End-of-Day report
Timeframe: Monday 09-03-2026 18:00 - Tuesday 10-03-2026 18:00
Handler: Guenes Holler
Co-Handler: Michael Schlagenhaufer
News
Lock the Ghost
In the software world, "remove" is not equal to "gone." This is crystal clear. There is always a good reason for that, but even the best reason does not have to be intuitive or expected by the users. Let's take a short trip through how the Python Package Index handles removals and how we can lock the ghost in an uv.lock file - forever!
https://www.cert.at/en/blog/2026/3/lock-the-ghost
Microsoft Teams phishing targets employees with A0Backdoor malware
Hackers contacted employees at financial and healthcare organizations over Microsoft Teams to trick them into granting remote access through Quick Assist and deploy a new piece of malware called A0Backdoor.
https://www.bleepingcomputer.com/news/security/microsoft-teams-phishing-targets-employees-with-backdoors/
APT28 hackers deploy customized variant of Covenant open-source tool
The Russian state-sponsored APT28 threat group is using a custom variant of the open-source Covenant post-exploitation framework for long-term espionage operations.
https://www.bleepingcomputer.com/news/security/apt28-hackers-deploy-customized-variant-of-covenant-open-source-tool/
Microsoft to enable Windows hotpatch security updates by default
Microsoft will turn on hotpatch security updates by default for all eligible Windows devices managed through Microsoft Intune and the Microsoft Graph API, beginning with the May 2026 Windows security update.
https://www.bleepingcomputer.com/news/microsoft/microsoft-to-enable-hotpatch-security-updates-by-default-in-may/
Malicious npm Package Posing as OpenClaw Installer Deploys RAT, Steals macOS Credentials
Cybersecurity researchers have discovered a malicious npm package that masquerades as an OpenClaw installer to deploy a remote access trojan (RAT) and steal sensitive data from compromised hosts.
https://thehackernews.com/2026/03/malicious-npm-package-posing-as.html
KadNap Malware Infects 14,000+ Edge Devices to Power Stealth Proxy Botnet
Cybersecurity researchers have discovered a new malware called KadNap that's primarily targeting Asus routers to enlist them into a botnet for proxying malicious traffic.
https://thehackernews.com/2026/03/kadnap-malware-infects-14000-edge.html
Bawag phishing: debit card, PIN code and online banking credentials at risk!
A well-known phishing scam is currently being observed particularly frequently again. The perpetrators send fake emails in the name of Bawag warning that the debit card is about to expire. In the supposed ordering process for the new card, they ask for highly sensitive data. Victims are also asked to send their old card by post to an address in Vienna.
https://www.watchlist-internet.at/news/bawag-phishing-debitkarte/
Iranian MOIS Actors & the Cyber Crime Connection
Iran-linked actors are increasingly engaging with the cyber crime ecosystem. Their activity suggests a growing reliance on criminal tools, services, and operational models in support of state objectives. Iranian actors have long used cyber crime and hacktivism as cover for destructive activity, but the trend now suggests direct engagement with the criminal ecosystem.
https://research.checkpoint.com/2026/iranian-mois-actors-the-cyber-crime-connection/
OpenClaw Advisory Surge Highlights Gaps Between GHSA and CVE Tracking
A recent burst of security disclosures in the OpenClaw project is drawing attention to how vulnerability information flows across advisory and CVE systems.
https://socket.dev/blog/openclaw-advisory-surge-highlights-gaps-between-ghsa-and-cve-tracking?utm_medium=feed
Cyberattack Forces Polish Hospital to Revert to Paper-Based Operations
The Independent Public Regional Hospital in the western Polish city of Szczecin has been compelled to switch back to a paper-based workflow after suffering a cyberattack over the weekend. Hospital authorities confirmed that the incident, which struck the facility's IT system on the night of March 7-8, 2026, has temporarily disrupted digital operations, though patients' health remains uncompromised.
https://thecyberexpress.com/szczecin-public-regional-hospital-cyberattack/
Vulnerabilities
SAP Patch Day: NetWeaver vulnerability allows injection of malicious code
In March, SAP addresses partly critical security vulnerabilities in various products in 15 security advisories. Admins need to act.
https://heise.de/-11205008
30,000 WordPress Sites Affected by Authentication Bypass Vulnerability in Tutor LMS Pro WordPress Plugin
On December 30th, 2025, we received a submission for an Authentication Bypass vulnerability in Tutor LMS Pro, a WordPress plugin estimated to have more than 30,000 active installations. The vulnerability makes it possible for an unauthenticated attacker to gain access to any account on a site including accounts used to administer the site, if the attacker knows, or can find, the associated email address.
https://www.wordfence.com/blog/2026/03/30000-wordpress-sites-affected-by-authentication-bypass-vulnerability-in-tutor-lms-pro-wordpress-plugin/
LWN Security updates for Tuesday
https://lwn.net/Articles/1062260/
CISA Adds Three Known Exploited Vulnerabilities to Catalog
https://www.cisa.gov/news-events/alerts/2026/03/09/cisa-adds-three-known-exploited-vulnerabilities-catalog
Ivanti March 2026 Security Update
https://www.ivanti.com/blog/march-2026-security-update