The Hacker News
@thehackernews
Technologies
⭐ Official THN Telegram Channel — A trusted, widely read, independent source for breaking news and tech coverage about cybersecurity and hacking. 📨 Contact: [email protected] 🌐 Website: https://thehackernews.com
Recent posts
Posted Mar 23
XM Cyber mapped 8 AWS Bedrock attack paths targeting permissions and integrations, not the model itself. One over-privileged identity can redirect logs, hijack agents, poison prompts, and pivot into connected enterprise systems. 🔗 The 8 paths from Bedrock access to infrastructure risk → https://thehackernews.com/2026/03/we-found-eight-attack-vectors-inside.html
Posted Mar 23
Biggest security stories this week 👇 🔥 Trivy backdoor — CI/CD worm 🤖 4 DDoS botnets down 📱 iOS DarkSword — 6 vulns 🦠 Android malware in IPTV apps 🔓 Cisco FMC 0-day exploited ⚡ Langflow RCE in 20h 🕵️ FBI buys location data 🌐 WhatsApp testing usernames 🐻 APT28 toolkit leak 💀 373K domains seized 🎯 Phishing hits Pakistan energy 🧠 VoidStealer bypasses Chrome ABE 💰 Beast ransomware leak 📦 Malicious npm account hijack 🎣 OpenClaw devs crypto phishing 🇨🇳 China PQC standards 🚨 25+ critical CVEs exploited Full cybersecurity recap → https://thehackernews.com/2026/03/weekly-recap-cicd-backdoor-fbi-buys.html
Posted Mar 23
Microsoft says tax-season phishing now deploys RMM tools like ScreenConnect, moving beyond credential theft. A Feb. 10 campaign hit 29,000+ users across 10,000 orgs, using IRS lures to gain persistent system access. 🔗 IRS themes, QR tricks, and full attack chain → https://thehackernews.com/2026/03/microsoft-warns-irs-phishing-hits-29000.html
Posted Mar 23
🛑 Malicious Trivy images (0.69.4–0.69.6) confirm a supply chain breach using a compromised service account token. Attackers pushed trojanized builds, spread an npm worm, defaced 44 repos in minutes, and deployed Kubernetes wiper payloads. 🔗 Read → https://thehackernews.com/2026/03/trivy-hack-spreads-infostealer-via.html
Posted Mar 23
⚠️ Attackers are exploiting a CVSS 10.0 auth bypass in Quest KACE SMA to hijack admin accounts. Arctic Wolf observed attacks on unpatched, internet-exposed systems, with payloads delivered via curl and persistence set through registry changes. 🔗 From initial access to full domain control chain → https://thehackernews.com/2026/03/hackers-exploit-cve-2025-32975-cvss-100.html
Posted Mar 21
⚠️ CISA & FBI warn Russian intel is hijacking Signal/WhatsApp via fake “Signal Support” scams. Share a code or scan a QR, and attackers gain full account access or takeover—then impersonate you to spread more phishing. 🔗 Attack methods explained → https://thehackernews.com/2026/03/fbi-warns-russian-hackers-target-signal.html
Posted Mar 21
🚨 Oracle fixed a 9.8 “easily exploitable” RCE flaw in Identity Manager and Web Services Manager, allowing unauthenticated attackers to execute code over HTTP and take full control of systems. 🔗 Read → https://thehackernews.com/2026/03/oracle-patches-critical-cve-2026-21992.html
Posted Mar 21
🛑 CISA adds 5 exploited vulnerabilities across Apple, Craft CMS, and Laravel, with a hard patch deadline of April 3. Apple bugs link to the DarkSword iOS exploit chain. Others enable remote code execution, mining, and espionage campaigns. Active attacks already underway. 🔗 Exploited CVEs, threat actors, and fixes → https://thehackernews.com/2026/03/cisa-flags-apple-craft-cms-laravel-bugs.html
Posted Mar 21
⚠️ WARNING - A Trivy-linked supply chain attack has escalated into a self-propagating npm worm now spreading across dozens of packages. It steals npm tokens, republishes itself, and spreads through developer machines and CI. Uses an ICP canister to rotate payloads and resist takedowns. 🔗 How the worm spreads and updates payloads → https://thehackernews.com/2026/03/trivy-supply-chain-attack-triggers-self.html
Posted Mar 20
🛑 ALERT - Trivy, a popular open-source vulnerability scanner, was compromised after attackers hijacked 75 version tags in #GitHub Actions to deliver an infostealer. It ran in CI pipelines, stealing creds and tokens, then exfiltrating data or staging it via stolen GitHub PATs. 🔗 Attack flow, impacted versions, fixes → https://thehackernews.com/2026/03/trivy-security-scanner-github-actions.html
Posted Mar 20
CursorJack abuses cursor:// links to trigger arbitrary command execution via MCP installs with executable configs. One click plus user approval can run local commands or link to a malicious server. 🔗 Deep link abuse flow, MCP risk, and PoC details → https://thehackernews.com/2026/03/threatsday-bulletin-fortigate-raas.html#deep-link-abuse-enables-command-execution