendors makes it harder to maintain consistent access controls and correlate risk across identities. When risk is distributed across dozens of disconnected accounts and permissions, visibility fragments and blind spots emerge—creating ideal conditions for cyberattackers to move laterally without detection. Securing identity in this reality requires more than incremental improvements. It calls for a shift from fragmented controls to an integrated, end-to-end approach that treats identity as a shared control plane that is informed by a continuous, foundational security signal. Why fragmentation fails—and what must replace it With the traditional model of identity security—built on siloed directories, disconnected access policies, and bolt-on threat detection—cyberattackers don’t have to break defenses, they just move between them. Permissions go uncorrelated, access policies drift as environments evolve, and lateral movement hides in the gaps. What is a Security Operations Center? Learn more ↗ For defenders, this creates a dangerous imbalance. Identity signals flood the security operations center (SOC) without the context to act, while identity teams enforce access without visibility into active cyberthreats. Risk accumulates across systems, but responsibility—and insight—remains fragmented. Fixing this doesn’t require more alerts or point solutions. It requires an integrated fabric that brings together all of the identities, access, and signals. A modern identity security solution must unify three critical layers: The identity infrastructure : The systems and services that underpin every access decision. This includes the identity provider, authentication services, single sign-on (SSO), user and group management, and the systems that establish and maintain trust across the enterprise. Without this foundation, there is no authoritative source of truth for who an identity is, what it can access, or how it should be governed. It’s the layer many security vendors lack—and the one Microsoft delivers at global scale. The identity control plane : Where privileged identity management and access decisions are enforced in real time, based on dynamic risk signals, behavioral context, and policy intent. This is where identity and security converge to adapt access as

Citrix has patched two NetScaler ADC and NetScaler Gateway vulnerabilities, one of which is very similar to the CitrixBleed and CitrixBleed2 flaws exploited in zero-day attacks in recent years. [...]

Cybersecurity company’s annual report issues warning over a “mass-marketed impersonation crisis” over attackers abusing legitimate credentials

Top Klaviyo alternatives offer advanced analytics, automation, and insights to help e-commerce brands improve campaigns, boost revenue, and track performance.

AI translation fixes multilingual content chaos by improving consistency, workflows, and speed, helping teams reduce errors and scale global content faster.

Cybersecurity researchers have flagged a new evolution of the GlassWorm campaign that delivers a multi-stage framework capable of comprehensive data theft and installing a remote access trojan (RAT), which deploys an information-stealing Google Chrome extension masquerading as an offline version of Google Docs. "It logs keystrokes, dumps cookies and session tokens, captures screenshots, and

AI accounts are becoming part of the cybercrime supply chain, sold like email accounts or VPS access. Flare Systems shows how underground markets bundle and resell premium AI access at scale. [...]

If it’s online, it’s a target Web applications are no longer just business enablers, they’re often the front door to an organization. They can often generate revenue, enforce identity, connect systems and hold customer and business data. “ 75% of successful Vector Command breaches were conducted through web apps. ” – Principal Security Consultant, Vector Command Team at Rapid7 From SaaS platforms and identity providers to customer portals and internal tools, attackers increasingly rely on web applications as their initial access point. In fact, application-driven attacks account for a significant percentage of real-world breaches. But testing web applications for real risk isn’t the same as scanning for bugs; that’s where Vector Command (Rapid7’s continuous managed red team service) comes in. Figure 1: Vector Command Advanced How Vector Command approaches web applications Vector Command evaluates web applications the same way real attackers do, by asking a single question: Can this application be used to meaningfully compromise the organization? Rather than attempting to enumerate every possible vulnerability, Vector Command focuses on exploitation paths that lead to real outcomes, such as: Account takeover Session hijacking Abuse of SaaS trust relationships Access to internal systems through vulnerabilities, such as malicious file uploads, injection issues, or misconfigurations in common web frameworks Lateral movement across applications Exfiltration of source code, if found during a breach Testing begins without authentication against externally facing applications, the external attack surface, or to put it another way, what a potential threat actor can see. If legitimate paths exist – self-registration, broken authentication and authorization controls, misconfigurations exposing unintended application functionality, or overall poor site hygiene leaking information that needs further research – those paths are pursued as part of a broader attack chain. The result isn’t a long list of low-risk findings, but rather a clear picture of what actually works. Figure 2: Sample Vector Command findings, by status What Vector Command does not do Vector Command is intentionally not a replacement for a full web application penetration test, although Rapid7 does offer this service. It does not: Guarantee full application coverage. Perform DAST or SAST scanning. Enumerate non-exploitable low-severity or theoretical vulnerabilities. Review source code unless it’s obtained during an attack. If your goal is to understand every potential flaw in an application, a dedicated web app penetration test is the right approach. However if your goal is to understand whether your sprawling stack of externally facing applications can be used to break into your organization, Vector Command is designed for that purpose. A real-world example: when the ticketing system becomes the attack path In one recent Vector Command engagement, attackers didn’t exploit a zero-day or compl

Kali Linux 2026.1, the first release of the year, is now available for download, featuring 8 new tools, a theme refresh, and a new BackTrack mode for Kali-Undercover. [...]