03/11/2026-03/18/2026 Wing FTP Server Flaw, Python Repositories Compromised, Flaws in Linux AppArmor And More.

1. AI Flaws in Amazon Bedrock, LangSmith, and SGLang Enable Data Exfiltration and RCE

Cybersecurity researchers have uncovered a new data exfiltration method targeting AI code execution environments via DNS queries. BeyondTrust found that Amazon Bedrock AgentCore Code Interpreter allows outbound DNS requests even in sandbox mode, enabling attackers to bypass network isolation.This behavior can be abused to create command-and-control channels, execute commands, and exfiltrate sensitive data—especially if the system’s IAM role has excessive permissions. Attackers can send instructions through DNS records, retrieve payloads, and establish persistent access.

Although reported in 2025, Amazon considers this intended functionality and recommends using VPC mode and DNS firewalls for stronger isolation.
Separately, a flaw in LangSmith (CVE-2026-25750) allowed token theft and account takeover via malicious links, now patched. Meanwhile, critical vulnerabilities in SGLang could enable remote code execution through unsafe deserialization, highlighting growing security risks in AI infrastructure.

2. CISA Flags Wing FTP Server Flaw as Actively Exploited in Attacks

CISA has warned U.S. agencies to secure Wing FTP Server against an actively exploited vulnerability that could be used in remote code execution (RCE) attacks.
Tracked as CVE-2025-47813, the flaw allows low-privileged attackers to reveal the application’s installation path through error messages. While not critical alone, it can be chained with other vulnerabilities, including an RCE flaw (CVE-2025-47812) and a password disclosure bug.

These issues were patched in version 7.4.4, but attackers began exploiting them shortly after disclosure. Proof-of-concept code has also been released, increasing the risk.

CISA added the flaw to its Known Exploited Vulnerabilities catalog and gave federal agencies two weeks to patch. Although the directive targets government systems, all organizations are strongly urged to update immediately to prevent ongoing attacks.

3. Python Repositories Compromised in GlassWorm Aftermath

Threat actors are exploiting credentials stolen in the GlassWorm campaign to compromise GitHub accounts and inject malware into Python repositories. Discovered by StepSecurity, the attacks began around March 8 and target Django apps, ML projects, PyPI packages, and Streamlit dashboards, likely aiming to steal cryptocurrency and sensitive data.Using stolen credentials, attackers modify repositories by rebasing legitimate commits, inserting obfuscated malicious code, and force-pushing changes. This method, called ForceMemo, hides traces by keeping original commit messages and author dates intact.The malware avoids Russian-language systems and retrieves instructions from a Solana blockchain address, then downloads and executes encrypted payloads while maintaining persistence.

Hundreds of repositories have been affected. The campaign builds on GlassWorm, a malware strain first seen in 2025 that steals credentials and crypto assets. It has since evolved into a multi-platform threat, also targeting VS Code extensions and NPM packages using more stealthy delivery techniques.

4. Nine CrackArmor Flaws in Linux AppArmor Enable Root Escalation, Bypass Container Isolation

Cybersecurity researchers from Qualys have disclosed nine vulnerabilities in the Linux AppArmor module, collectively called CrackArmor. These flaws, present since 2017, allow unprivileged users to bypass protections, escalate privileges to root, and weaken container isolation. The issues stem from “confused deputy” vulnerabilities, where attackers manipulate trusted processes to perform malicious actions. By exploiting AppArmor profile handling, attackers can bypass namespace restrictions, execute arbitrary code, and even disable security controls. The flaws also enable denial-of-service attacks, kernel memory exposure, and techniques like KASLR bypass. In some cases, attackers could modify critical files (e. g., /etc/passwd) or gain full system control.

The vulnerabilities affect Linux kernels since version 4.11 across distributions like Ubuntu, Debian, and SUSE. With millions of systems impacted, immediate kernel patching is strongly recommended, as temporary mitigations are insufficient to fully address the risks.

5. CISA Adds n8n RCE Flaw to List of Known Exploited Vulnerabilities

CISA has added a critical remote code execution flaw in n8n to its Known Exploited Vulnerabilities catalog, requiring federal agencies to patch within two weeks. Tracked as CVE-2025-68613, the flaw was disclosed in December 2025 and allows authenticated attackers to execute arbitrary code with the same privileges as the n8n process. This could lead to full system compromise, unauthorized data access, and execution of system-level commands.The vulnerability affects versions from 0.211.0 up to patched releases (1.120.4, 1.121.1, 1.122.0) and received a CVSS score up to 9.9. Exploits show that workflow expressions can access the Node.js environment, enabling command execution via the UI or API. Over 24,000 instances remain exposed. Due to active exploitation risks, agencies must patch by March 25, 2026.

03/04/2026-03/11/2026 CISA Flags SolarWinds, Ivanti, and Workspace One Vulnerabilities, GhostClaw Poses As OpenClaw To Steal Sensitive Developer Data And More.

1. Five Malicious Rust Crates and AI Bot Exploit CI/CD Pipelines to Steal Developer Secrets

Cybersecurity researchers discovered five malicious Rust crates disguised as time-related utilities that secretly steal sensitive data from developers. The packages—chrono_anchor, dnp3times, time_calibrator, time_calibrators, and time-sync—were uploaded to the crates.io between late February and early March 2026. Although presented as tools to calibrate local time without Network Time Protocol, the crates actually search for .env files and send their contents to attacker-controlled servers. These files often store API keys, tokens, and other secrets, making them valuable targets. Four of the packages simply collect and transmit the data, while chrono_anchor hides the malicious logic using obfuscation to avoid detection. The stolen information is sent to a look-alike domain, timeapis[.]io. The crates have now been removed, but developers who installed them should assume their secrets were exposed, rotate credentials, and review CI/CD pipelines. The campaign highlights how even simple supply-chain attacks can cause serious damage inside developer environments.

2. CISA Flags SolarWinds, Ivanti, and Workspace One Vulnerabilities as Actively Exploited

CISA has added three vulnerabilities to its KEV Catalog after confirming active exploitation. The flaws affect Omnissa Workspace ONE UEM, SolarWinds Web Help Desk, and Ivanti Endpoint Manager. One vulnerability allows server-side request forgery that could expose sensitive data, while another enables attackers to execute commands on affected systems. The third flaw allows authentication bypass that may leak stored credentials. Security researchers report that attackers are already exploiting the SolarWinds Web Help Desk flaw to gain initial access, with activity linked to the Warlock ransomware group. CISA has ordered U.S. federal agencies to patch the SolarWinds vulnerability by March 12, 2026, and the remaining flaws by March 23, 2026 to reduce security risks.

3. GhostClaw Poses As OpenClaw To Steal Sensitive Developer Data

Security researchers discovered a malicious npm package posing as the OpenClaw Installer. Instead of installing a legitimate tool, it deploys a malware framework designed to steal developer secrets, browser data, crypto wallet files, and system credentials while installing a persistent remote access tool. The package appears harmless at first, but its real behavior is hidden in setup and postinstall scripts. During installation, it silently installs itself globally and launches a convincing fake installer in the terminal with progress bars and setup messages. Afterward, it displays a fake Keychain prompt requesting the user’s system password. If entered correctly, the malware gains access to protected data. The script then downloads an encrypted second-stage payload called GhostLoader, which acts as both an infostealer and a remote access trojan. It steals credentials, cloud profiles, and browser data, sends them to attacker servers, and maintains persistent system access.

4. OpenAI Rolls Out Codex Security Vulnerability Scanner

OpenAI has introduced a new AI-powered vulnerability scanner called Codex Security (previously Aardvark). Currently in research preview, the tool has been tested in private beta by companies such as Netgear. It is now available to ChatGPT Pro, Enterprise, Business, and Edu users with free access for one month.

Codex Security analyzes code repositories to understand system context and build a threat model based on trusted components, system roles, and potential exposures. It then searches for vulnerabilities, ranks them by real-world risk, and suggests patches.

During testing over 30 days, the tool scanned 1.2 million commits and detected nearly 800 critical vulnerabilities and more than 10,000 high-severity issues. Problems were found in major open-source projects including Chromium, OpenSSL, and PHP.

5. UNC6426 Exploits nx npm Supply-Chain Attack to Gain AWS Admin Access in 72 Hours

A threat actor known as UNC6426 breached a company’s cloud environment within 72 hours after exploiting a supply-chain attack involving the Nx npm package. The attack began when a developer’s GitHub token was stolen.

Using the token, the attacker accessed the victim’s cloud environment and abused a trust relationship between GitHub and Amazon Web Services through OpenID Connect. This allowed them to create a new administrator role and gain full cloud control.

The attackers then accessed Amazon S3 buckets to steal files and later destroyed parts of the production environment. The compromise was linked to a malicious script that installed a credential-stealing tool called QUIETVAULT, which collected tokens and sensitive data.

The incident highlights how supply-chain attacks targeting developer tools can quickly escalate into full cloud breaches if permissions are misconfigured.

02/25/2026-03/04/2026 Actively Exploited VMware Aria Operations Flaw, 26 Suspicious npm Packages in New Cyber Campaign And More.

1. CISA Adds Actively Exploited VMware Aria Operations Flaw CVE-2026-22719 to KEV Catalog

 CISA has added a newly disclosed flaw affecting VMware Aria Operations to its KEV catalog, citing active attacks. Tracked as CVE-2026-22719 (CVSS 8.1), the high-severity bug is a command injection issue that allows unauthenticated attackers to execute arbitrary commands, potentially leading to remote code execution during support-assisted product migration. The vulnerability was patched alongside CVE-2026-22720 (stored XSS) and CVE-2026-22721 (privilege escalation). Affected products include VMware Cloud Foundation and VMware vSphere Foundation 9.x (fixed in 9.0.2.0) and VMware Aria Operations 8.x (fixed in 8.18.6). Customers unable to patch immediately can run the “aria-ops-rce-workaround.sh” script as root on each virtual appliance node. Broadcom acknowledged reports of in-the-wild exploitation but said it cannot independently confirm them. Federal Civilian Executive Branch agencies must apply fixes by March 24, 2026.

2. Fake Next.js Job Interview Tests Backdoor Developer’s Devices

A coordinated campaign is targeting software developers with job-themed lures, using malicious repositories disguised as legitimate Next.js projects and coding assessments. The operation aims to achieve remote code execution (RCE), steal sensitive data, and deploy additional payloads on compromised machines. According to Microsoft, attackers created fake web apps and hosted them on platforms like Bitbucket. When developers clone and open the projects, embedded malicious JavaScript executes automatically. The code downloads a backdoor from a remote server and runs it in memory via Node.js. To boost infection rates, the repositories include multiple triggers: a VS Code task that runs on folder open, a trojanized asset activated by “npm run dev,” and a backend module that exfiltrates environment variables and executes attacker-supplied code. The infection deploys staged payloads that profile hosts, connect to command-and-control servers, execute remote tasks, and enable file exfiltration. Developers are urged to enable Workspace Trust, apply security controls, and limit stored secrets.

3. North Korean-Linked Hackers Target Developers Through 26 Suspicious npm Packages in New Cyber Campaign

Cybersecurity researchers have warned of a new threat campaign allegedly tied to North Korean actors, involving 26 malicious packages uploaded to the npm registry. The packages were disguised as legitimate development tools and used typosquatting to mimic popular libraries, increasing the chances of accidental installation. Believed to be a variant of the “Contagious Interview” campaign, the operation reportedly used Pastebin-based steganography to hide command-and-control (C2) addresses inside seemingly harmless text files. Each package executed an installation script that launched a payload from “vendor/scrypt-js/version.js,” which decoded hidden server domains by stripping zero-width Unicode characters and extracting embedded data. The malware supported Windows, macOS, and Linux, and used WebSocket communication to receive commands. It included modules for data theft, VS Code persistence, keylogging, browser credential harvesting, and crypto wallet targeting, while scanning repositories for exposed secrets. The activity has been tentatively linked to the North Korea-associated group Famous Chollima. Developers are urged to verify npm packages carefully.

4. New Chrome Vulnerability Let Malicious Extensions Escalate Privileges via Gemini Panel

Cybersecurity researchers have detailed a patched high-severity flaw in Google Chrome that could have enabled privilege escalation and access to local files. Tracked as CVE-2026-0628 (CVSS 8.8), the issue stemmed from insufficient policy enforcement in the WebView tag and was fixed in version 143.0.7499.192/.193 for Windows, Mac, and Linux in January 2026. Discovered by Palo Alto Networks Unit 42 researcher Gal Weizman, the flaw—codenamed “Glic Jack”—affected Chrome’s Gemini Live side panel, which loads content via a WebView component. Attackers could trick users into installing a malicious extension with basic permissions, allowing script injection into the Gemini panel. Successful exploitation could have granted access to the camera, microphone, screenshots, and local files. The bug exposed risks tied to embedding AI agents directly into browsers, where privileged components may introduce new attack surfaces despite existing extension security controls.

5. Malicious StripeApi NuGet Package Mimicked Official Library and Stole API Tokens

Cybersecurity researchers have uncovered a malicious package on the NuGet Gallery impersonating a legitimate library from Stripe to target the financial sector. The package, named StripeApi.Net, mimicked the official Stripe.net library, which has over 75 million downloads. Uploaded on February 16, 2026, by a user called “StripePayments,” it copied the legitimate package’s icon and nearly identical documentation, subtly altering the name to “Stripe-net.” The attacker also inflated download numbers to more than 180,000 across 506 versions to boost credibility. According to ReversingLabs, the package preserved most legitimate functionality but modified key methods to steal sensitive data, including Stripe API tokens, and exfiltrate them to a remote server. Because applications continued to compile and run normally, developers were unlikely to notice the compromise. The package was reported and removed before causing significant harm.