This Week in Cybersecurity
The week of March 25 was defined by supply chain escalation, a newly democratized iPhone hacking toolkit, and a wave of cybercrime accountability. DarkSword — an iOS exploit chain previously deployed exclusively by nation-states and commercial surveillance vendors — was published publicly on GitHub in plain HTML and JavaScript, deployable by anyone in minutes. With hundreds of millions of unpatched iPhones at risk, Apple raced out emergency patches for iOS 18.7.3 and iOS 26.3.
The Trivy supply chain attack by TeamPCP entered a dangerous second phase: malicious Docker Hub images for versions 0.69.4–0.69.6 were pushed without corresponding releases, and CanisterWorm — the first malware to use Internet Computer Protocol smart contracts as an untakedownable C2 channel — spread to 47 npm packages, self-propagating through stolen publish tokens harvested from compromised CI/CD environments.
On the vulnerability front, PTC issued a P0 emergency notice over CVE-2026-4681, a CVSS 10.0 deserialization flaw in Windchill and FlexPLM actively threatened by imminent exploitation. Germany's federal police mobilized officers nationwide to personally notify affected organizations. And in back-to-back DOJ actions, two Russian cybercriminals were sentenced — one for running the TA551 botnet that seeded BitPaymer ransomware into 72 U.S. companies, another for brokering initial access to the Yanluowang ransomware group.
Data breach disclosures continued at pace: QualDerm Partners notified 3.1 million patients that medical records, diagnoses, and insurance data were stolen on Christmas Eve 2025.
Top Stories
DarkSword iOS Exploit Chain Leaks on GitHub — Hundreds of Millions of iPhones Exposed
A six-vulnerability iOS exploit chain called DarkSword — previously used only by nation-states and commercial surveillance vendors — was published on GitHub, written in plain HTML and JavaScript with no compiled binaries or complex toolchains required. Researchers warn any operator can be ready to exploit vulnerable iPhones in "a couple of minutes to hours."
DarkSword targets iPhones running iOS 18.4 through 18.7, delivering the Ghostblade infostealer payload via a single drive-by website visit with no user interaction beyond clicking a link. Once installed, Ghostblade exfiltrates SMS and iMessage history, iOS keychain passwords, GPS location, photos, iCloud files, and crypto wallet apps including Coinbase, Binance, Ledger, and MetaMask. Previously deployed by suspected Russian state actor UNC6353 and customers of Turkish surveillance vendor PARS Defense in campaigns targeting Saudi Arabia, Turkey, Malaysia, and Ukraine — this chain is now within reach of opportunistic attackers globally.
Apple issued emergency patches: iOS 26.3 (full fix for supported devices) and iOS 18.7.3 (older hardware). Update immediately. High-value targets should also enable Lockdown Mode, which blocks the attack chain even on unpatched devices.
Trivy Supply Chain Attack Escalates: CanisterWorm Deploys Blockchain C2, Docker Hub Poisoned
The Trivy supply chain breach by TeamPCP expanded dramatically this week beyond GitHub Actions into a multi-vector attack. Three malicious Docker Hub images — versions 0.69.4, 0.69.5, and 0.69.6 — were pushed without corresponding GitHub releases, embedding the TeamPCP Cloud Stealer infostealer that exfiltrates cloud credentials, SSH keys, kubeconfigs, Docker registry tokens, and npm publish tokens from any pipeline that ran them.
Using credentials harvested from compromised CI/CD environments, TeamPCP deployed CanisterWorm — a self-propagating npm worm marking an unsettling first: its C2 infrastructure is stored in an Internet Computer Protocol (ICP) blockchain smart contract, making it resistant to conventional hosting takedowns. The worm spreads by stealing npm publish tokens and republishing infected versions of packages the victim has write access to — a cascading compromise across 47 confirmed packages with hundreds of thousands of potential downstream installs. A Kubernetes wiper component leveraged stolen kubeconfigs to delete cluster resources, and 44 Aqua Security GitHub repositories were defaced in a scripted 2-minute burst. Pin Trivy to version 0.69.3 or earlier and rotate all credentials that passed through affected pipelines immediately.
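A quick way to act on the pin-to-0.69.3 advice above is to sweep pipeline definitions for references to the poisoned image tags. The checker below is an added example, not Aqua Security's or this newsletter's code; the affected range comes from the text, the registry/namespace prefixes in the sample are assumptions, and floating tags such as `latest` are reported as unknown rather than trusted.

```python
import re
from typing import List, Optional, Tuple

# Docker Hub tags the newsletter says were pushed without a matching GitHub
# release. Anything inside this closed range is treated as compromised.
AFFECTED_LOW = (0, 69, 4)
AFFECTED_HIGH = (0, 69, 6)

# Matches "<registry>/<namespace>/trivy:<tag>" anywhere in a line.
IMAGE_RE = re.compile(r"(?:[\w.\-]+/)*trivy:(?P<tag>[\w.\-]+)")


def parse_version(tag: str) -> Optional[Tuple[int, int, int]]:
    """'v0.69.5' -> (0, 69, 5); None for tags that are not a plain version."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)", tag)
    return (int(m[1]), int(m[2]), int(m[3])) if m else None


def classify_tag(tag: str) -> str:
    """'affected' inside the poisoned range, 'safe' for a version outside it,
    'unknown' for floating tags (latest, branch names) that must be resolved
    to a digest before they can be trusted."""
    v = parse_version(tag)
    if v is None:
        return "unknown"
    return "affected" if AFFECTED_LOW <= v <= AFFECTED_HIGH else "safe"


def scan_lines(lines: List[str]) -> List[Tuple[int, str, str]]:
    """Return (line_no, image_ref, verdict) for every Trivy image reference."""
    findings = []
    for no, line in enumerate(lines, 1):
        for m in IMAGE_RE.finditer(line):
            findings.append((no, m.group(0), classify_tag(m.group("tag"))))
    return findings


# Constructed sample pipeline fragments (assumed registry paths, not a real repo).
SAMPLE_CI = """\
    image: aquasec/trivy:0.69.5
    image: ghcr.io/aquasecurity/trivy:v0.69.3
    image: aquasec/trivy:latest
FROM aquasec/trivy:0.69.6 AS scanner
""".splitlines()

if __name__ == "__main__":
    for no, ref, verdict in scan_lines(SAMPLE_CI):
        print(f"line {no}: {ref} -> {verdict}")
```

Run it over `git grep -n trivy:` output from every repository that builds with Trivy; an `affected` or `unknown` hit is a runner whose credentials should be rotated per the advice above.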
PTC Windchill and FlexPLM Face CVSS 10.0 RCE — German Federal Police Mobilized Nationwide
PTC issued an emergency advisory warning of credible evidence of imminent exploitation of CVE-2026-4681 — a perfect-score CVSS 10.0 deserialization vulnerability in Windchill PDMLink and FlexPLM that allows unauthenticated remote code execution with no credentials required. In an extraordinary response that underscores the severity, Germany's Bundeskriminalamt (BKA) dispatched officers nationwide over the weekend to personally alert organizations, including contacting system administrators in early morning hours and briefing state criminal investigation offices.
Windchill and FlexPLM are used by manufacturers, aerospace, defence, automotive, and life sciences organizations to manage product lifecycle and design data — making them high-value targets for both ransomware operators and state-sponsored espionage. Webshell artefacts to look for include GW.class, payload.bin, and dpr_<random>.jsp files. PTC Cloud customers have already been protected; self-hosted deployments must apply the Apache/IIS servlet path restriction rule immediately or take affected instances offline. A full patch is under active development.
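The artefact names above are enough to build a simple sweep of a Windchill or FlexPLM host's web directories. This scanner is an added example, not PTC's tooling; the indicator names come from the advisory text as quoted here, `dpr_<random>.jsp` is expressed as a pattern, and the directory tree it scans is constructed in a temporary folder purely to demonstrate the matching.

```python
import os
import re
import tempfile
from typing import List

# Exact file names and the dpr_<random>.jsp pattern named in the advisory.
EXACT_NAMES = {"GW.class", "payload.bin"}
PATTERN_NAMES = [re.compile(r"^dpr_[A-Za-z0-9_\-]+\.jsp$")]


def is_artefact(name: str) -> bool:
    """True if a file name matches one of the listed webshell indicators."""
    return name in EXACT_NAMES or any(p.match(name) for p in PATTERN_NAMES)


def find_artefacts(root: str) -> List[str]:
    """Walk root and return sorted, root-relative paths of matching files."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for f in files:
            if is_artefact(f):
                rel = os.path.relpath(os.path.join(dirpath, f), root)
                hits.append(rel.replace(os.sep, "/"))
    return sorted(hits)


def demo() -> List[str]:
    """Build a constructed sample tree (not a real deployment) and scan it."""
    with tempfile.TemporaryDirectory() as root:
        for rel in ["webapps/app/dpr_k3x9q.jsp", "webapps/app/index.jsp",
                    "tmp/payload.bin", "classes/GW.class", "classes/GWx.class"]:
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            open(path, "w").close()
        return find_artefacts(root)


if __name__ == "__main__":
    for hit in demo():
        print("suspicious artefact:", hit)
```

On a real host, point `find_artefacts` at the servlet container's document and class roots and preserve any hit (with timestamps) before cleaning, since a match means the workaround may have been applied too late.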
Two Russian Cybercriminals Sentenced in Back-to-Back DOJ Actions
U.S. courts handed down two cybercrime sentences on consecutive days in a coordinated prosecutorial push targeting the infrastructure layer that enables ransomware attacks — not just the ransomware operators themselves.
Ilya Angelov was sentenced to 24 months for co-managing the TA551 (Mario Kart) botnet, which at its peak sent 700,000 phishing emails per day, infected approximately 3,000 computers daily, and sold access to BitPaymer ransomware operators who struck 72 U.S. companies across 31 states between 2017 and 2021. The sentence came with a $100,000 fine and $1.6 million money judgment. One day earlier, Aleksei Volkov received 81 months for serving as an initial access broker supplying compromised network credentials to the Yanluowang ransomware group. By targeting botnet operators and access brokers — the supply chain beneath ransomware — the DOJ is raising costs for the entire ecosystem.
QualDerm Partners: 3.1 Million Patient Records Stolen in Christmas Eve Breach
Tennessee-based dermatology management company QualDerm Partners — which provides IT, operations, and insurance support to 158 practices across 17 states — disclosed that an attacker gained access to its systems on December 23–24, 2025 and exfiltrated the records of 3,117,874 patients. Stolen data includes full names, dates of birth, doctor names, medical record numbers, diagnoses, treatment details, health insurance information, and for a subset of patients, government-issued ID numbers.
The combination of detailed PHI with personal identifiers creates elevated risk for medical identity theft, fraudulent insurance claims, and targeted phishing campaigns impersonating healthcare providers. Affected patients began receiving breach notification letters in late February — approximately two months after the incident — a timeline multiple law firms are scrutinizing against HIPAA's 60-day notification requirement. QualDerm is offering complimentary credit monitoring and identity theft protection to all affected individuals.
Security Corner
10 new CVEs published to the Security Advisories section this week — two rated Critical, the remainder High. Key advisories below.
CVE-2025-54068 — Laravel Livewire v3 Unauthenticated RCE (CVSS 9.8 Critical) — CISA KEV — Actively Exploited
Unauthenticated remote code execution via a hydration checkpoint bypass in Livewire v3.0.0-beta.1 through v3.6.3. The public Livepyre exploit tool works without any knowledge of the application's APP_KEY, targeting all 130,000+ internet-facing Livewire v3 applications. Upgrade to v3.6.4 immediately and rotate APP_KEY if it may have ever been exposed — a separate design-level RCE path tied to the APP_KEY remains unpatched.
CVE-2025-43510 — Apple Multiple Products Improper Locking (CVSS 7.8 High) — CISA KEV — Actively Exploited
Actively exploited improper locking flaw across watchOS, iOS, iPadOS, macOS, visionOS, and tvOS. A malicious app can corrupt shared memory between processes, potentially enabling privilege escalation without root privileges. Added to CISA KEV on March 20, 2026 with a mandatory April 3 FCEB remediation deadline. Apply all pending Apple OS updates immediately.
CVE-2026-4599 — jsrsasign DSA Private Key Recovery via Nonce Bias (CVSS 9.1 Critical)
Biased nonce generation in jsrsasign v7.0.0–11.1.0 allows an attacker observing multiple DSA signatures to recover the signer's private key via lattice cryptanalysis. If you use jsrsasign for DSA signing, upgrade to v11.1.1 immediately and treat any previously used DSA key pairs as potentially compromised — rotate all affected certificates and tokens.
CVE-2026-27651 — NGINX Mail Module NULL Pointer Dereference (CVSS 7.5 High)
NULL pointer dereference in ngx_mail_auth_http_module causes worker process crashes under CRAM-MD5/APOP authentication when the upstream auth server returns Auth-Wait retry responses. Disrupts SMTP/IMAP/POP3 proxy availability. Apply the F5/NGINX security patch or switch away from CRAM-MD5/APOP as an interim workaround.
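The interim workaround is a one-line change per protocol in the mail block. The fragment below is an added example, not F5's or the advisory's configuration; the server name, auth server address, certificate paths and listen ports are assumptions.

```nginx
# Interim mitigation for CVE-2026-27651 until the F5/NGINX patch is applied:
# drop CRAM-MD5 and APOP, the methods the advisory names as triggering the
# worker crash on Auth-Wait responses from the auth_http server.
mail {
    server_name mail.example.com;             # assumption
    auth_http   127.0.0.1:9000/auth;          # assumption

    # Before (vulnerable): challenge-response methods permitted.
    # smtp_auth login plain cram-md5;
    # imap_auth login plain cram-md5;
    # pop3_auth plain apop cram-md5;

    # After (workaround): only LOGIN/PLAIN. These send the password to the
    # proxy, so require STARTTLS so it is never exposed on the wire.
    smtp_auth login plain;
    imap_auth login plain;
    pop3_auth plain;

    starttls            on;
    ssl_certificate     /etc/nginx/tls/mail.crt;   # assumption
    ssl_certificate_key /etc/nginx/tls/mail.key;   # assumption

    server { listen 25;  protocol smtp; }
    server { listen 143; protocol imap; }
    server { listen 110; protocol pop3; }
}
```

Validate with `nginx -t` and confirm afterwards that clients configured for CRAM-MD5 or APOP fall back to PLAIN over TLS rather than failing silently.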
Also this week:
- CVE-2026-33478
- CVE-2026-4567
- CVE-2026-4529
- CVE-2026-3629
- CVE-2026-30836
- CVE-2026-22172
Quick Takes
- Resolv DeFi — $24.5M Stolen via Compromised Private Key: An attacker exploited a compromised privileged key to mint $80 million in unbacked USR stablecoins on the Resolv protocol, exiting with $24.5 million in ETH before Resolv Labs suspended operations. The USR peg collapsed 80%, cascading losses across Fluid ($17.5M bad debt) and Curve Finance LPs ($17M). A plain key management failure: the SERVICE_ROLE account was a single EOA with no multisig and no supply controls.
- FBI Warns: Russian Intelligence Targeting Signal and WhatsApp Users: The FBI issued an alert that Russian intelligence services are running mass phishing campaigns designed to compromise Signal, WhatsApp, and Telegram accounts belonging to journalists, activists, government personnel, and NGO workers.
- VoidStealer Steals Chrome Master Key via Debugger Trick: A new infostealer bypasses Chrome's App-Bound Encryption by abusing the Chrome Remote Debugging interface to extract the master key — recovering stored passwords, cookies, and payment data from a fully patched Chrome installation.
- Mazda Discloses Security Breach Exposing Employee and Partner Data: Mazda confirmed unauthorized access to internal systems exposing employee and business partner data. The attacker's identity and the full scope remain under active investigation.
- Malaysia Airlines — Qilin Ransomware Claims Passenger Data Theft: Qilin ransomware operators claimed an attack on Malaysia Airlines, alleging exfiltration of passenger and operational data. The airline is investigating the scope of the claimed breach.
- Crunchyroll Investigates Breach — Hacker Claims 68M User Records: A threat actor claims to have stolen 68 million user records from the anime streaming platform Crunchyroll. The company confirmed it is actively investigating.
- Cegedim Santé: 15 Million French Healthcare Records Breached: French healthcare software provider Cegedim Santé confirmed a breach affecting approximately 15 million patient records held across its health data management platform.
- Nigerian National Sentenced to 7 Years for $6M Email Fraud: A U.S. federal court sentenced a Nigerian national to seven years for orchestrating a $6 million business email compromise scheme that defrauded dozens of organizations across multiple U.S. states.
- CISA Adds Apple, DarkSword, Craft CMS, and Laravel to KEV: CISA expanded its Known Exploited Vulnerabilities catalog with a batch covering the Apple improper locking flaw, DarkSword-related CVEs, a Craft CMS vulnerability, and the Laravel Livewire RCE — all confirmed actively exploited in the wild.
- Marquis FinTech Breach Exposes 672,000 Banking Customers: Marquis FinTech disclosed unauthorized access to systems containing the personal and financial data of approximately 672,000 banking customers across its client portfolio.
Upcoming
- PTC Windchill / FlexPLM Patch: PTC confirmed a formal patch for CVE-2026-4681 is under active development. Monitor PTC's advisory portal closely and apply the Apache/IIS servlet restriction workaround now if you have not already. Do not wait for the patch to apply interim mitigations.
- April 3 — CISA KEV Remediation Deadline: Federal Civilian Executive Branch agencies must have patched CVE-2025-43510 (Apple) and CVE-2025-54068 (Laravel Livewire) by April 3, 2026 under Binding Operational Directive 22-01. All organizations should treat both as urgent — active exploitation is confirmed for both.
- April Patch Tuesday: Microsoft's next scheduled security update cycle lands the second Tuesday of April. Given the current wave of supply chain disclosures and RCE activity, expect patches for Windows, Exchange, and Office components. Begin patch-readiness checks now.
- Trivy Incident Ongoing: The TeamPCP / Trivy investigation is active and scope continues to expand. Aqua Security is identifying and closing all remaining access paths. Monitor their GitHub Security Advisories, and assume any environment that ran Trivy 0.69.4–0.69.6 is compromised until proven otherwise — rotate credentials and re-image affected runners.
By the Numbers
| Metric | Value |
|---|---|
| iOS devices potentially at risk from DarkSword | hundreds of millions |
| DarkSword exploit chain vulnerabilities | 6 |
| npm packages compromised by CanisterWorm | 47 |
| Aqua Security repos defaced in 2 minutes | 44 |
| PTC Windchill / FlexPLM CVE score | 10.0 (perfect) |
| QualDerm patient records breached | 3,117,874 |
| Resolv DeFi funds stolen | $24.5M |
| Russian hackers sentenced this week | 2 |
| CVEs added to CISA KEV this week | 4 |
| Critical CVEs published this week | 2 |
| Total CVEs published this week | 10 |
CosmicBytez Labs — IT & Cybersecurity Intelligence Hub