End-of-Day report
Timeframe: Friday 27-03-2026 18:00 - Monday 30-03-2026 18:00
Handler: Michael Schlagenhaufer
Co-Handler: Felician Fuchs
News
Backdoored Telnyx PyPI package pushes malware hidden in WAV audio
TeamPCP hackers compromised the Telnyx package on the Python Package Index today, uploading malicious versions that deliver credential-stealing malware hidden inside a WAV file.
https://www.bleepingcomputer.com/news/security/backdoored-telnyx-pypi-package-pushes-malware-hidden-in-wav-audio/
After cyberattack: hackers extort paralysed and brain-injured patients
The BDH-Klinik Greifswald primarily treats patients with spinal cord injuries and brain injuries. Hackers have stolen data and are now misusing it.
https://www.golem.de/news/nach-cyberangriff-hacker-erpressen-gelaehmte-und-hirngeschaedigte-patienten-2603-207051.html
EU Commission: cyberattack on cloud services
The European Commission has become the victim of a cyberattack. An alleged attacker contacted the press.
https://www.heise.de/news/Cyberangriff-auf-Cloud-der-EU-Kommission-11228549.html
Phishing SMS target Trade Republic customers
Criminals are currently sending phishing SMS in the name of the online broker Trade Republic. Their goal: gaining access to the victims' accounts and crypto assets.
https://www.watchlist-internet.at/news/phishing-trade-republic-kundinnen/
Vulnerability CVE-2026-3055 in Citrix NetScaler ADC and Gateway is under attack
On 24 March 2026, in the post Kritische Schwachstellen in Citrix Netscaler ADC und Gateway (März 2026), I warned about two critical vulnerabilities in the Citrix products named. Attacks in the wild via one of the vulnerabilities are now being observed.
https://borncity.com/blog/2026/03/30/schwachstelle-cve-2026-3055-in-citrix-netscaler-adc-und-gateway-wird-angegriffen/
TeamPCP's Telnyx Attack Marks a Shift in Tactics Beyond LiteLLM
Moving beyond their LiteLLM campaign, TeamPCP weaponizes the Telnyx Python SDK with stealthy WAV-based payloads to steal credentials across Linux, macOS, and Windows.
https://www.trendmicro.com/en_us/research/26/c/teampcp-telnyx-attack-marks-a-shift-in-tactics.html
The Sequels Are Never As Good, But We're Still In Pain (Citrix NetScaler CVE-2026-3055 Memory Overread)
Sequels? Pain? We're obviously talking about Citrix NetScalers, yet again. Welcome back to another watchTowr Labs blog post - pull up a chair, we always welcome new members to our group therapy sessions.
https://labs.watchtowr.com/the-sequels-are-never-as-good-but-were-still-in-pain-citrix-netscaler-cve-2026-3055-memory-overread/
FortiClient EMS: security vulnerability under attack
In February, Fortinet patched a critical security vulnerability in FortiClient EMS. It is now being attacked.
https://heise.de/-11229898
The Comforting Lie Of SHA Pinning
In March 2026, Trivy became the latest reminder that software supply chains are, at best, loosely held together with convention and trust. A typosquatting attack slipped malicious code into what looked like a legitimate dependency path. The post-mortems are worth reading, and they all converge on a single recommendation: pin your dependencies. In the GitHub Actions world, that usually translates to use commit SHAs, not tags.
https://www.vaines.org/posts/2026-03-24-the-comforting-lie-of-sha-pinning/
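The recommendation the summary mentions, pinning GitHub Actions to commit SHAs rather than tags, is easy to state and easy to miss in a large workflow tree. The following is an added example, not code from the linked post: a small audit that walks a workflow file and classifies every `uses:` reference as pinned (a full 40-hex commit SHA), unpinned (tag or branch), local (`./path`) or docker. The sample workflow and the `example-org/scanner` action are constructed for the demonstration. One general caveat worth keeping in mind: a full SHA only fixes the content of the action's own repository; anything the action fetches at run time (tool binaries, package installs) is outside the pin.

```python
"""Audit GitHub Actions workflow text for `uses:` references that are not
pinned to a full commit SHA. Added example, not code from the linked post.
The sample workflow below is constructed for the demonstration."""
import re
from dataclasses import dataclass

# Constructed sample: a tag-pinned action, a branch-pinned action, a
# SHA-pinned action with the conventional version comment, a local action
# and a docker reference. The SHA and example-org/scanner are made up.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@main
      - uses: example-org/scanner@0123456789abcdef0123456789abcdef01234567 # v1.2.3
      - uses: ./.github/actions/local-step
      - uses: docker://alpine:3.20
      - run: echo build
"""

FULL_SHA = re.compile(r"^[0-9a-f]{40}$")
# Matches `uses:` at step level (with dash) and at job level (reusable workflows).
USES_LINE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^'\"\s#]+)")


@dataclass(frozen=True)
class UsesRef:
    line_no: int
    action: str   # owner/repo, owner/repo/path, local path or docker image
    ref: str      # text after '@'; empty for local and docker references
    status: str   # "pinned", "unpinned", "local" or "docker"


def classify(spec: str) -> tuple[str, str, str]:
    """Split one `uses:` value into (action, ref, status)."""
    if spec.startswith("./"):
        return spec, "", "local"
    if spec.startswith("docker://"):
        # Image tags are mutable too, but they are not commit SHAs; report separately.
        return spec, "", "docker"
    action, sep, ref = spec.partition("@")
    if sep and FULL_SHA.match(ref):
        return action, ref, "pinned"
    return action, ref, "unpinned"


def audit(workflow_text: str) -> list[UsesRef]:
    """Return one UsesRef per `uses:` line, in file order."""
    results = []
    for n, line in enumerate(workflow_text.splitlines(), 1):
        m = USES_LINE.match(line)
        if not m:
            continue
        action, ref, status = classify(m.group(1))
        results.append(UsesRef(n, action, ref, status))
    return results


def unpinned(workflow_text: str) -> list[str]:
    """Only the references that resolve through a mutable tag or branch."""
    return [f"{r.action}@{r.ref}" for r in audit(workflow_text) if r.status == "unpinned"]


if __name__ == "__main__":
    for r in audit(SAMPLE_WORKFLOW):
        target = f"{r.action}@{r.ref}" if r.ref else r.action
        print(f"line {r.line_no:>2}  {r.status:<9} {target}")
    print("unpinned:", unpinned(SAMPLE_WORKFLOW))
```

Run it against `.github/workflows/*.yml` by reading each file into `audit()`; the `unpinned` list is what a CI gate would fail on, while the `docker` entries deserve a separate look since image tags are mutable as well.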
A Detection Researcher Mindset
As detection researchers we are frequently asked where our detection ideas come from (and to build a backlog for them, and when will it all be done, etc.). At some point I needed to stop referencing Demetri Martin's stand-up where he describes how his jokes are delivered by a delicate fairy from a magical shire (the AI drawing may make more sense now, or not).
https://detect.fyi/a-detection-researcher-mindset-f2ed045480c5
Threats based on Clipboards actions (+ KQL Query)
We are currently placing a strong focus on threats related to AI - and while I truly believe that is the right direction, we shouldn't forget that there are many long-standing techniques that attackers continue to abuse effectively. One of those overlooked areas is clipboard activity.
https://detect.fyi/threats-based-on-clipboards-actions-kql-query-93615eef79b7
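To make the clipboard angle concrete, here is an added example (not the KQL query from the linked post) that runs a clipboard-activity heuristic over constructed process-creation events: PowerShell clipboard cmdlets, the .NET `Clipboard` class, `clip.exe`, and the common Unix clipboard tools. A clipboard read followed by `iex`/`Invoke-Expression` in the same command line is rated higher than a bare read or write. The indicator list and the sample events are the editor's own constructions; the same string matches could be expressed against process command lines in a SIEM query.

```python
"""Flag process-creation events whose command line reads or writes the
clipboard. Added example, not the KQL from the linked post; the indicator
patterns and the sample events are constructed for the demonstration."""
import re
from dataclasses import dataclass

# Constructed sample events: (parent process, process, command line).
SAMPLE_EVENTS = [
    ("explorer.exe", "powershell.exe", 'powershell -w hidden -c "$p = Get-Clipboard; iex $p"'),
    ("cmd.exe", "cmd.exe", "cmd /c echo token=abc | clip"),
    ("svchost.exe", "powershell.exe",
     "powershell -ep bypass -c \"Add-Type -AssemblyName System.Windows.Forms; "
     "[System.Windows.Forms.Clipboard]::GetText()\""),
    ("explorer.exe", "winword.exe", "C:\\Program Files\\Microsoft Office\\WINWORD.EXE /n report.docx"),
    ("bash", "xclip", "xclip -selection clipboard -o"),
    ("explorer.exe", "powershell.exe", "powershell -c Get-Process"),
]

# Indicator patterns, named so the hit tells the analyst what was used.
INDICATORS = {
    "ps_clipboard_cmdlet": re.compile(r"\b(Get|Set)-Clipboard\b", re.I),
    "dotnet_clipboard_api": re.compile(r"Windows\.Forms\.Clipboard\]::(Get|Set)(Text|Data)", re.I),
    # clip.exe as a command: at line start, after whitespace or after a pipe.
    "clip_exe": re.compile(r"(^|\s|\|)\s*clip(\.exe)?\b", re.I),
    "unix_clipboard_tool": re.compile(r"\b(xclip|xsel|pbpaste|pbcopy|wl-paste|wl-copy)\b", re.I),
}
# Clipboard content fed straight into execution is the pattern worth paging on.
EXEC_AFTER_READ = re.compile(r"\b(iex|Invoke-Expression)\b", re.I)


@dataclass(frozen=True)
class Hit:
    process: str
    parent: str
    indicator: str
    severity: str   # "high" when the command also executes what it read, else "medium"


def detect(events) -> list[Hit]:
    """Return one Hit per event that matches a clipboard indicator."""
    hits = []
    for parent, proc, cmdline in events:
        for name, pattern in INDICATORS.items():
            if pattern.search(cmdline):
                severity = "high" if EXEC_AFTER_READ.search(cmdline) else "medium"
                hits.append(Hit(proc, parent, name, severity))
                break   # first matching indicator is enough for triage
    return hits


if __name__ == "__main__":
    for h in detect(SAMPLE_EVENTS):
        print(f"{h.severity:<6} {h.indicator:<22} {h.parent} -> {h.process}")
```

The `clip_exe` pattern deliberately requires a command boundary before `clip`, so `xclip` and the word `clipboard` in an argument do not trigger it; tune the parent-process field (here unused except for reporting) if you want to add a condition such as "launched from explorer.exe".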
Hackers Impersonate Ukrainian CERT to Plant a RAT on Government, Hospital Networks
Ukraine's frontline cyber defense agency became the subject of its own investigation last week after an unknown threat actor built a convincing fake version of its website, sent emails impersonating its staff and instructed recipients across the country to download malware packaged as official security software.
https://thecyberexpress.com/hackers-impersonate-cert-ua-agewheeze-rat/
ksmbd - Exploiting CVE-2025-37947 (3/3)
This is the last of our posts about ksmbd. For the previous posts, see part 1 and part 2. Considering all discovered bugs and proof-of-concept exploits we reported, we had to select some suitable candidates for exploitation. In particular, we wanted to use something reported more recently to avoid downgrading our working environment.
https://blog.doyensec.com/2025/10/08/ksmbd-3.html
Vulnerabilities
File read flaw in Smart Slider plugin impacts 500K WordPress sites
A vulnerability in the Smart Slider 3 WordPress plugin, active on more than 800,000 websites, can be exploited to allow subscriber-level users access to arbitrary files on the server.
https://www.bleepingcomputer.com/news/security/file-read-flaw-in-smart-slider-plugin-impacts-500k-wordpress-sites/
Update now! Attacks on F5 BIG-IP Access Policy Manager observed
The US cybersecurity agency CISA warns of ongoing attacks on F5 BIG-IP Access Policy Manager.
https://heise.de/-11229172
Update! Attacks on Gambio web shops
A security vulnerability in Gambio web shops allows attackers to break into them. And malicious actors are apparently already doing so.
https://heise.de/-11229519
Video Calling Vulnerabilities in Miko Smart Kid Robots - Security Research
Miko robots have been vulnerable to exploits which can initiate video calls to the robots and get personal information from them remotely.
https://blog.mgdproductions.com/miko-robots-vulnerabilities/
LWN Security updates for Monday
https://lwn.net/Articles/1065419/