Heads up: this week's issue is running a bit light and a touch later than usual. Turns out I have a hobby that occasionally demands I be somewhere other than in front of a screen. Normal service resumes next week 😜 And Happy Easter 🐰 🐣 🍫
Every few months, the supply chain gets a reminder it still isn't fixed. This week's edition came via a compromised Axios maintainer account — someone quietly pushed two malicious versions of one of the most downloaded JavaScript packages on the planet, tucked in a fake dependency, and let a cross-platform RAT do the rest. The malicious versions were caught fast — Socket's detection flagged them within minutes — but "caught fast" and "caught before damage" are not the same sentence. The audacity isn't even the impressive part anymore. What's impressive is how predictable the pattern has become: trusted account, malicious publish, postinstall dropper, rotate credentials, repeat 🔁 The pipeline is the attack surface. It always has been.
Let’s now dive into this week’s top insights! 🚀
🔓 BREACHES & SECURITY INCIDENTS
🧸 Hasbro says it was hacked and took some systems offline after detecting the intrusion on March 28. The company is using continuity plans to keep orders and shipments moving while cybersecurity teams investigate. Hasbro warns the disruption and investigation may take several weeks and it is not yet clear if data was stolen.
🇪🇺 CERT-EU says the TeamPCP group used a stolen AWS API key to breach the European Commission cloud and steal data. The leaked 90GB archive (about 340GB uncompressed) contains tens of thousands of files with names, emails, and email content affecting 42 Commission clients and at least 29 other EU entities. No websites were altered and investigations are ongoing while data protection authorities and affected entities are being notified.
🤖 Mercor, an AI recruiting startup, says it was hit by a supply-chain cyberattack tied to the open-source LiteLLM project. Extortion group Lapsus$ claimed it stole Mercor data, though details and the connection to LiteLLM remain unclear. Mercor says it is investigating with third-party forensics and working to contain the incident.
🇬🇧 Lloyds Banking Group had a software update glitch on March 12 that exposed transaction details for about 447,936 mobile users. The exposure was brief and only happened when two users viewed their transaction lists almost simultaneously. No money was lost, Lloyds fixed the issue quickly and made goodwill payments to some customers.
🇺🇸 CareCloud, a healthcare IT company, reported a March 16 cybersecurity incident that disrupted one of its six electronic health record environments for about eight hours. The company is investigating whether patient data were accessed or stolen but says the issue was limited to its CareCloud Health environment and systems are restored. CareCloud believes the incident is not materially damaging and expects cyberinsurance to cover any losses.
🇳🇱 The Dutch Finance Ministry shut down several systems, including the treasury banking portal, after a March 19 cyberattack. About 1,600 public institutions cannot view treasury balances or use portal services, though funds and payments remain accessible. Authorities are investigating with the NCSC and external experts, and no data loss or attacker has been confirmed.
🥷🏻 CYBERCRIME, CYBER ESPIONAGE, APTs
🇰🇵 💰 North Korean-linked hackers stole about $285 million from DeFi platform Drift in a coordinated, high-speed attack. They pre-signed transactions, gained admin control, created a fake token market, and drained multiple vaults in about 10 seconds. The thieves then laundered funds through thousands of wallets and automated bots across many chains.
🇷🇺 Russian APT Star Blizzard has started using the DarkSword iOS exploit kit in a recent phishing campaign. The group sent more emails than usual that link to mobile-targeted exploits for iCloud and Apple devices. Proofpoint says the kit appears aimed at stealing credentials and gathering intelligence across finance, government, education, legal, and think-tank targets.
🇺🇸 ⚖ A Maryland man, Jonathan Spalletta, is charged with stealing about $53.3 million by hacking the Uranium Finance crypto exchange … twice. He laundered the funds through Tornado Cash and spent millions on rare collectibles before authorities seized about $31 million. He faces up to 10 years for computer fraud and up to 20 years for money laundering.
🗓️ {Cyber,Info}Sec Events — A community-maintained list of infosec conferences worldwide. Subscribe to the ICS calendar feed to get events straight into your calendar, or follow @[email protected] on Mastodon for weekly digests. Contributions and ⭐ welcome!
👨🏻⚖️ 👀 GOVERNMENT, POLITICS, AND PRIVACY
🇺🇸 👀 ICE confirmed it is using Paragon spyware to target encrypted communications in fentanyl and national security investigations. Three House Democrats criticized the move, saying there is no congressional oversight or proof of strong safeguards. Civil liberties groups and past incidents involving journalists and WhatsApp raise additional concerns.
🇺🇸 🇨🇳 👀 The FBI warned Americans to avoid or be cautious with foreign-developed mobile apps, especially those from China, because of privacy and data security risks. These apps can collect extensive personal data, store it on servers in China, and may share it under Chinese national security laws. The FBI advises disabling unnecessary data sharing, updating devices, using verified apps, and reporting suspicious activity to IC3.
🍎 👮 Apple’s “Hide My Email” can mask addresses but Apple gave real customer identities to federal agents. Court records show Apple provided names, emails, and many anonymized-address records in two investigations. The case shows Apple’s privacy tools don’t block lawful government access to stored or unencrypted data.
🦠 MALWARE & THREATS
🎠 Attackers used a compromised Axios maintainer account to publish two malicious Axios versions that add a fake dependency, [email protected]. The dependency runs a postinstall dropper that installs a cross-platform RAT (macOS, Windows, Linux) and then hides its traces. Users should downgrade to safe Axios versions, remove the malicious package, check for RAT artifacts, and rotate credentials.

Figure: Socket's automated malware detection flagged the package within minutes (source: socket.dev)
🙊 A new Android malware called NoVoice was hidden in 50+ Google Play apps and infected at least 2.3 million devices. It used steganography and old exploits to gain root, persist through factory resets, and inject code to steal WhatsApp data. Infected apps were removed, but users should assume compromise and update devices or reinstall from trusted sources.
🥷 Researchers warn of a new malware campaign called DeepLoad that steals credentials and hides in enterprise systems. The attackers used AI-generated obfuscation and evasion at every stage to evade traditional signature-based defenses. Experts say defenders must shift to behavioral and runtime detection to catch these fast-changing attacks.
🛣 🩸 Security firm Blackpoint found a new Node.js implant called RoadK1ll that turns a compromised host into a relay to reach internal systems. It uses an outbound WebSocket tunnel to forward TCP traffic and supports multiple concurrent connections and reconnection. RoadK1ll has no traditional persistence but enables stealthy lateral pivoting inside breached networks.
🤖 🧰 AI, CRYPTO, TECH & TOOLS
🔓 💸 Google researchers say quantum computers could break the cryptography that protects Bitcoin and other cryptocurrencies much sooner than thought. They show a way to break 256-bit elliptic curve keys using far fewer qubits and operations, cutting resource estimates by about 20×. Google urges faster moves to post-quantum cryptography and released a zero-knowledge proof instead of the attack details.
🍎 ⚠ Apple added a Terminal safety feature in macOS Tahoe 26.4 that delays and warns when users paste potentially dangerous commands. The change aims to block ClickFix social-engineering attacks that trick people into pasting malicious commands. Users should still avoid running commands from untrusted sources because the warning’s detection method is unclear.
🐛 Researchers found a command-injection flaw in OpenAI Codex that let attackers grab short-lived GitHub OAuth tokens. BeyondTrust showed automation could steal and abuse those tokens to access repos and move across companies. OpenAI fixed the issue, but the report warns AI agents must be secured like live execution environments to prevent token theft.
🤷 Documents about Anthropic's unannounced "Claude Mythos" model were exposed in a public CMS. Anthropic confirmed the model exists and acknowledged the exposure. Reddit users debated whether the leak was accidental or a publicity stunt.
🐛 🧠 VULNERABILITIES, RESEARCH, AND THREAT INTELLIGENCE
➝ From the Patching Department:
🔼 Two critical ShareFile flaws let attackers reach admin pages and upload files without logging in. By chaining CVE-2026-2699 and CVE-2026-2701, researchers showed an attacker can place a web shell and get remote code execution. The issues were fixed in ShareFile 5.12.4 (versions 6.x are not affected).
🔓 ✏ GIGABYTE Control Center has a critical arbitrary file-write vulnerability (CVE-2026-4415) that lets unauthenticated remote attackers write files and potentially run code, escalate privileges, or cause denial of service. The flaw affects versions 25.07.21.01 and earlier when the "pairing" feature is enabled. Users should immediately update to version 25.12.10.01 from GIGABYTE’s official portal.
📈 F5 reclassified a BIG-IP APM flaw (CVE-2025-53521) from DoS to critical remote code execution after attackers began exploiting it to install webshells. F5 and CISA warn unpatched systems are at risk and published IOCs and mitigation guidance. Organizations should check logs, disks, and follow incident-handling and patching procedures immediately.
🛰️ ICS, OT & IoT
🤷
💬 CONNECT
Follow me on Mastodon for quick daily updates and bite-sized content.
Prefer using an RSS feed? Add Infosec MASHUP to your feed here.
Enjoying our newsletter? Forward it to a colleague; it's one of the best ways to support us.
Thanks for reading today’s newsletter, and if you're enjoying it and want to support my work, you can buy me a coffee ☕ over at https://www.buymeacoffee.com/0x58
See you next time!
-X.