The Hacker News

⚠️ A new malware loader is using fake “fix” prompts to trick users into running PowerShell commands. DeepLoad runs inside legitimate Windows processes and begins stealing browser credentials and sessions early in the attack. 🔗 Read → https://thehackernews.com/2026/03/deepload-malware-uses-clickfix-and-wmi.html

📣 Nudge Security has added AI Agent Discovery to help teams manage shadow AI risks. Employees are rapidly creating AI agents that connect to critical systems with broad permissions—often without visibility. These agents can persist even after creators leave. Nudge Security helps by: 👉 Discovering agents across platforms like Copilot Studio, Salesforce, and more 👉 Mapping ownership, permissions, and integrations 👉 Identifying risks like exposed access, hardcoded credentials, and orphaned agents 👉 Enforcing guardrails to validate and secure usage AI Agent Discovery is in research preview. Start a free trial to access it: https://thn.news/ai-discovery-tool

This week in cybersecurity... 📡 Telecom backbone backdoored 📬 FBI director's inbox owned ⛓️ Botnet hiding in blockchain 🦠 Chrome extension = infostealer 🖱️ ClickFix hits macOS 🚫 Foreign routers banned 👮 RedLine operator extradited 💸 BEC fraudster gets 7 years 📷 Deepfake-proof sensor developed 📋 30+ CVEs, some live in the wild Full recap is live 👇https://thehackernews.com/2026/03/weekly-recap-telecom-sleeper-cells-llm.html

GitGuardian found 29M leaked secrets in 2025, up 34%—the largest jump on record. AI services and internal systems drive exposure, while 64% of 2022 leaks remain valid; detection isn’t the issue, remediation & ownership are. 🔗 Where secrets leak & why they stay exploitable → https://thehackernews.com/2026/03/the-state-of-secrets-sprawl-2026-9.html

🛑 A Russian-linked toolkit is spreading through fake Windows shortcut files disguised as private key folders. CTRL hides activity through RDP tunnels and local pipes, avoiding standard C2 traffic and reducing network detection signals. 🔗 Read → https://thehackernews.com/2026/03/russian-ctrl-toolkit-delivered-via.html

AI isn’t making code safer. It’s expanding the attack surface. As Eric Fourrier, GitGuardian CEO, notes, 28.65M secrets were exposed in 2025 as AI workflows expanded tokens, APIs, and machine identities. Risk has shifted from code to credentials. Remediation is now the bottleneck. 🔗 Why AI security is shifting beyond code → https://thehackernews.com/expert-insights/2026/03/the-real-problem-isnt-that-ai-cant.html

⚠️ Three China-linked clusters targeted a Southeast Asian government in a coordinated operation. Overlapping malware and tactics show a sustained push for long-term access, not disruption, across several months in 2025. 🔗 Read → https://thehackernews.com/2026/03/three-china-linked-clusters-target.html

⚡ Iran-linked hackers breached FBI Director Kash Patel’s personal email and leaked years-old data. No government data was exposed, but the breach is part of a wider campaign using phishing, VPN access, and wiper attacks to disrupt targets and send geopolitical signals. 🔗 Read about tactics, Stryker attack, and MOIS links → https://thehackernews.com/2026/03/iran-linked-hackers-breach-fbi.html

🚨 Attackers are probing Citrix NetScaler for CVE-2026-3055 (CVSS 9.3). Honeypots show requests to /cgi/GetAuthMethods to identify SAML IdP setups, which are required for exploitation. 🔗 How attackers are mapping vulnerable NetScaler targets → https://thehackernews.com/2026/03/citrix-netscaler-under-active-recon-for.html

⚠️ CISA flagged active exploitation of an F5 BIG-IP APM flaw.CVE-2025-53521 (CVSS 9.3) enables RCE, reclassified from DoS after new findings. Exploitation is confirmed in the wild, with a federal patch deadline set. 🔗 Read → https://thehackernews.com/2026/03/cisa-adds-cve-2025-53521-to-kev-after.html

🛑 Russian-linked TA446 is using DarkSword iOS exploit kit in targeted phishing emails. Spoofed “discussion invites” trigger exploits only on iPhones and deliver GHOSTBLADE malware, expanding from credential theft to device compromise across government, academia, and policy targets. 🔗 How DarkSword is used in these attacks → https://thehackernews.com/2026/03/ta446-deploys-leaked-darksword-ios.html

🛑 Apple is sending #iPhone Lock Screen alerts warning users about active web-based attacks targeting outdated iOS. Coruna and DarkSword exploit kits target older iOS via compromised sites, expanding risk beyond targeted attacks. 🔗 Read → https://thehackernews.com/2026/03/apple-sends-lock-screen-alerts-to.html