End-of-Day report
Timeframe: Friday 13-03-2026 18:00 - Monday 16-03-2026 18:00
Handler: Alexander Riepl
Co-Handler: Felician Fuchs
News
Supply-chain attack using invisible code hits GitHub and other repositories
Unicode that's invisible to the human eye was largely abandoned, until attackers took notice.
https://arstechnica.com/security/2026/03/supply-chain-attack-using-invisible-code-hits-github-and-other-repositories/
Fake enterprise VPN sites used to steal company credentials
A threat actor tracked as Storm-2561 is distributing fake enterprise VPN clients from Ivanti, Cisco, and Fortinet to steal VPN credentials from unsuspecting users.
https://www.bleepingcomputer.com/news/security/fake-enterprise-vpn-downloads-used-to-steal-company-credentials/
AppsFlyer Web SDK hijacked to spread crypto-stealing JavaScript code
The AppsFlyer Web SDK was temporarily hijacked this week with malicious code used to steal cryptocurrency in a supply-chain attack.
https://www.bleepingcomputer.com/news/security/appsflyer-web-sdk-used-to-spread-crypto-stealer-javascript-code/
Cyber attack: hackers attack Polish nuclear reactor operator
Poland's national nuclear research centre confirms an attempted cyber attack on its own IT. Initial traces allegedly point towards Iran.
https://www.golem.de/news/cyberangriff-hacker-attackieren-polnischen-kernreaktor-betreiber-2603-206533.html
Connected factories in the crosshairs: cyber attacks cost the automotive industry billions
A white paper by the think tank CAM and Cisco shows that damage costs have exploded, with suppliers in particular regarded as the weakest link in the chain.
https://www.heise.de/news/Vernetzte-Fabriken-im-Visier-Cyberangriffe-kosten-Autobranche-Milliarden-11211531.html
FBI seeks victims of infected Steam games for its own investigation
The FBI is calling on users of eight infected games offered on Steam for help. Players are asked to support the investigation via a form.
https://www.heise.de/news/FBI-sucht-Opfer-infizierter-Steam-Spiele-fuer-eigene-Ermittlungen-11211660.html
Spammers use high fuel prices as bait
Because of the Iran war, fuel prices remain high. Spammers are abusing this and trying to foist useless OBD2 dongles on victims.
https://www.heise.de/news/Spam-Warnung-Betrueger-koedern-mit-angeblichen-Spritspar-Dongles-11211698.html
Fixed-term deposit trap zinsfuchs.com: warning signs at a glance
Fixed-term and call money deposits are considered a safe and popular form of investment. But beware: black sheep keep hiding among reputable online providers. A current example is the website zinsfuchs.com, which lures victims into the trap with attractive offers.
https://www.watchlist-internet.at/news/festgeld-falle-zinsfuchscom/
Roll Your Own... LMS
People say don't roll your own crypto, but nobody ever warns you not to roll your own LMS (when you have minimal dev experience).
https://blog.zsec.uk/roll-your-own-lms/
Web Shells, Tunnels, and Ransomware: Dissecting a Warlock Attack
Warlock continues to enhance its attack chain with new tactics to improve persistence, lateral movement, and defense evasion using an expanded toolset: TightVNC, Yuze, and a persistent BYOVD technique leveraging the NSec driver.
https://www.trendmicro.com/en_us/research/26/c/dissecting-a-warlock-attack.html
Ransomware Under Pressure: Tactics, Techniques, and Procedures in a Shifting Threat Landscape
Since 2018, when many financially motivated threat actors began shifting their monetization strategy to post-compromise ransomware deployments, ransomware has become one of the most pervasive threats to organizations across almost every industry vertical and region.
https://cloud.google.com/blog/topics/threat-intelligence/ransomware-ttps-shifting-threat-landscape/
Companies House vulnerability enabled company hijacking
A major vulnerability in the Companies House website gave unauthorised access to the private dashboard of any of the five million registered companies for five months. It exposed directors' home addresses and email addresses, and appears to have enabled attackers to change company and director details - and even file accounts.
https://taxpolicy.org.uk/2026/03/13/companies-house-security-vulnerability-directors-addresses/
Try not to get scammed while looking for work
A couple of weeks ago a CTO contacted me about a role at their company. After three failed calls, I figured they were trying to access my machine.
https://trysound.io/try-not-to-get-scammed-while-looking-for-work/
72 Malicious Open VSX Extensions Linked to GlassWorm Campaign Now Using Transitive Dependencies
GlassWorm has not re-emerged so much as evolved, and our latest analysis shows a significant escalation in how it spreads through Open VSX. Instead of requiring every malicious listing to embed the loader directly, the threat actor is now abusing extensionPack and extensionDependencies to turn initially standalone-looking extensions into transitive delivery vehicles in later updates, allowing a benign-appearing package to begin pulling a separate GlassWorm-linked extension only after trust has already been established.
https://socket.dev/blog/open-vsx-transitive-glassworm-campaign
Ongoing Phishing Campaign Abusing Google Cloud Storage to Redirect Users to Multiple Scam Pages
A few days ago, I published a blog analyzing a phishing campaign abusing Google Cloud infrastructure. While continuing to monitor the infrastructure used in that campaign, I discovered several additional URLs hosted on Google Cloud Storage (storage[.]googleapis[.]com) that appear to be part of the same ecosystem.
https://malwr-analysis.com/2026/03/14/ongoing-phishing-campaign-abusing-google-cloud-storage-to-redirect-users-to-multiple-scam-pages/
Vulnerabilities
Chrome: first fix insufficient, new emergency update released
After Google had already released an emergency update for Chrome on Friday, the vendor followed up with another one in the night to Saturday.
https://www.heise.de/news/Jetzt-aktualisieren-Chrome-Notfall-Update-fuer-Notfall-Update-11211109.html
LWN Security updates for Monday
https://lwn.net/Articles/1063095/