Remember that F5 BIG-IP APM bug from last year everyone treated as a denial-of-service issue? Turns out it's pre-auth remote code execution - CVSS 9.3. F5 quietly reclassified it after new findings in March 2026 and confirmed exploitation in the wild. CISA added it to the KEV catalog with a March 30 patch deadline. That's tomorrow.
Attackers are scanning internet-facing Citrix NetScaler ADC and Gateway appliances right now, probing the /cgi/GetAuthMethods endpoint to find which ones are configured as SAML identity providers - the exact setup needed to trigger this CVSS 9.3 memory-leak flaw. Not full exploitation yet, but researchers at watchTowr warn the jump from recon to attack could happen any day.
A new macOS infostealer called Infinity Stealer tricks users through fake Cloudflare CAPTCHA pages - a technique called ClickFix. Victims paste a command into Terminal thinking they're verifying their identity, but it silently installs malware. The payload is compiled with Nuitka - turning Python into native macOS binaries that are much harder for security tools to detect. It steals browser credentials, Keychain data, and crypto wallets.
Attackers didn't wait for a proof-of-concept. Within 20 hours of CVE-2026-33017 being disclosed in Langflow - an open-source AI workflow builder with 145K+ GitHub stars - they built working exploits straight from the advisory. One crafted HTTP POST to the public flow endpoint is all it takes, no credentials needed. Compromised instances leak API keys for OpenAI, AWS, and connected databases.
Hackers compromised the Telnyx Python SDK on PyPI and hid malware inside .wav sound files - disguised as audio to bypass security scanners. Versions 4.87.1 and 4.87.2 were poisoned - just importing the package triggers the attack. It grabs SSH keys, cloud credentials, and can hijack Kubernetes clusters. The malicious versions were live for about 6 hours before PyPI quarantined them.
One group, four major compromises, nine days. TeamPCP started by backdooring Aqua Security's Trivy vulnerability scanner on March 19 - then used the stolen CI/CD credentials to poison LiteLLM, Checkmarx tools, and Telnyx one after another. Each compromised tool handed them the keys to the next target. They've now partnered with the Vect ransomware gang to turn stolen access into extortion.
Hackers broke into the European Commission's Amazon Web Services account and reportedly stole over 350GB of data, including databases and employee information. The breach was discovered on March 24 and affected the cloud infrastructure hosting Europa.eu websites. The Commission says its internal systems weren't impacted. The attacker isn't demanding ransom - they plan to publish the data instead.
A government-grade iPhone hacking toolkit called DarkSword was leaked on GitHub on March 23 - and researchers say it's trivially easy to use. Written entirely in HTML and JavaScript, anyone can host it and hack iPhones running iOS 18.4 through 18.7.1. It chains six vulnerabilities including three zero-days for full device takeover, stealing messages, location data, and crypto wallets. Roughly a quarter of all iPhones remain on vulnerable versions.