Cyber Threat Intelligence Digest: Week 12

25th March 2026 - Threat Reports
  • Vulnerabilities
  • Potential Threats
  • General News
  • Threat Actor Weekly Graph
  • Global Trends Powered by Recorded Future
  • Prominent Information Security Events
  • Remediation Actions

Executive Summary - Highlights of Cyber Threat Intelligence Digest

Vulnerabilities

Citrix Discloses Two Vulnerabilities Affecting NetScaler ADC and NetScaler Gateway - Citrix disclosed two vulnerabilities affecting customer-managed NetScaler ADC and NetScaler Gateway deployments on 23 March 2026. There are currently no reports of active exploitation. The first, CVE-2026-3055, is an insufficient input validation flaw that can lead to a memory overflow. It affects NetScaler ADC and NetScaler Gateway deployments configured as SAML identity providers. Affected versions include NetScaler ADC and NetScaler Gateway 14.1 prior to 14.1-66.59, 13.1 prior to 13.1-62.23, and NetScaler ADC FIPS and NDcPP prior to 13.1-37.262. Citrix noted that the issue was discovered internally during routine security reviews and recommended that customers upgrade to supported fixed releases.

The second vulnerability, CVE-2026-4368, is a race condition that can result in user session mix-ups. This flaw applies to appliances configured as a Gateway, including TLS VPN, ICA Proxy, CVPN, or RDP Proxy, as well as appliances configured as an AAA virtual server. Users are advised to follow Citrix guidance to mitigate potential risks and ensure their systems are updated to secure versions.

NVIDIA Discloses CVE-2025-33244 Vulnerability in Apex Affecting PyTorch Environments - On 23 March 2026, NVIDIA disclosed a critical deserialization vulnerability, CVE-2025-33244, affecting Apex on Linux in PyTorch versions prior to 2.6. Exploitation of this flaw could allow attackers to execute arbitrary code, trigger denial-of-service (DoS) conditions, and tamper with or expose sensitive data.

NVIDIA has advised users to update to PyTorch version 2.6 or later to mitigate the issue. At present, there have been no reports of active exploitation.

Critical Path Traversal Vulnerability Affecting Mesop (CVE-2026-33054) - On 18 March 2026, GitHub user Richard To (richard-to) published an advisory on Mesop’s GitHub repository detailing CVE-2026-33054, accompanied by an alleged proof-of-concept (PoC) exploit. CVE-2026-33054 is a critical path traversal vulnerability affecting Mesop versions 1.2.2 and earlier. Mesop is a Python-based user interface (UI) framework designed to assist developers in building web applications.

Exploitation of this vulnerability allows attackers to perform arbitrary file operations on the system, including overwriting or deleting files, potentially causing application denial-of-service (DoS). In response, Mesop released version 1.2.3 to address and fix CVE-2026-33054. Sonos addressed the vulnerability by releasing version 83.1-61240 for Era300 devices.

Potential Threats

Threat Actors Exploit Claude.ai Brand and VS Code Ecosystem to Deliver Multi-Variant Information Stealer Campaign - On 17 March 2026, agentic security platform 7AI published a technical analysis of “Claude Fraud,” a multi-variant malware campaign targeting developers and security professionals via the trusted Claude.ai and Visual Studio Code (VS Code) ecosystems. Claude.ai, an AI-powered coding assistant by Anthropic, integrates into developer workflows, while VS Code is a widely used source-code editor supporting extensions. According to 7AI, the campaign has affected over 15,600 users, including two confirmed enterprise incidents, signalling active large-scale exploitation.

Claude Fraud employs different vectors depending on the operating system. On macOS, threat actors use malvertising campaigns that redirect developers to legitimate Claude.ai artifacts or fake documentation pages, instructing victims to execute Base64-encoded commands that deploy a MacSync Stealer loader. The stealer collects Keychain credentials, browser logins, session cookies, and cryptocurrency wallet keys, stages the data into ZIP archives, exfiltrates via HTTP POST, and deletes files to reduce forensic evidence. On Windows, the campaign exploits a malicious VS Code extension posing as a Claude Code plugin. In confirmed incidents, it launched PowerShell to execute remote payloads, add Windows Defender exclusions, and deploy “CrossMark2-Setup.exe,” enabling persistent, stealthy execution with in-memory techniques or AV bypass. Both vectors establish command-and-control communication with threat actor infrastructure to maintain ongoing access.

LiteLLM PyPI Supply-Chain Compromise Enables Credential Theft via Python Startup Hook - On 24 March 2026, FutureSearch reported that BerriAI's LiteLLM versions 1.82.8 and 1.82.7, published to PyPI, contained malicious code. Version 1.82.8 included a .pth file, litellm_init.pth, which executed automatically on Python startup, while 1.82.7 contained an obfuscated payload in proxy/proxy_server.py. The malware collected sensitive data, including SSH keys, cloud credentials, Kubernetes configurations, Git and Docker credentials, and database secrets, before encrypting and exfiltrating it to models[.]litellm[.]cloud. It also attempted Kubernetes post-compromise actions, such as reading cluster secrets, creating privileged pods, and establishing persistence. Any credentials in affected environments should be treated as exposed.

A GitHub issue confirmed that version 1.82.8 lacked a corresponding release and triggered recursive execution, causing fork-bomb-like crashes. Responders are advised to remove affected packages, purge caches, check for litellm_init.pth and related malicious files, and rotate exposed credentials. Investigations linked the compromise to the threat actor TeamPCP, who previously carried out the Trivy and Checkmarx KICS supply-chain attacks. The LiteLLM incident appears to stem from a maintainer account takeover, and BerriAI’s public repositories were defaced with “teampcp owns BerriAI.”

Threat Actors Backdoor Trivy GitHub Action Tags to Exfiltrate CI/CD Credentials - On 20 March 2026, Socket Security reported a supply-chain compromise of the aquasecurity/trivy-action GitHub Action, in which threat actors force-updated version tags to point to malicious commits. This caused downstream CI/CD workflows referencing affected tags to execute an infostealer. Trivy, an open-source vulnerability scanner, is widely used in CI/CD pipelines to detect security issues in software dependencies and infrastructure, with over 10,000 GitHub workflow files referencing the action, creating a large potential exposure.

According to Socket Security, the attackers obtained repository credentials and force-updated 75 of 76 version tags with malicious commits, leaving only @0.35.0 unaffected. The commits replaced entrypoint.sh with a trojanised script while leaving the rest of the repository intact. When executed in CI/CD pipelines, the script targeted GitHub Actions runner processes, harvested environment variables, SSH keys, cloud credentials, Kubernetes tokens, Git and Docker credentials, database secrets, and .env files, and collected system information such as hostname, logged-in user, OS details, and network configuration. The data was encrypted using AES-256-CBC with RSA-4096 protection and exfiltrated via HTTPS POST or, if that failed, uploaded to a public GitHub repository on the victim’s account. Temporary files were deleted to reduce forensic traces, and a normal Trivy scan was performed to avoid detection.

General News

UK pilot program to test social media restrictions on families before government decides on ban - The U.K. government will trial various social media restrictions on selected families as part of a pilot programme designed to inform decisions on a potential social media ban for some teenagers. The initiative comes amid a public consultation on possible restrictions, raising the digital age of consent, and the use of age assurance technologies. In January, Prime Minister Keir Starmer highlighted concerns that social media can contribute to anxiety and unhealthy comparison for young people.

The pilot will involve hundreds of families across all four nations of the U.K., with each group assigned a different intervention for six weeks. One group of parents will learn to use parental controls to remove or block access to certain apps, another will impose a one-hour daily limit on popular platforms such as Instagram, TikTok, and Snapchat, while a third will disable social media between 9 p.m. and 7 a.m. A fourth group will serve as a control with normal access. Interviews with parents and children before and after the pilots will examine impacts on family life, sleep, and schoolwork, as well as challenges in implementing restrictions. The Department for Science, Innovation and Technology (DSIT) will use the findings to guide potential government action, expected to be announced this summer.

US-Based Crunchyroll Investigates Data Breach Exposing 6.8 Million Users via Compromised Third-Party Support Account - On 23 March 2026, BleepingComputer reported that an unknown threat actor claimed to have accessed the US-based streaming platform Crunchyroll via its third-party customer support provider, Telus International, and exfiltrated around 8 million support ticket records, including 6.8 million unique email addresses. Crunchyroll stated it found no evidence of ongoing unauthorised access and assessed that exposure is largely limited to the support tickets.

According to reports, the threat actor allegedly gained access on 12 March 2026 by infecting a Telus International support agent’s device with malware and harvesting Okta single sign-on credentials. These were then used to access systems including Zendesk, Google Workspace Mail, Slack, Mixpanel, Jira Service Management, Wizer, and MaestroQA, and to download data. Samples shared with BleepingComputer suggest exposed information includes names, usernames, email addresses, IP addresses, general location, and support ticket contents. Some tickets may contain payment data, such as partial card numbers, expiration dates, and, in rare cases, full card numbers. Insikt Group, using Recorded Future Intelligence, found no actors claiming responsibility.

Vibe coding could reshape SaaS industry and add security risks, warns UK cyber agency - Britain’s National Cyber Security Centre (NCSC) has warned that a rise in “vibe coding” — software developed using AI tools with minimal human input — could disrupt the software-as-a-service (SaaS) industry while creating new cybersecurity risks if organisations fail to adapt. NCSC chief executive Richard Horne, speaking at the RSA Conference in San Francisco, urged security professionals to ensure AI coding tools become “a net positive for security,” noting that unchecked AI-assisted development could simply propagate insecure software. His remarks came after a sharp market sell-off in software and cloud shares in February, driven by concerns that vibe coding might reduce demand for subscription-based SaaS platforms.

The NCSC highlighted that AI-assisted development is already changing how organisations write code, making it faster and cheaper to produce bespoke software in-house, echoing the same business incentives that spurred the rise of SaaS. However, AI-generated code can be unreliable, difficult to maintain, and prone to security flaws, increasing the risk of vulnerable systems being deployed. The agency urged organisations to prioritise security by ensuring AI systems produce secure code by default, verifying model integrity, and expanding automated code review and testing. While any disruption to SaaS is expected to unfold over several years, the NCSC noted that only companies whose services are critical, regulatory-compliant, or reliant on large customer datasets may remain irreplaceable.

Threat Actor Weekly Graph

Over the past 7 days, we have been tracking the following intent and opportunity changes within our Threat Actor Landscape.

Intent represents the potential targets of a group. When a group is observed attacking a different organisation or entity, their intent will increase.

Opportunity represents the various methods and technologies these groups may use. For example, if a group started using a new attack vector, such as a new kind of ransomware, their opportunity would increase.

Both intent and opportunity are scored out of 100 and are responsible for scoring the group's severity. These updates can be seen below.

 

Limited Severity Basic Severity Moderate Severity High Severity
Threat Actor Severity Increase Opportunity Intent
RedGolf High High ● 83 ● 83 30 25
Sandworm Team High High ● 79 ● 79 30 25
ShinyHunters Moderate Moderate 49 49 74 55
UNC6395 Moderate Moderate 40 40 55 50
GreenGolf Moderate Moderate 64 60 30 30

Global Trends Powered by Recorded Future

Within each category, we have provided the current top five globally trending items. Each item is linked to how actively trending it is and is marked with a small symbol.

The spikes in references are calculated over 60 days and are normalised to ensure they aren't disproportionate when compared to bigger entities that will naturally have more baseline mentions.

- Spike – This indicates a large increase in reporting volume and a high diversity in the event descriptions.
- Rise – This indicates a small increase in reporting volume with little diversity in the descriptions.

Attackers | Methods | Vulnerabilities | Targets
Lapsus$ Group | Supply Chain Attack | CVE-2025-32975 | LiteLLM
Handala Hack Team | BitPaymer | CVE-2026-20131 | Crunchyroll
INC RANSOM | Gunra Ransomware | CVE-2025-5777 | Warner Media
ByteToBreach | Initial Access | CVE-2026-3055 | HackerOne
Dark Storm Team | Collection | CVE-2026-21992 | AstraZeneca

 

Prominent Information Security Events

LiteLLM PyPI Supply-Chain Compromise Enables Credential Theft via Python Startup Hook

Source: Insikt Group | Validated Intelligence Event

IOC: Domain - models[.]litellm[.]cloud

IOC: URL - hxxps://models[.]litellm[.]cloud/

On 24 March 2026, FutureSearch reported that BerriAI’s LiteLLM version 1.82.8, published to PyPI, contained a malicious .pth file, litellm_init.pth, which executed automatically on Python startup without requiring import litellm. Version 1.82.7 was later confirmed compromised, with its payload embedded in proxy/proxy_server.py. Both FutureSearch and Awesome Agents observed credential theft and exfiltration to models[.]litellm[.]cloud. A public GitHub issue documented the malicious .pth file in the litellm==1.82.8 package “RECORD,” and the launcher caused recursive re-execution producing fork-bomb-like crashes. Given LiteLLM’s use in developer, CI/CD, container, and cloud environments, credentials on affected systems should be considered exposed.

The payload collected extensive host and environment data, including SSH keys, cloud credentials (AWS, GCP, Azure), Kubernetes configurations, Git and Docker credentials, shell history, database secrets, and other locally stored secrets. The data was packaged into tpcp.tar.gz, encrypted with AES-256-CBC and a hard-coded RSA-4096 public key, then exfiltrated via HTTPS POST. Post-compromise activity included attempts to read Kubernetes cluster secrets, create privileged pods, and establish persistence via /root/.config/sysmon/sysmon.py and a user systemd service. Incident response teams were advised to remove affected packages, purge caches, hunt for malicious files and pods, and rotate exposed credentials.

Investigations linked the compromise to TeamPCP, responsible for previous Trivy and Checkmarx KICS supply-chain attacks. Analyses indicated the incident resulted from an account takeover of the maintainer’s PyPI or GitHub CI/CD credentials. TeamPCP reportedly disclosed that the compromise led to around half a million stolen credentials. BerriAI’s public repositories were defaced with “teampcp owns BerryAI,” confirming the threat actor’s involvement.
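
The hunt steps described above (the two affected versions, litellm_init.pth, and the sysmon.py persistence path) can be scripted per host. This is an added example, not code from FutureSearch, BerriAI or the authors of this digest; the function names are hypothetical, and flagging every other .pth file with executable import lines goes beyond the single filename in the report.

```python
"""Hunt Python environments for the LiteLLM indicators named in this digest."""
import os
import re
import site
from pathlib import Path

BAD_VERSIONS = {"1.82.7", "1.82.8"}   # compromised releases per the digest
BAD_PTH = "litellm_init.pth"          # startup hook reported in 1.82.8
PERSISTENCE = "/root/.config/sysmon/sysmon.py"  # persistence path per the digest
DIST_RE = re.compile(r"^litellm-(?P<ver>[^-]+)\.dist-info$", re.IGNORECASE)


def executable_pth_lines(pth: Path) -> list[str]:
    """Lines site.py would exec() at interpreter startup: those starting with 'import'."""
    try:
        text = pth.read_text(errors="replace")
    except OSError:
        return []
    return [ln.strip() for ln in text.splitlines()
            if ln.startswith(("import ", "import\t"))]


def scan_site_dir(site_dir: Path) -> list[tuple[str, str]]:
    """Return (finding_type, detail) pairs for one site-packages directory."""
    findings = []
    if not site_dir.is_dir():
        return findings
    for entry in sorted(site_dir.iterdir()):
        m = DIST_RE.match(entry.name)
        if m and m.group("ver") in BAD_VERSIONS:
            findings.append(("compromised-version", f"litellm {m.group('ver')} in {site_dir}"))
        if entry.suffix == ".pth" and entry.is_file():
            if entry.name == BAD_PTH:
                findings.append(("malicious-pth", str(entry)))
            elif executable_pth_lines(entry):
                # Legitimate tools also ship executable .pth lines, so triage by hand.
                findings.append(("review-executable-pth", str(entry)))
    return findings


def scan_host() -> list[tuple[str, str]]:
    """Scan this interpreter's site directories plus the reported persistence file."""
    dirs = list(getattr(site, "getsitepackages", lambda: [])())
    dirs.append(site.getusersitepackages())
    findings = [f for d in dirs for f in scan_site_dir(Path(d))]
    if os.path.exists(PERSISTENCE):
        findings.append(("persistence-file", PERSISTENCE))
    return findings


if __name__ == "__main__":
    for kind, detail in scan_host():
        print(f"{kind}\t{detail}")
```

Run it with `python -S`, or from a separate clean interpreter calling `scan_site_dir` on the suspect directory, because starting the affected interpreter normally processes the .pth file before any script code runs.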

Threat Actors Backdoor Trivy GitHub Action Tags to Exfiltrate CI/CD Credentials

Source: Insikt Group | Validated Intelligence Event

IOC: Hash - 18a24f83e807479438dcab7a1804c51a00dafc1d526698a66e0640d1e5dd671a

IOC: Domain - scan[.]aquasecurtiy[.]org

On 20 March 2026, Socket Security reported a supply-chain compromise of the aquasecurity/trivy-action GitHub Action, in which threat actors force-updated version tags to point to malicious commits. This caused downstream CI/CD workflows referencing affected tags to execute an infostealer. Trivy is an open-source vulnerability scanner widely used in CI/CD pipelines to identify security issues in software dependencies and infrastructure, with over 10,000 GitHub workflow files referencing the action, creating a substantial potential exposure.

According to Socket Security, the attackers obtained repository credentials and force-updated 75 of 76 version tags with malicious commits, leaving only @0.35.0 unaffected. The commits replaced entrypoint.sh with a trojanised script while keeping the rest of the repository aligned with the master HEAD. The attackers also used spoofed commit metadata and unsigned, poisoned tag commits. Socket noted that GitHub UI cues, such as “0 commits to master since this release,” can be misleading, and that the repository’s “Immutable” designation did not prevent the force-updating of tags.

When executed in CI/CD pipelines, the trojanised script targeted GitHub Actions runner processes, harvested environment variables, /proc artifacts, SSH keys, cloud credentials, Kubernetes tokens, Git and Docker credentials, database secrets, and .env files. It collected system information, recursively scanned for additional data, encrypted it using AES-256-CBC with RSA-4096 protection, and exfiltrated it via HTTPS POST. If exfiltration failed, the script created a public GitHub repository on the victim’s account to upload the archive. Temporary files were deleted to reduce forensic traces, and a normal Trivy scan was conducted to avoid detection.
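
Because the compromise worked by moving version tags, a workflow is exposed wherever it references the action by tag rather than by commit. The following audit is an added example, not code from Socket Security or Aqua Security; the function names and the sample workflow are constructed, and it generalises beyond trivy-action to flag any action referenced by a movable tag or branch.

```python
"""Audit GitHub Actions workflow text for action references that a tag rewrite can redirect."""
import re
from pathlib import Path

USES_RE = re.compile(
    r"^\s*(?:-\s*)?uses:\s*['\"]?([\w.-]+/[\w.-]+(?:/[\w./-]+)?)@([^\s'\"#]+)")
FULL_SHA = re.compile(r"^[0-9a-f]{40}$")
VERSION_TAG = re.compile(r"^v?\d+(?:\.\d+)+$")
TARGET = "aquasecurity/trivy-action"
UNAFFECTED_TAGS = {"0.35.0"}   # the one tag the digest reports as not force-updated


def classify(action: str, ref: str) -> str:
    if FULL_SHA.match(ref):
        return "pinned-sha"          # cannot be moved; still confirm it is a known-good commit
    if action.lower() == TARGET and VERSION_TAG.match(ref) and ref not in UNAFFECTED_TAGS:
        return "trivy-version-tag"   # review past runs and rotate secrets they could reach
    return "mutable-ref"             # tag or branch that a force-update can repoint


def audit_workflow(text: str) -> list[tuple[int, str, str, str]]:
    """Return (line_no, action, ref, verdict) for every reference not pinned to a full SHA."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)      # commented-out lines start with '#' and never match
        if m and (verdict := classify(m.group(1), m.group(2))) != "pinned-sha":
            findings.append((n, m.group(1), m.group(2), verdict))
    return findings


def audit_repo(root: Path) -> dict[str, list]:
    """Audit every workflow file under <root>/.github/workflows."""
    wf = root / ".github" / "workflows"
    files = sorted(p for p in wf.glob("*") if p.suffix in (".yml", ".yaml"))
    return {str(p): audit_workflow(p.read_text(errors="replace")) for p in files}


# Constructed workflow; the 0.1.0 tag and the 40-character SHA are made-up sample values.
SAMPLE = """\
name: scan
on: [push]
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: aquasecurity/trivy-action@0.1.0
      - name: pinned
        uses: aquasecurity/trivy-action@0123456789abcdef0123456789abcdef01234567 # sample SHA
      - uses: aquasecurity/trivy-action@0.35.0
"""

if __name__ == "__main__":
    for finding in audit_workflow(SAMPLE):
        print(*finding, sep="\t")
```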

Remediation Actions

Following the information provided above, we recommend that the technologies mentioned be fully patched and updated. We also want to highlight and recommend applying the following patches where applicable: 

  • CVE-2026-3055, CVE-2026-4368 (Citrix) – These vulnerabilities can be addressed by updating NetScaler ADC and NetScaler Gateway deployments to 14.1-66.59 or later.
  • CVE-2025-33244 (NVIDIA) – This vulnerability can be remediated by updating PyTorch to version 2.6 or later.
  • CVE-2026-33054 (Mesop) – This vulnerability can be addressed by updating Mesop to the newly released 1.2.3.

If you are currently an Acumen Cyber Vulnerability Management customer, we will be proactively performing related searching and hunting activities within your environment.