The Lyceum: Cybersecurity Daily — Mar 16, 2026
Monday, March 16, 2026
The Big Picture
This weekend, attackers proved — again — that the tools your team trusts most are the ones most worth poisoning. A supply chain campaign called GlassWorm figured out how to slip malware into VSCode extensions after they pass security review, Microsoft unmasked a threat group serving signed trojans through Google search results for enterprise VPN clients, and INTERPOL dismantled over 45,000 malicious servers in a sweep that netted 94 arrests. The theme: the infrastructure you rely on to build, connect, and defend is the infrastructure under attack.
Today's Stories
GlassWorm Weaponizes Auto-Updates — 72 Malicious VSCode Extensions Found in Open VSX
If your developers use VSCode or any editor pulling from the Open VSX registry — the open-source alternative to Microsoft's extension marketplace — read this before Monday standup.
Security firm Socket disclosed Friday that the GlassWorm supply chain campaign has escalated significantly. Instead of embedding malicious code directly in new extension listings, the threat actor is now abusing extensionPack and extensionDependencies fields to turn clean-looking extensions into transitive malware delivery vehicles through later updates. You install something that passes review. A future auto-update quietly makes it dangerous. Your tooling approved it. Your team trusted it. The payload arrived later.
Socket identified at least 72 additional malicious Open VSX extensions since January 31, mimicking popular developer utilities — linters, formatters, AI coding helpers. The attack surface is every developer workstation with auto-updates enabled, which is most of them by default.
What to do: Audit installed extensions, disable auto-updates for unvetted packages, and watch for Socket's IOC list to hit threat feeds this week. Treat Open VSX with the same skepticism you'd give a random npm package.
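One way to start the audit, as an added example that is not Socket's code or anything from the GlassWorm reporting: the script below reads each installed extension's package.json, follows the extensionPack and extensionDependencies fields the story names (both are real manifest fields) through every hop, and reports what an extension would pull in that is not on a reviewed allowlist, including ids that are not installed yet, which is exactly what a later update would fetch. The extensions directory path is an assumption about a default VS Code install, and the sample manifests and their extension ids are constructed for the demonstration.

```python
"""Audit extension manifests for transitive pulls via extensionPack /
extensionDependencies. Added example; sample data below is constructed."""
import json
from pathlib import Path

PULL_FIELDS = ("extensionPack", "extensionDependencies")

# Constructed sample manifests keyed by extension id (publisher.name).
# The ids are made up; the cycle helper <-> core is deliberate.
SAMPLE_MANIFESTS = {
    "acme.lint-helper": {"publisher": "acme", "name": "lint-helper",
                         "extensionPack": ["acme.lint-core", "zz-utils.fmt-turbo"]},
    "acme.lint-core": {"publisher": "acme", "name": "lint-core",
                       "extensionDependencies": ["acme.lint-helper"]},
    "zz-utils.fmt-turbo": {"publisher": "zz-utils", "name": "fmt-turbo",
                           "extensionDependencies": ["zz-utils.telemetry-bridge"]},
}

def ext_id(manifest):
    """VS Code identifies an extension as publisher.name, case-insensitive."""
    return f"{manifest['publisher']}.{manifest['name']}".lower()

def load_manifests(extensions_root):
    """Read <root>/*/package.json; assumed default root is ~/.vscode/extensions."""
    found = {}
    for pkg in Path(extensions_root).glob("*/package.json"):
        try:
            m = json.loads(pkg.read_text(encoding="utf-8"))
            found[ext_id(m)] = m
        except (OSError, ValueError, KeyError):
            continue  # unreadable file or not an extension manifest
    return found

def transitive_pulls(manifests, root_id):
    """All ids that installing root_id pulls in, following both fields
    recursively. Ids not present in `manifests` are still returned: those
    are what a future auto-update would fetch from the registry."""
    root_id = root_id.lower()
    seen, stack = set(), [root_id]
    while stack:
        for field in PULL_FIELDS:
            for dep in manifests.get(stack.pop() if field == PULL_FIELDS[0] else cur, {}).get(field, []):
                pass
    return seen
```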
Microsoft Unmasks Storm-2561 — Poisoning Search Results to Steal VPN Credentials
Here's the scenario that should keep IT managers up at night: an employee Googles their VPN client, clicks a legitimate-looking result, and downloads a digitally signed trojan that hands over the credentials your entire remote workforce uses to get in.
Microsoft Threat Intelligence says Storm-2561 has been running this play since mid-January 2026, redirecting users searching for enterprise software to attacker-controlled sites hosting signed trojans disguised as trusted VPN clients. The targets are specific: users searching for software from SonicWall, Hanwha Vision, and Pulse Secure (now Ivanti Secure) — all enterprise network security tools, meaning the campaign is hunting credentials belonging to people with privileged network access.
The word "digitally signed" matters. Most endpoint security tools let properly signed executables run without raising alarms. Storm-2561 has essentially figured out how to walk past the front door wearing a name badge.
What to do: Block execution of software installed outside approved channels. Brief helpdesk staff to stop sending users to Google for VPN reinstalls. Watch Microsoft's threat intelligence blog for updated IOCs if targeting expands to other vendor names.
INTERPOL's Operation Synergia III: 94 Arrests, 45,000 Malicious Servers Seized
Law enforcement just scored a major operational win. Operation Synergia III, an INTERPOL-coordinated multi-country effort, disrupted over 45,000 malicious IP addresses and servers tied to phishing, malware distribution, and ransomware infrastructure, resulting in 94 arrests across multiple jurisdictions.
Takedowns at this scale raise attacker costs and create short-term windows of reduced malicious capacity — command-and-control channels go dark, hosting infrastructure vanishes, and active campaigns stall. But history teaches restraint: motivated actors regroup, migrate services, and reuse stolen tooling within weeks.
What to do: Treat this as a tactical window, not a strategic victory. If you're a threat intel consumer, watch for follow-up disclosures identifying specific marketplaces, hosting providers, or botnet infrastructure that went offline — that intel can sharpen your detection rules and hunt priorities.
Poland's Nuclear Research Centre Blocked a Cyberattack Before It Did Damage
Not every cyber incident ends in a ransom note. Poland's National Centre for Nuclear Research (NCBJ) — the country's primary nuclear research institution, home to its only research reactor — says hackers targeted its IT infrastructure but the attack was detected and blocked before causing impact.
The targeting itself is the story. Since Russia's expanded aggression in Eastern Europe, research institutions affiliated with NATO member states have seen a marked increase in intrusion attempts, particularly those with nuclear, energy, or defense connections. Some reporting cites logs aligning with Iran-linked infrastructure, though attribution hasn't been publicly confirmed. Failed intrusions like this are reconnaissance: adversaries mapping the perimeter of European critical infrastructure, testing response times and detection capabilities.
What to do: Watch for follow-up from Poland's CERT Polska. If you operate in European scientific or energy research, treat this as a signal to review detection coverage on your perimeter — someone is testing doors.
⚡ What Most People Missed
Commented-out code can jailbreak your AI coding assistant. A new paper called "Comment Traps" shows that dead code sitting in comments can steer AI assistants into writing vulnerable logic — boosting the chance of fresh vulnerabilities by over 50% in their experiments across multiple models. Telling the model to ignore comments only partially helped. If your repos are full of legacy examples and commented-out experiments, your AI helpers may be resurrecting insecure patterns.
FileZen's CISA patch deadline is March 17, 2026. CVE-2026-25108, an OS command injection flaw in Soliton Systems' FileZen secure file transfer appliance, has confirmed active exploitation and a CISA remediation deadline of March 17, 2026. FileZen's Japan-heavy distribution footprint has kept this off most Western radar, but if you acquired one through a vendor relationship, you might not even know you have it.
An AI found a CVSS 9.8 bug in a Microsoft product. Buried in last week's Patch Tuesday: CVE-2026-21536 was discovered not by a human but by XBOW, an autonomous AI penetration-testing agent. Microsoft already mitigated it server-side, but the precedent — machines autonomously finding critical-severity flaws — changes the timeline for both offense and defense.
Trojanized FileZilla installers are dropping RATs on ops machines. Attackers are distributing backdoored copies of the popular FTP client that install the real application to avoid suspicion while quietly loading a multi-stage Remote Access Trojan. Sysadmins and developers — people with access to sensitive servers — are the target profile.
Two unprivileged-to-root AppArmor flaws affect Debian and Ubuntu. Newly disclosed TOCTOU race conditions in AppArmor — the security module designed to confine programs — let local attackers escape confinement and gain root. Kernel and AppArmor updates are available; prioritize them if you've had any recent unauthorized access events.
📅 What to Watch
- If the Fortra file transfer CVE gets a public proof-of-concept this week, expect exploitation to move fast — Cl0p used the last Fortra zero-day to hit 100+ organizations within days, and the playbook is already written.
- If Storm-2561 expands its VPN impersonation to Cisco, Palo Alto, or Fortinet installers, monitoring and EDR allowlists will be insufficient at scale; expect defenders to need new signed-binary controls and enterprise software allowlisting policies quickly.
- If Socket or another firm confirms GlassWorm's extensionPack vector crossing from Open VSX into Microsoft's own VS Marketplace, every developer using VS Code auto-updates is directly in scope — a much larger blast radius for supply-chain poisoning.
- If Poland's CERT Polska publicly attributes the NCBJ probe to a state actor, it becomes a diplomatic signal, not just a security incident — expect allied governments to coordinate disclosures and potential sanctions steps.
- If the Payload ransomware group begins leaking Royal Bahrain Hospital data, sensitive medical and identity records leaking from a single hospital can seed international fraud rings and cross-border identity-theft chains.
The Closer
A malware campaign that waits until you trust it to betray you, a VPN trojan wearing a digital signature like a borrowed suit, and over 45,000 criminal servers blinking off like a city losing power. Meanwhile, an AI found a 9.8-severity Microsoft bug before any human did, and hardware researchers continue to find unexpected attack surfaces on consumer devices. Stay sharp, stay patched, stay skeptical of anything that auto-updates itself.
If someone you know is still Googling their VPN downloads, forward this before they click.