FISA

  The GlassWorm malware campaign is being used to fuel an ongoing attack that leverages the stolen GitHub tokens to inject malware into hundreds of Python repositories. "The attack targets Python projects — including Django apps, ML research code, Streamlit dashboards, and PyPI packages — by appending obfuscated code to files like setup.py, main.py, and app.py," StepSecurity  said . "Anyone who runs pip install from a compromised repo or clones and executes the code will trigger the malware." According to the software supply chain security company, the earliest injections date back to March 8, 2026. The attackers, upon gaining access to the developer accounts,  rebasing  the latest legitimate commits on the default branch of the targeted repositories with malicious code, and then force-pushing the changes, while keeping the original commit's message, author, and author date intact. This new offshoot of the GlassWorm campaign has been codenamed ForceMemo. Th...

  If you run security at any reasonably complex organization, your validation stack probably looks something like this: a BAS tool in one corner. A pentest engagement, or maybe an automated pentesting product, in another. A vulnerability scanner feeding an attack surface management platform somewhere else. Each tool gives you a slice of the picture. None of them talks to each other in any meaningful way. Meanwhile, adversaries do not attack in silos. A real intrusion might chain together an exposed identity, a cloud misconfiguration, a missed detection opportunity, and an unpatched vulnerability in a single operation. Attackers understand that your environment is an interconnected system. Unfortunately, most validation programs are still treating it as a set of disparate, disconnected parts. This isn't a minor inefficiency. It's a structural blind spot. And it's lasted for years because the market has treated every validation discipline as a separate category, with its own ...

  Three different ClickFix campaigns have been found to act as a delivery vector for the deployment of a macOS information stealer called MacSync. "Unlike traditional exploit-based attacks, this method relies entirely on user interaction – usually in the form of copying and executing commands – making it particularly effective against users who may not appreciate the implications of running unknown and obfuscated terminal commands," Sophos researchers Jagadeesh Chandraiah, Tonmoy Jitu, Dmitry Samosseiko, and Matt Wixey  said . It's currently not known if the campaigns are the work of the same threat actor. The use of ClickFix lures to distribute the malware was also flagged by Jamf Threat Labs in December 2025. The details of the three campaigns are as follows - November 2025: A campaign that used the OpenAI Atlas browser as bait, delivered via sponsored search results on Google, to direct users to a fake Google Sites URL with a download button that, when clicke...

  Ukrainian entities have emerged as the target of a new campaign likely orchestrated by threat actors linked to Russia, according to a report from S2 Grupo's LAB52 threat intelligence team. The campaign,  observed  in February 2026, has been assessed to share overlaps with a prior campaign mounted by Laundry Bear (aka UAC-0190 or Void Blizzard) aimed at Ukrainian defense forces with a malware family known as PLUGGYAPE. The attack activity "employs various judicial and charity themed lures to deploy a JavaScript‑based backdoor that runs through the Edge browser," the cybersecurity company said. Codenamed  DRILLAPP , the malware is capable of uploading and downloading files, leveraging the microphone, and capturing images through the webcam by taking advantage of the web browser's features. Two different versions of the campaign have been identified, with the first iteration detected in early February. The attack makes use of a Windows shortcut (LNK) file to...