ZeroFox Daily Intelligence Brief - March 18, 2026

by Alpha Team


ZeroFox Intelligence collects, curates, and analyzes information derived from open and proprietary sources. Here is today’s daily roundup to give you and your clients an advantage over the adversary.

Brief Highlights

  • Iran: Key Iranian Figures Confirmed Dead; Oil Prices Wobble; U.S.-Baghdad Embassy Bombed
  • New GlassWorm Campaign Found in 433 Compromised Code Repos
  • Phishing Attack Impersonates Major Brands to Target C-Level Executives

Iran: Key Iranian Figures Confirmed Dead; Oil Prices Wobble; U.S.-Baghdad Embassy Bombed

  • Iran confirmed the deaths of Secretary of the Supreme National Security Council Ali Larijani and head of the paramilitary Basij force Gholamreza Soleimani, reportedly killed in an Israeli airstrike. Iranian army chief Amir Hatami vowed a “decisive and regrettable” retaliation, with the Islamic Revolutionary Guard Corps launching missiles toward Israel in response.
  • Oil prices eased after Iraq and Kurdish authorities agreed to resume exports via Turkey’s Ceyhan port, relieving supply concerns. However, ongoing tensions involving Iran continue to disrupt Middle East exports, keeping Brent crude oil above USD 100 per barrel at the time of writing.
  • On March 17, 2026, rockets and five drones of unconfirmed military origin were launched at the U.S. embassy in Baghdad. A separate strike in Baghdad hit a house reportedly hosting several Iranian advisers, killing four people.
  • U.S. Central Command said U.S. forces struck Iranian missile sites along the coast near the Strait of Hormuz. The operation reportedly targeted hardened positions linked to anti-ship missile systems.

New GlassWorm Campaign Found in 433 Compromised Code Repos

Source: https://www.bleepingcomputer.com/news/security/glassworm-malware-hits-400-plus-code-repos-on-github-npm-vscode-openvsx/

What we know: The GlassWorm supply-chain malware has been found in 433 compromised components in the month of March 2026. This new campaign targets hundreds of packages, repositories, and extensions on software development platforms. The malware is designed to steal cryptocurrency wallets and credentials and to compromise developer environments.

Context: The campaign begins with compromised GitHub accounts, which then publish obfuscated malicious packages on npm and OpenVSX. Instructions are hidden in Solana transactions to deliver a Node.js infostealer. A single Russian-speaking threat actor is suspected of being behind the campaign.

Analyst Note: Indicators of compromise (IoCs) include the presence of persistence files (~/init[.]json), unexpected Node[.]js installations, suspicious i[.]js files in new projects, and anomalous Git commit histories. A successful intrusion is likely to result in complete compromise of the developer environment and downstream impacts.
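A host sweep for the file-based indicators listed in the note, added here as a defensive example that is not part of the original brief. The directory layout is constructed, the `init.json`/`i.js` name matches are assumptions drawn from the note, and the Git-history indicator is not covered.

```python
import os
import tempfile
from pathlib import Path

# Host-side indicators taken from the analyst note above; the checks are
# file-name matches only, so treat a hit as a lead to investigate, not proof.
HOME_PERSISTENCE_FILE = "init.json"   # ~/init[.]json persistence file
PROJECT_STAGER_FILE = "i.js"          # suspicious i[.]js dropped into projects
SKIP_DIRS = {".git"}                  # walk node_modules too: npm packages are a vector


def scan_home(home: Path) -> list[dict]:
    """Flag the persistence file if it sits directly in the home directory."""
    hit = home / HOME_PERSISTENCE_FILE
    return [{"indicator": "persistence_file", "path": str(hit)}] if hit.is_file() else []


def scan_projects(root: Path) -> list[dict]:
    """Walk project trees under root and flag every i.js, recording where it sits."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in SKIP_DIRS]
        if PROJECT_STAGER_FILE in filenames:
            path = Path(dirpath) / PROJECT_STAGER_FILE
            findings.append({"indicator": "stager_file", "path": str(path),
                             "in_node_modules": "node_modules" in path.parts})
    return findings


def scan_workstation(home: Path, project_root: Path) -> list[dict]:
    """Combine both checks; an empty list means no file-name indicators were found."""
    return scan_home(home) + scan_projects(project_root)


def demo() -> list[dict]:
    """Lay out a constructed home directory with one clean and one 'infected' project."""
    with tempfile.TemporaryDirectory() as tmp:
        home = Path(tmp) / "home"
        projects = home / "src"
        (projects / "clean-app").mkdir(parents=True)
        (projects / "clean-app" / "index.js").write_text("console.log('ok');\n")
        (projects / "new-app" / "node_modules" / "dep").mkdir(parents=True)
        (projects / "new-app" / "i.js").write_text("// constructed placeholder, not malware\n")
        (projects / "new-app" / "node_modules" / "dep" / "i.js").write_text("// placeholder\n")
        (home / "init.json").write_text("{}\n")
        return scan_workstation(home, projects)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Point `scan_workstation` at a real home directory and source tree to run the sweep; the `in_node_modules` flag separates a stager pulled in by a dependency from one committed into the project itself.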

Phishing Attack Impersonates Major Brands to Target C-Level Executives

Source: https://www.darkreading.com/threat-intelligence/hackers-target-cybersecurity-firm-outpost24-phish

What we know: A cybersecurity company has reportedly intercepted a sophisticated phishing attack that impersonated major technology and financial companies. The phishing attempt was aimed at the security company’s C-level executives to lead them to a page requesting their credentials.

Context: The attack was engineered to bypass multiple layers of enterprise email security without triggering alerts, using anti-bot and human verification services to evade automated detection. The attacker behind this attempt was suspected to have used a phishing-as-a-service toolkit called Kratos.

Analyst Note: Given this attack’s elaborate infrastructure, it likely poses a strong threat to users who are less technically aware, particularly those whose device security relies on anti-virus software alone. A phishing campaign of this sophistication could likely succeed and remain undetected if it targeted general consumers, small businesses, or organizations without advanced security training.

DEEP AND DARK WEB INTELLIGENCE

DarkForums user Anonymous2090: A threat actor named "Anonymous2090" has advertised a dataset associated with MiddleEast Auto Service, a Saudi Arabia-based company, on the dark web platform DarkForums. The threat actor claims to have exfiltrated about 40 GB of data, allegedly containing personally identifiable information (PII), financial details such as bank account numbers, and vehicle license numbers. The targeted website currently displays an “under development” message, indicating the stolen database is inaccessible to the victim. This was likely a ransomware attack that failed to extort the victim firm, forcing the threat actor to advertise the data on a dark web forum. Threat actors are likely to use the data for insurance and financial fraud.

VULNERABILITY AND EXPLOIT INTELLIGENCE

CVE-2026-20643: Apple has released a security patch for a WebKit flaw that enabled malicious web content to bypass the browser's Same Origin Policy. This is the first time Apple has released a patch through its Background Security Improvements feature, which was reserved for small out-of-band patches. Threat actors are likely to exploit the flaw to access web browser session tokens and to push malicious advertisements and phishing links through trusted websites.

Affected products: Versions before iOS 26.3.1, iPadOS 26.3.1, macOS 26.3.1, macOS 26.3.2

Tags: DIB, tlp:green