ๅ‰ฃ KENSAI
โ˜ฐ
โ† Back to archive

๐Ÿ›ก๏ธ Daily Security Research Brief

Saturday, March 28, 2026 โ€” 04:00 CET ยท Auto-generated from OSINT sources

TL;DR: TeamPCP continues its rampage โ€” now with a destructive wiper targeting Iran via supply chain compromise of the Telnyx PyPI package. The EU Commission suffered an AWS cloud breach. CISA warns of active exploitation of Langflow (CVE-2026-33017). China-linked Red Menshen caught deep in telecom backbone infrastructure. Four massive IoT botnets dismantled by DOJ. LangChain/LangGraph vulnerabilities expose enterprise AI secrets. RSAC 2026 announcements include quantum-resistant hardware from Dell and HP.

Threat Level: Elevated โ€” active supply chain attacks and state-sponsored operations

๐Ÿ”ด Supply Chain Attacks & Malware

CRITICAL supply chain pypi

TeamPCP Compromises Telnyx PyPI Package โ€” Stealer Hidden in WAV Files

The TeamPCP threat group โ€” previously behind supply chain attacks on Trivy, KICS, and litellm โ€” has now compromised the official telnyx Python package on PyPI. Malicious versions 4.87.1 and 4.87.2 conceal credential-harvesting code within a .WAV audio file using steganography. The attack chain targets Windows, Linux, and macOS, injecting malware through telnyx/_client.py on import. The package is currently quarantined.

Action: Downgrade to version 4.87.0 immediately. Audit any systems that imported telnyx after March 27.

Sources: BleepingComputer, The Hacker News, Aikido, Socket, StepSecurity

CRITICAL wiper geopolitical

TeamPCP Deploys CanisterWorm Wiper Targeting Iran

TeamPCP has pivoted from financial crime to geopolitical destruction. The same infrastructure used in the Trivy supply chain attack now deploys a wiper payload called CanisterWorm that activates if a system's timezone matches Iran or Farsi is the default language. On Kubernetes clusters, it destroys data across all nodes; otherwise it wipes the local machine. The worm spreads through exposed Docker APIs, Kubernetes clusters, Redis servers, and React2Shell vulnerability.

Action: Audit exposed cloud control planes. Flare reports Azure (61%) and AWS (36%) account for 97% of TeamPCP compromises.

Source: KrebsOnSecurity, Aikido

HIGH social engineering github

Fake VS Code Security Alerts on GitHub Spread Malware

A large-scale campaign targets developers via fake Visual Studio Code security alerts posted in GitHub Discussions across various projects. The alerts trick users into downloading malware disguised as security patches.

Action: Verify any VS Code security alerts through official channels only. Report suspicious GitHub Discussions.

Source: BleepingComputer

๐Ÿ›๏ธ Major Breaches

CRITICAL cloud breach government

European Commission AWS Cloud Environment Breached

The European Commission is investigating a security breach after a threat actor gained access to its Amazon cloud environment. The EU's main executive body has confirmed the incident and is assessing the scope and impact.

Source: BleepingComputer

HIGH data breach phishing

Dutch National Police Breached via Phishing

The Dutch National Police (Politie) disclosed a security breach resulting from a successful phishing attack. Officials say the impact was limited and citizens' data was not affected.

Source: BleepingComputer

data breach financial

Hightower Holdings Breach Impacts 130,000 Individuals

The financial holdings company confirmed hackers stole names, Social Security numbers, and driver's license numbers from its environment, affecting approximately 130,000 people.

Source: SecurityWeek

data breach hacktivism

Pro-Iranian Group Claims Hack of FBI Director Kash Patel's Account

A pro-Iranian hacking group claims to have compromised FBI Director Kash Patel's personal account and is making emails and documents available for download.

Source: SecurityWeek

โš ๏ธ Critical Vulnerabilities

CRITICAL actively exploited AI

CVE-2026-33017 โ€” Langflow RCE (CISA KEV)

CISA has added CVE-2026-33017 to its Known Exploited Vulnerabilities catalog. The critical flaw in the Langflow framework for building AI agents is being actively exploited in the wild to hijack AI workflows. Immediate patching is required.

Source: BleepingComputer, CISA

HIGH AI frameworks

LangChain & LangGraph โ€” Three Vulnerabilities Expose Enterprise Data

Three security vulnerabilities in LangChain and LangGraph expose filesystem files, environment secrets, and conversation history. With combined weekly downloads exceeding 84 million on PyPI, the exposure surface is massive. Each flaw offers an independent data exfiltration path.

Source: The Hacker News, Cyera

HIGH ICS/OT

CVE-2026-4681 โ€” PTC Windchill Critical Vulnerability (German Police Alert)

CISA flagged a critical PTC Windchill vulnerability that was serious enough for German police to physically notify affected organizations. Details suggest significant risk to manufacturing and engineering environments.

Source: SecurityWeek, CISA

networking ios

Cisco IOS & TP-Link Router Patches

Cisco patched multiple high/medium-severity flaws in IOS software covering DoS, secure boot bypass, info disclosure, and privilege escalation. TP-Link patched high-severity router vulns enabling authentication bypass, arbitrary command execution, and configuration file decryption.

Source: SecurityWeek

HIGH DNS

BIND High-Severity Vulnerabilities Patched

BIND DNS resolver updates address high-severity vulnerabilities where specially crafted domains could trigger out-of-memory conditions and memory leaks.

Source: SecurityWeek

HIGH mobile espionage

Coruna iOS Exploit Kit โ€” Updated Operation Triangulation

A new iOS exploit kit dubbed "Coruna" contains an updated version of the kernel exploit used in Operation Triangulation three years ago, suggesting continued development of sophisticated mobile surveillance capabilities.

Source: SecurityWeek

๐Ÿ•ต๏ธ Threat Actor Activity

CRITICAL APT China

Red Menshen (Earth Bluecrow) โ€” Deep Inside Telecom Backbone

China-linked threat actor Red Menshen has been found embedded deep within telecom network infrastructure using kernel-level implants, passive backdoors (BPFDoor), credential-harvesting utilities, and cross-platform command frameworks. Rapid7 describes these as "some of the stealthiest digital sleeper cells" ever encountered in telecommunications. The campaign targets government espionage via telecom providers across the Middle East and Asia since at least 2021.

Sources: The Hacker News, SecurityWeek, Rapid7

law enforcement botnet

DOJ Dismantles Four IoT Botnets โ€” 3M+ Devices Compromised

The U.S. DOJ, along with Canadian and German authorities, took down four major botnets: Aisuru (200K+ attack commands), JackSkid (90K+ attacks), Kimwolf (25K+ attacks), and Mossad (~1K attacks). Combined, they compromised over 3 million IoT devices including routers and webcams, launching record-breaking DDoS attacks against targets including DoD infrastructure.

Source: KrebsOnSecurity, DOJ

law enforcement infostealer

RedLine Malware Admin Extradited to US

Hambardzum Minasyan of Armenia, alleged to be involved in the development and administration of the RedLine infostealer malware, has been extradited to the United States to face charges.

Source: SecurityWeek

๐Ÿ”ง Tools & Defenses

AI safety bug bounty

OpenAI Launches Abuse & Safety Bug Bounty Program

OpenAI has launched a new bug bounty program specifically for abuse and safety risks, rewarding reports of design or implementation issues that could lead to material harm from AI systems.

Source: SecurityWeek

quantum hardware

Dell & HP Ship Quantum-Resistant Device Security

Both Dell and HP announced new quantum-resistant security capabilities for PCs and printers at RSAC 2026, getting ahead of the post-quantum cryptography transition. Google has set 2029 as its quantum readiness deadline.

Source: SecurityWeek

Windows

Windows 11 KB5079391 โ€” Smart App Control Improvements

Microsoft released a preview cumulative update for Windows 11 24H2/25H2 with 29 changes including improvements to Smart App Control security features.

Source: BleepingComputer

๐Ÿ“Š Emerging Patterns

Key Trends This Week

๐ŸŽฏ AI Infrastructure Under Siege: Langflow actively exploited (CVE-2026-33017), LangChain/LangGraph vulns exposing enterprise data, and supply chain attacks targeting AI toolchains. Organizations building with AI frameworks are now prime targets.

๐Ÿ”— Supply Chain Industrialization: TeamPCP represents a new class of threat actor that "industrializes" known attack techniques at cloud scale. Their pivot from financial extortion to geopolitical wipers (CanisterWorm vs Iran) shows the escalation potential of supply chain compromises.

๐Ÿ“ก Telecom as Espionage Platform: Red Menshen's years-long embedding in telecom backbone infrastructure reinforces that nation-state actors continue to view telcos as strategic intelligence collection points.

๐Ÿ›ก๏ธ Post-Quantum Arms Race: Dell, HP, and Google are setting timelines for quantum-resistant security, signaling the industry is moving from research to deployment phase.

๐Ÿค– IoT Botnet Whack-a-Mole: Despite the takedown of four major botnets (3M+ devices), the underlying problem of exposed IoT devices remains unsolved.