
Supply Chain Strikes and AI Evasion: March Malware Intelligence Roundup

March 18, 2026 · Malware & Threats · 3 min read · high

Originally reported by BleepingComputer, Cisco Talos, SentinelOne Labs, Malwarebytes Labs, SecureList (Kaspersky)

#supply-chain #glassworm #ai-evasion #webkit-vulnerability #horabot #crypto-theft #fake-shops #com-analysis

TL;DR

Supply chain attacks dominated this week with GlassWorm targeting hundreds of GitHub, npm, and VSCode repositories. Meanwhile, researchers unveiled new AI evasion techniques using font rendering, and Apple deployed emergency WebKit patches through their new background update system.

Why high?

The GlassWorm supply chain campaign targeting 400+ repositories across major platforms represents a significant threat to software supply chains, while Apple's emergency WebKit fix suggests active exploitation concerns.

Supply Chain Under Siege

GlassWorm Campaign Targets 400+ Repositories

The GlassWorm supply chain campaign has returned with renewed intensity, targeting hundreds of packages across GitHub, npm, and VSCode/OpenVSX extension marketplaces. BleepingComputer reports the coordinated attack represents a significant escalation in supply chain threat tactics, potentially affecting downstream dependencies across the software development ecosystem.

The campaign's scope across multiple package repositories suggests sophisticated threat actors with deep understanding of modern development workflows.

Apple's Emergency WebKit Response

Apple deployed its first Background Security Improvements update to address CVE-2026-20643, a WebKit vulnerability affecting iPhones, iPads, and Macs. The emergency patch delivery mechanism allows critical security fixes without requiring full OS upgrades, indicating Apple's assessment of active exploitation risk.

This new update channel represents a significant shift in Apple's patch delivery strategy for critical vulnerabilities.

AI Attack Vectors Evolve

Font Rendering Tricks Bypass AI Detection

Researchers demonstrated a novel attack technique using font rendering to hide malicious commands from AI assistants scanning webpage content. The method exploits visual presentation differences between how browsers render fonts and how AI models process the underlying HTML, creating blind spots in automated security scanning.

The technique highlights emerging challenges in securing AI-powered security tools against adversarial inputs.

Public Trust in AI Data Handling Erodes

Malwarebytes Labs reports 90% of survey respondents express distrust in AI systems handling their personal data, with many users actively reducing AI tool usage. The findings suggest significant adoption barriers for AI-powered security solutions requiring user data access.

Crypto Theft Operations Scale

DeFi Architecture Exploits Generate Billions

SentinelOne Labs analysis reveals crypto thieves have generated approximately $9 billion through systematic exploitation of DeFi protocols, with operations ranging from the $1.5 billion Bybit incident to sophisticated drainers-as-a-service platforms. The research exposes mature criminal ecosystems built around cryptocurrency theft and laundering.

Pudgy Penguins Phishing Campaign

Threat actors deployed fake Pudgy World websites to harvest cryptocurrency wallet credentials from NFT enthusiasts. Malwarebytes Labs identifies the campaign as targeting fans of the popular Pudgy Penguins NFT collection through convincing replica sites designed to capture seed phrases and private keys.

Massive Fake Shopping Network Exposed

Researchers uncovered a network exceeding 20,000 fraudulent e-commerce sites designed to harvest payment credentials and personal data. The scale suggests industrial-level fraud operations with significant infrastructure investment.

Advanced Analysis Tools Released

Cisco Talos Open-Sources COM Analysis Tool

Cisco Talos released DispatchLogger, an open-source tool providing transparent instrumentation of late-bound IDispatch COM object interactions through proxy interception. The tool addresses visibility gaps in malware analysis workflows involving COM-based attacks.

The release enhances the defensive community's capability to analyze COM-based malware techniques.

Horabot Campaign Analysis from Mexico

Kaspersky's SOC team detailed a complex Horabot campaign targeting Mexican organizations, providing hunt methodologies and technical indicators. The analysis reveals sophisticated persistence mechanisms and evasion techniques specific to the regional threat landscape.

Policy and Administrative Updates

EU Sanctions Target Cyber Threat Actors

The European Union Council announced sanctions against three entities and two individuals involved in cyberattacks against critical infrastructure. The diplomatic response signals increased international coordination in addressing state-sponsored cyber threats.

Microsoft Halts Forced Copilot Installations

Microsoft ceased automatic installation of the Microsoft 365 Copilot application following user feedback. The policy reversal addresses enterprise concerns about unauthorized software deployment in managed environments.

Sources

  • https://www.bleepingcomputer.com/news/security/apple-pushes-first-background-security-improvements-update-to-fix-webkit-flaw/
  • https://www.bleepingcomputer.com/news/security/glassworm-malware-hits-400-plus-code-repos-on-github-npm-vscode-openvsx/
  • https://www.bleepingcomputer.com/news/security/europe-sanctions-chinese-and-iranian-firms-for-cyberattacks/
  • https://www.bleepingcomputer.com/news/security/top-5-things-cisos-need-to-do-today-to-secure-ai-agents/
  • https://www.bleepingcomputer.com/news/security/new-font-rendering-trick-hides-malicious-commands-from-ai-tools/
  • https://www.bleepingcomputer.com/news/microsoft/microsoft-stops-force-installing-the-microsoft-365-copilot-app/
  • https://blog.talosintelligence.com/transparent-com-instrumentation-for-malware-analysis/
  • https://www.sentinelone.com/labs/labscon25-replay-your-apps-may-be-gone-but-the-hackers-made-9-billion-and-theyre-still-here/
  • https://www.malwarebytes.com/blog/scams/2026/03/inside-a-network-of-20000-fake-shops
  • https://www.malwarebytes.com/blog/scams/2026/03/fake-pudgy-world-site-steals-your-crypto-passwords
  • https://www.malwarebytes.com/blog/privacy/2026/03/90-of-people-dont-trust-ai-with-their-data
  • https://securelist.com/horabot-campaign/119033/
