The FBI is investigating suspicious cyber activity on an internal system containing sensitive information related to surveillance operations. The bureau is assessing the scope and impact of the incident, which involves sophisticated techniques exploiting network security controls, and has confirmed the cyber incident without providing further details.
China-Linked Hackers Use Malware Trio for Telecom Espionage
A China-linked cyberespionage group, identified as UAT-9244 and linked to Famous Sparrow and Tropic Trooper, has been targeting telecommunications providers in South America since 2024 using a trio of new malware: TernDoor (Windows backdoor), PeerTime (Linux backdoor), and BruteEntry (credential brute-forcing tool). These tools are designed for persistent access, data collection, and expanding network reach, with PeerTime uniquely using the BitTorrent protocol for command and control.
OpenAI Launches Codex Security that Discover, Validate and Patch Vulnerabilities
OpenAI has launched Codex Security, an AI agent designed to discover, validate, and patch vulnerabilities in codebases, aiming to replace noisy traditional security tools. The agent builds threat models, validates findings through proof-of-concept exploits, and generates patches, demonstrating significant reductions in alert noise and false positives during its beta phase. OpenAI is also offering free access to Codex Security for qualifying open-source maintainers through the Codex for OSS program.
Anthropic Finds 22 Firefox Vulnerabilities Using Claude Opus 4.6 AI Model
Anthropic’s Claude Opus 4.6 AI model identified 22 vulnerabilities in Firefox, including 14 high-severity ones, which have been addressed in Firefox 148. The AI model also demonstrated a limited ability to create exploits, highlighting that vulnerability discovery is more cost-effective than exploit creation.
Over 100 GitHub Repositories Distributing BoryptGrab Stealer - SecurityWeek
A new information stealer named BoryptGrab is being distributed through over 100 GitHub repositories, capable of harvesting browser and cryptocurrency wallet data, system information, and user files. Some variants also deploy the TunnesshClient backdoor, which uses an SSH tunnel for command-and-control communication.
Hackers Spread Fake Red Alert Rocket Alert App to Spy on Israeli Users
Researchers have identified a malicious version of the Red Alert rocket warning app targeting Israeli Android users, disguised as an update via fake SMS messages. This spyware steals sensitive data like GPS location, SMS messages, and contact lists while appearing to function normally.
Cognizant TriZetto Data Breach Exposes Health Information of 3.4 Million Patients
A significant data breach at Cognizant TriZetto Provider Solutions has exposed the sensitive health information of over 3.4 million patients. The breach, which involved unauthorized access to external systems, went undetected for over a year, leading to the exfiltration of personal identifiers and medical data, and prompting offers of credit monitoring and identity theft protection for affected individuals.
Microsoft: Hackers abusing AI at every stage of cyberattacks
Microsoft reports that hackers are increasingly leveraging AI across all stages of cyberattacks, from reconnaissance and malware creation to post-compromise activities. Threat actors use generative AI to accelerate operations, scale malicious activity, and lower technical barriers, with examples including the creation of fake identities and the generation of malicious code.
Termite ransomware breaches linked to ClickFix CastleRAT attacks
Threat actors known as Velvet Tempest are employing the ClickFix technique alongside legitimate Windows utilities to deploy DonutLoader malware and the CastleRAT backdoor. Researchers observed these actions, noting Velvet Tempest’s history with various ransomware strains, though Termite ransomware was not deployed in this specific observed intrusion.
OpenAI Codex Security Scanned 1.2 Million Commits and Found 10,561 High-Severity Issues
OpenAI has launched Codex Security, an AI-powered agent that scanned over 1.2 million commits and identified 10,561 high-severity issues, including vulnerabilities in projects like OpenSSH and PHP. The tool builds context about a project to find complex vulnerabilities, validates them, and proposes fixes to improve system security.
GitHub - matrixleons/evilwaf: evilwaf is a penetration testing tool designed to detect and bypass common Web Application Firewalls (WAFs). · GitHub
EvilWAF is a toolkit for Web Application Firewall (WAF) testing and bypass, functioning as a transparent MITM proxy. It features TCP and TLS fingerprint rotation, Tor IP rotation, and an Origin IP Hunter to discover the real server IP behind a WAF, enabling direct bypass.
Wikipedia hit by self-propagating JavaScript worm that vandalized pages
A self-propagating JavaScript worm vandalized pages on Meta-Wiki after a dormant script was executed, temporarily halting editing across Wikimedia projects. The worm modified user scripts and pages, but the Wikimedia Foundation has since restored the content and resolved the security issue.
Hackers Allegedly Selling Exploit for Windows Remote Desktop Services 0-Day Flaw
A threat actor is allegedly selling a zero-day exploit for a Windows Remote Desktop Services vulnerability (CVE-2026-21533) for $220,000, which allows for privilege escalation to gain local administrative control. This high-severity flaw impacts numerous Windows versions and requires immediate patching and potential disabling of Remote Desktop Services if not essential.
Recent Cisco Catalyst SD-WAN Vulnerability Now Widely Exploited - SecurityWeek
A Cisco Catalyst SD-WAN vulnerability (CVE-2026-20127), initially exploited as a zero-day, is now being widely exploited by threat actors. This escalating exploitation, now internet-wide, targets systems by bypassing authentication and escalating privileges, with a significant spike observed on March 4th. Experts warn that exposed systems should be considered compromised due to the mass and opportunistic nature of these attacks.
Massive GitHub malware operation spreads BoryptGrab stealer
A massive GitHub malware operation has been discovered spreading the BoryptGrab stealer through over 100 repositories, disguised as software tools and game cheats. This stealer targets sensitive data including browser credentials, cryptocurrency wallets, system information, and user files, with evidence suggesting Russian threat actors behind the campaign.
Hackers abuse .arpa DNS and ipv6 to evade phishing defenses
Hackers are exploiting the special-use .arpa domain and IPv6 reverse DNS to bypass phishing defenses by creating A records that point to phishing sites, making them harder to detect. This method leverages trusted internet infrastructure, obscuring the malicious activity and evading traditional security measures.
This week’s cybersecurity news highlights a surge in cyberattacks across 16 countries amid the Middle East conflict, the discovery of potent iPhone spyware potentially leaked from a government client, and the FBI’s successful takedown of a major cyber forum used by hackers. Additionally, Kazakhstan is investigating a group suspected of laundering approximately $4.7 million through cryptocurrency.
LexisNexis Hack Exposes 3.9M Records Through Unpatched React Vulnerability
A LexisNexis hack exposed nearly 4 million records, including customer accounts and password hashes, due to an unpatched React vulnerability. The company stated the breach involved mostly legacy data and did not contain sensitive financial or personal identification information.
LexisNexis AWS Data Breach 2026: React2Shell Exploit Exposes Legacy Data in Cloud Hack
On March 3, 2026, LexisNexis Legal & Professional confirmed a data breach after hackers exploited the React2Shell vulnerability in an unpatched React application, gaining access to their AWS infrastructure and exfiltrating legacy data. The compromised information, dating from before 2020, included customer names and contact details, but LexisNexis states no sensitive PII or financial data was affected.
Google threat analyst warns Iran may launch wave of cyberattacks
A Google threat analyst has warned that Iran may launch a wave of cyberattacks in retaliation for recent US and Israeli air strikes, potentially targeting organizations across the Middle East and beyond. Cybersecurity researchers have already observed early indications of increased activity, with Iran-aligned hacking groups claiming disruptive operations against Israel.
Microsoft warns of ClickFix campaign exploiting Windows Terminal for Lumma Stealer
Microsoft has issued a warning about a ClickFix campaign that exploits Windows Terminal through social engineering to deploy Lumma Stealer malware. Attackers trick users into executing malicious PowerShell commands within the Terminal, leading to the installation of the stealer which targets browser credentials.
Apache ActiveMQ Allow Attackers to Trigger DoS Attacks With Malformed Packets
A medium-severity vulnerability (CVE-2025-66168) in Apache ActiveMQ allows authenticated attackers to cause a Denial-of-Service (DoS) by sending malformed network packets to the MQTT module, exploiting an integer overflow due to improper validation of the remaining length field. Affected versions include those before 5.19.2, 6.0.0 through 6.1.8, and 6.2.0, with mitigation requiring upgrades to patched versions (5.19.2, 6.1.9, or 6.2.1) or disabling the MQTT transport connector.
Microsoft working on Teams feature to keep unauthorized bots at bay - Help Net Security
Microsoft is developing a new Microsoft Teams feature to combat unauthorized bots, allowing meeting admins to identify and control third-party bots before they join meetings. This feature, set to roll out in May 2026, aims to prevent malicious bots from compromising communications and stealing data, a growing threat exacerbated by AI tools.
Iran-linked APT targets US critical sectors with new backdoors - Help Net Security
An Iran-linked APT group, known as Seedworm, has been actively targeting US critical sectors, including a bank, an airport, and a software company, since early February 2026. The group is utilizing new backdoors named Dindoor and Fakeset, with the apparent goal of espionage and data exfiltration.
Iran’s Cyber-Kinetic War Doctrine Takes Shape
Iran is integrating cyber and kinetic warfare, using hacked IP cameras for missile strike planning and battle damage assessment, indicating a new doctrine of hybrid warfare. This approach blends cyber operations with physical attacks, a strategy observed in other conflicts but now being fully embraced by Iran as a scalable and impactful military option.