ๅ‰ฃ KENSAI
โ˜ฐ
โ† Back to archive

๐Ÿ›ก๏ธ KENSAI Daily Security Research

2026-03-26 โ€” Thursday
24-hour threat intelligence digest โ€ข Automated research by KENSAI
3
Breaches
4
Critical Vulns
3
Ransomware
3
Tool Releases
4
Threat Patterns

๐Ÿ“ก RSAC 2026 is Live

RSA Conference 2026 is underway โ€” Day 2 announcements rolling in. Major vendor releases, new frameworks for agentic AI governance, and updated threat reports from SentinelOne, PwC, and SANS. Key takeaway: AI is both accelerating attacks and defense tooling.

๐Ÿ”“ Major Data Breaches

HackerOne Employee Data Exposed in Navia Breach

HackerOne confirmed that personal information of hundreds of employees was stolen in a breach targeting benefits provider Navia. Sensitive PII including names, addresses, and benefits data were exfiltrated. The irony of a bug bounty platform's employees being caught in a third-party breach underscores supply chain risk.

Data Breach Third-Party Risk Source: SecurityWeek
KENSAI Take

Even security-first companies are exposed through their vendor chain. NIS2 Article 21 explicitly mandates supply chain security assessments. KENSAI's third-party risk scanning catches these gaps.

LeakBase Admin Arrested in Russia โ€” 147K Users, Hundreds of Millions of Records

Russian law enforcement arrested the administrator of the LeakBase cybercrime forum in Taganrog. The platform hosted hundreds of millions of stolen user accounts, bank details, usernames, passwords, and corporate documents. Over 147,000 registered users could buy and sell this data since 2021.

Dark Web Law Enforcement Source: The Hacker News

Dutch Finance Ministry Probing Cyber Breach

The Netherlands' Ministry of Finance is investigating a cyber breach affecting internal systems. Details remain limited, but the breach hit critical government infrastructure. Simultaneously, Crunchyroll (anime streaming) disclosed a hack stealing customer service ticket data, and Kaplan (education) reported a breach impacting 230,000+ individuals.

Government EU Source: The Record
KENSAI Take

EU government breaches accelerate the NIS2 enforcement timeline. DACH organizations should treat this as a preview of increased regulatory scrutiny in 2026.

๐Ÿšจ Critical Vulnerabilities

Citrix NetScaler โ€” CitrixBleed3 Incoming

Citrix urgently patched two vulnerabilities in NetScaler ADC and NetScaler Gateway. One flaw is "very similar" to the infamous CitrixBleed and CitrixBleed2 vulnerabilities that were exploited as zero-days. Citrix is urging immediate patching โ€” expect PoC exploits within days.

Critical Citrix NetScaler Source: BleepingComputer
KENSAI Take

CitrixBleed led to some of the largest breaches of 2023-2024. Organizations running NetScaler must patch NOW. KENSAI's external scan detects exposed NetScaler instances and version fingerprints.

TP-Link Archer NX โ€” Critical Auth Bypass

TP-Link patched a critical authentication bypass flaw in its Archer NX router series that could allow attackers to bypass authentication entirely and upload malicious firmware. Given the FCC's new ban on foreign-made routers, this compounds concerns about router supply chain security.

Critical Router / IoT Source: BleepingComputer

PolyShell โ€” Magento/Adobe Commerce Mass Exploitation

Active exploitation of the "PolyShell" vulnerability is hitting 56% of all vulnerable Magento Open Source and Adobe Commerce stores. Attackers are deploying web shells at scale. E-commerce businesses running Magento 2 must patch immediately or risk full site compromise and payment data theft.

Active Exploitation E-Commerce Source: BleepingComputer

Apple iOS/macOS 26.4 โ€” Security Patches Across Ecosystem

Apple released security fixes across iOS, macOS, and iPadOS including patches for older devices (iOS 18.7.7, macOS Sequoia 15.7.5, macOS Sonoma 14.8.5). Multiple WebKit and kernel vulnerabilities addressed.

High Apple Ecosystem Source: SecurityWeek

๐Ÿ’€ Ransomware Attacks

Port of Vigo (Spain) โ€” Maritime Operations Disrupted

A ransomware attack forced Spain's Port of Vigo to disconnect systems and switch to manual cargo management. The attack was detected early Tuesday, locking servers and demanding ransom. Port president stated: "We will not restore connections until there are absolute guarantees." No group has claimed responsibility. Ship movements continue but logistics coordination is crippled.

Ransomware Critical Infrastructure Source: The Record
KENSAI Take

Maritime/port attacks are accelerating โ€” Nagoya (2023), now Vigo (2026). Under NIS2, ports are "essential entities" requiring mandatory incident reporting within 24 hours. EU port authorities need continuous security monitoring.

Stryker (Medical Devices) โ€” Production Lines Back Online After Malware Attack

Medical device manufacturer Stryker confirmed malware involvement in a recent cyberattack that shut down production lines. Operations are now reopening. The attack highlights the ongoing targeting of healthcare/medical manufacturing supply chains.

Malware Healthcare Source: The Record

Russian Ransomware Operators Sentenced in US

Ilya Angelov (TA551/Shathak) โ€” 2 years + $100K fine for managing a botnet used in ransomware campaigns (2017-2021). Aleksei Volkov โ€” 81 months (6.75 years) for his role as an access broker in Yanluowang ransomware attacks. US DoJ continuing to pursue Russian cybercriminals with extraterritorial reach.

Law Enforcement Ransomware Sources: THN, SecurityWeek

๐Ÿ”ง Security Tool Releases

Kali Linux 2026.1 โ€” 8 New Tools + BackTrack Mode

First release of the year brings 8 new security tools, a visual theme refresh, and a new "BackTrack mode" for Kali-Undercover. A nostalgia play meets practical pentest tooling updates.

Tool Release Penetration Testing Source: BleepingComputer

GitHub โ€” AI-Powered Code Security Scanning

GitHub is expanding its Code Security tool beyond CodeQL with AI-based vulnerability detection. The new scanning covers more languages and frameworks, lowering the barrier for security-aware development. This moves SAST closer to mainstream developer workflows.

Tool Release SAST / DevSecOps Source: BleepingComputer
KENSAI Take

AI-powered SAST is becoming table stakes. KENSAI's competitive advantage: combining SAST with DAST, external scanning, and NIS2 compliance in a single platform โ€” not just code-level detection.

Onit Security โ€” $11M Raise for Exposure Management

Onit Security raised $11M to build its exposure management platform. Investment targets product development and GTM expansion into new sectors. Signals continued VC appetite for attack surface management despite market consolidation.

Funding Exposure Management Source: SecurityWeek

โšก Emerging Threat Patterns

Supply Chain Compromise Escalation โ€” TeamPCP Hits LiteLLM, Docker Hub, VS Code, PyPI

The TeamPCP threat actor (behind the Trivy/KICS compromises) has now backdoored LiteLLM versions 1.82.7โ€“1.82.8 via a CI/CD pipeline compromise. The payload is a three-stage attack: credential harvesting (SSH keys, cloud creds, K8s secrets), lateral movement toolkit, and persistent backdoor. They've also hit Docker Hub, VS Code marketplace, and NPM โ€” now reportedly collaborating with Lapsus$.

Critical Supply Chain Sources: THN, SecurityWeek
KENSAI Take

This is the most significant OSS supply chain attack of 2026 so far. CI/CD pipeline compromise โ†’ package poisoning at scale. Organizations must verify package integrity and pin versions. SBOM scanning is no longer optional.

Device Code Phishing โ€” 340+ Microsoft 365 Orgs Compromised

A massive device code phishing campaign is targeting M365 identities across 340+ organizations in the US, Canada, Australia, New Zealand, and Germany. Uses Cloudflare Workers + Railway PaaS for credential harvesting. Exploits OAuth device authorization flow to steal tokens that survive password resets. Sectors hit: construction, healthcare, legal, government, financial services.

Active Campaign Identity / OAuth Source: The Hacker News
KENSAI Take

Germany is explicitly listed as a target country. DACH organizations running M365 should audit OAuth device code policies immediately. Conditional Access policies should block device code flow where not needed.

GlassWorm โ€” Solana Blockchain as C2 Dead Drop

The GlassWorm campaign now uses Solana blockchain memos as dead drop resolvers for C2 communication. Deploys a Chrome extension masquerading as Google Docs Offline, logging keystrokes, dumping cookies/sessions, capturing screenshots, and targeting 728+ crypto wallets. Spreads via poisoned packages on npm, PyPI, GitHub, and VS Code marketplace.

Novel Technique Blockchain C2 Source: The Hacker News

AI Agents as Attack Surface โ€” "The Kill Chain Is Obsolete"

Security researchers warn that AI agents with system access represent a fundamentally new threat model. Unlike traditional kill chains where attackers must earn access step by step, compromised AI agents already have permissions, access, and legitimate reasons to traverse systems. PwC and SANS both confirm AI is accelerating attack speed and scale, with identity theft evolving into a "cybercriminal supply chain." Stolen premium AI accounts are now hot commodities on underground markets.

AI Threats Emerging Sources: THN, SecurityWeek
KENSAI Take

SecurityWeek published a piece on agentic AI governance citing OpenClaw. The AI-as-threat-surface narrative is KENSAI's content opportunity โ€” we should own this conversation for the DACH market.

๐Ÿ“‹ Notable Policy & Regulatory

FCC Bans Foreign-Made Consumer Routers

The FCC banned all new consumer routers manufactured outside the US, citing national security risks. Aligns with White House determination that all foreign-produced routers pose unacceptable threats. Major implications for TP-Link, Huawei, and other foreign manufacturers.

Regulation US Policy Source: SecurityWeek

CISA Acting Chief: Shutdown Increasing Cyber Risks, Causing Resignations

CISA's acting director warned that ongoing government shutdown dynamics are increasing cybersecurity risks and driving talent retention issues. The US government's cybersecurity posture continues to degrade as experienced personnel leave.

CISA Policy Source: The Record

UK NCSC: "Vibe Coding" Could Add Security Risks to SaaS Industry

The UK's National Cyber Security Centre warned that the "vibe coding" trend โ€” using AI to generate entire applications โ€” could reshape SaaS while introducing significant security risks. AI-generated code often lacks proper input validation, authentication checks, and secure defaults.

AI Risk UK NCSC Source: The Record