Human Factor Blog

how human behavior affects security

Programmer’s Digest #178

03/25/2026-04/01/2026 Axios npm Package, N8n Patches Critical Remote Code Execution Vulnerability, LiteLLM PyPI Compromise And More.

1. Axios npm Package Backdoored in Major North Korea-Linked Supply Chain Attack

Google has formally attributed the Axios npm supply chain compromise to UNC1069, a financially motivated North Korean threat cluster active since 2018. Attackers seized the package maintainer’s npm account and pushed two trojanized versions — 1.14.1 and 0.30.4 — that introduced a malicious dependency, plain-crypto-js, as a payload delivery vehicle. A postinstall hook silently executed an obfuscated JavaScript dropper (SILKBELL), which fetched platform-specific second-stage implants for Windows, macOS, and Linux. The backdoor, WAVESHAPER.V2, beacons to its C2 server every 60 seconds and supports remote command execution, directory enumeration, and arbitrary binary injection. After execution, the dropper deleted itself and replaced its package.json with a clean stub to hinder forensic analysis.

Action: Audit dependency trees for axios@1.14.1, axios@0.30.4, or plain-crypto-js. Pin Axios to 1.14.0 in your lockfile, block C2 domain sfrclak[.]com (IP: 142.11.206[.]73), and rotate all credentials from affected environments immediately.

2. Two Chrome Zero-Days Exploited in the Wild: What CVE-2026-3909 and CVE-2026-3910 Mean for Your Business

Google patched two actively exploited Chrome zero-days — CVE-2026-3909 and CVE-2026-3910 — both carrying a CVSS score of 8.8 and discovered internally on March 10, 2026. CVE-2026-3909 is an out-of-bounds write in Skia, Chrome’s 2D graphics engine, capable of causing memory corruption or remote code execution via a malicious webpage. CVE-2026-3910 is an inappropriate implementation flaw in V8, Chrome’s JavaScript engine, allowing arbitrary code execution inside the browser sandbox — again, triggered simply by visiting a crafted page. CISA added both to its Known Exploited Vulnerabilities catalog on March 13, requiring federal agencies to patch by March 27. These are the second and third actively exploited Chrome zero-days of 2026. Chromium-based runtimes used in headless deployments for PDF generation or CI pipelines are equally affected.

Action: Update Chrome to 146.0.7680.75 or later (146.0.7680.76 on macOS) across all workstations and headless environments. A browser restart is required — do not assume auto-update has completed.

3. N8n Patches Critical Remote Code Execution Vulnerability (CVE-2026-33660)

CVE-2026-33660, publicly disclosed on March 25, 2026, affects n8n’s Merge node when its “Combine by SQL” mode is used. The AlaSQL sandbox did not sufficiently restrict certain SQL statements, allowing an authenticated attacker to read local files on the n8n host and achieve remote code execution. The vulnerability has a CVSS score of 9.4 and requires only low-level privileges — specifically, the ability to create or modify workflows — with no user interaction needed. This is at least the third RCE through AlaSQL in n8n’s Merge node in 2026, following CVE-2026-27497 and CVE-2026-27577. The fix in versions 2.14.1, 2.13.3, and 1.123.27 moves execution into an isolated-vm sandbox, eliminating the entire class of attack. n8n workflows routinely hold credentials for databases, APIs, and cloud services, making a compromised instance a high-value pivot point.

Action: Upgrade n8n immediately to 2.14.1, 2.13.3, or 1.123.27. If patching is not immediately possible, add n8n-nodes-base.merge to the NODES_EXCLUDE environment variable to disable the Merge node, and restrict workflow-editing permissions to fully trusted users only.

4. TeamPCP Pushes Malicious Telnyx Versions to PyPI, Hides Stealer in WAV Files

TeamPCP, the threat actor behind the recent LiteLLM and Trivy compromises, struck again on March 27, 2026, pushing two malicious versions of the Telnyx Python package (4.87.1 and 4.87.2) to PyPI. The malware hid its payload inside .WAV audio files using steganography — a technique previously seen in this group’s tooling — to evade network inspection and EDR detection. On Windows, the payload achieves persistence by dropping an executable into the Startup folder as msbuild.exe. On Linux and macOS, it performs a smash-and-grab credential harvest, exfiltrating secrets as tpcp.tar.gz to 83.142.209[.]203:8080 before self-destructing. Endor Labs researchers believe TeamPCP likely obtained Telnyx’s PyPI token through the earlier LiteLLM compromise, where environment variables and CI secrets were swept from affected systems.

Action: Audit environments for telnyx==4.87.1 or 4.87.2, downgrade to 4.87.0, block C2 IP 83.142.209[.]203, check Windows Startup folders for msbuild.exe, and rotate all secrets from any pipeline that imported the package.
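The audit steps in items 1 and 4 above, as an added example that is not part of the digest: a scan of a package-lock.json and of pinned Python requirements against the package versions named in those items. The sample lockfile and requirements below are constructed, not taken from a real project.

```python
import json
from typing import Dict, List, Optional, Set, Tuple

# Indicators taken from the digest above. None means every version of that
# package is suspect (plain-crypto-js only ever existed as the payload carrier).
NPM_BAD: Dict[str, Optional[Set[str]]] = {
    "axios": {"1.14.1", "0.30.4"},
    "plain-crypto-js": None,
}
PYPI_BAD: Dict[str, Optional[Set[str]]] = {
    "telnyx": {"4.87.1", "4.87.2"},
}
Hit = Tuple[str, str]  # (package name, version)


def _is_bad(name: str, version: str, table: Dict[str, Optional[Set[str]]]) -> bool:
    key = name.lower().replace("_", "-")  # PyPI names are case/underscore insensitive
    if key not in table:
        return False
    return table[key] is None or version in table[key]


def audit_package_lock(lock_text: str) -> List[Hit]:
    """Scan a package-lock.json with lockfileVersion 2 or 3 (npm 7+) for the npm indicators."""
    lock = json.loads(lock_text)
    hits: List[Hit] = []
    # The flat "packages" map is keyed by install path, so nested copies
    # such as node_modules/a/node_modules/b are covered as well.
    for path, meta in lock.get("packages", {}).items():
        if not path:
            continue  # "" is the root project itself
        name = path.rsplit("node_modules/", 1)[-1]  # keeps @scope/name intact
        if _is_bad(name, meta.get("version", ""), NPM_BAD):
            hits.append((name, meta.get("version", "")))
    return hits


def audit_requirements(req_text: str) -> List[Hit]:
    """Scan pinned requirement lines (requirements.txt or `pip freeze` output)."""
    hits: List[Hit] = []
    for raw in req_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if "==" not in line:
            continue  # unpinned lines cannot be judged here; pin them
        name, version = (part.strip() for part in line.split("==", 1))
        name = name.split("[", 1)[0]  # drop extras such as pkg[extra]
        if _is_bad(name, version, PYPI_BAD):
            hits.append((name, version))
    return hits


# Constructed sample inputs, not real lockfiles.
SAMPLE_LOCK = json.dumps({"name": "demo-app", "lockfileVersion": 3, "packages": {
    "": {"dependencies": {"axios": "^1.14.0"}},
    "node_modules/axios": {"version": "1.14.1"},
    "node_modules/axios/node_modules/plain-crypto-js": {"version": "1.0.0"},
    "node_modules/lodash": {"version": "4.17.21"}}})
SAMPLE_REQS = "telnyx==4.87.2  # pulled in by the comms module\nrequests>=2.31\n"

if __name__ == "__main__":
    print(audit_package_lock(SAMPLE_LOCK), audit_requirements(SAMPLE_REQS))
```

Run it against every lockfile and frozen requirements file produced by your CI images, not only the ones checked into source control.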

5. LiteLLM PyPI Compromise Triggers Mercor Breach — AI Supply Chain Under Fire

Threat actors known as TeamPCP targeted LiteLLM, a popular open-source API gateway that lets developers talk to over 100 different large language models. The attackers gained initial access by compromising the Trivy vulnerability scanner through a misconfigured GitHub Actions workflow, then stole the PyPI publishing token for LiteLLM and pushed two malicious versions, 1.82.7 and 1.82.8, directly to the public registry. The malware was designed to harvest credentials and establish persistent system access, targeting SSH keys, .env files, cloud credentials, and AI API keys.
Mercor, an AI recruiting and training-data startup, has confirmed it was “one of thousands of companies” hit by the attack. The attackers were only caught because of a small bug in their code that caused a massive memory leak.

Action: If your stack uses LiteLLM, immediately upgrade beyond version 1.82.8 and audit all environments that ran it during late March. Harden GitHub Actions workflows by pinning action versions to commit SHAs and storing PyPI tokens as short-lived OIDC-based credentials rather than long-lived secrets.
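A check for the two hardening steps in the Action above, written as an added example (not LiteLLM's or GitHub's tooling): it flags `uses:` references that are not pinned to a full commit SHA and publish jobs that pull a stored PyPI token from secrets instead of granting `id-token: write` for OIDC trusted publishing. The two workflow texts are constructed, and the 40-hex SHAs in the hardened one are placeholders, not real action commits.

```python
import re
from typing import Dict, List, Tuple

# `uses: owner/repo[/path]@ref`; the ref is what we judge.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([\w.-]+/[\w.-]+(?:/[\w./-]+)?)@(\S+)", re.M)
SHA_RE = re.compile(r"^[0-9a-f]{40}$")  # a full commit SHA is immutable; a tag or branch is not
STORED_TOKEN_RE = re.compile(r"secrets\.\w*PYPI\w*", re.I)  # long-lived token read from secrets
OIDC_RE = re.compile(r"^\s*id-token:\s*write\b", re.M)  # permission trusted publishing needs


def unpinned_actions(workflow: str) -> List[Tuple[str, str]]:
    """Actions referenced by tag or branch instead of a 40-hex commit SHA."""
    return [(name, ref) for name, ref in USES_RE.findall(workflow) if not SHA_RE.match(ref)]


def audit_workflow(workflow: str) -> Dict[str, object]:
    """Summarise the findings for one workflow file."""
    return {
        "unpinned": unpinned_actions(workflow),
        "stored_pypi_token": bool(STORED_TOKEN_RE.search(workflow)),
        "oidc_publish": bool(OIDC_RE.search(workflow)),
    }


# Constructed samples. A moving tag can be retargeted by whoever controls the action repo.
WEAK = """\
name: publish
on: {push: {tags: ['v*']}}
jobs:
  pypi:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@v5
      - run: pip install build && python -m build
      - uses: pypa/gh-action-pypi-publish@release/v1
        with:
          password: ${{ secrets.PYPI_API_TOKEN }}
"""
HARDENED = """\
name: publish
on: {push: {tags: ['v*']}}
jobs:
  pypi:
    runs-on: ubuntu-latest
    permissions:
      id-token: write   # trusted publishing: short-lived OIDC token, nothing stored
      contents: read
    steps:
      - uses: actions/checkout@0000000000000000000000000000000000000001  # placeholder SHA
      - uses: actions/setup-python@0000000000000000000000000000000000000002  # placeholder SHA
      - run: pip install build && python -m build
      - uses: pypa/gh-action-pypi-publish@0000000000000000000000000000000000000003  # placeholder SHA
"""

if __name__ == "__main__":
    print(audit_workflow(WEAK))
    print(audit_workflow(HARDENED))
```

Pinning by SHA only helps if the pin is reviewed when it moves, so pair it with a dependency-update bot that opens a visible pull request for each bump.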

6. LangChain, LangGraph Flaws Expose Files, Secrets, Databases in Widely Used AI Frameworks

Three vulnerabilities in LangChain and LangGraph — collectively downloaded over 84 million times on PyPI last week — expose filesystem data, environment secrets, and conversation history. CVE-2026-34070 (CVSS 7.5) is a path traversal flaw in LangChain’s prompt-loading API that allows arbitrary file reads without validation. CVE-2025-68664 (CVSS 9.3) is a deserialization vulnerability that leaks API keys and environment secrets by tricking the application into treating attacker-supplied input as a pre-serialized LangChain object. CVE-2025-67644 (CVSS 7.3) is an SQL injection flaw in LangGraph’s SQLite checkpoint implementation, enabling arbitrary queries against the conversation history database. Because LangChain sits at the center of a large dependency web, vulnerable code paths propagate through every downstream wrapper and integration that inherits them.

Action: Upgrade immediately: langchain-core >=1.2.22 (CVE-2026-34070), langchain-core 0.3.81 or 1.2.5 (CVE-2025-68664), and langgraph-checkpoint-sqlite 3.0.1 (CVE-2025-67644). Audit any LangChain-based agentic workflows that handle secrets or privileged data.


Programmer’s Digest #177

03/18/2026-03/25/2026 CVE-2025-29927 Exploited in the Wild, Critical NetScaler Flaw, Firefox 149 Patches Three Critical Memory Corruption Flaws And More.

1. Next.js Middleware Authorization Bypass CVE-2025-29927 Exploited in the Wild

On March 21, 2025, researchers published an advisory for CVE-2025-29927, a vulnerability in Next.js middleware that allows authorization bypass through a specially crafted HTTP request containing the internal header x-middleware-subrequest. The flaw affects Next.js versions prior to 12.3.5, 13.5.9, 14.2.25, and 15.2.3, and carries a CVSS score of 9.1 with an EPSS exploitation probability of 92.56%. The x-middleware-subrequest header was originally designed as an internal mechanism to prevent infinite recursive loops. By spoofing this header, external attackers can bypass middleware entirely, skipping authentication, authorization cookie validation, and Content Security Policy enforcement. Vercel-hosted deployments are automatically protected, but self-hosted applications using the next start command with output: standalone are vulnerable. Malicious IP addresses were observed attempting to exploit this vulnerability in GreyNoise Visualizer shortly after disclosure. 

Action: Upgrade to Next.js 12.3.5, 13.5.9, 14.2.25, or 15.2.3. As a short-term mitigation for self-hosted deployments, configure your reverse proxy (Nginx, Cloudflare, AWS ELB) to strip the x-middleware-subrequest header from all inbound requests. Never rely solely on middleware for authentication — enforce access controls at the route or controller level as well.

2. Citrix Urges Patching Critical NetScaler Flaw Allowing Unauthenticated Data Leaks

Citrix has released patches for two vulnerabilities in NetScaler ADC and NetScaler Gateway, including a critical issue that could expose sensitive data.

CVE-2026-3055 (CVSS 9.3) involves insufficient input validation, leading to a memory overread. According to Rapid7, attackers could exploit this flaw remotely without authentication to access sensitive data in memory. However, it only affects systems configured as a SAML Identity Provider (SAML IdP), so default setups are not impacted.

CVE-2026-4368 (CVSS 7.7) is a race condition that may cause user session mix-ups. This requires the appliance to function as a gateway (e.g., SSL VPN or ICA Proxy) or an AAA server.

The flaws impact multiple NetScaler versions, and users should update immediately. Although no active exploitation is confirmed, past NetScaler bugs have been widely abused, making rapid patching essential.

3. Firefox 149 Patches Three Critical Memory Corruption Flaws Including a 9.8 CVE in the JavaScript Engine

CVE-2026-4715 is a critical vulnerability in the Graphics: Canvas2D component of Firefox and Firefox ESR, disclosed on March 24, 2026, with a CVSS score of 9.1. The flaw stems from uninitialized memory, meaning certain memory regions may be used without being properly cleared. This could allow attackers to leak sensitive data or potentially achieve arbitrary code execution.

The issue affects core graphics rendering, so it can likely be triggered through specially crafted web pages. Since the vulnerability is remotely exploitable without authentication, attackers would only need to trick users into visiting a malicious site. It impacts Firefox versions before 149 and Firefox ESR before 140.9. While no public proof-of-concept exists yet, exploitation is considered highly plausible. Users are strongly advised to update to Firefox 149 or Firefox ESR 140.9 or later to mitigate the risk and ensure protection.

4. Trivy Supply Chain Attack Triggers Self-Spreading CanisterWorm Across 47 npm Packages

The CanisterWorm campaign — attributed to the cloud-focused group TeamPCP — began March 20 when Socket researchers found a compromised npm publisher account injecting malicious code across packages. By March 21, the scope had expanded to 135 affected packages, with attackers leveraging existing trust relationships to have malicious code execute automatically during routine installs without requiring any changes from developers. A mutation discovered in @teale.io/eslint-config has proven especially dangerous: unlike the original deploy.js script that required the attacker to run manually with stolen tokens, the new variant incorporates self-propagation directly into index.js via a findNpmTokens() function that executes automatically, stealing npm tokens and using them to infect every package the token can reach. The campaign uses a decentralized Solana blockchain dead-drop for C2, making infrastructure takedowns ineffective. In parallel, two React Native packages — react-native-international-phone-number and react-native-country-select — were compromised on March 16 with obfuscated preinstall hooks targeting approximately 135,000 monthly downloads combined.

Action: Audit package-lock.json and yarn.lock for any packages from the CanisterWorm indicator list published by Socket. Treat any CI environment that ran npm install on affected packages as potentially compromised. Rotate npm tokens, GitHub tokens, and cloud credentials stored in those environments, and block outbound connections to known CanisterWorm C2 infrastructure.

5. API Attack Rates Double Year-over-Year; Akamai Report Flags Behavior-Based Threats as New Normal

Akamai’s State of the Internet report published March 19, 2026, captures a sustained and worsening API threat environment. The average number of API attacks per enterprise per day reached 258 in 2025, more than double the 121 recorded in 2024, and most organizations reported at least one API-related security incident during the year. The shift is qualitative, not just quantitative: behavior-based threats — those that exploit how requests flow through workflows rather than relying on known signatures — now account for a growing share of API traffic, with attackers increasingly focused on degrading performance, driving up infrastructure costs, and exploiting AI-driven automation at scale. Wallarm’s concurrent 2026 API ThreatStats report adds structural context: in 2025, APIs accounted for 11,053 of 67,058 published security bulletins — 17% of all reported vulnerabilities — and 36% of all identified AI vulnerabilities also qualify as API vulnerabilities. Configuration and access control failures remain the most common root causes, dominated by security misconfiguration, broken authorization, and unsafe API consumption patterns.

Action: Add schema validation and strict object-level authorization checks to every API endpoint — not just your authentication layer. Instrument your API gateway to alert on anomalous request rates per endpoint, not just aggregate traffic. If your stack integrates AI tooling or MCP servers, audit those API surfaces explicitly, as they represent the fastest-growing overlap between AI and API attack surfaces.
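The per-endpoint alerting recommended above, as an added example that is not from the Akamai or Wallarm reports: one spike rule applied both per endpoint and to aggregate traffic over a constructed gateway log, where only the per-endpoint view catches a login burst buried inside much larger read traffic. The log line format, the path normalisation and the thresholds are assumptions.

```python
import re
import statistics
from collections import Counter, defaultdict
from typing import Dict, List, Tuple

# Constructed access-log format: "<ISO-8601 time> <client ip> <method> <path> <status>"
LOG_RE = re.compile(r"^(\S+) (\S+) ([A-Z]+) (\S+) (\d{3})$")
ID_RE = re.compile(r"/\d+(?=/|$)")  # numeric object ids inside the path


def endpoint_of(method: str, path: str) -> str:
    """Collapse /api/orders/42 and /api/orders/43 into one endpoint template."""
    template = ID_RE.sub("/{id}", path.split("?", 1)[0])
    return f"{method} {template}"


def per_endpoint_counts(lines: List[str]) -> Dict[str, Counter]:
    """counts[endpoint][minute] -> number of requests in that minute."""
    counts: Dict[str, Counter] = defaultdict(Counter)
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            ts, _ip, method, path, _status = m.groups()
            counts[endpoint_of(method, path)][ts[:16]] += 1  # bucket by minute
    return counts


def _spikes(per_min: Counter, factor: float, floor: int) -> List[Tuple[str, int, float]]:
    """Minutes whose count exceeds both `floor` and `factor` x the median of the other minutes."""
    out = []
    for minute in sorted(per_min):
        others = [per_min[o] for o in per_min if o != minute]
        baseline = statistics.median(others) if others else 0.0
        if per_min[minute] >= floor and per_min[minute] > factor * baseline:
            out.append((minute, per_min[minute], baseline))
    return out


def endpoint_alerts(lines: List[str], factor: float = 4.0, floor: int = 20) -> List[tuple]:
    """Per-endpoint rule: (endpoint, minute, count, baseline) for every spike."""
    return [(ep, *s) for ep, per_min in per_endpoint_counts(lines).items()
            for s in _spikes(per_min, factor, floor)]


def aggregate_alerts(lines: List[str], factor: float = 4.0, floor: int = 20) -> List[tuple]:
    """Same rule over total traffic only, which is what misses the burst in the sample."""
    total: Counter = Counter()
    for per_min in per_endpoint_counts(lines).values():
        total.update(per_min)
    return _spikes(total, factor, floor)


def make_sample_log() -> List[str]:
    """Constructed: 200 order reads and 5 logins per minute, then 40 logins at 10:04."""
    lines = []
    for minute in range(5):
        for i in range(200):
            lines.append(f"2026-03-19T10:0{minute}:{i % 60:02d}Z 198.51.100.{i % 200} GET /api/orders/{1000 + i} 200")
        for i in range(40 if minute == 4 else 5):
            lines.append(f"2026-03-19T10:0{minute}:{i % 60:02d}Z 203.0.113.7 POST /api/login 401")
    return lines
```

In production the baseline should come from a longer history than the surrounding minutes, but the comparison to make is the same: each endpoint against its own norm.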


Programmer’s Digest #176

03/11/2026-03/18/2026 Wing FTP Server Flaw, Python Repositories Compromised, Flaws in Linux AppArmor And More.

1. AI Flaws in Amazon Bedrock, LangSmith, and SGLang Enable Data Exfiltration and RCE

Cybersecurity researchers have uncovered a new data exfiltration method targeting AI code execution environments via DNS queries. BeyondTrust found that Amazon Bedrock AgentCore Code Interpreter allows outbound DNS requests even in sandbox mode, enabling attackers to bypass network isolation. This behavior can be abused to create command-and-control channels, execute commands, and exfiltrate sensitive data—especially if the system’s IAM role has excessive permissions. Attackers can send instructions through DNS records, retrieve payloads, and establish persistent access.

Although reported in 2025, Amazon considers this intended functionality and recommends using VPC mode and DNS firewalls for stronger isolation.
Separately, a flaw in LangSmith (CVE-2026-25750) allowed token theft and account takeover via malicious links, now patched. Meanwhile, critical vulnerabilities in SGLang could enable remote code execution through unsafe deserialization, highlighting growing security risks in AI infrastructure.

2. CISA Flags Wing FTP Server Flaw as Actively Exploited in Attacks

CISA has warned U.S. agencies to secure Wing FTP Server against an actively exploited vulnerability that could be used in remote code execution (RCE) attacks.
Tracked as CVE-2025-47813, the flaw allows low-privileged attackers to reveal the application’s installation path through error messages. While not critical alone, it can be chained with other vulnerabilities, including an RCE flaw (CVE-2025-47812) and a password disclosure bug.

These issues were patched in version 7.4.4, but attackers began exploiting them shortly after disclosure. Proof-of-concept code has also been released, increasing the risk.

CISA added the flaw to its Known Exploited Vulnerabilities catalog and gave federal agencies two weeks to patch. Although the directive targets government systems, all organizations are strongly urged to update immediately to prevent ongoing attacks.

3. Python Repositories Compromised in GlassWorm Aftermath

Threat actors are exploiting credentials stolen in the GlassWorm campaign to compromise GitHub accounts and inject malware into Python repositories. Discovered by StepSecurity, the attacks began around March 8 and target Django apps, ML projects, PyPI packages, and Streamlit dashboards, likely aiming to steal cryptocurrency and sensitive data. Using stolen credentials, attackers modify repositories by rebasing legitimate commits, inserting obfuscated malicious code, and force-pushing changes. This method, called ForceMemo, hides traces by keeping original commit messages and author dates intact. The malware avoids Russian-language systems and retrieves instructions from a Solana blockchain address, then downloads and executes encrypted payloads while maintaining persistence.

Hundreds of repositories have been affected. The campaign builds on GlassWorm, a malware strain first seen in 2025 that steals credentials and crypto assets. It has since evolved into a multi-platform threat, also targeting VS Code extensions and NPM packages using more stealthy delivery techniques.
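The ForceMemo pattern described above (rebase, insert, force-push, with commit messages and author dates kept) still leaves a fingerprint: a rebase gives each rewritten commit a new hash and a new committer date while preserving its author date. The following is an added example, not from the StepSecurity write-up, that compares a previously recorded `git log` snapshot of a branch with the branch as fetched later; the log format, the sample commits, and their hashes and timestamps are constructed.

```python
from typing import Dict, List, NamedTuple, Tuple


class Commit(NamedTuple):
    sha: str
    author_ts: int  # %at: when the change was written; a rebase keeps this
    commit_ts: int  # %ct: when this commit object was built; a rebase resets this
    author: str
    subject: str


def parse_log(text: str) -> List[Commit]:
    """Parse the output of: git log --format='%H|%at|%ct|%an|%s' (newest first)."""
    commits = []
    for line in text.strip().splitlines():
        sha, at, ct, author, subject = line.split("|", 4)
        commits.append(Commit(sha, int(at), int(ct), author, subject))
    return commits


def _key(c: Commit) -> Tuple[str, int, str]:
    return (c.author, c.author_ts, c.subject)  # the metadata a rebase preserves


def rewritten_commits(before: List[Commit], after: List[Commit]) -> List[Tuple[str, str, str]]:
    """Commits whose preserved metadata matches a recorded commit but whose hash changed.
    Returns (old_sha, new_sha, subject); `git diff old_sha new_sha` shows what was inserted."""
    known: Dict[Tuple[str, int, str], str] = {_key(c): c.sha for c in before}
    hits = []
    for c in after:
        old = known.get(_key(c))
        if old is not None and old != c.sha:
            hits.append((old, c.sha, c.subject))
    return hits


def unknown_commits(before: List[Commit], after: List[Commit]) -> List[Commit]:
    """Commits whose metadata was never recorded: genuinely new work, or an inserted one."""
    known = {_key(c) for c in before}
    return [c for c in after if _key(c) not in known]


def stale_commits(log: List[Commit], max_gap: int = 7 * 86400) -> List[Commit]:
    """Commits built long after they were authored. Ordinary rebases do this too, so
    treat it as a triage hint for repositories that have no recorded snapshot."""
    return [c for c in log if c.commit_ts - c.author_ts > max_gap]


# Constructed sample: a snapshot recorded before the incident and the branch fetched after.
LOG_BEFORE = """\
cccc0003|1772000200|1772000200|dev|Add model loader
bbbb0002|1772000100|1772000100|dev|Fix settings import
aaaa0001|1772000000|1772000000|dev|Initial commit
"""
LOG_AFTER = """\
dddd0004|1772900000|1772900000|dev|Update dependencies
cccc9903|1772000200|1772900000|dev|Add model loader
bbbb9902|1772000100|1772900000|dev|Fix settings import
aaaa0001|1772000000|1772000000|dev|Initial commit
"""
```

Recording the snapshot is the part that needs to exist before the incident, for example as the branch tip hash and log captured by CI on each push, since a force-push leaves nothing on the server side to compare against afterwards.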

4. Nine CrackArmor Flaws in Linux AppArmor Enable Root Escalation, Bypass Container Isolation

Cybersecurity researchers from Qualys have disclosed nine vulnerabilities in the Linux AppArmor module, collectively called CrackArmor. These flaws, present since 2017, allow unprivileged users to bypass protections, escalate privileges to root, and weaken container isolation. The issues stem from “confused deputy” vulnerabilities, where attackers manipulate trusted processes to perform malicious actions. By exploiting AppArmor profile handling, attackers can bypass namespace restrictions, execute arbitrary code, and even disable security controls. The flaws also enable denial-of-service attacks, kernel memory exposure, and techniques like KASLR bypass. In some cases, attackers could modify critical files (e.g., /etc/passwd) or gain full system control.

The vulnerabilities affect Linux kernels since version 4.11 across distributions like Ubuntu, Debian, and SUSE. With millions of systems impacted, immediate kernel patching is strongly recommended, as temporary mitigations are insufficient to fully address the risks.

5. CISA Adds n8n RCE Flaw to List of Known Exploited Vulnerabilities

CISA has added a critical remote code execution flaw in n8n to its Known Exploited Vulnerabilities catalog, requiring federal agencies to patch within two weeks. Tracked as CVE-2025-68613, the flaw was disclosed in December 2025 and allows authenticated attackers to execute arbitrary code with the same privileges as the n8n process. This could lead to full system compromise, unauthorized data access, and execution of system-level commands. The vulnerability affects versions from 0.211.0 up to patched releases (1.120.4, 1.121.1, 1.122.0) and received a CVSS score up to 9.9. Exploits show that workflow expressions can access the Node.js environment, enabling command execution via the UI or API. Over 24,000 instances remain exposed. Due to active exploitation risks, agencies must patch by March 25, 2026.
