The Lyceum: Cybersecurity Daily — Mar 26, 2026

Your Chrome browser has a federal patch deadline tomorrow, a widely used AI library was silently backdoored for at least a day before anyone noticed, and Citrix's VPN appliance is leaking memory from the authentication layer again. None of these are theoretical — all three are confirmed, actionable, and affect millions of endpoints. If you do one thing today, restart Chrome. If you do two, check whether your Python environments ever touched LiteLLM 1.82.7 or 1.82.8.

No critical CVEs, zero-days, or significant data breaches were publicly disclosed in the past 48 hours beyond the stories covered below. The March 2026 Patch Tuesday cycle (March 10) remains the most recent major patch event. Metasploit modules added earlier this month are noted for awareness:

• CVE-2026-3909 — Google Chrome (Skia): patched in 146.0.7680.75/76, actively exploited in the wild, CISA KEV deadline March 27. Out-of-bounds write enabling code execution via malicious webpage.
• CVE-2026-3910 — Google Chrome (V8): patched in 146.0.7680.75/76, actively exploited in the wild, CISA KEV deadline March 27. Implementation flaw enabling arbitrary code execution in browser sandbox.
• CVE-2026-3055 — Citrix NetScaler ADC/Gateway (SAML IDP config): patched, CVSS 9.3, unauthenticated memory overread. No confirmed wild exploitation yet.
• CVE-2026-29058 — AVideo Encoder getImage.php: Metasploit module available (added March 20), unauthenticated command injection, weaponized.
• CVE-2025-15517 — TP-Link Archer routers: patched, critical authentication bypass allowing unauthenticated firmware upload.

If Chrome has been sitting open with forty tabs since last week, there's a reasonable chance you're running a version attackers are actively exploiting right now.

Google patched two high-severity zero-days — CVE-2026-3909, an out-of-bounds write in Skia (Chrome's 2D graphics library), and CVE-2026-3910, an implementation flaw in the V8 JavaScript engine. Both allow remote code execution: visit the wrong link, get owned. No file download, no phishing form, just a webpage. Google confirmed exploitation in the wild for both.

The safe version is 146.0.7680.75/76 for Windows/macOS and 146.0.7680.75 for Linux. Microsoft also shipped a corresponding Edge update (146.0.3856.62), per Qualys. CISA's federal patch deadline is tomorrow, March 27. These follow CVE-2026-2441, another actively exploited Chrome zero-day patched just a month ago — part of a run of zero-days affecting Chrome's rendering and JS runtime.

What changes if you don't act: enterprise Chrome deployments managed through group policy often download the update but don't apply it until a user restarts the browser. IT teams should verify enforcement policies are actually closing the gap — not just staging the patch. If a refined PoC drops after the deadline, unpatched endpoints become low-hanging fruit overnight.

The supply chain attack that started with a vulnerability scanner in February has now reached LiteLLM — the Python library that routes requests to OpenAI, Anthropic, Google, and other AI providers through a single API — and the group behind it just announced a partnership with the notorious extortion crew LAPSUS$.

TeamPCP compromised LiteLLM versions 1.82.7 and 1.82.8, published to PyPI on March 24, likely through the project's use of the previously compromised Trivy scanner in its CI/CD pipeline. The payload included a credential harvester targeting SSH keys, cloud tokens, wallets, and .env files; a Kubernetes lateral movement toolkit that spawns privileged pods; and a persistent systemd backdoor. Version 1.82.8 was particularly nasty: it installs a .pth file that executes the harvester on every Python startup, even if LiteLLM is never imported — silently running in the background across any Python process in that environment.

Both poisoned versions have been pulled from PyPI. Version 1.82.6 is the last safe release. Wiz researchers warned this represents "a dangerous convergence between supply chain attackers and high-profile extortion groups," and TeamPCP is now openly taunting the industry on X (@pcpcats), threatening that "many of your favourite security tools and open-source projects will be targeted in the months to come."

If you have LiteLLM in any environment, check your installed version immediately and rotate every credential that Python process could reach — cloud tokens, SSH keys, Kubernetes secrets, .env files. If the LAPSUS$ collaboration produces ransom demands tied to stolen cloud credentials, this campaign escalates from theft to extortion at scale.

Citrix shipped patches for two vulnerabilities in NetScaler ADC and Gateway. The lead flaw, CVE-2026-3055 (CVSS 9.3), is an unauthenticated memory overread — an attacker can remotely read sensitive data from the appliance's memory without credentials. The catch: exploitation requires the appliance to be configured as a SAML Identity Provider, which is exactly how large enterprises often deploy NetScaler as the authentication gatekeeper for thousands of employees.

An attacker reading memory off a SAML identity provider could extract session tokens, credentials, or cryptographic material that unlocks access across the organization. The second flaw, CVE-2026-4368 (CVSS 7.7), is a race condition causing session mixup — one user can land in another's authenticated session on a high-traffic VPN gateway.

What to do now: check whether your NetScaler is configured as a SAML IDP and prioritize patching if it is. Many enterprises set this up years ago and may not have documented it. Default configurations are unaffected, but the organizations most at risk are the ones that configured SAML and moved on. Given that this is the same product family that hemorrhaged session tokens in "Citrix Bleed" and is now leaking memory again, the pattern deserves attention even before exploitation is confirmed in the wild. Historically, Citrix memory-read vulnerabilities attract fast weaponization — the window between patch and public exploit code has been shrinking.

Foster City, a Bay Area community of about 33,000, declared a state of emergency on Monday after a ransomware attack crippled its network on March 19. The emergency declaration — the significant new development — happened this week amid ongoing paralysis of city services. The city council held its emergency meeting without Zoom or online access. 911 reportedly still works; most other public services don't.

Declaring a state of emergency unlocks state and county resources, signaling the incident is beyond what the city can handle alone. Officials haven't disclosed the attack group, ransom demand, or what data may be compromised.

Why this matters beyond Foster City: local governments are chronically under-resourced for cybersecurity, and this is a very public signal of how disruptive ransomware remains for municipalities. If your organization depends on local government services — permits, inspections, records — this is a reminder that those dependencies are fragile. The observable signal to watch: whether Foster City pays, how long full restoration takes, and whether other small municipalities accelerate their own backup and incident response investments in response.

Xakep.ru reports that Tycoon2FA — the phishing-as-a-service platform designed to bypass multi-factor authentication on Microsoft 365 and Google Workspace by relaying push/approval codes in real time — has rebuilt its infrastructure and resumed operations with updated templates after a recent law enforcement disruption. The platform lets criminals rent polished phishing kits cheaply, making MFA bypass accessible to low-skill operators. For defenders, this means software-based MFA (SMS, authenticator apps, push notifications) remains insufficient for high-risk accounts; hardware security keys (FIDO2/WebAuthn) are the practical countermeasure. Source: Xakep.ru — Russian. No English-language coverage confirmed at time of publication.

Xakep.ru reports a cyberattack on Intoxalock — a major U.S. provider of ignition interlock devices (court-ordered breathalyzer systems that prevent a car from starting if the driver has been drinking) — disrupted the company's central management systems, leaving some users unable to start their vehicles and potentially exposing device telemetry data. This is a concrete example of how attacks on vendor infrastructure for regulated IoT devices cascade into real-world harms and legal jeopardy for individuals who depend on them for court compliance. Source: Xakep.ru — Russian. No English-language coverage confirmed at time of publication.

Xakep.ru reports that Russian authorities plan to increase the capacity of the TSPU system — the deep packet inspection infrastructure Roskomnadzor uses to filter, throttle, and block internet traffic inside Russia — by 2.5 times by 2030. This expansion would significantly strengthen Russia's ability to enforce internet censorship, degrade VPN and circumvention tools, and control information flows during geopolitical events. For threat modelers tracking Russian information operations, this signals a long-term investment in sovereign internet control infrastructure. Source: Xakep.ru — Russian. No English-language coverage confirmed at time of publication.

A Python library that talks to every AI on the planet was quietly stealing your SSH keys, a city of 33,000 is running its government on paper and phone calls, and somewhere a driver can't start their car because a breathalyzer vendor got hacked.

The .pth file that runs on every Python startup whether you asked for it or not is the 2026 equivalent of finding out your smoke detector has been livestreaming to Telegram.

Stay patched, stay suspicious.

If someone you know is still running Chrome with tabs from last Tuesday, do them a favor and forward this.