CyberSecurity Newsletter 23rd March 2026
In this week’s news: Critical Langflow Flaw CVE-2026-33017 Triggers Attacks within 20 Hours of Disclosure, A Meta agentic AI sparked a security incident by acting without permission, Trivy Security Scanner GitHub Actions Breached, Oracle fixes critical RCE flaw, NIST updates its DNS security guidance for the first time in over a decade, WorldLeaks ransomware group breached the City of Los Angeles, Microsoft Azure Monitor alerts are being abused to send callback phishing emails that impersonate warnings, FBI links Signal phishing attacks to Russian intelligence, LAPSUS$ Claims Alleged AstraZeneca Data Breach, U.S. DoJ disrupted command-and-control infrastructure used by several IoT botnets, Hackers target millions of iPhones with new DarkSword spyware, and Researchers found a font-rendering trick to hide malicious commands.
A critical security flaw impacting Langflow has come under active exploitation within 20 hours of public disclosure, highlighting the speed at which threat actors weaponize newly published vulnerabilities. The security defect, tracked as CVE-2026-33017 (CVSS score: 9.3), is a case of missing authentication combined with code injection that could result in remote code execution.
https://thehackernews.com/2026/03/critical-langflow-flaw-cve-2026-33017.html
https://www.linkedin.com/posts/conordsherman_a-critical-langflow-rce-dropped-20-hours-activity-7440747759424540672-LU_U
The Information reported that an AI agent within Meta took unauthorized action that led to an employee creating a security breach at the social company last week. According to the publication, an employee used an in-house agentic AI to analyze a query from a second employee on an internal forum. The AI agent posted a response to the second employee with advice even though the first person did not direct it to do so.
https://www.engadget.com/ai/a-meta-agentic-ai-sparked-a-security-incident-by-acting-without-permission-224013384.html
Oracle released security updates to address a critical vulnerability, tracked as CVE-2026-21992 (CVSS score of 9.8), affecting Identity Manager and Web Services Manager. The flaw lets unauthenticated attackers take control of Oracle Identity Manager and Web Services Manager over HTTP, risking full system compromise with severe impact on data and availability.
https://securityaffairs.com/189796/security/oracle-fixes-critical-rce-flaw-cve-2026-21992-in-identity-manager.html
A threat actor group identifying itself as “LAPSUS$” is claiming responsibility for an alleged data breach involving AstraZeneca, one of the world’s largest multinational pharmaceutical and biotechnology companies. The group claims to have obtained approximately 3GB of internal data, including source code, cloud infrastructure configurations, and employee-related information.
https://hackread.com/hacker-group-lapsus-astrazeneca-data-breach/
The U.S. DoJ disrupted command-and-control infrastructure used by several IoT botnets, including AISURU, Kimwolf, JackSkid, and Mossad. The operation involved authorities from Canada and Germany, along with major tech companies, to target botnet operators and weaken their global cybercrime activities.
https://securityaffairs.com/189710/cyber-crime/global-law-enforcement-operation-targets-aisuru-kimwolf-jackskid-botnet-operators.html
The WorldLeaks group hit Los Angeles and its Metro, forcing a shutdown, while two Bay Area cities declared emergencies after ransomware attacks. This week, local media reported that unauthorized activity hit Metro’s internal systems, forcing the agency to limit access and disrupting station arrival displays.
https://securityaffairs.com/189753/data-breach/worldleaks-group-breached-the-city-of-los-angels.html
The FBI has issued a public service announcement warning that Russian intelligence-linked threat actors are actively targeting users of encrypted messaging apps such as Signal and WhatsApp in phishing campaigns that have already compromised thousands of accounts.
https://www.bleepingcomputer.com/news/security/fbi-links-signal-phishing-attacks-to-russian-intelligence-services/
Trivy, a popular open-source vulnerability scanner maintained by Aqua Security, was compromised a second time within the span of a month to deliver malware capable of stealing sensitive CI/CD secrets. The latest incident impacted the GitHub Actions "aquasecurity/trivy-action" and "aquasecurity/setup-trivy," which are used to scan Docker container images for vulnerabilities and to set up a GitHub Actions workflow with a specific version of the scanner, respectively.
https://thehackernews.com/2026/03/trivy-security-scanner-github-actions.html
Sansec disclosed a critical flaw in the Magento and Adobe Commerce REST API that allows attackers to upload executable files without authentication. The issue affects versions up to 2.4.9-alpha2 and could also enable XSS in releases prior to 2.3.5, exposing many online stores to compromise.
https://securityaffairs.com/189744/security/polyshell-flaw-exposes-magento-and-adobe-commerce-to-file-upload-attacks.html
Navia Benefit Solutions disclosed a data breach affecting 2,697,540 individuals. The company detected suspicious activity on January 23, 2026 and quickly launched an investigation to assess the incident. Navia Benefit Solutions is a U.S.-based company that provides employee benefits administration services to employers and their staff.
https://securityaffairs.com/189726/data-breach/navia-data-breach-impacts-nearly-2-7-million-people.html
Microsoft Azure Monitor alerts are being abused to send callback phishing emails that impersonate warnings from the Microsoft Security Team about unauthorized charges on your account.
https://www.bleepingcomputer.com/news/security/microsoft-azure-monitor-alerts-abused-in-callback-phishing-campaigns/
Threat actors are suspected to be exploiting a maximum-severity security flaw impacting Quest KACE Systems Management Appliance (SMA), according to Arctic Wolf.
https://thehackernews.com/2026/03/hackers-exploit-cve-2025-32975-cvss-100.html
DNS infrastructure underpins nearly every network connection an organization makes, yet security configurations for it have gone largely unrevised at the federal guidance level for more than twelve years. NIST published SP 800-81r3, the Secure Domain Name System Deployment Guide, superseding a version that dates to 2013.
https://www.helpnetsecurity.com/2026/03/23/nist-dns-security-guide-sp-800-81r3/
An international law enforcement action called Operation Alice has shut down over 373,000 dark web sites that offered fake CSAM packages. The investigation, led by Germany and supported by Europol, began in mid-2021 and focused on a platform called “Alice with Violence CP,” operated by a 35-year-old suspect based in China.
https://www.bleepingcomputer.com/news/security/police-take-down-373-000-fake-csam-sites-in-operation-alice/
DarkSword is a new hacking toolkit being deployed by bad actors on a global scale. The reports by Google Threat Intelligence Group and cybersecurity companies Lookout and iVerify detailed multiple vulnerabilities used to carry out attacks against iOS devices running versions 18.4 through 18.7.
https://mashable.com/article/hackers-target-apple-iphone-darksword-spyware
Intoxalock’s servers have been offline since March 14 following a cyberattack, preventing customers from calibrating their ignition interlock devices. The company is offering a ten-day recalibration extension and will cover direct towing fees, though the extension does not immediately apply in Arkansas, Massachusetts, Michigan, and Washington.
https://www.hendryadrian.com/cyberattack-disrupts-intoxalock-services/
Cybersecurity researchers have disclosed a critical security flaw impacting the GNU InetUtils telnet daemon (telnetd) that could be exploited by an unauthenticated remote attacker to execute arbitrary code with elevated privileges.
https://thehackernews.com/2026/03/critical-telnetd-flaw-cve-2026-32746.html
Researchers have published a proof-of-concept (PoC) that uses custom fonts to fool many popular Artificial Intelligence (AI) assistants, including ChatGPT, Claude, Copilot, Gemini, Leo, Grok, Perplexity, Sigma, Dia, Fellou, and Genspark.
https://www.malwarebytes.com/blog/news/2026/03/researchers-found-font-rendering-trick-to-hide-malicious-commands
CVE-2026-26144: Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Office Excel allows an unauthorized attacker to disclose information over a network.
https://www.cyberhub.blog/cves/CVE-2026-26144