GlassWorm ने Solana ब्लॉकचेन को C2 के रूप में इस्तेमाल किया, डिवाइस कोड फ़िशिंग ने 340+ संगठनों को प्रभावित किया, TeamPCP ने OSS समझौते का विस्तार किया
GlassWorm अभियान RAT वितरण और ब्राउज़र डेटा चोरी के लिए Solana ब्लॉकचेन डेड-ड्रॉप C2 के साथ विकसित होता है। डिवाइस कोड फ़िशिंग अभियान OAuth दुरुपयोग के माध्यम से पांच देशों में 340+ Microsoft 365 संगठनों को लक्षित करता है। TeamPCP Trivy से आगे बढ़कर Docker Hub, VS Code और PyPI को समझौता करता है। Citrix CitrixBleed जैसी खामी के लिए आपातकालीन NetScaler पैच की मांग करता है। LeakBase व्यवस्थापक रूस में गिरफ्तार। PolyShell हमले 56% कमजोर Magento स्टोर को प्रभावित करते हैं।
1. GlassWorm Malware Uses Solana Blockchain Dead Drops for RAT Delivery
⚠️ CRITICAL — Novel C2 Technique Makes Takedown Nearly Impossible
The GlassWorm campaign now uses Solana blockchain transaction memos as a dead-drop resolver for C2 infrastructure, delivering a multi-stage RAT with browser data theft, keylogging, and a malicious Chrome extension.
Aikido Security researchers have documented a significant evolution in the GlassWorm campaign. The threat actors are now embedding command-and-control addresses in Solana blockchain transaction memos — a technique that makes traditional takedown efforts effectively impossible because blockchain data is immutable and decentralized.
The attack chain deploys a multi-stage framework:
- Initial Access: Rogue packages published across npm, PyPI, GitHub, and Open VSX marketplace, plus compromised maintainer accounts pushing poisoned updates
- Stage 1 — Chrome Extension RAT: A malicious extension masquerading as an offline Google Docs tool that captures keystrokes, dumps cookies and session tokens, and takes screenshots
- Stage 2 — Data Exfiltration: Steals browser credentials, cryptocurrency wallet data, and session tokens from all installed browsers
- Stage 3 — Solana C2: Reads Solana blockchain memos to dynamically resolve C2 server addresses, making infrastructure rotation trivial and takedown impossible
Why Blockchain-Based C2 Changes the Game
Traditional C2 infrastructure relies on domain names or IP addresses that defenders can blocklist, sinkhole, or seize through legal action. Blockchain memos are permanent, censorship-resistant, and publicly accessible — no registrar to contact, no hosting provider to subpoena. The attackers simply post a new Solana transaction with updated C2 coordinates whenever they need to rotate infrastructure.
This technique was previously theorized in security research but is now being deployed at scale in the wild. It represents a fundamental challenge to the incident response playbook.
Immediate Actions
- Audit all npm, PyPI, and VS Code extensions in your development environments against known GlassWorm indicators
- Monitor for Chrome extensions requesting excessive permissions — especially offline document tools
- Block outbound connections to Solana RPC endpoints from non-cryptocurrency workloads
- Verify package maintainer account security — enable MFA on all package registry accounts
- Review browser extension policies — restrict installation to approved extensions only
2. Device Code Phishing Campaign Hits 340+ Microsoft 365 Organizations
⚠️ CRITICAL — OAuth Device Code Abuse Bypasses MFA Across Five Countries
An active phishing campaign abuses Microsoft's OAuth device code flow to compromise Microsoft 365 accounts across 340+ organizations in the US, Canada, Australia, New Zealand, and Germany.
Huntress researchers have uncovered a massive device code phishing campaign that exploits Microsoft's OAuth device code authentication flow to harvest credentials and bypass multi-factor authentication. The campaign was first spotted on February 19, 2026, and has been accelerating since.
The attack combines multiple techniques for maximum effectiveness:
- Cloudflare Workers redirects: Legitimate-looking URLs that redirect victims to the device code authorization page
- Railway PaaS infrastructure: Credential harvesting backends hosted on the Railway platform, blending with legitimate development workloads
- Construction bid lures: Social engineering themes tailored to specific industries, including fake bid invitations and procurement documents
- MFA bypass: Device code flow inherently bypasses traditional MFA because the victim authenticates on their own device
Sectors Under Attack
The campaign has targeted construction, non-profits, real estate, manufacturing, financial services, healthcare, legal, and government organizations. Germany is explicitly among the targeted countries, making this directly relevant for DACH organizations.
Why Device Code Phishing Is So Effective
Unlike traditional phishing that requires victims to enter credentials on a fake login page, device code phishing asks victims to enter a code on Microsoft's legitimate login page. The URL is real. The login page is real. The MFA prompt is real. The only thing fake is the reason the victim was asked to authenticate — and by then, the attacker has a valid session token.
Immediate Actions
- Disable the device code authentication flow in Azure AD/Entra ID if your organization doesn't use it — most don't need it
- Implement Conditional Access policies to restrict device code flow to managed devices only
- Monitor Azure AD sign-in logs for
deviceCodeFlowauthentication method — any unexpected usage should trigger investigation - Brief all employees that Microsoft will never ask them to enter a device code from an unsolicited email
- Block or flag emails containing device code authorization URLs
3. TeamPCP Expands Open-Source Compromise — Docker Hub, VS Code, PyPI All Hit
⚠️ CRITICAL — Supply-Chain Attack Group Broadens to Every Major Package Ecosystem
TeamPCP, the group behind the Trivy and KICS compromises, has expanded operations to Docker Hub, Visual Studio Code extensions, PyPI, and NPM, now partnering with the Lapsus$ group.
The TeamPCP threat group continues its unprecedented campaign against open-source infrastructure. After compromising Trivy's GitHub Action tags, the group has now expanded to target every major package ecosystem simultaneously — and has reportedly teamed up with the notorious Lapsus$ group.
The scope of compromise now includes:
- GitHub Actions: Compromised tags in the Trivy vulnerability scanner CI/CD pipeline
- NPM: Malicious packages targeting Node.js developers
- PyPI: Backdoored Python packages including LiteLLM (reported yesterday)
- Docker Hub: Compromised container images that deploy credential harvesters on build
- VS Code Marketplace: Malicious extensions with code execution capabilities
The Lapsus$ Connection
The reported partnership with Lapsus$ — known for high-profile breaches at Microsoft, Nvidia, Samsung, and Uber — elevates the threat level significantly. Lapsus$ brings proven social engineering capabilities and insider recruitment tactics, while TeamPCP contributes deep expertise in CI/CD pipeline compromise. Together, they represent a formidable software supply-chain threat.
Immediate Actions
- Pin all CI/CD dependencies to specific commit SHAs — never use mutable tags like
@latestor@v1 - Implement artifact verification for all Docker images pulled from public registries
- Audit VS Code extensions installed across your development team — remove anything unnecessary
- Enable npm/PyPI package provenance verification where available
- Run SBOM analysis on all production deployments to identify compromised dependencies
4. Citrix Urges Emergency NetScaler Patch — CitrixBleed-Like Flaw
⚠️ CRITICAL — NetScaler ADC & Gateway Vulnerabilities Echo Previous Zero-Day Exploits
Citrix has patched two vulnerabilities in NetScaler ADC and NetScaler Gateway, one of which is very similar to the CitrixBleed and CitrixBleed2 flaws that were exploited as zero-days in recent years.
Citrix is urging all administrators to patch immediately. One of the two newly disclosed vulnerabilities bears a strong resemblance to CitrixBleed (CVE-2023-4966) and CitrixBleed2, both of which were exploited as zero-days with devastating consequences — including the breach of Boeing, multiple US government agencies, and financial institutions.
The similarities to CitrixBleed are concerning because:
- Same attack surface: NetScaler ADC and Gateway are internet-facing by design — they sit at the network edge
- Session token theft: The original CitrixBleed allowed attackers to steal valid session tokens, bypassing all authentication including MFA
- Rapid weaponization: When CitrixBleed was disclosed, working exploits appeared within days and mass exploitation followed within weeks
NIS2 Implications
Organizations subject to NIS2 that run NetScaler infrastructure face a compliance obligation to patch under Article 21's vulnerability management requirements. Given the similarity to a previously exploited zero-day, failing to patch promptly could be considered a negligent security posture.
Immediate Actions
- Apply Citrix patches to all NetScaler ADC and Gateway instances immediately — this is an emergency, not a scheduled maintenance item
- Review NetScaler access logs for unusual session patterns that might indicate exploitation
- If you cannot patch immediately, restrict management interface access and monitor for indicators of compromise
- Verify that NetScaler instances are running supported firmware versions
5. LeakBase Admin Arrested in Russia — 147K Users Traded Stolen Credentials
Law Enforcement Win: Russian authorities have arrested the administrator of the LeakBase cybercrime forum, a platform that hosted hundreds of millions of stolen user accounts, bank details, and corporate documents since 2021. The suspect, from the city of Taganrog, operated a marketplace with 147,000+ registered users who bought and sold stolen personal databases. Equipment was confiscated during the arrest.
This arrest is noteworthy because it happened in Russia — a country that has historically been a safe harbor for cybercriminals. While Russia has occasionally prosecuted cybercriminals who targeted Russian citizens, the arrest of a forum administrator who facilitated attacks against international targets suggests a possible shift in Russian law enforcement posture toward cybercrime.
For organizations, LeakBase's seizure means that stolen credential databases from the platform may enter wider circulation as former users migrate to alternative forums. Now is a good time to:
- Run credential monitoring against known breach databases for your organization's domains
- Enforce password rotation for any accounts that may have appeared in leaked databases
- Verify that credential stuffing protections are active on all internet-facing login pages
6. PolyShell Attacks Target 56% of Vulnerable Magento Stores
🔶 HIGH — E-Commerce Platforms Under Active Mass Exploitation
Attacks leveraging the PolyShell vulnerability in Magento Open Source and Adobe Commerce are now targeting more than half of all vulnerable stores, enabling web shell deployment and payment card skimming.
The PolyShell vulnerability in Magento Open Source and Adobe Commerce version 2 is under active mass exploitation, with attackers targeting 56% of all vulnerable stores identified online. The attacks deploy web shells that enable persistent access and payment card skimming — the classic Magecart attack pattern.
This is particularly dangerous because:
- Scale: Over half of all vulnerable stores are already being targeted — this isn't targeted; it's automated scanning and exploitation
- Payment data: Magecart-style skimmers capture credit card details in real-time as customers check out
- PCI DSS implications: Any compromised store faces potential PCI DSS non-compliance and financial liability for fraudulent transactions
- Customer trust: E-commerce breaches directly impact revenue as customers lose confidence
Immediate Actions
- Update all Magento/Adobe Commerce installations to the latest patched version immediately
- Scan for web shells in the Magento filesystem — check for recently modified PHP files outside of normal deployment patterns
- Review payment processing integrity — inspect checkout page JavaScript for injected skimming code
- Implement Content Security Policy (CSP) headers to prevent unauthorized script injection
- If compromised, notify your payment processor and engage PCI forensic investigators
7. Torg Grabber Infostealer Targets 728 Cryptocurrency Wallets
🔶 HIGH — New Infostealer Weaponizes 850+ Browser Extensions for Crypto Theft
A new infostealer called Torg Grabber targets 850 browser extensions — over 700 of them cryptocurrency wallet extensions — to steal digital assets and sensitive browser data.
The Torg Grabber malware represents a new level of specialization in information-stealing malware. By specifically targeting 728 cryptocurrency wallet browser extensions, it demonstrates the growing intersection of traditional cybercrime with cryptocurrency theft.
Beyond crypto wallets, Torg Grabber also targets:
- Password managers and autofill data
- Banking and financial service extensions
- VPN and privacy tool extensions
- Session cookies and authentication tokens
Immediate Actions
- Use hardware wallets for significant cryptocurrency holdings — browser extensions should never hold large balances
- Audit browser extensions on corporate devices — remove anything not explicitly required
- Implement browser extension allowlists via group policy
- Monitor for unexpected browser extension installations via EDR
8. Apple Releases iOS & macOS Security Patches
Patch Tuesday: Apple has released security updates for iOS, macOS 26.4, and older platforms including iOS 18.7.7, iPadOS 18.7.7, macOS Sequoia 15.7.5, and macOS Sonoma 14.8.5. The updates address multiple vulnerabilities across WebKit, kernel, and system frameworks. Organizations should prioritize deployment through MDM to ensure coverage across all managed Apple devices.
Today's Threat Landscape Summary
| Threat | Severity | Type | Action Required |
|---|---|---|---|
| GlassWorm Solana C2 | CRITICAL | Malware / C2 | Audit dev packages, block Solana RPC |
| Device Code Phishing (365) | CRITICAL | Phishing / OAuth | Disable device code flow, monitor logs |
| TeamPCP OSS Expansion | CRITICAL | Supply Chain | Pin deps to SHAs, verify artifacts |
| Citrix NetScaler Patch | CRITICAL | Vulnerability | Emergency patch immediately |
| PolyShell Magento Attacks | HIGH | Web Exploit | Update Magento, scan for web shells |
| Torg Grabber Infostealer | HIGH | Malware | Audit extensions, use hardware wallets |
| LeakBase Admin Arrested | INFO | Law Enforcement | Check credential exposure, rotate |
| Apple Security Patches | INFO | Patch | Deploy via MDM |