Here are today’s top cybersecurity stories for Monday, March 30, 2026.
CISA March 30 Deadline: F5 BIG-IP APM CVE-2025-53521 Reclassified as RCE with CVSS 9.8 Under Active Exploitation
CISA ordered all Federal Civilian Executive Branch agencies to mitigate CVE-2025-53521 in F5 BIG-IP Access Policy Manager by today, March 30, 2026. The vulnerability was originally disclosed in October 2025 as a denial-of-service flaw, but new exploitation evidence prompted F5 and CISA to reclassify it as unauthenticated remote code execution with a CVSS v3.1 score of 9.8. Affected versions span BIG-IP APM 15.1.0 through 17.5.1. F5 patches are available and all affected organizations should apply them immediately. The Hacker News | Help Net Security
Nova Scotia Power Discloses 900,000 Canadians Affected in 2025 SocGholish Ransomware Breach
Nova Scotia Power has confirmed a 2025 cyberattack affected more than 900,000 current and former customers after the Office of the Privacy Commissioner of Canada released details from a compliance investigation. A single employee clicking a SocGholish malware pop-up on March 19, 2025, allowed threat actors to move laterally using stolen domain administrator credentials, exfiltrating data between April 23 and April 25 before detection. Stolen records include driver’s licence numbers, Social Insurance Numbers, and bank account details. Nova Scotia Power has pledged to delete all customer SINs from its systems by end of March and submit an external security audit by October 31. SecurityWeek
Three CVEs in LangChain and LangGraph Expose Filesystem Data, API Keys, and Databases in Widely Used AI Frameworks
Security researchers disclosed three vulnerabilities across the LangChain and LangGraph AI orchestration frameworks, which together see more than 52 million weekly downloads. CVE-2026-34070 (CVSS 7.5) is a path traversal flaw in LangChain’s prompt-loading function that allows arbitrary file reads. CVE-2025-68664 (CVSS 9.3) enables exfiltration of API keys and environment secrets via unsafe deserialization triggered through prompt injection. CVE-2025-67644 is a SQL injection flaw in LangGraph’s SQLite checkpoint implementation. Patches are available in langchain-core 1.2.22, langchain 0.3.81 and 1.2.5, and langgraph-checkpoint-sqlite 3.0.1. The Hacker News
CISA Flags Critical PTC Windchill CVE-2026-4681 After German Police Deploy Overnight to Alert Manufacturers
CISA added CVE-2026-4681 to its advisory feed after German federal and state police conducted an unusual overnight operation, physically visiting manufacturers across Germany to warn them of an imminent exploitation risk in PTC Windchill and FlexPLM product lifecycle management software. The flaw is a deserialization vulnerability enabling unauthenticated remote code execution against Windchill and FlexPLM releases prior to version 11.0 M030. No patches are yet available; PTC has published mitigations. No confirmed in-the-wild exploitation has been reported, but authorities judge the risk of imminent attack to be high. SecurityWeek | BleepingComputer
Fake Visual Studio Code Security Alerts on GitHub Deliver Malware in Large-Scale Developer Campaign
A coordinated campaign is flooding GitHub Discussions across thousands of repositories with fake VS Code vulnerability advisories, impersonating maintainers and citing fabricated CVE identifiers to trick developers into downloading malware. The posts redirect targets through Google Drive to a reconnaissance JavaScript payload that profiles the victim’s system before delivering a second stage. Socket researchers observed thousands of near-identical automated posts appearing within minutes across multiple repositories. Developers should treat any unsolicited GitHub Discussion security alert with extreme caution and verify advisories against official VS Code release channels. BleepingComputer
Three China-Linked Threat Clusters Conducted 2025 Cyber-Espionage Campaign Against Southeast Asian Government
Researchers attributed a multi-wave 2025 cyber-espionage campaign targeting an unnamed Southeast Asian government to three distinct China-aligned threat activity clusters: Mustang Panda, a group overlapping with Earth Estries and Crimson Palace, and a cluster overlapping with Unfading Sea Haze. The campaign deployed more than ten malware families including HIUPAN, PUBLOAD, MASOL RAT, PoshRAT, and FluffyGh0st to maintain persistent access across government networks. The operation is assessed as complex and well-resourced, spanning at least from March to September 2025. The Hacker News
Bearlyfy Pro-Ukrainian Group Hits 70-Plus Russian Firms with Custom GenieLocker Ransomware
Threat intelligence researchers attributed more than 70 ransomware attacks against Russian companies since January 2025 to Bearlyfy, a pro-Ukrainian dual-purpose group combining extortion and sabotage. Since March 2026, Bearlyfy has deployed a custom Windows ransomware family called GenieLocker, replacing its earlier use of LockBit 3 and Babuk encryptors. GenieLocker’s encryption scheme draws from Venus and Trinity ransomware families. Ransom demands have escalated to hundreds of thousands of dollars, and the group shows infrastructure overlaps with PhantomCore, another Ukraine-aligned threat actor. The Hacker News
European Commission Investigates Breach After Threat Actor Claims 350 GB Stolen from Amazon Cloud Account
The European Commission confirmed it is investigating a security breach after a threat actor gained access to the Commission’s Amazon Web Services account on March 24 and claimed to have exfiltrated more than 350 GB of data, including multiple databases, email server access, and employee records. AWS stated its own infrastructure was not compromised and that the breach was contained to the Commission’s account configuration. The attacker provided BleepingComputer with screenshots of internal documents as evidence of the claim. The investigation is ongoing, and the actual scope of data loss remains unconfirmed. BleepingComputer
Iran-Linked Handala Group Breaches FBI Director Kash Patel’s Personal Email Account
The Iran-linked Handala Hack Team claimed responsibility for accessing FBI Director Kash Patel’s personal email account and published photos and documents allegedly stolen from the account. Stolen content includes correspondence dating from approximately 2011 to 2022. The FBI confirmed awareness of the incident, stating the compromised material is historical and contains no government information, and that all necessary mitigation steps have been taken. Handala has claimed previous attacks against US organizations as retaliation for military strikes on Iran. The breach underscores the risk that personal email accounts of senior officials present to national security. CyberScoop
Kaplan North America Discloses Data Breach Exposing Social Insurance Numbers of 1.4 Million People
Education and test-preparation company Kaplan North America reported a data breach to multiple state regulators disclosing that 1.4 million individuals were affected after hackers accessed its systems between October 30 and November 18, 2025. Stolen data includes names, Social Security numbers, and driver’s licence numbers. Kaplan discovered the intrusion on February 21, 2026, and began individual notifications in mid-March. The delayed disclosure window has drawn attention from class-action law firms. The breach affected residents across multiple US states including Maine, South Carolina, Texas, and New Hampshire. BleepingComputer
Stay tuned for today’s in-depth analysis posts.