Cybersecurity Headlines — March 26, 2026
Podcast by the CISO Series, Hosted by Sarah Lane

Episode Overview

This episode delivers a fast-paced roundup of the latest developments in cybersecurity as of March 26, 2026. Host Sarah Lane reports on malware campaigns targeting cryptocurrencies, open-source software backdoors, major arrests in the credential theft underground, AI’s expanding role in code security, ransomware impact on global shipping, creative abuse of app builders for phishing, targeted attacks on government operations, and urgent Citrix vulnerabilities. Each story is distilled into actionable highlights for infosec professionals.

Key Discussion Points

1. Torg Grabber: A New Threat to Crypto Wallets

[00:07–01:24]

• Description:

  • Torg Grabber is a newly discovered info-stealer targeting over 850 browser extensions, including nearly 8,000 cryptocurrency wallet types, password managers, and 2FA tools.
  • Attack Vector: Propagates via “click-fix” attacks — users are tricked into running malicious PowerShell commands.
  • Technical Escalation:
    • Hundreds of new samples appear weekly.
    • Command and control (C2) infrastructure is updated frequently.
    • Exfiltration now takes place via HTTPS over Cloudflare.
    • Employs sophisticated evasion, including in-memory execution, encryption bypasses, and anti-analysis techniques.

• Memorable Moment:

  • “It now uses HTTPS via Cloudflare for data exfiltration to steal credentials, cookies, crypto wallet data and files while using evasion techniques like in-memory execution, encryption bypasses and anti analysis protections.” —Sarah Lane [00:36]

2. TeamPCP Backdoors LiteLLM via Open-Source Supply Chain Attack

[01:24–02:17]

• Incident:

  • Threat actor TeamPCP tainted the LightLLM Python package by introducing a malicious Trivi dependency.
  • Consequences:
    • Malware harvests credentials, SSH keys, cloud secrets, and cryptocurrency wallets.
    • Spread across Kubernetes clusters and persists by installing backdoors.
  • Industry Warnings:
    • Package maintainer Barry AI and the Python Packaging Authority urge users to treat affected environments as fully compromised and to rotate all credentials immediately.
    • Researchers say the attackers may be in collaboration with the “Lapsus” group.

• Notable Quote:

  • “Users should treat affected environments as fully compromised and rotate all credentials.” —Sarah Lane, citing maintainers [01:55]

3. GitHub Rolls Out AI-Powered Security Bug Detection

[02:17–03:01]

• Innovation:

  • GitHub introduces AI-powered vulnerability scanning, expanding protection beyond CodeQL.
  • Coverage:
    • Languages/environments: Shell, Bash, Dockerfiles, Terraform, PHP, and more.
    • Detects misconfigurations, weak cryptography, and insecure SQL in pull requests.
    • Copilot Autofix suggests automatic remedies.
  • Early Results:
    • 170,000 findings during internal tests in 30 days.
    • 80% positive developer feedback.
    • Median fix time reduced from 1.29 to 0.66 hours.

• Highlight:

  • “Copilot Autofix suggesting remedies. Internal test showed 170,000 findings over 30 days... and autofix cutting resolution time from 1.29 to 0.66 hours.” —Sarah Lane [02:45]

4. Leakbase Admin Arrested in Russia

[03:01–03:42]

• Action:

  • Russian authorities arrest alleged Leakbase admin—accused of trading in hundreds of millions of stolen credentials and sensitive data since 2021.
  • Platform Scale:
    • Over 147,000 registered users.
    • Hosted massive troves of financial information and documents.
    • Equipment seized, forum data preserved for evidence.
  • Global Impact:
    • US authorities call Leakbase “one of the world’s largest hubs for buying and selling stolen data and cybercrime tools.”

• Memorable Quote:

  • “US Authorities called Leakbase one of the world's largest hubs for buying and selling stolen data and cybercrime tools.” —Sarah Lane [03:35]

5. Ransomware Hits Spain’s Port of Vigo

[04:01–04:32]

• Event:
  • Ransomware attack disables digital logistics at Spain’s Port of Vigo, forcing cargo operations to revert to manual process.
  • Response:
    • Prompt isolation of affected networks.
    • Port remains operational physically; digital systems offline pending verification.
    • No group has claimed responsibility; investigation underway.

6. Bubble (AI App Builder) Used in Microsoft 365 Credential Phishing

[04:32–05:13]

• Tactic:

  • Threat actors host phishing apps on Bubble’s trusted domain, tricking users into Microsoft 365 credential theft.
  • Evasion:
    • Trusted domains evade email security scanning.
    • Apps leverage complex JavaScript and shadow DOMs, stymieing both human and automated analysis.

• Notable Quote:

  • “Because the apps are served from trusted bubble IO domains, email security tools often fail to flag them...” —Sarah Lane [04:43]

7. Puerto Rico’s Department of Transportation Shuts Down After Cyberattack

[05:13–05:50]

• Incident:
  • All driver’s license and vehicle service appointments canceled due to a cyber incident, temporarily shutting down systems for containment.
  • Reassurance:
    • Authorities say no evidence of data theft; systems being restored and tested.
    • Latest in a series of attacks on Puerto Rico’s government agencies.

8. Citrix Urges Emergency Patching for NetScaler Vulnerabilities

[05:50–06:30]

• Threat:

  • Citrix patches two vulnerabilities (including a ‘Citrix Bleed’-type critical flaw) affecting NetScaler ADC and Gateway devices.
  • Risks:
    • Attackers could steal session tokens via memory overread or cause session mixups.
    • Over 30,000 instances exposed; potential for reverse engineering of fixes and rapid exploitation.
  • Call to Action:
    • Citrix and researchers stress immediate patching as essential.

• Highlight:

  • “With the flaw closely mirroring previously exploited zero days, making remediation critical.” —Sarah Lane [06:22]

Notable Quotes and Memorable Moments

• On Torg Grabber’s sophistication:

  • “It now uses HTTPS via Cloudflare for data exfiltration to steal credentials, cookies, crypto wallet data and files while using evasion techniques like in-memory execution, encryption bypasses and anti analysis protections.” —Sarah Lane [00:36]

• On open-source malware campaign risk:

  • “Users should treat affected environments as fully compromised and rotate all credentials.” —Sarah Lane [01:55]

• On AI-driven security improvement:

  • “Copilot Autofix suggesting remedies… and autofix cutting resolution time from 1.29 to 0.66 hours.” —Sarah Lane [02:45]

• On cybercrime marketplace impact:

  • “US Authorities called Leakbase one of the world's largest hubs for buying and selling stolen data and cybercrime tools.” —Sarah Lane [03:35]

• On phishing tool creativity:

  • “Because the apps are served from trusted bubble IO domains, email security tools often fail to flag them...” —Sarah Lane [04:43]

Timestamps for Key Segments

| Segment | Timestamps | |-----------------------------------------------------|----------------------| | Torg Grabber crypto wallet attacks | 00:07–01:24 | | TeamPCP backdoors LiteLLM via Python supply chain | 01:24–02:17 | | GitHub AI bug detection rollout | 02:17–03:01 | | Leakbase admin arrest | 03:01–03:42 | | Ransomware disrupts Spanish port | 04:01–04:32 | | Bubble abused for Microsoft phishing | 04:32–05:13 | | Puerto Rico DOT cyberattack | 05:13–05:50 | | Emergency Citrix NetScaler flaws | 05:50–06:30 |

Overall Tone and Takeaways

The episode is brimming with urgency and crucial news tailored for security professionals. The host remains clear, authoritative, and pragmatic throughout, emphasizing both emerging trends (like AI in security and open-source risks) and the need for proactive, rapid response to high-impact vulnerabilities and incidents.

Listeners gain a rapid, thorough overview of the threats, technical details of attacks, and immediate steps professionals should be considering in today’s security climate.