Daily Recap: AI is accelerating phishing, automated reconnaissance, and malware development, while identity compromise has become a commodified supply chain that forces defenders to prioritize identity protection and proactive credential detection. Law enforcement reports ongoing takedowns and evolving campaigns, with the RedLine admin extradited to the US, Torg Grabber targeting 728 wallets, and GlassWorm delivering a RAT via rogue packages, as Coruna, NetScaler, PolyShell, and LiteLLM highlight broader vulnerabilities and supply-chain risks. #RedLine #TorgGrabber #GlassWorm #LeakBase #PortOfVigo #LiteLLM #Coruna #NetScaler #PolyShell #Magento #Bubble #WhatsApp #KaliLinux #GitHub #OnitSecurity #Triangulation #Emotet #IcedID #Qbot #Ursnif
Malware & Infostealers
- AI is accelerating phishing, automated reconnaissance and malware development while identity compromise has become a commodified supply chain—forcing defenders to prioritize identity protection and proactive credential detection – AI & Identity, AI Kill Chain, Paid AI Accounts, Fraud Chain
- Law enforcement and researchers report ongoing takedowns and evolving campaigns: RedLine admin extradited to the US, the Torg Grabber infostealer now targets 728 crypto wallets, and GlassWorm uses rogue packages and Solana dead-drops to deliver a RAT and steal browser/crypto data – RedLine Admin, Torg Grabber, GlassWorm RAT
Law Enforcement
- Russian police arrested the alleged operator of LeakBase in Russia as part of “Operation Leak,” seizing the domain and conducting about 100 cross-border enforcement actions to collect evidence – LeakBase Arrest, LeakBase Arrest
- A Russian cybercriminal received a 2-year US sentence for running a botnet that enabled ransomware affecting over 70 US companies and producing roughly $14 million in ransom payments, with links to loaders like Emotet, IcedID, Qbot and Ursnif – MarioKart Sentence
Vulnerabilities & Exploits
- The actively maintained Coruna iOS exploit framework—linked to Operation Triangulation—packages 5 exploit chains using 23 vulnerabilities to target modern Apple chips and has been repurposed toward broader crypto‑theft campaigns – Coruna iOS
- Citrix urges admins to patch NetScaler ADC and Gateway flaws immediately—notably CVE-2026-3055 and CVE-2026-4368—as thousands of exposed instances could be quickly abused once patches are reverse‑engineered – Citrix Patch
- Attackers exploited the PolyShell Magento flaw to hit roughly 56.7% of vulnerable stores, delivering a novel WebRTC-based skimmer that exfiltrates card data over DTLS/UDP to evade CSP and detection – PolyShell Magento
Supply Chain & Packages
- A supply‑chain compromise of the open-source LiteLLM Python package (versions 1.82.7/1.82.8) on PyPI contained code to exfiltrate cloud credentials, API keys and wallets and install a persistent downloader, risking thousands of affected cloud environments—treat exposed secrets as compromised – LiteLLM Supply
Security Tools & Industry
- GitHub is adding AI-powered bug detection to complement CodeQL—expanding coverage to Shell, Dockerfiles, Terraform, PHP and more with a hybrid AI/CodeQL model and a public preview expected in early Q2 2026 – GitHub AI
- Israeli startup Onit Security raised $11 million to scale an agentic exposure management platform that maps vulnerabilities to business decisions and automates remediation prioritization – Onit Funding
- Kali Linux 2026.1 was released with eight new tools, a kernel upgrade to 6.18, a new BackTrack mode, and installer/ISO updates for the first release of the year – Kali 2026.1
Consumer Apps & Phishing
- WhatsApp rolled out AI-powered reply features, image touch-up, full iOS/Android chat transfer and iOS multi-account support plus anti‑scam protections and lockdown options after warnings of state-backed targeting – WhatsApp AI
- Threat actors abused the no-code Bubble platform to host credential‑stealing apps on trusted *.bubble.io domains, bypassing email security and stealing Microsoft account credentials via complex JavaScript/Shadow DOM tricks – Bubble Phishing
Infrastructure & Operational Risk
- CISA’s acting chief warned that a DHS shutdown has furloughed about 60% of CISA staff, increasing systemic cyber risk, reducing information sharing, and causing retention issues ahead of major events – CISA Shutdown
- A ransomware attack disrupted digital systems at Spain’s Port of Vigo, forcing manual cargo handling after affected servers were isolated while authorities investigate and demand security guarantees before restoring connections – Port Ransom