← Back to Blog
Security Briefing 12 min read March 26, 2026

GlassWorm Uses Solana Blockchain as C2, Device Code Phishing Hits 340+ Orgs, TeamPCP Expands OSS Compromise

GlassWorm campaign evolves with Solana blockchain dead-drop C2 for RAT delivery and browser data theft. Device code phishing campaign targets 340+ Microsoft 365 organizations across five countries via OAuth abuse. TeamPCP expands beyond Trivy to compromise Docker Hub, VS Code, and PyPI. Citrix urges emergency NetScaler patch for CitrixBleed-like flaw. LeakBase admin arrested in Russia. PolyShell attacks hit 56% of vulnerable Magento stores.


1. GlassWorm Malware Uses Solana Blockchain Dead Drops for RAT Delivery

⚠️ CRITICAL — Novel C2 Technique Makes Takedown Nearly Impossible

The GlassWorm campaign now uses Solana blockchain transaction memos as a dead-drop resolver for C2 infrastructure, delivering a multi-stage RAT with browser data theft, keylogging, and a malicious Chrome extension.

Aikido Security researchers have documented a significant evolution in the GlassWorm campaign. The threat actors are now embedding command-and-control addresses in Solana blockchain transaction memos — a technique that makes traditional takedown efforts effectively impossible because blockchain data is immutable and decentralized.

The attack chain deploys a multi-stage framework:

Why Blockchain-Based C2 Changes the Game

Traditional C2 infrastructure relies on domain names or IP addresses that defenders can blocklist, sinkhole, or seize through legal action. Blockchain memos are permanent, censorship-resistant, and publicly accessible — no registrar to contact, no hosting provider to subpoena. The attackers simply post a new Solana transaction with updated C2 coordinates whenever they need to rotate infrastructure.

This technique was previously theorized in security research but is now being deployed at scale in the wild. It represents a fundamental challenge to the incident response playbook.

Immediate Actions


2. Device Code Phishing Campaign Hits 340+ Microsoft 365 Organizations

⚠️ CRITICAL — OAuth Device Code Abuse Bypasses MFA Across Five Countries

An active phishing campaign abuses Microsoft's OAuth device code flow to compromise Microsoft 365 accounts across 340+ organizations in the US, Canada, Australia, New Zealand, and Germany.

Huntress researchers have uncovered a massive device code phishing campaign that exploits Microsoft's OAuth device code authentication flow to harvest credentials and bypass multi-factor authentication. The campaign was first spotted on February 19, 2026, and has been accelerating since.

The attack combines multiple techniques for maximum effectiveness:

Sectors Under Attack

The campaign has targeted construction, non-profits, real estate, manufacturing, financial services, healthcare, legal, and government organizations. Germany is explicitly among the targeted countries, making this directly relevant for DACH organizations.

Why Device Code Phishing Is So Effective

Unlike traditional phishing that requires victims to enter credentials on a fake login page, device code phishing asks victims to enter a code on Microsoft's legitimate login page. The URL is real. The login page is real. The MFA prompt is real. The only thing fake is the reason the victim was asked to authenticate — and by then, the attacker has a valid session token.

Immediate Actions


3. TeamPCP Expands Open-Source Compromise — Docker Hub, VS Code, PyPI All Hit

⚠️ CRITICAL — Supply-Chain Attack Group Broadens to Every Major Package Ecosystem

TeamPCP, the group behind the Trivy and KICS compromises, has expanded operations to Docker Hub, Visual Studio Code extensions, PyPI, and NPM, now partnering with the Lapsus$ group.

The TeamPCP threat group continues its unprecedented campaign against open-source infrastructure. After compromising Trivy's GitHub Action tags, the group has now expanded to target every major package ecosystem simultaneously — and has reportedly teamed up with the notorious Lapsus$ group.

The scope of compromise now includes:

The Lapsus$ Connection

The reported partnership with Lapsus$ — known for high-profile breaches at Microsoft, Nvidia, Samsung, and Uber — elevates the threat level significantly. Lapsus$ brings proven social engineering capabilities and insider recruitment tactics, while TeamPCP contributes deep expertise in CI/CD pipeline compromise. Together, they represent a formidable software supply-chain threat.

Immediate Actions


4. Citrix Urges Emergency NetScaler Patch — CitrixBleed-Like Flaw

⚠️ CRITICAL — NetScaler ADC & Gateway Vulnerabilities Echo Previous Zero-Day Exploits

Citrix has patched two vulnerabilities in NetScaler ADC and NetScaler Gateway, one of which is very similar to the CitrixBleed and CitrixBleed2 flaws that were exploited as zero-days in recent years.

Citrix is urging all administrators to patch immediately. One of the two newly disclosed vulnerabilities bears a strong resemblance to CitrixBleed (CVE-2023-4966) and CitrixBleed2, both of which were exploited as zero-days with devastating consequences — including the breach of Boeing, multiple US government agencies, and financial institutions.

The similarities to CitrixBleed are concerning because:

NIS2 Implications

Organizations subject to NIS2 that run NetScaler infrastructure face a compliance obligation to patch under Article 21's vulnerability management requirements. Given the similarity to a previously exploited zero-day, failing to patch promptly could be considered a negligent security posture.

Immediate Actions


5. LeakBase Admin Arrested in Russia — 147K Users Traded Stolen Credentials

Law Enforcement Win: Russian authorities have arrested the administrator of the LeakBase cybercrime forum, a platform that hosted hundreds of millions of stolen user accounts, bank details, and corporate documents since 2021. The suspect, from the city of Taganrog, operated a marketplace with 147,000+ registered users who bought and sold stolen personal databases. Equipment was confiscated during the arrest.

This arrest is noteworthy because it happened in Russia — a country that has historically been a safe harbor for cybercriminals. While Russia has occasionally prosecuted cybercriminals who targeted Russian citizens, the arrest of a forum administrator who facilitated attacks against international targets suggests a possible shift in Russian law enforcement posture toward cybercrime.

For organizations, LeakBase's seizure means that stolen credential databases from the platform may enter wider circulation as former users migrate to alternative forums. Now is a good time to:


6. PolyShell Attacks Target 56% of Vulnerable Magento Stores

🔶 HIGH — E-Commerce Platforms Under Active Mass Exploitation

Attacks leveraging the PolyShell vulnerability in Magento Open Source and Adobe Commerce are now targeting more than half of all vulnerable stores, enabling web shell deployment and payment card skimming.

The PolyShell vulnerability in Magento Open Source and Adobe Commerce version 2 is under active mass exploitation, with attackers targeting 56% of all vulnerable stores identified online. The attacks deploy web shells that enable persistent access and payment card skimming — the classic Magecart attack pattern.

This is particularly dangerous because:

Immediate Actions


7. Torg Grabber Infostealer Targets 728 Cryptocurrency Wallets

🔶 HIGH — New Infostealer Weaponizes 850+ Browser Extensions for Crypto Theft

A new infostealer called Torg Grabber targets 850 browser extensions — over 700 of them cryptocurrency wallet extensions — to steal digital assets and sensitive browser data.

The Torg Grabber malware represents a new level of specialization in information-stealing malware. By specifically targeting 728 cryptocurrency wallet browser extensions, it demonstrates the growing intersection of traditional cybercrime with cryptocurrency theft.

Beyond crypto wallets, Torg Grabber also targets:

Immediate Actions


8. Apple Releases iOS & macOS Security Patches

Patch Tuesday: Apple has released security updates for iOS, macOS 26.4, and older platforms including iOS 18.7.7, iPadOS 18.7.7, macOS Sequoia 15.7.5, and macOS Sonoma 14.8.5. The updates address multiple vulnerabilities across WebKit, kernel, and system frameworks. Organizations should prioritize deployment through MDM to ensure coverage across all managed Apple devices.


Today's Threat Landscape Summary

Threat Severity Type Action Required
GlassWorm Solana C2 CRITICAL Malware / C2 Audit dev packages, block Solana RPC
Device Code Phishing (365) CRITICAL Phishing / OAuth Disable device code flow, monitor logs
TeamPCP OSS Expansion CRITICAL Supply Chain Pin deps to SHAs, verify artifacts
Citrix NetScaler Patch CRITICAL Vulnerability Emergency patch immediately
PolyShell Magento Attacks HIGH Web Exploit Update Magento, scan for web shells
Torg Grabber Infostealer HIGH Malware Audit extensions, use hardware wallets
LeakBase Admin Arrested INFO Law Enforcement Check credential exposure, rotate
Apple Security Patches INFO Patch Deploy via MDM

Are Your Developer Tools Compromised?

Today's GlassWorm and TeamPCP campaigns show that your development pipeline is the new attack surface. KENSAI scans your web applications, APIs, and infrastructure for vulnerabilities — including supply-chain risks.

Start Your Free Security Scan →

Published by the KENSAI Threat Intelligence Team · March 26, 2026

Stay informed. Stay protected. Read more briefings →

Related Articles

FortiGate凭证窃取、KadNap僵尸网络感染1.4万路由器、微软修补2个零日漏洞网络安全 CVE-2026-35039: Privilege Escalation in Npm Security CVE-2026-34992: Missing Encryption in Go Security