InfoSec News 30MAR2026
General
- TeamPCP are continuing their credential-stealing rampage, this time backdooring Telnyx, which appears to be a package for phone and chat support agents. It seems they're still stealing credentials first and working out what to do with them afterwards, now adding some Command and Control (C2).
- More info-stealers distributed via 'ClickFix'. It will be interesting to see whether the new clipboard protection in macOS prevents this.
- https://www.malwarebytes.com/blog/threat-intel/2026/03/infiniti-stealer-a-new-macos-infostealer-using-clickfix-and-python-nuitka
- https://www.heise.de/en/news/Attacks-via-Terminal-Apple-prevents-command-execution-11228261.html
- https://www.reddit.com/r/MacOSBeta/comments/1rywb2x/woah_woah_the_rc_version_of_macos_tahoe_264/
- https://www.bleepingcomputer.com/news/security/new-infinity-stealer-malware-grabs-macos-data-via-clickfix-lures/
- Worth keeping an eye on: Databricks is creating a SIEM, partnering with NAB.
NAB has emerged as one of five “design partners” of a new security information and event management (SIEM) platform being built by Databricks.
...
NAB’s chief security officer Sandro Bucchianeri said the bank currently ingests “more than 30TB of security data each day”.
- https://www.itnews.com.au/news/nab-is-co-designing-a-siem-with-databricks-624651
- https://www.databricks.com/blog/building-future-security-nab-lakewatch
- https://www.databricks.com/company/newsroom/press-releases/databricks-enters-security-market-launch-lakewatch-new-open-agentic
- Someone's trying to drown network sensors with dummy addresses?
Last week, the GreyNoise Observation Grid (GOG) observed something unusual: 242,666 new scanning IPs geolocating to Hong Kong appeared in seven days — nearly half of all new scanning IPs observed by GreyNoise that week. And 99.7% of them never completed a single TCP connection.
These IPs are ghosts — they appeared in GreyNoise data but never proved they were real. Because they never completed a TCP handshake, GreyNoise cannot verify that the traffic actually originated from those addresses. They carried no payloads, triggered no detection signatures, and performed no exploitation. All they left behind were a quarter-million unverified IP addresses now sitting in observation datasets.
...
Here's why that matters: any detection system that observed this traffic and doesn't distinguish between verified and unverified source addresses just absorbed a quarter-million ghost IPs into its dataset. Meanwhile, the 702 IPs geolocating to Hong Kong that actually completed connections — the ones observed scanning MySQL, SSH, SMB, and RDP, hitting GOG sensors in 20+ countries — could easily get lost in the noise.
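The distinction GreyNoise draws above, as an added example (not GreyNoise's own code): sources that completed a TCP handshake are kept as verified scanners with the services they touched, while SYN-only sources are counted separately as unverified "ghosts". The sensor log format and addresses below are constructed for illustration.

```python
"""Separate verified scanners (completed TCP handshake) from unverified
'ghost' sources whose SYNs may be spoofed. Added example, not GreyNoise
code; the log format and IPs are constructed for illustration."""
from collections import defaultdict

# Constructed sensor events: "<ts> <src_ip> <dst_port> <event>"
# event is SYN (first packet seen) or ESTABLISHED (3-way handshake done).
SENSOR_LOG = """\
2026-03-23T10:00:01Z 203.0.113.10 3306 SYN
2026-03-23T10:00:01Z 203.0.113.10 3306 ESTABLISHED
2026-03-23T10:00:02Z 203.0.113.10 22 SYN
2026-03-23T10:00:02Z 203.0.113.10 22 ESTABLISHED
2026-03-23T10:00:03Z 198.51.100.7 445 SYN
2026-03-23T10:00:04Z 198.51.100.8 3389 SYN
2026-03-23T10:00:05Z 198.51.100.9 22 SYN
2026-03-23T10:00:06Z 203.0.113.11 3389 SYN
2026-03-23T10:00:06Z 203.0.113.11 3389 ESTABLISHED
"""

PORT_NAMES = {22: "SSH", 445: "SMB", 3306: "MySQL", 3389: "RDP"}

def parse_events(text):
    """Yield (src_ip, dst_port, event) tuples from the constructed log."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines rather than crash
        _ts, src, port, event = parts
        yield src, int(port), event

def classify_sources(text):
    """Return (verified, ghosts): verified maps IP -> set of service names it
    completed a handshake to; ghosts is the set of IPs only ever seen as SYNs."""
    syn_only = set()
    verified = defaultdict(set)
    for src, port, event in parse_events(text):
        if event == "ESTABLISHED":
            verified[src].add(PORT_NAMES.get(port, str(port)))
            syn_only.discard(src)  # a SYN seen earlier is now confirmed real
        elif src not in verified:
            syn_only.add(src)
    return dict(verified), syn_only

def ghost_ratio(text):
    """Fraction of observed source IPs that never completed a handshake."""
    verified, ghosts = classify_sources(text)
    total = len(verified) + len(ghosts)
    return len(ghosts) / total if total else 0.0
```

Feeding only the verified set into blocklists or scanner statistics keeps the unverified addresses from inflating the dataset.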
- [RU] A little unusual - Russian police have arrested a Russian citizen, suspected of creating the LeakBase forum.
- [UK] The UK is going to run a randomised trial to test whether social-media bans and restrictions for under-16s have any positive effect.
The Department for Science, Innovation and Technology (DSIT) will recruit families from across the UK and split them into four groups. Parents in the first group will be shown how to disable social media apps using parental controls to block their teenagers from using them at home. Parents in the second group will cap social media use at one hour a day. Those in the third group will prevent their offspring from using the services between 9pm and 7am. Those in the control group will carry on as before.
Getting Techy
- Watchtowr Labs have been busy again, diving into the horrors of Citrix Netscaler. Meanwhile, the UK National Cyber Security Centre (NCSC) is urging companies to patch the devices.
- https://labs.watchtowr.com/the-sequels-are-never-as-good-but-were-still-in-pain-citrix-netscaler-cve-2026-3055-memory-overread/
- https://labs.watchtowr.com/please-we-beg-just-one-weekend-free-of-appliances-citrix-netscaler-cve-2026-3055-memory-overread-part-2/
- https://www.ncsc.gov.uk/news/vulnerabilities-affecting-citrix-netscaler-adc-gateway
- Searchlight Cyber decided to pull apart the recent Magento/Adobe Commerce bug.
Geo-Politics
- Low Earth Orbit (LEO) satellites may be outside local legal reach.
A primary concern is the ownership and jurisdiction of data transmitted via LEO satellites. These systems often relay data across multiple national borders without passing through local infrastructure, so countries other than the origin may process or store the data. This cross-border transmission creates ambiguity around which national laws govern the data, complicating compliance with privacy and data protection regulations.
In many jurisdictions, national laws require telecom or internet service providers to obtain licenses and operate physical infrastructure within the country. However, LEO SATCOM operators may deliver connectivity without establishing a local presence or securing domestic licenses. This lack of physical infrastructure can exempt them from local oversight, making enforcement of national data regulations difficult.
Moreover, private satellite operators – due to their global infrastructure and operational autonomy – can exert significant control over data flows and access. This influence may exceed the regulatory capacity of individual nations, raising concerns about sovereignty and the protection of national interests.
- https://www.cyber.gov.au/business-government/secure-design/securing-space
- https://www.itnews.com.au/news/leo-satellite-operators-could-be-beyond-australian-data-laws-624583
- [CN] What could a Taiwan invasion by China look like?
A potential conflict between China and Taiwan would represent a globally significant inflection point. Drawing from the Center for Strategic and International Studies (CSIS) 2023 report The First Battle of the Next War: Wargaming a Chinese Invasion of Taiwan, this piece aims to conduct a reality check on a likely scenario of China-Taiwan conflict presented in the CSIS report, and examines the challenges and possible cyber implications of such a scenario and how organizations across sectors could be exposed, whether directly or indirectly.
- [RU] Russia is accusing the Baltic states (all former members of the USSR) of allowing their airspace to be used by Russian drones. The Baltic states deny the claims. It's likely that location jamming (e.g. GPS jamming) is causing Unmanned Aerial Vehicles (UAVs) to stray out of Russian airspace into the airspace of these Baltic states.
- [US] The FBI has confirmed a breach of Director Kash Patel's personal email account. The breach is being attributed to Iran's Ministry of Intelligence and Security (MOIS). The leak is 1.1GB on Distributed Denial of Secrets.
An FBI spokesperson told Recorded Future News that the information is “historical in nature and involves no government information,” adding that the agency has “taken all necessary steps to mitigate potential risks associated with this activity.”
...
In addition to photos, the leak includes mundane emails from 2010 and 2019 allegedly sent by and to Patel.
Privacy
- [EU] In an interesting move, the European Parliament has voted not to extend rules permitting tech companies to perform scanning of data for potential Child Sexual Abuse Material (CSAM).
Europol aren't happy.
The law, which exempts platforms from strict privacy rules so they can scan for CSAM, lapses next Friday. When it does, tech companies will no longer be able to use certain scanning tools to detect the material and turn it over to law enforcement.
...
Critics have long held that scanning for CSAM allows mass surveillance and violates Europeans’ privacy rights, an argument that apparently resonated with many lawmakers.
“This is actually just enabling big tech companies to scan all of our private messages, our most intimate details, all our private chats so it constitutes a really, really serious interference with our right to privacy,” said Ella Jakubowska, head of policy at the digital rights nonprofit eDRI.
“It's not targeted against people that are suspected of child abuse — It's just targeting everyone, potentially all of the time.”
AI
- The expected fallout from xAI's Grok image generation has started. A Dutch court has set a €100k/day fine, if Grok doesn't stop generating non-consensual sexual imagery.
Grok — which is owned by Elon Musk’s xAI — will be forced to pay damages of €100,000 ($115,000) a day if it does not comply, according to the ruling, which also said that damages of up to €10 million ($11.5 million) could be levied if xAI does not rectify the problem.
...
X has done some work to stop the spread of the nonconsensual nudes, the judge said, but added that evidence brought by the plaintiff — a nonprofit called Offlimits — suggests that it’s unclear if the changes are actually working. The platform should be subjected to fines to “ensure that the defendants actually do what they claim to be striving for,” the judge said.
...
Additionally, the court banned xAI from “producing, distributing, offering, publicly displaying and/or possessing sexual imagery in the Netherlands insofar as this involves the use of functionality whereby imagery is generated that qualifies as child pornography under Dutch law.”
- Trail of Bits have released a plugin/skill for Claude Code, to enhance bug finding. It adds 'dimensionality' comments to commands, to make programming mistakes (logic errors) more visible.
This release is targeted at programming for DeFi platforms.
Requirements
A codebase performing numeric arithmetic with mixed units, precisions, or scaling factors
Most effective for DeFi protocols (Solidity, Rust/Anchor, CosmWasm, etc.) but works with any language