๐ก๏ธ Daily Security Research Brief
Saturday, March 28, 2026 โ 04:00 CET ยท Auto-generated from OSINT sources
TL;DR: TeamPCP continues its rampage โ now with a destructive wiper targeting Iran via supply chain compromise of the Telnyx PyPI package. The EU Commission suffered an AWS cloud breach. CISA warns of active exploitation of Langflow (CVE-2026-33017). China-linked Red Menshen caught deep in telecom backbone infrastructure. Four massive IoT botnets dismantled by DOJ. LangChain/LangGraph vulnerabilities expose enterprise AI secrets. RSAC 2026 announcements include quantum-resistant hardware from Dell and HP.
Threat Level: Elevated โ active supply chain attacks and state-sponsored operations
๐ด Supply Chain Attacks & Malware
TeamPCP Compromises Telnyx PyPI Package โ Stealer Hidden in WAV Files
The TeamPCP threat group โ previously behind supply chain attacks on Trivy, KICS, and litellm โ has now compromised the official telnyx Python package on PyPI. Malicious versions 4.87.1 and 4.87.2 conceal credential-harvesting code within a .WAV audio file using steganography. The attack chain targets Windows, Linux, and macOS, injecting malware through telnyx/_client.py on import. The package is currently quarantined.
Action: Downgrade to version 4.87.0 immediately. Audit any systems that imported telnyx after March 27.
Sources: BleepingComputer, The Hacker News, Aikido, Socket, StepSecurity
TeamPCP Deploys CanisterWorm Wiper Targeting Iran
TeamPCP has pivoted from financial crime to geopolitical destruction. The same infrastructure used in the Trivy supply chain attack now deploys a wiper payload called CanisterWorm that activates if a system's timezone matches Iran or Farsi is the default language. On Kubernetes clusters, it destroys data across all nodes; otherwise it wipes the local machine. The worm spreads through exposed Docker APIs, Kubernetes clusters, Redis servers, and React2Shell vulnerability.
Action: Audit exposed cloud control planes. Flare reports Azure (61%) and AWS (36%) account for 97% of TeamPCP compromises.
Source: KrebsOnSecurity, Aikido
Fake VS Code Security Alerts on GitHub Spread Malware
A large-scale campaign targets developers via fake Visual Studio Code security alerts posted in GitHub Discussions across various projects. The alerts trick users into downloading malware disguised as security patches.
Action: Verify any VS Code security alerts through official channels only. Report suspicious GitHub Discussions.
Source: BleepingComputer
๐๏ธ Major Breaches
European Commission AWS Cloud Environment Breached
The European Commission is investigating a security breach after a threat actor gained access to its Amazon cloud environment. The EU's main executive body has confirmed the incident and is assessing the scope and impact.
Source: BleepingComputer
Dutch National Police Breached via Phishing
The Dutch National Police (Politie) disclosed a security breach resulting from a successful phishing attack. Officials say the impact was limited and citizens' data was not affected.
Source: BleepingComputer
Hightower Holdings Breach Impacts 130,000 Individuals
The financial holdings company confirmed hackers stole names, Social Security numbers, and driver's license numbers from its environment, affecting approximately 130,000 people.
Source: SecurityWeek
Pro-Iranian Group Claims Hack of FBI Director Kash Patel's Account
A pro-Iranian hacking group claims to have compromised FBI Director Kash Patel's personal account and is making emails and documents available for download.
Source: SecurityWeek
โ ๏ธ Critical Vulnerabilities
CVE-2026-33017 โ Langflow RCE (CISA KEV)
CISA has added CVE-2026-33017 to its Known Exploited Vulnerabilities catalog. The critical flaw in the Langflow framework for building AI agents is being actively exploited in the wild to hijack AI workflows. Immediate patching is required.
Source: BleepingComputer, CISA
LangChain & LangGraph โ Three Vulnerabilities Expose Enterprise Data
Three security vulnerabilities in LangChain and LangGraph expose filesystem files, environment secrets, and conversation history. With combined weekly downloads exceeding 84 million on PyPI, the exposure surface is massive. Each flaw offers an independent data exfiltration path.
Source: The Hacker News, Cyera
CVE-2026-4681 โ PTC Windchill Critical Vulnerability (German Police Alert)
CISA flagged a critical PTC Windchill vulnerability that was serious enough for German police to physically notify affected organizations. Details suggest significant risk to manufacturing and engineering environments.
Source: SecurityWeek, CISA
Cisco IOS & TP-Link Router Patches
Cisco patched multiple high/medium-severity flaws in IOS software covering DoS, secure boot bypass, info disclosure, and privilege escalation. TP-Link patched high-severity router vulns enabling authentication bypass, arbitrary command execution, and configuration file decryption.
Source: SecurityWeek
BIND High-Severity Vulnerabilities Patched
BIND DNS resolver updates address high-severity vulnerabilities where specially crafted domains could trigger out-of-memory conditions and memory leaks.
Source: SecurityWeek
Coruna iOS Exploit Kit โ Updated Operation Triangulation
A new iOS exploit kit dubbed "Coruna" contains an updated version of the kernel exploit used in Operation Triangulation three years ago, suggesting continued development of sophisticated mobile surveillance capabilities.
Source: SecurityWeek
๐ต๏ธ Threat Actor Activity
Red Menshen (Earth Bluecrow) โ Deep Inside Telecom Backbone
China-linked threat actor Red Menshen has been found embedded deep within telecom network infrastructure using kernel-level implants, passive backdoors (BPFDoor), credential-harvesting utilities, and cross-platform command frameworks. Rapid7 describes these as "some of the stealthiest digital sleeper cells" ever encountered in telecommunications. The campaign targets government espionage via telecom providers across the Middle East and Asia since at least 2021.
Sources: The Hacker News, SecurityWeek, Rapid7
DOJ Dismantles Four IoT Botnets โ 3M+ Devices Compromised
The U.S. DOJ, along with Canadian and German authorities, took down four major botnets: Aisuru (200K+ attack commands), JackSkid (90K+ attacks), Kimwolf (25K+ attacks), and Mossad (~1K attacks). Combined, they compromised over 3 million IoT devices including routers and webcams, launching record-breaking DDoS attacks against targets including DoD infrastructure.
Source: KrebsOnSecurity, DOJ
RedLine Malware Admin Extradited to US
Hambardzum Minasyan of Armenia, alleged to be involved in the development and administration of the RedLine infostealer malware, has been extradited to the United States to face charges.
Source: SecurityWeek
๐ง Tools & Defenses
OpenAI Launches Abuse & Safety Bug Bounty Program
OpenAI has launched a new bug bounty program specifically for abuse and safety risks, rewarding reports of design or implementation issues that could lead to material harm from AI systems.
Source: SecurityWeek
Dell & HP Ship Quantum-Resistant Device Security
Both Dell and HP announced new quantum-resistant security capabilities for PCs and printers at RSAC 2026, getting ahead of the post-quantum cryptography transition. Google has set 2029 as its quantum readiness deadline.
Source: SecurityWeek
Windows 11 KB5079391 โ Smart App Control Improvements
Microsoft released a preview cumulative update for Windows 11 24H2/25H2 with 29 changes including improvements to Smart App Control security features.
Source: BleepingComputer
๐ Emerging Patterns
Key Trends This Week
๐ฏ AI Infrastructure Under Siege: Langflow actively exploited (CVE-2026-33017), LangChain/LangGraph vulns exposing enterprise data, and supply chain attacks targeting AI toolchains. Organizations building with AI frameworks are now prime targets.
๐ Supply Chain Industrialization: TeamPCP represents a new class of threat actor that "industrializes" known attack techniques at cloud scale. Their pivot from financial extortion to geopolitical wipers (CanisterWorm vs Iran) shows the escalation potential of supply chain compromises.
๐ก Telecom as Espionage Platform: Red Menshen's years-long embedding in telecom backbone infrastructure reinforces that nation-state actors continue to view telcos as strategic intelligence collection points.
๐ก๏ธ Post-Quantum Arms Race: Dell, HP, and Google are setting timelines for quantum-resistant security, signaling the industry is moving from research to deployment phase.
๐ค IoT Botnet Whack-a-Mole: Despite the takedown of four major botnets (3M+ devices), the underlying problem of exposed IoT devices remains unsolved.