Issue #001 · March 29, 2026

Cyber Threat Brief — Issue #001

What's active. What matters. What to do about it.

Active Campaigns

[ ACTIVE ] Russian GRU Targeting Signal & WhatsApp Accounts
ACTOR: APT — Russian Intelligence Services (GRU/FSB)
TARGETS: High-value individuals, journalists, government personnel, NGOs

FBI and CISA issued a joint advisory warning that Russian intelligence-affiliated actors are running coordinated phishing campaigns against commercial messaging apps — specifically Signal and WhatsApp. The objective is account takeover of individuals with intelligence value. Tactics include QR code phishing, fake device-linking prompts, and social engineering disguised as security alerts from the app itself.

[ ACTIVE ] TeamPCP Supply Chain Attack — Trivy, LiteLLM, Telnyx
ACTOR: TeamPCP — financially motivated
TARGETS: Developer environments, CI/CD pipelines, cloud infrastructure

TeamPCP executed a multi-target supply chain attack, compromising Trivy (a widely used open-source vulnerability scanner), LiteLLM, and the Telnyx Python package. Malicious versions were pushed to Docker Hub and PyPI, delivering infostealers capable of harvesting CI/CD secrets, cloud credentials, and connected database keys. The Trivy compromise also dropped a Kubernetes wiper in some environments. Last clean Trivy release: v0.69.3.

CVE Watch

CVE-2026-3055 · CVSS 9.3 · [ MONITORING ]

PRODUCT: Citrix NetScaler ADC / Gateway

WHAT IT MEANS:

A memory overread vulnerability in NetScaler that leaks sensitive data when the appliance is configured as a SAML Identity Provider. Attackers are currently in an active reconnaissance phase — honeypots are seeing probes of /cgi/GetAuthMethods to fingerprint which systems are exposed before exploitation begins. This follows the pattern of prior Citrix Bleed-style attacks. Exploitation is coming — patch now, don't wait.

ACTION: Patch immediately if running NetScaler as SAML IDP. Citrix advisory available. Monitor for auth method enumeration in access logs.
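As an added example (not from the advisory or from any vendor tooling), the script below shows one way to act on the "monitor for auth method enumeration" item: it parses access-log lines for hits on /cgi/GetAuthMethods and flags sources that probe the endpoint in a burst, or that probe it without ever proceeding to a login. The Apache-combined log format, the /cgi/login follow-up path and the sample lines are constructed assumptions, not real NetScaler output.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample lines in Apache combined format (an assumption; adjust
# LINE_RE to whatever access-log format your appliance actually emits).
SAMPLE_LOG = """\
198.51.100.7 - - [28/Mar/2026:03:14:01 +0000] "GET /cgi/GetAuthMethods HTTP/1.1" 200 512 "-" "python-requests/2.31"
198.51.100.7 - - [28/Mar/2026:03:14:02 +0000] "GET /cgi/GetAuthMethods HTTP/1.1" 200 512 "-" "python-requests/2.31"
198.51.100.7 - - [28/Mar/2026:03:14:03 +0000] "GET /cgi/GetAuthMethods HTTP/1.1" 200 512 "-" "python-requests/2.31"
203.0.113.9 - - [28/Mar/2026:08:00:10 +0000] "GET /cgi/GetAuthMethods HTTP/1.1" 200 512 "https://vpn.example.test/" "Mozilla/5.0"
203.0.113.9 - - [28/Mar/2026:08:00:11 +0000] "POST /cgi/login HTTP/1.1" 302 0 "https://vpn.example.test/" "Mozilla/5.0"
192.0.2.44 - - [28/Mar/2026:09:30:00 +0000] "GET /cgi/GetAuthMethods HTTP/1.1" 200 512 "-" "curl/8.4.0"
"""
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$')
PROBE_PATH = "/cgi/GetAuthMethods"  # endpoint the advisory says is being probed
LOGIN_PATH = "/cgi/login"           # assumed path a real user hits right after

def parse_log(text):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
            yield rec

def find_enumeration_sources(text, burst=3, window=timedelta(seconds=60)):
    """Return {ip: reason} for sources whose GetAuthMethods hits look like recon."""
    by_ip = defaultdict(list)
    for rec in parse_log(text):
        by_ip[rec["ip"]].append(rec)
    flagged = {}
    for ip, recs in by_ip.items():
        probes = sorted(r["ts"] for r in recs if r["path"] == PROBE_PATH)
        if not probes:
            continue
        # Heuristic 1: `burst` or more probes of the endpoint inside `window`.
        if any(probes[i + burst - 1] - probes[i] <= window
               for i in range(len(probes) - burst + 1)):
            flagged[ip] = "burst: %d+ hits within %ds" % (burst, window.seconds)
            continue
        # Heuristic 2: a probe with no referer and never a login afterwards, i.e.
        # the caller asked which auth methods exist but never tried to use one.
        orphan = any(r["path"] == PROBE_PATH and r["referer"] == "-" for r in recs)
        if orphan and not any(r["path"] == LOGIN_PATH for r in recs):
            flagged[ip] = "orphan probe: no referer, no login follow-up"
    return flagged
```

Tune `burst` and `window` to your normal portal traffic; the legitimate session from 203.0.113.9 (probe with a referer, then a login) is not flagged.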

CVE-2026-33017 · CVSS 9.1 · [ ACTIVE ]

PRODUCT: Langflow (AI workflow builder)

WHAT IT MEANS:

A code injection vulnerability in Langflow that allows unauthenticated users to execute arbitrary code by exploiting public-facing flows. What makes this particularly dangerous: attackers built working exploits directly from the advisory description within 20 hours of publication — no proof-of-concept code needed. Exfiltrated data included cloud credentials and database keys. The window between advisory and active exploitation is now measured in hours, not days.

ACTION: Apply vendor patch immediately. Restrict public flow access. Audit for credential exposure in affected environments.

CVE-2026-20963 · CVSS 8.8 · [ ACTIVE ]

PRODUCT: Microsoft SharePoint

WHAT IT MEANS:

A deserialization vulnerability in SharePoint allowing unauthenticated remote code execution over the network. CISA added it to the Known Exploited Vulnerabilities catalog, confirming active exploitation. SharePoint servers are high-value targets — they contain corporate data and often serve as a gateway to broader internal networks. If you have an internet-facing SharePoint instance that hasn't been patched since January 2026, treat it as potentially compromised.

ACTION: Patch was available January 2026. Apply immediately. Check for signs of lateral movement originating from SharePoint hosts.

Threat Actor Activity

GRU / APT28 · [ ESCALATING ]

Active phishing campaign against Signal and WhatsApp. Targeting high-value individuals in Europe and the US. Joint FBI/CISA advisory issued.

TeamPCP · [ ACTIVE ]

Supply chain attack hitting developer tooling. Trivy, LiteLLM, and Telnyx all compromised. Financially motivated.

Volt Typhoon · [ MONITORING ]

No new activity confirmed. Continued pre-positioning in US critical infrastructure reported in prior periods remains unresolved.

LockBit · [ MONITORING ]

Reduced operational tempo following February law enforcement actions. Affiliate activity continues at lower volume.

Scattered Spider · [ MONITORING ]

No confirmed new incidents. Group remains active and dangerous — last known for large-scale social engineering attacks against hospitality and entertainment.

Key Takeaway

The window between a vulnerability being disclosed and attackers actively exploiting it has collapsed — in one case covered in this issue, it took less than 20 hours. At that speed, monthly or even weekly patch cycles aren't fast enough. Organizations running unpatched internet-facing systems should treat critical patches as same-day work, not scheduled maintenance. Separately, developers and security teams that rely on open-source scanning tools should verify the integrity of those tools — attackers are now targeting the security toolchain itself.

Sources

  • CISA KEV Catalog
  • The Hacker News
  • Help Net Security
  • FBI/CISA Joint Advisory
  • Sysdig Threat Research Team