End-of-Day report
Timeframe: Thursday 05-03-2026 18:00 - Friday 06-03-2026 18:00
Handler: Felician Fuchs
Co-Handler: Michael Schlagenhaufer
News
Wikipedia hit by self-propagating JavaScript worm that vandalized pages
The Wikimedia Foundation suffered a security incident today after a self-propagating JavaScript worm began vandalizing pages and modifying user scripts across multiple wikis.
https://www.bleepingcomputer.com/news/security/wikipedia-hit-by-self-propagating-javascript-worm-that-vandalized-pages/
Fake Claude Code install guides push infostealers in InstallFix attacks
Threat actors are employing a new variation of the ClickFix social engineering technique called InstallFix to convince users into running malicious commands under the pretext of installing legitimate command line interface (CLI) tools.
https://www.bleepingcomputer.com/news/security/fake-claude-code-install-guides-push-infostealers-in-installfix-attacks/
Cyberattack: The FBI apparently has hackers in its network
A system used by the FBI to manage surveillance measures has apparently been compromised. The agency is investigating suspicious activity.
https://www.golem.de/news/cyberangriff-das-fbi-hat-offenbar-hacker-im-netzwerk-2603-206170.html
Data protection: FBI obtains Protonmail payment data
Through mutual legal assistance treaties, personal data can reach US law enforcement authorities even from Switzerland.
https://www.golem.de/news/datenschutz-fbi-gelangt-an-zahlungsdaten-von-protonmail-2603-206199.html
Microsoft Reveals ClickFix Campaign Using Windows Terminal to Deploy Lumma Stealer
Microsoft on Thursday disclosed details of a new widespread ClickFix social engineering campaign that has leveraged the Windows Terminal app as a way to activate a sophisticated attack chain and deploy the Lumma Stealer malware.
https://thehackernews.com/2026/03/microsoft-reveals-clickfix-campaign.html
Multi-Stage VOID#GEIST Malware Delivering XWorm, AsyncRAT, and Xeno RAT
Cybersecurity researchers have disclosed details of a multi-stage malware campaign that uses batch scripts as a pathway to deliver various encrypted remote access trojan (RAT) payloads corresponding to XWorm, AsyncRAT, and Xeno RAT.
https://thehackernews.com/2026/03/multi-stage-voidgeist-malware.html
Warning of attacks on Hikvision, Rockwell Automation and Apple products
The US cybersecurity agency CISA warns of ongoing attacks against Hikvision, Rockwell Automation and Apple products.
https://www.heise.de/news/Warnung-vor-Angriffen-auf-Hikvision-Rockwell-Automation-und-Apple-Produkte-11201384.html
London: Ten million records stolen in cyberattack on transport authority
In 2024 the British authority TfL suffered a cyberattack. It has now emerged that data on ten million customers was also stolen.
https://www.heise.de/news/London-Zehn-Millionen-Datensaetze-bei-Cyberangriff-auf-Verkehrsbehoerde-gestohlen-11202301.html
BSI: 11,500 critical facilities registered under NIS2
By the registration deadline, thousands of companies had completed the process - but around 20,000 are likely still missing.
https://www.heise.de/news/BSI-11-500-kritische-Einrichtungen-unter-NIS2-registriert-11202673.html
Fake CleanMyMac site installs SHub Stealer and backdoors crypto wallets
We uncovered a fake CleanMyMac site delivering SHub Stealer, a macOS infostealer that steals credentials and silently backdoors crypto wallets.
https://www.malwarebytes.com/blog/threat-intel/2026/03/fake-cleanmymac-site-installs-shub-stealer-and-backdoors-crypto-wallets
An Investigation Into Years of Undetected Operations Targeting High-Value Sectors
In-depth analysis of threat activity we call CL-UNK-1068. We discuss their toolset, including tunneling, reconnaissance and credential theft.
https://unit42.paloaltonetworks.com/cl-unk-1068-targets-critical-sectors/
The Hidden Cyber Risks of Remote Work Infrastructure
Hidden cyber risks in remote work include insecure home Wi-Fi, phishing attacks, and data exposure, leaving businesses and employees vulnerable to breaches.
https://hackread.com/hidden-cyber-risks-remote-work-infrastructure/
Avira: Deserialize, Delete and Escalate - The Proper Way to Use an AV
Avira Internet Security ships with a handful of modules that quietly handle privileged operations in the background: software updates, performance monitoring and system cleanup. Each one runs parts of its workflow as SYSTEM. Three of them don't bother checking what they are actually operating on.
http://blog.quarkslab.com/avira-deserialize-delete-and-escalate-the-proper-way-to-use-an-av.html
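The Avira write-up describes the general failure mode behind this class of local privilege escalation: a SYSTEM-level component deletes or rewrites a path without verifying that the path is the file it thinks it is, so a low-privileged user can redirect it (via a symlink, junction or path traversal) at something they could not otherwise touch. The following is an added example written for this report, not code from Quarkslab or Avira, showing the checks a privileged cleanup routine should perform before deleting. It assumes a POSIX host (O_NOFOLLOW is available) and a constructed directory layout; the function, directory and file names are illustrative.

```python
import os
import tempfile
from pathlib import Path


def safe_delete(base_dir, relative_name):
    """Delete base_dir/relative_name only if it is a regular file that really
    lives under base_dir. Returns True when deleted, False when refused.

    Assumed behaviour for a privileged cleanup job: the caller controls
    base_dir, an untrusted party may control relative_name and the contents
    of base_dir.
    """
    base = Path(base_dir).resolve(strict=True)
    target = base / relative_name

    # 1. Refuse if the final component is a symlink: we do not want to delete
    #    whatever it points at.
    if target.is_symlink():
        return False

    # 2. Resolve the full path (follows links in parent components and
    #    collapses "..") and insist the result still sits under base.
    try:
        resolved = target.resolve(strict=True)
    except FileNotFoundError:
        return False
    if resolved.parent != base and base not in resolved.parents:
        return False

    # 3. Only regular files are cleanup candidates.
    if not resolved.is_file():
        return False

    # 4. Re-open with O_NOFOLLOW as a last guard against the file being swapped
    #    for a symlink between the check and the delete, then unlink the path.
    #    A rename race on the parent directory is still possible; a real
    #    implementation should also lock down the parent directory's ACL.
    flags = os.O_RDONLY | getattr(os, "O_NOFOLLOW", 0)
    try:
        fd = os.open(resolved, flags)
    except OSError:
        return False
    try:
        if not os.path.samestat(os.fstat(fd), os.lstat(resolved)):
            return False
    finally:
        os.close(fd)
    os.unlink(resolved)
    return True


def demo():
    """Constructed scenario (not from the article): a cleanup directory with a
    stale log, a file outside it that must survive, and a symlink inside the
    cleanup directory pointing at that outside file."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp) / "cleanup"
        base.mkdir()
        (base / "old.log").write_text("stale")
        secret = Path(tmp) / "secret.txt"
        secret.write_text("do not delete")
        (base / "evil.log").symlink_to(secret)
        results = {
            "regular_deleted": safe_delete(base, "old.log"),
            "symlink_refused": not safe_delete(base, "evil.log"),
            "traversal_refused": not safe_delete(base, "../secret.txt"),
            "secret_intact": secret.exists(),
            "old_log_gone": not (base / "old.log").exists(),
        }
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'ok' if ok else 'FAIL'}")
```

The point of step 1 through step 4 is that each check closes a different redirection trick (link in the last component, link in a parent, traversal out of the base, and a swap after the check); a deserialization-driven delete that skips all of them is exactly the pattern the article's title alludes to.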
A GitHub Issue Title Compromised 4,000 Developer Machines
The attack - which Snyk named "Clinejection" - composes five well-understood vulnerabilities into a single exploit that requires nothing more than opening a GitHub issue.
https://grith.ai/blog/clinejection-when-your-ai-tool-installs-another
Fake imToken Chrome Extension Steals Seed Phrases via Phishing Redirects
Socket's Threat Research Team uncovered a malicious Chrome extension, lm-oken Chromophore (extension ID bbhaganppipihlhjgaaeeeefbaoihcgi), that impersonates imToken while presenting itself as a hex color visualizer in the Chrome Web Store. Instead of providing the harmless tool it promises, the extension automatically opens a threat actor-controlled phishing site as soon as it is installed, and again whenever the user clicks it.
https://socket.dev/blog/fake-imtoken-chrome-extension-steals-seed-phrases-via-phishing-redirects
A Satellite Receiver Trusted by Pentagon, ESA Has More Than 20 Security Flaws - and the Maker Never Responded
A penetration tester found more than 20 vulnerabilities in a satellite receiver deployed by the U.S. Department of Defense (also referred to as the Department of War), the European Space Agency, and other critical infrastructure operators worldwide - and the device's manufacturer, International Data Casting Corporation (IDC), did not respond to a single disclosure attempt over several months.
https://thecyberexpress.com/satellite-receiver-vulnerabilities-unpatched/
Vulnerabilities
WordPress membership plugin bug exploited to create admin accounts
Hackers are exploiting a critical vulnerability in the User Registration & Membership plugin, which is installed on more than 60,000 WordPress sites.
https://www.bleepingcomputer.com/news/security/wordpress-membership-plugin-bug-exploited-to-create-admin-accounts/
Acronis warns of dozens of security vulnerabilities in Cyber Protect
Acronis is currently warning of more than 20 security vulnerabilities in Cyber Protect. Admins should apply the available updates promptly.
https://www.heise.de/news/Acronis-Cyber-Protect-Zig-Schwachstellen-gefaehrden-Unternehmenssoftware-11201761.html
LWN Security updates for Friday
https://lwn.net/Articles/1061738/