剣 KENSAI
← All posts · security · 2026-03-26 · 11 min

GlassWorm ने Solana ब्लॉकचेन को C2 के रूप में इस्तेमाल किया, डिवाइस कोड फ़िशिंग ने 340+ संगठनों को प्रभावित किया, TeamPCP ने OSS समझौते का विस्तार किया

GlassWorm अभियान RAT वितरण और ब्राउज़र डेटा चोरी के लिए Solana ब्लॉकचेन डेड-ड्रॉप C2 के साथ विकसित होता है। डिवाइस कोड फ़िशिंग अभियान OAuth दुरुपयोग के माध्यम से पांच देशों में 340+ Microsoft 365 संगठनों को लक्षित करता है। TeamPCP Trivy से आगे बढ़कर Docker Hub, VS Code और PyPI को समझौता करता है। Citrix CitrixBleed जैसी खामी के लिए आपातकालीन NetScaler पैच की मांग करता है। LeakBase व्यवस्थापक रूस में गिरफ्तार। PolyShell हमले 56% कमजोर Magento स्टोर को प्रभावित करते हैं।


1. GlassWorm Malware Uses Solana Blockchain Dead Drops for RAT Delivery

⚠️ CRITICAL — Novel C2 Technique Makes Takedown Nearly Impossible

The GlassWorm campaign now uses Solana blockchain transaction memos as a dead-drop resolver for C2 infrastructure, delivering a multi-stage RAT with browser data theft, keylogging, and a malicious Chrome extension.

Aikido Security researchers have documented a significant evolution in the GlassWorm campaign. The threat actors are now embedding command-and-control addresses in Solana blockchain transaction memos — a technique that makes traditional takedown efforts effectively impossible because blockchain data is immutable and decentralized.

The attack chain deploys a multi-stage framework:

Why Blockchain-Based C2 Changes the Game

Traditional C2 infrastructure relies on domain names or IP addresses that defenders can blocklist, sinkhole, or seize through legal action. Blockchain memos are permanent, censorship-resistant, and publicly accessible — no registrar to contact, no hosting provider to subpoena. The attackers simply post a new Solana transaction with updated C2 coordinates whenever they need to rotate infrastructure.

This technique was previously theorized in security research but is now being deployed at scale in the wild. It represents a fundamental challenge to the incident response playbook.

Immediate Actions


2. Device Code Phishing Campaign Hits 340+ Microsoft 365 Organizations

⚠️ CRITICAL — OAuth Device Code Abuse Bypasses MFA Across Five Countries

An active phishing campaign abuses Microsoft's OAuth device code flow to compromise Microsoft 365 accounts across 340+ organizations in the US, Canada, Australia, New Zealand, and Germany.

Huntress researchers have uncovered a massive device code phishing campaign that exploits Microsoft's OAuth device code authentication flow to harvest credentials and bypass multi-factor authentication. The campaign was first spotted on February 19, 2026, and has been accelerating since.

The attack combines multiple techniques for maximum effectiveness:

Sectors Under Attack

The campaign has targeted construction, non-profits, real estate, manufacturing, financial services, healthcare, legal, and government organizations. Germany is explicitly among the targeted countries, making this directly relevant for DACH organizations.

Why Device Code Phishing Is So Effective

Unlike traditional phishing that requires victims to enter credentials on a fake login page, device code phishing asks victims to enter a code on Microsoft's legitimate login page. The URL is real. The login page is real. The MFA prompt is real. The only thing fake is the reason the victim was asked to authenticate — and by then, the attacker has a valid session token.

Immediate Actions


3. TeamPCP Expands Open-Source Compromise — Docker Hub, VS Code, PyPI All Hit

⚠️ CRITICAL — Supply-Chain Attack Group Broadens to Every Major Package Ecosystem

TeamPCP, the group behind the Trivy and KICS compromises, has expanded operations to Docker Hub, Visual Studio Code extensions, PyPI, and NPM, now partnering with the Lapsus$ group.

The TeamPCP threat group continues its unprecedented campaign against open-source infrastructure. After compromising Trivy's GitHub Action tags, the group has now expanded to target every major package ecosystem simultaneously — and has reportedly teamed up with the notorious Lapsus$ group.

The scope of compromise now includes:

The Lapsus$ Connection

The reported partnership with Lapsus$ — known for high-profile breaches at Microsoft, Nvidia, Samsung, and Uber — elevates the threat level significantly. Lapsus$ brings proven social engineering capabilities and insider recruitment tactics, while TeamPCP contributes deep expertise in CI/CD pipeline compromise. Together, they represent a formidable software supply-chain threat.

Immediate Actions


4. Citrix Urges Emergency NetScaler Patch — CitrixBleed-Like Flaw

⚠️ CRITICAL — NetScaler ADC & Gateway Vulnerabilities Echo Previous Zero-Day Exploits

Citrix has patched two vulnerabilities in NetScaler ADC and NetScaler Gateway, one of which is very similar to the CitrixBleed and CitrixBleed2 flaws that were exploited as zero-days in recent years.

Citrix is urging all administrators to patch immediately. One of the two newly disclosed vulnerabilities bears a strong resemblance to CitrixBleed (CVE-2023-4966) and CitrixBleed2, both of which were exploited as zero-days with devastating consequences — including the breach of Boeing, multiple US government agencies, and financial institutions.

The similarities to CitrixBleed are concerning because:

NIS2 Implications

Organizations subject to NIS2 that run NetScaler infrastructure face a compliance obligation to patch under Article 21's vulnerability management requirements. Given the similarity to a previously exploited zero-day, failing to patch promptly could be considered a negligent security posture.

Immediate Actions


5. LeakBase Admin Arrested in Russia — 147K Users Traded Stolen Credentials

Law Enforcement Win: Russian authorities have arrested the administrator of the LeakBase cybercrime forum, a platform that hosted hundreds of millions of stolen user accounts, bank details, and corporate documents since 2021. The suspect, from the city of Taganrog, operated a marketplace with 147,000+ registered users who bought and sold stolen personal databases. Equipment was confiscated during the arrest.

This arrest is noteworthy because it happened in Russia — a country that has historically been a safe harbor for cybercriminals. While Russia has occasionally prosecuted cybercriminals who targeted Russian citizens, the arrest of a forum administrator who facilitated attacks against international targets suggests a possible shift in Russian law enforcement posture toward cybercrime.

For organizations, LeakBase's seizure means that stolen credential databases from the platform may enter wider circulation as former users migrate to alternative forums. Now is a good time to:


6. PolyShell Attacks Target 56% of Vulnerable Magento Stores

🔶 HIGH — E-Commerce Platforms Under Active Mass Exploitation

Attacks leveraging the PolyShell vulnerability in Magento Open Source and Adobe Commerce are now targeting more than half of all vulnerable stores, enabling web shell deployment and payment card skimming.

The PolyShell vulnerability in Magento Open Source and Adobe Commerce version 2 is under active mass exploitation, with attackers targeting 56% of all vulnerable stores identified online. The attacks deploy web shells that enable persistent access and payment card skimming — the classic Magecart attack pattern.

This is particularly dangerous because:

Immediate Actions


7. Torg Grabber Infostealer Targets 728 Cryptocurrency Wallets

🔶 HIGH — New Infostealer Weaponizes 850+ Browser Extensions for Crypto Theft

A new infostealer called Torg Grabber targets 850 browser extensions — over 700 of them cryptocurrency wallet extensions — to steal digital assets and sensitive browser data.

The Torg Grabber malware represents a new level of specialization in information-stealing malware. By specifically targeting 728 cryptocurrency wallet browser extensions, it demonstrates the growing intersection of traditional cybercrime with cryptocurrency theft.

Beyond crypto wallets, Torg Grabber also targets:

Immediate Actions


8. Apple Releases iOS & macOS Security Patches

Patch Tuesday: Apple has released security updates for iOS, macOS 26.4, and older platforms including iOS 18.7.7, iPadOS 18.7.7, macOS Sequoia 15.7.5, and macOS Sonoma 14.8.5. The updates address multiple vulnerabilities across WebKit, kernel, and system frameworks. Organizations should prioritize deployment through MDM to ensure coverage across all managed Apple devices.


Today's Threat Landscape Summary

Threat Severity Type Action Required
GlassWorm Solana C2 CRITICAL Malware / C2 Audit dev packages, block Solana RPC
Device Code Phishing (365) CRITICAL Phishing / OAuth Disable device code flow, monitor logs
TeamPCP OSS Expansion CRITICAL Supply Chain Pin deps to SHAs, verify artifacts
Citrix NetScaler Patch CRITICAL Vulnerability Emergency patch immediately
PolyShell Magento Attacks HIGH Web Exploit Update Magento, scan for web shells
Torg Grabber Infostealer HIGH Malware Audit extensions, use hardware wallets
LeakBase Admin Arrested INFO Law Enforcement Check credential exposure, rotate
Apple Security Patches INFO Patch Deploy via MDM