27 Mar 2026

Week in review

Greetings,

Crunchyroll has launched an investigation into a potential data breach after a hacker claimed to have accessed personal information linked to approximately 6.8 million users. The popular anime streaming platform confirmed it is working with external cyber security experts to assess the scope of the incident and determine what data, if any, was compromised. According to Crunchyroll, the investigation is ongoing and there is currently no evidence of active or continued unauthorised access to its systems.

The claims emerged after a threat actor contacted cyber security publication BleepingComputer, alleging they gained access to Crunchyroll systems on March 12 by compromising the Okta single sign-on account of a customer support agent. The agent is believed to be employed by Telus International, a third-party business process outsourcing provider that handles Crunchyroll support tickets. The attacker claims malware was used to steal the agent’s login credentials, which then provided access to multiple internal platforms, including Zendesk, Slack and Google Workspace.

Using this access, the hacker says they downloaded approximately eight million customer support ticket records from Crunchyroll’s Zendesk system, containing roughly 6.8 million unique email addresses. Sample data reportedly included user names, email addresses, IP addresses, general location data and the contents of support requests. While some reports suggested payment data may have been exposed, it was confirmed that credit card details only appeared in cases where users voluntarily included them in support tickets, and usually in a limited form.

Crunchyroll says it believes the issue is limited to customer service data associated with the third-party vendor and continues to monitor the situation closely as its investigation progresses.


CVE-2026-3055: Critical Unauthenticated Memory-Read Vulnerability in Citrix NetScaler ADC and Gateway
Date: 2026-03-23
Author: Arctic Wolf

[See AUSCERT bulletin: https://portal.auscert.org.au/bulletins/ESB-2026.2769/]
On March 23, 2026, Citrix released fixes for a critical vulnerability affecting NetScaler ADC and NetScaler Gateway (CVE-2026-3055) that allows unauthenticated threat actors to perform out-of-bounds memory reads. Exploitation of this vulnerability requires that the affected appliance be configured as a SAML Identity Provider (IDP).

TP-Link warns users to patch critical router auth bypass flaw
Date: 2026-03-25
Author: Bleeping Computer

TP-Link has patched several vulnerabilities in its Archer NX router series, including a critical-severity flaw that may allow attackers to bypass authentication and upload new firmware.
Tracked as CVE-2025-15517, this security flaw affects Archer NX200, NX210, NX500, and NX600 wireless routers and stems from a missing authentication weakness that attackers can exploit without privileges.

Popular LiteLLM PyPI package backdoored to steal credentials, auth tokens
Date: 2026-03-24
Author: Bleeping Computer

The TeamPCP hacking group continues its supply-chain rampage, now compromising the massively popular "LiteLLM" Python package on PyPI and claiming to have stolen data from hundreds of thousands of devices during the attack.
LiteLLM is an open-source Python library that serves as a gateway to multiple large language model (LLM) providers via a single API. The package is very popular, with over 3.4 million downloads a day and over 95 million in the past month.

Trivy Security Scanner GitHub Actions Breached, 75 Tags Hijacked to Steal CI/CD Secrets
Date: 2026-03-20
Author: The Hacker News

Trivy, a popular open-source vulnerability scanner maintained by Aqua Security, was compromised a second time within the span of a month to deliver malware that stole sensitive CI/CD secrets.
The latest incident impacted the GitHub Actions "aquasecurity/trivy-action" and "aquasecurity/setup-trivy," which are used to scan Docker container images for vulnerabilities and to set up a GitHub Actions workflow with a specific version of the scanner, respectively.
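Referencing actions by commit SHA rather than by tag removes the exposure that re-pointed tags create. The script below is an added example, not code from AUSCERT, Aqua Security or the Trivy project: it scans a constructed workflow for `uses:` lines that reference any action by a mutable tag or branch; the version strings and the checkout SHA in the sample are placeholders.

```python
"""Flag GitHub Actions steps that reference an action by a mutable ref
(tag or branch) instead of an immutable 40-hex commit SHA.
Added example; not code from AUSCERT, Aqua Security or the Trivy project.
"""
import re

# Matches `uses: owner/repo[/path]@ref`; local (./) and docker:// actions are skipped.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([\w.-]+/[\w.-]+(?:/[\w./-]+)?)@([^\s'\"#]+)")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")

def find_mutable_action_refs(workflow_text):
    """Return (line_no, action, ref) for every step not pinned to a commit SHA."""
    findings = []
    for line_no, line in enumerate(workflow_text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        action, ref = m.groups()
        if not SHA_RE.match(ref):
            findings.append((line_no, action, ref))
    return findings

# Constructed sample workflow: one SHA-pinned step (placeholder SHA) and
# two Trivy steps pinned to a tag and a branch (placeholder versions).
SAMPLE_WORKFLOW = """\
name: scan
on: [push]
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567
      - name: Install Trivy
        uses: aquasecurity/setup-trivy@v0.2.0
      - name: Scan image
        uses: aquasecurity/trivy-action@master
        with:
          image-ref: example/app:latest
"""

if __name__ == "__main__":
    for line_no, action, ref in find_mutable_action_refs(SAMPLE_WORKFLOW):
        print(f"line {line_no}: {action}@{ref} is a mutable ref; pin it to a commit SHA")
```

A SHA pin only freezes which commit runs; the pinned commit still has to be reviewed, and tools such as Dependabot can keep SHA pins current.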

Device Code Phishing Hits 340+ Microsoft 365 Orgs Across Five Countries via OAuth Abuse
Date: 2026-03-25
Author: The Hacker News

Cybersecurity researchers are calling attention to an active device code phishing campaign that's targeting Microsoft 365 identities across more than 340 organizations in the U.S., Canada, Australia, New Zealand, and Germany.
The activity, per Huntress, was first spotted on February 19, 2026, with subsequent cases appearing at an accelerated pace since then. Notably, the campaign leverages Cloudflare Workers redirects with captured sessions redirected to infrastructure hosted on a platform-as-a-service (PaaS) offering called Railway, effectively turning it into a credential harvesting engine.


ESB-2026.2983 – firefox-esr

Multiple security issues have been found in the Mozilla Firefox web browser, which could potentially result in the execution of arbitrary code, sandbox escape, information disclosure, denial of service or privilege escalation.

ESB-2026.2955 – Cisco Products

Cisco IOS, IOS XE, Secure Firewall Adaptive Security Appliance, and Secure Firewall Threat Defense Software IKEv2 Denial of Service Vulnerability

ESB-2026.2769 – NetScaler ADC and NetScaler Gateway

Critical vulnerabilities have been discovered in NetScaler ADC (formerly Citrix ADC) and NetScaler Gateway (formerly Citrix Gateway).

ESB-2026.2906 – NGINX Products

This vulnerability allows a local, authenticated attacker to cause a denial-of-service (DoS) of the NGINX system or possibly trigger code execution.


Stay safe, stay patched and have a good weekend!

The AUSCERT team