DLTA
@DLTA_Sec

283 posts

Cyber Security intelligence, assessment and consulting. Across enterprise, digital assets and AI systems. https://t.co/K3HbdtGjim

Joined August 2023
535 Following · 467 Followers
The Hacker News @TheHackersNews
⚠️ Citrix patched a critical NetScaler flaw (CVSS 9.3) enabling unauthenticated memory leaks. The issue exposes sensitive appliance data when SAML IDP is enabled, alongside a second bug that can mix user sessions in gateway or AAA setups. 🔗 Read → thehackernews.com/2026/03/citrix…
DLTA @DLTA_Sec
@SentinelOne Agentic AI security is critical for Web3 infrastructure where DeFi protocols and smart contracts operate without human oversight. Shadow AI discovery is now table stakes for crypto ops teams running unvetted AI integrations. #AISecurity #RSAC2026 #CTI
SentinelOne @SentinelOne
While others promise the "AI Security of the future," SentinelOne is making it a reality today at RSAC 2026. Unveiling our new lineup of AI Security offerings, all designed to give defenders the edge. This is the AI advantage that secures innovation and stops attacks at machine speed: - Purple AI One-Click Auto Investigation (GA): Shift from manual triage to agentic investigations and response in a single click - Prompt AI Red Teaming: Hardening homegrown AI apps before they ship—not after they’re breached. - Prompt AI Agent Security: Real-time discovery and governance for your entire agentic layer, including Shadow AI deployments. Stop waiting for the future. Get the AI advantage today. 📍 All of these AI Security offerings are on display at Booth N-5863 | AI. GA. NOW. 🔗 s1.ai/New-AISec
DLTA @DLTA_Sec
@Unit42_Intel OAuth device code phishing bypasses MFA entirely. Credentials are never entered, so traditional phishing controls don't fire. Crypto exchanges and DeFi platforms are high-value targets for long-term token access. #Phishing #IdentitySecurity #CTI
Unit 42 @Unit42_Intel
A phishing campaign is abusing an official device code OAuth flow. Instead of stealing passwords, attackers trick you into entering a verification code on the real login page to hijack OAuth tokens. This grants long-term access to email and files. Details: bit.ly/3PvgHG0
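The exchange the Unit 42 post describes, and the reason the DLTA reply says MFA is bypassed, is easier to see when the three legs of the RFC 8628 device authorization grant are played through. The following is an added example written for this page, not code from Unit 42, DLTA or any identity provider: a toy in-memory authorization server (assumed names `ToyAuthServer`, `run_phish`; assumed host `login.example.test`, assumed client id `mail-client`) that issues a device_code/user_code pair to the attacker, lets the victim approve that user_code on the genuine login page with MFA, and then hands the token to whoever holds the device_code. The `allow_device_flow` switch stands in for an IdP policy that blocks the grant type.

```python
"""
Device code phishing, simulated end to end (RFC 8628 device authorization grant).
Added example for this page; not Unit 42's or DLTA's code. The authorization
server is a toy in-memory model, not a real identity provider.
"""
import secrets
import time
from dataclasses import dataclass
from typing import Optional


@dataclass
class DeviceGrant:
    client_id: str
    scope: str
    device_code: str          # held by the device that STARTED the flow (the attacker)
    user_code: str            # short code the victim is lured into typing on the real login page
    expires_at: float
    approved_by: Optional[str] = None
    token: Optional[str] = None


class ToyAuthServer:
    """Minimal device-grant server: device_authorization, the browser-side
    verification page, and token polling."""

    def __init__(self, allow_device_flow: bool = True):
        # Stand-in for an IdP policy (e.g. a Conditional Access authentication-flows
        # rule) that refuses the device code grant for clients that do not need it.
        self.allow_device_flow = allow_device_flow
        self.grants: dict[str, DeviceGrant] = {}

    def device_authorization(self, client_id: str, scope: str) -> Optional[dict]:
        # Leg 1: the ATTACKER's machine requests a device_code / user_code pair.
        if not self.allow_device_flow:
            return None                      # policy blocks the grant before any code exists
        g = DeviceGrant(client_id, scope,
                        device_code=secrets.token_hex(16),
                        user_code=secrets.token_hex(4).upper(),   # e.g. "A1B2C3D4"
                        expires_at=time.time() + 900)
        self.grants[g.device_code] = g
        return {"device_code": g.device_code, "user_code": g.user_code,
                "verification_uri": "https://login.example.test/device",
                "expires_in": 900, "interval": 5}

    def verify_on_login_page(self, user_code: str, user: str, mfa_passed: bool) -> bool:
        # Leg 2: the VICTIM types the code into the GENUINE login page and completes
        # password + MFA there. No credential is captured, so credential-phishing
        # controls have nothing to fire on; the approval is simply bound to the
        # attacker's device_code.
        if not mfa_passed:
            return False
        for g in self.grants.values():
            if g.user_code == user_code and g.expires_at > time.time() and g.approved_by is None:
                g.approved_by = user
                g.token = "tok_" + secrets.token_hex(12)   # real IdPs issue access + refresh tokens
                return True
        return False

    def token(self, device_code: str) -> dict:
        # Leg 3: the ATTACKER polls the token endpoint with the device_code it kept.
        g = self.grants.get(device_code)
        if g is None or g.expires_at < time.time():
            return {"error": "expired_token"}
        if g.approved_by is None:
            return {"error": "authorization_pending"}
        return {"access_token": g.token, "token_type": "Bearer",
                "scope": g.scope, "subject": g.approved_by}


def run_phish(allow_device_flow: bool = True) -> dict:
    """Play the exchange through and report who ends up holding the token."""
    idp = ToyAuthServer(allow_device_flow)
    # Attacker starts the flow from their own machine, naming a legitimate public client id.
    dev = idp.device_authorization(client_id="mail-client",
                                   scope="Mail.Read Files.Read offline_access")
    if dev is None:
        return {"outcome": "blocked", "token": None}
    # Lure goes out: "your session expired, enter code <user_code> at login.example.test/device".
    assert idp.token(dev["device_code"]) == {"error": "authorization_pending"}
    # Victim obeys, on the real page, with MFA (constructed victim identity).
    idp.verify_on_login_page(dev["user_code"], user="treasury-signer@example.test", mfa_passed=True)
    result = idp.token(dev["device_code"])
    return {"outcome": "hijacked", "token": result["access_token"],
            "subject": result["subject"], "scope": result["scope"]}


if __name__ == "__main__":
    print(run_phish(allow_device_flow=True))    # attacker holds a token for the victim
    print(run_phish(allow_device_flow=False))   # grant type blocked, no code ever issued
```

The point of the simulation is in `verify_on_login_page`: MFA succeeds, on the real IdP, in the victim's own browser, yet the token is minted against the `device_code` the attacker generated. Controls that inspect the login page or the submitted password see nothing abnormal. What does work is policy and telemetry on the grant type itself: refuse the device code flow for clients that do not need it, and alert on sign-ins whose authentication protocol is the device code flow, especially from unfamiliar locations with `offline_access` in scope, since the refresh token is what gives the long-term access the post describes.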
DLTA @DLTA_Sec
@DefusedCyber CitrixBleed showed NetScaler ADC & Gateway are high-value targets in crypto and DeFi infrastructure. The CVE-2026-3055 unauthenticated attack path via SAML IDP makes this a critical priority for Web3 ops teams. #Citrix #VulnerabilityManagement #CTI
Defused @DefusedCyber
🚨 Update: Citrix just dropped a new security bulletin (CTX696300) with two fresh CVEs for NetScaler ADC & Gateway: CVE-2026-3055 - CVSS 9.3 Out-of-bounds read via insufficient input validation. Unauthenticated, network-accessible, low complexity. Requires SAML IDP configuration. Memory overread - same vulnerability class as CitrixBleed. CVE-2026-4368 - lower impact vuln also patched in the same bulletin. Tap into acute NetScaler intel before the mass exploiting starts! 👉 console.defusedcyber.com
Quoted post from Defused @DefusedCyber:
⚠️ We are observing an active exploitation campaign targeting Citrix NetScaler instances. We have observed 500+ exploit attempts of both CitrixBleeds (CVE-2025-5777 and CVE-2023-4966) against our NetScaler decoys across multiple regions: 193.24.211.86 AS215929 🇧🇬 Data Campus Limited; 173.164.73.25 AS7922 🇺🇸 Comcast Cable Communications; 91.92.243.126 AS202412 🇳🇱 Omegatech LTD; 194.31.223.238 AS215439 🇩🇪 PLAY2GO INTERNATIONAL LIMITED. Highly elevated exploit activity against older vulnerabilities can often precede a zero-day vulnerability. Monitor exploitation of edge devices like Citrix NetScaler in real time 👉 console.defusedcyber.com/signup
DLTA @DLTA_Sec
@ReversingLabs Wallet info and token exfiltration via a compromised IDE extension is a direct threat to Web3 developers and crypto operations teams. VSX supply chain attacks are now a key AADAPT initial access vector. #SupplyChainSecurity #Web3Security #CTI
DLTA @DLTA_Sec
@Dinosn Sliver is increasingly the C2 of choice in crypto-targeted intrusions post-Cobalt Strike detection maturity. Red team tooling adoption by threat actors is well documented in M-Trends 2026 AADAPT telemetry. #RedTeam #CTI #ThreatIntelligence
Nicolas Krassas @Dinosn
Every Sliver C2 Tutorial Was Outdated. So I Wrote My Own medium.com/@aviraj3868/every-sliver-c2-tutorial-was-outdated-so-i-wrote-my-own-cd47c50add3f
DLTA @DLTA_Sec
@DarkReading Targeting the FMC rather than endpoints is deliberate: compromise the management plane, blind the SOC. Web3 infrastructure operators running Cisco perimeter gear without out-of-band monitoring carry the same exposure. #Ransomware #DetectionEngineering #CTI
Dark Reading @DarkReading
Interlock Ransomware Targets Cisco Enterprise Firewalls: bit.ly/4bmllia by Alexander Culafi
Chainalysis @chainalysis
1/7 On March 22, 2026, an attacker was able to mint tens of millions of Resolv DeFi’s unbacked stablecoins (USR) and extract roughly $25 million in value, triggering a sharp de-peg and forcing the protocol to halt operations. Here's what happened 🧵
Mandiant (part of Google Cloud)
From the targeting of Tier-0 assets to the rise of high-velocity access handoffs, M-Trends 2026 Report provides a roadmap for navigating today's most complex security challenges. Read the full report: goo.gle/3NYELk9
DLTA @DLTA_Sec
@MsftSecIntel Jailbreak output is being operationalised for phishing lure generation targeting crypto executives and DeFi treasury signers. DLTA tracks adversarial AI use in Web3 social engineering campaigns aligned to MITRE AADAPT T0147. #ThreatIntelligence #CTI #Web3Security
Microsoft Threat Intelligence
Microsoft Threat Intelligence has observed threat actors actively experimenting with techniques to bypass or “jailbreak” AI safety controls. By reframing malicious requests, chaining instructions across multiple interactions, and misusing system‑ or developer‑style prompts, threat actors can coerce models into generating restricted content that bypasses built‑in safeguards. These techniques demonstrate how generative AI models are probed, shaped, and redirected to support reconnaissance, malware development, and social engineering while minimizing friction from moderation. AI guardrails have become dynamic surfaces that attackers test and manipulate to sustain operational advantage. As AI becomes more deeply embedded in enterprise workflows, understanding how attackers test and manipulate these guardrails is critical for defenders. Learn more about securing generative AI models on Azure AI Foundry: msft.it/6013Qs5oX
DLTA @DLTA_Sec
@BleepinComputer Third-party BPO access via federated SSO is the entry vector, not a secondary risk. Digital asset platforms with outsourced ops teams face the same exposure: contractor Okta tokens with production access and no session controls. #CTI #Web3Security #ThreatIntelligence
DLTA @DLTA_Sec
@feross Pinning CI/CD actions to commit SHAs rather than mutable tags eliminates this injection vector entirely. Every DeFi protocol with unpinned GitHub Actions workflows carries the same supply chain exposure. #SupplyChain #Web3Security #CTI
Feross @feross
🚨 Breaking: Trivy GitHub Actions supply chain attack – 75 out of 76 version tags compromised. If your CI/CD pipelines reference “aquasecurity/trivy-action” by version tag, you’re likely running malware right now. At Socket, we identified that an attacker force-pushed nearly every version tag in the official aquasecurity/trivy-action repository. That’s @​0.0.1 all the way through @​0.34.2. Over 10,000 GitHub workflow files reference this action. The malicious payload runs silently before the legitimate Trivy scan, so nothing looks broken. Meanwhile it’s: - Dumping runner process memory to extract secrets - Harvesting SSH keys - Exfiltrating AWS, GCP, and Azure credentials - Stealing Kubernetes service account tokens The only unaffected tag right now appears to be @​0.35.0. Socket independently detected this at 19:15 UTC and generated 182 threat feed entries tied to this campaign – all correctly classified as Backdoor, Infostealer, or Reconnaissance malware. This is the second Trivy compromise this month. Earlier in March, attackers injected code into the Aqua Trivy VS Code extension on OpenVSX to abuse local AI coding agents. The compromised tags are still active. Pin to @​0.35.0 or use a SHA reference until this is fully remediated. Full write-up: socket.dev/blog/trivy-und…
DLTA @DLTA_Sec
@zachxbt Coordinated multi-account fraud at this scale requires victim profiling before outreach. Tradecraft mirrors MITRE AADAPT social engineering TTPs. DLTA tracks attribution patterns across Web3 incident data. #Web3Security #CTI
ZachXBT @zachxbt
1/ I uncovered a coordinated network of 10+ accounts manufacturing viral panic about war and politics to drive traffic to crypto scams. Strategy: >Purchase accounts with followers >Doompost multiple times per day >Repost content from alt accounts >Promote fake giveaway or scam >Change username
DLTA @DLTA_Sec
Three separate attack chains targeting Web3 infrastructure dropped this weekend, all using the same fundamental gap: trusted tooling with privileged access and no runtime monitoring. CanisterWorm used npm packages with ICP blockchain canisters as C2 dead drops; the same TeamPCP actor backdoored Trivy to pull cloud credentials from CI/CD pipelines at the point of maximum exposure. DarkSword deployed a full iOS 18.4 exploit chain; the post-exploitation payload was Ghostblade, purpose-built to extract wallet seed phrases and exchange session tokens from mobile devices. Resolv USR lost $23M because a single compromised off-chain key could mint unbounded tokens with no on-chain rate limit, no multisig, and no automated circuit breaker to pause activity. Different vectors. Same pattern: the trusted component had privileged access, no anomaly detection, and no automated response capability. DLTA maps these control gaps to your current maturity level. The intelligence exists; the question is whether it maps to your architecture. #Web3Security #ThreatIntelligence #CTI #SupplyChain #DigitalAssets
DLTA @DLTA_Sec
Trivy is embedded in thousands of CI/CD pipelines as a trusted scanner. Compromising it gives an attacker read access to secrets and cloud credentials at the exact point they're most exposed. TeamPCP linking this to the CanisterWorm npm campaign confirms a coordinated threat actor targeting developer tooling across multiple vectors simultaneously. Pinning actions to SHA commit hashes and verifying checksums on security tooling should be standard pipeline hygiene for any team deploying to cloud infrastructure. #SupplyChain #ThreatIntelligence #DetectionEngineering
Wiz @wiz_io
🚨 Wiz Research: Trivy supply chain attack. Backdoored version + poisoned GitHub Actions exposed secrets and cloud creds. Used it March 19–20? Rotate creds, audit pipelines, pin actions to SHA. wiz.io/blog/trivy-com…
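The Feross, DLTA and Wiz posts above all give the same remediation, pin actions to a commit SHA, without showing what "pinned" looks like or how to find the workflows that are not. The following is an added example written for this page, not tooling from Socket, Wiz, Aqua or DLTA: a small scanner that walks `uses:` lines in a workflow file, flags mutable tags and abbreviated SHAs, and rewrites mutable refs from a caller-supplied tag-to-SHA map. The workflow text is constructed for the demo, and the 40-character SHA values in it are placeholders, not the real commits behind any trivy-action release; resolve real ones with `git ls-remote --tags` or the GitHub API before pinning.

```python
"""
Find GitHub Actions `uses:` references that are not pinned to a full commit SHA.
Added example for this page; not Socket's, Wiz's, Aqua's or DLTA's code.
The workflow below is constructed input; SHAs in it are placeholders.
"""
import re
from typing import NamedTuple

# `uses: owner/repo[/path]@ref`, optionally followed by a `# comment`.
# Local (./...) and docker:// references carry no '@tag' on a third-party repo and are skipped.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([\w.-]+/[\w.-]+(?:/[\w./-]+)?)@(\S+)(?:\s*#\s*(.*))?\s*$")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


class Finding(NamedTuple):
    line_no: int
    action: str
    ref: str
    reason: str


def scan_workflow(text: str) -> list[Finding]:
    """Return one Finding per `uses:` line that is not safely pinned."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        action, ref, comment = m.group(1), m.group(2), m.group(3)
        if FULL_SHA_RE.match(ref):
            if not comment:
                # Pinned, but nobody can tell which version it is without a lookup.
                findings.append(Finding(n, action, ref, "sha pinned but no version comment"))
            continue
        if re.fullmatch(r"[0-9a-f]{7,39}", ref):
            findings.append(Finding(n, action, ref, "abbreviated sha: not unique, pin the full 40-char commit"))
        else:
            # A tag or branch can be force-pushed to point at malicious code, which is
            # exactly what happened to the trivy-action version tags.
            findings.append(Finding(n, action, ref, "mutable tag/branch: can be force-pushed"))
    return findings


def pin_workflow(text: str, resolved: dict[str, str]) -> str:
    """Rewrite mutable refs using a {'owner/repo@tag': full_sha} map supplied by the
    caller (from `git ls-remote --tags` or the GitHub API). Unresolved refs are left alone;
    the original tag is kept as a trailing comment so the pin stays auditable."""
    out = []
    for line in text.splitlines():
        m = USES_RE.match(line)
        if m and not FULL_SHA_RE.match(m.group(2)):
            key = f"{m.group(1)}@{m.group(2)}"
            if key in resolved:
                new = line[: m.start(2)] + resolved[key] + f" # {m.group(2)}"
                if m.group(3):
                    new += f" ({m.group(3)})"
                line = new
        out.append(line)
    return "\n".join(out) + "\n"


# Constructed workflow for the demo (the pinned SHA is a placeholder, not a real commit).
WORKFLOW = """\
name: scan
on: [push]
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Trivy
        uses: aquasecurity/trivy-action@0.34.2
        with:
          scan-type: fs
      - uses: actions/upload-artifact@ab12cd3   # abbreviated
      - uses: ./.github/actions/local-thing
      - uses: docker://alpine:3.20
      - uses: example/pinned-action@0123456789abcdef0123456789abcdef01234567 # v1.2.3
"""


if __name__ == "__main__":
    for f in scan_workflow(WORKFLOW):
        print(f"line {f.line_no}: {f.action}@{f.ref}: {f.reason}")
    # Placeholder SHA: in practice take it from `git ls-remote --tags` on the action repo.
    print(pin_workflow(WORKFLOW, {"aquasecurity/trivy-action@0.34.2": "a" * 40}))
```

Run against a real `.github/workflows/` directory by feeding each file's text to `scan_workflow`. Pinning alone is not the whole control: a full SHA stops a force-pushed tag from reaching you, but it does nothing about a build that already ran the malicious tag, which is why the Wiz post pairs "pin actions to SHA" with rotating credentials and auditing pipelines for the window in question.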
DLTA @DLTA_Sec
Local processing for breach analysis is the correct architecture for handling sensitive credential data. Cloud-piped agentic workflows create unnecessary exposure of exactly the kind of data you're trying to protect. PwnedClaw running on a Mac Mini with no outbound data transfer is a better operational security model than most enterprise breach monitoring deployments. #DetectionEngineering #ThreatIntelligence #CTI
Troy Hunt @troyhunt
Going live with my weekly vid in 10 mins! Baydöner Breach; Aura Breach; Building PwnedClaw Agentic AI on a Mac Mini to do Data Breach Stuff youtube.com/live/WbKbDiMo_…
DLTA @DLTA_Sec
Ghostblade's wallet extraction capability via DarkSword confirms the target set: seed phrases, private keys, and exchange session tokens stored on iOS devices. This is not opportunistic malware. The exploit cost and payload specificity indicate a well-resourced threat actor targeting high-value crypto holders directly. Hardware wallets and air-gapped signing devices exist precisely because mobile operating systems are not a trusted execution environment for key material. #MobileSecurity #Web3Security #ThreatIntelligence
Cointelegraph @Cointelegraph
🚨 ALERT: Google’s threat team flags DarkSword exploit targeting iOS, enabling Ghostblade malware to extract wallet data.
DLTA @DLTA_Sec
Using ICP blockchain canisters as C2 dead drops is a significant evasion technique. On-chain C2 traffic is effectively censorship-resistant and invisible to traditional network-layer controls. TeamPCP linking CanisterWorm to the Trivy supply chain campaign confirms this is a persistent, multi-vector threat actor targeting developer tooling pipelines. Web3 dev environments are the attack surface. Any team running npm packages in CI/CD pipelines adjacent to smart contract deployment should treat this as active targeting. #SupplyChain #ThreatIntelligence #Web3Security
Socket @SocketSecurity
Update: CanisterWorm has expanded to 135 malicious artifacts across 64+ npm packages. New activity is slowing, likely due to npm intervention. @wiz_io attributes the campaign to “TeamPCP,” linked to the Trivy supply chain attacks. Campaign tracking: socket.dev/supply-chain-a…
Quoted post from Socket @SocketSecurity:
🚨 Another supply chain attack: Attackers used compromised npm publisher access to deploy a backdoor across 29 packages, with worm-like propagation via stolen tokens and payload delivery through an ICP canister. Details: socket.dev/blog/canisterw… #NodeJS
DLTA @DLTA_Sec
WebContent RCE to SB escape to kernel PE/KRW is the standard commercial iOS exploit chain architecture. The presence of post-exploit data collection targeting task ops and process injection confirms this is surveillance tooling, not a jailbreak project. The Ghostblade wallet-targeting payload documented by Cointelegraph uses the same infection vector. DarkSword is actively being deployed against crypto holders. #MobileSecurity #ThreatIntelligence #Web3Security
johnny @zeroxjf
DarkSword payloads have surfaced and appear to be a full iOS 18.4 staged chain with WebContent RCE, SB escape, a kernel PE/KRW bundle, and post-exploit logic for task ops, process injection, and data collection. Not going to publicly link the payloads. Legit researchers can DM me