The Hacker News

⚡ Claude Code runs with full user permissions, acting before security tools can see it. Files, commands, data—executed with no real audit trail. Learn how Ceros enforces runtime controls and logs every action with identity. 🔗 Tool execution trails and MCP risks explained → https://thehackernews.com/2026/03/how-ceros-gives-security-teams.html

🚨 WARNING - A new #iOS exploit kit, DarkSword, has been active since late 2025 across multiple threat groups. It targets #iPhone on iOS 18.4–18.7, chaining zero-days to gain full access and rapidly extract data—files, messages, credentials, and crypto wallets—then wipe traces within minutes. 🔗 DarkSword details here → https://thehackernews.com/2026/03/darksword-ios-exploit-kit-uses-6-flaws.html

🛑 Shai-Hulud 2.0 ran code before security scans, quietly breaking CI/CD at the source. As Jonny Rivera from ActiveState explains, it stole cloud credentials and turned GitHub runners into attacker-controlled botnets—long before detection kicked in. Fix: control what enters the pipeline. 🔗 How curated catalogs stop pre-install attacks → https://thehackernews.com/expert-insights/2026/03/the-curated-catalog-biggest-defense.html

⚠️ CISA flags active exploitation across Zimbra and SharePoint, with federal patch deadlines now in motion. One flaw enables remote code execution. The other turns email rendering into an attack vector. In parallel, a Cisco zero-day was used weeks before disclosure—showing how fast attackers are moving. 🔗 Read → https://thehackernews.com/2026/03/cisa-warns-of-zimbra-sharepoint-flaw.html

North Korean operatives used AI-powered fake identities to land remote IT jobs at global firms and redirect salaries to state programs, per U.S. sanctions. Tools like Faceswap, VPN tunneling, and crypto laundering helped sustain access and evade detection over time. 🔗 Read → https://thehackernews.com/2026/03/ofac-sanctions-dprk-it-worker-network.html

⚠️ Amazon says Interlock #ransomware exploited a Cisco firewall flaw rated 10.0 CVSS as a zero-day weeks before disclosure. Attackers gained root access via insecure deserialization, then deployed RATs, proxies, and persistence tools. 🔗 Read → https://thehackernews.com/2026/03/interlock-ransomware-exploits-cisco-fmc.html

AI comes with potential risks and vulnerabilities, but you can protect your workers and your organization. One of the best places to start is with a comprehensive AI usage policy. This template provides: ✅ A definition of artificial intelligence ✅ A breakdown of acceptable and prohibited AI use ✅ Customizable guidelines for training, human oversight, accountability, and amendments 🔗 Get your AI employee usage policy template → https://thn.news/ai-policy-guide

⚠️ CERT/CC warns a ZIP flaw tracked as CVE-2026-0866 lets attackers hide malware using malformed archive headers. Security tools trust the header and miss the payload, while it can still be extracted and executed with the right method. It breaks how AV and EDR validate files. 🔗 How Zombie ZIP bypasses detection and runs payloads → https://thehackernews.com/2026/03/threatsday-bulletin-oauth-trap-edr.html#zip-evasion-technique

🛑 A Magecart skimmer hid its payload in a favicon’s EXIF metadata, never entering the codebase. A fake CDN script fetched the image, decoded a hidden URL, and executed it in the browser. No repo changes. No scan alerts. Payment data was exfiltrated at checkout. 🔗 Loader chain and why static tools missed it → https://thehackernews.com/2026/03/claude-code-security-and-magecart.html

⚠️ Low-cost IP KVM devices expose a direct path to full system takeover. Researchers found 9 flaws across 4 devices, including unauthenticated root access and remote code execution. Operating below the OS, they let attackers bypass security tools and maintain silent, persistent control. 🔗 Read → https://thehackernews.com/2026/03/9-critical-ip-kvm-flaws-enable.html

🛡️ Security teams see alerts. They don’t see how they connect. Small gaps, weak settings, and cloud access can link into a path to sensitive data. This walkthrough shows how CSMA maps those paths and helps fix them fast. 🔗 How small issues form real attack paths → https://thehackernews.com/2026/03/product-walkthrough-how-mesh-csma.html

🛑 ALERT - A new flaw in #Ubuntu 24.04+ lets attackers gain full root access from low privileges. By timing system cleanup, they replace a snap directory and execute code as root—no user action required. 🔗 Exploit steps and patched versions → https://thehackernews.com/2026/03/ubuntu-cve-2026-3888-bug-lets-attackers.html