# Top Stories
April 24, 2026
1. The Record | threat-intel | Apr 23 | CISA: US agency breached through Cisco vulnerability, FIRESTARTER backdoor allowed access through March
CISA disclosed that an unnamed federal agency was breached through Cisco firewall vulnerabilities and infected with FIRESTARTER backdoor malware, which allowed hackers persistent access through March 2026 even after patches were applied. The incident demonstrates how threat actors can maintain long-term persistence in critical infrastructure networks despite remediation efforts.
2. BleepingComputer | general | Apr 23 | Bitwarden CLI npm package compromised to steal developer credentials
The Bitwarden CLI npm package (@bitwarden/[email protected]) was compromised as part of an ongoing supply chain attack targeting Checkmarx tools, with malicious code embedded in 'bw1.js' designed to steal developer credentials. This attack affects thousands of developers who rely on Bitwarden CLI for secure credential management in their development workflows.
3. BleepingComputer | general | Apr 23 | New Checkmarx supply-chain breach affects KICS analysis tool
Attackers compromised Docker images, VSCode extensions, and Open VSX extensions for Checkmarx's KICS security analysis tool, embedding credential-stealing payloads that harvest sensitive data from developer environments. The supply chain attack targets security teams using KICS for infrastructure-as-code scanning, potentially exposing secrets across multiple development projects.
4. The Hacker News | general | Apr 23 | UNC6692 Impersonates IT Helpdesk via Microsoft Teams to Deploy SNOW Malware
The UNC6692 threat group impersonates IT helpdesk staff via Microsoft Teams to deploy SNOW malware, convincing victims to accept chat invitations from fake accounts. This social engineering campaign demonstrates how attackers exploit trusted communication platforms and helpdesk personas to bypass technical security controls.
5. BleepingComputer | general | Apr 23 | UK warns of Chinese hackers using proxy networks to evade detection
The UK's NCSC and international partners warned that China-nexus hackers are building large-scale proxy networks from hijacked consumer devices to mask their malicious activities and evade detection. This tactic represents a significant shift toward using compromised IoT devices and home routers as infrastructure for state-sponsored cyber operations.
6. BleepingComputer | general | Apr 23 | New GopherWhisper APT group abuses Outlook, Slack, Discord for comms
The newly identified GopherWhisper APT group, linked to China, targets Mongolian government entities using Go-based custom malware and abuses legitimate services like Microsoft 365 Outlook, Slack, and Discord for command and control communications. ESET researchers discovered the group has compromised at least 12 government systems since November 2023.
7. The Hacker News | general | Apr 23 | Apple Patches iOS Flaw That Stored Deleted Signal Notifications in FBI Forensic Case
Apple patched CVE-2026-28950, an iOS/iPadOS Notification Services flaw that retained deleted notifications on devices, which the FBI exploited to forensically extract Signal messages even after the app was deleted. The vulnerability allowed law enforcement to recover sensitive messaging data from the push notification database during device forensic analysis.
8. BleepingComputer | general | Apr 23 | CISA orders feds to patch BlueHammer flaw exploited as zero-day
CISA ordered federal agencies to patch a Microsoft Defender privilege escalation vulnerability dubbed BlueHammer that was exploited as a zero-day, allowing attackers to access the SAM database and extract NTLM hashes to gain SYSTEM privileges. The exploitation demonstrates how security tools themselves can become attack vectors when compromised.
9. BleepingComputer | general | Apr 23 | Hackers exploit file upload bug in Breeze Cache WordPress plugin
Hackers are actively exploiting a critical file upload vulnerability in the Breeze Cache WordPress plugin that allows uploading arbitrary files without authentication. This vulnerability affects WordPress sites using the popular caching plugin and enables complete server compromise through unrestricted file uploads.
10. CyberScoop | general | Apr 23 | US, UK agencies warn hackers were hiding on Cisco firewalls long after patches were applied
US and UK agencies warned that the FIRESTARTER malware was discovered on a federal agency's Cisco firewall network, with the campaign dating back to at least September 2025 and persisting through March 2026 despite patch application. The incident highlights sophisticated persistence techniques that survive standard remediation procedures on critical network infrastructure.