Cyber Threat Brief — March 20 2026
Previous brief: Cyber Threat Brief — March 19 2026
1. GlassWorm Supply Chain Phase 3 — Sleeper Extensions & GitHub VSIX Delivery
TL;DR: Dormant Open VSX extensions activated March 17–18 and now force-install malicious VSIX payloads hosted on GitHub Releases, beyond the reach of registry takedowns. 433 compromised components identified across GitHub, npm, and Open VSX; C2 uses Solana blockchain memos, making takedown near-impossible.
What’s New:
- Sleeper extensions on Open VSX activated, converting benign extensions into malicious packs via the extensionPack/extensionDependencies manifest fields
- VSIX payloads now hosted on GitHub Releases (github[.]com/francesca898/dqwffqw/releases/), force-installed via --install-extension --force
- Compromised npm packages published March 12: @aifabrix/miso-client v4.7.2, @iflow-mcp/watercrawl-watercrawl-mcp v1.3.0–1.3.4
- Invisible Unicode obfuscation (PUA ranges U+FE00–U+FE0F, U+E0100–U+E01EF) hides malicious code from view in all editors
- March 18 wave extensions remain live on Open VSX as of March 20
Actionable Intel
| Artifact | Type | ATT&CK | Log Source | Action |
|---|---|---|---|---|
| Marker variable lzcdrtfxyqiplpd | IOC / Code | T1195.002 | SAST, code scanning | Search all codebases for this string |
| ~/init.json persistence file | IOC / File | T1547.004 | EDR, Sysmon Event 11 | Alert on creation in developer home dirs |
| ~/node-v22* directories | IOC / File | T1059.007 | EDR File Create | Alert on Node.js installs outside package manager paths |
| github[.]com/francesca898/dqwffqw/releases/ | IOC / Network | T1105 | Web proxy, DNS | Block/alert on requests to this repo |
| Solana RPC polling every 5–10s from dev workstations | Network / C2 | T1102.002 | Web proxy, NetFlow | Alert on repeated Solana RPC from non-crypto hosts |
| --install-extension --force CLI invocations | Process | T1059 | EDR Process Create | Alert on VS Code CLI spawning with force-install from extension host |
| Git commits where committer date >> author date | TTP | T1195.002 | Git audit logs | Audit repos for anomalous timestamp patterns |
Detection
| Source | Rule | Gap |
|---|---|---|
| Splunk ESCU | Linux Ingress Tool Transfer Hunting, Suspicious Process File Path | No rules for VS Code extension abuse, Solana C2, or Unicode code injection |
| Elastic | Suspicious Browser Extension Installation | No IDE extension supply chain coverage |
| Sigma | Suspicious File In User Home, Suspicious Node.js Child Process | No VS Code extension or blockchain C2 rules |
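The Unicode code injection and manifest gaps noted above can be covered with a short scanner. This is an added example, not code from the brief or from any of the cited vendors; it assumes a VS Code-style package.json manifest and a caller-supplied allow-list of expected extension IDs, and the source line and manifest it scans are constructed.

```python
import json

# Code point ranges quoted in the brief. U+FE0F also legitimately follows emoji,
# so a single character is noisy; a run of them is the stronger signal.
INVISIBLE_RANGES = ((0xFE00, 0xFE0F), (0xE0100, 0xE01EF))
MARKER = "lzcdrtfxyqiplpd"  # marker variable name from the brief


def find_invisible_runs(text, min_run=2):
    """Return (line, column, length) for each run of >= min_run invisible code points."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        start = None
        for col, ch in enumerate(line + " "):  # trailing space closes a run at end of line
            inside = any(lo <= ord(ch) <= hi for lo, hi in INVISIBLE_RANGES)
            if inside and start is None:
                start = col
            elif not inside and start is not None:
                if col - start >= min_run:
                    hits.append((lineno, start, col - start))
                start = None
    return hits


def scan_source(text):
    """Combine the marker-string check with the invisible-character scan."""
    return {"marker": MARKER in text, "invisible_runs": find_invisible_runs(text)}


def scan_manifest(manifest_json, allowed_ids):
    """Flag extensionPack/extensionDependencies entries outside an allow-list (assumed policy)."""
    manifest = json.loads(manifest_json)
    flagged = []
    for field in ("extensionPack", "extensionDependencies"):
        for ext_id in manifest.get(field, []):
            if ext_id.lower() not in allowed_ids:
                flagged.append((field, ext_id))
    return flagged


# Constructed samples: a JS file carrying the marker plus a hidden run of
# variation selectors, and a manifest whose pack pulls in an unexpected ID.
HIDDEN = "".join(chr(0xE0100 + i) for i in range(8))
SAMPLE_JS = "const lzcdrtfxyqiplpd = 1;\nconsole.log('ok');" + HIDDEN + "\n"
SAMPLE_MANIFEST = '{"name": "demo", "extensionPack": ["ms-python.python", "unknown-publisher.added-pack"]}'

if __name__ == "__main__":
    print(scan_source(SAMPLE_JS))
    print(scan_manifest(SAMPLE_MANIFEST, {"ms-python.python"}))
```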
Sources: Socket · Aikido · BleepingComputer · The Hacker News · Sonatype
2. PolyShell — Unauthenticated RCE in All Magento/Adobe Commerce 2.x
TL;DR: Every Magento 2 installation through 2.4.9-alpha2 has an unrestricted file upload via the REST API cart custom options endpoint, enabling unauthenticated RCE through polyglot PHP uploads. No isolated patch exists for production versions; exploit methodology is already circulating publicly.
What’s New:
- Sansec published full technical disclosure on March 19, 2026
- Exploit methodology publicly circulating — automated exploitation expected imminently
- No isolated patch for production Magento 2.x; only 2.4.9 pre-release contains the fix
- Mass defacement campaign (15,000 hostnames, 7,500 domains) ongoing since Feb 27 may share the same upload vector
- No active RCE exploitation confirmed yet, but disclosure window is open
Actionable Intel
| Artifact | Type | ATT&CK | Log Source | Action |
|---|---|---|---|---|
| POST to REST API with file_info containing PHP/polyglot payloads | Network / Exploit | T1190 | WAF, web server logs | WAF rule to inspect file_info for executable content |
| New files in pub/media/custom_options/quote/ | File / Webshell | T1505.003 | FIM, Sysmon Event 11 | Alert on any file creation in this directory |
| HTTP requests to pub/media/custom_options/quote/*.php | Network | T1505.003 | Web server logs | Alert on execution attempts in custom_options dir |
| Base64 PHP in REST API bodies (e.g., PD9waHA = <?php) | Network | T1027 | WAF, web proxy | WAF rule to detect base64-encoded PHP patterns |
| .txt file uploads to web-accessible dirs (defacement) | File | T1491.002 | FIM, web server logs | Monitor for unexpected text files in Magento web dirs |
Detection
| Source | Rule | Gap |
|---|---|---|
| Splunk ESCU | Web Shell Indicator, W3WP Spawning Shell | No Magento-specific upload monitoring or polyglot detection |
| Elastic | Webshell Detection: Script Process Child of Common Web Processes | No file creation monitoring scoped to Magento dirs |
| Sigma | Webshell Detection via File Creation, Suspicious PHP File Creation | No polyglot file or API-based upload vector detection |
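A request-body check for the polyglot and base64 indicators listed above, as an added example (not Sansec's or the brief's code). It assumes the upload arrives in a cart custom-option file_info object with name and base64_encoded_data fields; the request body it inspects is constructed, and the decoded PHP tag is deliberately harmless.

```python
import base64
import json
import re

# "PD9waHA" is the base64 prefix of "<?php" from the brief; the byte regex finds a
# PHP open tag anywhere in decoded content, which is what a polyglot relies on.
B64_PHP_PREFIX = "PD9waHA"
PHP_TAG = re.compile(rb"<\?(php|=)", re.IGNORECASE)
# Names a web server may hand to the PHP interpreter, double extensions included.
EXEC_EXT = re.compile(r"\.(php\d?|phtml|phar)(\.|$)", re.IGNORECASE)

def iter_file_info(obj):
    """Yield every dict stored under a 'file_info' key, at any nesting depth."""
    if isinstance(obj, dict):
        for key, value in obj.items():
            if key == "file_info" and isinstance(value, dict):
                yield value
            yield from iter_file_info(value)
    elif isinstance(obj, list):
        for item in obj:
            yield from iter_file_info(item)

def inspect_body(body):
    """Return the reasons a request body should be blocked; an empty list means clean."""
    reasons = []
    try:
        doc = json.loads(body)
    except ValueError:
        return reasons
    for info in iter_file_info(doc):
        name = str(info.get("name", ""))
        data = str(info.get("base64_encoded_data", ""))
        if EXEC_EXT.search(name):
            reasons.append(f"executable extension in upload name: {name}")
        if data.startswith(B64_PHP_PREFIX):
            reasons.append("upload begins with base64-encoded '<?php'")
        try:
            raw = base64.b64decode(data, validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
        if PHP_TAG.search(raw):
            reasons.append("PHP open tag inside decoded upload (polyglot)")
    return reasons

# Constructed sample: GIF header then a harmless PHP tag; the prefix check alone misses it.
POLYGLOT = base64.b64encode(b"GIF89a<?php echo 'x'; ?>").decode()
SAMPLE_BODY = json.dumps({"cartItem": {"sku": "demo", "qty": 1, "product_option": {
    "extension_attributes": {"custom_options": [{"option_id": "1", "option_value": "file",
    "file_info": {"name": "photo.gif.php", "type": "image/gif", "base64_encoded_data": POLYGLOT}}]}}}})
```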
Sources: Sansec · The Hacker News · BleepingComputer · Sam James
Previously Covered — Status Updates
- CVE-2026-20131 / CVE-2026-20079 (Cisco FMC / Interlock Ransomware): No new IOCs or TTPs beyond Amazon MadPot disclosure. March 19 brief.
- CVE-2026-20963 (Microsoft SharePoint RCE): Federal deadline March 21. No new exploitation reports. March 19 brief.
- CVE-2025-66376 (Zimbra XSS / APT28 GhostMail): Federal deadline April 1. No new IOCs. March 19 brief.
- DarkSword iOS Exploit Kit: No new malware families or targeting changes. March 19 brief.
- CVE-2026-3909 / CVE-2026-3910 (Chrome Skia/V8): Federal deadline March 27. No new TTPs. March 18 brief.
- CVE-2026-32746 (GNU InetUtils telnetd): No patch until April 1. No exploitation reports. March 18 brief.
- CVE-2025-47813 / CVE-2025-47812 (Wing FTP Server): No new artifacts. March 17 brief.
- LeakNet ClickFix + Deno BYOR Campaign: No new IOCs. March 18 brief.
- Payload Ransomware (Babuk derivative): No new victims or TTPs. March 18 brief.
- ACRStealer / HijackLoader: No new IOCs. March 18 brief.
- Konni APT EndRAT via KakaoTalk: No new C2 or targeting changes. March 18 brief.