{"id":333,"date":"2026-03-23T16:01:54","date_gmt":"2026-03-23T16:01:54","guid":{"rendered":"https:\/\/cybercolombia.co\/index.php\/2026\/03\/23\/ci-cd-backdoor-fbi-buys-location-data-whatsapp-ditches-numbers-more-cyberdefensa-mx\/"},"modified":"2026-03-23T16:01:54","modified_gmt":"2026-03-23T16:01:54","slug":"ci-cd-backdoor-fbi-buys-location-data-whatsapp-ditches-numbers-more-cyberdefensa-mx","status":"publish","type":"post","link":"https:\/\/cybercolombia.co\/index.php\/2026\/03\/23\/ci-cd-backdoor-fbi-buys-location-data-whatsapp-ditches-numbers-more-cyberdefensa-mx\/","title":{"rendered":"CI\/CD Backdoor, FBI Buys Location Data, WhatsApp Ditches Numbers &#038; More \u2013 CYBERDEFENSA.MX"},"content":{"rendered":"<div id=\"articlebody\">\n<p>Another week, another reminder that the internet is still a mess. Systems people thought were secure are being broken in simple ways, showing many still ignore basic advisories.<\/p>\n<p>This edition covers a mix of issues: supply chain attacks hitting CI\/CD setups, long-abused IoT devices being shut down, and exploits moving quickly from disclosure to real attacks. There are also new malware tricks showing attackers are becoming more patient and creative.<\/p>\n<p>It\u2019s a mix of old problems that never go away and new methods that are harder to detect. There are quiet state-backed activities, exposed data from open directories, growing mobile threats, and a steady stream of zero-days and rushed patches.<\/p>\n<p>Grab a coffee, and at least skim the CVE list. 
Some of these are the kind you don\u2019t want to discover after the damage is done.<\/p>\n<h2 style=\"text-align: left;\"><strong>\u26a1 Threat of the Week<\/strong><\/h2>\n<p><strong>Trivy Vulnerability Scanner Breached for Supply Chain Attack <\/strong>\u2014 Attackers have <a href=\"https:\/\/labs.boostsecurity.io\/articles\/20-days-later-trivy-compromise-act-ii\/\" rel=\"noopener\" target=\"_blank\">backdoored<\/a> the widely used open-source Trivy vulnerability scanner, injecting credential-stealing malware into official releases and GitHub Actions used by thousands of CI\/CD workflows. The breach has triggered a cascade of additional supply-chain compromises stemming from impacted projects and organizations not rotating their secrets, resulting in the distribution of a self-propagating worm referred to as CanisterWorm. Trivy, developed by Aqua Security, is one of the most widely used open-source vulnerability scanners, with over 32,000 GitHub stars and more than 100 million Docker Hub downloads. The Trivy compromise is the latest in a growing pattern of attacks targeting GitHub Actions and developers in general. 
GitHub <a href=\"https:\/\/github.blog\/changelog\/2025-11-07-actions-pull_request_target-and-environment-branch-protections-changes\/\" rel=\"noopener\" target=\"_blank\">changed<\/a> the default behavior of pull_request_target workflows in December 2025 to reduce the risk of exploitation.<\/p>\n<h2 style=\"text-align: left;\"><strong>\ud83d\udd14 Top News<\/strong><\/h2>\n<ul>\n<li><strong><a href=\"https:\/\/thehackernews.com\/2026\/03\/doj-disrupts-3-million-device-iot.html\" rel=\"noopener\" target=\"_blank\">DoJ Takes Down DDoS Botnets <\/a><\/strong>\u2014 A cluster of IoT botnets behind some of the largest DDoS attacks ever recorded \u2014 <a href=\"https:\/\/www.cloudflare.com\/threat-intelligence\/research\/report\/aisuru-botnet\/\" rel=\"noopener\" target=\"_blank\">AISURU<\/a>, <a href=\"https:\/\/www.cloudflare.com\/learning\/ddos\/glossary\/aisuru-kimwolf-botnet\/\" rel=\"noopener\" target=\"_blank\">Kimwolf<\/a>, JackSkid, and Mossad \u2014 were wiped as part of a broad law enforcement operation. The botnets largely spread across routers, IP cameras, and digital video recorders that are often shipped with weak credentials and rarely patched. Authorities removed the command-and-control servers used to commandeer the infected nodes. Together, operators of the four botnets had amassed more than 3 million devices and then sold access to them to other criminal hackers, who used them to target victims with DDoS attacks to knock websites and internet services offline or mask other illicit activity. Some of these DDoS attacks were aimed at U.S. Department of Defense systems and other high-value targets. No arrests were announced, but two suspects associated with AISURU\/Kimwolf are said to be based in Canada and Germany. All four botnets disrupted by the operation are variants of Mirai, which had its source code leaked in 2016 and has served as the starting point for other botnets. The U.S. 
Justice Department said some victims of the DDoS attacks lost hundreds of thousands of dollars through remediation expenses or ransom demands from hackers who would only stop overloading websites for a price.<\/li>\n<li><strong>Google Debuts New Advanced Flow for Sideloading on Android <\/strong>\u2014 Google\u2019s advanced flow for Android changes how apps from unverified developers are installed, adding friction to combat scams and malware. The feature is aimed at experienced users and allows sideloading through a one-time setup. The advanced flow adds a 24-hour delay and verification steps intended to disrupt coercive pressure and give users time to make decisions. It\u2019s designed to address scenarios where attackers pressure individuals to install unsafe software and play on the urgency of the operation to push them to bypass security warnings and disable protections before they can pause or seek help.<\/li>\n<li><strong>Critical Langflow Flaw Comes Under Attack <\/strong>\u2014 A critical security flaw impacting Langflow has come under active exploitation within 20 hours of public disclosure, highlighting the speed at which threat actors weaponize newly published vulnerabilities. The security defect, tracked as CVE-2026-33017 (CVSS score: 9.3), is a case of missing authentication combined with code injection that could result in remote code execution. Cloud security firm Sysdig said that the attacks weaponize the vulnerability to steal sensitive data from compromised systems. \u00abThe real-world proof is definitive: threat actors exploited it in the wild within 20 hours of the advisory going public, with no public PoC code available,\u00bb Aviral Srivastava, who discovered the vulnerability, told The Hacker News. \u00abThey built working exploits just from reading the advisory description. 
That\u2019s the hallmark of trivial exploitation when multiple independent attackers can weaponize a vulnerability from a description alone, within hours.\u00bb<\/li>\n<li><strong>Interlock Ransomware Exploited Cisco FMC Flaw as 0-Day <\/strong>\u2014 An Interlock ransomware campaign exploited a critical security flaw in Cisco Secure Firewall Management Center (FMC) Software as a zero-day well over a month before it was publicly disclosed. The vulnerability in question is CVE-2026-20131 (CVSS score: 10.0), a case of insecure deserialization of user-supplied Java byte stream, which could allow an unauthenticated, remote attacker to bypass authentication and execute arbitrary Java code as root on an affected device. \u00abThis wasn\u2019t just another vulnerability exploit; Interlock had a zero-day in their hands, giving them a week\u2019s head start to compromise organizations before defenders even knew to look,\u00bb Amazon, which spotted the activity, said.<\/li>\n<li><strong>Yet Another iOS Exploit Kit Comes to Light <\/strong>\u2014 A new watering hole attack against iPhone users has been found to deliver a previously undocumented iOS exploit kit codenamed DarkSword. While some of the attacks targeted users in Ukraine, the kit has also been put to use by two other clusters that singled out Saudi Arabian users in November 2025, as well as users in Turkey and Malaysia. It\u2019s worth noting that these exploits would not be effective on devices where Lockdown Mode is active or on the iPhone 17 with Memory Integrity Enforcement (MIE) enabled. The kit used a total of six exploits in iOS to deliver various malware families designed for surveillance and intelligence gathering. Apple has since addressed all of them. \u00abCompletely written in JavaScript, DarkSword comprises six vulnerabilities across two exploit chains that were patched in stages ending with iOS 26.3,\u00bb iVerify said. 
\u00abStarting in WebKit and moving down to the kernel, it achieves full iPhone compromise with elegant techniques never publicly seen before.\u00bb The discovery of DarkSword makes it the <a href=\"https:\/\/arstechnica.com\/security\/2026\/03\/hundreds-of-millions-of-iphones-can-be-hacked-with-a-new-tool-found-in-the-wild\/\" rel=\"noopener\" target=\"_blank\">second mass attack<\/a> targeting iOS devices. What\u2019s more, the Russian threat actor that deployed DarkSword demonstrated poor operational security. They left the full JavaScript code unobfuscated, unprotected, and easily accessible. The findings also point to a secondary market where such exploits are being acquired by threat actors of varied motivations to actively infect unpatched iOS users on a large scale.<\/li>\n<li><strong>Perseus Banking Malware Targets Android <\/strong>\u2014 A newly discovered Android malware is masking itself within television streaming apps in order to steal users\u2019 passwords and banking data and spy on their personal notes, researchers have found. The malware, dubbed Perseus by researchers at ThreatFabric, is being actively distributed in the wild and primarily targets users in Turkey and Italy. To infect devices, attackers disguise the malware inside apps that appear to offer IPTV services \u2014 platforms that stream television content over the internet. These apps are also widely used to stream pirated content and are often downloaded outside official marketplaces like Google Play, making users more accustomed to installing them manually and less likely to view the process as suspicious. Once installed, Perseus can monitor nearly everything a user does in real time. It uses overlay attacks \u2014 placing fake login screens over legitimate apps \u2014 and keylogging capabilities to capture credentials as they are entered. The malware\u2019s most unusual feature is its focus on personal note-taking applications. 
\u00abNotes often contain sensitive information such as passwords, recovery phrases, financial details, or private thoughts, making them a valuable target for attackers,\u00bb ThreatFabric said.<\/li>\n<\/ul>\n<h2 style=\"text-align: left;\"><strong>\ud83d\udd25 Trending CVEs<\/strong><\/h2>\n<p>New vulnerabilities show up every week, and the window between disclosure and exploitation keeps getting shorter. The flaws below are this week\u2019s most critical \u2014 high-severity, widely used software, or already drawing attention from the security community.<\/p>\n<p>Check these first, patch what applies, and don\u2019t wait on the ones marked urgent \u2014 CVE-2026-21992 (Oracle), CVE-2026-33017 (Langflow), CVE-2026-32746 (GNU InetUtils telnetd), CVE-2026-32297, CVE-2026-32298 (Angeet ES3 KVM), CVE-2026-3888 (Ubuntu), CVE-2026-20643 (Apple WebKit), <a href=\"https:\/\/kb.cert.org\/vuls\/id\/624941\" rel=\"noopener\" target=\"_blank\">CVE-2026-4276<\/a> (LibreChat RAG API), <a href=\"https:\/\/www.mdsec.co.uk\/2026\/03\/rip-regpwn\/\" rel=\"noopener\" target=\"_blank\">CVE-2026-24291<\/a> aka RegPwn (Microsoft Windows), <a href=\"https:\/\/bishopfox.com\/blog\/cve-2026-21643-pre-authentication-sql-injection-in-forticlient-ems-7-4-4\" rel=\"noopener\" target=\"_blank\">CVE-2026-21643<\/a> (Fortinet FortiClient), <a href=\"https:\/\/github.com\/kubernetes\/kubernetes\/issues\/137797\" rel=\"noopener\" target=\"_blank\">CVE-2026-3864<\/a> (Kubernetes), <a href=\"https:\/\/github.com\/angular\/angular\/security\/advisories\/GHSA-g93w-mfhg-p222\" rel=\"noopener\" target=\"_blank\">CVE-2026-32635<\/a> (Angular), <a href=\"https:\/\/hakaisecurity.io\/cve-2026-25769-rce-via-insecure-deserialization-in-wazuh-cluster-remote-command-execution-through-cluster-protocol\/research-blog\/\" rel=\"noopener\" target=\"_blank\">CVE-2026-25769<\/a> (<a href=\"https:\/\/github.com\/wazuh\/wazuh\/security\/advisories\/GHSA-3gm7-962f-fxw5\" rel=\"noopener\" 
target=\"_blank\">Wazuh<\/a>), <a href=\"https:\/\/www.connectwise.com\/company\/trust\/security-bulletins\/2026-03-17-screenconnect-bulletin\" rel=\"noopener\" target=\"_blank\">CVE-2026-3564<\/a> (ConnectWise ScreenConnect), <a href=\"https:\/\/community.ui.com\/releases\/Security-Advisory-Bulletin-062-062\/c29719c0-405e-4d4a-8f26-e343e99f931b\" rel=\"noopener\" target=\"_blank\">CVE-2026-22557, CVE-2026-22558<\/a> (Ubiquiti), <a href=\"https:\/\/depthfirst.com\/post\/the-masked-namespace-vulnerability-in-temporal-cve-2025-14986\" rel=\"noopener\" target=\"_blank\">CVE-2025-14986<\/a> (Temporal), <a href=\"https:\/\/www.rapid7.com\/blog\/post\/ve-cve-2026-31381-cve-2026-31382-gainsight-assist-information-disclosure-xss-fixed\/\" rel=\"noopener\" target=\"_blank\">CVE-2026-31381, CVE-2026-31382<\/a> (Gainsight Assist), <a href=\"https:\/\/github.com\/aquasecurity\/trivy-action\/security\/advisories\/GHSA-9p44-j4g5-cfx5\" rel=\"noopener\" target=\"_blank\">CVE-2026-26189<\/a> (Trivy), <a href=\"https:\/\/chromereleases.googleblog.com\/2026\/03\/stable-channel-update-for-desktop_18.html\" rel=\"noopener\" target=\"_blank\">CVE-2026-4439, CVE-2026-4440, CVE-2026-4441<\/a> (Google Chrome), <a href=\"https:\/\/www.jenkins.io\/security\/advisory\/2026-03-18\/\" rel=\"noopener\" target=\"_blank\">CVE-2026-33001, CVE-2026-33002<\/a> (Jenkins), <a href=\"https:\/\/confluence.atlassian.com\/security\/security-bulletin-march-17-2026-1721271371.html\" rel=\"noopener\" target=\"_blank\">CVE-2026-21570<\/a> (Atlassian Bamboo Center), and <a href=\"https:\/\/confluence.atlassian.com\/security\/security-bulletin-march-17-2026-1721271371.html\" rel=\"noopener\" target=\"_blank\">CVE-2026-21884<\/a> (Atlassian Crowd Data Center).<\/p>\n<p><strong>\ud83c\udfa5 Cybersecurity Webinars<\/strong><\/p>\n<ul>\n<li><a href=\"https:\/\/thehacker.news\/automate-testing-security-posture?source=recap\" rel=\"noopener\" target=\"_blank\">Learn How to Automate Exposure Management with OpenCTI 
&amp; OpenAEV<\/a> \u2192 Discover how to automate continuous, threat-informed testing using open-source tools like OpenCTI and OpenAEV to validate your security controls against real attacker behavior without increasing your budget. See a live demo on how to verify your security works, identify real gaps, and integrate it into your SOC workflow at no extra cost.<\/li>\n<li><a href=\"https:\/\/thehacker.news\/identity-maturity-2026?source=recap\" rel=\"noopener\" target=\"_blank\">Identity Maturity Cracking in 2026: See the New Data + How to Catch Up Fast<\/a> \u2192 Identity programs are under massive pressure in 2026 \u2013 disconnected apps, AI agents, and credential sprawl are creating real risks and audit challenges. Join this webinar for new Ponemon Institute 2026 research from over 600 leaders, showing the scale of the problem and practical steps to close gaps, reduce friction, and catch up quickly.<\/li>\n<\/ul>\n<h2 style=\"text-align: left;\"><strong>\ud83d\udcf0 Around the Cyber World<\/strong><\/h2>\n<ul>\n<li><strong>WhatsApp Tests Usernames Instead of Phone Numbers <\/strong>\u2014 WhatsApp is planning to introduce usernames and unique IDs instead of phone numbers, allowing users to send messages and make voice or video calls without sharing numbers. The optional privacy feature is expected to roll out globally by June 2026, with users and businesses able to reserve unique handles. \u00abWe\u2019re excited to bring usernames to WhatsApp in the future to help people connect with new friends, groups, and businesses without having to share their phone numbers,\u00bb the company <a href=\"https:\/\/economictimes.indiatimes.com\/tech\/technology\/whatsapp-to-introduce-usernames-by-mid-2026-allowing-messaging-without-phone-numbers\/articleshow\/129685847.cms\" rel=\"noopener\" target=\"_blank\">said<\/a> in a statement shared with The Economic Times. The feature has been under test since early January 2026. 
Signal introduced a similar feature in early 2024.<\/li>\n<li><strong>FBI Details SE Asia Scam Centers <\/strong>\u2014 The U.S. Federal Bureau of Investigation (FBI) detailed its work with Thai authorities to shut down <a href=\"https:\/\/www.secretservice.gov\/newsroom\/behind-the-shades\/2026\/01\/inside-our-nationwide-crackdown-card-skimming-and-fraud\" rel=\"noopener\" target=\"_blank\">scam centers<\/a> proliferating in Southeast Asia. The schemes, which primarily target retirees, small-business owners, and people seeking companionship, have been described as a blend of cyber fraud, money laundering, and human trafficking, causing billions of dollars in annual losses. These scam centers operate in a manner that\u2019s similar to how legitimate corporations do. \u00abRecruiters advertise high-paying jobs abroad. Workers are flown to foreign countries only to discover that the positions do not exist,\u00bb the FBI <a href=\"https:\/\/www.fbi.gov\/news\/stories\/fbi-in-thailand-working-with-partners-to-shut-down-regions-scam-centers-that-target-americans\" rel=\"noopener\" target=\"_blank\">said<\/a>. \u00abPassports are confiscated. Armed guards patrol the grounds. 
Under threat of violence, workers are forced to pose as potential romantic partners or savvy investment advisers, cultivating trust with victims over weeks or months.\u00bb Recent crackdowns in countries like Cambodia have freed thousands of workers from scam compounds, but the FBI warned that these breakthroughs can be temporary, as criminal networks always tend to relocate, rebrand, or shift tactics in response to law enforcement actions.<\/li>\n<li><strong>APT28 Exposed Server Leaks SquirrelMail XSS Payload <\/strong>\u2014 A second exposed open directory discovered on a server (\u00ab203.161.50[.]145\u00bb) associated with APT28 (aka Fancy Bear) has offered insights into the threat actor\u2019s espionage campaigns targeting government and military organizations across Ukraine, Romania, Bulgaria, Greece, Serbia, and North Macedonia. According to <a href=\"https:\/\/ctrlaltintel.com\/threat%20research\/FancyBear\/\" rel=\"noopener\" target=\"_blank\">Ctrl-Alt-Intel<\/a>, the directory contained command-and-control (C2) source code, scripts to steal emails, credentials, address books, and 2FA tokens from Roundcube mailboxes, telemetry logs, and exfiltrated data. The stolen data consists of 2,870 emails from government and military mailboxes, 244 sets of stolen credentials, 143 Sieve forwarding rules (to silently forward every incoming email to an attacker-controlled mailbox), and 11,527 contact email addresses. One of the newly identified tools is an XSS payload targeting the SquirrelMail webmail software, highlighting the threat actor\u2019s continued focus on leveraging XSS flaws to steal data from email inboxes. It\u2019s worth noting that the server was attributed to APT28 by the Computer Emergency Response Team of Ukraine (CERT-UA) as far back as September 2024. 
\u00abFancy Bear developed a modular, multi-platform exploitation toolkit where a victim simply opening a malicious email \u2013 with no further clicks \u2013 could result in their credentials stolen, their 2FA bypassed, emails within their mailbox exfiltrated, and a silent forwarding rule established that persists indefinitely,\u00bb Ctrl-Alt-Intel said.<\/li>\n<li><strong>Analysis of a Beast Ransomware Server <\/strong>\u2014 An <a href=\"https:\/\/www.team-cymru.com\/post\/beast-ransomware-server-toolkit-analysis\" rel=\"noopener\" target=\"_blank\">analysis<\/a> of an open directory on a server (\u00ab5.78.84[.]144\u00bb) associated with Beast, a ransomware-as-a-service (RaaS) that\u2019s suspected to be the successor to Monster ransomware, has uncovered the various tools used by the threat actors and the different stages of their attack lifecycle. These included Advanced IP Scanner and Advanced Port Scanner to map internal networks and find open remote desktop protocol (RDP) or server message block (SMB) ports. Also identified were programs to locate sensitive files for exfiltration and flag which servers hold the most data, as well as Mimikatz, LaZagne, and Automim (for credential harvesting), AnyDesk (for persistence), PsExec (for lateral movement), and MEGASync (for data exfiltration). Beast ransomware operations paused in November 2025 and resumed in January 2026.<\/li>\n<li><strong>GrapheneOS Opposes the Unified Attestation Initiative <\/strong>\u2014 GrapheneOS has come out strongly against <a href=\"https:\/\/uattest.net\/\" rel=\"noopener\" target=\"_blank\">Unified Attestation<\/a>, stating it \u00abserves no truly useful purpose beyond giving itself an unfair advantage while pretending it has something to do with security.\u00bb The Unified Attestation initiative is an open-source, decentralized alternative to the Google Play Integrity API to provide device and app integrity checks for custom ROMs without requiring Google Play Services. 
\u00abWe strongly oppose the Unified Attestation initiative and call for app developers supporting privacy, security, and freedom on mobile to avoid it,\u00bb GrapheneOS said. \u00abCompanies selling phones should not be deciding which operating systems people are allowed to use for apps.\u00bb<\/li>\n<li><strong>VoidStealer Uses Chrome Debugger to Steal Secrets <\/strong>\u2014 An information stealer known as VoidStealer has been observed using a novel debugger-based Application-Bound Encryption (ABE) bypass technique that leverages hardware breakpoints to extract the \u00abv20_master_key\u00bb directly from browser memory and use it to decrypt sensitive data stored in the browser. VoidStealer is a malware-as-a-service (MaaS) infostealer that began being marketed on several dark web forums in mid-December 2025. The ABE bypass technique was introduced in version 2.0 of the stealer announced on March 13, 2026. \u00abThe bypass requires neither privilege escalation nor code injection, making it a stealthier approach compared to alternative ABE bypass methods,\u00bb Gen Digital <a href=\"https:\/\/www.gendigital.com\/blog\/insights\/research\/voidstealer-abe-bypass\" rel=\"noopener\" target=\"_blank\">said<\/a>. VoidStealer is assessed to have adopted the technique from the open-source <a href=\"https:\/\/github.com\/Meckazin\/ChromeKatz\/tree\/main\/ElevationKatz\" rel=\"noopener\" target=\"_blank\">ElevationKatz<\/a> project.<\/li>\n<li><strong>FBI Says It Is Buying Americans\u2019 Location Data <\/strong>\u2014 FBI director Kash Patel admitted that the agency is buying location data that can be used to track people\u2019s movements without a warrant. 
\u00abWe do purchase commercially available information that\u2019s consistent with the Constitution and the laws under the Electronic Communications Privacy Act, and it has led to some valuable intelligence for us,\u00bb Patel <a href=\"https:\/\/www.politico.com\/news\/2026\/03\/18\/fbi-buying-data-track-people-patel-00834080\" rel=\"noopener\" target=\"_blank\">said<\/a> at a hearing before the Senate Intelligence Committee.<\/li>\n<li><strong>Iranian Botnet Exposed via Open Directory <\/strong>\u2014 An Open Directory on \u00ab185.221.239[.]162:8080\u00bb has been found to contain several payloads, including a Python-based botnet script, a compiled DDoS binary, multiple C-language denial-of-service files, and IP addresses associated with SSH credentials. \u00abA Python script called ohhhh.py reads credentials in a host:port|username|password format and opens 500 concurrent SSH sessions, compiling and launching the bot client on each host automatically,\u00bb Hunt.io <a href=\"https:\/\/hunt.io\/blog\/iran-botnet-operation-open-directory\" rel=\"noopener\" target=\"_blank\">said<\/a>. \u00abThe exposed .bash_history captured three distinct phases of work: standing up the tunnel network, building and testing DDoS tooling against live targets, and iterative botnet development across multiple script versions.\u00bb The activity has not been linked to any state-directed campaign.<\/li>\n<li><strong>OpenClaw Developers in Phishing Attack <\/strong>\u2014 OpenClaw\u2019s combination of flexibility, local control, and a fast-growing ecosystem has made it popular among developers in a very short time. 
While that unprecedented adoption speed has exposed organizations to new security risks of its own (i.e., vulnerabilities and the presence of malicious skills on ClawHub and SkillsMP), threat actors are also capitalizing on the brand name and reputation to set up fake GitHub accounts for a phishing campaign that lures unsuspecting developers with promises of free $CLAW tokens and tricks them into connecting their cryptocurrency wallet. \u00abThe threat actor creates fake GitHub accounts, opens issue threads in attacker-controlled repositories, and tags dozens of GitHub developers,\u00bb OX Security researchers Moshe Siman Tov Bustan and Nir Zadok <a href=\"https:\/\/www.ox.security\/blog\/openclaw-github-phishing-crypto-wallet-attack\/\" rel=\"noopener\" target=\"_blank\">said<\/a>. \u00abThe posts claim that recipients have won $5,000 worth of CLAW tokens and can collect them by visiting a linked site and connecting their crypto wallet.\u00bb The linked site (\u00abtoken-claw[.]xyz\u00bb) is a near-identical clone of openclaw.ai rigged with a wallet-draining \u00abConnect your wallet\u00bb button designed to conduct cryptocurrency theft.<\/li>\n<li><strong>New Campaign Targets Energy Operations Personnel in Pakistan <\/strong>\u2014 A targeted campaign against operations personnel at energy firms linked to projects in Pakistan has leveraged phishing emails mimicking invitations to the upcoming Pakistan Energy Exhibition &amp; Conference (PEEC). The messages, sent from compromised accounts from a Pakistani university and a government organization, aim to deceive victims into opening PDF attachments with a fake Adobe Acrobat Reader update prompt. Clicking the update leads to the download of a ClickOnce application resource that drops the Havoc Demon C2 framework. 
\u00abThe redirect chain was also wrapped in geofencing and browser fingerprinting, limiting access to intended targets,\u00bb Proofpoint <a href=\"https:\/\/x.com\/threatinsight\/status\/2035023649330348370\" rel=\"noopener\" target=\"_blank\">said<\/a>. \u00abThat likely reduced the exposure to automated analysis while keeping the delivery path tightly scoped.\u00bb The activity has been codenamed UNK_VaporVibes. It\u2019s assessed to share overlaps with activity publicly associated with SloppyLemming.<\/li>\n<li><strong>Over 373K Dark Web Sites Down <\/strong>\u2014 International law enforcement agencies <a href=\"https:\/\/www.europol.europa.eu\/media-press\/newsroom\/news\/global-cybercrime-crackdown-over-373-000-dark-web-sites-shut-down\" rel=\"noopener\" target=\"_blank\">announced<\/a> the takedown of one of the largest known networks of fraudulent platforms on the dark web, uncovering hundreds of thousands of fake websites used to scam users seeking child sexual abuse content. A 10-day international operation led by German authorities and supported by Europol shut down more than 373,000 dark web domains run by a 35-year-old man based in China, who had been operating a sprawling network of fraudulent platforms since at least 2021. While the sites advertised child abuse material and cybercrime-as-a-service offerings, nothing was actually delivered after victims made a payment in Bitcoin. The fraudulent scheme netted the operator an estimated \u20ac345,000 from around 10,000 people. Authorities from 23 countries participated in the operation, and have since identified 440 customers whose purchases are now under active investigation.<\/li>\n<li><strong>Malicious npm Packages Steal Secrets <\/strong>\u2014 Two malicious npm packages, sbx-mask and touch-adv, have been found to steal secrets from victims\u2019 computers. 
While one invokes the malicious code via the postinstall script, the other executes it when application code is invoked by the developer after importing it. \u00abThe evidence strongly suggests account takeover of a legitimate publisher, rather than intentional malicious activity,\u00bb Sonatype <a href=\"https:\/\/www.sonatype.com\/blog\/sonatype-discovers-two-malicious-npm-packages\" rel=\"noopener\" target=\"_blank\">said<\/a>. \u00abHijacked publisher accounts are particularly concerning as, over time, maintainers build trust with the users of their components. Attackers aim to take advantage of that trust in order to steal valuable, or profitable, information.\u00bb<\/li>\n<li><strong>China to Have Its Own Post-Quantum Cryptography in 3 Years <\/strong>\u2014 China is reportedly planning to develop its own national post-quantum cryptography standards within the next three years, according to a <a href=\"https:\/\/www.reuters.com\/world\/asia-pacific\/china-likely-have-standards-post-quantum-crytography-3-years-expert-says-2026-03-19\/\" rel=\"noopener\" target=\"_blank\">report<\/a> from Reuters. The U.S. finalized \u200bits first set of post-quantum cryptography standards in 2024 and is aiming to achieve full industry migration by 2035.<\/li>\n<li><strong>What\u2019s Next for Tycoon2FA? <\/strong>\u2014 A recent law enforcement operation dismantled the infrastructure associated with the Tycoon2FA phishing-as-a-service (PhaaS) platform. However, a new analysis from Bridewell has revealed that some of the 2FA phishing CAPTCHA pages are still live. The lingering activity, the cybersecurity company noted, stems from the fact that these pages operate on a massive network of compromised third-party sites, legitimate SaaS platforms, and thousands of disposable domains. 
\u00abOperators and affiliates are highly agile and will attempt to rebuild, migrate to new infrastructure, or pivot to competing PhaaS platforms,\u00bb it <a href=\"https:\/\/www.bridewell.com\/insights\/blogs\/detail\/the-rise-and-fall-of-tycoon-2fa-inside-the-mfa-bypassing-phishing-empire\" rel=\"noopener\" target=\"_blank\">added<\/a>. \u00abThe live CAPTCHA pages we are seeing may belong to surviving criminal affiliates attempting to keep their individual campaigns breathing on secondary proxy networks.\u00bb<\/li>\n<\/ul>\n<h2 style=\"text-align: left;\"><strong>\ud83d\udd27 Cybersecurity Tools<\/strong><\/h2>\n<ul>\n<li><a href=\"https:\/\/github.com\/BARGHEST-ngo\/MESH\" rel=\"noopener\" target=\"_blank\">MESH<\/a> \u2192 It is an open-source tool from BARGHEST that enables remote mobile forensics and network monitoring over an encrypted, peer-to-peer mesh network resistant to censorship. It connects Android\/iOS devices behind firewalls or CGNAT using a modified Tailscale-like protocol (no central servers needed), supports ADB wireless debugging, libimobiledevice, PCAP capture, and Suricata IDS\u2014allowing secure, direct access for live logical acquisitions in restricted or hostile environments.<\/li>\n<li><a href=\"https:\/\/github.com\/GreatScott\/enject\" rel=\"noopener\" target=\"_blank\">enject<\/a> \u2192 It is a lightweight Rust tool that protects .env secrets from AI assistants like Copilot or Claude. It replaces real values in your .env file with placeholders (e.g., en:\/\/api_key). Secrets stay encrypted in a per-project store (AES-256-GCM, master password protected). When you run enject run -- &lt;command&gt;, it decrypts them only in memory at runtime, then wipes them\u2014never leaving plaintext on disk. Open-source, macOS\/Linux, perfect for safe local development.<\/li>\n<\/ul>\n<p><em>Disclaimer: For research and educational use only. Not security-audited. 
Review all code before use, test in isolated environments, and ensure compliance with applicable laws.<\/em><\/p>\n<h2 style=\"text-align: left;\"><strong>Conclusion<\/strong><\/h2>\n<p>And that\u2019s the week. The real pattern isn\u2019t any one story; it\u2019s the gap. The gap between a flaw and detection. Between a patch and a deployment. Between knowing and doing. Most of this week\u2019s damage happened in that gap, and it\u2019s not new.<\/p>\n<p>Before you move on: update your mobile devices, review anything touching your CI\/CD pipeline, and don\u2019t store crypto wallet recovery phrases in notes apps.<\/p>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>Another week, another reminder that the internet is still a mess. Systems people thought were secure are being broken in simple ways, showing many still ignore basic advisories. This edition covers a mix of issues: supply chain attacks hitting CI\/CD setups, long-abused IoT devices being shut down, and exploits moving quickly from disclosure to real 
[&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[25,5],"tags":[492,1175,731,24,1177,1178,329,1176,1179,1151],"class_list":["post-333","post","type-post","status-publish","format-standard","hentry","category-noticias","category-trending","tag-backdoor","tag-buys","tag-cicd","tag-cyberdefensa-mx","tag-data","tag-ditches","tag-fbi","tag-location","tag-numbers","tag-whatsapp"],"_links":{"self":[{"href":"https:\/\/cybercolombia.co\/index.php\/wp-json\/wp\/v2\/posts\/333","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/cybercolombia.co\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybercolombia.co\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/cybercolombia.co\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/cybercolombia.co\/index.php\/wp-json\/wp\/v2\/comments?post=333"}],"version-history":[{"count":0,"href":"https:\/\/cybercolombia.co\/index.php\/wp-json\/wp\/v2\/posts\/333\/revisions"}],"wp:attachment":[{"href":"https:\/\/cybercolombia.co\/index.php\/wp-json\/wp\/v2\/media?parent=333"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybercolombia.co\/index.php\/wp-json\/wp\/v2\/categories?post=333"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybercolombia.co\/index.php\/wp-json\/wp\/v2\/tags?post=333"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}