TeamPCP PyPI supply chain attack 🐍, F5 BIG-IP active exploitation 🔴, European Commission AWS breach ☁️, Handala FBI email hack 📧, Railway PaaS token theft 🔑

Daily Threat Intel Digest - 2026-03-28

🔴 Critical Threats & Active Exploitation

[UPDATE] TeamPCP supply chain campaign continues with steganographic PyPI attack The prolific TeamPCP threat actor has compromised the official Telnyx Python SDK, introducing a supply chain attack that hides malicious payloads inside WAV audio files using steganography. Attackers uploaded backdoored versions 4.87.1 and 4.87.2 to PyPI; these versions execute a script that decodes data hidden in the WAV file’s audio data frames and uses it to download and decrypt malware from a remote C2 server. The payload targets Linux and macOS systems to steal SSH keys, cloud tokens, and cryptocurrency wallet data, and deploys a persistence mechanism on Windows. Notably, the malware includes specific logic to enumerate Kubernetes secrets and deploy privileged pods if a cluster is detected. This follows the group’s previous attacks on LiteLLM and Trivy and marks an escalation in its use of evasion techniques. [BleepingComputer]
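
The two concrete things a practitioner can hunt for from this item are the named bad releases and the oddity of an API SDK shipping audio files. The following is an added example (not TeamPCP, Telnyx or BleepingComputer code) that checks lockfiles and the running interpreter for both. The `KNOWN_BAD` table comes from the item; the list of audio extensions beyond `.wav`, the hypothetical lockfile excerpt, and the function names are assumptions.

```python
"""Added example: hunt for the backdoored Telnyx SDK releases named in the item
and for audio files shipped inside installed Python packages."""
import re
from importlib.metadata import distributions
from pathlib import PurePosixPath

# Known-bad pins from the item: telnyx 4.87.1 and 4.87.2 on PyPI.
KNOWN_BAD = {"telnyx": {"4.87.1", "4.87.2"}}

# Heuristic: an API SDK has no business shipping audio. Only .wav is named on
# the page; the other extensions are an assumption to widen the net.
AUDIO_EXT = {".wav", ".mp3", ".flac", ".ogg"}

_PIN_RE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*==\s*([^\s;#]+)")


def normalize(name: str) -> str:
    """PEP 503 normalisation so Telnyx, telnyx and TELNYX compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()


def check_requirements(text: str) -> list[tuple[str, str]]:
    """Return (name, version) for every `name==version` pin that is known bad.
    Accepts requirements.txt / constraints.txt style input; comments ignored."""
    hits = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0]
        m = _PIN_RE.match(line)
        if not m:
            continue
        name, ver = normalize(m.group(1)), m.group(2)
        if ver in KNOWN_BAD.get(name, ()):
            hits.append((name, ver))
    return hits


def unexpected_media(files: list[str]) -> list[str]:
    """Paths (from a distribution's RECORD or a wheel listing) with audio
    extensions. Case-insensitive so VOICE.WAV is not missed."""
    return [f for f in files if PurePosixPath(f).suffix.lower() in AUDIO_EXT]


def audit_installed() -> list[str]:
    """Live check of the current interpreter's site-packages."""
    findings = []
    for dist in distributions():
        name = normalize(dist.metadata.get("Name", "") or "")
        if dist.version in KNOWN_BAD.get(name, ()):
            findings.append(f"{name}=={dist.version} is a known backdoored release")
        paths = [str(p) for p in (dist.files or [])]
        for f in unexpected_media(paths):
            findings.append(f"{name}=={dist.version} ships audio file {f}")
    return findings


if __name__ == "__main__":
    # Constructed lockfile excerpt for the demo (not from any real project).
    sample = "requests==2.32.3\nTelnyx == 4.87.1  # pinned last week\n"
    print(check_requirements(sample))
    for line in audit_installed():
        print(line)
```

Run it inside each CI image and developer environment rather than once centrally; the lockfile check catches pins before install, while `audit_installed()` catches environments where the package was pulled in transitively or by hand.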

[NEW] European Commission confirms AWS account breach impacting public web infrastructure The European Commission has disclosed a cyberattack targeting its cloud-based infrastructure that hosts the Europa.eu platform, following the compromise of an Amazon Web Services (AWS) account. Attackers accessed systems supporting the Commission’s public-facing websites, leading to concerns over potential data exfiltration from the web infrastructure. While the attack was successfully contained without disrupting service availability, the incident highlights the risks associated with cloud credential management, as threat actors potentially leveraged credential theft or API key abuse to access the environment. The Commission confirmed that internal IT systems and sensitive operational networks remained isolated and unaffected due to effective network segmentation. [CyberPress; GBHackers]

[NEW] Critical F5 BIG-IP vulnerability added to CISA Known Exploited Vulnerabilities catalog CISA has added CVE-2025-53521, a vulnerability affecting F5 BIG-IP Access Policy Manager (APM), to its Known Exploited Vulnerabilities (KEV) catalog, confirming active exploitation. This follows the broader security advisory (AV25-669) issued late last year, which at the time reported that files had been exfiltrated but that active exploitation of the undisclosed vulnerabilities had not been confirmed. That has now changed: organizations running affected BIG-IP versions should patch immediately to prevent unauthorized access or code execution, and administrators should review F5’s published indicators of compromise (IOCs) to determine whether their networks have already been targeted. [Malware.news; CISA]

[NEW] “Open Sesame” bug allowed malicious extensions to bypass Open VSX security scans A critical “fail-open” vulnerability in the Open VSX extension registry allowed attackers to publish malicious extensions that were automatically marked as “PASSED” without undergoing security checks. Dubbed “Open Sesame,” the flaw resided in the pre-publish scanning pipeline’s boolean logic, which interpreted scanner job failures (often caused by system load) as a state in which no scanning was required. By flooding the API with uploads, attackers could exhaust the scanner’s resources, causing scan jobs to fail and extensions to go live unchecked. The issue, reported in February, has been patched, but it affects platforms such as Cursor and Windsurf that rely on Open VSX, underscoring the supply chain risks inherent in developer ecosystems. [CyberPress; GBHackers]
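
The bug class is worth seeing in code: a gate that derives “no scan needed” from the absence of a verdict lets a crashed scanner publish anything. The following is an added example, not Open VSX’s code; `ScanStatus`, `run_scanner`, the gate functions and the flood simulation are hypothetical models of the pipeline described in the item, written to show the fail-open shape beside a fail-closed rewrite.

```python
"""Added example: fail-open versus fail-closed pre-publish scan gating,
modelled on the flaw described in the item (not the real pipeline code)."""
from enum import Enum
from typing import Optional


class ScanStatus(Enum):
    CLEAN = "clean"
    MALICIOUS = "malicious"


def run_scanner(extension: bytes, overloaded: bool) -> Optional[ScanStatus]:
    """Stand-in scanner job. Under load the job dies (OOM, timeout, full
    queue) and the caller gets no verdict at all, which is the condition the
    flaw hinged on. The MALWARE marker is a toy detection for the demo."""
    if overloaded:
        return None
    return ScanStatus.MALICIOUS if b"MALWARE" in extension else ScanStatus.CLEAN


def gate_fail_open(extension: bytes, overloaded: bool,
                   scanning_enabled: bool = True) -> str:
    """Vulnerable shape. 'no verdict because the job crashed' and 'no verdict
    because scanning is off' collapse into one falsy value, so a crashed
    scanner looks like 'nothing to scan' and the upload is PASSED."""
    verdict = run_scanner(extension, overloaded) if scanning_enabled else None
    needs_review = bool(verdict) and verdict is ScanStatus.MALICIOUS
    return "REJECTED" if needs_review else "PASSED"


def gate_fail_closed(extension: bytes, overloaded: bool,
                     scanning_enabled: bool = True) -> str:
    """Hardened shape. Publication requires an explicit CLEAN verdict; the
    'scanning disabled' state is a separate, auditable branch that a crash can
    never reach; a missing verdict holds the release for retry."""
    if not scanning_enabled:
        return "PASSED_UNSCANNED"
    verdict = run_scanner(extension, overloaded)
    if verdict is ScanStatus.CLEAN:
        return "PASSED"
    if verdict is ScanStatus.MALICIOUS:
        return "REJECTED"
    return "HELD"   # requeue; alert if an upload stays HELD across retries


def simulate_flood(gate, uploads: list[bytes], capacity: int) -> dict[str, int]:
    """Model the resource-exhaustion trick: once more than `capacity` uploads
    are queued, every later scan job fails. Returns a histogram of outcomes."""
    outcomes: dict[str, int] = {}
    for i, ext in enumerate(uploads):
        status = gate(ext, overloaded=i >= capacity)
        outcomes[status] = outcomes.get(status, 0) + 1
    return outcomes


if __name__ == "__main__":
    # Constructed flood: three fillers to saturate the queue, then two payloads.
    uploads = [b"harmless filler"] * 3 + [b"MALWARE"] * 2
    print("fail-open  :", simulate_flood(gate_fail_open, uploads, capacity=3))
    print("fail-closed:", simulate_flood(gate_fail_closed, uploads, capacity=3))
```

The design point is that the publishable outcome is an allowlist of one explicit value, and every other path (including ones added later) lands in HELD by default. Alerting on a rising HELD count also turns the attacker’s flood into a detection signal instead of a bypass.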

🎯 Threat Actor Activity & Campaigns

[NEW] Pro-Iranian group Handala claims breach of FBI Director’s personal email The pro-Iranian hacktivist group Handala has claimed responsibility for compromising the personal email account of FBI Director Kash Patel, purportedly leaking documents and communications online. The FBI confirmed awareness of the targeting of Patel’s personal information but noted that the data is historical and does not involve government systems. This hack-and-leak operation appears to be a retaliatory measure following recent US law enforcement actions against the group, including domain seizures and a $10 million reward for information on Handala members. The group has recently targeted other high-profile entities, including medical device maker Stryker. [CyberScoop; Nextgov]

[NEW] Attackers abuse Railway PaaS infrastructure for M365 token theft Arctic Wolf researchers are tracking a campaign that abuses the legitimate Railway Platform-as-a-Service (PaaS) infrastructure to run Microsoft 365 phishing attacks built on the OAuth device code flow. By hosting attack components on Railway’s trusted cloud IP addresses, threat actors blend malicious traffic with legitimate network activity and evade basic security filters. The lure leads victims to complete an attacker-initiated device code sign-in; because the victim answers the MFA prompt themselves, the attacker’s polling client is issued access and refresh tokens for the account without ever being challenged, so MFA is satisfied rather than broken. This technique highlights the growing trend of attackers leveraging legitimate cloud services to proxy their operations and make detection more difficult. [Arctic Wolf]
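
Device code sign-ins are rare in most tenants and are explicitly labelled in Entra ID sign-in records, so they are cheap to triage. The following is an added example, not Arctic Wolf’s or Microsoft’s code. It reads newline-delimited sign-in records whose field names follow the Microsoft Graph `signIn` resource (`authenticationProtocol`, `ipAddress`, `userPrincipalName`, `createdDateTime`, `appDisplayName`), but the records themselves are constructed, and the corporate and PaaS address ranges are assumptions built from RFC 5737 documentation space, not Railway’s real addresses. The correlation rule (another sign-in by the same user from a different network within a short window) is the example’s own heuristic.

```python
"""Added example: triage Entra ID sign-in records for device code flow
authentications and correlate them with the user's other sign-ins."""
import ipaddress
import json
from datetime import datetime

# Assumed office/VPN egress and an assumed PaaS range (RFC 5737 placeholders).
CORP_RANGES = [ipaddress.ip_network("203.0.113.0/24")]
PAAS_RANGES = {"paas (assumed)": ipaddress.ip_network("198.51.100.0/24")}

# Constructed records in Graph signIn field shape; not real tenant data.
SAMPLE_SIGNINS = "\n".join(json.dumps(r) for r in [
    {"createdDateTime": "2026-03-27T09:02:11Z", "userPrincipalName": "alice@example.com",
     "ipAddress": "203.0.113.40", "authenticationProtocol": "oAuth2", "appDisplayName": "Outlook"},
    {"createdDateTime": "2026-03-27T09:15:43Z", "userPrincipalName": "bob@example.com",
     "ipAddress": "198.51.100.17", "authenticationProtocol": "deviceCode", "appDisplayName": "Microsoft Office"},
    {"createdDateTime": "2026-03-27T09:16:02Z", "userPrincipalName": "bob@example.com",
     "ipAddress": "203.0.113.41", "authenticationProtocol": "oAuth2", "appDisplayName": "Teams"},
    {"createdDateTime": "2026-03-27T11:40:00Z", "userPrincipalName": "carol@example.com",
     "ipAddress": "203.0.113.9", "authenticationProtocol": "deviceCode", "appDisplayName": "Azure CLI"},
])


def classify_ip(ip: str) -> str:
    """'corp', a named PaaS provider, or 'external'."""
    addr = ipaddress.ip_address(ip)
    if any(addr in net for net in CORP_RANGES):
        return "corp"
    for name, net in PAAS_RANGES.items():
        if addr in net:
            return name
    return "external"


def parse_signins(ndjson: str) -> list[dict]:
    """Parse NDJSON, attach a timezone-aware timestamp and IP class, sort by time."""
    recs = [json.loads(line) for line in ndjson.splitlines() if line.strip()]
    for r in recs:
        r["ts"] = datetime.fromisoformat(r["createdDateTime"].replace("Z", "+00:00"))
        r["ipClass"] = classify_ip(r["ipAddress"])
    return sorted(recs, key=lambda r: r["ts"])


def device_code_findings(ndjson: str, window_min: int = 15) -> list[dict]:
    """Every deviceCode sign-in, rated 'high' when it comes from outside the
    corporate network or when the same user also signed in from a different
    network within the window (user at the office while a device-code session
    is established elsewhere), otherwise 'medium' (e.g. a CLI login)."""
    recs = parse_signins(ndjson)
    findings = []
    for r in recs:
        if r.get("authenticationProtocol") != "deviceCode":
            continue
        nearby = [o for o in recs
                  if o is not r and o["userPrincipalName"] == r["userPrincipalName"]
                  and abs((o["ts"] - r["ts"]).total_seconds()) <= window_min * 60
                  and o["ipClass"] != r["ipClass"]]
        severity = "high" if (r["ipClass"] != "corp" or nearby) else "medium"
        findings.append({"user": r["userPrincipalName"], "ip": r["ipAddress"],
                         "ipClass": r["ipClass"], "app": r.get("appDisplayName"),
                         "severity": severity,
                         "correlated_ips": [o["ipAddress"] for o in nearby]})
    return findings


if __name__ == "__main__":
    for f in device_code_findings(SAMPLE_SIGNINS):
        print(f)
```

If the tenant has no legitimate device code users, the stronger control is a Conditional Access policy that blocks the flow outright; where it must stay enabled, feed the `high` findings into a revoke-sessions playbook, since the stolen refresh token remains valid until revoked.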

[NEW] Fake VS Code alerts on GitHub spread malware to developers A large-scale automated campaign is targeting GitHub repositories by posting fake security alerts in the “Discussions” section, warning of critical vulnerabilities and urging developers to download “patched” versions of VS Code extensions. These posts, often impersonating maintainers, link to malicious files hosted on Google Drive. The attack chain uses a JavaScript-based traffic distribution system to profile victims before delivering a second-stage payload. Security researchers note that the campaign has affected thousands of repositories, exploiting the trust users place in GitHub’s notification systems and the urgency surrounding security patching. [BleepingComputer]

⚠️ Vulnerabilities & Patches

[NEW] WatchGuard Fireware vulnerability requires immediate attention WatchGuard has released security updates for Firebox appliances running Fireware OS versions prior to 12.12 and 2026.2 to address a critical insecure deserialization flaw (CVE-2026-4266) in the Fireware Access Portal. The vulnerability could allow unauthenticated attackers to execute arbitrary code on affected devices. Given how commonly WatchGuard appliances sit at the network edge, administrators are advised to apply the updates immediately to prevent perimeter breaches. [Malware.news]

[NEW] Multiple vulnerabilities disclosed in FreeBSD, Siemens, and Ericsson products A batch of security advisories released this week highlights risks across networking and industrial control systems. FreeBSD versions 13.5, 14.x, and 15.0 are affected by multiple vulnerabilities including a remotely exploitable DoS (CVE-2026-4247) and a potential RCE in RPCSEC_GSS packet validation (CVE-2026-4747). Additionally, Siemens released updates for SICAM 8 products to patch multiple vulnerabilities, while Ericsson addressed security flaws in the Indoor Connect 8855 system. Organizations utilizing these specific hardware or software stacks should prioritize patching to mitigate risks of service disruption or unauthorized access. [Malware.news; Malware.news; Malware.news]

πŸ›‘οΈ Defense & Detection

[NEW] Microsoft Defender enhances protection for High-Value Assets (HVA) Microsoft has detailed new capabilities in Microsoft Defender that leverage asset context from Microsoft Security Exposure Management to provide differentiated protection for critical systems like Domain Controllers and identity infrastructure. The system applies stronger detection logic for behaviors that might appear benign on standard endpoints but indicate high-risk activity on Tier-0 assets, such as DCSync attempts or webshell drops on Exchange servers. By integrating role-based awareness, Defender can automatically disrupt attacks targeting an organization’s most sensitive assets, reducing the blast radius of potential compromises. [Microsoft Security Blog]

[NEW] Strategies for managing benign scanner noise in security operations As internet-wide scanners like Shodan, Censys, and BinaryEdge continuously probe exposed infrastructure, security teams face increasing alert noise that can obscure genuine threats. Analysts recommend adopting a classification-based approach rather than outright blocking, utilizing published IP ranges to identify and deprioritize traffic from known research scanners. This strategy allows security operations centers (SOCs) to focus resources on distinguishing between malicious reconnaissance and legitimate security research, while maintaining visibility into how their own assets are exposed to the public internet. [SOCRadar]
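
The classification approach is easy to put into a log pipeline: tag each probe with the scanner that owns the source range, keep those events as exposure telemetry, and leave only the unattributed sources for analyst triage. The following is an added example, not SOCRadar’s code. The CIDR table and firewall log lines are constructed from RFC 5737 documentation ranges; real Shodan, Censys and BinaryEdge ranges come from the vendors’ published lists and must be refreshed on a schedule. The log line format and function names are assumptions.

```python
"""Added example: classify inbound probe sources against research-scanner
ranges instead of blocking them, and separate exposure telemetry from triage."""
import ipaddress
import re
from collections import defaultdict

# Constructed placeholders; replace with the scanners' published ranges.
RESEARCH_SCANNERS = {
    "shodan (placeholder range)": ["192.0.2.0/25"],
    "censys (placeholder range)": ["198.51.100.0/26"],
    "binaryedge (placeholder range)": ["203.0.113.128/25"],
}

_NETS = [(name, ipaddress.ip_network(cidr))
         for name, cidrs in RESEARCH_SCANNERS.items() for cidr in cidrs]

# Constructed firewall-style drop log: "<ts> DROP SRC=<ip> DPT=<port> PROTO=<proto>"
SAMPLE_LOG = """\
2026-03-27T02:14:01Z DROP SRC=192.0.2.17 DPT=22 PROTO=TCP
2026-03-27T02:14:03Z DROP SRC=192.0.2.17 DPT=443 PROTO=TCP
2026-03-27T02:20:11Z DROP SRC=198.51.100.9 DPT=8443 PROTO=TCP
2026-03-27T02:31:40Z DROP SRC=203.0.113.200 DPT=3389 PROTO=TCP
2026-03-27T02:33:02Z DROP SRC=203.0.113.5 DPT=22 PROTO=TCP
2026-03-27T02:33:03Z DROP SRC=203.0.113.5 DPT=445 PROTO=TCP
2026-03-27T02:33:04Z DROP SRC=203.0.113.5 DPT=3389 PROTO=TCP
"""

_LINE_RE = re.compile(r"SRC=(?P<src>[\d.]+).*?DPT=(?P<dpt>\d+)")


def classify_source(ip: str) -> str:
    """Name of the research scanner owning `ip`, or 'unknown'."""
    addr = ipaddress.ip_address(ip)
    for name, net in _NETS:
        if addr in net:
            return name
    return "unknown"


def triage(log: str) -> dict:
    """Return {'research': {scanner: {ports}}, 'unknown': {ip: {ports}}}.
    Research traffic is retained as exposure telemetry, not alerted on;
    the 'unknown' bucket is what the analyst queue receives."""
    research: dict[str, set[int]] = defaultdict(set)
    unknown: dict[str, set[int]] = defaultdict(set)
    for line in log.splitlines():
        m = _LINE_RE.search(line)
        if not m:
            continue
        src, port = m["src"], int(m["dpt"])
        owner = classify_source(src)
        if owner == "unknown":
            unknown[src].add(port)
        else:
            research[owner].add(port)
    return {"research": dict(research), "unknown": dict(unknown)}


def exposed_ports(log: str) -> set[int]:
    """Union of ports that research scanners reached: the externally visible
    surface as the internet sees it, which is the value of not blocking them."""
    t = triage(log)
    return set().union(*t["research"].values()) if t["research"] else set()


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    print("exposed to research scanners:", sorted(exposed_ports(SAMPLE_LOG)))
    print("unattributed sources to triage:", result["unknown"])
```

A multi-port sweep from an unattributed source, like the last three lines of the sample, is the kind of event that would drown in raw scanner noise but stands out once known research ranges are tagged and routed elsewhere.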