Overview
Description
Statistics
- 12 Posts
- 7 Interactions
Fediverse
March 31, 2026
Cyber Operations
Axios npm Supply Chain Attack Deploys Cross-Platform RAT
A supply chain attack compromised the widely used Axios HTTP client library on npm, affecting versions 1.14.1 and 0.30.4. The attacker hijacked a maintainer account and injected a malicious dependency called "plain-crypto-js," which delivers a remote access trojan capable of executing arbitrary commands, exfiltrating data, and persisting across Windows, macOS, and Linux systems. Socket's automated detection flagged the package within six minutes of publication. With Axios receiving approximately 100 million weekly downloads, the blast radius is significant. The attack was carefully staged: payloads for three operating systems were pre-built, both release branches were hit within 39 minutes, and every trace was designed to self-destruct.
European Commission Confirms Cloud Data Breach
The European Commission confirmed a cyberattack affecting its cloud infrastructure hosting the Europa.eu platform. The ShinyHunters extortion gang claimed responsibility, posting screenshots suggesting possession of approximately 350 GB of data including mail server contents, databases, and confidential documents. The Commission stated its internal systems were not affected. This marks the second breach of EU institutions this year, following an earlier compromise of the Commission's mobile device management platform.
Citrix NetScaler Vulnerability Under Active Exploitation
CISA added CVE-2026-3055—a critical out-of-bounds read vulnerability (CVSS 9.3) in Citrix NetScaler ADC and Gateway—to its known exploited vulnerabilities list on March 30, based on evidence of active exploitation. The flaw affects systems configured as SAML Identity Providers and can leak sensitive memory contents. Threat actors have been probing honeypots to enumerate vulnerable configurations since at least March 27.
Iran-Linked Cyber Campaigns Escalate Amid Conflict
Iranian-linked groups have mounted nearly 5,800 cyberattacks since hostilities began, according to security firm DigiCert. A recent operation targeted Israeli Android users with texts offering bomb shelter information that instead downloaded spyware granting access to cameras, location data, and all device contents. Palo Alto's Unit 42 has identified 7,381 conflict-themed phishing URLs across 1,881 unique hostnames.
Information Operations & Foreign Influence
Iran's AI Deepfake Campaign Draws Hundreds of Millions of Views
A pro-Iran disinformation campaign has generated over 145 million views and nine million interactions across social media platforms. The New York Times identified more than 110 unique deepfakes conveying pro-Iran messaging in a two-week span. The majority are produced by Iranian government-linked networks and amplified by Russian and Chinese information ecosystems. The campaign uses tens of thousands of fake accounts to portray Iran as victorious and its adversaries as weakened. X announced it would penalize creators who post unlabeled AI war content by removing them from revenue-sharing for 90 days.
Russia–China–Iran Convergence in Cognitive Warfare
A Small Wars Journal analysis published March 18 documents how Russia, Iran, and China are coordinating narrative warfare to erode Western cohesion. Russia's 2026 budget increased information operations funding by 54%, adding $458 million for state-run media. Generative AI allows a single adversary to manage thousands of personas producing unique content at scale, while China uses state-aligned media accounts to echo anti-U.S. narratives.
Espionage
Russia Expels British Diplomat on Espionage Allegations
Russia's FSB ordered the expulsion of British Embassy second secretary Albertus Gerhardus Janse van Rensburg, accusing him of economic espionage and providing false information to obtain entry to Russia. The FSB alleged he attempted to obtain sensitive information during informal meetings with Russian economic experts. The British Embassy dismissed the allegations as "completely unacceptable." Russian state TV reported he is the 16th British diplomat expelled over the past two years.
Pakistan-Linked Spy Network Dismantled in India
Indian police arrested 22 individuals operating a Pakistan-linked espionage network that used solar-powered CCTV cameras and GPS-enabled apps to monitor troop movements and critical infrastructure. The network installed surveillance equipment along the Delhi-Jammu railway corridor, with cameras recovered from Delhi Cantonment and Haryana's Sonipat found actively transmitting footage to Pakistan-based handlers. Nearly 50 such installations were planned nationwide. The Indian government has ordered a nationwide CCTV audit in response.
Russia Shifts to Vulnerable Recruits for European Operations
Following the mass expulsion of Russian intelligence officers from Europe, the GRU and FSB have shifted to recruiting financially vulnerable Europeans—including migrants, criminals, and the unemployed—for low-level sabotage and surveillance. Former Wagner Group operatives have been tasked with identifying recruits willing to carry out arson, assaults, or vandalism for small payments. More than 150 suspected hybrid incidents linked to Russia have been reported across the EU and NATO in early 2026.
Assessments & Reports
ODNI Releases 2026 Annual Threat Assessment
DNI Gabbard released the 2026 Annual Threat Assessment on March 26. The report identifies lone wolf attackers as the most likely terrorist threat to the U.S. homeland, highlights Mexican cartels and Venezuelan organized crime as top domestic concerns, and warns that nuclear-capable adversaries could collectively field more than 16,000 missiles by 2035. The assessment also flags AI and quantum computing as critical emerging technology challenges, alongside cyberthreats from China and North Korea.
Following the publication of the relevant, pleasant and essential PART 2 of watchTowr's analysis:
the new scans based on the presence of
GET /wsfed/passive?wctx
aka "This is Bad™" 😁
rather than on the version number considerably reduce the number of exposed appliances.
We are down to around a hundred potentially vulnerable appliances on the public internets :gentleblob: , including a few in Switzerland according to ONYPHE. 📉
(CVE-2026-3055 actually covers at least two distinct memory overread vulnerabilities, /saml/login and /wsfed/passive?wctx, which is, let's say… debatable™ on Citrix's part.)
The CISA mandates federal patching of Citrix NetScaler flaw by Thursday
The CISA has added a new Citrix NetScaler appliance vulnerability to its Known Exploited Vulnerabilities catalog and is giving federal agencies till Thursday to remediate the flaw. The vulnerability (CVE-2026-3055) is caused by inadequate input validation and can be exploited by unauthenticated remote attackers to extract sensitive data from Citrix ADC or Citrix Gateway appliances configured as…
Bluesky
Overview
Description
Statistics
- 9 Posts
- 11 Interactions
Fediverse
📢⚠️ Security warning: Version 1.0: F5 BIG-IP – Active exploitation of a #vulnerability in the Access Policy Manager
On 27.03.2026 the vendor F5 published an advisory describing details of observed attacks on BIG-IP instances. The report essentially consisted of Indicators of Compromise (IoCs) that can be used to detect exploitation of CVE-2025-53521.
More information is available here: https://www.bsi.bund.de/dok/1195766
F5 BIG-IP APM vulnerability (CVE-2025-53521) escalates to critical 9.8 RCE, actively exploited. Patch now, check IoCs, and secure vulnerable systems immediately.
Read: https://hackread.com/critical-f5-big-ip-flaw-upgrad-to-9-8-rce-exploited/
Bluesky
Overview
- Fortinet
- FortiClientEMS
Description
Statistics
- 3 Posts
Fediverse
Critical supply chain attack on Axios npm distributed a Remote Access Trojan (RAT) via a `plain-crypto-js` dependency. Fortinet faces active exploitation of a critical SQL injection flaw (CVE-2026-21643). Geopolitically, Iran-US tensions escalate; a Kuwaiti oil tanker was hit, and Yemen launched strikes against Israeli sites.
CVE-2026-21643 – This critical flaw in FortiClient EMS is being exploited! https://www.it-connect.fr/cve-2026-21643-cette-faille-critique-dans-forticlient-ems-est-exploitee/ #ActuCybersécurité #Cybersécurité #Fortinet
Overview
Description
Statistics
- 9 Posts
- 6 Interactions
Fediverse
Claude Wrote a Full #FreeBSD Remote Kernel #RCE with Root Shell (CVE-2026-4747): https://blog.calif.io/p/mad-bugs-claude-wrote-a-full-freebsd
"Claude Wrote a Full FreeBSD Remote Kernel RCE with Root Shell (CVE-2026-4747)"
https://github.com/califio/publications/tree/main/MADBugs/CVE-2026-4747
Overview
- Microsoft
- Windows 11 version 21H2
Description
Statistics
- 3 Posts
- 3 Interactions
Bluesky
Overview
Description
Statistics
- 2 Posts
- 1 Interaction
Fediverse
Langflow – Barely disclosed, already exploited: watch out for this critical flaw https://www.it-connect.fr/langflow-cve-2026-33017-cyberattaques-mars-2026/ #ActuCybersécurité #Cybersécurité
Bluesky
Overview
- WPEverest
- Everest Forms Pro
Description
Statistics
- 2 Posts
Fediverse
🚨 CRITICAL: CVE-2026-3300 in Everest Forms Pro (all versions) enables unauthenticated RCE via "Complex Calculation" forms. Disable the feature or restrict access ASAP. No patch yet — monitor for updates. https://radar.offseq.com/threat/cve-2026-3300-cwe-94-improper-control-of-generatio-6c6e7217 #OffSeq #WordPress #CVE20263300 #RCE
Overview
- OpenOLAT
- OpenOLAT
Description
Statistics
- 1 Post
- 7 Interactions
Fediverse
Our colleague @mal had another look at OpenOLAT and found a nice RCE (CVE-2026-28228 and CVE-2026-28228). If you're interested, details can be found on our blog https://secfault-security.com/blog/openolat-ssti.html
Overview
Description
Statistics
- 1 Post
- 1 Interaction
Fediverse
ruby3.2 (3.2.3-1ubuntu0.24.04.7)
Security fix for CVE-2025-61594
libruby3.2
#Mastodon v4.5 ships ruby 3.4.7. That comes with gem uri (default: 1.0.4), and this CVE affects uri up to 1.0.3, so Mastodon v4.5 should be fine.
pollinatee (4.33-3.1ubuntu1.3)
Not a CVE security fix.
Overview
- micromatch
- picomatch
Description
Statistics
- 1 Post