Issue #192 - March 30, 2026
New EvilTokens Service Fuels Microsoft Device Code Phishing Attacks
Source: BleepingComputer
A new phishing-as-a-service platform called EvilTokens has emerged on Telegram, providing cybercriminals with a turnkey Microsoft device code phishing kit that abuses the OAuth 2.0 device authorization flow to harvest both short-lived access tokens and long-lasting refresh tokens — granting persistent account access without triggering password-based alerts. The kit includes pre-built phishing templates impersonating DocuSign, Adobe Acrobat Sign, SharePoint, and OneDrive, with AI-generated lures targeting finance, HR, and logistics staff. By late March 2026, over 1,000 domains were confirmed hosting EvilTokens pages across the US, Canada, Australia, France, and the UAE, with campaigns already hitting 340-plus organizations.
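As an added illustration (not code from the article or from any vendor), the following Python triages Entra ID sign-in records for completed device-code sign-ins, the flow EvilTokens abuses; the record field names follow the Microsoft Graph signIn resource and are assumed here, and the sample records are constructed.

```python
"""Triage OAuth 2.0 device-code sign-ins in Entra ID sign-in log records."""
from collections import defaultdict

# Constructed sample records, shaped like the Microsoft Graph signIn resource
# (field names are an assumption; check them against your tenant's export).
SAMPLE_SIGNINS = [
    {"userPrincipalName": "a.lee@example.test", "authenticationProtocol": "deviceCode",
     "appDisplayName": "Microsoft Office", "ipAddress": "203.0.113.10", "status": {"errorCode": 0}},
    {"userPrincipalName": "b.chan@example.test", "authenticationProtocol": "deviceCode",
     "appDisplayName": "Microsoft Azure CLI", "ipAddress": "198.51.100.7", "status": {"errorCode": 0}},
    {"userPrincipalName": "c.diaz@example.test", "authenticationProtocol": "deviceCode",
     "appDisplayName": "Microsoft Office", "ipAddress": "203.0.113.10", "status": {"errorCode": 50076}},
    {"userPrincipalName": "d.ng@example.test", "authenticationProtocol": "none",
     "appDisplayName": "Microsoft Office", "ipAddress": "192.0.2.44", "status": {"errorCode": 0}},
    {"userPrincipalName": "e.ross@example.test", "authenticationProtocol": "deviceCode",
     "appDisplayName": "Microsoft Office", "ipAddress": "203.0.113.10", "status": {"errorCode": 0}},
]

def device_code_signins(records, allow_apps=frozenset()):
    """Successful device-code sign-ins, minus apps known to use the flow legitimately.

    A phished device code produces a successful sign-in with no password event, so the
    protocol field is the primary signal; failed attempts are left out of this list.
    """
    return [
        r for r in records
        if r.get("authenticationProtocol") == "deviceCode"
        and r.get("status", {}).get("errorCode", 0) == 0
        and r.get("appDisplayName") not in allow_apps
    ]

def users_by_source_ip(records, allow_apps=frozenset()):
    """Map each source IP of a flagged sign-in to the distinct users seen from it."""
    seen = defaultdict(set)
    for r in device_code_signins(records, allow_apps):
        seen[r["ipAddress"]].add(r["userPrincipalName"])
    return {ip: sorted(users) for ip, users in seen.items()}

def shared_source_ips(records, min_users=2, allow_apps=frozenset()):
    """IPs from which several different users completed device-code sign-ins.

    Several users finishing the flow from one address is a triage signal, not a verdict;
    confirm before revoking sessions for everyone involved.
    """
    return sorted(ip for ip, users in users_by_source_ip(records, allow_apps).items()
                  if len(users) >= min_users)

if __name__ == "__main__":
    for ip in shared_source_ips(SAMPLE_SIGNINS, allow_apps={"Microsoft Azure CLI"}):
        print(f"review, then revoke sessions for users seen via {ip}:",
              users_by_source_ip(SAMPLE_SIGNINS)[ip])
```

Because the kit collects refresh tokens, a password reset alone does not end the access; revoking the affected users' sign-in sessions (which invalidates refresh tokens) is the step that does.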
Axios NPM Package Breached in North Korean Supply Chain Attack
Source: SecurityWeek
On March 31, 2026, threat actors attributed by Google's Threat Intelligence Group to North Korean operator UNC1069 hijacked the npm account of the lead Axios maintainer and published two backdoored versions of the library — which has over 100 million weekly downloads — containing a malicious dependency that silently deployed a cross-platform remote access trojan to macOS, Windows, and Linux systems. The poisoned packages were live for approximately three hours before being removed, with roughly 3% of the Axios userbase affected. Security teams are advised to treat any system that ran npm install during the attack window as fully compromised and rotate all associated credentials.
CERT-UA Impersonation Campaign Spread AGEWHEEZE Malware to 1 Million Emails
Source: The Hacker News
Threat actors tracked as UAC-0255 conducted a large-scale phishing campaign on March 26–27, 2026, impersonating Ukraine's Computer Emergency Response Team (CERT-UA) to distribute a Go-based remote access trojan called AGEWHEEZE. The attackers sent emails to one million ukr.net mailboxes posing as official CERT-UA security software, along with a fraudulent website mimicking the agency's portal. Targeted sectors included state organizations, medical centers, financial institutions, educational establishments, and software development firms.
Critical Citrix NetScaler Vulnerability Exploited in the Wild
Source: Infosecurity Magazine
A critical memory overread vulnerability in Citrix NetScaler ADC and NetScaler Gateway — tracked as CVE-2026-3055 with a CVSS v4.0 score of 9.3 — came under active in-the-wild exploitation as of March 27, 2026, just four days after its public disclosure. The flaw allows unauthenticated remote attackers to leak potentially sensitive information from appliance memory by sending crafted SAML request payloads. CISA ordered federal agencies to patch by April 3, 2026, and Citrix and the UK NCSC urged immediate remediation across all affected enterprise appliances.
Cisco Patches Critical and High-Severity Vulnerabilities
Source: SecurityWeek
Cisco released patches for multiple critical and high-severity vulnerabilities, including a critical authentication bypass in its Integrated Management Controller (IMC) allowing unauthenticated attackers to modify administrator passwords via crafted HTTP requests and gain full system access. Additional critical flaws address authentication bypass and arbitrary command execution, while high-severity bugs in Evolved Programmable Network Manager and SSM On-Prem enable information disclosure and privilege escalation. Organizations running Cisco infrastructure are urged to apply updates immediately, particularly for internet-facing management interfaces.