Newsletter Issue #11
Mar 17 Digest: GlassWorm Poisons Python, n8n RCE Hits KEV, Veeam Drops 5 Criticals


Dylan H.

CosmicBytez Labs

March 17, 2026
11 min read

This Week in Cybersecurity

The week of March 17 was defined by supply chain escalation and critical infrastructure exposure. GlassWorm — the threat group that debuted with a campaign against developer tooling — executed two simultaneous operations: flooding the Open VSX marketplace with 72 malicious extensions that hijacked developer environments, then following up with ForceMemo, a separate campaign that used stolen GitHub tokens to force-push poisoned commits to hundreds of Python package repositories. Developers and CI/CD pipelines that trusted those packages were silently compromised.

On the patch front, CISA moved fast: the n8n workflow automation RCE was added to the Known Exploited Vulnerabilities catalog with a concurrent directive ordering federal agencies to patch — while researchers estimated 24,700 internet-exposed instances remained unpatched. Veeam simultaneously disclosed and patched five critical RCE vulnerabilities in Backup & Replication, the kind of patch Tuesday that stops network architects cold.

Two data breaches confirmed this week signal that no sector is safe: Telus Digital confirmed a ShinyHunters exfiltration, and England Hockey is investigating a ransomware breach linked to AiLock. And in a different category entirely, the Stryker cyberattack that wiped tens of thousands of medical devices did so without a single piece of detectable malware — a sobering demonstration of living-off-the-land destruction at clinical scale.


Top Stories

GlassWorm Doubles Down: 72 Open VSX Extensions + Hundreds of Poisoned Python Repos

GlassWorm had the most active week of any threat group in 2026 so far, executing two concurrent supply chain attacks targeting developers directly.

In the first campaign, the group published 72 malicious extensions to the Open VSX marketplace — the primary extension registry for VS Code-compatible IDEs used in Linux and enterprise environments where the Microsoft Marketplace is unavailable. The extensions impersonated popular developer tools and used typosquatted names to maximize accidental installs. Once loaded, they used the VS Code Extension API to exfiltrate workspace secrets, SSH keys, and cloud credentials from the development environment.

The second campaign — dubbed ForceMemo by researchers — used stolen GitHub OAuth tokens to perform force-push commits against the default branches of hundreds of Python package repositories, injecting credential-harvesting code into setup.py and __init__.py files before repository owners noticed the unauthorized commits. Any developer or CI runner that installed those packages during the exposure window should treat their build environments as compromised.
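One defender-side check for the force-push pattern described above, added here as an example and not code from the newsletter or from any of the projects it mentions: given the commit graph, the branch head a CI runner last fetched, and the head now advertised by the remote, decide whether the update is a fast-forward or a history rewrite, and list which rewritten commits touched setup.py or __init__.py. The commit graph is constructed sample data; in practice the two heads would come from a mirror's reflog or from `git fetch` output.

```python
"""Classify a branch-head update as fast-forward or rewritten (force-pushed),
and flag rewritten commits that touch Python package entry points."""
from collections import deque

# Constructed sample commit graph: sha -> (parent shas, files touched).
# It is hypothetical and does not describe any real repository.
COMMITS = {
    "a1": ((), {"README.md"}),
    "b2": (("a1",), {"pkg/__init__.py"}),
    "c3": (("b2",), {"pkg/core.py"}),              # head of main as last fetched by CI
    "d4": (("c3",), {"docs/index.md"}),            # legitimate follow-up commit
    "x9": (("b2",), {"setup.py", "pkg/__init__.py"}),  # history rewritten from b2
}

SENSITIVE_SUFFIXES = ("setup.py", "__init__.py")


def ancestors(sha, commits):
    """Return the set of commits reachable from sha (including sha itself)."""
    seen, queue = set(), deque([sha])
    while queue:
        cur = queue.popleft()
        if cur in seen:
            continue
        seen.add(cur)
        queue.extend(commits[cur][0])
    return seen


def classify_update(old_head, new_head, commits):
    """Fast-forward if old_head is an ancestor of new_head; otherwise report
    the commits that were dropped, the commits that replaced them, and any
    sensitive files the replacement commits touched."""
    new_anc = ancestors(new_head, commits)
    if old_head in new_anc:
        return {"fast_forward": True, "dropped": [], "rewritten": [], "suspicious_files": []}
    old_anc = ancestors(old_head, commits)
    rewritten = sorted(new_anc - old_anc)
    suspicious = sorted({f for sha in rewritten for f in commits[sha][1]
                         if f.endswith(SENSITIVE_SUFFIXES)})
    return {"fast_forward": False, "dropped": sorted(old_anc - new_anc),
            "rewritten": rewritten, "suspicious_files": suspicious}


if __name__ == "__main__":
    for new in ("d4", "x9"):
        print(f"c3 -> {new}:", classify_update("c3", new, COMMITS))
```

A non-fast-forward update whose replacement commits touch setup.py or __init__.py is the signal to halt the pipeline and treat the runner's credentials as exposed, rather than simply re-installing the package.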


CISA Flags n8n RCE as Actively Exploited — 24,700 Instances Still Exposed

CVE-2025-68613, a critical remote code execution vulnerability in the n8n workflow automation platform, was added to CISA's Known Exploited Vulnerabilities catalog this week after researchers confirmed active in-the-wild exploitation. A concurrent CISA directive ordered federal agencies to patch within the mandatory remediation window.

The severity is compounded by the exposure scale: researchers scanning internet-facing n8n deployments counted 24,700 publicly reachable instances, the majority running vulnerable versions. n8n is widely deployed in enterprise automation pipelines, internal tools, and AI agent orchestration stacks — environments that often have elevated access to APIs, databases, and cloud credentials. The flaw stems from improper control of dynamically managed code resources, allowing unauthenticated or low-privileged attackers to execute arbitrary code on the server.


Veeam Patches Five Critical RCEs in Backup & Replication

Veeam released an emergency patch bundle addressing five critical remote code execution vulnerabilities in Backup & Replication — software that sits at the heart of most enterprise disaster recovery architectures and holds privileged access to every system it backs up.

The five CVEs span distinct attack surfaces: authenticated RCE via deserialization (CVE-2026-21666, CVE-2026-21667), third-domain trust abuse allowing lateral RCE (CVE-2026-21669), a specific HA deployment attack path (CVE-2026-21671), and a Backup Viewer component flaw (CVE-2026-21708). All are rated Critical. Veeam backup servers are consistently high-value ransomware targets — attackers who compromise them can delete or encrypt backups before launching the final payload, eliminating the victim's recovery options. Patch immediately and verify no unauthorized access occurred in the preceding 30 days.


Telus Digital Breach Confirmed; England Hockey Investigating AiLock Ransomware

Telus Digital confirmed this week that ShinyHunters — the group responsible for prior high-profile breaches at Ticketmaster, Santander, and AT&T — successfully exfiltrated data from their systems. The breach follows ShinyHunters' now-established pattern of targeting large outsourced digital service providers to maximize the blast radius across their client portfolios.

Simultaneously, England Hockey disclosed it is investigating a data breach after AiLock ransomware operators claimed responsibility, alleging access to internal systems and member data. The incident follows a surge in ransomware targeting national sports governing bodies, which often hold detailed member PII but operate with limited security staffing relative to the sensitivity of the data they hold.


AI Attack Surface Expanding: Flaws in Bedrock, LangSmith, SGLang, and OpenClaw

AI infrastructure is becoming a primary attack surface. This week, researchers disclosed vulnerabilities in Amazon Bedrock, LangSmith, and SGLang that enable data exfiltration and remote code execution via prompt injection and SSRF-class issues in the underlying model serving and observability platforms — not the models themselves, but the plumbing around them.

Separately, OpenClaw — an open-source AI agent framework — was found vulnerable to prompt injection attacks that can trigger 1-click RCE and data exfiltration against users of the framework. The disclosure underscores a systemic issue: AI agent frameworks expose new attack surfaces (tool calling, memory retrieval, external integrations) that traditional application security tooling is not designed to detect or block. Security teams need to treat AI agent deployments like they treat web application perimeters — with explicit threat modeling, input validation at tool boundaries, and output sandboxing.



More Headlines This Week

  • Stryker — Tens of Thousands of Devices Wiped, No Malware Detected: Attackers wiped tens of thousands of Stryker medical devices using only native administrative tools — no malware, no dropper, no signature for EDR to catch. A stark reminder that "no malware detected" no longer means "no attack."

  • AppsFlyer Web SDK Hijacked for Crypto-Stealing JS: The AppsFlyer Web SDK CDN was compromised and served malicious JavaScript to downstream applications, injecting code that intercepted cryptocurrency wallet interactions. Any site that embeds third-party analytics SDKs via CDN is exposed to this class of attack.

  • Operation Synergia III — 45,000 IPs Sinkholed: INTERPOL's third phase of Operation Synergia sinkholed 45,000 malicious IP addresses in a coordinated global takedown targeting phishing infrastructure, ransomware C2, and infostealer distribution networks across 95 countries.

  • LeakNet Ransomware Combines ClickFix and Deno Runtime: Emerging ransomware operator LeakNet deployed a novel attack chain using ClickFix social engineering to gain initial access to targets, then used the Deno JavaScript runtime as a living-off-the-land binary to execute payload stages — evading controls that block PowerShell and known scripting runtimes.

  • Shadow AI Is Everywhere — Here's How to Find It: A detailed operational guide published this week covers detection and governance approaches for shadow AI deployments — unsanctioned LLM integrations that bypass data classification controls and compliance oversight.

  • Android 17 Blocks Accessibility API Abuse: Google's upcoming Android 17 will restrict non-accessibility apps from accessing the Accessibility API — a long-standing malware abuse vector used by banking trojans, spyware, and RATs for screen scraping and input injection.

  • Microsoft OOB Hotpatch Fixes RRAS RCE: Microsoft pushed an out-of-band hotpatch for Windows 11 addressing three vulnerabilities including an RRAS remote code execution flaw, distributing the fix without requiring a device reboot — the hotpatch mechanism now in broader rollout for Windows 11 24H2.

  • CISA Adds Wing FTP Server Flaw to KEV: A path disclosure vulnerability in Wing FTP Server (CVE-2025-47813) was added to the KEV catalog after researchers demonstrated how it enables a full RCE exploitation chain when combined with a separate deserialization bug.

  • Betterleaks: Open-Source Secrets Scanner to Replace Gitleaks: A new open-source tool — Betterleaks — launched this week with the explicit goal of replacing Gitleaks, offering improved detection rules, lower false-positive rates, and native CI/CD integration patterns.

  • Samsung C: Drive Fix Now Available: Microsoft published a fix for the Windows 11 February update that blocked C: drive access on certain Samsung PCs — the rollout of the repair is now underway via Windows Update.

  • Microsoft Halts Forced M365 Copilot Rollout: Microsoft reversed course on the forced global installation of the Microsoft 365 Copilot app, pausing the rollout after user and IT admin backlash over unexpected application installs appearing on managed endpoints.


Security Advisories This Week

17 new CVEs published to the Security Advisories section this week — seven rated Critical, ten rated High or Medium. Notable advisories below.

CVE-2025-68613 — n8n Remote Code Execution via Dynamic Code Resources (CVSS Critical, Actively Exploited)
Unauthenticated RCE in n8n workflow automation, now on CISA KEV. Federal agencies must patch; all organizations with internet-exposed n8n instances should treat this as emergency remediation.

CVE-2026-21666 / 21667 / 21669 / 21671 / 21708 — Veeam Backup & Replication Critical RCE Cluster (CVSS Critical ×5)
Five critical RCEs across Veeam Backup & Replication covering authenticated deserialization, third-domain trust abuse, HA deployment paths, and Backup Viewer. Patch immediately — ransomware actors actively target Veeam to destroy recovery options.

CVE-2025-62319 — HCL Unica SQL Injection (CVSS 9.8 Critical)
Critical SQL injection in HCL Unica marketing platform with a CVSS score of 9.8 — effectively unauthenticated database read/write access. Organizations running Unica should apply the vendor patch immediately and audit recent query logs.

CVE-2025-69902 — kubectl-mcp-server Command Injection (CVSS Critical)
Critical command injection in the kubectl MCP server — a tool used to expose Kubernetes cluster management to AI agents via the Model Context Protocol. Exploitation gives an attacker full kubectl execution context, meaning arbitrary cluster-level commands. Any AI agent stack wiring LLMs to production Kubernetes via this server is directly exposed.

CVE-2026-28792 — TinaCMS CLI Dev Server CORS + Path Traversal (CVSS Critical)
A combined CORS misconfiguration and path traversal in the TinaCMS CLI development server allows an attacker on the local network to read arbitrary files from the developer's filesystem. Particularly dangerous in shared office or co-working environments.

CVE-2025-47813 — Wing FTP Server Path Disclosure → RCE Chain (Actively Exploited)
Path disclosure vulnerability in Wing FTP Server that researchers have chained with a deserialization bug to achieve RCE. Now on CISA KEV — treat as actively exploited.

CVE-2026-4312 — DrangSoft GCB/FCB Missing Authentication — Unauthenticated Admin Creation
Missing authentication in DrangSoft GCB/FCB audit software allows any unauthenticated user to create an admin account. Audit software with admin-level access to OT/compliance systems represents a critical lateral movement risk if exposed.

Also this week:

  • CVE-2026-4177 — YAML::Syck heap buffer overflow enabling remote code execution via malicious YAML input
  • CVE-2016-20026 — ZKTeco ZKBioSecurity 3.0 hardcoded Tomcat credentials enabling unauthenticated RCE — a 10-year-old issue still unpatched in many deployments
  • CVE-2016-20024 — ZKTeco ZKTime.Net insecure file permissions allowing local privilege escalation
  • CVE-2016-20030 — ZKTeco ZKBioSecurity 3.0 username enumeration via login endpoint
  • CVE-2015-20115 — RealtyScript 4.0.2 stored XSS via file upload in admin panel
  • CVE-2015-20118 — Stored XSS in RealtyScript 4.0.2 admin interface

By the Numbers

Metric                                              Value
n8n instances exposed at time of KEV addition       24,700
Malicious Open VSX extensions (GlassWorm)           72
Python repos poisoned by GlassWorm ForceMemo        hundreds
IPs sinkholed in Operation Synergia III             45,000
Veeam critical RCE CVEs patched                     5
Stryker devices wiped (no malware used)             tens of thousands
CVEs added to CISA KEV this week                    2 (n8n, Wing FTP)
Critical CVEs published this week                   7
Total CVEs published this week                      17
