Virus Bulletin

Security information portal, testing and certification body.
Organisers of the annual Virus Bulletin conference.

A friendly reminder that the Call for Papers for VB2026 is closing soon!

We know you’ve got a brilliant idea (or three) rattling around in your brain. So why not share it with the world? Our stage is waiting. 🎤

Deadline: 9 April 2026

Click for more info ➡️ https://lnkd.in/dFBZAqVS

#VB2026 #CFP #cybersecurity #Seville

Dr Zulfikar Ramzan says the LiteLLM compromise shows why defenders must go beyond signatures and CVEs. Point Wild built and open-sourced the who-touched-my-packages tool to help teams triage for zero-day supply chain abuse. https://www.pointwild.com/threat-intelligence/dr-zulifkar-ramzan-on-litellm-compromise/

Malwarebytes reports Infiniti Stealer, a newly documented macOS infostealer. It uses ClickFix-style fake CAPTCHA pages to trick users into running commands, then drops a Python payload compiled with Nuitka, producing a native macOS binary. https://www.malwarebytes.com/blog/threat-intel/2026/03/infiniti-stealer-a-new-macos-infostealer-using-clickfix-and-python-nuitka

CyberProof threat researchers report PXA Stealer rising fast in early 2026, hitting financial institutions with phishing emails that lead to ZIP-based payload delivery. The lures are highly adaptable, from job applications to software installers & tax forms. https://www.cyberproof.com/blog/a-deep-dive-into-pxa-stealer/

Elastic Security Labs reports BRUSHWORM and BRUSHLOGGER targeting South Asian financial services. BRUSHWORM is a modular backdoor with scheduled task persistence, AES-CBC config, USB worm propagation and broad file theft, while BRUSHLOGGER is a DLL-side-loaded keylogger disguised as libcurl. https://www.elastic.co/security-labs/brushworm-targets-financial-services

Splunk Threat Research Team analyses BlankGrabber, a Python-based infostealer designed to steal browser credentials, session tokens and system metadata. The report breaks down its obfuscation, runtime behaviour, and the forensic artifacts. https://www.splunk.com/en_us/blog/security/blankgrabber-trojan-stealer-analysis-detection.html

Infoblox and Confiant report that threat actors are abusing Keitaro, an advertising performance tracker, and describe how cybercriminals repurpose ad performance tracking to route traffic into scams and malware. https://www.infoblox.com/blog/threat-intelligence/no-reach-no-risk-the-keitaro-abuse-in-modern-cybercrime-distribution/

eSentire TRU reports detecting EtherRAT, a Node.js-based backdoor, in a retail environment in March 2026. It collects host data and steals cryptocurrency wallets and cloud credentials while using Ethereum smart contracts to fetch and rotate C2 addresses via EtherHiding. https://www.esentire.com/blog/etherrat-sys-info-module-c2-on-ethereum-etherhiding-target-selection-cdn-like-beacons

Insikt Group identified five ClickFix clusters showing operational variance despite a shared technique. Five groups share the same user-driven execution trick, but diverge in lures, infrastructure and cross-platform payload selection for Windows and macOS. https://www.recordedfuture.com/research/clickfix-campaigns-targeting-windows-and-macos

Trend Micro reports Pawn Storm using PRISMEX to target defence & critical infrastructure supporting Ukraine & its allies. The tooling combines steganography, COM hijacking and cloud C2, and includes both espionage and potential sabotage features, including wiper commands. https://www.trendmicro.com/en_us/research/26/c/pawn-storm-targets-govt-infra.html