Oracle has released an emergency, out-of-band security update to address CVE-2026-21992, a critical vulnerability affecting Oracle Identity Manager and Oracle Web Services Manager.
On March 19 and March 20, 2026, a threat actor known as TeamPCP executed a highly impactful, cross-ecosystem supply chain attack. The campaign began with the compromise of Aqua Security's Trivy vulnerability scanner and quickly expanded into a self-propagating worm, known as CanisterWorm, across the npm registry.
The 2026 tax season has seen a marked escalation in cyberattack sophistication, with Microsoft Threat Intelligence identifying a high volume of campaigns that exploit the seasonal pressure of filing deadlines.
A suspected North Korea-linked threat actor attempted to infiltrate a targeted organization by applying for a remote IT position. Within a 10 day period in August 2025, the operative was hired to manage Salesforce data, provisioned with an EntraID account, and subsequently detected and terminated.
The FBI's FLASH-20260320-001 advisory details a sophisticated and ongoing campaign by the Iranian Ministry of Intelligence and Security (MOIS) that leverages the Telegram messaging platform as a primary command-and-control (C2) infrastructure.
On March 17, 2026, a critical unauthenticated remote code execution (RCE) vulnerability was disclosed in Langflow, the widely-used open-source visual framework for building AI agents and RAG pipelines, tracked as CVE-2026-33017.
On March 19, 2026, the U.S. Department of Justice, in coordination with law enforcement in Canada and Germany, executed a court-authorized operation to dismantle the command-and-control infrastructure of four IoT-based DDoS botnets: Aisuru, KimWolf, JackSkid, and Mossad.
ConnectWise has released a security update for a critical vulnerability in its ScreenConnect remote monitoring and management (RMM) platform that exposes server-level cryptographic material.
A highly sophisticated social engineering campaign is currently targeting Windows users by leveraging the ubiquity of Zoom to deliver malware.
A recent investigation by Group-IB has uncovered the emergence and rapid evolution of "The Gentlemen," a Ransomware-as-a-Service (RaaS) operation led by a threat actor known as "hastalamuerte."
A new information-stealing malware, dubbed "Speagle," has been identified targeting organizations that utilize the Cobra DocGuard data protection software.
The Google Threat Intelligence Group (GTIG) has identified DarkSword, a highly sophisticated iOS full-chain exploit utilizing six vulnerabilities to fully compromise devices running iOS versions 18.4 through 18.7.
A critical vulnerability in Microsoft SharePoint Server, originally patched in January 2026, is now seeing active exploitation in the wild.
Ubiquiti has patched two vulnerabilities in the UniFi Network Application, including a maximum-severity flaw that may allow attackers to take over user accounts.
EDR killers have become one of the most commonly seen tools in modern ransomware intrusions, with attackers acquiring high privileges, deploying such tools to disrupt endpoint protection, and only then launching an encryptor.
Amazon threat intelligence identified an active Interlock ransomware campaign exploiting CVE-2026-20131, a critical vulnerability in Cisco Secure Firewall Management Center (FMC) Software.
ConnectWise disclosed a new high-severity vulnerability in ScreenConnect on March 17, 2026, tracked as CVE-2026-3564 with a CVSS score of 9.0.
A security flaw, tracked as CVE-2026-3888 (CVSS 7.8), has been identified in the snapd package management system, primarily impacting default installations of Ubuntu 24.04 and 25.10.
Recent research has detailed a sophisticated technique called "Poisoned Typeface," which leverages the discrepancy between how AI assistants parse a webpage's Document Object Model (DOM) and how a browser visually renders that same page for a human.
On January 19, 2026, the UK's National Cyber Security Centre (NCSC) issued an alert highlighting the persistent targeting of UK organizations by Russian state-aligned hacktivist groups seeking to disrupt networks.
According to Akamai's 2026 State of the Internet (SOTI) report, APIs have become the dominant attack surface for global organizations, with 87% of organizations registering an API-related security incident in 2025.
On January 19, 2026, Proofpoint Threat Research observed a risk pattern in a controlled test environment dubbed "CursorJack" that affects the Cursor IDE.
Group-IB recently detailed a sophisticated and expanding "fake shipment tracking" scam primarily targeting the Middle East and Africa (MEA) region, though its infrastructure is global in scope.
The "ClickFix" technique has rapidly transitioned from a novel social engineering trick into a highly industrialized threat vector. At its core, ClickFix exploits "verification fatigue" by presenting users with fake browser errors, CAPTCHAs, or software update prompts.
BeyondTrust's Phantom Labs research team, uncovered a critical architectural flaw in the AWS Bedrock AgentCore Code Interpreter, a managed service that enables AI agents to write and execute code for tasks such as data analysis and calculations.
StepSecurity's threat intelligence team has identified an active supply chain campaign, tracked as ForceMemo, in which a threat actor is compromising hundreds of GitHub developer accounts and injecting identical infostealer malware into hundreds of Python repositories, with earliest injections dating to March 8, 2026.
On March 12, 2026, Polish authorities, including the Internal Security Agency (ABW), reported a sophisticated cyberattack targeting the National Centre for Nuclear Research (NCBJ), home to Poland's only operational nuclear research reactor, MARIA.
XWorm has emerged as the dominant commodity remote access trojan (RAT) in the underground malware market, with version 7.1 representing a significant escalation in capability and sophistication.
Trend Micro's analysis of a Warlock-related incident from early January 2026 revealed that operators maintained undetected access inside a victim's network for 15 days before deploying ransomware.
Sophos X-Ops analysis of recent intrusions by Iran-based threat groups (including state-sponsored APTs and state-aligned "hacktivist" personas) reveals a strategic reliance on cost-effective, repeatable, and identity-centric initial access methods.
Cyble Research and Intelligence Labs has identified a widespread social engineering campaign active since early 2026 that leverages AI-assisted development techniques to harvest sensitive multimedia and device data.
In March 2026, the threat actor known as Glassworm initiated a widespread software supply chain campaign targeting over 150 GitHub repositories, npm packages, and the VS Code marketplace.
Microsoft Threat Intelligence has exposed a sophisticated, financially motivated campaign by Storm-2561 that leverages Search Engine Optimization poisoning to steal enterprise credentials.
IBM X-Force has identified a new malware strain dubbed "Slopoly," which represents a significant milestone in the evolution of offensive AI. Attributed to the financially motivated threat group Hive0163, the malware was recently deployed during an Interlock ransomware attack.
Intel 471's Malware Intelligence team documented a cluster of threat activity exploiting the rapid rise of OpenClaw, an open-source autonomous AI agent platform that accumulated roughly 265,000 GitHub stars by early March 2026.
A coordinated international law enforcement operation dubbed Operation Lightning has disrupted SocksEscort, a long-running criminal residential proxy network that monetized compromised SOHO routers as anonymization infrastructure for paying cybercriminals.
Endor Labs researchers have identified 88 new malicious npm packages linked to three active waves of the PhantomRaven software supply chain campaign.
The landscape of Iranian state-sponsored cyber operations is undergoing a fundamental transformation, shifting from the mere imitation of cybercrime to direct, active integration within the criminal ecosystem.
Rapid7 Labs has identified an active, large-scale campaign in which an unidentified threat actor is compromising legitimate WordPress websites to deliver ClickFix-style credential and digital wallet stealers to unsuspecting visitors.
Adobe released a security update on March 10, 2026 addressing three vulnerabilities in Adobe Acrobat and Acrobat Reader for Windows and macOS (APSB26-26).
A new technique dubbed "Zombie ZIP" has been identified that conceals malicious payloads inside specially crafted compressed archive files designed to evade detection by antivirus (AV) and endpoint detection and response (EDR) products.
The Health-ISAC has released an advisory on the Iranian attacks against Stryker Corporation claimed by the Handala Group.
This report from AllSecure details a highly targeted social engineering and malware campaign attributed to Lazarus Group, targeting high-level executives, founders, and technical leaders.
The Google Cloud Threat Horizons Report H1 2026 details a sophisticated supply chain attack that underscores the speed and automation of modern cloud breaches.
Aryaka Threat Research has uncovered a sophisticated, year-long malware campaign operated by a Russian-speaking threat actor specifically targeting HR and recruitment personnel.
The threat group known as ShinyHunters has explicitly claimed to be actively exploiting misconfigured Salesforce Experience Cloud deployments to conduct large-scale data exfiltration operations.
Research from BlueVoyant highlights a sophisticated social engineering campaign dubbed "Blitz Brigantine" (also tracked as Storm-1811) that utilizes a new, custom malware called A0Backdoor.