End-of-Day report
Timeframe: Tuesday 24-03-2026 18:00 - Wednesday 25-03-2026 18:00
Handler: Felician Fuchs
Co-Handler: Guenes Holler
News
Supply Chain Security in the CI/CD Environment
In recent weeks, several security solutions from the continuous integration/continuous delivery (CI/CD) space were successfully compromised: Xygeni, Trivy, Checkmarx. By injecting malicious code, the attackers primarily stole credentials from automated CI/CD pipelines in which the compromised companies' software packages are used. The credentials obtained this way were subsequently used to compromise further software packages.
https://www.cert.at/de/aktuelles/2026/3/supply-chain-security-im-cicd-umfeld
SmartApeSG campaign pushes Remcos RAT, NetSupport RAT, StealC, and Sectop RAT (ArechClient2), (Wed, Mar 25th)
This diary provides indicators from the SmartApeSG (ZPHP, HANEYMANEY) campaign I saw on Tuesday, 2026-03-24. SmartApeSG is one of many campaigns that use the ClickFix technique.
https://isc.sans.edu/diary/rss/32826
Device Code Phishing Hits 340+ Microsoft 365 Orgs Across Five Countries via OAuth Abuse
Cybersecurity researchers are calling attention to an active device code phishing campaign that's targeting Microsoft 365 identities across more than 340 organizations in the U.S., Canada, Australia, New Zealand, and Germany. The activity, per Huntress, was first spotted on February 19, 2026, with subsequent cases appearing at an accelerated pace since then.
https://thehackernews.com/2026/03/device-code-phishing-hits-340-microsoft.html
GlassWorm Malware Uses Solana Dead Drops to Deliver RAT and Steal Browser, Crypto Data
Cybersecurity researchers have flagged a new evolution of the GlassWorm campaign that delivers a multi-stage framework capable of comprehensive data theft and installing a remote access trojan (RAT), which deploys an information-stealing Google Chrome extension masquerading as an offline version of Google Docs.
https://thehackernews.com/2026/03/glassworm-malware-uses-solana-dead.html
1K+ cloud environments infected following Trivy supply chain attack
Crims creating a snowball effect across open source projects. RSAC 2026: Thousands of organizations' cloud environments have been infected with secret-stealing malware as a result of the Trivy supply-chain attack last week, and now the crims that compromised the open source scanners are working with notorious extortion crews like Lapsus$.
https://www.theregister.com/2026/03/24/1k_cloud_environments_infected_following/
The used car that never existed: advance-fee fraud in the name of Sixt Car Sales
An email lands in the virtual inbox, allegedly from Sixt Car Sales GmbH. Its content: cheap used cars are available for sale on short notice. You are invited to browse the attached catalogue; perhaps there is a suitable vehicle in it. Anyone who goes along with the deal and transfers the agreed price, however, never receives a car. And the money is gone too.
https://www.watchlist-internet.at/news/gebrauchtwagen-vorschussbetrug-sixt/
Threat Brief: Recruiting Scheme Impersonating Palo Alto Networks Talent Acquisition Team
Unit 42 identifies a recruitment phishing campaign targeting senior professionals via impersonation and fraudulent resume fees.
https://unit42.paloaltonetworks.com/phishing-attackers-pose-as-panw-recruiters/
5 Malicious npm Packages Typosquat Solana and Ethereum Libraries to Steal Private Keys
Socket's Threat Research Team identified five malicious npm packages published under the account galedonovan, all targeting cryptocurrency developers. Each package typosquats a legitimate crypto library and exfiltrates private keys to a single hardcoded Telegram bot. The campaign covers both the Solana and Ethereum ecosystems, and the C2 infrastructure was confirmed active as of March 23, 2026.
https://socket.dev/blog/5-malicious-npm-packages-typosquat-solana-and-ethereum-libraries-steal-private-keys
Vulnerabilities
PTC warns of imminent threat from critical Windchill, FlexPLM RCE bug
PTC Inc. is warning of a critical vulnerability in Windchill and FlexPLM, widely used product lifecycle management (PLM) solutions, that could allow remote code execution.
https://www.bleepingcomputer.com/news/security/ptc-warns-of-imminent-threat-from-critical-windchill-flexplm-rce-bug/
Supply chain attack on LiteLLM: affected users should change credentials immediately
An attack on the open-source library for connecting to LLMs has apparently taken place, as a result of which two compromised packages can steal credentials.
https://heise.de/-11223618
MariaDB database management system can crash or let malicious code onto systems
The MariaDB developers have closed a security vulnerability. A patch is available.
https://heise.de/-11224256
iStat Menus < 7.20.5 local privilege escalation
iStat Menus versions before 7.20.5 have a local privilege escalation vulnerability due to insecure world-writable permissions set by the install helper component. This allows standard users to execute commands as root.
https://markuta.com/istat-menus-local-privilege-escalation/
LWN Security updates for Wednesday
https://lwn.net/Articles/1064634/