End-of-Day report
Timeframe: Monday 30-03-2026 18:00 - Tuesday 31-03-2026 18:00
Handler: Michael Schlagenhaufer
Co-Handler: Felician Fuchs
News
New RoadK1ll WebSocket implant used to pivot on breached networks
A newly identified malicious implant named RoadK1ll is enabling threat actors to quietly move from a compromised host to other systems on the network.
https://www.bleepingcomputer.com/news/security/new-roadk1ll-websocket-implant-used-to-pivot-on-breached-networks/
DeepLoad Malware Uses ClickFix and WMI Persistence to Steal Browser Credentials
A new campaign has leveraged the ClickFix social engineering tactic as a way to distribute a previously undocumented malware loader referred to as DeepLoad.
https://thehackernews.com/2026/03/deepload-malware-uses-clickfix-and-wmi.html
Telnyx joins LiteLLM in latest PyPI package poisoning tied to Trivy breach
The cybercrime crew linked to the Trivy supply-chain attack has struck again, this time pushing malicious Telnyx package versions to PyPI in an effort to plant credential-stealing malware on developers' systems.
https://www.theregister.com/2026/03/30/telnyx_pypi_supply_chain_attack_litellm/
OpenAI patches ChatGPT flaw that smuggled data over DNS
Check Point says outbound controls blocked web traffic but overlooked DNS. OpenAI talks up data security for its AI services, yet Check Point says that ChatGPT allowed data to leak through a DNS side channel before the flaw was fixed.
https://www.theregister.com/2026/03/30/openai_chatgpt_dns_data_snuggling_flaw/
Telegram: Wrangling over critical or high-risk security vulnerability
IT researchers have identified a supposedly critical zero-click vulnerability in Telegram. Telegram disputes this.
https://www.heise.de/news/Telegram-Hickhack-um-kritische-oder-hochriskante-Sicherheitsluecke-11241393.html
Security Governance at the Speed of Vibe Coding
Vibe-coded apps now reach production without security review, dependency scanning, or organizational oversight, built by employees who've never written code. The SaaS and DevOps transitions give security teams a starting governance approach that works at this speed.
https://zeltser.com/security-governance-vibe-coding
Fake Post invoice: When the QR code leads into a trap
"The parcel is on its way, you can transfer the amount now!" Criminals use fake classified-ad sales to try to get at their victims' credit card data and money. As supposed confirmation of shipment, they send a photo of an invoice from Post AG. But beware: everything here is fake!
https://www.watchlist-internet.at/news/post-rechnung-fake/
Double Agents: Exposing Security Blind Spots in GCP Vertex AI
Unit 42 uncovers a "double agent" flaw in Google Cloud's Vertex AI, demonstrating how overprivileged AI agents can compromise cloud environments.
https://unit42.paloaltonetworks.com/double-agents-vertex-ai/
When Trusted Software Updates Become the Attack Vector: Inside Operation TrueChaos and a New Zero Day Vulnerability in a Popular Collaboration Tool
At the start of 2026, Check Point Research uncovered a targeted cyber espionage campaign that challenges long held assumptions about trust inside enterprise and government networks. Dubbed Operation TrueChaos, the campaign did not rely on phishing, stolen credentials, or exploitation of internet facing servers. Instead, attackers abused a previously unknown zero day vulnerability in a trusted, widely deployed enterprise videoconferencing platform to quietly distribute malware across multiple government agencies at once.
https://blog.checkpoint.com/research/when-trusted-software-updates-become-the-attack-vector-inside-operation-truechaos-and-a-new-zero-day-vulnerability-in-a-popular-collaboration-tool/
OpenAI Codex Vulnerability Allowed Attackers to Steal GitHub Tokens
OpenAI Codex vulnerability allowed attackers to steal GitHub tokens via malicious branch names using a hidden Unicode command injection flaw.
https://hackread.com/openai-codex-vulnerability-steal-github-tokens/
AI Integration Security: Why the Biggest Risk Is Not the Model
AI integration security matters more than model security alone. Learn why the biggest AI risk comes from connected systems, stacked privileges, and workflow access.
https://www.bitsight.com/blog/ai-integration-security-biggest-risk-not-the-model
Vulnerability Research Is Cooked
For the last two years, technologists have ominously predicted that AI coding agents will be responsible for a deluge of security vulnerabilities. They were right! Just, not for the reasons they thought.
https://sockpuppet.org/blog/2026/03/30/vulnerability-research-is-cooked/
Railway Incident Report: Authenticated user data cached
Railway experienced an incident where CDN features were accidentally enabled for some domains without users enabling them. For those affected, this may have resulted in potentially authenticated data being served to unauthenticated users.
https://blog.railway.com/p/incident-report-march-30-2026-accidental-cdn-caching
Vulnerabilities
Compromised axios npm packages distribute malware
The widely used JavaScript library axios (an HTTP client with more than 300 million weekly downloads on npm) was abused as an attack vector through compromised package versions. Two malicious versions were published via the hijacked npm account of a main developer: axios@1.14.1 and axios@0.30.4. Both versions contain an additional dependency (plain-crypto-js@4.2.1) that automatically downloads a remote access trojan (RAT) for macOS, Windows and Linux on installation. The malicious versions have since been removed from npm.
https://www.cert.at/de/warnungen/2026/3/kompromittierte-axios-npm-pakete-verbreiten-schadsoftware
RCE Vulnerability in F5 BIG-IP APM (CVE-2025-53521)
This issue was previously classified as a Denial-of-Service (DoS) vulnerability but has been re-categorized as an RCE in March 2026 following new information.
https://www.truesec.com/hub/blog/rce-vulnerability-cve-2025-53521
Claude finds RCE in Vim and Emacs
We asked Claude to find a bug in Vim. It found an RCE. Just open a file, and you're owned. We joked: fine, we'll switch to Emacs. Then Claude found an RCE there too.
https://blog.calif.io/p/mad-bugs-vim-vs-emacs-vs-claude
LWN Security updates for Tuesday
https://lwn.net/Articles/1065585/