Weekly Cybersecurity News: They’re Getting In But They’re Not Getting Away
The pattern across this week is not a series of isolated incidents but a test of pressure points at scale. Attackers proved they can enter, stay briefly, and leave without immediately collapsing systems.
From healthcare environments to government networks and messaging platforms, access itself has become the objective. Defenses are holding just enough to prevent collapse, but not enough to prevent intrusion. Defenders are responding faster and more decisively. The balance is not broken, but it is under constant strain.
What stands out is the sustained global action against child exploitation networks. Multiple arrests, guilty pleas, and coordinated investigations across countries show that enforcement in this area is not fragmented.
San Felipe-Del Rio CISD Outage Disrupts Internet And Phone Systems After Email Activity
A network disruption at San Felipe-Del Rio Consolidated Independent School District in Texas was triggered after administrators detected suspicious email activity across internal systems. The incident led to a temporary outage affecting in-network services, including internet connectivity and phone lines, prompting immediate containment measures. Despite the disruption, district officials confirmed that classroom instruction and transportation services continued as scheduled, limiting the operational impact on nearly 10,000 students. Authorities restored telephone services the same day, while broader network systems remained under evaluation.
Alleged Roblox Programmer Faces Over 40 Felony Charges In Child Exploitation Case
A Louisiana man identified as Jamie Borne is facing more than 40 felony charges related to child exploitation, following a multi-agency investigation in New Orleans. Authorities allege that the 30-year-old possessed illicit material involving minors under the age of 13, along with an additional charge tied to illegal physical contraband discovered at his residence. The case began during a routine probation compliance check in late February 2026, when officers uncovered suspicious materials, prompting a deeper forensic investigation. Law enforcement later seized multiple electronic devices, including laptops and hard drives, which reportedly contained extensive illegal content.
Trivy Supply Chain Attack Exploits CI/CD Pipelines And Exposes Secrets
The Trivy supply chain attack demonstrates how attackers can exploit CI/CD pipeline weaknesses to infiltrate widely trusted developer tools. By compromising GitHub Action tokens and force-pushing malicious code into trusted version tags, attackers distributed a backdoored release through legitimate workflows. The malicious version enabled exfiltration of sensitive data, including API keys, cloud credentials, and SSH tokens, from affected environments. The attack also extended the attack surface to container ecosystems through compromised Docker images.
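The tag-rewriting step described above works because a version tag such as `v1` can be moved to a different commit after the fact, while a full commit SHA cannot. One defensive control is to pin every third-party Action to a 40-character commit SHA and flag anything else. The following checker is an added example, not code from the page or from the Trivy project; the workflow text, the action names, versions and the SHA it scans are constructed samples.

```python
import re
from typing import List, Tuple

# Constructed sample workflow (not taken from any real repository): one action
# pinned to a full commit SHA, one on a mutable version tag, one on a branch,
# plus a local action and a docker image that are out of scope for SHA pinning.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # v4 (constructed SHA)
      - uses: aquasecurity/trivy-action@0.28.0
        with:
          scan-type: fs
      - uses: some-org/helper-action@main
      - uses: ./.github/actions/local-step
      - uses: docker://alpine:3.19
      - run: echo done
"""

# Matches a step's `uses:` value, stopping at whitespace, quotes or a comment.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^'\"\s#]+)")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def is_sha_pinned(ref: str) -> bool:
    """A full 40-hex commit SHA cannot be re-pointed the way a tag or branch can."""
    return bool(FULL_SHA_RE.match(ref))


def find_mutable_refs(workflow_text: str) -> List[Tuple[int, str, str]]:
    """Return (line_no, action, ref) for every remote action not pinned to a SHA.

    Local actions (./...) and docker:// images are skipped: the SHA rule is about
    repository references, which is what a force-pushed tag would affect.
    """
    findings = []
    for line_no, line in enumerate(workflow_text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        target = m.group(1)
        if target.startswith("./") or target.startswith("docker://"):
            continue
        action, _, ref = target.partition("@")
        if not ref or not is_sha_pinned(ref):
            findings.append((line_no, action, ref or "<none>"))
    return findings


if __name__ == "__main__":
    for line_no, action, ref in find_mutable_refs(SAMPLE_WORKFLOW):
        print(f"line {line_no}: {action}@{ref} is not pinned to a commit SHA")
```

Run against a real `.github/workflows/*.yml` file by reading it into `find_mutable_refs`; every reported line is a reference an attacker could redirect by moving a tag.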
DarkSword iPhone Exploit Kit Leak Lowers Barrier For Spyware Deployment
The reported leak of the DarkSword exploit kit on GitHub highlights how advanced mobile surveillance tools can become more accessible beyond highly skilled threat actors. The kit is said to use a chain of previously identified and patched iOS vulnerabilities, meaning risk depends heavily on whether devices remain unpatched. Researchers indicate the leaked code simplifies deployment, potentially enabling broader misuse if verified and weaponized. The malware is designed to extract sensitive data such as messages, call logs, and stored credentials.
Poland Reports Surge in Cyber Incidents as Energy Infrastructure Targeted in Suspected State-Linked Campaign
Poland recorded around 270,000 cyber incidents in 2025, marking a sharp increase in hostile activity and signaling rising pressure on national infrastructure. The most serious case involved a coordinated attack on a combined heat and power plant and multiple renewable energy sites in December, with malware designed to wipe systems rather than extract data. While the attack did not disrupt the electricity supply, it impacted grid control components responsible for monitoring and operations. Officials described the incident as a significant escalation compared to typical financially motivated cyber activity.
Fake Palo Alto Recruiters Target Executives in Sophisticated Job Scam Campaign
Threat actors are impersonating Palo Alto Networks recruiters to target senior professionals using highly personalized phishing tactics built from scraped LinkedIn data. The campaign fabricates a hiring issue by claiming resumes fail Applicant Tracking System requirements, creating urgency to manipulate victims. Attackers then introduce fake third-party services and demand payments ranging from $400 to $800 for fraudulent resume fixes. Researchers note that social media has become a primary entry point for such scams, reflecting a broader shift toward targeted recruitment fraud. The use of legitimate branding, realistic email domains, and multi-step engagement shows a rise in complex social engineering.
Botnet Operator Sentenced Over Ransomware Access Sales
A Russian national has been sentenced to two years in prison for managing a botnet operation that enabled ransomware attacks across more than 70 U.S. companies. The individual operated a large-scale malware distribution system, sending hundreds of thousands of phishing emails daily to compromise thousands of devices. These infected systems were then sold as access points to other cybercriminal groups, who used them to infiltrate corporate networks and deploy ransomware. Authorities imposed financial penalties, including a monetary judgment tied to the proceeds of the operation.
Ulster County Woman Arrested in Child Exploitation Probe
A 32-year-old woman from Kingston, New York, was arrested following a coordinated federal and state investigation into the online exchange of illicit material involving minors. Authorities allege the suspect used a chat application to receive and distribute child sexual abuse material, with digital evidence forming the basis of the case. The arrest was carried out by New York State Police, and the individual appeared in federal court shortly after. Prosecutors say the case is connected to a broader network, including another accused individual previously charged in a related investigation.
Russian Authorities Arrest Suspected LeakBase Administrator
Russian law enforcement has detained a suspected administrator of LeakBase, a major cybercrime forum used for trading stolen data since 2021. The suspect, reportedly based in Taganrog, is believed to have managed the platform, which enabled the sale of compromised credentials, financial data, and corporate information. Authorities seized technical equipment during a search, while officials stated the forum hosted hundreds of millions of records and supported over 140,000 users engaged in illicit transactions. The arrest follows a broader international crackdown that dismantled the platform earlier this month through coordinated actions involving multiple countries and agencies. Investigators now have access to seized databases, including user accounts, private messages, and IP logs, which could help map wider cybercriminal networks and identify additional actors.
LiteLLM Supply Chain Attack Exposes Risks in Certified Open-Source Ecosystems
A supply chain attack targeting the LiteLLM open-source framework has been linked to a compromise in the Trivy security scanner used within CI/CD pipelines. Attackers reportedly obtained privileged tokens, allowing them to inject credential-harvesting malware into distributed packages. Once executed, the malicious code extracted sensitive data such as API keys, cloud credentials, and access tokens from affected environments. The malware leveraged these credentials to expand access across developer systems and repositories, increasing the overall impact of the breach. The incident has drawn scrutiny toward compliance claims, as LiteLLM displayed SOC 2 and ISO 27001 certifications facilitated by Delve.
GitHub Phishing Campaign Uses Fake VS Code Alerts to Distribute Malware
A large-scale phishing campaign is targeting developers through GitHub Discussions by posting fake Visual Studio Code security alerts that appear as legitimate vulnerability warnings. Attackers generate thousands of posts that trigger GitHub email notifications, increasing the likelihood that developers trust and engage with the messages. These alerts reference fabricated CVEs and urge users to download urgent “patches” from external file-sharing platforms instead of official sources. Once clicked, the links initiate a redirection chain that ultimately connects to attacker-controlled infrastructure designed to profile victims and prepare further exploitation. By abusing GitHub’s collaboration features, threat actors are turning a trusted developer platform into a delivery mechanism.
U.S. Charges Armenian Suspect in RedLine Infostealer Operation
An Armenian national has been extradited to the United States to face charges tied to the RedLine infostealer malware operation. Prosecutors allege he played a key role in maintaining the malware’s infrastructure, including command-and-control servers and admin panels. RedLine has been widely used in credential theft campaigns targeting organizations globally. The case highlights how malware-as-a-service models enable affiliates to scale attacks while operators manage backend systems. Authorities also linked the operation to cryptocurrency-based monetization and laundering mechanisms. The extradition follows broader international efforts to disrupt RedLine and similar infostealer ecosystems.
UK Cracks Down on Cambodian Scam Network Tied to Forced Labor and Crypto Laundering
The United Kingdom has taken decisive action against a major cyber-enabled fraud and human trafficking network by sanctioning key operators and infrastructure. Authorities targeted Legend Innovation, which runs the notorious #8 Park compound, along with crypto platform Xinbi for enabling large-scale scam operations. The compound was identified as a hub capable of holding thousands of trafficked individuals forced into executing online fraud schemes. Investigations also revealed Xinbi’s role in processing billions in illicit transactions tied to stolen data and money laundering. As part of the crackdown, high-value assets linked to the network, including a luxury London penthouse, were frozen.
Bearlyfy Group Intensifies Cyberattacks on Russian Firms
A pro-Ukrainian ransomware group known as Bearlyfy has significantly escalated its cyber campaign against Russian companies, carrying out dozens of targeted attacks over the past year. The group has shifted from smaller operations to more coordinated intrusions aimed at large enterprises, increasing both disruption and financial pressure. Researchers report that Bearlyfy has moved beyond using leaked ransomware builders to deploying its own custom malware, GenieLocker. This new strain incorporates advanced techniques such as anti-analysis features and improved encryption mechanisms. The attacks appear to serve a dual purpose, combining financial extortion with geopolitical signaling amid ongoing tensions.
Spanish Police Dismantle Major Cybercrime Ring Behind Data Theft and Fraud
Spanish police have successfully dismantled a sophisticated cybercrime network responsible for stealing nearly 10 million confidential records. The operation led to the arrest of two suspects linked to a wider criminal group involved in multiple cyberattacks across the country. Investigators revealed the network targeted sensitive data belonging to students, parents, and educators, and later exploited it for fraud and identity theft. Authorities uncovered that the group had carried out dozens of similar operations, showcasing a well-organized and scalable cybercrime model. The criminals used advanced infrastructure to breach systems, hide their tracks, and launder proceeds through cryptocurrency channels.
ShinyHunters Expose 340,000 Accounts in BreachForums Data Leak
A data exposure has revealed nearly 340,000 user accounts allegedly linked to BreachForums Version 5, with threat group ShinyHunters claiming responsibility. The leaked dataset includes email addresses, usernames, and argon2-hashed passwords, posing ongoing risks if credentials are reused. The data was verified and added to breach tracking services, confirming the scale and authenticity of the incident. The group stated the leak followed internal disputes and inefficiencies after a prior law enforcement disruption of the forum. ShinyHunters claimed access to exploits affecting forum software and threatened additional data releases.
WorldLeaks Group Breaches Los Angeles Systems And Disrupts Metro Operations
The WorldLeaks ransomware group claimed responsibility for breaching systems linked to the City of Los Angeles, including its Metro transit network, causing operational disruptions such as disabled arrival displays and limited access to internal systems. While core transit services continued, users faced issues with digital services like reloading transit cards. In parallel, a separate ransomware incident in Foster City led to a state of emergency, with several municipal services disrupted, though emergency systems remained operational. Authorities in both cases acted quickly by restricting access and taking systems offline to contain the threat and begin investigations. Officials stated that it is still unclear whether sensitive data was accessed or exfiltrated, though precautionary measures such as password changes were advised.
Dutch Ministry Of Finance Confirms Breach Affecting Internal System
The Dutch Ministry of Finance disclosed a cyberattack that led to unauthorized access to systems supporting key internal processes, with the incident detected on March 19 following a third-party alert. The breach affected a portion of employees, prompting authorities to immediately block access to compromised systems and launch an investigation. Officials emphasized that critical public-facing services, including tax collection and customs operations, were not impacted, ensuring continuity for millions of citizens. While the scope of the breach remains under investigation, authorities have not confirmed whether sensitive data was accessed or exfiltrated.
FCC Bans Foreign-Made Routers Over National Security Risks
The U.S. Federal Communications Commission has banned the import of foreign-made consumer routers unless manufacturers receive special exemptions, citing national security and cybersecurity concerns. The move is based on findings that reliance on foreign-manufactured devices introduces supply chain vulnerabilities that could impact critical infrastructure and economic stability. Authorities highlighted that compromised routers have been used in cyberattacks for surveillance, data exfiltration, and as entry points into larger networks. The rule applies only to future imports, meaning existing devices can still be used by consumers.
French Student Platform Breach Exposes Data of 774,000 Users
A major data breach at France’s National Center for University and School Services (Cnous) has exposed the personal information of 774,000 students after attackers infiltrated its appointment platform. The DumpSec group claimed responsibility, leaking names, emails, appointment details, and in some cases sensitive documents uploaded by users. The breach spans data collected over a decade, with 139,000 individuals potentially facing higher risk due to document exposure. Authorities have taken the platform offline, launched an investigation, and notified regulators including CNIL and ANSSI. The incident highlights ongoing risks to education sector platforms handling large volumes of personal data.
Texas Man Pleads Guilty In Online Child Exploitation Network
A Texas man pleaded guilty to leading an online child exploitation enterprise tied to an extremist group that targeted minors and coerced them into producing abuse material and self-harm content. The group operated through online platforms, where members groomed victims using manipulation, threats, and exposure to violent extremist ideologies. Investigators found that the network functioned as an organized operation, with members managing access, directing victims, and distributing illicit material. The individual now faces a potential life sentence, underscoring the severity of crimes involving online exploitation and abuse.
European Commission Confirms Cyberattack After Hackers Claim Breach
The European Commission confirmed a cyberattack affecting part of its cloud-based infrastructure after threat actors claimed responsibility for a data breach. Officials stated that the incident impacted a limited number of systems and was quickly contained, with no disruption to core operations. The attack involved a compromised cloud environment, highlighting risks associated with third-party infrastructure. Investigations are ongoing, with cybersecurity teams conducting forensic analysis to determine the scope and impact of the breach. The incident underscores increasing threats to government cloud environments and the need for stronger visibility.
Attackers Gain Access Faster While Global Crackdowns And Child Protection Efforts Strengthen
On one side, threat actors are refining access-based attacks, targeting supply chains, cloud systems, and identity layers. On the other, state-linked and politically aligned activity is becoming more brazen.
Phishing campaigns tied to intelligence services, attacks on government systems, and policy responses like hardware bans show that geopolitical tension is now operating inside networks, not just around them. The line between cybercrime and state activity is not clean.
Arrests linked to botnets, takedowns of dark web marketplaces, and cross-border investigations show that enforcement is scaling alongside the threat. This is not a losing fight, but it is not a purely reactive one either.
The future points to more precise attacks, aimed at identity, trust, and access. And the systems once considered the safest are now the ones being tested first.