
Weekly INK

Each week we compile an advisory on the latest threats, trends and newsworthy topics from the cyber security industry affecting small and medium enterprises. Join our subscribers below and help us prevent cybersecurity breaches.


Issue #191 - March 23, 2026


FBI Links Signal Phishing Attacks to Russian Intelligence Services

Source: BleepingComputer

The FBI issued a public service announcement directly attributing widespread campaigns that hijack Signal and WhatsApp accounts to Russian intelligence-linked threat actors, making it the first formal US government attribution of these attacks. Rather than breaking end-to-end encryption, the campaign exploits legitimate device-linking features to silently add attacker-controlled devices to victims' accounts, allowing full access to messages and contacts. The FBI confirmed that thousands of accounts have already been compromised, with high-value targets including current and former US government officials, military personnel, politicians, and journalists.

Trivy Supply Chain Attack Triggers Self-Spreading CanisterWorm Across 47 npm Packages

Source: The Hacker News

Threat actors behind the supply-chain compromise targeting the widely used Trivy open-source vulnerability scanner have expanded their campaign, deploying a previously undocumented self-propagating worm called CanisterWorm that has already spread to 47 downstream npm packages. The worm uses a tamperproof ICP canister on the Internet Computer blockchain as a dead-drop resolver to retrieve C2 instructions — a novel persistence technique that complicates takedown efforts. The same group, tracked as TeamPCP, also compromised GitHub Actions workflows maintained by cloud security firm Checkmarx, using credentials stolen in the Trivy breach to poison additional repositories.

Critical Langflow Flaw CVE-2026-33017 Triggers Attacks Within 20 Hours of Disclosure

Source: The Hacker News

A critical unauthenticated remote code execution vulnerability in Langflow — a widely used open-source AI platform with over 56,000 downloads — came under active exploitation within just 20 hours of its public disclosure, before any proof-of-concept code was published. Tracked as CVE-2026-33017 with a CVSS score of 9.3, the flaw allows attackers to pass arbitrary Python code to an exec() call with no sandboxing via a single weaponized HTTP request. CISA added the flaw to its Known Exploited Vulnerabilities catalog on March 25, requiring federal agencies to patch by April 8, 2026, after cloud security firm Sysdig confirmed active exploitation that was stealing data from compromised systems.

M-Trends 2026: Initial Access Handoff Shrinks From Hours to 22 Seconds

Source: SecurityWeek

Google's M-Trends 2026 report — based on over 500,000 hours of Mandiant incident response investigations conducted in 2025 — reveals that the median time between an attacker gaining initial access and handing off to a secondary threat group has collapsed from more than 8 hours in 2022 to just 22 seconds in 2025. Mandiant attributes this to closer collaboration between initial access brokers and downstream groups, with automated malware delivery increasingly replacing manual forum-based brokering. The report also found that exploits remained the leading initial access vector for the sixth consecutive year, while voice phishing climbed to second place, appearing in 11% of all investigations.

Tycoon2FA Phishing Service Resumes Activity Post-Takedown

Source: Infosecurity Magazine

Despite a coordinated law enforcement action on March 4 in which Europol and partners from six countries seized 330 domains forming the core infrastructure of the Tycoon2FA phishing-as-a-service platform, the service has fully rebounded to pre-disruption activity levels. CrowdStrike's Falcon Complete team observed that campaign volumes dropped to just 25% on March 4 and 5, before rapidly recovering as operators rebuilt using new domains, fresh hosting, and IPv6 infrastructure. The incident highlights the limits of infrastructure-only takedowns when no arrests follow, with attackers continuing to target Microsoft 365 and Google accounts using adversary-in-the-middle techniques that bypass MFA.
