Transcript
A (0:00)
From the CISO series, it's Cybersecurity Headlines
B (0:06)
These are the cybersecurity headlines for Thursday, March 26, 2026. I'm Sarah Lane.

Torg Grabber targets crypto wallets
A new info stealer called Torg Grabber is targeting more than 850 browser extensions, including 7,728 cryptocurrency wallets along with password managers and 2FA tools. Researchers at Gen Digital say it spreads via ClickFix attacks that trick users into running malicious PowerShell commands. There are hundreds of new samples and weekly C2 infrastructure updates, and it now uses HTTPS via Cloudflare for data exfiltration to steal credentials, cookies, crypto wallet data and files, while using evasion techniques like in-memory execution, encryption bypasses and anti-analysis protections.

TeamPCP backdoors LiteLLM
Threat actor TeamPCP compromised two LiteLLM Python packages via a tainted Trivy dependency, injecting malware that steals credentials, spreads across Kubernetes clusters and installs persistent backdoors. Researchers at Endor Labs and JFrog say the payload executes automatically, harvesting SSH keys, cloud secrets and crypto wallets, then exfiltrating data and deploying backdoors across infected systems. Maintainer BerriAI and the Python Packaging Authority warn users to treat affected environments as fully compromised and rotate all credentials. Researchers say the campaign may involve collaboration with Lapsus$.

GitHub adds AI-powered security bug detection
GitHub is adding AI-powered scanning to its code security tools to expand vulnerability detection beyond CodeQL, covering shell/Bash, Dockerfiles, Terraform, PHP and other ecosystems. The hybrid model is entering public preview soon and flags issues like misconfigurations, weak cryptography and insecure SQL at the pull request level, with Copilot Autofix suggesting remedies. Internal tests showed 170,000 findings over 30 days, 80% positive feedback, and Autofix cutting resolution time from 1.29 to 0.66 hours.

LeakBase admin arrested over stolen credential marketplace
Russian authorities arrested the alleged administrator of the LeakBase cybercrime forum, a resident of Taganrog, for running a marketplace that traded stolen personal and corporate data. Since 2021, the platform has hosted hundreds of millions of credentials, financial information and documents, with more than 147,000 registered users. Law enforcement seized equipment and preserved forum data for evidence. US authorities called LeakBase one of the world's largest hubs for buying and selling stolen data and cybercrime tools.

Huge thanks to our sponsor ThreatLocker. Detection-based security assumes you'll catch an attack in time. Control-based security assumes you won't. That mindset shift is driving more organizations to focus on preventative controls, stopping unknown execution and unauthorized privilege elevation instead of relying solely on alerts after the fact. Learn a lot more at threatlocker.com.

Ransomware disrupts Spanish fishing port
A ransomware attack hit Spain's Port of Vigo, disrupting digital systems that manage cargo operations and forcing staff to revert to manual processes. The attack was detected Tuesday and locked servers along with a ransom demand. Authorities isolated affected networks. Physical port operations continue, but digital logistics are offline pending security verification. No group has claimed responsibility, but an investigation is ongoing.

Bubble AI app builder abused for Microsoft credentials
Kaspersky researchers report that threat actors are abusing Bubble to host phishing apps that steal Microsoft 365 credentials while evading detection. Because the apps are served from trusted bubble.io domains, email security tools often fail to flag them, letting victims get redirected to fake Microsoft login pages. The AI-generated apps reportedly use complex JavaScript and shadow DOM structures that are difficult for both humans and automated tools to analyze, helping conceal malicious behavior.

Puerto Rico government agency cancels driver's license appointments
Puerto Rico's Department of Transportation canceled all driver's license and vehicle service appointments after a cyberattack forced officials to shut down systems to contain the incident. The Puerto Rico Innovation and Technology Service said the attack was detected on Monday. Response protocols were activated and there is no evidence of data theft so far. Services remain offline while systems are tested and restored, marking the latest in a series of cyber incidents affecting the territory's government agencies.

Citrix urges admins to patch NetScaler flaws
Citrix patched two vulnerabilities affecting NetScaler ADC and Gateway devices, including a critical flaw that could let attackers steal session tokens via a memory over-read, similar to past CitrixBleed exploits. A second bug could allow session mix-ups through a race condition. Citrix is urging immediate patching, with more than 30,000 exposed NetScaler instances being tracked. Researchers warn attackers will likely reverse engineer the fixes, with the flaw closely mirroring previously exploited zero-days, making remediation critical.

When a CISO walks up to a vendor booth, it should be a golden opportunity to connect. So why do so many vendors not know where to even start? We try to figure out what the heck is going on in this week's episode of Defense in Depth. Look for the episode "How to Engage with a CISO When They Express Interest" wherever you get your podcasts. If you have some thoughts on the news from today or about our show in general, be sure to reach out to us at feedback@cisoseries.com. We really want to hear from you. I am Sarah Lane reporting for the CISO Series, and we will talk to you tomorrow.
